CN110417557A - Intelligent terminal peripheral data security control method and device - Google Patents


Info

Publication number: CN110417557A
Authority: CN (China)
Prior art keywords: peripheral hardware, random factor, transaction information, call request, peripheral
Legal status: Granted (Active)
Application number: CN201910710316.2A
Other languages: Chinese (zh)
Other versions: CN110417557B (en)
Inventors: 雷斌, 鲁金彪, 陆杰文, 周新衡
Current Assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original Assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by: Industrial and Commercial Bank of China Ltd (ICBC)
Priority to: CN201910710316.2A
Publication of CN110417557A
Application granted; publication of CN110417557B

Classifications

    • G06Q20/3823 Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12 Applying verification of the received information
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • G06Q20/20 Point-of-sale [POS] network systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The embodiments of the present application provide an intelligent terminal peripheral data security control method and device. The method includes: receiving a peripheral call request sent by a server, calling the corresponding peripheral according to the peripheral call request, and obtaining the transaction information collected by the peripheral; generating an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key; and encrypting the transaction information according to the encryption key and returning the encrypted transaction information, the second random factor and the terminal public key to the server. The application effectively addresses the existing security risk that an intruder accesses the intelligent terminal's peripherals beyond their authority to maliciously read cards or collect card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is inadequately protected and leaked because of factors such as an incomplete data protection strategy.

Description

Intelligent terminal peripheral data security control method and device
Technical field
This application relates to the field of data security, and in particular to an intelligent terminal peripheral data security control method and device.
Background
Because a traditional financial POS terminal integrates a variety of dedicated financial card-reading peripherals, it generally runs a closed operating system proprietary to each manufacturer. The closed system cannot load other applications, and the integrated dedicated card-reading peripherals can only be called by specific programs inside the closed system, so security is relatively high. With the development of the mobile internet, the closed nature of traditional financial POS terminals is gradually being challenged by intelligent terminals. Compared with traditional financial POS terminals, financial intelligent terminals have a higher hardware configuration and an open intelligent operating system that can load multiple business applications, which attracts more merchants to develop industry applications on them and forms a closed loop of payment business.
However, as the financial intelligent terminal platform opens up, some integrated financial peripherals with sensitive characteristics, such as magnetic card readers and contact/contactless IC card readers, are also opened along with the platform to meet the needs of merchant industry applications. How to control merchant apps' permission to use these peripherals while keeping the financial intelligent terminal platform open, and how to prevent attackers from using technical means to bypass the platform's permission control and access the terminal's peripherals, has become a focal issue for the industry.
Existing financial intelligent terminals are mostly based on the Android operating system. Once the existing peripheral interfaces are opened to merchant applications, there is no guarantee that a merchant application's security handling follows bank card security specifications when it calls a peripheral to read sensitive information such as a card number or an entered password. User sensitive information can easily be leaked while it resides on the financial intelligent terminal, which gives attackers a channel to exploit.
Summary of the invention
In view of the problems in the prior art, the application provides an intelligent terminal peripheral data security control method and device. They effectively address the existing security risk that an intruder accesses the intelligent terminal's peripherals beyond their authority to maliciously read cards or collect card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is inadequately protected and leaked because of factors such as an incomplete data protection strategy.
To solve at least one of the above problems, the application provides the following technical solutions:
In a first aspect, the application provides an intelligent terminal peripheral data security control method, comprising:
receiving a peripheral call request sent by a server, calling the corresponding peripheral according to the peripheral call request, and obtaining the transaction information collected by the peripheral;
generating an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key;
encrypting the transaction information according to the encryption key, and returning the encrypted transaction information, the second random factor and the terminal public key to the server, so that the server performs signature verification on the second random factor according to the terminal public key and, when the signature verification passes, generates a decryption key according to the second random factor and the first random factor and decrypts the encrypted transaction information.
Further, before the encryption key is generated according to the first random factor in the peripheral call request and the locally generated second random factor, the method includes:
performing signature verification on the first random factor according to the server public key in the peripheral call request to obtain a signature verification result;
if the signature verification result is a failure, returning an encryption failure result.
Further, encrypting the transaction information according to the encryption key includes:
determining whether the transaction information collected by the peripheral contains information that matches the preset sensitive data in the peripheral call request;
if so, encrypting the transaction information that matches the preset sensitive data according to the encryption key.
Further, after the peripheral call request sent by the server is received and before the corresponding peripheral is called according to the peripheral call request, the method further includes:
performing an authenticity check on the server public key in the peripheral call request according to a pre-stored operator root certificate and, if the check fails, returning a peripheral call failure result.
In a second aspect, the application provides a peripheral data security control method, comprising:
sending a peripheral call request to an intelligent terminal, so that the intelligent terminal calls the corresponding peripheral according to the peripheral call request, obtains the transaction information collected by the peripheral, generates an encryption key according to the first random factor in the peripheral call request and a second random factor generated locally by the intelligent terminal, and encrypts the transaction information according to the encryption key;
receiving the encrypted transaction information, the second random factor and the terminal public key returned by the intelligent terminal, and performing signature verification on the second random factor according to the terminal public key;
if the signature verification passes, generating a decryption key according to the second random factor and the locally generated first random factor, and decrypting the encrypted transaction information to obtain the decrypted transaction information.
Further, before the peripheral call request is sent to the intelligent terminal, the method includes:
digitally signing the first random factor in the peripheral call request according to a preset server private key.
In a third aspect, the application provides an intelligent terminal peripheral data security control device, comprising:
a transaction information obtaining module, configured to receive a peripheral call request sent by a server, call the corresponding peripheral according to the peripheral call request, and obtain the transaction information collected by the peripheral;
an encryption key generation module, configured to generate an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key;
a transaction information encryption module, configured to encrypt the transaction information according to the encryption key and return the encrypted transaction information, the second random factor and the terminal public key to the server, so that the server performs signature verification on the second random factor according to the terminal public key and, when the signature verification passes, generates a decryption key according to the second random factor and the first random factor and decrypts the encrypted transaction information.
Further, the device also includes:
a first digital signature unit, configured to perform signature verification on the first random factor according to the server public key in the peripheral call request to obtain a signature verification result;
an encryption failure return unit, configured to return an encryption failure result if the signature verification result is a failure.
Further, the transaction information encryption module includes:
a sensitive information matching unit, configured to determine whether the transaction information collected by the peripheral contains information that matches the preset sensitive data in the peripheral call request;
a sensitive information encryption unit, configured to encrypt, according to the encryption key, the transaction information that matches the preset sensitive data if the transaction information collected by the peripheral contains information matching the preset sensitive data in the peripheral call request.
Further, the device also includes:
a certificate verification unit, configured to perform an authenticity check on the server public key in the peripheral call request according to a pre-stored operator root certificate and, if the check fails, return a peripheral call failure result.
In a fourth aspect, the application provides a peripheral data security control device, comprising:
a call request sending module, configured to send a peripheral call request to an intelligent terminal, so that the intelligent terminal calls the corresponding peripheral according to the peripheral call request, obtains the transaction information collected by the peripheral, generates an encryption key according to the first random factor in the peripheral call request and a second random factor generated locally by the intelligent terminal, and encrypts the transaction information according to the encryption key;
a signature verification module, configured to receive the encrypted transaction information, the second random factor and the terminal public key returned by the intelligent terminal, and perform signature verification on the second random factor according to the terminal public key;
a transaction information decryption module, configured to generate, if the signature verification passes, a decryption key according to the second random factor and the locally generated first random factor, and decrypt the encrypted transaction information to obtain the decrypted transaction information.
Further, the device also includes:
a digital signature unit, configured to digitally sign the first random factor in the peripheral call request according to a preset server private key.
In a fifth aspect, the application provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the peripheral data security control method when executing the program.
In a sixth aspect, the application provides a computer-readable storage medium on which a computer program is stored, wherein the steps of the peripheral data security control method are implemented when the computer program is executed by a processor.
As can be seen from the above technical solutions, the application provides an intelligent terminal peripheral data security control method and device. The terminal digitally signs the second random factor it generates with a preset private key and combines it with the first random factor in the peripheral call request sent by the server to generate an encryption key. The transaction information collected by the peripheral is encrypted with this encryption key, and the encrypted transaction information, the second random factor and the terminal public key are returned to the server. After the server performs signature verification on the encrypted transaction information and the second random factor according to the terminal public key, that is, after it verifies that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key according to the second random factor and its own first random factor and decrypts the transaction information with that key. This addresses the existing security risk that an intruder accesses the intelligent terminal's peripherals beyond their authority to maliciously read cards or collect card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is inadequately protected and leaked because of factors such as an incomplete data protection strategy.
Brief description of the drawings
To explain the technical solutions in the embodiments of the application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are evidently some embodiments of the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the first flow diagram of the intelligent terminal peripheral data security control method in an embodiment of the application;
Fig. 2 is the second flow diagram of the intelligent terminal peripheral data security control method in an embodiment of the application;
Fig. 3 is the third flow diagram of the intelligent terminal peripheral data security control method in an embodiment of the application;
Fig. 4 is the fourth flow diagram of the intelligent terminal peripheral data security control method in an embodiment of the application;
Fig. 5 is the first structural diagram of the intelligent terminal peripheral data security control device in an embodiment of the application;
Fig. 6 is the second structural diagram of the intelligent terminal peripheral data security control device in an embodiment of the application;
Fig. 7 is the third structural diagram of the intelligent terminal peripheral data security control device in an embodiment of the application;
Fig. 8 is the fourth structural diagram of the intelligent terminal peripheral data security control device in an embodiment of the application;
Fig. 9 is a structural diagram of the electronic device in an embodiment of the application.
Detailed description
To make the purposes, technical solutions and advantages of the embodiments of the application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are evidently some, not all, of the embodiments of the application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the application without creative effort fall within the scope of protection of the application.
Existing financial intelligent terminals are mostly based on the Android operating system. Once the existing peripheral interfaces are opened to merchant applications, there is no guarantee that a merchant application's security handling follows bank card security specifications when it calls a peripheral to read sensitive information such as a card number or an entered password, so user sensitive information can easily be leaked while it resides on the financial intelligent terminal and gives attackers a channel to exploit. In view of this problem, the application provides an intelligent terminal peripheral data security control method and device. The terminal digitally signs the second random factor it generates with a preset private key and combines it with the first random factor in the peripheral call request sent by the server to generate an encryption key. The transaction information collected by the peripheral is encrypted with this encryption key, and the encrypted transaction information, the second random factor and the terminal public key are returned to the server. After the server performs signature verification on the encrypted transaction information and the second random factor according to the terminal public key, that is, after it verifies that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key according to the second random factor and its own first random factor and decrypts the transaction information with that key. This addresses the existing security risk that an intruder accesses the intelligent terminal's peripherals beyond their authority to maliciously read cards or collect card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is inadequately protected and leaked because of factors such as an incomplete data protection strategy.
To effectively address the existing security risk that an intruder accesses the intelligent terminal's peripherals beyond their authority to maliciously read cards or collect card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is inadequately protected and leaked because of factors such as an incomplete data protection strategy, the application provides an embodiment of the intelligent terminal peripheral data security control method whose executing subject is the intelligent terminal. Referring to Fig. 1, the method specifically includes the following:
Step S101: the peripheral hardware call request that server is sent is received, and is called and is corresponded to according to the peripheral hardware call request Peripheral hardware, obtain the Transaction Information of peripheral hardware acquisition.
It is understood that the peripheral hardware, which can be intelligent terminal, completes the indispensable peripheral hardware of transaction, such as integrate a variety of gold Melt the defeated equipment such as close of dedicated card reading, and is external input device necessary to other mainstream means of payment, the intelligent terminal It can download equipped with open type intelligent operating system and industry trade company APP is installed, and integrate the dedicated peripheral hardware packet of a variety of finance Front end input peripheral such as IC card card reader, camera, barcode scanning gun, code keyboard, and output peripheral hardware such as printer etc. are included, except branch It holds in addition to the means of payment such as bank card payment, the sudden strain of a muscle pair of Unionpay's cloud, other means of payment can also be integrated by APP, including but not It is confined to: the mobile payment based on internet account such as wechat payment, Alipay payment, Baidu's wallet, Jingdone district payment, Yi Jiwei The internet cards certificate such as letter card certificate, public comment checks and writes off the means of payment such as own two dimensional code barcode scanning payment, trading card payment.The intelligence Terminal installation not only has the means of payment abundant, and specific form includes but is not limited to: financial intelligent terminating machine and intelligence are received Silver-colored platform.
It is understood that after the intelligent terminal receives the peripheral hardware call request that the server is sent, according to institute The peripheral type and model that peripheral hardware call request determines that it specifically to be called are stated, and actually calls the peripheral hardware to complete Transaction Information Collecting work.
Step S102: generate an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key.
It can be understood that the first random factor in the peripheral call request may be generated locally by the server using an existing random number algorithm, and may specifically be a random number. Optionally, the server may digitally sign the first random factor with its own preset server private key.
Optionally, the intelligent terminal may likewise generate the second random factor locally using an existing random algorithm and digitally sign it with a preset terminal private key. The intelligent terminal may then generate an encryption key from the first random factor and the second random factor using an existing data conversion method, for example cumulative addition and cumulative multiplication. In some other embodiments of the present application, other existing data conversion methods or data combination methods may be applied to the first and second random factors to obtain the encryption key.
Step S103: encrypt the transaction information with the encryption key, and return the encrypted transaction information, the second random factor and the terminal public key to the server, so that the server verifies the signature of the second random factor using the terminal public key and, when the signature verification passes, generates a decryption key from the second random factor and the first random factor and decrypts the encrypted transaction information.
It can be understood that at this point the intelligent terminal has obtained the transaction information through the peripheral and has generated the encryption key, so it can encrypt the transaction information with that key. Any encryption method in the prior art may be used, for example a symmetric encryption method or an asymmetric encryption method, either of which can use the encryption key.
It can be understood that the intelligent terminal returns the encrypted transaction information, the second random factor and the terminal public key to the server, where the terminal public key is used to verify the signature of the digitally signed second random factor, so that when the signature verification passes the server generates a decryption key from the second random factor and the first random factor and decrypts the encrypted transaction information.
Optionally, the intelligent terminal and the server store the same data conversion method. The encryption key that the intelligent terminal generates from the first and second random factors is therefore identical to the decryption key that the server generates from the same two factors, so the server can successfully decrypt the encrypted transaction information with the decryption key.
As can be seen from the above, in the intelligent terminal peripheral data security control method provided by the embodiments of the present application, the terminal signs its self-generated second random factor with a preset private key and combines it with the first random factor in the peripheral call request sent by the server to generate an encryption key. The terminal encrypts the transaction information collected by the peripheral with this key and returns the encrypted transaction information, the second random factor and the terminal public key to the server. After the server has verified, using the terminal public key, the signature over the encrypted transaction information and the second random factor, that is, after it has confirmed that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key from the second random factor and its own first random factor and decrypts the transaction information with it. This addresses the existing security risk that an intruder gains unauthorized access to intelligent terminal peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy.
In order to verify the authenticity of the first random factor before the encryption key is generated, an embodiment of the intelligent terminal peripheral data security control method of the present application further includes the following, referring to Fig. 2:
Step S201: verify the signature of the first random factor using the server public key in the peripheral call request, and obtain a signature verification result.
Step S202: if the signature verification fails, return an encryption failure result.
It can be understood that after receiving the peripheral call request, the intelligent terminal can extract the server public key and the first random factor contained in it. Because the first random factor was digitally signed inside the server with the server private key, the server public key can be used to verify its signature and thereby determine whether the first random factor was indeed issued by the server. If the signature verification fails, the data does not match: the first random factor was not issued by the server and its validity is low, so an encryption failure result is returned and the subsequent flow is not executed.
In order to encrypt the key sensitive information, an embodiment of the intelligent terminal peripheral data security control method of the present application further includes the following, referring to Fig. 3:
Step S301: determine whether the transaction information collected by the peripheral contains information matching the preset sensitive data in the peripheral call request.
Step S302: if so, encrypt with the encryption key the transaction information that matches the preset sensitive data.
Optionally, the peripheral call request also contains preset sensitive data. The intelligent terminal can determine whether the transaction information collected by the peripheral contains the corresponding preset sensitive data and, if so, encrypt only the corresponding part of the transaction information.
In order to verify the server public key against the pre-stored operator root certificate, an embodiment of the intelligent terminal peripheral data security control method of the present application further includes the following: verify the authenticity of the server public key in the peripheral call request according to the pre-stored operator root certificate, and if the check fails, return a peripheral call failure result.
It can be understood that a certificate contains signature information, which is added by the certificate authority that issued it and can be verified using the public key of that issuing authority.
To effectively address the existing security risk that an intruder gains unauthorized access to an intelligent terminal's peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy, the present application provides an embodiment of an intelligent terminal peripheral data security control method whose executing subject is the server. Referring to Fig. 4, the method specifically includes the following:
Step S401: send a peripheral call request to the intelligent terminal, so that the intelligent terminal calls the corresponding peripheral according to the peripheral call request, obtains the transaction information collected by the peripheral, generates an encryption key from the first random factor in the peripheral call request and a second random factor generated locally by the intelligent terminal, and encrypts the transaction information with the encryption key.
It can be understood that after receiving the peripheral call request sent by the server, the intelligent terminal determines from the request the type and model of the peripheral to be called, and then actually calls that peripheral to collect the transaction information.
Optionally, the intelligent terminal may generate an encryption key from the first random factor and the second random factor using an existing data conversion method, for example cumulative addition and cumulative multiplication. In some other embodiments of the present application, other existing data conversion methods or data combination methods may be applied to the first and second random factors to obtain the encryption key.
Step S402: receive the encrypted transaction information, the second random factor and the terminal public key returned by the intelligent terminal, and verify the signature of the second random factor using the terminal public key.
Step S403: if the signature verification passes, generate a decryption key from the second random factor and the locally generated first random factor, and decrypt the encrypted transaction information to obtain the decrypted transaction information.
It can be understood that the intelligent terminal returns the encrypted transaction information, the second random factor and the terminal public key to the server, where the terminal public key is used to verify the signature of the digitally signed second random factor, so that when the signature verification passes the server generates a decryption key from the second random factor and the first random factor and decrypts the encrypted transaction information.
As can be seen from the above, in the intelligent terminal peripheral data security control method provided by the embodiments of the present application, the terminal signs its self-generated second random factor with a preset private key and combines it with the first random factor in the peripheral call request sent by the server to generate an encryption key. The terminal encrypts the transaction information collected by the peripheral with this key and returns the encrypted transaction information, the second random factor and the terminal public key to the server. After the server has verified, using the terminal public key, the signature over the encrypted transaction information and the second random factor, that is, after it has confirmed that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key from the second random factor and its own first random factor and decrypts the transaction information with it. This addresses the existing security risk that an intruder gains unauthorized access to intelligent terminal peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy.
In order to digitally sign the first random factor and thereby improve the security of data transmission, an embodiment of the intelligent terminal peripheral data security control method of the present application further includes the following: digitally sign the first random factor in the peripheral call request with a preset server private key.
It can be understood that the first random factor in the peripheral call request may be generated locally by the server using an existing random number algorithm, and may specifically be a random number. Optionally, the server may digitally sign the first random factor with its own preset server private key.
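The exchange in steps S101 to S103, S201 to S202 and S401 to S403, together with the operator-root check on the server public key, as an added example that is not code from the patent. Ed25519 signatures, HKDF-SHA256 in place of the accumulation/multiplication conversion, AES-GCM, a root-signed raw public key standing in for a certificate, and every function and field name are assumptions of this example; it requires the `cryptography` package.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF


def raw_pub(sk):
    """Raw 32-byte public key belonging to a private key."""
    return sk.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def verify(pub_raw, sig, msg):
    """True only if sig is a valid Ed25519 signature over msg under pub_raw."""
    try:
        Ed25519PublicKey.from_public_bytes(pub_raw).verify(sig, msg)
        return True
    except (InvalidSignature, ValueError):
        return False


def derive_key(factor1, factor2):
    """Identical conversion on both sides (HKDF swapped in for the page's
    accumulation/multiplication). Inputs are exactly the two factors, as in
    S102/S403; the application example's use of the server private key in key
    recovery is not specified on the page and is not modelled here."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"peripheral-data-channel").derive(factor1 + factor2)


class Party:
    """Key pair whose public key is endorsed by the operator root
    (hypothetical stand-in for an X.509 certificate)."""
    def __init__(self, root_sk):
        self.sk = Ed25519PrivateKey.generate()
        self.pub = raw_pub(self.sk)
        self.cert = root_sk.sign(self.pub)


def new_root():
    """Operator root key pair: (private key, raw public key)."""
    sk = Ed25519PrivateKey.generate()
    return sk, raw_pub(sk)


def server_request(server, peripheral):
    """S401: peripheral call request carrying the signed first random factor."""
    factor1 = os.urandom(16)
    return {"peripheral": peripheral, "factor1": factor1,
            "factor1_sig": server.sk.sign(factor1),
            "server_pub": server.pub, "server_cert": server.cert}


def terminal_handle(terminal, root_pub, req, read_peripheral):
    """Terminal side: root check, S201/S202, then S101 to S103."""
    if not verify(root_pub, req["server_cert"], req["server_pub"]):
        return {"status": "peripheral_call_failed"}   # key not endorsed by root
    if not verify(req["server_pub"], req["factor1_sig"], req["factor1"]):
        return {"status": "encryption_failed"}        # S202
    data = read_peripheral(req["peripheral"])         # S101
    factor2 = os.urandom(16)                          # S102
    key, iv = derive_key(req["factor1"], factor2), os.urandom(12)
    return {"status": "ok", "iv": iv,                 # S103
            "ciphertext": AESGCM(key).encrypt(iv, data, None),
            "factor2": factor2, "factor2_sig": terminal.sk.sign(factor2),
            "terminal_pub": terminal.pub, "terminal_cert": terminal.cert}


def server_handle(factor1, root_pub, resp):
    """S402/S403: verify the terminal's signature, then derive key and decrypt."""
    if resp.get("status") != "ok":
        return None
    if not verify(root_pub, resp["terminal_cert"], resp["terminal_pub"]):
        return None
    if not verify(resp["terminal_pub"], resp["factor2_sig"], resp["factor2"]):
        return None
    key = derive_key(factor1, resp["factor2"])
    try:
        return AESGCM(key).decrypt(resp["iv"], resp["ciphertext"], None)
    except InvalidTag:
        return None


def demo():
    """Happy path with a constructed card read-out; returns the server's plaintext."""
    root_sk, root_pub = new_root()
    server, terminal = Party(root_sk), Party(root_sk)
    req = server_request(server, "ic_card_reader")
    resp = terminal_handle(terminal, root_pub, req,
                           lambda name: b"constructed card data")
    return server_handle(req["factor1"], root_pub, resp)
```
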
To effectively address the existing security risk that an intruder gains unauthorized access to an intelligent terminal's peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy, the present application provides an embodiment of an intelligent terminal peripheral data security control device for implementing all or part of the intelligent terminal peripheral data security control method, whose executing subject is the intelligent terminal. Referring to Fig. 5, the device specifically includes the following:
A transaction information obtaining module 10, configured to receive the peripheral call request sent by the server, call the corresponding peripheral according to the peripheral call request, and obtain the transaction information collected by the peripheral.
An encryption key generation module 20, configured to generate an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key.
A transaction information encryption module 30, configured to encrypt the transaction information with the encryption key and return the encrypted transaction information, the second random factor and the terminal public key to the server, so that the server verifies the signature of the second random factor using the terminal public key and, when the signature verification passes, generates a decryption key from the second random factor and the first random factor and decrypts the encrypted transaction information.
As can be seen from the above, in the intelligent terminal peripheral data security control device provided by the embodiments of the present application, the terminal signs its self-generated second random factor with a preset private key and combines it with the first random factor in the peripheral call request sent by the server to generate an encryption key. The terminal encrypts the transaction information collected by the peripheral with this key and returns the encrypted transaction information, the second random factor and the terminal public key to the server. After the server has verified, using the terminal public key, the signature over the encrypted transaction information and the second random factor, that is, after it has confirmed that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key from the second random factor and its own first random factor and decrypts the transaction information with it. This addresses the existing security risk that an intruder gains unauthorized access to intelligent terminal peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy.
In order to verify the authenticity of the first random factor before the encryption key is generated, an embodiment of the present application further includes the following, referring to Fig. 6:
A first digital signature unit 71, configured to verify the signature of the first random factor using the server public key in the peripheral call request and obtain a signature verification result.
An encryption failure return unit 72, configured to return an encryption failure result if the signature verification fails.
In order to encrypt the key sensitive information, in an embodiment of the present application, referring to Fig. 7, the transaction information encryption module 30 includes:
A sensitive information matching unit 31, configured to determine whether the transaction information collected by the peripheral contains information matching the preset sensitive data in the peripheral call request.
A sensitive information encryption unit 32, configured to encrypt with the encryption key the transaction information that matches the preset sensitive data, if the transaction information collected by the peripheral contains information matching the preset sensitive data in the peripheral call request.
In order to verify the server public key against the pre-stored operator root certificate, an embodiment of the present application further includes: a certificate verification unit 73, configured to verify the authenticity of the server public key in the peripheral call request according to the pre-stored operator root certificate and, if the check fails, return a peripheral call failure result.
To effectively address the existing security risk that an intruder gains unauthorized access to an intelligent terminal's peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy, the present application provides an embodiment of an intelligent terminal peripheral data security control device for implementing all or part of the intelligent terminal peripheral data security control method, whose executing subject is the server. Referring to Fig. 8, the device specifically includes the following:
A call request sending module 40, configured to send a peripheral call request to the intelligent terminal, so that the intelligent terminal calls the corresponding peripheral according to the peripheral call request, obtains the transaction information collected by the peripheral, generates an encryption key from the first random factor in the peripheral call request and a second random factor generated locally by the intelligent terminal, and encrypts the transaction information with the encryption key.
A signature verification module 50, configured to receive the encrypted transaction information, the second random factor and the terminal public key returned by the intelligent terminal, and verify the signature of the second random factor using the terminal public key.
A transaction information decryption module 60, configured to generate, if the signature verification passes, a decryption key from the second random factor and the locally generated first random factor, and decrypt the encrypted transaction information to obtain the decrypted transaction information.
As can be seen from the above, in the intelligent terminal peripheral data security control device provided by the embodiments of the present application, the terminal signs its self-generated second random factor with a preset private key and combines it with the first random factor in the peripheral call request sent by the server to generate an encryption key. The terminal encrypts the transaction information collected by the peripheral with this key and returns the encrypted transaction information, the second random factor and the terminal public key to the server. After the server has verified, using the terminal public key, the signature over the encrypted transaction information and the second random factor, that is, after it has confirmed that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key from the second random factor and its own first random factor and decrypts the transaction information with it. This addresses the existing security risk that an intruder gains unauthorized access to intelligent terminal peripherals in order to read cards maliciously or harvest card transaction data, and the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of an incomplete data protection policy.
In order to digitally sign the first random factor and thereby improve the security of data transmission, an embodiment of the present application further includes: a digital signature unit 74, configured to digitally sign the first random factor in the peripheral call request with a preset server private key.
To further explain this solution, the present application also provides a specific application example in which the above intelligent terminal peripheral data security control device is used to implement the intelligent terminal peripheral data security control method, specifically including the following:
A merchant APP go-live process, specifically comprising the following steps:
1. The merchant APP server generates a public/private key pair, packages information including but not limited to the APPID, the peripheral interface access list and the sensitive-information encryption Tag list into an APP release application message, computes a hash of the release application message and signs it with the server private key, and, together with its self-signed public key certificate, applies to the financial intelligent terminal management platform to register the merchant APP.
2. The financial intelligent terminal management platform verifies the consistency of the merchant APP's registration application information by PKI signature verification. After the verification passes, it notifies the back-end device operator's administrators to review and confirm the merchant APP's registration of the APP, the peripheral interface access list, the sensitive-information encryption Tag and other information.
3. After the back-end review passes and authorization is granted, the financial intelligent terminal management platform uses its own root certificate to generate a signed merchant server certificate for the merchant APP, computes a hash of and signs the merchant APP's peripheral interface access list and sensitive-information encryption Tag list respectively, and returns the result together with the signed certificate to the merchant APP server.
A peripheral access control method, specifically including the following:
1. When the merchant APP requests access to a peripheral of the financial intelligent terminal, it applies to the merchant APP server for a peripheral access TOKEN. The merchant APP server generates a one-time random number Nounce1 and assembles it with the peripheral interface access list and its signature, the sensitive-information encryption Tag list and its signature, the APPID, the TOKEN validity period and other information into a TOKEN, then computes a hash of the Token and signs it with the merchant APP server private key.
2. After receiving the Token and its signature, the merchant APP, when calling the secure peripheral service layer, passes in the Token credential, the merchant APP public key certificate signed by the financial intelligent terminal management platform, and the peripheral call request data.
3. The secure peripheral service layer forwards the request to the secure peripheral management module. On receiving the call request, the permission verification module verifies the received Token information, specifically:
First, the operator's root certificate is used to verify the merchant APP public key certificate attached to the Token, to ensure the validity and correctness of the merchant APP public key certificate, and information such as the merchant APPID is recovered from it. The verification specifically includes:
- using the merchant public key certificate, verify whether the signature over the TOKEN hash is correct;
- check whether the merchant APPID is consistent with the merchant APPID in the TOKEN;
- check whether the TOKEN validity period is valid;
- check whether the TOKEN validity period exceeds the maximum time;
- using the operator's root certificate, verify whether the sensitive-information encryption Tag list and its signature are correct;
- using the operator's root certificate, verify whether the peripheral interface access list and its signature are correct;
- check the interface call request against the authorized interface list carried in the Token.
If any one of the above checks fails, the request is regarded as unauthorized access to a financial peripheral and the transaction is refused. If all of the above checks pass, the merchant APP's peripheral access request is regarded as legitimate, and the permission verification module, according to the peripheral access instruction, has the secure peripheral management module drive the corresponding attached peripheral to perform operations such as card reading, code scanning and PIN entry.
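The Token checks listed above, written as one validator, as an added example that is not code from the patent. Ed25519 signatures, JSON as the signed encoding, the 300-second maximum lifetime, and all field and function names are assumptions of this example; it requires the `cryptography` package.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

MAX_TOKEN_LIFETIME = 300  # seconds; assumed terminal policy, not a value from the page


def canon(obj):
    """Deterministic JSON encoding so signer and verifier sign the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sig_ok(pub, sig_hex, obj):
    """True only if sig_hex is a valid signature by pub over canon(obj)."""
    try:
        pub.verify(bytes.fromhex(sig_hex), canon(obj))
        return True
    except (InvalidSignature, ValueError):
        return False


def new_operator():
    """Operator root key pair: (private key, public key object)."""
    sk = Ed25519PrivateKey.generate()
    return sk, sk.public_key()


def enroll(operator_sk, app_id, interfaces, tags):
    """Go-live step: the operator certifies the merchant key and signs both lists."""
    merchant_sk = Ed25519PrivateKey.generate()
    pub = merchant_sk.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    cert = {"app_id": app_id, "pub": pub.hex()}

    def sign(obj):
        return operator_sk.sign(canon(obj)).hex()

    grant = {"cert": cert, "cert_sig": sign(cert),
             "interfaces": interfaces, "interfaces_sig": sign(interfaces),
             "tags": tags, "tags_sig": sign(tags)}
    return merchant_sk, grant


def issue_token(merchant_sk, grant, nonce_hex, issued_at, expires_at):
    """Merchant APP server: assemble the TOKEN fields and sign them."""
    body = {"app_id": grant["cert"]["app_id"], "nounce1": nonce_hex,
            "issued_at": issued_at, "expires_at": expires_at,
            "interfaces": grant["interfaces"],
            "interfaces_sig": grant["interfaces_sig"],
            "tags": grant["tags"], "tags_sig": grant["tags_sig"]}
    return {"body": body, "sig": merchant_sk.sign(canon(body)).hex(),
            "cert": grant["cert"], "cert_sig": grant["cert_sig"]}


def validate_token(token, operator_pub, requested_interface, now):
    """Return (allowed, reason); any failed check refuses the peripheral call."""
    body, cert = token["body"], token["cert"]
    if not sig_ok(operator_pub, token["cert_sig"], cert):
        return False, "merchant certificate not issued by operator"
    try:
        merchant_pub = Ed25519PublicKey.from_public_bytes(
            bytes.fromhex(cert["pub"]))
    except ValueError:
        return False, "malformed merchant public key"
    if not sig_ok(merchant_pub, token["sig"], body):
        return False, "token signature invalid"
    if body["app_id"] != cert["app_id"]:
        return False, "APPID mismatch"
    if not (body["issued_at"] <= now < body["expires_at"]):
        return False, "token not within validity period"
    if body["expires_at"] - body["issued_at"] > MAX_TOKEN_LIFETIME:
        return False, "validity period exceeds maximum"
    if not sig_ok(operator_pub, body["tags_sig"], body["tags"]):
        return False, "sensitive Tag list signature invalid"
    if not sig_ok(operator_pub, body["interfaces_sig"], body["interfaces"]):
        return False, "interface access list signature invalid"
    if requested_interface not in body["interfaces"]:
        return False, "interface not authorised"
    return True, "ok"
```
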
A sensitive data transmission method, specifically comprising the following steps:
1. The secure peripheral management module drives the financial peripherals and passes the input data obtained from peripherals such as the IC card reader, barcode scanner, camera and PIN pad to the sensitive data encryption module.
2. The sensitive data encryption module obtains the merchant APP's random number from the TOKEN, locally generates a random number Nounce2 and signs it with its own private key, and then generates a data encryption channel key from the Token random number and the locally generated random number.
3. The sensitive data encryption module splits the transaction data read by the device according to Tag and checks whether each data Tag is in the sensitive data encryption Tag list; if it is in the list, the data content of that Tag is encrypted. Taking the reading of IC card information as an example: when the device reads sensitive information such as the Tag57 track 2 equivalent data and the Tag5A bank card number, this sensitive information is not allowed to be stored on the terminal or in the merchant APP, and these Tags are in the signed sensitive data encryption Tag list, so the sensitive data encryption module uses the channel transmission key generated in the previous step to encrypt these Tags for transmission, masks the middle digits of the card number, and returns the result to the merchant APP.
4. On receiving this information, the merchant APP displays locally only the prefix and last digits of the masked card number, and sends the encrypted card number together with Nounce2, the signature, the terminal public key and other information to the merchant APP server.
5. The merchant APP server receives the terminal signing public key certificate and Nounce2, verifies the terminal signing certificate, recovers the data encryption channel key using Nounce1, Nounce2 and its own private key, decrypts the Tag-encrypted information with that key, and assembles a message to send to the acquiring server.
Throughout this process the bank card number is never stored on the financial intelligent terminal, which prevents financial sensitive information from leaking at the open operating system platform layer or inside the merchant APP because of vulnerabilities in the financial intelligent terminal itself.
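Step 3 above (split by Tag, encrypt only listed Tags, mask the card number) as an added example that is not code from the patent. The 32-byte channel key is taken as already derived from Nounce1 and Nounce2; the sample read-out is constructed, the first-6/last-4 masking rule and all names are assumptions, and `seal`/`unseal` are a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed sample: an IC-card read-out as BER-TLV (made-up card number).
SAMPLE_TLV = bytes.fromhex(
    "5A086212345678901234"                      # 5A   bank card number
    "57116212345678901234D25122010000000000"    # 57   track 2 equivalent data
    "5F2403251231"                              # 5F24 expiry date
    "9F0206000000001000")                       # 9F02 amount
SENSITIVE_TAGS = {"57", "5A"}   # contents of the signed sensitive-data Tag list


def parse_tlv(buf):
    """Split primitive BER-TLV data into (tag_hex, value_bytes) pairs."""
    out, i = [], 0
    try:
        while i < len(buf):
            start, i = i, i + 1
            if buf[start] & 0x1F == 0x1F:        # tag continues in following bytes
                while buf[i] & 0x80:
                    i += 1
                i += 1
            tag = buf[start:i].hex().upper()
            length, i = buf[i], i + 1
            if length & 0x80:                    # long form: low bits count length bytes
                n = length & 0x7F
                length, i = int.from_bytes(buf[i:i + n], "big"), i + n
            if i + length > len(buf):
                raise IndexError
            out.append((tag, buf[i:i + length]))
            i += length
    except IndexError:
        raise ValueError("truncated TLV data") from None
    return out


def _stream(key, iv, n):
    """Keystream of n bytes from HMAC-SHA256 in counter mode (stand-in only)."""
    blocks = (hmac.new(key, b"enc" + iv + c.to_bytes(4, "big"),
                       hashlib.sha256).digest() for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns iv || ciphertext || 32-byte tag."""
    iv = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Check the tag first; raise ValueError on any modification or wrong key."""
    iv, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, iv, len(ct))))


def mask_pan(value):
    """Keep first 6 and last 4 digits of a BCD card number, hide the middle."""
    digits = value.hex().upper().rstrip("F")
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def protect_transaction(tlv, sensitive_tags, key):
    """Terminal side: what is handed to the merchant APP."""
    fields, masked = {}, None
    for tag, value in parse_tlv(tlv):
        if tag in sensitive_tags:
            fields[tag] = {"encrypted": True, "value": seal(key, value).hex().upper()}
            if tag == "5A":
                masked = mask_pan(value)
        else:
            fields[tag] = {"encrypted": False, "value": value.hex().upper()}
    return {"fields": fields, "masked_pan": masked}


def server_recover(message, key):
    """Merchant APP server side: decrypt the Tag-encrypted fields."""
    return {tag: (unseal(key, bytes.fromhex(f["value"])).hex().upper()
                  if f["encrypted"] else f["value"])
            for tag, f in message["fields"].items()}
```
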
Embodiments herein also provides the intelligent terminal peripheral data security control side that can be realized in above-described embodiment The specific embodiment of a kind of electronic equipment of Overall Steps in method, referring to Fig. 9, the electronic equipment is specifically included in following Hold:
Processor (processor) 601, memory (memory) 602, communication interface (Communications Interface) 603 and bus 604;
Wherein, the processor 601, memory 602, communication interface 603 complete mutual lead to by the bus 604 Letter;The communication interface 603 sets for realizing intelligent terminal peripheral data safety control, online operation system, client Information transmission between standby and other participation mechanisms;
The processor 601 is used to call the computer program in the memory 602, and the processor executes the meter The Overall Steps in the intelligent terminal peripheral data method of controlling security in above-described embodiment are realized when calculation machine program, for example, institute It states when processor executes the computer program and realizes following step:
Step S101: receive the peripheral call request sent by the server, call the corresponding peripheral according to the peripheral call request, and obtain the transaction information collected by the peripheral.
Step S102: generate an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key.
Step S103: encrypt the transaction information according to the encryption key, and return the encrypted transaction information, the second random factor and the terminal public key to the server, so that the server performs signature verification on the second random factor according to the terminal public key and, when the signature verification passes, generates a decryption key according to the second random factor and the first random factor and decrypts the encrypted transaction information.
As can be seen from the above description, with the electronic device provided by the embodiments of the present application, the terminal signs the second random factor that it generates itself using the preset private key and generates an encryption key in combination with the first random factor in the peripheral call request sent by the server. The transaction information collected by the peripheral is encrypted with this encryption key, and the encrypted transaction information, the second random factor and the terminal public key are returned to the server. After the server performs signature verification on the encrypted transaction information and the second random factor according to the terminal public key, that is, after it verifies that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key according to the second random factor and its own first random factor and decrypts the transaction information with that key. This addresses the existing potential security risk that an illegal intruder oversteps their privileges to access the peripherals of an intelligent terminal and maliciously read cards or collect card transaction data, as well as the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of factors such as an imperfect data protection policy.
The embodiments of the present application also provide a computer-readable storage medium capable of carrying out all the steps of the intelligent terminal peripheral data security control method in the above embodiments. A computer program is stored on the computer-readable storage medium, and when executed by a processor the computer program carries out all the steps of the intelligent terminal peripheral data security control method in the above embodiments. For example, the processor implements the following steps when executing the computer program:
Step S101: receive the peripheral call request sent by the server, call the corresponding peripheral according to the peripheral call request, and obtain the transaction information collected by the peripheral.
Step S102: generate an encryption key according to the first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key.
Step S103: encrypt the transaction information according to the encryption key, and return the encrypted transaction information, the second random factor and the terminal public key to the server, so that the server performs signature verification on the second random factor according to the terminal public key and, when the signature verification passes, generates a decryption key according to the second random factor and the first random factor and decrypts the encrypted transaction information.
As can be seen from the above description, with the computer-readable storage medium provided by the embodiments of the present application, the terminal signs the second random factor that it generates itself using the preset private key and generates an encryption key in combination with the first random factor in the peripheral call request sent by the server. The transaction information collected by the peripheral is encrypted with this encryption key, and the encrypted transaction information, the second random factor and the terminal public key are returned to the server. After the server performs signature verification on the encrypted transaction information and the second random factor according to the terminal public key, that is, after it verifies that the transaction information and the second random factor were indeed issued by the terminal, it generates a decryption key according to the second random factor and its own first random factor and decrypts the transaction information with that key. This addresses the existing potential security risk that an illegal intruder oversteps their privileges to access the peripherals of an intelligent terminal and maliciously read cards or collect card transaction data, as well as the risk that sensitive information such as customer transaction card numbers and passwords is poorly protected and leaked because of factors such as an imperfect data protection policy.
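The exchange in steps S101 to S103, as listed for both the electronic device and the storage medium, together with the signature on the first random factor that claims 2 and 6 describe, as an added Go example that is not code from the patent. Ed25519, the SHA-256 key derivation, AES-256-GCM and all type and function names are assumptions, since the text names no algorithms; the sketch also assumes the two random factors travel over a channel that keeps them confidential, because the key is derived from them alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Request is the peripheral call request; Response is the terminal's reply (step S103).
type (
	Request struct {
		Peripheral string
		R1, R1Sig  []byte // first random factor and the server's signature over it
		ServerPub  ed25519.PublicKey
	}
	Response struct {
		Ciphertext, Nonce []byte
		R2, R2Sig         []byte // second random factor and the terminal's signature over it
		TerminalPub       ed25519.PublicKey
	}
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKey() ed25519.PrivateKey { return ed25519.NewKeyFromSeed(randomBytes(ed25519.SeedSize)) }

// sessionAEAD derives the data key from both factors (assumed KDF: SHA-256 over a
// label, r1 and r2) and returns AES-256-GCM under it (assumed cipher).
func sessionAEAD(r1, r2 []byte) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte("peripheral-data-key"), r1...), r2...))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES has a 16-byte block
	return aead
}

// validSig checks a signed 32-byte factor; the fixed length keeps r1 || r2 unambiguous.
func validSig(pub ed25519.PublicKey, factor, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && len(factor) == 32 && ed25519.Verify(pub, factor, sig)
}

// ServerBuildRequest creates the first random factor and signs it with the server private key.
func ServerBuildRequest(priv ed25519.PrivateKey, peripheral string) Request {
	r1 := randomBytes(32)
	return Request{Peripheral: peripheral, R1: r1, R1Sig: ed25519.Sign(priv, r1),
		ServerPub: priv.Public().(ed25519.PublicKey)}
}

// TerminalHandle runs S101-S103; tx stands in for the data the peripheral collected.
func TerminalHandle(priv ed25519.PrivateKey, req Request, tx []byte) (Response, error) {
	if !validSig(req.ServerPub, req.R1, req.R1Sig) {
		return Response{}, errors.New("first random factor: signature check failed")
	}
	r2 := randomBytes(32)
	aead := sessionAEAD(req.R1, r2)
	nonce := randomBytes(aead.NonceSize())
	return Response{Ciphertext: aead.Seal(nil, nonce, tx, nil), Nonce: nonce, R2: r2,
		R2Sig: ed25519.Sign(priv, r2), TerminalPub: priv.Public().(ed25519.PublicKey)}, nil
}

// ServerOpen verifies the signature on r2, then derives the key from r2 and its own r1.
func ServerOpen(r1 []byte, resp Response) ([]byte, error) {
	if !validSig(resp.TerminalPub, resp.R2, resp.R2Sig) {
		return nil, errors.New("second random factor: signature check failed")
	}
	aead := sessionAEAD(r1, resp.R2)
	if len(resp.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, resp.Nonce, resp.Ciphertext, nil)
}

func main() {
	req := ServerBuildRequest(NewKey(), "card-reader")
	resp, err := TerminalHandle(NewKey(), req, []byte("card=0000;amount=1.00")) // constructed sample
	plain, err2 := ServerOpen(req.R1, resp)
	fmt.Printf("decrypted=%q errors=%v,%v\n", plain, err, err2)
}
```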
All the embodiments in this specification are described in a progressive manner; for identical or similar parts the embodiments may refer to one another, and each embodiment focuses on its differences from the others. In particular, since the hardware-plus-program embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments.
The above describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Although this application provides method operation steps as described in the embodiments or flowcharts, more or fewer operation steps may be included based on conventional or non-inventive effort. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only one. When an actual device or client product executes them, the steps may be executed sequentially or in parallel according to the embodiments or the methods shown in the drawings (for example, in a parallel-processor or multi-threaded processing environment).
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer. Specifically, the computer may be, for example, a personal computer, laptop computer, in-vehicle human-computer interaction device, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device, or a combination of any of these devices.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction device, the instruction device implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Those skilled in the art will understand that the embodiments of this specification may be provided as a method, a system or a computer program product. Accordingly, the embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
The embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform specific tasks or implement specific abstract data types. The embodiments of this specification may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
All the embodiments in this specification are described in a progressive manner; for identical or similar parts the embodiments may refer to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments. In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of this specification. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, where they do not conflict, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
The foregoing is merely the embodiments of this specification and is not intended to limit them. For those skilled in the art, the embodiments of this specification may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the embodiments of this specification shall fall within the scope of the claims of the embodiments of this specification.

Claims (14)

1. An intelligent terminal peripheral data security control method, characterized in that the method comprises:
receiving a peripheral call request sent by a server, calling the corresponding peripheral according to the peripheral call request, and obtaining the transaction information collected by the peripheral;
generating an encryption key according to a first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key;
encrypting the transaction information according to the encryption key, and returning the encrypted transaction information, the second random factor and a terminal public key to the server, so that the server performs signature verification on the second random factor according to the terminal public key and, when the signature verification result is a pass, generates a decryption key according to the second random factor and the first random factor and decrypts the encrypted transaction information.
2. The intelligent terminal peripheral data security control method according to claim 1, characterized in that, before the generating of the encryption key according to the first random factor in the peripheral call request and the locally generated second random factor, the method comprises:
performing signature verification on the first random factor according to the server public key in the peripheral call request to obtain a signature verification result;
if the signature verification result is a failure, returning an encryption failure result.
3. The intelligent terminal peripheral data security control method according to claim 1, characterized in that the encrypting of the transaction information according to the encryption key comprises:
judging whether the transaction information collected by the peripheral contains information that matches the preset sensitive data in the peripheral call request;
if so, encrypting, according to the encryption key, the transaction information that successfully matches the preset sensitive data.
4. The intelligent terminal peripheral data security control method according to claim 1, characterized in that, after the receiving of the peripheral call request sent by the server and before the calling of the corresponding peripheral according to the peripheral call request, the method further comprises:
performing authenticity verification on the server public key in the peripheral call request according to a pre-stored operator root certificate, and if the verification result is a failure, returning a peripheral call failure result.
5. A peripheral data security control method, characterized in that the method comprises:
sending a peripheral call request to an intelligent terminal, so that the intelligent terminal calls the corresponding peripheral according to the peripheral call request, obtains the transaction information collected by the peripheral, generates an encryption key according to a first random factor in the peripheral call request and a second random factor generated locally by the intelligent terminal, and encrypts the transaction information according to the encryption key;
receiving the encrypted transaction information, the second random factor and a terminal public key returned by the intelligent terminal, and performing signature verification on the second random factor according to the terminal public key;
if the result of the signature verification is a pass, generating a decryption key according to the second random factor and the locally generated first random factor, and decrypting the encrypted transaction information to obtain the decrypted transaction information.
6. The peripheral data security control method according to claim 5, characterized in that, before the sending of the peripheral call request to the intelligent terminal, the method comprises:
digitally signing the first random factor in the peripheral call request according to a preset server private key.
7. An intelligent terminal peripheral data security control device, characterized by comprising:
a transaction information obtaining module, for receiving a peripheral call request sent by a server, calling the corresponding peripheral according to the peripheral call request, and obtaining the transaction information collected by the peripheral;
an encryption key generation module, for generating an encryption key according to a first random factor in the peripheral call request and a locally generated second random factor that has been digitally signed with a preset private key;
a transaction information encryption module, for encrypting the transaction information according to the encryption key, and returning the encrypted transaction information, the second random factor and a terminal public key to the server, so that the server performs signature verification on the second random factor according to the terminal public key and, when the signature verification result is a pass, generates a decryption key according to the second random factor and the first random factor and decrypts the encrypted transaction information.
8. The peripheral data security control device according to claim 7, characterized by further comprising:
a first digital signature unit, for performing signature verification on the first random factor according to the server public key in the peripheral call request to obtain a signature verification result;
an encryption failure return unit, for returning an encryption failure result if the signature verification result is a failure.
9. The peripheral data security control device according to claim 7, characterized in that the transaction information encryption module comprises:
a sensitive information matching unit, for judging whether the transaction information collected by the peripheral contains information that matches the preset sensitive data in the peripheral call request;
a sensitive information encryption unit, for encrypting, according to the encryption key, the transaction information that successfully matches the preset sensitive data if the transaction information collected by the peripheral contains information that matches the preset sensitive data in the peripheral call request.
10. The peripheral data security control device according to claim 7, characterized by further comprising:
a certificate verification unit, for performing authenticity verification on the server public key in the peripheral call request according to a pre-stored operator root certificate, and returning a peripheral call failure result if the verification result is a failure.
11. A peripheral data security control device, characterized by comprising:
a call request sending module, for sending a peripheral call request to an intelligent terminal, so that the intelligent terminal calls the corresponding peripheral according to the peripheral call request, obtains the transaction information collected by the peripheral, generates an encryption key according to a first random factor in the peripheral call request and a second random factor generated locally by the intelligent terminal, and encrypts the transaction information according to the encryption key;
a signature verification module, for receiving the encrypted transaction information, the second random factor and a terminal public key returned by the intelligent terminal, and performing signature verification on the second random factor according to the terminal public key;
a transaction information decryption module, for generating a decryption key according to the second random factor and the locally generated first random factor if the result of the signature verification is a pass, and decrypting the encrypted transaction information to obtain the decrypted transaction information.
12. The peripheral data security control device according to claim 11, characterized by further comprising:
a digital signature unit, for digitally signing the first random factor in the peripheral call request according to a preset server private key.
13. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the peripheral data security control method according to any one of claims 1 to 6.
14. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the peripheral data security control method according to any one of claims 1 to 6.
CN201910710316.2A 2019-08-02 2019-08-02 Intelligent terminal peripheral data security control method and device Active CN110417557B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910710316.2A CN110417557B (en) 2019-08-02 2019-08-02 Intelligent terminal peripheral data security control method and device

Publications (2)

Publication Number Publication Date
CN110417557A true CN110417557A (en) 2019-11-05
CN110417557B CN110417557B (en) 2022-06-10

Family

ID=68365370

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910710316.2A Active CN110417557B (en) 2019-08-02 2019-08-02 Intelligent terminal peripheral data security control method and device

Country Status (1)

Country Link
CN (1) CN110417557B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant