Summary of the invention
Embodiments of the present invention provide a key initialization method, apparatus, electronic device and computer-readable storage medium.
In a first aspect, an embodiment of the present invention provides a key initialization method.
Specifically, the key initialization method comprises:
sending a key initialization instruction to a first cryptographic device, the key initialization instruction being used to trigger the first cryptographic device to generate a first device key and a target key offline and to write first identity verification data offline, and receiving the first device public key of the first device key returned by the first cryptographic device;
sending a key initialization preparation instruction to a second cryptographic device, the key initialization preparation instruction being used to trigger the second cryptographic device to generate a second device key offline, and receiving the second device public key of the second device key returned by the second cryptographic device;
exporting the target key from the first cryptographic device and writing it online to the second cryptographic device.
With reference to the first aspect, in a first implementation of the first aspect of the embodiment of the present invention, sending the key initialization instruction to the first cryptographic device and receiving the first device public key of the first device key returned by the first cryptographic device comprises:
sending a first device key generation instruction, a first identity verification data write instruction and a target key generation instruction to the first cryptographic device;
in response to receiving an instruction acceptance message fed back by the first cryptographic device, writing the first identity verification data offline to the first cryptographic device, and receiving a first device key generation success message, the first device public key and a target key generation success message fed back by the first cryptographic device.
With reference to the first aspect and the first implementation of the first aspect, in a second implementation of the first aspect of the embodiment of the present invention, sending the key initialization preparation instruction offline to the second cryptographic device and receiving the second device public key of the second device key returned by the second cryptographic device comprises:
sending the key initialization preparation instruction to the second cryptographic device;
receiving a key initialization preparation success message fed back by the second cryptographic device and the second device public key of the second device key.
With reference to the first aspect, the first implementation of the first aspect and the second implementation of the first aspect, in a third implementation of the first aspect of the embodiment of the present invention, exporting the target key from the first cryptographic device and writing it online to the second cryptographic device comprises:
obtaining third identity verification data and the second device public key;
sending a target key export instruction to the first cryptographic device, wherein the target key export instruction carries the third identity verification data and the second device public key, the third identity verification data being used together with the first identity verification data to verify the identity of the first cryptographic device, and the second device public key being used to encrypt the target key to generate a target key ciphertext;
receiving the target key ciphertext and signature information returned by the first cryptographic device, wherein the signature information is obtained by computing a signature over the target key ciphertext with the first device private key of the first device key;
verifying the signature information with the first device public key of the first device key, and in response to the signature information being verified successfully, writing the target key online to the second cryptographic device.
With reference to the first aspect and the first, second and third implementations of the first aspect, in a fourth implementation of the first aspect of the embodiment of the present invention, verifying the signature information with the first device public key of the first device key and, in response to the signature information being verified successfully, writing the target key online to the second cryptographic device comprises:
verifying the signature information with the first device public key of the first device key;
in response to the signature information being verified successfully, sending the target key ciphertext to the second cryptographic device, wherein the target key ciphertext can be decrypted with the second device private key of the second device key to obtain the target key;
receiving target key write feedback information returned by the first cryptographic device.
In a second aspect, an embodiment of the present invention provides a key initialization apparatus.
Specifically, the key initialization apparatus comprises:
a first sending module, configured to send a key initialization instruction to a first cryptographic device, the key initialization instruction being used to trigger the first cryptographic device to generate a first device key and a target key offline and to write first identity verification data offline, and to receive the first device public key of the first device key returned by the first cryptographic device;
a second sending module, configured to send a key initialization preparation instruction to a second cryptographic device, the key initialization preparation instruction being used to trigger the second cryptographic device to generate a second device key offline, and to receive the second device public key of the second device key returned by the second cryptographic device;
a write module, configured to export the target key from the first cryptographic device and write it online to the second cryptographic device.
With reference to the second aspect, in a first implementation of the second aspect of the embodiment of the present invention, the first sending module comprises:
a first sending submodule, configured to send a first device key generation instruction, a first identity verification data write instruction and a target key generation instruction to the first cryptographic device;
a first receiving submodule, configured to, in response to receiving an instruction acceptance message fed back by the first cryptographic device, write the first identity verification data offline to the first cryptographic device, and to receive a first device key generation success message, the first device public key and a target key generation success message fed back by the first cryptographic device.
With reference to the second aspect and the first implementation of the second aspect, in a second implementation of the second aspect of the embodiment of the present invention, the second sending module comprises:
a second sending submodule, configured to send the key initialization preparation instruction to the second cryptographic device;
a second receiving submodule, configured to receive a key initialization preparation success message fed back by the second cryptographic device and the second device public key of the second device key.
With reference to the second aspect, the first implementation of the second aspect and the second implementation of the second aspect, in a third implementation of the second aspect of the embodiment of the present invention, the write module comprises:
an acquisition submodule, configured to obtain third identity verification data and the second device public key;
a third sending submodule, configured to send a target key export instruction to the first cryptographic device, wherein the target key export instruction carries the third identity verification data and the second device public key, the third identity verification data being used together with the first identity verification data to verify the identity of the first cryptographic device, and the second device public key being used to encrypt the target key to generate a target key ciphertext;
a third receiving submodule, configured to receive the target key ciphertext and signature information returned by the first cryptographic device, wherein the signature information is obtained by computing a signature over the target key ciphertext with the first device private key of the first device key;
a write submodule, configured to verify the signature information with the first device public key of the first device key and, in response to the signature information being verified successfully, to write the target key online to the second cryptographic device.
With reference to the second aspect and the first, second and third implementations of the second aspect, in a fourth implementation of the second aspect of the embodiment of the present invention, the write submodule comprises:
a verification submodule, configured to verify the signature information with the first device public key of the first device key;
a fourth sending submodule, configured to, in response to the signature information being verified successfully, send the target key ciphertext to the second cryptographic device, wherein the target key ciphertext can be decrypted with the second device private key of the second device key to obtain the target key;
a fourth receiving submodule, configured to receive target key write feedback information returned by the first cryptographic device.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory and a processor, the memory being used to store one or more computer instructions which support the key initialization apparatus in executing the key initialization method of the first aspect, and the processor being configured to execute the computer instructions stored in the memory. The key initialization apparatus may further comprise a communication interface for communication between the key initialization apparatus and other devices or communication networks.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium for storing the computer instructions used by the key initialization apparatus, which comprise the computer instructions involved in the key initialization apparatus executing the key initialization method of the first aspect.
The technical solution provided by the embodiments of the present invention can have the following beneficial effects:
By combining offline operation with online operation, the above solution performs key initialization for cryptographic modules hierarchically and in batches, so that most of the workload is moved into an automated online process. The solution therefore satisfies the need for key initialization of large numbers of cryptographic modules while preserving information security, greatly reduces labour and time cost, improves working efficiency and facilitates subsequent capacity expansion of the cryptographic modules.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the embodiments of the present invention.
Specific embodiment
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can readily implement them. For the sake of clarity, parts unrelated to the description of the exemplary embodiments are omitted from the drawings.
In the embodiments of the present invention, it should be understood that terms such as "comprising" or "having" are intended to indicate the presence of the features, numbers, steps, actions, components, parts or combinations thereof disclosed in this specification, and are not intended to exclude the possibility that one or more other features, numbers, steps, actions, components, parts or combinations thereof are present or added.
It should also be noted that, in the absence of conflict, the embodiments of the present invention and the features in the embodiments may be combined with one another. The present invention will be described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
The technical solution provided by the embodiments of the present invention combines offline operation with online operation to perform key initialization for cryptographic modules hierarchically and in batches, so that most of the workload is moved into an automated online process. The solution can therefore satisfy the need for key initialization of large numbers of cryptographic modules while ensuring information security, greatly reduce labour and time cost, improve working efficiency and facilitate subsequent capacity expansion of the cryptographic modules.
Fig. 1 shows a flowchart of a key initialization method according to an embodiment of the present invention. The method may be applied on the server side. As shown in Fig. 1, the key initialization method comprises the following steps S101-S103:
In step S101, a key initialization instruction is sent to a first cryptographic device, the key initialization instruction being used to trigger the first cryptographic device to generate a first device key and a target key offline and to write first identity verification data offline, and the first device public key of the first device key returned by the first cryptographic device is received;
In step S102, a key initialization preparation instruction is sent to a second cryptographic device, the key initialization preparation instruction being used to trigger the second cryptographic device to generate a second device key offline, and the second device public key of the second device key returned by the second cryptographic device is received;
In step S103, the target key is exported from the first cryptographic device and written online to the second cryptographic device.
As mentioned above, a distributed cryptographic service platform based on cryptographic modules is an effective way of addressing information security, and the initialization of the working master key of the cryptographic modules is the starting point and core of establishing the security of the whole cryptographic service platform. To ensure the security of key initialization, the prior art generally uses a fully offline key initialization method, but such a method relies on manual operation and is only suitable for key initialization of small batches of cryptographic modules; for large batches it incurs enormous labour and time cost, greatly reduces working efficiency and also hinders capacity expansion of the cryptographic modules.
In view of the above drawbacks, this embodiment proposes a key initialization method which, by combining offline and online operation, performs key initialization for cryptographic modules hierarchically and in batches, so that most of the workload is moved into an automated online process. The solution can therefore satisfy the need for key initialization of large numbers of cryptographic modules while ensuring information security, greatly reduce labour and time cost, improve working efficiency and facilitate subsequent capacity expansion of the cryptographic modules.
Here, a cryptographic device refers to a cryptographic module, cipher card or other device that can independently provide cryptographic services and key management functions.
Here, the first device key and the second device key are used for signing or encryption in communication between cryptographic devices. In an optional implementation of this embodiment, the first device key and the second device key are used in cooperation. For example, the first device key and the second device key may be combined into a key pair, the first device key being the public key of the pair and the second device key its private key, so that the first cryptographic device can encrypt with the first device key and the second cryptographic device can decrypt the result with the second device key. In the flow described in this embodiment, each device key is itself a key pair: the first device key comprises the first device public key and the first device private key, with which the first cryptographic device signs the target key ciphertext, and the second device key comprises the second device public key, under which the target key is encrypted, and the second device private key, with which the second cryptographic device decrypts it.
Here, the identity verification data is used to verify the identity of a device, so as to ensure the security of the subsequent target key export. In an optional implementation of this embodiment, the identity verification data does not refer to one specific item of data but to any data that can be used for identity verification. For example, it may refer to critical identity verification data, such that a cryptographic device into which the critical identity verification data has been written can act as a first cryptographic device and perform secure export of the target key; or it may refer to data that is matched against the critical identity verification data to complete identity authentication.
Here, the target key refers to a master key or any other key that needs to be written into a cryptographic device during the initialization phase.
Here, the first cryptographic device completes its key initialization as soon as it has generated and stored the target key offline; the first cryptographic device is therefore a cryptographic device of the first batch to be key-initialized. The second cryptographic device completes its key initialization once the target key has subsequently been written to it online and stored; that is, the second cryptographic device is a cryptographic device of a subsequent batch. Once the second cryptographic device has completed key initialization, if identity verification data has also been written to it, it can in turn perform key initialization for other cryptographic devices according to the above flow, based on the target key it stores. A hierarchical, batched key initialization mechanism for cryptographic devices is thus formed. At the same time, through the combination of offline and online key initialization operations and the multi-level verification mechanism, most of the key initialization work can safely be moved into an automated online process, which makes efficient key initialization of large numbers of cryptographic modules possible.
In an optional implementation of the present embodiment, as shown in Fig. 2, the step S101, i.e., set to first password
Preparation send cipher key initialization to instruct, and receives the first equipment public key in the first device keys that the first password equipment returns
The step of, include the following steps S201-S202:
In step s 201, Xiang Suoshu first password equipment sends the first device keys and generates instruction, the first proof of identity
Data write instruction and target cipher key generate instruction;
In step S202, the instruction in response to receiving first password equipment feedback receives information, by described the
One identity check number is according to offline write-in first password equipment, and the first device keys for receiving the first password equipment feedback are raw
Successful information is generated at successful information, the first equipment public key and target cipher key.
In this embodiment, completing specifically can be first to institute for the offline cipher key initialization of first password equipment
It states first password equipment and sends the generation instruction of the first device keys;Receive the first device keys of the first password equipment feedback
Generate successful information and the first equipment public key;The first proof of identity data write instruction is sent to the first password equipment;
Instruction in response to receiving the first password equipment feedback receives information, and the first proof of identity off-line data is written
First password equipment;Target cipher key, which is sent, to the first password equipment generates instruction;Receive the first password equipment feedback
Target cipher key generate successful information.It should be noted that the transmission sequence of above-metioned instruction is not particularly limited in the present invention,
Those skilled in the art can be configured according to the needs of practical application.
Wherein, the first proof of identity data write instruction can be come real by the first proof of identity data write request
It is existing, data write-in interface call request can also be verified by first password equipment identities to realize, the present invention does not make to have to it
Body limits.
Mentioned above, the proof of identity data are used to carry out proof of identity for relevant device, the one of the present embodiment
In a optional implementation, the proof of identity data can be digital signature, Message Authentication Code, public key certificate or MAC key
Etc. data, or the relevant supplemental characteristic of proof of identity, when practical application, those skilled in the art can be according to various identity
The characteristics of verifying data and specifically used demand select suitable proof of identity data, and the present invention is not especially limited it.
Wherein, the target cipher key generates instruction and can realize by target cipher key generation request, can also be by first
Encryption device target cipher key generates interface call request to realize, the present invention is not especially limited it.
In an optional implementation of the present embodiment, the target cipher key can be according to goal-selling key create-rule
It is generated by key generation devices such as random number generators, specific target cipher key create-rule content can be according to practical application
It needs to be configured, specific key generation device can also be selected according to the needs of practical application, and the present invention does not make it
It is specific to limit.
In an optional implementation of the present embodiment, as shown in figure 3, the step S102, i.e., set to the second password
It is standby offline to send cipher key initialization preparation instruction, and receive in the second device keys that second encryption device returns second
The step of equipment public key, include the following steps S301-S302:
In step S301, the second encryption device of Xiang Suoshu sends cipher key initialization preparation instruction;
In step s 302, the cipher key initialization for receiving the second encryption device feedback prepares successful information and second
The second equipment public key in device keys.
In this embodiment, the offline cipher key initialization preparation for the second encryption device is completed.Specifically, to
Second encryption device sends cipher key initialization preparation instruction;It receives second encryption device and completes cipher key initialization standard
The cipher key initialization fed back after standby work prepares the second equipment public key in successful information and the second device keys.
Wherein, to generate the second equipment offline close for triggering second encryption device for the cipher key initialization preparation instruction
Key.In addition, the cipher key initialization preparation instruction can be realized by cipher key initialization preparation request, it can also be by the second password
Device keys initialization prepares interface call request to realize, the present invention is not especially limited it.
In an optional implementation of the present embodiment, the cipher key initialization preparation instruction can also be used in triggering to institute
It states the second encryption device and the second proof of identity data is written offline, the second encryption device of the second proof of identity data is written, after
It is continuous to can be used as first password equipment, cipher key initialization is carried out for other encryption devices based on this paper process.Wherein, described second
Proof of identity data may be the same or different with the first proof of identity data.
In an optional implementation of the present embodiment, as shown in figure 4, the step S103, i.e., close from described first
The step of exporting the target cipher key in decoding apparatus, it is written to second encryption device online, includes the following steps S401-
S404:
In step S401, tiers e'tat verification data and the second equipment public key are obtained;
In step S402, Xiang Suoshu first password equipment sends target cipher key export instruction, wherein the target cipher key
Export instruction carries the tiers e'tat verification data and the second equipment public key, and the tiers e'tat verification data are used for and institute
State the first proof of identity data cooperation for the first password equipment carry out proof of identity, the second equipment public key for pair
Encryption, which is carried out, in target cipher key generates target cipher key ciphertext;
In step S403, the target cipher key ciphertext and signing messages that the first password equipment returns are received, wherein institute
Stating signing messages is to carry out signature calculation to the target cipher key ciphertext according to the first device private in the first device keys to obtain
It arrives;
In step s 404, the signing messages is tested using the first equipment public key in first device keys
Card, and in response to being proved to be successful for the signing messages, second encryption device is written into the target cipher key online.
In this embodiment, the online cipher key initialization for the second encryption device is completed.Specifically, the is obtained first
Three proof of identity data and the second equipment public key;Then target cipher key export instruction is sent to the first password equipment;It receives
The target cipher key ciphertext and signing messages that the first password equipment returns;Finally utilize first in first device keys
Equipment public key verifies the signing messages, and in response to being proved to be successful for the signing messages, and the target is close
Second encryption device is written in key online.
Wherein, the tiers e'tat verification data can be obtained by terminal token device, can specifically be enabled by terminal
Board equipment sends proof of identity request of data to realize, can also calculate interface by calling terminal token device proof of identity data
It realizes, the present invention is not especially limited it.The terminal token device is that can be realized crypto-operation and key management function
The terminal password equipment of cryptographic service can, be provided, for example can be USB Key, bluetooth Key, audio Key, U-shield, password board etc.
Deng.
Wherein, the tiers e'tat verification data can match with the first proof of identity data and the second proof of identity data
To using, i.e., when carrying out proof of identity to the first password equipment based on tiers e'tat verification data, storage can be passed through
The first proof of identity data in first password equipment are matched or are verified to tiers e'tat verification data to realize, and root
Authentication is completed according to matching or verifying situation.Wherein, the proof of identity is the concept of a general justice, be can be understood as pair
It is verified in the identity of verified object, it is understood that be the legitimacy identity that a certain operation is executed for verified object
It is verified, for example the legitimacy of first password equipment export target cipher key is verified.
In an optional implementation of the present embodiment, as shown in figure 5, the step S404, that is, utilize described first
The first equipment public key in device keys verifies the signing messages, and in response to for the signing messages verifying at
Function, includes the following steps S501-S503 at the step of second encryption device is written in the target cipher key online:
In step S501, the signing messages is tested using the first equipment public key in first device keys
Card;
In step S502, in response to being proved to be successful for the signing messages, the target cipher key ciphertext is sent to
Second encryption device, wherein the target cipher key ciphertext can be by the second device private solution in second device keys
It is close to obtain target cipher key;
In step S503, the target cipher key write-in feedback information that the first password equipment returns is received.
In this embodiment, the online cipher key initialization of the second encryption device is completed by encrypting and decrypting mechanism.Specifically
The signing messages is verified using the first equipment public key in first device keys in ground;In response to for described
Signing messages is proved to be successful, that is, when proving that the first password equipment is legitimate device, the target cipher key ciphertext is sent to
Second encryption device, wherein the target cipher key ciphertext can be by the second device private solution in second device keys
It is close to obtain target cipher key;Receive the target cipher key write-in feedback information that the first password equipment returns.
Wherein, the target cipher key ciphertext is sent to the second encryption device, mesh can be sent by the second encryption device
It marks key ciphertext and imports request to realize, can also be realized by the second encryption device target cipher key ciphertext introducting interface is called,
The present invention is not especially limited it.
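The following Go program is an added worked example of the whole flow described above, covering the offline steps S201-S202 and S301-S302, the online steps S401-S404 and S501-S503, and the chained-batch option in which a second cryptographic device that has been written with second identity verification data acts as the first cryptographic device for the next batch. It is not code from the patent or from any product. The patent fixes no algorithms, so the example assumes RSA-2048 device key pairs, RSA-OAEP for the target key ciphertext, RSA-PSS for the signature information, first identity verification data in the form of an HMAC key written offline, third identity verification data in the form of an HMAC computed by the terminal token over the second device public key, and the importing device's return value as the write feedback. The type and function names (Device, PrepareInit, OfflineInit, WriteIdentity, TokenMAC, ExportTargetKey, VerifyExport, ImportTargetKey, Initialize, SameTargetKey) and the sample identity data are the example's own.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Device stands in for one cryptographic module; the server only sees its methods.
type Device struct {
	devKey    *rsa.PrivateKey // device key pair, generated inside the module
	identity  []byte          // identity verification data: an HMAC key written offline (assumed form)
	targetKey []byte          // target (master) key; leaves the module only as ciphertext
}

// PrepareInit: offline preparation of a second device (S301-S302), key pair only.
func PrepareInit() (*Device, *rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Device{devKey: k}, &k.PublicKey, nil
}

// OfflineInit: full offline initialization of a first device (S201-S202).
func OfflineInit(identity []byte) (*Device, *rsa.PublicKey, error) {
	d, pub, err := PrepareInit()
	if err != nil {
		return nil, nil, err
	}
	d.WriteIdentity(identity)
	d.targetKey = make([]byte, 32)
	_, err = rand.Read(d.targetKey)
	return d, pub, err
}

// WriteIdentity writes identity data offline; a device holding it can export for the next batch.
func (d *Device) WriteIdentity(identity []byte) { d.identity = append([]byte(nil), identity...) }

// TokenMAC models the terminal token: third identity verification data is an HMAC,
// under the same key the first device holds, over the receiving device's public key.
func TokenMAC(identity []byte, recipient *rsa.PublicKey) []byte {
	m := hmac.New(sha256.New, identity)
	m.Write(x509.MarshalPKCS1PublicKey(recipient))
	return m.Sum(nil)
}

// ExportTargetKey runs on the first device (S402-S403): identity check, then
// RSA-OAEP to the recipient and an RSA-PSS signature with the first device private key.
func (d *Device) ExportTargetKey(mac []byte, recipient *rsa.PublicKey) (ct, sig []byte, err error) {
	if d.targetKey == nil || !hmac.Equal(mac, TokenMAC(d.identity, recipient)) {
		return nil, nil, fmt.Errorf("identity verification failed, export refused")
	}
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, d.targetKey, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, d.devKey, crypto.SHA256, h[:], nil)
	return ct, sig, err
}

// VerifyExport is the server-side check (S501) with the first device public key on file.
func VerifyExport(firstPub *rsa.PublicKey, ct, sig []byte) error {
	h := sha256.Sum256(ct)
	return rsa.VerifyPSS(firstPub, crypto.SHA256, h[:], sig, nil)
}

// ImportTargetKey runs on the second device (S502); on failure nothing is stored.
func (d *Device) ImportTargetKey(ct []byte) (err error) {
	d.targetKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, d.devKey, ct, nil)
	return err
}

// Initialize is step S103 as the server runs it: token MAC, export, verify, then forward.
func Initialize(first *Device, firstPub *rsa.PublicKey, second *Device, secondPub *rsa.PublicKey, tokenKey []byte) error {
	ct, sig, err := first.ExportTargetKey(TokenMAC(tokenKey, secondPub), secondPub)
	if err != nil {
		return err
	}
	if err := VerifyExport(firstPub, ct, sig); err != nil {
		return fmt.Errorf("target key ciphertext rejected: %w", err)
	}
	return second.ImportTargetKey(ct)
}

// SameTargetKey is a test hook; a real module would expose a key check value instead.
func SameTargetKey(a, b *Device) bool { return a.targetKey != nil && hmac.Equal(a.targetKey, b.targetKey) }

func main() {
	batch1 := []byte("identity-key-batch-1") // constructed sample identity data
	a, aPub, _ := OfflineInit(batch1)
	b, bPub, _ := PrepareInit()
	fmt.Println("A->B:", Initialize(a, aPub, b, bPub, batch1), SameTargetKey(a, b))
	fmt.Println("A->B, wrong token:", Initialize(a, aPub, b, bPub, []byte("wrong")))
}
```

Two checks gate the release of the target key: the first cryptographic device refuses the export unless the token's MAC verifies under the identity key it holds, and the server refuses to forward the ciphertext unless the signature verifies under the first device public key it obtained during offline initialization. Because the MAC covers the second device public key, a substituted public key, which would otherwise make the first device export the target key to an attacker's device, is rejected at the first device, and the server never sees the target key in clear. Writing identity data to the second device after a successful import (WriteIdentity) is what lets it act as the first device for the next batch.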
Following is apparatus of the present invention embodiment, can be used for executing embodiment of the present invention method.
Fig. 6 shows the structural block diagram of cipher key initialization device according to an embodiment of the present invention, which can pass through
Being implemented in combination with as some or all of of electronic equipment for software, hardware or both, can be applied to server end.Such as Fig. 6
Shown, the cipher key initialization device includes:
a first sending module 601, configured to send a key initialization instruction to a first cryptographic device, the key initialization instruction being used to trigger the first cryptographic device to generate first device keys and a target key offline and to write first identity verification data offline, and to receive the first device public key of the first device keys returned by the first cryptographic device;
a second sending module 602, configured to send a key initialization preparation instruction to a second cryptographic device, the key initialization preparation instruction being used to trigger the second cryptographic device to generate second device keys offline, and to receive the second device public key of the second device keys returned by the second cryptographic device;
a writing module 603, configured to export the target key from the first cryptographic device and write it online into the second cryptographic device.
As mentioned above, a distributed cryptographic service platform based on cryptographic modules is an approach that can effectively solve information security problems, and the initialization of the working master key of a cryptographic module is the foundation and core of the security of the entire cryptographic service platform. To ensure the security of key initialization, the prior art generally uses a fully offline key initialization apparatus, but such an apparatus is operated manually and is only suitable for key initialization of small batches of cryptographic modules; for large batches of cryptographic modules it incurs huge labour and time costs, greatly reduces working efficiency, and is unfavourable to capacity expansion of cryptographic modules.
In view of the above drawbacks, this embodiment proposes a key initialization apparatus that performs key initialization for cryptographic modules hierarchically and in batches by combining offline and online operations, so that most of the workload is moved into an automated online process. The technical solution can therefore meet the demand for key initialization of large batches of cryptographic modules while ensuring information security, greatly reduces labour and time costs, improves working efficiency, and facilitates subsequent capacity expansion of cryptographic modules.
The cryptographic device refers to a cryptographic module, a cryptographic card, or another device that can independently provide cryptographic services and key management functions.
The first device keys and the second device keys are used for signing or encrypting the communication between cryptographic devices. In an optional implementation of this embodiment, the first device keys and the second device keys are used together. For example, the first device keys and the second device keys can be combined into a key pair, with the first device key being the public key of the key pair and the second device key being the private key of the key pair; in this way, the first cryptographic device can encrypt using the first device key, and the encrypted information can be decrypted by the second cryptographic device using the second device key.
The identity verification data are used to verify the identity of a device, so as to ensure the security of the target key export in subsequent processes. In an optional implementation of this embodiment, the identity verification data do not refer only to one specific piece of identity verification data, but to any data that can be used for identity verification. For example, they may be identity verification key data: a cryptographic device into which identity verification key data have been written can act as a first cryptographic device and perform the function of securely exporting the target key. They may also be data that match the identity verification key data in order to achieve identity verification.
The target key refers to a master key or another key that needs to be written into a cryptographic device during the initialization phase.
The first cryptographic device completes its key initialization work as soon as it has generated and stored the target key offline; the first cryptographic device is therefore a cryptographic device of the first batch to undergo key initialization. The second cryptographic device completes its corresponding key initialization only after the target key has subsequently been written online and stored; that is, the second cryptographic device is a cryptographic device of a subsequent batch to undergo key initialization. After the second cryptographic device has completed key initialization, if identity verification data have also been written into it, it can perform key initialization for other cryptographic devices according to the above flow, based on the target key it stores. A hierarchical, batched key initialization mechanism for cryptographic devices is thus formed. Through the combination of offline and online key initialization operations and the multi-level verification mechanism, most of the key initialization work can be safely moved into an automated online process, making efficient key initialization of large batches of cryptographic modules possible.
In an optional implementation of this embodiment, as shown in Fig. 7, the first sending module 601 includes:
a first sending submodule 701, configured to send a first device key generation instruction, a first identity verification data write instruction, and a target key generation instruction to the first cryptographic device;
a first receiving submodule 702, configured to, in response to receiving instruction acceptance information fed back by the first cryptographic device, write the first identity verification data offline into the first cryptographic device, and to receive first device key generation success information, the first device public key, and target key generation success information fed back by the first cryptographic device.
In this embodiment, offline key initialization of the first cryptographic device is completed. Specifically, the first sending submodule 701 sends the first device key generation instruction, the first identity verification data write instruction, and the target key generation instruction to the first cryptographic device; the first receiving submodule 702, in response to receiving the instruction acceptance information fed back by the first cryptographic device, writes the first identity verification data offline into the first cryptographic device, and receives the first device key generation success information, the first device public key, and the target key generation success information fed back by the first cryptographic device. It should be noted that the order in which the first sending submodule 701 sends the above instructions is not particularly limited, and those skilled in the art can configure it according to the needs of the actual application.
The first identity verification data write instruction can be implemented by a first identity verification data write request, or by a first cryptographic device identity verification data write interface call request; the present invention does not particularly limit this.
As mentioned above, the identity verification data are used to perform identity verification for the relevant device. In an optional implementation of this embodiment, the identity verification data can be a digital signature, a message authentication code, a public key certificate, a MAC key, or similar data, or parameter data related to identity verification. In practical application, those skilled in the art can select suitable identity verification data according to the characteristics of the various kinds of identity verification data and the specific usage requirements; the present invention does not particularly limit this.
The target key generation instruction can be implemented by a target key generation request, or by a first cryptographic device target key generation interface call request; the present invention does not particularly limit this.
In an optional implementation of this embodiment, the target key can be generated by a key generation device such as a random number generator according to a preset target key generation rule. The specific content of the target key generation rule can be configured according to the needs of the actual application, and the specific key generation device can also be selected according to those needs; the present invention does not particularly limit this.
In an optional implementation of this embodiment, as shown in Fig. 8, the second sending module 602 includes:
a second sending submodule 801, configured to send the key initialization preparation instruction to the second cryptographic device;
a second receiving submodule 802, configured to receive key initialization preparation success information and the second device public key of the second device keys fed back by the second cryptographic device.
In this embodiment, offline key initialization preparation of the second cryptographic device is completed. Specifically, the second sending submodule 801 sends the key initialization preparation instruction to the second cryptographic device; the second receiving submodule 802 receives the key initialization preparation success information and the second device public key of the second device keys fed back by the second cryptographic device.
The key initialization preparation instruction is used to trigger the second cryptographic device to generate the second device keys offline. In addition, the key initialization preparation instruction can be implemented by a key initialization preparation request, or by a second cryptographic device key initialization preparation interface call request; the present invention does not particularly limit this.
In an optional implementation of this embodiment, the key initialization preparation instruction can also be used to trigger the second cryptographic device to write second identity verification data offline. A second cryptographic device into which the second identity verification data have been written can subsequently act as a first cryptographic device and perform key initialization for other cryptographic devices according to the flow described herein. The second identity verification data may be the same as or different from the first identity verification data.
In an optional implementation of this embodiment, as shown in Fig. 9, the writing module 603 includes:
an acquisition submodule 901, configured to obtain third identity verification data and the second device public key;
a third sending submodule 902, configured to send a target key export instruction to the first cryptographic device, where the target key export instruction carries the third identity verification data and the second device public key, the third identity verification data are used together with the first identity verification data to perform identity verification for the first cryptographic device, and the second device public key is used to encrypt the target key to generate a target key ciphertext;
a third receiving submodule 903, configured to receive the target key ciphertext and signature information returned by the first cryptographic device, where the signature information is obtained by computing a signature over the target key ciphertext with the first device private key of the first device keys;
a writing submodule 904, configured to verify the signature information using the first device public key of the first device keys and, in response to the signature information being verified successfully, to write the target key online into the second cryptographic device.
In this embodiment, online key initialization of the second cryptographic device is completed. Specifically, the acquisition submodule 901 obtains the third identity verification data and the second device public key; the third sending submodule 902 sends the target key export instruction to the first cryptographic device; the third receiving submodule 903 receives the target key ciphertext and the signature information returned by the first cryptographic device; the writing submodule 904 verifies the signature information using the first device public key of the first device keys and, in response to the signature information being verified successfully, writes the target key online into the second cryptographic device.
The third identity verification data can be obtained from a terminal token device, specifically by sending an identity verification data request to the terminal token device, or by calling an identity verification data computation interface of the terminal token device; the present invention does not particularly limit this. The terminal token device is a terminal cryptographic device that can perform cryptographic operations and key management functions and provide cryptographic services; for example, it can be a USB Key, a Bluetooth Key, an audio Key, a U-shield, a cryptographic card, or the like.
The third identity verification data can be used in combination with the first identity verification data and the second identity verification data. That is, when identity verification is performed on the first cryptographic device based on the third identity verification data, it can be implemented by matching or verifying the third identity verification data against the first identity verification data stored in the first cryptographic device, and identity verification is completed according to the result of the matching or verification. Identity verification here is a generalized concept: it can be understood as verifying the identity of the verified object, or as verifying that the verified object has the legitimate identity to perform a certain operation, for example verifying the legitimacy of the first cryptographic device exporting the target key.
In an optional implementation of this embodiment, as shown in Fig. 10, the writing submodule 904 includes:
a verification submodule 1001, configured to verify the signature information using the first device public key of the first device keys;
a fourth sending submodule 1002, configured to, in response to the signature information being verified successfully, send the target key ciphertext to the second cryptographic device, where the target key ciphertext can be decrypted with the second device private key of the second device keys to obtain the target key;
a fourth receiving submodule 1003, configured to receive target key write feedback information returned by the first cryptographic device.
In this embodiment, online key initialization of the second cryptographic device is completed through an encryption and decryption mechanism. Specifically, the verification submodule 1001 verifies the signature information using the first device public key of the first device keys; in response to the signature information being verified successfully, the fourth sending submodule 1002 sends the target key ciphertext to the second cryptographic device; the fourth receiving submodule 1003 receives the target key write feedback information returned by the first cryptographic device.
Sending the target key ciphertext to the second cryptographic device can be implemented by sending a target key ciphertext import request to the second cryptographic device, or by calling a target key ciphertext import interface of the second cryptographic device; the present invention does not particularly limit this.
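The export and online-write flow of the writing module 603 (submodules 901 to 904 and 1001 to 1003), together with the matching of the third identity verification data against the first identity verification data stored in the first cryptographic device, as an added example in Go. This is illustrative code written for this page, not code from the patent or any product implementing it. It assumes concrete primitives the page leaves open: ECDSA P-256 for the first device keys, RSA-OAEP for the second device keys, and a MAC key as the identity verification data (the page lists a MAC key as one option). All type and function names are the example's own, and the sample MAC key in the usage is a constructed value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Hypothetical model of the page's flow; names are this example's own, not the patent's.
// First device keys: ECDSA P-256 signing pair. Second device keys: RSA-OAEP pair.
// Identity verification data: a MAC key (one of the options the page lists).
type FirstDevice struct {
	signKey   *ecdsa.PrivateKey // first device private key
	macKey    []byte            // first identity verification data
	targetKey []byte            // target key generated offline
}
type SecondDevice struct {
	encKey    *rsa.PrivateKey // second device private key
	targetKey []byte          // set once the ciphertext has been imported
}

// InitFirstDevice: offline steps of module 601 (device keys, target key, identity data write).
func InitFirstDevice(macKey []byte) (*FirstDevice, *ecdsa.PublicKey, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tk := make([]byte, 32) // target key drawn from the CSPRNG
	if _, err := rand.Read(tk); err != nil {
		return nil, nil, err
	}
	return &FirstDevice{signKey: sk, macKey: macKey, targetKey: tk}, &sk.PublicKey, nil
}

// PrepareSecondDevice: offline step of module 602 (second device keys only).
func PrepareSecondDevice() (*SecondDevice, *rsa.PublicKey, error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &SecondDevice{encKey: sk}, &sk.PublicKey, nil
}

// ThirdIdentityData: what the terminal token supplies to submodule 901, an HMAC over the
// second device public key under the MAC key that the first device also holds.
func ThirdIdentityData(tokenMACKey []byte, secondPub *rsa.PublicKey) []byte {
	m := hmac.New(sha256.New, tokenMACKey)
	m.Write(x509.MarshalPKCS1PublicKey(secondPub))
	return m.Sum(nil)
}

// ExportTargetKey: the first device's handling of the export instruction from submodule 902.
// Identity data are matched first; only then is the target key encrypted and the ciphertext signed.
func (d *FirstDevice) ExportTargetKey(thirdID []byte, secondPub *rsa.PublicKey) (ct, sig []byte, err error) {
	if !hmac.Equal(thirdID, ThirdIdentityData(d.macKey, secondPub)) {
		return nil, nil, errors.New("identity verification failed: export refused")
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, secondPub, d.targetKey, []byte("target-key"))
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(ct)
	sig, err = ecdsa.SignASN1(rand.Reader, d.signKey, h[:])
	return ct, sig, err
}

// VerifyExport: the check of submodule 1001, done with the first device public key.
func VerifyExport(firstPub *ecdsa.PublicKey, ct, sig []byte) bool {
	h := sha256.Sum256(ct)
	return ecdsa.VerifyASN1(firstPub, h[:], sig)
}

// ImportTargetKey: the second device decrypts the ciphertext forwarded by submodule 1002.
func (d *SecondDevice) ImportTargetKey(ct []byte) error {
	tk, err := rsa.DecryptOAEP(sha256.New(), nil, d.encKey, ct, []byte("target-key"))
	if err != nil {
		return err
	}
	d.targetKey = tk
	return nil
}

// RunInitialization plays the server role for one prepared second device; it returns
// nil once the target key is written, or an error if identity or signature verification fails.
func RunInitialization(tokenMACKey []byte, first *FirstDevice, firstPub *ecdsa.PublicKey,
	second *SecondDevice, secondPub *rsa.PublicKey) error {
	ct, sig, err := first.ExportTargetKey(ThirdIdentityData(tokenMACKey, secondPub), secondPub)
	if err != nil {
		return err
	}
	if !VerifyExport(firstPub, ct, sig) {
		return errors.New("signature verification failed: first device not legitimate")
	}
	return second.ImportTargetKey(ct)
}
```

The ordering is the point for a defender: the first device refuses to export before the identity data match, so a request with mismatched identity data never produces a ciphertext, and the server forwards nothing unless the signature verifies under the first device public key, so a ciphertext altered in transit is rejected at the server rather than reaching the second device's decryption.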
The embodiment of the present invention also discloses an electronic device. Fig. 11 shows a structural block diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 11, the electronic device 1100 includes a memory 1101 and a processor 1102, where the memory 1101 is used to store one or more computer instructions, and the one or more computer instructions are executed by the processor 1102 to implement any of the above method steps.
Fig. 12 is a schematic structural diagram of a computer system suitable for implementing the key initialization method according to an embodiment of the present invention.
As shown in Fig. 12, the computer system 1200 includes a central processing unit (CPU) 1201, which can perform the various processes of the above embodiments according to a program stored in a read-only memory (ROM) 1202 or a program loaded from a storage section 1208 into a random access memory (RAM) 1203. The RAM 1203 also stores the various programs and data required for the operation of the system 1200. The CPU 1201, the ROM 1202, and the RAM 1203 are connected to each other by a bus 1204. An input/output (I/O) interface 1205 is also connected to the bus 1204.
The following components are connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output section 1207 including a cathode ray tube (CRT), a liquid crystal display (LCD), a loudspeaker, and the like; a storage section 1208 including a hard disk and the like; and a communication section 1209 including a network interface card such as a LAN card or a modem. The communication section 1209 performs communication processing via a network such as the Internet. A drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 1210 as needed, so that a computer program read from it can be installed into the storage section 1208 as needed.
In particular, according to an embodiment of the present invention, the method described above may be implemented as a computer software program. For example, embodiments of the present invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program including program code for performing the key initialization method. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 1209, and/or installed from the removable medium 1211.
The flowcharts and block diagrams in the drawings illustrate the possible architecture, functions, and operations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment, or a part of code, which comprises one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that shown in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units or modules described in the embodiments of the present invention may be implemented by software or by hardware. The described units or modules may also be provided in a processor, and the names of these units or modules do not, in some cases, constitute a limitation on the units or modules themselves.
In another aspect, the embodiment of the present invention also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the apparatus described in the above embodiment, or may be a computer-readable storage medium that exists separately and is not assembled into a device. The computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the method described in the embodiments of the present invention.
The above description is merely a description of the preferred embodiments of the present invention and of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the embodiments of the present invention is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the inventive concept, for example technical solutions formed by replacing the above features with technical features having similar functions disclosed in (but not limited to) the embodiments of the present invention.