Key authorization authentication method, related device and medium

By comparing the authorization key and process information obtained on the target terminal, the problem of easy leakage of static credentials in the key management server is solved, achieving more secure key authorization and authentication and reducing the risk of key leakage.

CN119106412BActive Publication Date: 2026-07-03TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2023-06-09
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In existing technologies, the access authentication credentials and verification credential identifiers of key management servers are easily obtained by malicious individuals, leading to a high risk of key leakage.

Method used

By obtaining the authorization key and its corresponding authorization process information on the target terminal, the target process information is compared with multiple authorization process information, and the authorization key is only returned to the matching process information, thus avoiding the use of static credential information for authentication.

Benefits of technology

It improves the security of the key authorization and authentication process, reduces the risk of key leakage, enhances the dynamism and forgery resistance of process information, and improves the security of authentication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN119106412B_ABST
    Figure CN119106412B_ABST
Patent Text Reader

Abstract

The present disclosure provides a key authorization authentication method, related devices and media. The key authorization authentication method comprises: obtaining an authorized key on a target terminal and authorized process information corresponding to the authorized key; receiving a key acquisition request of a target process on the target terminal; in response to the key acquisition request, obtaining target process information of the target process; comparing the target process information with a plurality of authorized process information to obtain matching authorized process information in the plurality of authorized process information; and returning the authorized key corresponding to the matching authorized process information to the target process. The embodiments of the present disclosure improve the security of the key authorization authentication process and reduce the risk of key leakage. The embodiments of the present disclosure can be applied to various scenarios that require secure use of keys, such as identity verification, blockchain, data security, information technology, etc.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of information security, and in particular to a key authorization and authentication method, related apparatus and medium. Background Technology

[0002] Currently, to ensure data encryption and decryption security, the keys used for data encryption and decryption are generally stored by a key management server. When a key is needed for data encryption and decryption, it is requested from the key management server. Currently, before a terminal can use the key management service, it needs to register with the key management server. The key management server issues access authentication credentials and verification credential identifiers to the terminal. When the terminal needs to use the key management service, it sends the access authentication credentials and verification credential identifiers to the key management server, which then verifies them. After successful verification, the key management server returns the key to the terminal.

[0003] Access authentication credentials and authentication credential identifiers are typically stored by the endpoint in configuration files, code, or a database. Malicious individuals can easily obtain access authentication credentials and authentication credential identifiers through configuration files, code, and databases, thereby gaining unauthorized access to the key management server and posing a risk of key leakage. Summary of the Invention

[0004] This disclosure provides a key authorization and authentication method, related apparatus, and medium, which can improve the security of the key authorization and authentication process and reduce the risk of key leakage.

[0005] According to one aspect of this disclosure, a key authorization authentication method is provided, comprising:

[0006] Obtain the authorization key on the target terminal and the authorization process information corresponding to the authorization key;

[0007] Receive a key acquisition request from the target process on the target terminal;

[0008] In response to the key acquisition request, the target process information of the target process is acquired;

[0009] The target process information is compared with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information;

[0010] Return the authorization key corresponding to the matching authorized process information to the target process.

[0011] According to one aspect of this disclosure, a key authorization and authentication device is provided, comprising:

[0012] The first acquisition unit is used to acquire the authorization key on the target terminal and the authorization process information corresponding to the authorization key;

[0013] The first receiving unit is used to receive a key acquisition request from the target process on the target terminal;

[0014] The second acquisition unit is used to acquire the target process information of the target process in response to the key acquisition request;

[0015] The third acquisition unit is used to compare the target process information with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information;

[0016] The return unit is used to return the authorization key corresponding to the matching authorization process information to the target process.

[0017] Optionally, the first acquisition unit is specifically used for:

[0018] Send a first request to the key management server, the first request containing the target terminal address of the target terminal;

[0019] The key management server receives the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key, sent in response to the first request.

[0020] Optionally, the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key are determined by the key management server in the following ways:

[0021] Based on the first correspondence table, the target process group corresponding to the target terminal address is determined, and the first correspondence table indicates the first correspondence between the terminal address and the process group.

[0022] Based on the second correspondence table, the authorization key corresponding to the target process group is determined as the authorization key corresponding to the target terminal address. The second correspondence table indicates the second correspondence between the process group and the authorization key.

[0023] Based on the third correspondence table, the authorized process information corresponding to the target process group is determined as the authorized process information corresponding to the authorized key. The third correspondence table indicates the third correspondence between the authorized process information of the process group and the processes contained in the process group.

[0024] Optionally, the first correspondence is pre-generated on the key management server in the following manner:

[0025] The process group configuration interface is displayed, which includes a process group identifier input area and a terminal address input area for the application of the process group.

[0026] In the process group identifier input area, the input process group identifier is received;

[0027] The terminal address input area receives the input terminal address;

[0028] The process group corresponding to the input process group identifier and the input terminal address are stored as the first correspondence.

[0029] Optionally, the first correspondence is pre-generated on the key management server in the following manner:

[0030] For each process group, a second request is sent to the process group deployment management node, the second request containing the process group identifier of the process group;

[0031] Receive the terminal address corresponding to the process group identifier sent by the process group deployment management node in response to the second request;

[0032] The process group and the received terminal address are stored as the first correspondence.

[0033] Optionally, the second correspondence is pre-generated on the key management server in the following manner:

[0034] Receive the selection of the authorization key;

[0035] In response to a process group input command for the selected authorization key, the process group input area is displayed;

[0036] The process group input area receives the input process group;

[0037] The input process group and the authorization key are stored as the second correspondence.

[0038] Optionally, the third correspondence is pre-generated on the key management server in the following manner:

[0039] In response to an instruction to configure authorized process information for processes belonging to the process group, the authorized process information configuration interface is displayed;

[0040] The authorization process information configuration interface receives the input authorization process information;

[0041] The process group and the authorized process information are stored as the third correspondence.

[0042] Optionally, the key acquisition request includes a target process identifier, and the second acquisition unit includes:

[0043] A process identifier acquisition unit is used to acquire the target process identifier from the key acquisition request;

[0044] The process information acquisition unit is used to acquire the target process information based on the target process identifier.

[0045] Optionally, the key authorization and authentication method is executed by a key management agent with permission to read the process running status. The target process information includes the target process execution object identifier, the target process name, the target process execution path, and the target process file digest. The process information acquisition unit is specifically used for:

[0046] Obtain the target process execution object identifier corresponding to the target process identifier;

[0047] Using the process running status read permission, read the target process running status corresponding to the target process identifier. The target process running status includes the target process name and the target process execution path.

[0048] Obtain the target process name and the target process execution path from the target process running status;

[0049] According to the target process name and the target process execution path, obtain the target process file, perform a digest operation on the target process file, and obtain the target process file digest.

[0050] Optionally, the authorization process information includes the authorization process execution object identifier, the authorization process name, the authorization process execution path, and the authorization process file summary;

[0051] The third acquisition unit is specifically used for:

[0052] If, among a plurality of authorized process information, one of the authorized process execution object identifiers is the same as the target process execution object identifier, the authorized process name is the same as the target process name, the authorized process execution path is the same as the target process execution path, and the authorized process file digest is the same as the target process file digest, then the authorized process information is determined to be the matching authorized process information.

[0053] Optionally, obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key includes: obtaining the authorization key on the target terminal, the key identifier corresponding to the authorization key, and the authorization process information corresponding to the authorization key;

[0054] The process identifier acquisition unit is used for:

[0055] Obtain the target process identifier and the target key identifier from the key acquisition request;

[0056] The third acquisition unit is specifically used for:

[0057] From the multiple authorization process information, obtain candidate authorization process information whose key identifier is consistent with the target key identifier corresponding to the authorization key;

[0058] If the target process information matches the candidate authorized process information, the candidate authorized process information is determined as the matching authorized process information.

[0059] Optionally, the key identifier corresponding to the authorization key is obtained based on the authorization key reference fourth correspondence table, the fourth correspondence table indicating the fourth correspondence between the authorization key and the key identifier;

[0060] The fourth correspondence table is pre-generated on the key management server in the following manner:

[0061] The authorization key configuration interface is displayed, which includes a key identifier input area and an authorization key generation method selection control;

[0062] In the key identifier input area, the input key identifier is received;

[0063] In response to selecting a random generation method using the authorization key generation method selection control, the authorization key is randomly generated;

[0064] The authorization key and the key identifier are stored as the fourth correspondence.

[0065] Optionally, the first acquisition unit is used to:

[0066] Obtain the effective and expiration times of each authorization key;

[0067] From the plurality of authorized keys, select the authorized key whose effective time is earlier than the current time and whose expiration time is later than the current time, and the authorization process information corresponding to the authorized key.

[0068] Optionally, the first acquisition unit is further configured to: acquire the authorization key on the target terminal, the first encryption algorithm version corresponding to the authorization key, and the authorization process information corresponding to the authorization key;

[0069] The key authorization and authentication device further includes a comparison unit, which is used for:

[0070] Receive the encryption algorithm version verification request of the target process during the encryption process using the authorized key, wherein the encryption algorithm version verification request has a second encryption algorithm version applied by the authorized key;

[0071] If the second encryption algorithm version is the same as the first encryption algorithm version, a successful encryption algorithm version verification response is sent to the target process.

[0072] Optionally, the authorization process information includes the identifier of the execution object of the authorization process, the name of the authorization process, and the execution path of the authorization process;

[0073] The third acquisition unit further includes:

[0074] The first matching unit is used to determine a first matching score based on the target process execution object identifier and the authorized process execution object identifier;

[0075] The second matching unit is used to determine a second matching score based on the target process name and the authorized process name;

[0076] The third matching unit is used to determine a third matching score based on the execution path of the target process and the execution path of the authorized process;

[0077] The filtering unit is used to obtain the matching authorization process information from multiple authorization process information based on the first matching score, the second matching score, and the third matching score.

[0078] Optionally, the filtering unit is used for:

[0079] The first matching score, the second matching score, and the third matching score are weighted and summed to obtain the total matching score.

[0080] Based on the total matching score, the matching authorization process information is obtained from multiple authorization process information. According to one aspect of this disclosure, an electronic device is provided, including a memory and a processor, the memory storing a computer program, and the processor executing the computer program to implement the key authorization authentication method as described above.

[0081] According to one aspect of this disclosure, a computer-readable storage medium is provided, the storage medium storing a computer program that, when executed by a processor, implements the key authorization and authentication method as described above.

[0082] According to one aspect of this disclosure, a computer program product is provided, the computer program product comprising a computer program that is read and executed by a processor of a computer device, causing the computer device to perform the key authorization authentication method as described above.

[0083] This disclosure does not use static credential information such as access authentication credentials and authentication credential identifiers, which are easily obtained by malicious actors, for key authorization authentication. Instead, it uses target process information of the target process that performs encryption and decryption using the calling key for key authorization authentication. It first obtains the authorization key on the target terminal and the authorization process information corresponding to the authorization key. When the target process information is obtained, it is compared with multiple authorization process information to obtain matching authorization process information, and thus the corresponding authorization key is obtained. This target process information varies depending on the specific process performing encryption and decryption using the calling key. As long as the process is different, this information will be different. Even if a malicious actor tries to forge the same process information to obtain the key, it is difficult to forge an identical process, making it difficult to obtain the same process information and therefore difficult to obtain the key. This disclosure significantly improves the security of the key authorization authentication process and reduces the risk of key leakage.

[0084] Other features and advantages of this disclosure will be set forth in the following description and will be apparent in part from the description or may be learned by practicing the disclosure. The objectives and other advantages of this disclosure may be realized and obtained by means of the structures particularly pointed out in the description, claims and drawings. Attached Figure Description

[0085] The accompanying drawings are provided to further understand the technical solutions of this disclosure and constitute a part of the specification. They are used together with the embodiments of this disclosure to explain the technical solutions of this disclosure and do not constitute a limitation on the technical solutions of this disclosure.

[0086] Figure 1 This is a system architecture diagram of a key authorization and authentication method applied according to an embodiment of the present disclosure;

[0087] Figure 2A This is a schematic diagram illustrating the application of key authorization and authentication methods in key authorization scenarios.

[0088] Figure 2B This is a schematic diagram illustrating the application of the key authorization and authentication method according to the embodiments of this disclosure in a key authorization scenario;

[0089] Figure 3 This is a flowchart of a key authorization and authentication method according to an embodiment of the present disclosure;

[0090] Figure 4 It shows Figure 3 The flowchart for step 310, obtaining the authorization key and the corresponding authorization process information;

[0091] Figure 5A flowchart illustrating the determination of an authorization key and the authorization process information corresponding to the authorization key, according to an embodiment of this disclosure, is shown.

[0092] Figure 6A -D illustrates a schematic diagram of a first correspondence table, a second correspondence table, and a third correspondence table according to an embodiment of this disclosure;

[0093] Figure 7 A flowchart illustrating the generation of a first correspondence relationship according to an embodiment of this disclosure is shown;

[0094] Figure 8 A flowchart illustrating the generation of a first correspondence according to another embodiment of this disclosure is shown;

[0095] Figure 9 This is a schematic diagram illustrating the implementation process of generating the first correspondence relationship according to an embodiment of this disclosure;

[0096] Figure 10 A flowchart illustrating the generation of a second correspondence according to an embodiment of this disclosure is shown;

[0097] Figure 11A -B is a schematic diagram illustrating the implementation process of generating the second correspondence in an embodiment of this disclosure;

[0098] Figure 12 A flowchart illustrating the generation of a third correspondence in one embodiment of this disclosure is shown;

[0099] Figure 13 This is a schematic diagram illustrating the implementation process of generating a third correspondence relationship according to an embodiment of this disclosure;

[0100] Figure 14 It shows Figure 3 The flowchart for step 330, obtaining target process information;

[0101] Figure 15 It shows Figure 13 The flowchart for step 1420, obtaining the target execution object identifier, target process name, target process execution path, and target process file summary;

[0102] Figure 16 This illustration shows a schematic diagram of the implementation process of obtaining the target execution object identifier, target process name, target process execution path, and target process file digest according to an embodiment of the present disclosure;

[0103] Figure 17 It shows Figure 3 The flowchart for step 340, which compares the target process information with the information of multiple authorized processes;

[0104] Figure 18A flowchart illustrating the generation of a fourth correspondence in one embodiment of this disclosure is shown;

[0105] Figure 19A -C is a schematic diagram illustrating the implementation process of generating the fourth correspondence in an embodiment of this disclosure;

[0106] Figure 20 It shows Figure 3 Another flowchart for step 340, which compares the target process information with the information of multiple authorized processes;

[0107] Figure 21 It shows Figure 20 The flowchart for step 2040 of the process is as follows: obtaining matching authorization process information from multiple authorization process information based on the first matching score, the second matching score, and the third matching score.

[0108] Figure 22 This is a flowchart of a key authorization and authentication method according to another embodiment of the present disclosure;

[0109] Figure 23 This is a schematic diagram illustrating the implementation details of a key authorization and authentication method according to an embodiment of the present disclosure;

[0110] Figure 24 This is a block diagram of a key authorization and authentication device according to an embodiment of the present disclosure;

[0111] Figure 25 This is a terminal structure diagram of a key authorization and authentication method according to an embodiment of the present disclosure;

[0112] Figure 26 This is a server architecture diagram of a key authorization and authentication method according to an embodiment of the present disclosure. Detailed Implementation

[0113] To make the objectives, technical solutions, and advantages of this disclosure clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and are not intended to limit the scope of this disclosure.

[0114] Before providing a further detailed description of the embodiments of this disclosure, the terms and concepts used in these embodiments are explained, and they are subject to the following interpretations:

[0115] Artificial intelligence (AI) is the theory, methods, technology, and application systems that use digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to achieve desired results. In other words, AI is a comprehensive technology within computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a way similar to human intelligence. AI studies the design principles and implementation methods of various intelligent machines, enabling them to have perception, reasoning, and decision-making capabilities. AI technology is a comprehensive discipline involving a wide range of fields, encompassing both hardware and software technologies. Fundamental AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies mainly include computer vision, speech processing, natural language processing, and machine learning / deep learning. With the research and advancement of artificial intelligence (AI) technology, AI is being studied and applied in various fields, such as smart homes, smart wearable devices, virtual assistants, smart speakers, smart marketing, autonomous driving, drones, robots, smart healthcare, and smart customer service. It is believed that with the development of technology, AI will be applied in more fields and play an increasingly important role.

[0116] Blockchain: Blockchain is a new application model of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms, and encryption algorithms. Essentially, a blockchain is a decentralized database, a chain of data blocks linked together using cryptographic methods. Each data block contains information about a batch of transactions, used to verify the validity of the information (anti-counterfeiting) and to link it to the previous block.

[0117] A process is a single execution of a program on a specific set of data in a computer. It is the basic unit for resource allocation in a system and forms the foundation of the operating system structure. A process is the fundamental execution entity of a program.

[0118] Currently, to ensure data encryption and decryption security, the keys used for data encryption and decryption are generally stored by a key management server. When a key is needed for data encryption and decryption, it is requested from the key management server. Currently, before a terminal can use the key management service, it needs to register with the key management server. The key management server issues access authentication credentials and verification credential identifiers to the terminal. When the terminal needs to use the key management service, it sends the access authentication credentials and verification credential identifiers to the key management server, which then verifies them. After successful verification, the key management server returns the key to the terminal.

[0119] Access authentication credentials and authentication credential identifiers are typically stored by the endpoint in configuration files, code, or a database. Malicious individuals can easily obtain access authentication credentials and authentication credential identifiers through configuration files, code, and databases, thereby gaining unauthorized access to the key management server and posing a risk of key leakage.

[0120] System architecture and scenario description of the embodiments disclosed herein

[0121] Figure 1 This is a system architecture diagram of the key authorization and authentication method applied according to embodiments of this disclosure. It includes a target terminal 140, a key management server 110, etc. The target terminal 140 includes a target process and a key management agent 120 deployed on the same machine. The target process contains key management software for data transmission between the target process and the key management agent. The key management server 110 includes a key management backend server 130, a key management terminal 140, an encryption machine 150, and a database 160.

[0122] The target terminal 140 can take various forms, including desktop computers, laptops, PDAs (personal digital assistants), mobile phones, vehicle terminals, home theater terminals, and dedicated terminals. Furthermore, it can be a single device or a collection of multiple devices. The target terminal 140 can communicate with the key management server 110 via the key management agent 120 to exchange data, either wired or wirelessly.

[0123] Key management server 110 refers to a computer system that can provide certain services to target terminal 140. Compared to ordinary target terminal 140, key management server 110 has higher requirements in terms of stability, security, and performance. Key management server 110 can be a single high-performance computer in a network platform, a cluster of multiple high-performance computers, a portion of a single high-performance computer (e.g., a virtual machine), or a combination of portions of multiple high-performance computers (e.g., virtual machines). Key management server 110 is a server that performs key authentication for target processes. Key management terminal 140 in key management server 110 is used for key creation and key management operations; encryption machine 150 is used to encrypt various data in key management server 110; database 160 is used to store various data in key management server 110.

[0124] When object A operates on the interface corresponding to the key management terminal 140, the key management server 110 receives the key information and process information added by object A through input operations, as well as the association relationship between the key information and process information input by object A, and associates the key and process information. Further, the key management backend server 130 sends the key information to the encryption machine 150 for encryption processing to obtain encrypted data. Further, the key management backend server 130 stores the encrypted data in the database 160.

[0125] When the key management agent 120 on the target terminal sends a request to the key management server 110 for the information it wants, the key management server 110 will send the key information and associated process information to the key management agent 120.

[0126] When a target process on a target terminal wants to obtain key authorization and authentication, the target process sends a key acquisition request to the key management agent 120 through the key management software, and sends its own process information along with the key acquisition request to the key management agent 120. The key management agent 120 compares the process information provided by the target process with the process information associated with the key information, and determines whether to return the key information to the target process based on the comparison results.

[0127] like Figure 2A As shown, object 210 first sends an access request to the key management terminal 140 of the key service manager 110. This access request is used to access the key management server. Next, based on the access request, the key management server 110 assigns an authorization key to object 210 and generates an identity credential corresponding to the authorization key, while simultaneously returning the identity credential to object 210. Further, when business module 220 needs to use the key management service, object 210 provides the identity credential to business module 220, which then sends the identity credential to the key management server 110 for verification. Upon successful verification, the key management server 110 returns an authorization key to business module 220.

[0128] This method makes it easy for malicious individuals to obtain access authentication credentials and authentication credential identifiers, thereby illegally accessing the key management server, which carries a high risk of key leakage.

[0129] Compared to related technologies, the embodiments of this disclosure perform key authorization and authentication based on the target process information of the target process that performs encryption and decryption processing using the calling key. The embodiments of this disclosure can be applied in various scenarios, such as... Figure 2B The key authorization scenario shown is an example.

[0130] like Figure 2BAs shown, the key management server 220 stores authorization keys and corresponding authorization process information. When a target process needs to use the key management service, its target process information is compared with the authorization process information for verification. Upon successful verification, the authorization key is returned to the target process.

[0131] General Description of Embodiments in this Disclosure

[0132] According to one embodiment of this disclosure, a key authorization and authentication method is provided.

[0133] Key-based authentication methods are often used for, for example Figure 2B This invention addresses key authorization scenarios. In related key authorization methods, malicious actors can easily obtain access authentication credentials and verification credential identifiers, thereby illegally accessing the key management server, resulting in a high risk of key leakage. Therefore, this disclosure provides a key authorization authentication scheme based on target process information of the target process performing encryption and decryption processing using the calling key. This improves the security of the key authorization authentication process and reduces the risk of key leakage.

[0134] It should be noted that the key authorization and authentication method in this embodiment is executed by the key management agent 120.

[0135] like Figure 3 As shown, a key authorization and authentication method according to an embodiment of this disclosure may include:

[0136] Step 310: Obtain the authorization key on the target terminal and the authorization process information corresponding to the authorization key;

[0137] Step 320: Receive the key acquisition request from the target process on the target terminal;

[0138] Step 330: In response to the key acquisition request, obtain the target process information of the target process;

[0139] Step 340: Compare the target process information with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information;

[0140] Step 350: Return the authorization key corresponding to the matching authorized process information to the target process.

[0141] Steps 310-350 are briefly described below.

[0142] In step 310, the authorization key on the target terminal and the authorization process information corresponding to the authorization key are obtained.

[0143] An authorization key is a confidential code or number used to read, modify, or verify protected data. Authorization process information refers to the process information used for authorization protection via the authorization key.

[0144] In one embodiment, in order to improve the efficiency of key authorization authentication, the authorization key on the target terminal and the authorization process information corresponding to the authorization key can be obtained once at a preset time interval. The preset time interval is set according to actual needs and is not limited.

[0145] In another embodiment, to maximize the number of keys used for key authorization and authentication, the authorization key and the corresponding authorization process information on the target terminal can be acquired in real time according to the data acquisition instruction issued by the target process. The data acquisition instruction is used by the target process to instruct the acquisition of the authorization key and the authorization process information.

[0146] In step 320, a key acquisition request from the target process on the target terminal is received.

[0147] A target process is a computer program that is currently executing or about to execute. Target processes can include various running service programs, such as social networking services, shopping services, and various financial services. These service programs require loading necessary keys to function properly at startup or during operation. For example, in a financial service program, to ensure the security of financial transactions, an object needs to transfer funds to another object. During the transfer process, the service program's process needs to obtain the transaction key input by the object or stored somewhere to continue running.

[0148] A key acquisition request is a request generated by the target process to obtain a key.

[0149] Specifically, when a target process on a target terminal wants to obtain a key, it sends a key acquisition request to the key management agent 120. At this time, the key management agent 120 receives the key acquisition request from the target process and determines whether to provide the key to the target process based on the key acquisition request.

[0150] In step 330, in response to the key acquisition request, the target process information of the target process is acquired.

[0151] Target process information is the runtime status information of the target process, which is used to indicate the specific running status of the target process.

[0152] Specifically, after receiving a key acquisition request from the target process, the key management agent 120 needs to further obtain the target process information and use the target process information to determine whether to provide the key to the target process.

[0153] In step 340, the target process information is compared with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information.

[0154] The matching authorized process information is the process information that has been authorized by the authorization key and whose specific content is consistent with the target process information.

[0155] In some embodiments, for each authorized process information, the entire content of the authorized process information is compared with the entire content of the target process information. If the authorized process information and the target process information are completely identical, then the authorized process information is used as the matching authorized process information. This method can improve the information overlap between the matching authorized process information and the target process information.

[0156] In other embodiments, for each authorized process information, the authorized process information is converted into vector form to obtain an authorized process feature vector. Next, the target process information is converted into vector form to obtain a target process feature vector. Further, a similarity algorithm is used to calculate the similarity between the authorized process feature vectors and the target process information, and this similarity is used as the matching degree between the authorized process information and the target process information. Finally, based on the matching degree, authorized process information with a matching degree higher than a preset threshold is selected as the matched authorized process information. Alternatively, the authorized process information is sorted according to the matching degree, and the authorized process information with the highest predetermined ranking is selected as the matched authorized process information. This method can effectively increase the number of matched authorized process information, thereby increasing the likelihood that the target process will obtain the authorization key.

[0157] It should be noted that similarity algorithms include, but are not limited to, cosine similarity, Euclidean distance, Manhattan distance, etc. The specific numerical value of the predetermined ranking is set according to the actual situation and is not restricted.

[0158] In step 350, the authorization key corresponding to the matching authorized process information is returned to the target process in the following ways, including but not limited to:

[0159] (1) The key management agent 120 directly sends the authorization key to the target process. This method can improve the timeliness of authorization key transmission.

[0160] (2) The key management agent 120 encrypts the authorization key using its private key, enabling the target process to decode the authorization key using the public key corresponding to the private key. The public key of the key management agent 120 can be published on a public platform, allowing the target process to obtain it. This method ensures efficient transmission of the authorization key while further improving its security and reducing the risk of key leakage.

[0161] Through steps 310-350 above, this embodiment of the disclosure does not use static credential information such as access authentication credentials and verification credential identifiers, which are easily obtained by malicious actors, for key authorization authentication. Instead, it performs key authorization authentication based on the target process information of the target process that performs encryption and decryption processing using the calling key. It first obtains the authorization key on the target terminal and the authorization process information corresponding to the authorization key. When the target process information of the target process is obtained, it is compared with multiple authorization process information to obtain matching authorization process information, and thus obtains the corresponding authorization key. This target process information changes depending on the specific process that performs encryption and decryption processing using the calling key. As long as the process is different, this information will be different. Even if a malicious actor wants to forge the same process information to obtain the key, it is difficult to forge an identical process, making it difficult to obtain the same process information and therefore difficult to obtain the key. This embodiment of the disclosure greatly improves the security of the key authorization authentication process and reduces the risk of key leakage.

[0162] The above is a general description of steps 310-350. Since steps 320 and 350 have been detailed in the above general description, the specific implementations of steps 310, 330 and 340 will be described in detail below.

[0163] Detailed description of step 310

[0164] In step 310, the authorization key on the target terminal and the authorization process information corresponding to the authorization key are obtained.

[0165] Since the key management server 110 contains authorization keys corresponding to different target terminals, directly providing the authorization keys to each key management agent 120 would pose a significant risk of key leakage. Furthermore, determining whether each authorization key should be provided to the key management agent 120 of the target terminal individually would result in low efficiency. Therefore, this disclosure provides a scheme for obtaining authorization keys and corresponding authorization process information based on the terminal address of the target terminal, effectively improving data acquisition efficiency.

[0166] like Figure 4 As shown, in some embodiments, the process of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key includes, but is not limited to, the following steps 410 to 420.

[0167] Step 410: Send a first request to the key management server. The first request contains the target terminal address of the target terminal.

[0168] Step 420: Receive the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key sent by the key management server in response to the first request.

[0169] Steps 410-420 are described in detail below.

[0170] A terminal address refers to the address code of a target terminal such as a mobile phone or desktop computer. The target terminal address of a target terminal is unique, that is, one target terminal corresponds to a unique target terminal address, and different target terminals have different target terminal addresses.

[0171] In step 410, the first request is triggered by the key management agent 120 wanting to obtain the authorization key and the corresponding authorization process information from the key management server 110. Specifically, when the key management agent 120 sends the first request to the key management server 110, it also sends the target terminal address of the target terminal to the key management server 110.

[0172] In step 420, the key management server 110 pre-stores the correspondence between terminal addresses and authorization keys, as well as the corresponding authorization key information. When the key management agent 120 sends a first request to the key management server 110, the key management server 110 first obtains the target terminal address from the first request. Then, based on the pre-stored correspondence, it queries the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key. Finally, it sends the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key ...

[0173] Through the above steps 410-420, the key management agent 120 of this embodiment sends the target terminal address of the target terminal to the key management server 110. The key management server 110 can conveniently query the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key by utilizing the pre-stored correspondence between the terminal address and the authorization key and the authorization key information corresponding to the authorization key, which can greatly improve the data acquisition efficiency and data acquisition accuracy.

[0174] It should be noted that the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key are generated by the key management server 110.

[0175] The following is combined with Figure 5 , Figure 6A-D provides a detailed description of the process by which the key management server 110 generates the authorization key and the authorization process information corresponding to the authorization key.

[0176] like Figure 5 As shown, in some embodiments, the process by which the key management server 110 generates an authorization key and authorization process information corresponding to the authorization key includes, but is not limited to, the following steps 510 to 530.

[0177] Step 510: Based on the first correspondence table, determine the target process group corresponding to the target terminal address;

[0178] Step 520: Based on the second correspondence table, determine the authorization key corresponding to the target process group, which will be used as the authorization key corresponding to the target terminal address;

[0179] Step 530: Based on the third correspondence table, determine the authorized process information corresponding to the target process group, which will be used as the authorized process information corresponding to the authorization key.

[0180] Steps 510-530 are described in detail below.

[0181] A process group is a group of one or more authorized process information, and a process group has at least one authorized process information.

[0182] In step 510, since the first correspondence table indicates the first correspondence between terminal addresses and process groups, all process groups corresponding to the target terminal address can be determined by querying the first correspondence table, and the queried process groups are used as the target process groups.

[0183] like Figure 6A As shown, in the first correspondence table, terminal address 1 corresponds to process group 1 and process group 2. Terminal address 2 corresponds to process group 1 and process group 3. Terminal address 3 corresponds to process group 2 and process group 3. Terminal address 4 corresponds to process group 2, process group 4, process group 5, and process group 6. Terminal address 5 corresponds to process group 10 and process group 6. When the target terminal address is terminal address 3, by querying the first correspondence table, it can be seen that the target process groups corresponding to the target terminal address are process group 2 and process group 3.

[0184] In step 520, since the second correspondence table indicates the second correspondence between process groups and authorization keys, all authorization keys corresponding to the target process group can be determined by querying the second correspondence table, and all the queried authorization keys are used as the authorization keys corresponding to the target terminal address.

[0185] like Figure 6BAs shown, in the second correspondence table, the authorization keys include authorization key 1, authorization key 2, authorization key 3, authorization key 4, authorization key 5, etc.; the process groups include process group 1, process group 2, process group 3, process group 4, process group 5, etc. Specifically, authorization key 1 corresponds to process group 1; authorization key 2 corresponds to process group 2; authorization key 3 corresponds to process group 3; authorization key 4 corresponds to process group 4; and authorization key 5 corresponds to process group 5. When the target process group corresponding to the target terminal address is process group 2 or process group 3, by querying the second correspondence table, it can be seen that the authorization key corresponding to process group 2 is authorization key 2, and the authorization key corresponding to process group 3 is authorization key 3. Therefore, authorization key 2 and authorization key 3 are used as the authorization keys corresponding to the target terminal address.

[0186] In step 530, since the third correspondence table indicates the third correspondence between process groups and the authorized process information of the processes contained in the process groups, all authorized process information corresponding to the target process group can be determined by querying the third correspondence table, and all the queried authorized process information is used as the authorized process information corresponding to the authorization key.

[0187] like Figure 6C As shown, in the third correspondence table, the authorized process information under process group 1 includes authorized process information 1 and authorized process information 3. The authorized process information under process group 2 includes authorized process information 2 and authorized process information 4. The authorized process information under process group 3 includes authorized process information 5 and authorized process information 6. The authorized process information under process group 4 includes authorized process information 7, authorized process information 8, and authorized process information 9. The authorized process information under process group 5 includes authorized process information 10 and authorized process information 11. When the target process group corresponding to the target terminal address is process group 2 or process group 3, by querying the third correspondence table, it can be seen that the authorized process information under process group 2 is authorized process information 2 and authorized process information 4. Therefore, the authorized process information corresponding to authorized key 2 is determined to be authorized process information 2 and authorized process information 4. Similarly, the authorized process information corresponding to authorized key 3 can be determined to be authorized process information 5 and authorized process information 6.

[0188] like Figure 6DAs shown, the key information for each key includes the key algorithm version, key identifier, effective time, expiration time, and activation status, etc. Each process group corresponds to a terminal address list and an authorized process list. The terminal address list records the specific terminal addresses corresponding to the process group, and the authorized process list records the information of the authorized processes under the process group. The information of each authorized process includes the authorized process execution object identifier, authorized process name, authorized process execution path, and authorized process file summary, etc. When a key is authorized to a process group, a correspondence is established between the key information of the authorized key and the terminal address and authorized process information corresponding to that process group. Based on these correspondences, the authorized key and the authorized process information corresponding to the authorized key can be determined.

[0189] It should be noted that the key algorithm version indicates the encryption algorithm version of the authorized key. Key algorithm versions include, but are not limited to, symmetric encryption algorithms, MD5 encryption algorithms, etc. The key identifier is a unique credential used to distinguish different authorized keys; that is, different authorized keys have different key identifiers, and each authorized key corresponds to a unique key identifier. The effective time and expiration time indicate the validity period of the authorized key. If the current time is earlier than the effective time or later than the expiration time, the authorized key cannot be used normally. The activation status indicates whether the authorized key is activated. If the authorized key is activated, it will be in a ready-to-use state.

[0190] Through steps 510-530 above, this embodiment of the disclosure determines the target process group corresponding to the target terminal address through the mapping relationship between terminal address and process group in the first correspondence table. Further, it determines the authorization key corresponding to the target terminal address through the mapping relationship between process group and authorization key in the second correspondence table. Finally, it determines the authorization process information corresponding to the authorization key through the mapping relationship between process group and authorized process information in the third correspondence table. By using multiple mapping relationships between various pieces of information to determine the correspondence between the authorization key and the authorization process information, the association between the authorization key and the authorization process information becomes more accurate and reasonable. This series of correspondences can significantly improve the efficiency of information retrieval, thereby improving the efficiency of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key, thus determining the authorization key that can be provided to the target process more quickly and accurately.

[0191] The following is combined with Figure 7 , Figure 8 , Figure 9 The process of generating the first correspondence for the key management server 110 is described in detail.

[0192] like Figure 7As shown, in some embodiments, the process by which the key management server 110 generates the first correspondence includes, but is not limited to, the following steps 710 to 740.

[0193] Step 710: Display the process group configuration interface;

[0194] Step 720: Receive the input process group identifier in the process group identifier input area;

[0195] Step 730: Receive the input terminal address in the terminal address input area;

[0196] Step 740: Store the process group corresponding to the input process group identifier and the input terminal address as the first correspondence.

[0197] Steps 710-740 are described in detail below.

[0198] A process group identifier is a unique credential used to distinguish different process groups. That is, different process groups have different process group identifiers, and each process group corresponds to a unique process group identifier.

[0199] In step 710, a process group configuration interface is displayed on the key management terminal 140 of the key management server 110. This interface is used by objects to interact with and configure various information about the process group. "Objects" refers to people, smart assistants, etc., who want to configure process group information through interaction with the interface. The process group configuration interface has a process group identifier input area and a process group application terminal address input area. The process group identifier input area is used for objects to input the process group identifier. The process group application terminal address input area is used for objects to input the terminal address.

[0200] Furthermore, the process group configuration interface also includes input areas for the Chinese name of the process group, the responsible party, and the department. The Chinese name input area allows users to enter the process group's Chinese name. The responsible party input area allows users to enter the party responsible for managing the process group. The department input area allows users to enter the department to which the process group belongs. Using the Chinese name, responsible party, and department allows for convenient categorization of process groups and improves process group management. It also ensures that when a process group needs modification or information deletion, the corresponding responsible party and department can be quickly identified.

[0201] like Figure 9 As shown, the process group configuration interface displays a process group identifier input area, a terminal address generation method selection control, a terminal address input area, and an "OK" button.

[0202] In step 720, based on the input operation of the object in the process group identifier input area, the key management server 110 receives the input process group identifier.

[0203] In step 730, the key management server 110 receives the input terminal address based on the input operation of the object in the terminal address input area.

[0204] In step 740, the key management server 110 determines each process group based on the process group identifier, constructs the correspondence between process groups and terminal addresses, and stores the correspondence between all authorized keys and key identifiers in the form of a data table to obtain a first correspondence table.

[0205] It should be noted that in the first correspondence table, a process group can correspond to multiple terminal addresses, and a terminal address can also correspond to multiple process groups.

[0206] like Figure 9 As shown, in the process group configuration interface, based on the object's input operation in the process group identifier input area, the key management server 110 receives the input process group identifier as "ABB". Based on the object's input operation in the process group Chinese name input area, the key management server 110 receives the input process group Chinese name as "Xxx". Based on the object's input operation in the responsibility attribution object input area, the key management server 110 receives the input responsibility attribution object as "Xx". Based on the object's input operation in the department input area, the key management server 110 receives the input department as "Xxxx department". Further, based on the manual synchronization method selected by the object using the terminal address generation method selection control, the object enters the terminal address in the terminal address input area. The key management server 110 receives the input terminal addresses as "terminal address 1", "terminal address 12", "terminal address 10", and "terminal address 6". Finally, the object clicks the "OK" button, and the key management server 110 generates the process group identifier and the corresponding terminal address of the process group based on the object's click operation.

[0207] Through the above steps 710-740, the key management server 110 of this embodiment can determine the matching relationship between the process group identifier and the terminal address by receiving the input process group identifier and terminal address, and construct a first correspondence table according to the matching relationship between the process group and the authorization key, so that the process group corresponding to each terminal address can be obtained according to the first correspondence table, thereby improving the efficiency of querying the process group corresponding to the terminal address.

[0208] like Figure 8 As shown, in some other embodiments, the process by which the key management server 110 generates the first correspondence includes, but is not limited to, the following steps 810 to 830.

[0209] Step 810: For each process group, send a second request to the process group deployment management node. The second request contains the process group identifier of the process group.

[0210] Step 820: Receive the terminal address corresponding to the process group identifier sent by the process group deployment management node in response to the second request;

[0211] Step 830: Store the process group and the received terminal address as the first correspondence.

[0212] Steps 810-830 are described in detail below.

[0213] In step 810, the process group deployment management node refers to a data node that stores multiple terminal addresses. The process group deployment management node can determine the terminal address corresponding to a process group based on the functions implemented by the process group. Specifically, based on the synchronization method of the process group deployment management node selected by the object using the terminal address generation method selection control in the process group configuration interface, the key management server 110 will send a second request to the process group deployment management node for each process group. The second request is a request generated in response to the object's selection operation for process group deployment management node synchronization, used to obtain the terminal address from the process group deployment management node. The second request includes the process group identifier of the process group.

[0214] In step 820, the process group deployment management node can query the process group identifier sent by the second request, find the terminal address corresponding to the process group identifier, and return the terminal address to the key management agent 120.

[0215] In step 830, the specific implementation process of storing the process group and the received terminal address as a first correspondence is similar to the specific implementation process in step 740 above, which stores the process group corresponding to the input process group identifier and the input terminal address as a first correspondence. To save space, it will not be described in detail again.

[0216] Through the above steps 810-830, this embodiment of the disclosure sends a second request to the process group deployment management node, enabling the process group deployment management node to provide the corresponding terminal address based on the process group identifier. This reduces input errors caused by object inputting terminal addresses, shortens the terminal address generation time, improves the terminal address generation efficiency, and thus improves the construction efficiency of the first correspondence table.

[0217] The following is combined with Figure 10 , Figure 11A -B provides a detailed description of the process by which the key management server 110 generates the second correspondence.

[0218] like Figure 10As shown, in some embodiments, the process by which the key management server 110 generates the second correspondence includes, but is not limited to, the following steps 1010 to 1040.

[0219] Step 1010: Receive the selection of the authorization key;

[0220] Step 1020: In response to the process group input command for the selected authorization key, display the process group input area;

[0221] Step 1030: In the process group input area, receive the input process group;

[0222] Step 1040: Store the input process group and the authorization key as a second correspondence.

[0223] Steps 1010-1040 are described in detail below.

[0224] In step 1010, when generating the second correspondence, the object selects an authorization key on the display interface of the key management terminal 140 of the key management server 110. Based on the object's selection of the authorization key, the key management server 110 can more easily determine the key to be authorized and the key information of the authorization key.

[0225] like Figure 11A As shown, on the display interface of the key management terminal 140 of the key management server 110, the object clicks the "Authorization Management" taskbar. An authorization key input area is displayed on the interface corresponding to the "Authorization Management" taskbar. The object performs an input operation in the authorization key input area, and the key management server 110 receives the key identifier of the selected authorization key, which is "Xxxx".

[0226] In step 1020, after selecting the authorization key, the object issues a process group input command to input information about the process group it wants to authorize. At this time, the key management server 110 responds to the process group input command for the selected authorization key by displaying the process group input area. The process group input area is used by the object to input information about the process group it wants to authorize.

[0227] In step 1030, when relevant information about a process group is entered in the process group input area, the key management server 110 receives the specific information of the entered process group and then identifies the process group that needs authorization based on the specific information.

[0228] like Figure 11BAs shown, after the object selects the authorization key, it issues a process group input command. At this time, the key management server 110 displays a process group input area. In the process group input area, the object can enter the department and process group identifier corresponding to the process group. Based on the object's input of the department and process group identifier, the key management server 110 determines the department of the process group to be authorized as "Xxxxxx Department" and the process group identifier of the process group to be authorized as "ABB". Further, based on the object's click of the "OK" button, the key management server 110 determines to authorize the authorization key "Xxxx" to the process group with the process group identifier "ABB".

[0229] In step 1040, the key management server 110 constructs a correspondence between process groups and authorized keys based on the authorization relationship between each process group and the authorized key, and stores all the correspondence between authorized keys and process groups in the form of a data table to obtain a second correspondence table.

[0230] Through the above steps 1010-1040, the key management server 110 of this embodiment can determine the matching relationship between process groups and authorized keys by receiving the selection and input of authorized keys. It can clearly authorize each key to the corresponding process group. At the same time, it constructs a second correspondence table based on the matching relationship between process groups and authorized keys, so that the process group corresponding to each authorized key can be obtained according to the second correspondence table, thereby improving the efficiency of querying the process group corresponding to the authorized key.

[0231] The following is combined with Figure 12 , Figure 13 The process of generating a third correspondence in the key management server 110 is described in detail.

[0232] like Figure 12 As shown, in some embodiments, the process by which the key management server 110 generates a third correspondence includes, but is not limited to, the following steps 1210 to 1230.

[0233] Step 1210: In response to the instruction to configure authorized process information for processes under the process group, display the authorized process information configuration interface;

[0234] Step 1220: In the authorization process information configuration interface, receive the input authorization process information;

[0235] Step 1230: Store the process group and authorized process information as a third correspondence.

[0236] Steps 1210-1230 are described in detail below.

[0237] The authorization process information configuration instruction is an instruction issued by an object to configure the authorization process information of the authorization process belonging to each process group.

[0238] The authorization process information configuration interface is used to provide objects with interactive operations to configure the specific content of each authorization process information.

[0239] In step 1210, based on the authorization process information configuration instruction issued by the object for the processes under the process group, the key management server 110 will display the authorization process information configuration interface.

[0240] In step 1220, in the authorization process information configuration interface, the object can perform input operations in each information configuration input area of ​​the authorization process information configuration interface. The key management server 110 will receive the specific content of the input authorization process information and generate the authorization process information of each process under the process group.

[0241] It should be noted that the authorization process information includes the authorization process version number, authorization process name, authorization process execution path, authorization process execution object identifier, and authorization process file digest. The authorization process version number identifies the current version of the authorization process. The authorization process name refers to the specific name of the authorization process, and the authorization process execution path indicates the storage location of the corresponding authorization process file. The authorization process execution object identifier identifies the object capable of running the authorization process. The authorization process file digest is the result of signing the authorization process information, which reduces the risk of the authorization process information being stolen or tampered with.

[0242] In step 1230, the key management server 110 constructs a correspondence between process groups and authorized process information based on the hierarchical relationship between process groups and authorized process information, and stores all correspondences between process groups and authorized process information in the form of a data table to obtain a third correspondence table.

[0243] like Figure 13As shown, in the authorized process information configuration interface, based on the object's input in the authorized process version number input area, the key management server 110 determines the authorized process version number as "Xxxx2". Based on the object's input in the authorized process name input area, the key management server 110 determines the authorized process name as "m1". Based on the object's input in the authorized process execution path input area, the key management server 110 determines the authorized process execution path as "D\xx1". Based on the object's input in the authorized process execution object identifier input area, the key management server 110 determines the authorized process execution object identifier as "Yy1". Based on the input authorized process execution path and authorized process name, the key management server 110 queries the specific authorized process file and performs a digest operation on the authorized process file, obtaining the authorized process file digest as "Qdq154". After the object completes the input of the authorized process information, it clicks the "OK" button. The key management server 110 responds to the object's selection operation and completes the configuration of the authorized process information for the processes under the process group.

[0244] Furthermore, the authorized process information configuration interface includes prompts for the input of the authorized process name and authorized process execution path. Specifically, below the authorized process name input area, there is a prompt field stating, "It is recommended to enter the name of the process at runtime; otherwise, any process may have permission to access the key." Below the authorized process execution path input area, there is a prompt field stating, "Authorized process name and authorized process execution path; at least one must be entered." These prompt fields guide the user's input operations, making the input information more reasonable.

[0245] Through steps 1210-1230 above, the key management server 110 of this embodiment provides an authorization process information configuration interface. This interface receives the specific content of the authorization process information for each process under a process group, thereby generating complete authorization process information and effectively improving the accuracy and rationality of the authorization process information. Furthermore, a third correspondence table can be constructed based on the correspondence between the authorization process information and the process group, enabling the retrieval of the authorization process information corresponding to each process group based on the third correspondence table, thus improving the efficiency of querying the authorization process information corresponding to the authorization key.

[0246] Detailed description of step 330

[0247] In step 330, in response to the key acquisition request, the target process information of the target process is acquired.

[0248] In this specific implementation, the key acquisition request includes a target process identifier. This identifier distinguishes different target processes and is unique; each target process corresponds to a single identifier, and the identifiers for different target processes are different. The target process identifier can be a Process Identity Document (PID) for that target process. One PID can identify one target process, and the value of the PID is typically a non-zero integer.

[0249] like Figure 14 As shown, in some embodiments, the process of obtaining target process information of a target process in response to a key acquisition request includes, but is not limited to, the following steps 1410 to 1420.

[0250] Step 1410: Obtain the target process identifier from the key acquisition request;

[0251] Step 1420: Obtain target process information based on the target process identifier.

[0252] Steps 1410-1420 are described in detail below.

[0253] In step 1410, since the key acquisition request is triggered by the target process when it needs to obtain an authorization key, and different target processes often have different process tasks to perform, in order to distinguish the identities of different target processes, when sending a key acquisition request, the target process often sends its own target process identifier to the key management agent 120 along with the key acquisition request through a preset protocol. Therefore, the key management agent 120 can obtain the target process identifier used to represent the identity of the target process from the key acquisition request.

[0254] For example, when a target process sends a key acquisition request using key management software, it often sends its own target process identifier to the key management agent 120 via the Unix SOCK protocol.

[0255] It should be noted that the key authorization and authentication method is executed by the key management agent 120, which has permission to read the process runtime status. The process runtime status indicates the resources required for the target process to operate normally, and may include specific process information about the target process. The permission to read the process runtime status restricts the key management agent 120 from reading the specific process information within the process runtime status.

[0256] Specifically, the target process information includes the target process execution object identifier, the target process name, the target process execution path, and the target process file digest. The target process execution object identifier identifies the object capable of running the target process. The target process name refers to the specific name of the target process. The target process execution path indicates the storage location of the target process file corresponding to the target process. The target process file digest is the result of signing the target process information; it reduces the risk of the target process information being stolen or tampered with, thus improving the security of the target process information.

[0257] The following is combined with Figure 15 , Figure 16 The process of obtaining target process information based on the target process identifier is described in detail.

[0258] like Figure 15 As shown, in some embodiments, the process of obtaining target process information based on the target process identifier includes, but is not limited to, the following steps 1510 to 1540.

[0259] Step 1510: Obtain the target process execution object identifier corresponding to the target process identifier;

[0260] Step 1520: Use the process running status read permission to read the running status of the target process corresponding to the target process identifier;

[0261] Step 1530: Obtain the target process name and the target process execution path from the target process running status;

[0262] Step 1540: Obtain the target process file according to the target process name and the target process execution path, and perform a digest operation on the target process file to obtain the target process file digest.

[0263] Steps 1510-1540 are described in detail below.

[0264] In step 1510, since there is a mapping relationship between the target process identifier and the target process execution object identifier, the key service management 120 can query based on the target process identifier to obtain the target process execution object identifier corresponding to the target process identifier.

[0265] In step 1520, since the key service management 120 has the permission to read process running status, and there is a corresponding relationship between the process running status and the process identifier of each process, the key service management 120 can use the process running status reading permission to read the process running status of multiple processes, and determine the target process running status corresponding to the target process identifier from the read process running status. The target process running status includes the target process name and the target process execution path.

[0266] In step 1530, since the target process running status includes the target process name and the target process execution path, the key service management 120 can directly obtain the target process name and the target process execution path from the target process running status.

[0267] In step 1540, a file query is performed based on the target process execution path and the target process name to obtain the target process file at the storage location indicated by the target process execution path; then, a digest algorithm is used to perform a digest operation on the target process file to obtain the target process file digest.

[0268] It should be noted that the above-mentioned hash algorithm can be Poseidon hash algorithm, MD5 hash algorithm, or other types of hash algorithm, without restriction.

[0269] like Figure 16 As shown, firstly, the target process uses key algorithm software to access the key management agent 120 via a protocol and sends a key acquisition request to the key management agent 120. Next, the key management agent 120 obtains the target process identifier from the key acquisition request. Further, the key management agent 120, with permission to read the process execution status, reads the target process execution status corresponding to the target process identifier. Further, the key management agent 120 calculates the target process execution object identifier, target process name, target process execution path, and target process file digest of the target process in real time based on the target process execution status. Further, the key management agent 120 compares the target process execution object identifier, target process name, target process execution path, and target process file digest of the target process with the authorized process execution object identifier, authorized process name, authorized process execution path, and authorized process file digest of the authorized process information one by one, obtaining the matching authorized process information from multiple authorized process information sets. Finally, the authorized key corresponding to the matching authorized process information is sent to the target process.

[0270] Through the above steps 1510-1540, the key management agent of this embodiment can obtain the target process identifier from the key acquisition request; further, by utilizing the process running status reading permission, the target process running status corresponding to the target process identifier is read, and based on the target process running status, the specific content of the target process information is obtained, which can effectively improve the efficiency and comprehensiveness of the target process information acquisition, thereby enabling detailed comparison between the target process information and the authorized process information, and improving the accuracy of the information comparison.

[0271] Detailed description of step 340

[0272] In step 340, the target process information is compared with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information.

[0273] In this specific implementation, the target process information includes the target process execution object identifier, the target process name, the target process execution path, and the target process file summary; the authorized process information includes the authorized process execution object identifier, the authorized process name, the authorized process execution path, and the authorized process file summary. Therefore, when comparing the target process information with multiple authorized process information, either a portion of the target process information can be compared with the authorized process information, or all of the target process information can be compared with the authorized process information.

[0274] In one embodiment, one or more of the following information from the target process information—target process execution object identifier, target process name, target process execution path, and target process file summary—can be randomly selected as comparison items. Next, the corresponding authorized process execution object identifier, authorized process name, authorized process execution path, and authorized process file summary are selected from the authorized process information for process information comparison. If all the selected comparison items are identical, the authorized process information is determined to be the matching authorized process information.

[0275] This method effectively improves information comparison efficiency by selecting a portion of the target process information as comparison items and comparing only those items.

[0276] In another embodiment, each piece of information in the target process information and the authorized process information can be compared one by one. If one of the authorized process information contains the same authorized process execution object identifier as the target process execution object identifier, the same authorized process name as the target process name, the same authorized process execution path as the target process execution path, and the same authorized process file digest as the target process file digest, then the authorized process information is determined to be the matching authorized process information.

[0277] This method compares each piece of information in the target process information and the authorized process information one by one, which enables the matching authorized process information and the target process information to have a high degree of information overlap, thus improving the accuracy of information comparison.

[0278] The process of comparing process information based on key identifiers

[0279] Because the amount of authorized process information is large, randomly comparing each piece of authorized process information with the target process information would often be time-consuming, leading to low comparison efficiency and affecting the efficiency of the target process in obtaining the authorization key. Therefore, this embodiment of the disclosure considers that a key identifier can uniquely identify the authorization key. This embodiment provides a scheme for comparing the target process information with multiple authorized process information based on the key identifier, which can improve the information comparison efficiency and thus improve the efficiency of the target process in obtaining the authorization key.

[0280] In some embodiments, step 310 includes:

[0281] Obtain the authorization key, the key identifier corresponding to the authorization key, and the authorization process information corresponding to the authorization key on the target terminal.

[0282] In this specific implementation, while obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key, the key identifier corresponding to the authorization key is also obtained. The specific implementation process for obtaining the key identifier corresponding to the authorization key is similar to the specific implementation process for obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key in step 310 above. For the sake of brevity, it will not be described in detail again.

[0283] In some embodiments, step 320 includes:

[0284] Obtain the target process identifier and the target key identifier from the key acquisition request.

[0285] In this specific implementation, while obtaining the target process identifier from the key acquisition request, the target key identifier is also obtained from the key acquisition request. The target key identifier refers to the key identifier corresponding to the target key required by the target process during encryption. The specific implementation process of obtaining the target key identifier from the key acquisition request is similar to the specific implementation process of obtaining the target process identifier from the key acquisition request in step 1410 above. For the sake of brevity, it will not be described again.

[0286] like Figure 17 As shown, in some embodiments, the process of comparing the target process information with multiple authorized process information based on the key identifier includes, but is not limited to, the following steps 1710 to 1720.

[0287] Step 1710: From multiple authorization process information, obtain candidate authorization process information whose key identifiers corresponding to the authorization key are consistent with the target key identifier;

[0288] Step 1720: If the target process information is consistent with the candidate authorized process information, the candidate authorized process information is determined as the matching authorized process information.

[0289] Steps 1710-1720 are described in detail below.

[0290] In step 1710, since each authorized process information has a corresponding authorized key, the key identifier of the authorized key can be used as the criterion for determining whether the authorized process information meets the requirements. Specifically, firstly, the key identifier corresponding to the authorized key is compared with the target key identifier; then, among multiple authorized process information, the authorized process information whose key identifier matches the target key identifier is selected as candidate authorized process information. Compared to authorized process information whose key identifier does not match the target key identifier, the probability of candidate authorized process information matching the target process information is higher.

[0291] In step 1720, the target process information can be compared with the candidate authorized process information; if the target process information and the candidate authorized process information are consistent, the candidate authorized process information is determined as the matching authorized process information. The specific implementation process of comparing the target process information with the candidate authorized process information is similar to the specific implementation process of comparing the specific content of the target process information with the specific content of the authorized process information described earlier. For the sake of brevity, it will not be repeated here.

[0292] In other embodiments, if the target process information and the candidate authorized process information are inconsistent, then among the multiple authorized process information, the candidate authorized process information whose key identifier corresponding to the authorized key is inconsistent with the target key identifier is obtained; if the target process information and the candidate authorized process information are consistent, the candidate authorized process information is determined as the matching authorized process information. The specific implementation process of this embodiment is similar to steps 1710-1720 above, the difference being that this process compares the candidate authorized process information whose key identifier corresponding to the authorized key is inconsistent with the target key identifier with the target process information, while step 1720 compares the candidate authorized process information whose key identifier corresponding to the authorized key is consistent with the target key identifier with the target process information. For the sake of brevity, further details are omitted.

[0293] Through steps 1710-1720 above, this embodiment of the disclosure takes into account the uniqueness of the key identifier of each authorization key. It prioritizes acquiring candidate authorization process information whose key identifier matches the target key identifier, and compares this candidate authorization process information with the target process information. This allows for priority comparison of candidate authorization process information with a higher matching probability. If the target process information matches a candidate authorization process information, the candidate authorization process information is directly identified as the matching authorization process information. There is no need to further compare authorization process information with inconsistent key identifiers with the target process information, reducing the number of authorization process information pieces that need to be compared, effectively shortening the information comparison time, and thus improving the efficiency of the target process in acquiring the authorization key.

[0294] It should be noted that the key identifier corresponding to the authorized key in this embodiment is obtained based on the authorized key reference fourth correspondence table. The fourth correspondence table is generated by the key management server 110 and is used to indicate the fourth correspondence between the authorized key and the key identifier.

[0295] The following is combined with Figure 18 , Figure 19A -C provides a detailed description of the process by which the key management server 110 generates the fourth correspondence.

[0296] like Figure 18 As shown, in some embodiments, the process by which the key management server 110 generates the fourth correspondence includes, but is not limited to, the following steps 1810 to 1840.

[0297] Step 1810: Display the authorization key configuration interface;

[0298] Step 1820: Receive the input key identifier in the key identifier input area;

[0299] Step 1830: In response to selecting the random generation method using the authorization key generation method selection control, a random authorization key is generated;

[0300] Step 1840: Store the authorization key and key identifier as a fourth correspondence.

[0301] Steps 1810-1840 are described in detail below.

[0302] In step 1810, an authorization key configuration interface will be displayed on the key management terminal 140 of the key management server 110. This interface is used for interactive operations by objects, such as individuals or smart assistants, who want to construct authorization key information through interaction with the interface. The authorization key configuration interface includes a key identifier input area and an authorization key generation method selection control. The key identifier input area is used for the object to input a key identifier, and the authorization key generation method selection control is used for the object to select a specific authorization key generation method.

[0303] Furthermore, the authorization key configuration interface also includes a business input area and a responsible object input area. The business input area is used to provide the object with the business type and business segment to which the key is applied; the responsible object input area is used to provide the object with the person responsible for key management. By setting the business input area and the responsible object input area, it is relatively easy to determine the business type to which the key applies and the object responsible for key management, so that when the key needs to be modified or deleted, the responsible object can be notified in a timely manner for processing.

[0304] like Figure 19A As shown in -B, there are two authorization key configuration interfaces. The first authorization key configuration interface includes a department input area, a key identifier input area, and a key acquisition method selection control. The second authorization key configuration interface includes a validity period selection control, a key algorithm version selection control, an authorization key generation method selection control, and a key value input area.

[0305] In step 1820, based on the input operation of the object in the key identifier input area, the key management server 110 receives the input key identifier.

[0306] like Figure 19A As shown, in the first authorized key configuration interface, based on the object's input operation in the key identifier input area, the key management server 110 receives the input key identifier as "Key21". Further, based on the object's input operation in the department input area, the key management server 110 receives the input department as "Xxxx Department". Further, based on the object's input operation in the business input area, the key management server 110 receives the input business as "Xxxx". Further, based on the object's input operation in the responsible object input area, the key management server 110 receives the input responsible object as "XXx". Based on the object's selection operation in the key acquisition method selection control, the key management server 110 determines the key acquisition method to "Allow direct API acquisition". Finally, based on the object's selection operation in the "Next" control, the key management server 110 will jump to the next authorized key configuration interface.

[0307] In step 1830, in the second authorization key configuration interface, the object can use the authorization key generation method selection control to select either manual input or random generation to generate a key. Specifically, when the object selects the random generation method using the authorization key generation method selection control, the key management server 110 responds by randomly generating an authorization key in a random manner.

[0308] like Figure 19B As shown, when an object clicks the "Next" button in the first authorized key configuration interface, the key management server 110 will respond to the object's click operation and jump to the second authorized key configuration interface. In the second authorized key configuration interface, a selection control is displayed to indicate whether to enter a key value. When the object chooses not to enter a new key value, in response to selecting "not enter" using the key value selection control, the object does not need to enter any other content in the second authorized key configuration interface. When the object chooses to enter a new key value, in response to selecting "enter" using the key value selection control, the key management server 110 will prompt the object to continue entering the relevant key value information. Specifically, based on the object's date selection operation in the validity period selection control, the key management server 110 will determine the effective time and expiration time of the authorized key. Based on the object's selection operation in the key algorithm version selection control, the key management server 110 will determine the key algorithm version of the authorized key as "Xxxx". Based on the object's selection of random generation method using the authorized key generation method selection control, the key management server 110 will randomly generate the key value "Qaz##58714". After the object enters the key information of the authorized key, it clicks the "Submit" button. The key management server 110 will generate key information for this authorization key in response to the object selection operation.

[0309] Furthermore, the second authorization key configuration interface also includes various prompt fields. Specifically, below the validity period selection control, a prompt field appears: "Prompt: The key will not be obtained before the effective time. (Please enter the actual validity period of the certificate key)". Below the key algorithm version selection control, a prompt field appears: "Prompt: Please select manual input for the std algorithm". Below the key value input area, a prompt field appears: "Prompt: If you choose not to enter a new key value for now, none of the above needs to be filled in". In addition, a "How to select?" selection control is set behind the key algorithm version selection control to provide guidance on key algorithm version selection in response to the user's click on the "How to select?" selection control.

[0310] In step 1840, the key management server 110 constructs a one-to-one correspondence between key identifiers and authorized keys based on the key identifiers in the key information of each authorized key, and stores the correspondence between all authorized keys and key identifiers in the form of a data table to obtain a fourth correspondence table.

[0311] like Figure 19C As shown, in the fourth correspondence, the key identifiers include identifier 1, identifier 2, identifier 3, identifier 4, identifier 5, ..., identifier n; the authorization keys include authorization key 1, authorization key 2, authorization key 3, authorization key 4, authorization key 5, ..., authorization key n, where n is a positive integer greater than 5. Specifically, identifier 1 corresponds to authorization key 1; identifier 2 corresponds to authorization key 2; identifier 3 corresponds to authorization key 3; identifier 4 corresponds to authorization key 4; identifier 5 corresponds to authorization key 5; and identifier n corresponds to authorization key n.

[0312] Through steps 1810-1840 above, the key management server 110 of this embodiment provides an authorization key configuration interface. This interface receives key identifiers input by objects and generates specific key values ​​based on the authorization key generation method selected by the object, effectively improving the accuracy and rationality of the authorization key information. Furthermore, based on the correspondence between authorization keys and key identifiers, a fourth correspondence table is generated, enabling the acquisition of the key identifier for each authorization key. This improves the efficiency of key identifier acquisition and, consequently, enhances the efficiency of filtering candidate authorization process information based on key identifiers and target key identifiers.

[0313] The process of selecting an authorization key based on the validity period of the authorization key

[0314] Since authorization keys have an expiration date, if the expiration date of the authorization key does not meet the time requirements of the target process, the authorization key often cannot meet the key authorization and authentication requirements of the target process. Therefore, comparing the authorization process information corresponding to each authorization key with the target process information one by one often wastes a lot of time and results in low efficiency in obtaining authorization keys. Based on this, embodiments of this disclosure also provide a scheme for selecting authorization keys based on the expiration date, which can effectively filter out authorization keys with expiration dates that do not meet the requirements, as well as the authorization process information corresponding to the invalid authorization keys, thereby improving the efficiency of information comparison.

[0315] In some embodiments, the process of selecting an authorization key based on the validity period of the authorization key includes, but is not limited to, the following steps:

[0316] Obtain the effective and expiration times of each authorization key;

[0317] From multiple authorization keys, select the authorization key whose effective time is earlier than the current time and whose expiration time is later than the current time, along with the authorization process information corresponding to the authorization key.

[0318] In this specific implementation, since each authorized process information has a corresponding authorized key, the effective time and expiration time of the authorized key can be used as the criteria for determining whether the authorized process information meets the requirements. The specific implementation process for obtaining the effective time and expiration time of the authorized key is similar to the specific implementation process for obtaining the authorized key and the corresponding authorized process information on the target terminal in step 310 above. For the sake of brevity, it will not be described in detail again.

[0319] In some embodiments, the process of selecting, from a plurality of authorization keys, authorization keys whose effective time is earlier than the current time and whose expiration time is later than the current time, and authorization process information corresponding to the authorization keys, includes, but is not limited to, the following steps:

[0320] Compare the effective time of each authorized key with the current time;

[0321] Filter out authorization keys whose effective time is later than the current time to obtain intermediate authorization keys;

[0322] Compare the expiration time of each intermediate authorization key with the current time;

[0323] Filter out intermediate authorization keys whose expiration time is earlier than the current time to obtain the filtered authorization key;

[0324] Obtain the filtered authorization key and the authorization process information corresponding to the filtered authorization key.

[0325] In this specific implementation, the effective time of the intermediate authorization key meets the requirements. The effective and expiration times of the filtered authorization keys also meet the requirements. First, the effective time of each authorization key is compared with the current time. If the effective time of an authorization key is later than the current time, it means that the authorization key is not yet effective, and the target process cannot use this authorization key for encryption. Therefore, authorization keys with effective times later than the current time are filtered out to obtain the intermediate authorization key. Next, the expiration time of each intermediate authorization key is compared with the current time. If the expiration time of an intermediate authorization key is earlier than the current time, it means that the authorization key has expired, and the target process cannot use this authorization key for encryption. Therefore, intermediate authorization keys with expiration times earlier than the current time can be filtered out to obtain the filtered authorization key. Finally, the filtered authorization key and the authorization process information corresponding to the filtered authorization key are obtained; the authorization process information corresponding to the filtered authorization key is used as the information for comparison with the target process information.

[0326] In the above manner, the embodiments of this disclosure can utilize the effective time and expiration time of the authorization key to filter authorization keys and authorization process information, filter out authorization keys whose validity period does not meet the requirements, and authorization process information corresponding to authorization keys that do not meet the requirements, reduce the number of authorization keys and authorization process information obtained from the key management server, effectively reduce the number of authorization process information that needs to be compared, and improve the efficiency of the target process in obtaining authorization keys.

[0327] A detailed description of another process for obtaining matching authorization process information from multiple authorization process information.

[0328] Since the authorized process information includes the authorized process execution object identifier, the authorized process name, and the authorized process execution path, and the target process information includes the target process execution object identifier, the target process name, and the target process execution path, comparing each piece of information in the target process information and the authorized process information one by one would result in low comparison efficiency. Therefore, this disclosure provides a scheme for obtaining matching authorized process information from multiple authorized process information based on a matching score, which can improve the information comparison efficiency.

[0329] like Figure 20 As shown, in some embodiments, the process of obtaining matching authorization process information from multiple authorization process information includes, but is not limited to, the following steps 2010-2040:

[0330] Step 2010: Determine the first matching score based on the target process execution object identifier and the authorized process execution object identifier;

[0331] Step 2020: Determine the second matching score based on the target process name and the authorized process name;

[0332] Step 2030: Determine the third matching score based on the execution path of the target process and the execution path of the authorized process;

[0333] Step 2040: Based on the first matching score, the second matching score, and the third matching score, obtain the matching authorization process information from multiple authorization process information.

[0334] Steps 2010-2040 are described in detail below.

[0335] In step 2010, it is first determined whether the target process execution object identifier and the authorized process execution object identifier are the same. If the target process execution object identifier and the authorized process execution object identifier are the same, then the first matching score is determined as the first score. If the target process execution object identifier and the authorized process execution object identifier are different, it is determined whether the execution objects indicated by the target process execution object identifier and the authorized process execution object identifier belong to the same department. If the execution objects indicated by the target process execution object identifier and the authorized process execution object identifier belong to the same department, then the first matching score is determined as the second score. If the execution objects indicated by the target process execution object identifier and the authorized process execution object identifier do not belong to the same department, then the first matching score is determined as the third score. The first score is higher than the second score, and the second score is higher than the third score.

[0336] For example, if the target process execution object identifier and the authorized process execution object identifier are the same, the first match score is 1. If the target process execution object identifier and the authorized process execution object identifier are different, but the execution objects indicated by the target process execution object identifier and the authorized process execution object identifier belong to the same department, the first match score is 0.5. If the target process execution object identifier and the authorized process execution object identifier are different, and the execution objects indicated by the target process execution object identifier and the authorized process execution object identifier do not belong to the same department, the first match score is 0.

[0337] In step 2020, it is first determined whether the target process name and the authorized process name are the same. If the target process name and the authorized process name are the same, the second matching score is determined as the fourth score. If the target process name and the authorized process name are different, it is determined whether the target process name and the authorized process name belong to the same process group. If the target process name and the authorized process name belong to the same process group, the second matching score is determined as the fourth score. If the target process name and the authorized process name do not belong to the same process group, the second matching score is determined as the sixth score. The fourth score is higher than the fifth score, and the fifth score is higher than the sixth score.

[0338] For example, if the target process name and the authorized process name are the same, the second match score is 1. If the target process name and the authorized process name are different, but they belong to the same process group, the second match score is 0.8. If the target process name and the authorized process name are different, and the execution object identifiers of the target process and the authorized process do not belong to the same process group, the second match score is 0.

[0339] In step 2030, since both the target process execution path and the authorized process execution path are strings, they are first vectorized to obtain vector forms of the target process execution path and the authorized process execution path. Next, the similarity between the vector forms of the target process execution path and the authorized process execution path is calculated, and this similarity is used as the third matching score.

[0340] Furthermore, when using the cosine similarity algorithm to calculate the similarity between the target process execution path and the authorized process execution path in vector form, the similarity is directly used as the third matching score. When using the Euclidean distance method to calculate the similarity between the target process execution path and the authorized process execution path in vector form, since a smaller Euclidean distance indicates a higher similarity between the vectors, the reciprocal of the Euclidean distance between the target process execution path and the authorized process execution path in vector form is used as the similarity, thus obtaining the third matching score.

[0341] In step 2040, matching authorization process information can be obtained from multiple authorization process information based on one of the first matching score, second matching score, and third matching score. Alternatively, matching authorization process information can be obtained from multiple authorization process information based on a combination of two of the first, second, and third matching scores. It is also possible to obtain matching authorization process information from multiple authorization process information based on the first, second, and third matching scores together. There are no restrictions.

[0342] Through the steps 2010-2040 described above, this embodiment of the disclosure determines a first matching score using the target process execution object identifier and the authorized process execution object identifier; determines a second matching score using the target process name and the authorized process name; and determines a third matching score using the target process execution path and the authorized process execution path. This achieves the effect of obtaining matching authorized process information from multiple authorized process information based on the matching score, effectively improving information comparison efficiency. Furthermore, quantifying the matching situation between target process information and authorized process information using the matching score can also improve the accuracy of information comparison, thereby improving the accuracy of the obtained matching authorized process information.

[0343] Because obtaining matching authorization process information from multiple authorization process information solely based on the first matching score, or solely based on the second matching score, or solely based on the third matching score, cannot comprehensively reflect the matching situation between the target process information and the authorization process information, leading to inaccurate matching authorization process information, this disclosure provides a scheme that combines the first matching score, the second matching score, and the third matching score to obtain matching authorization process information from multiple authorization process information. This scheme can more comprehensively quantify the matching situation between the target process information and the authorization process information, improving the accuracy of information comparison.

[0344] like Figure 21 As shown, in some embodiments, the process of obtaining matching authorization process information from multiple authorization process information based on the first matching score, the second matching score, and the third matching score includes, but is not limited to, the following steps 2110-2120:

[0345] Step 2110: Perform a weighted sum operation on the first matching score, the second matching score, and the third matching score to obtain the total matching score;

[0346] Step 2120: Based on the total matching score, obtain the matching authorization process information from multiple authorization process information.

[0347] Steps 2110-2120 are described in detail below.

[0348] In step 2110, firstly, a first weight corresponding to the first matching score, a second weight corresponding to the second matching score, and a third weight corresponding to the third matching score are set. The first weight characterizes the importance of the process execution object identifier in the information comparison; the second weight characterizes the importance of the process name in the information comparison; and the third weight characterizes the importance of the process execution path in the information comparison. Next, the first weight and the first matching score are multiplied to obtain the first weighted matching score; the second weight and the second matching score are multiplied to obtain the second weighted matching score; and the third weight and the third matching score are multiplied to obtain the third weighted matching score. Finally, the first weighted matching score, the second weighted matching score, and the third weighted matching score are added together to obtain the total matching score.

[0349] In step 2120, the methods for obtaining matching authorization process information from multiple authorization process information based on the total matching score include, but are not limited to, the following:

[0350] Method 1: Based on the total matching score, randomly select several authorized process information from the authorized process information whose total matching score is higher than the preset threshold as the matching authorized process information. The preset threshold is determined according to the actual business needs and is not restricted.

[0351] Method 2: Sort the authorized process information in descending order according to the total matching score. Randomly select a number of authorized process information from the top-ranked authorized process information as the matching authorized process information. The pre-ranked order is determined according to actual business needs and is not restricted.

[0352] Through the above steps 2110-2120, this embodiment of the disclosure obtains matching authorization process information from multiple authorization process information based on the first matching score, the second matching score, and the third matching score. It can more comprehensively reflect the matching situation of target process information and authorization process information from the matching situation of multiple information, thereby improving the accuracy of information comparison and improving the accuracy of the obtained matching authorization process information.

[0353] Detailed description of a process for comparing encryption algorithm versions of an authorization key according to an embodiment of this disclosure.

[0354] Since different authorization keys use different encryption versions, and different target processes have different requirements for encryption algorithms when encrypting data, if the encryption version used by the authorization key does not meet the actual needs of the target process, the target process will be unable to use the authorization key for data encryption normally, which will affect the normal operation of the target process. Therefore, this disclosure provides a scheme for comparing the encryption algorithm versions of authorization keys, which can effectively determine whether the encryption algorithm version of the authorization key and the encryption algorithm version applied by the authorization key are consistent, thereby improving the working stability of the target process.

[0355] To improve the efficiency of querying the encryption algorithm version of the authorization key, the first encryption algorithm version corresponding to the authorization key is obtained simultaneously with the authorization key on the target terminal and the authorization process information corresponding to the authorization key. The specific implementation process of obtaining the first encryption algorithm version corresponding to the authorization key is similar to the specific implementation process of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key in step 310 above. For the sake of brevity, it will not be elaborated further.

[0356] It should be noted that the first encryption algorithm version is the encryption algorithm used when encrypting data using the authorized key.

[0357] like Figure 22 As shown, in some embodiments, the process of comparing the encryption algorithm version of the authorization key includes, but is not limited to, steps 2210 to 2220.

[0358] Step 2210: Receive the encryption algorithm version verification request from the target process during the encryption process using the authorized key;

[0359] Step 2220: If the second encryption algorithm version is consistent with the first encryption algorithm version, send an encryption algorithm version verification success response to the target process.

[0360] Steps 2210-2220 are described in detail below.

[0361] In step 2210, the encryption algorithm version verification request is triggered by the target process wanting to verify the encryption algorithm version of the authorization key. The encryption algorithm version verification request includes a second encryption algorithm version applied to the authorization key; this second encryption algorithm version is the encryption algorithm the target process intends to use when encrypting data.

[0362] Because the target process often needs to determine whether the encryption algorithm version of the authorization key meets the requirements when using it for encryption, it sends an encryption algorithm version verification request to the key management agent during the encryption process. The key management agent then verifies the encryption algorithm version of the authorization key based on the received request.

[0363] In step 2220, the key management agent compares the first encryption algorithm version and the second encryption algorithm version. If the second encryption algorithm version is inconsistent with the first encryption algorithm version, it indicates that the encryption algorithm provided by the authorized key does not meet the encryption requirements of the target process. In this case, the key management agent sends an encryption algorithm version verification failure response to the target process. If the second encryption algorithm version is consistent with the first encryption algorithm version, it indicates that the encryption algorithm provided by the authorized key meets the encryption requirements of the target process. In this case, the key management agent sends an encryption algorithm version verification success response to the target process.

[0364] Through the above steps 2210-2220, the embodiments of this disclosure can conveniently compare the second encryption algorithm version applied by the authorized key with the first encryption version of the authorized key according to the encryption algorithm version verification request sent by the target process. This can effectively detect the application of the authorized key and send a verification response to the target process in a timely manner based on the comparison results, thereby improving the stability of the target process's encryption using the authorized key.

[0365] Detailed description of the implementation details of key authorization and authentication in the embodiments of this disclosure

[0366] The following reference Figure 23 This document describes in detail a specific implementation process of the key authorization and authentication method according to the embodiments of this disclosure, including but not limited to the following steps 2301 to 2319.

[0367] Step 2301: Input the key identifier for the object;

[0368] Step 2302: Random generation method for object selection control;

[0369] Step 2303: The key management server responds to the object selection control's random generation method and randomly generates an authorization key;

[0370] Step 2304: The key management server generates a fourth correspondence table based on the authorization key and key identifier;

[0371] Step 2305: Object input process group identifier;

[0372] Step 2306: The key management server sends a second request to the process group deployment node;

[0373] Step 2307: The process group deployment node responds to the second request by sending the terminal address to the key management server;

[0374] Step 2308: The key management server generates a first correspondence table based on the process group identifier and the terminal address;

[0375] Step 2309: Select the authorization key for the object;

[0376] Step 2310: Authorize the process group for object input;

[0377] Step 2311: The key management server generates a second correspondence table based on the authorization key and process group;

[0378] Step 2312: Input authorization process information for the target;

[0379] Step 2313: The key service manager generates a third correspondence table based on process group and authorized process information;

[0380] Step 2314: The key management agent requests the authorization key and the corresponding authorization process information from the key management server based on the terminal address.

[0381] Step 2315: The key management server queries the first correspondence table, the second correspondence table, and the third correspondence table based on the terminal address, and sends the authorization key corresponding to the terminal address and the authorization process information corresponding to the authorization key to the key management agent.

[0382] Step 2316: The target process sends a key acquisition request to the key management agent;

[0383] Step 2317: The key management agent responds to the key acquisition request and obtains the target process information of the target process;

[0384] Step 2318: The key management agent compares the target process information with the information of multiple authorized processes to obtain the matching authorized process information;

[0385] Step 2319: The key management agent sends the authorization key corresponding to the authorized process information to the target process.

[0386] It is understood that the specific processes of steps 2301-2304 are similar to steps 1810-1840 in the above embodiments. The specific processes of steps 2305-2308 are similar to steps 710-740 in the above embodiments. The specific processes of steps 2309-2311 are similar to steps 1010-1040 in the above embodiments. The specific processes of steps 2312-2313 are similar to steps 1210-1230 in the above embodiments. The specific process of step 2314 is similar to step 310 in the above embodiments. The specific process of step 2315 is similar to steps 510-530 in the above embodiments. The specific process of step 2316 is similar to step 320 in the above embodiments. The specific process of step 2317 is similar to step 330 in the above embodiments. The specific process of step 2318 is similar to step 340 in the above embodiments. The specific process of step 2319 is similar to step 350 in the above embodiments. To save space, these will not be described in detail here.

[0387] Description of apparatus and devices according to embodiments of this disclosure

[0388] It is understood that although the steps in the above flowcharts are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated in this embodiment, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the above flowcharts may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps.

[0389] It should be noted that in various specific embodiments of this application, when processing is required based on data related to the characteristics of the target object, such as target object attribute information or a set of attribute information, the permission or consent of the target object will be obtained first. Furthermore, the collection, use, and processing of this data will comply with relevant laws, regulations, and standards. In addition, when embodiments of this application require obtaining target object attribute information, separate permission or consent from the target object will be obtained through pop-ups or redirection to a confirmation page. Only after obtaining the target object's separate permission or consent will the necessary target object-related data for the normal operation of the embodiments of this application be obtained.

[0390] Figure 24A schematic diagram of the structure of a key authorization and authentication device 2400 provided in an embodiment of this disclosure. The key authorization and authentication device 2400 includes:

[0391] The first acquisition unit 2410 is used to acquire the authorization key on the target terminal and the authorization process information corresponding to the authorization key;

[0392] The first receiving unit 2420 is used to receive a key acquisition request from the target process on the target terminal;

[0393] The second acquisition unit 2430 is used to acquire target process information of the target process in response to a key acquisition request;

[0394] The third acquisition unit 2440 is used to compare the target process information with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information;

[0395] Return unit 2450 is used to return the authorization key corresponding to the matching authorized process information to the target process.

[0396] Optionally, the first acquisition unit 2410 is specifically used for:

[0397] Send a first request to the key management server. The first request contains the target terminal address of the target terminal.

[0398] The key management server receives the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key, sent in response to the first request.

[0399] Optionally, the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key are determined by the key management server in the following ways:

[0400] Based on the first correspondence table, the target process group corresponding to the target terminal address is determined. The first correspondence table indicates the first correspondence between the terminal address and the process group.

[0401] Based on the second correspondence table, the authorization key corresponding to the target process group is determined as the authorization key corresponding to the target terminal address. The second correspondence table indicates the second correspondence between the process group and the authorization key.

[0402] Based on the third correspondence table, the authorized process information corresponding to the target process group is determined as the authorized process information corresponding to the authorization key. The third correspondence table indicates the third correspondence between the process group and the authorized process information of the processes contained in the process group.

[0403] Optionally, the first correspondence is pre-generated on the key management server in the following manner:

[0404] The process group configuration interface is displayed, which includes a process group identifier input area and a terminal address input area for the process group application.

[0405] In the process group identifier input area, receive the input process group identifier;

[0406] In the terminal address input area, receive the input terminal address;

[0407] Store the process group corresponding to the input process group identifier and the input terminal address as the first correspondence.

[0408] Optionally, the first correspondence is pre-generated on the key management server in the following manner:

[0409] For each process group, a second request is sent to the process group deployment management node. The second request contains the process group identifier of the process group.

[0410] The terminal address corresponding to the process group identifier is sent by the process group deployment management node in response to the second request;

[0411] Store the process group and the received terminal address as the first correspondence.

[0412] Optionally, the second correspondence is pre-generated on the key management server in the following manner:

[0413] Receive the selection of the authorization key;

[0414] In response to a process group input command for the selected authorization key, the process group input area is displayed;

[0415] The process group input area is the process group that receives input.

[0416] Store the input process group and the authorization key as a second correspondence.

[0417] Optionally, the third correspondence is pre-generated on the key management server in the following manner:

[0418] In response to an instruction to configure authorized process information for processes under a process group, the authorized process information configuration interface is displayed.

[0419] The authorization process information configuration interface receives the input authorization process information;

[0420] Store the process group and authorized process information as a third-party correspondence.

[0421] Optionally, the key acquisition request includes a target process identifier, and the second acquisition unit 2430 includes:

[0422] A process identifier acquisition unit (not shown) is used to acquire the target process identifier from the key acquisition request;

[0423] A process information acquisition unit (not shown) is used to acquire target process information based on the target process identifier.

[0424] Optionally, the key authorization and authentication method is executed by a key management agent with permission to read the process running status. The target process information includes the target process execution object identifier, the target process name, the target process execution path, and the target process file digest; the process information acquisition unit (not shown) is specifically used for:

[0425] Obtain the target process execution object identifier corresponding to the target process identifier;

[0426] Using the process running status read permission, read the running status of the target process corresponding to the target process identifier. The running status of the target process includes the target process name and the target process execution path.

[0427] Obtain the target process name and the target process execution path from the target process's running status;

[0428] Obtain the target process file according to the target process name and the target process execution path, and perform a digest operation on the target process file to obtain the target process file digest.

[0429] Optionally, the authorization process information includes the identifier of the execution object of the authorization process, the name of the authorization process, the execution path of the authorization process, and the file summary of the authorization process;

[0430] The third acquisition unit 2440 is specifically used for:

[0431] If, among multiple authorized process information entries, one of the authorized process execution object identifiers is the same as the target process execution object identifier, the authorized process name is the same as the target process name, the authorized process execution path is the same as the target process execution path, and the authorized process file digest is the same as the target process file digest, then the authorized process information is determined to be the matching authorized process information.

[0432] Optionally, the first acquisition unit 2410 is used to: acquire the authorization key on the target terminal, the key identifier corresponding to the authorization key, and the authorization process information corresponding to the authorization key;

[0433] The process identifier acquisition unit (not shown) is used for:

[0434] Obtain the target process identifier and the target key identifier from the key acquisition request;

[0435] The third acquisition unit 2440 is specifically used for:

[0436] Among multiple authorization process information, obtain candidate authorization process information whose key identifiers corresponding to the authorization key match the target key identifier;

[0437] If the target process information matches the candidate authorized process information, the candidate authorized process information will be determined as the matching authorized process information.

[0438] Optionally, the key identifier corresponding to the authorized key is obtained based on the fourth correspondence table of the authorized key, which indicates the fourth correspondence between the authorized key and the key identifier;

[0439] The fourth mapping table is pre-generated on the key management server in the following way:

[0440] The authorization key configuration interface is displayed, which includes a key identifier input area and an authorization key generation method selection control;

[0441] In the key identifier input area, receive the input key identifier;

[0442] In response to selecting a random generation method using the authorization key generation method selection control, an authorization key is randomly generated.

[0443] Store the authorization key and key identifier as a fourth correspondence.

[0444] Optionally, the first acquisition unit 2410 is used for:

[0445] Obtain the effective and expiration times of each authorization key;

[0446] From multiple authorization keys, select the authorization key whose effective time is earlier than the current time and whose expiration time is later than the current time, along with the authorization process information corresponding to the authorization key.

[0447] Optionally, the first acquisition unit 2410 is further configured to: acquire the authorization key on the target terminal, the first encryption algorithm version corresponding to the authorization key, and the authorization process information corresponding to the authorization key;

[0448] The key authorization and authentication device also includes a comparison unit (not shown), which is used for:

[0449] Receive a verification request for the encryption algorithm version during the encryption process using the authorized key by the target process. The encryption algorithm version verification request has a second encryption algorithm version applied by the authorized key.

[0450] If the second encryption algorithm version is the same as the first encryption algorithm version, send a successful encryption algorithm version verification response to the target process.

[0451] Optionally, the authorization process information includes the identifier of the object to be executed by the authorization process, the name of the authorization process, and the execution path of the authorization process;

[0452] The third acquisition unit 2440 also includes:

[0453] The first matching unit (not shown) is used to determine the first matching score based on the target process execution object identifier and the authorized process execution object identifier;

[0454] The second matching unit (not shown) is used to determine the second matching score based on the target process name and the authorized process name;

[0455] The third matching unit (not shown) is used to determine the third matching score based on the execution path of the target process and the execution path of the authorized process;

[0456] A filtering unit (not shown) is used to obtain matching authorization process information from multiple authorization process information based on a first matching score, a second matching score, and a third matching score.

[0457] Optionally, the filtering unit (not shown) is used for:

[0458] The first matching score, the second matching score, and the third matching score are weighted and summed to obtain the total matching score.

[0459] Based on the total matching score, obtain the matching authorization process information from multiple authorization process information.

[0460] Reference Figure 25 , Figure 25 The structural block diagram of a terminal implementing the key authorization and authentication method of this embodiment includes: a radio frequency (RF) circuit 2510, a memory 2515, an input unit 2530, a display unit 2540, a sensor 2550, an audio circuit 2560, a wireless fidelity (WiFi) module 2570, a processor 2580, and a power supply 2590, among other components. Those skilled in the art will understand that... Figure 25 The terminal structure shown does not constitute a limitation on mobile phones or computers and may include more or fewer components than shown, or combine certain components, or have different component arrangements.

[0461] The RF circuit 2510 can be used to receive and transmit signals during information transmission or calls. In particular, it receives downlink information from the base station and processes it with the processor 2580; in addition, it transmits uplink data to the base station.

[0462] The memory 2515 can be used to store software programs and modules. The processor 2580 executes various functional applications and data processing of the target terminal by running the software programs and modules stored in the memory 2515.

[0463] The input unit 2530 can be used to receive input numeric or character information, and to generate key signal inputs related to the settings and function control of the target terminal. Specifically, the input unit 2530 may include a touch panel 2531 and other input devices 2525.

[0464] Display unit 2540 can be used to display input or provided information, as well as various menus of the target terminal. Display unit 2540 may include display panel 2541.

[0465] Audio circuitry 2560, speaker 2561, and microphone 2562 provide an audio interface.

[0466] In this embodiment, the processor 2580 included in the terminal can execute the key authorization and authentication method of the previous embodiment.

[0467] The terminals disclosed in this embodiment include, but are not limited to, mobile phones, computers, intelligent voice interaction devices, smart home appliances, vehicle terminals, and aircraft. The embodiments of this invention can be applied to various scenarios, including but not limited to identity verification, blockchain, data security, and key authentication.

[0468] Figure 26 This is a partial structural block diagram of a server implementing the key authorization and authentication method of this disclosure. The server can vary significantly due to different configurations or performance characteristics, and may include one or more Central Processing Units (CPUs) 3252 (e.g., one or more processors) and memory 2625, and one or more storage media 2630 (e.g., one or more mass storage devices) for storing application programs 2642 or data 2644. The memory 2625 and storage media 2630 may be temporary or persistent storage. The program stored in the storage media 2630 may include one or more modules (not shown in the diagram), each module including a series of instruction operations on the server. Furthermore, the CPU 3252 may be configured to communicate with the storage media 2630 and execute the series of instruction operations in the storage media 2630 on the server.

[0469] The server may also include one or more power supplies 3256, one or more wired or wireless network interfaces 2650, one or more input / output interfaces 2658, and / or one or more operating systems 2641, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.

[0470] The central processing unit 3252 in the server can be used to execute the key authorization and authentication method of the present disclosure embodiments.

[0471] This disclosure also provides a computer-readable storage medium for storing program code that executes the key authorization and authentication methods of the foregoing embodiments.

[0472] This disclosure also provides a computer program product comprising a computer program. A processor of a computer device reads and executes the computer program, causing the computer device to perform the key authorization and authentication method described above.

[0473] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in this disclosure and the foregoing drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this disclosure described herein can be implemented, for example, in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “including,” and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that includes a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatuses.

[0474] It should be understood that in this disclosure, "at least one item" means one or more, and "more than one" means two or more. "And / or" is used to describe the relationship between related objects, indicating that three relationships can exist. For example, "A and / or B" can represent three cases: only A exists, only B exists, and both A and B exist simultaneously, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.

[0475] It should be understood that in the description of the embodiments disclosed herein, "multiple" means two or more, "greater than", "less than", "exceeding" etc. are understood to exclude the number itself, and "above", "below", "within" etc. are understood to include the number itself.

[0476] In the several embodiments provided in this disclosure, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection between apparatuses or units, and may be electrical, mechanical, or other forms.

[0477] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0478] Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0479] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0480] It should also be understood that the various implementation methods provided in this disclosure can be combined arbitrarily to achieve different technical effects.

[0481] The above is a detailed description of the embodiments of this disclosure. However, this disclosure is not limited to the above embodiments. Those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of this disclosure. All such equivalent modifications or substitutions are included within the scope defined by the claims of this disclosure.

Claims

1. A method of key authorization authentication, characterized by, include: Obtain the authorization key on the target terminal and the authorization process information corresponding to the authorization key, wherein the authorization process information includes the authorization process execution object identifier, the authorization process name, and the authorization process execution path; Receive a key acquisition request from the target process on the target terminal; In response to the key acquisition request, the target process information of the target process is acquired; The target process information is compared with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information; The step of comparing the target process information with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information includes: A first matching score is determined based on the target process execution object identifier and the authorized process execution object identifier; A second matching score is determined based on the target process name and the authorized process name; A third matching score is determined based on the execution path of the target process and the execution path of the authorized process; Based on the first matching score, the second matching score, and the third matching score, obtain matching authorization process information from multiple authorization process information; Return the authorization key corresponding to the matching authorized process information to the target process.

2. The key authorization authentication method of claim 1, wherein, The step of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key includes: Send a first request to the key management server, the first request containing the target terminal address of the target terminal; The key management server receives the authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key, sent in response to the first request.

3. The key authorization authentication method of claim 2, wherein, The authorization key corresponding to the target terminal address and the authorization process information corresponding to the authorization key are determined by the key management server in the following way: Based on the first correspondence table, the target process group corresponding to the target terminal address is determined, and the first correspondence table indicates the first correspondence between the terminal address and the process group. Based on the second correspondence table, the authorization key corresponding to the target process group is determined as the authorization key corresponding to the target terminal address. The second correspondence table indicates the second correspondence between the process group and the authorization key. Based on the third correspondence table, the authorized process information corresponding to the target process group is determined as the authorized process information corresponding to the authorized key. The third correspondence table indicates the third correspondence between the authorized process information of the process group and the processes contained in the process group.

4. The key authorization authentication method of claim 3, wherein, The first correspondence is pre-generated on the key management server in the following manner: The process group configuration interface is displayed, which includes a process group identifier input area and a terminal address input area for the application of the process group. In the process group identifier input area, the input process group identifier is received; The terminal address input area receives the input terminal address; The process group corresponding to the input process group identifier and the input terminal address are stored as the first correspondence.

5. The key authorization and authentication method according to claim 3, characterized in that, The first correspondence is pre-generated on the key management server in the following manner: For each process group, a second request is sent to the process group deployment management node, the second request containing the process group identifier of the process group; Receive the terminal address corresponding to the process group identifier sent by the process group deployment management node in response to the second request; The process group and the received terminal address are stored as the first correspondence.

6. The key authorization and authentication method according to claim 3, characterized in that, The second correspondence is pre-generated on the key management server in the following manner: Receive the selection of the authorization key; In response to a process group input command for the selected authorization key, the process group input area is displayed; The process group input area receives the input process group; The input process group and the authorization key are stored as the second correspondence.

7. The key authorization and authentication method according to claim 3, characterized in that, The third correspondence is pre-generated on the key management server in the following manner: In response to an instruction to configure authorized process information for processes belonging to the process group, the authorized process information configuration interface is displayed; The authorization process information configuration interface receives the input authorization process information; The process group and the authorized process information are stored as the third correspondence.

8. The key authorization and authentication method according to claim 1, characterized in that, The key acquisition request includes a target process identifier, and the step of obtaining the target process information of the target process in response to the key acquisition request includes: Obtain the target process identifier from the key acquisition request; Based on the target process identifier, obtain the target process information.

9. The key authorization and authentication method according to claim 8, characterized in that, The key authorization and authentication method is executed by a key management agent with permission to read the process running status. The target process information includes the target process execution object identifier, the target process name, the target process execution path, and the target process file digest. The step of obtaining the target process information based on the target process identifier includes: Obtain the target process execution object identifier corresponding to the target process identifier; Using the process running status read permission, read the target process running status corresponding to the target process identifier. The target process running status includes the target process name and the target process execution path. Obtain the target process name and the target process execution path from the target process running status; According to the target process name and the target process execution path, obtain the target process file, perform a digest operation on the target process file, and obtain the target process file digest.

10. The key authorization and authentication method according to claim 9, characterized in that, The authorization process information includes the identifier of the execution object of the authorization process, the name of the authorization process, the execution path of the authorization process, and the file summary of the authorization process; The step of comparing the target process information with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information includes: If, among a plurality of authorized process information, one of the authorized process execution object identifiers is the same as the target process execution object identifier, the authorized process name is the same as the target process name, the authorized process execution path is the same as the target process execution path, and the authorized process file digest is the same as the target process file digest, then the authorized process information is determined to be the matching authorized process information.

11. The key authorization and authentication method according to claim 8, characterized in that, The step of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key includes: obtaining the authorization key on the target terminal, the key identifier corresponding to the authorization key, and the authorization process information corresponding to the authorization key; Obtaining the target process identifier from the key acquisition request includes: obtaining the target process identifier and the target key identifier from the key acquisition request; The step of comparing the target process information with multiple authorized process information to obtain matching authorized process information from the multiple authorized process information includes: From the multiple authorization process information, obtain candidate authorization process information whose key identifier is consistent with the target key identifier corresponding to the authorization key; If the target process information matches the candidate authorized process information, the candidate authorized process information is determined as the matching authorized process information.

12. The key authorization and authentication method according to claim 11, characterized in that, The key identifier corresponding to the authorized key is obtained based on the authorized key reference fourth correspondence table, the fourth correspondence table indicating the fourth correspondence between the authorized key and the key identifier; The fourth correspondence table is pre-generated on the key management server in the following manner: The authorization key configuration interface is displayed, which includes a key identifier input area and an authorization key generation method selection control; In the key identifier input area, the input key identifier is received; In response to selecting a random generation method using the authorization key generation method selection control, the authorization key is randomly generated; The authorization key and the key identifier are stored as the fourth correspondence.

13. The key authorization and authentication method according to claim 1, characterized in that, The step of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key includes: Obtain the effective and expiration times of each authorization key; From the plurality of authorized keys, select the authorized key whose effective time is earlier than the current time and whose expiration time is later than the current time, and the authorization process information corresponding to the authorized key.

14. The key authorization and authentication method according to claim 1, characterized in that, The step of obtaining the authorization key on the target terminal and the authorization process information corresponding to the authorization key includes: Obtain the authorization key on the target terminal, the first encryption algorithm version corresponding to the authorization key, and the authorization process information corresponding to the authorization key; After returning the authorization key corresponding to the matching authorized process information to the target process, the method further includes: Receive the encryption algorithm version verification request of the target process during the encryption process using the authorized key, wherein the encryption algorithm version verification request has a second encryption algorithm version applied by the authorized key; If the second encryption algorithm version is the same as the first encryption algorithm version, a successful encryption algorithm version verification response is sent to the target process.

15. The key authorization and authentication method according to claim 1, characterized in that, The step of obtaining matching authorization process information from multiple authorization process information based on the first matching score, the second matching score, and the third matching score includes: The first matching score, the second matching score, and the third matching score are weighted and summed to obtain the total matching score. Based on the total matching score, the matching authorization process information is obtained from multiple authorization process information.

16. A key authorization and authentication device, characterized in that, include: The first acquisition unit is used to acquire the authorization key on the target terminal and the authorization process information corresponding to the authorization key. The authorization process information includes the authorization process execution object identifier, the authorization process name, and the authorization process execution path. The first receiving unit is used to receive a key acquisition request from the target process on the target terminal; The second acquisition unit is used to acquire the target process information of the target process in response to the key acquisition request; The third acquisition unit includes: a first matching unit, configured to determine a first matching score based on the target process execution object identifier and the authorized process execution object identifier; a second matching unit, configured to determine a second matching score based on the target process name and the authorized process name; a third matching unit, configured to determine a third matching score based on the target process execution path and the authorized process execution path; and a filtering unit, configured to acquire matching authorized process information from multiple authorized process information based on the first matching score, the second matching score, and the third matching score. The return unit is used to return the authorization key corresponding to the matching authorization process information to the target process.

17. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the key authorization and authentication method according to any one of claims 1 to 15.

18. A computer-readable storage medium storing a computer program, characterized in that, When the computer program is executed by a processor, it implements the key authorization and authentication method according to any one of claims 1 to 15.

19. A computer program product comprising a computer program that is read and executed by a processor of a computer device, causing the computer device to perform the key authorization authentication method according to any one of claims 1 to 15.