CN203399141U - Information channel security certificate device - Google Patents

Information channel security certificate device Download PDF

Info

Publication number
CN203399141U
CN203399141U CN201320554564.0U CN201320554564U CN203399141U CN 203399141 U CN203399141 U CN 203399141U CN 201320554564 U CN201320554564 U CN 201320554564U CN 203399141 U CN203399141 U CN 203399141U
Authority
CN
China
Prior art keywords
information
safety certification
user
information channel
channel safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN201320554564.0U
Other languages
Chinese (zh)
Inventor
董宏勋
肖平
沈新力
邢雷
袁萍
戚光亚
肖凯提
王睿
高健
李宗俐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN201320554564.0U priority Critical patent/CN203399141U/en
Application granted granted Critical
Publication of CN203399141U publication Critical patent/CN203399141U/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The utility model provides an information channel security certificate device connected with a user application server through a serial port and a USB channel, connected with a short message/micro message processing server through an SMS information channel and connected with a front-end processor through a wireless access private network. The front-end processor and the short message/micro message processing server are connected with a service information detection and control processing server separately through an intranet. A user application service is connected with a user POS device and a biological characteristic entrance guard device. The information channel security certificate device is characterized by comprising a single-chip microprocessor or an FPGA chip, a security check mode selecting button connected with the single-chip microprocessor or the FPGA chip, a parameter setting button, an application main menu button, a confirm and direction control button, a cancel/modification button, a voice video collecting card, a touch control display screen, a biological characteristic collecting card and an external certificate information collector, wherein the parameter setting button, the application main menu button, the confirm and direction control button, the cancel/modification button, the voice video collecting card, the touch control display screen, the biological characteristic collecting card and the external certificate information collector are connected with the single-chip microprocessor or the FPGA chip. According to the utility model, a security certificate information channel, a data information exchange channel and a short message/micro message transceiving channel are separated from each other, so that information security is guaranteed.

Description

A kind of information channel safety certification device
Technical field
The utility model is about Data Communication in Computer Networks technology, particularly about a kind of information channel safety certification device.
Background technology
Under current techniques condition, for realizing user's application system and the bipartite data information sharing of information exchange service application system, often take the method for network interconnection to reach the object of exchanges data and interaction process, now some private information of a side transmits the network by the other side and system, sometimes both sides also have to share some technology or data processing algorithm, thereby have the weak point in following technical security hidden danger or function:
1, realize the safety certification measure of information channel of both sides' information exchange conventionally more single, the function that provides multiple authentication freely to select is provided, convenience and the flexibility of safety certification are poor.And holder of certificate's legitimacy is not carried out to the function that technical security authentication is checked yet, have an authentication password and certificate and do not authenticate the potential safety hazard of people and equipment.
2, under prior art condition, secure authenticated information passage and the data information exchange passage of implementation information exchange do not carry out separation, are shared and share, and channel information is is easily intercepted and captured, safety certification device and control system thereof are easily by network attack, and then initiating system infiltration disaster.
3, the information exchange treatment technology method under prior art condition, data message is not carried out technical finesse and the safe prosecutions such as Data Source discriminating, format match screening, the conversion of confidential data modification, encrypting and decrypting, fractionation assembling of automation at handing-over mouthful front end boundary, so easily cause the events such as illegal connection, leakage of information and information personation.
Therefore, under prior art condition, not only there is the deficiency in some function in data information exchange treatment system and treatment technology method, and have obvious technical security hidden danger, not only use inconvenience, and operating cost is higher, and the wasting of resources is also more serious.
Utility model content
The utility model provides a kind of information channel safety certification device, so that secure authenticated information passage and data information exchange passage, short micro-letter transceiver channel are carried out to separation, preventing that network attack, information from stealing with system infiltration and classified information reveals and distorts, and ensures confidentiality and the fail safe of both sides' confidential data information.
To achieve these goals, the utility model provides 1, a kind of information channel safety certification device, by serial ports or USB passage, be connected with user's application server, by SMS information channel, be connected with short micro-letter processing server, by wireless access private network, connect front end processor, described front end processor and short micro-letter processing server connect and by Intranet, are connected with business information prosecution processing server respectively, described user's application server is connected with user POS equipment and biological characteristic entrance guard device, it is characterized in that, described information channel safety certification device comprises:
Single-chip microcomputer or fpga chip;
For triggering the safety check mode selection key of authentication selection function, connect described single-chip microcomputer or fpga chip;
For triggering the parameter of the parameter setting function of described information channel safety certification device, button is set, connects described single-chip microcomputer or fpga chip;
Application main menu button for the upgrading of trigger equipment system mend and application parameter maintenance function, connects described single-chip microcomputer or fpga chip;
For generating, current secret window information input validation completes and cursor direction moves confirmation and the direction control button of controlling notification instruction, connects described single-chip microcomputer or fpga chip;
For generating cancellation/modification button of cancelling or revising the instruction of current secret window information, connect described single-chip microcomputer or fpga chip;
For gathering, transmit the voice and video capture card of operator's voice and video information, connect described single-chip microcomputer or fpga chip;
Be used for described operator's touch-screen control inputs and operation, indicated the operating state of described information channel safety certification device, display operation person informs the touching display screen of information, connects described single-chip microcomputer or fpga chip;
For gathering the physical characteristics collecting card of user's biological characteristic, connect described single-chip microcomputer or fpga chip;
Be used for reading and comprise the main security factor information of IC chip card such as user identity card number, bank card number, social security card, and the external certificate information collector of the electronic security(ELSEC) certificate of certification information of IC-card certificate, TF card certificate, U shield, connect described single-chip microcomputer or fpga chip;
For receiving and send the information-communication device of exchanges data information, connect described single-chip microcomputer or fpga chip.
Further, described information channel safety certification device also comprises: for power supply and the battery charger of powering and battery charges;
Further, described information channel safety certification device also comprises: for obtaining the site environment image video of living in of user face biological characteristic or channel security authenticate device and the camera of photo.
In one embodiment, described information channel safety certification device also comprises: for play cuing voice and from the alarm voice signal Microspeaker 302 of server.
In one embodiment, described information channel safety certification device also comprises: for gathering the microphone of user speech and site environment sound.
In one embodiment, described information channel safety certification device also comprises: the client server that is used for connecting by serial communication mode authenticate device and client server is connected serial ports.
In one embodiment, described information channel safety certification device also comprises: for connecting external power source, for described information channel safety certification device supplies the external power interface of distribution.
In one embodiment, described information channel safety certification device also comprises: for connecting user's digital certificates and gathering its information, realize information interaction between authenticate device and certificate and the external connected electronic certificate interface of contact, comprising: IC-card certificate information reader, SD card certificate socket, U shield card certificate socket.
In one embodiment, described information channel safety certification device also comprises: earphone jack.
In one embodiment, described information channel safety certification device also comprises: mains switch.
In one embodiment, described information channel safety certification device also comprises: communication card socket 602.
In one embodiment, described information channel safety certification device also comprises: external wireless antenna module.
In one embodiment, described information channel safety certification device also comprises: power supply indicator, wireless network indicator light and short micro-letter communications status indicator light.
In one embodiment, described information-communication device is wireless messages communicator or wired information-communication device.
The beneficial effects of the utility model are, at information interface front end, carry out the technical finesses such as the discriminating of information data source, format match screening, the conversion of confidential data modification, encrypting and decrypting, fractionation assembling of automation and the function of security control, realized the controlled communication of direction; The management and control of the content of receiving and sending messages and form, plain code transmission, storage and the cross processing of confidential data information have been avoided, also avoided the sharing of transmission, algorithm and data processing technique method etc. of some classified information, effectively having prevented that network attack, information from stealing with system infiltration and classified information reveals and distorts, and has ensured confidentiality and the fail safe of both sides' confidential data information; By to the security control of information exchanging channel and technical finesse and control to the automations such as customization in advance of the discriminating of information source and information format, realized the two ends customization of information exchange, single-point handing-over, multiple authentication, two-way prosecution; Realized the suitable separation of secure authenticated information passage and data information exchange passage, after exchanges data information is split, carrying out directed controlled transmission again by different information channels becomes a reality, effectively prevented information-leakage, improved the fail safe of information exchange, effectively reduce the cost of information exchange, eliminated technology hidden danger.
Accompanying drawing explanation
In order to be illustrated more clearly in the utility model embodiment or technical scheme of the prior art, to the accompanying drawing of required use in embodiment or description of the Prior Art be briefly described below, apparently, accompanying drawing in the following describes is only embodiment more of the present utility model, for those of ordinary skills, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
Fig. 1 is the result schematic diagram of information-leakage inspection control system at the information channel safety certification device place of the utility model embodiment;
Fig. 2 is the structured flowchart of the information channel safety certification device 100 of the utility model embodiment;
Fig. 3 is the appearance assumption diagram of the information channel safety certification device of the utility model embodiment;
Fig. 4, Fig. 5 and Fig. 6 are the construction profile of the information channel safety certification device of the utility model embodiment;
Fig. 7 is the structured flowchart of the front end processor 300 of the utility model embodiment;
Fig. 8 is the structured flowchart of the business information prosecution processing server 400 of the utility model embodiment;
Fig. 9 is the information-leakage detecting and control method flow chart that the information channel safety certification device of the utility model embodiment is carried out;
Figure 10 be the utility model embodiment the detail flowchart of information-leakage detecting and control method of information-leakage inspection control system;
Figure 11 is the structured flowchart of the information-leakage measuring and controlling device of another embodiment of the utility model.
Embodiment
Below in conjunction with the accompanying drawing in the utility model embodiment, the technical scheme in the utility model embodiment is clearly and completely described, obviously, described embodiment is only the utility model part embodiment, rather than whole embodiment.Embodiment based in the utility model, those of ordinary skills are not making the every other embodiment obtaining under creative work prerequisite, all belong to the scope of the utility model protection.
As shown in Figure 1, the utility model embodiment provides a kind of information-leakage inspection control system, and described system comprises: information channel safety certification device 100, at least one biological characteristic entrance guard device 200, at least one front end processor 300, at least one business information prosecution processing server 400, at least one short micro-letter processing server 500, user's application server 600 and a plurality of user POS equipment 700.
A plurality of user POS equipment 700 and biological characteristic entrance guard device 200 are connected with user's application server 600 by user application network, and user's application server 600 is connected by serial ports or USB passage with information channel safety certification device 100.Information channel safety certification device 100 is connected with short micro-letter processing server 500 by short micro-letter passage, short micro-letter processing server 500 is served application system Intranet by information exchange and is connected with business information prosecution processing server 400, information channel safety certification device 100 accesses private network by long distance wireless and fire compartment wall 101 is connected with front end processor phase 300, and front end processor 300 is served application system Intranet by information exchange and is connected with business information prosecution processing server 400.
Fig. 2 is the structured flowchart of the utility model embodiment information channel safety certification device 100, and the effect of information channel safety certification device 100 mainly comprises:
One, for the information exchange between user's application system and information-leakage inspection control system provides three kinds of information exchanging channels, the first information exchanging channel is the passage that carries out information exchange between information channel safety certification device 100 and user's application system, the second information exchanging channel is safety certification and maintenance channel, and the third information exchanging channel is at least two short micro-letters passages of receiving and sending messages.Between each passage, function is separated, share out the work and help one another, and organic interaction, the legal use for information channel safety certification device 100 provides safety certification and the relevant information technology of divulging a secret to control processing support jointly.
Two, to user, provide and from multiple digital certificates and multiple secure authentication technology method, independently select and a kind of authentication is set the user of information channel safety certification device 100 to be implemented to force the function of safety certification, improve convenience and the flexibility of safety certification.
Three, possessed the function of information source device legitimacy being carried out to technology discriminating and safety certification, an authentication password and certificate have been eliminated and the potential safety hazard of the equipment source of authentication information not, effectively prevent information source personation, improved the fail safe of data information exchange.
Four, possessed the data message that user's application system is sent to information exchange service application system, at message switch mouth front end boundary, carry out the divulge a secret function of prosecution technical finesse of automated information, realized the controlled transmission of its information, and the autonomous customization management and control that specializes of receive and send messages content and form, effectively prevented network penetration and classified information leakage and distorted, having ensured confidentiality and the fail safe of each side's confidential data information.
Five, for information-leakage inspection control system disposes to the automated maintenance of information channel safety certification device 100 the IP network connecting communication service that provides, and for providing technical finesse, associated safety authentication supports.
Six, the setting for information channel safety certification device operational factor provides technical support.
As shown in Figure 2, information channel safety certification device 100 comprises: central processing unit 2001 and the safety check mode selection key 201 being connected with central processing unit 2001, parameter arranges button 202, application main menu button 203, confirm and direction control button 204, cancel/revise button 205, voice and video capture card 206, touching display screen 207, physical characteristics collecting card 208, external certificate information collector 209, information partition management and top control module 210, information-communication device 211, information exchange security control device 212, information source device characteristic processing module 213, power supply and battery charger 214.
As shown in Fig. 3, Fig. 4, Fig. 5 and Fig. 6, information channel safety certification device 100 also comprises: camera 301, with infrared lamp, for obtaining site environment image video of living in and the photo of user face biological characteristic or channel security authenticate device, complete security monitoring if desired; Microspeaker 302, is used for play cuing voice and from the alarm voice signal of server, and its volume keys available regulates setting; Microphone 303, for gathering user speech and site environment sound; Client server connects serial ports 401, be used for connecting authenticate device and client server by serial communication mode, realize communication and exchanges data between them, one of them work, another is standby, or all carry on a shoulder pole, be generally positioned at the trailing flank (as shown in Figure 4) of information channel safety certification device 100; External power interface 402, for connecting external power source, for authenticate device supplies distribution, is generally positioned at information channel safety certification device 100 trailing flanks (as shown in Figure 4); External connected electronic certificate interface, be used for connecting user's digital certificates and gather its information, realize information interaction and contact between authenticate device and certificate, can be IC-card certificate information reader, SD(or TF) the digital certificates interface such as card certificate interface, U shield certificate, IC-card certificate information reader 403 is positioned at the trailing flank of authenticate device, IC-card certificate information reader can also, for reading active user's IC-card information, comprise the information of the IC chip cards such as IC-card identity card, IC bank card, social security IC-card.SD(or TF) card certificate socket 601 is positioned at the left surface (as shown in Figure 6) of authenticate device, and U shield card certificate socket 501 is positioned at the right flank of authenticate device, be responsible for gathering user U shield information and carry out safety certification, or be connected for carrying out USB communication between information channel safety certification device 100 and client server 600, also can download digital certificates information for user; Receiver J-Horner 502, for frames connecting with headphone, realizes the earphone output of sound, and the button on volume Ke Yongqi side regulates, and is positioned at authenticate device right flank; Mains switch 503, for carrying out the control of authenticate device power supply, opens or closes, and is positioned at authenticate device right flank; Communication card socket 602, is used to long-range TCP wireless communication card and two different operators' SMS communication card that circumscription socket is provided, and realizes relevant communication, is positioned at authenticate device left surface; External wireless antenna module 215, for carrying out telecommunication network communication antenna with front end processor, strengthens the reliability of signal, is positioned at authenticate device right flank.In addition, the authenticate device back side is for auxiliary auxiliary facilities such as the logical rechargeable batteries of cloth, and authenticate device main frame is used to authenticate device that master control electric component and relevant matching component are provided.
In addition, information channel safety certification device 100 also comprises: power supply indicator 304, wireless network indicator light 305, short micro-letter communications status indicator light 306.
Central processing unit 2001 is between each parts of information channel safety certification device 100, to carry out the maincenter of two-way information interaction, also be the control centre of device feature, for the work between master control, management and inner each parts of cooperative information channel security authenticate device 100, complete information interaction and command service response between information channel safety certification device 100 internal parts.Between central processing unit 2001 and other parts, all there is information interaction, central processing unit 2001 obtains button operation information, or the input message of physical characteristics collecting card 208 and external certificate information collector 209, or the input message of touching display screen 207, and call voice and video capture card 206, information partition management and top control module 210, information exchange security control device 212, information source device characteristic processing module 213 is carried out after front end screening management and control and safe handling it, send to information-communication device 211, by information-communication device 211, sent to front end processor 300 again, and then be transmitted to business information prosecution processing server 400 and carry out safety certification and upgrade maintenance and process, or reception front end processor 300 forwards next business information prosecution processing server service response processing feedback result, recalls information partition management and top control module 210 further feed back to touching display screen 207 and show feedback result after processing, and call voice and video capture card 206, information partition management and top control module 210, information exchange security control device 212 and information source device characteristic processing module 213, complete the concrete subsequent treatment work of voice and video prompting and the 400 relevant control instructions of execution business information prosecution processing server, or receive the exchanges data information that user's application server 600 is sent, and recalls information partition management and top control module 210, information source device characteristic processing module 213 and information exchange security control device 212 are carried out after the processing such as front end screening management and control safety encipher, send to short micro-letter dispensing device 212b, again and then send to short micro-letter processing server 500, and then be transmitted to business information prosecution processing server 400 and carry out safety inspection and control to process, then, business information prosecution processing server 400 is given short micro-letter processing server 500 by the customer consumption account settlement information result feedback after processing, after formaing processing by it again, be transmitted to information exchange security control device 212, and then be transmitted to short micromessage receiving system 212a, Xun Yuan road feeds back to user's application server, notify user to carry out follow-up associative operation, or receive the information channel safety certification device 100 user right register informations that each parts collect, the subscriber authorisation secure authenticated information of information channel safety certification device 100, digital certificates technical parameter table, trust user POS apparatus characteristic log-on message, user POS device ID condition code, user POS device registration title, the customization of transmission information form, information element splits analytical algorithm automatically, classified information conversion deformation algorithm, information element automatic packaging packing algorithm, short micro-letter enciphering and deciphering algorithm, the information such as user's input feature vector information, and call voice and video capture card 206, information partition management and top control module 210, the control of information exchange peace fills 212, information source device characteristic processing module 213 is carried out partitioned storage after safe handling to it.When receiving the crucial production equipment use authority safety certification request of information channel safety certification device 100 and user's application system and information transmission security, detect while controlling request, call voice and video capture card 206, information partition management and top control module 210, information exchange security control device 212 and information source device characteristic processing module 213 and automatically extract secure authenticated information and carry out the maltilevel securities such as operating personnel, digital certificates, information source apparatus characteristic, swap data form and content and authenticate and complete the safety inspection of transmission information concerning security matters and control every processing.
When information channel safety certification device 100 is operated in safety certification state, user's webmaster personnel trigger authentication selection function by safety check mode selection key 101, make it neatly for user network operations staff selects to determine a kind of suitable authentication, to complete the use authority authentication of data exchange channel.Now, information channel safety certification device 100 automatic acquisition user webmaster personal security authentication mode selection result information, call voice and video capture card 206, information partition management and top control module 210, carry out necessary processing, preservation, and activate its authentication and select, according to this authentication, start user network operations staff to carry out the security certificate authentication of device rights of using and data exchange channel unlatching authority.User's webmaster personnel can independently select the combination attestation mode of the biological informations such as different types of digital certificates, identity card, IC bank card, password and fingerprint, complete its legitimacy safety certification.
Safety certification combination must meet following technical specification: the one, in safety certification combination, must comprise and only comprise a kind of biological characteristic authentication key element; The 2nd, carry out flexibly for the convenience of the user safety certification, digital certificates kind can only be selected wherein a kind of; The 3rd, authenticate device ID condition code, authenticate device register name are the default project that substantially comprises of safety certification content; The 4th, the user of registered in advance mandate just has the right to operate.So just form flexible selection and applied the safety certification example combinations that multiple digital certificates carry out the authentication of electronic authorization maltilevel security step by step, as: IC-card certificate+password+fingerprint+device ID condition code+device registration title, TF card (or SD card) certificate+password+facial photo+device ID condition code+device registration title, U shield certificate+password+fingerprint+voice+device ID condition code+device registration title etc.For improving fail safe, it must be that registed authorization user just can carry out operational access that safety check mode is selected change, carry out necessary fraction and operating right system, people is set in registration and certified people can not be identical, by brush identity card defeated close mode, carry out user and operate login, can Modify password after login, if forgotten Password, must serve the personnel of application system mechanism by information exchange and just can complete replacement.
After choosing safety check mode, just start the authentication of relevant information channel security.Now, the central processing unit 2001 of information channel safety certification device 100 is according to the selected authentication automatic-prompting of user's webmaster personnel and obtain secure authenticated information, call voice and video capture card 206, information partition management and top control module 210, information exchange security control device 212, carry out after necessary temporary and format processing, send to information-communication device 211, by information-communication device 211, sent to front end processor 300 again, and then be transmitted to business information prosecution processing server 400 and carry out safety certification processing, if authentication is passed through, the short micro-letter receive path to information channel safety certification device 100 by short micro-letter processing server 500, the information that granting has information source recognition function and timeliness stamp sends dynamic electron license passport, make only to have held dynamic electron license passport, short micro-letter sendaisle of information channel safety certification device 100 could send the exchange of data message implementation information.After this, business information prosecution processing server 400 passes through front end processor 300 processing forward security certification result to central processing unit 2001, if safety certification is passed through, recalls information partition management and top control module 210, touching display screen 207 is processed rear demonstration feedback result, call after voice and video capture card 206 is processed simultaneously feedback result is carried out to voice message, recalls information exchanges security control device 212 and information source device characteristic processing module 213 simultaneously, carry out the 400 relevant control instructions of business information prosecution processing server, safety certification and the maintenance channel of lock information channel security authenticate device 100, the passage that carries out information exchange between opening information channel security authenticate device 100 and user's application system, short micro-letter sends information channel, start to carry out exchanges data, if safety certification is not passed through, central processing unit 2001 recalls information partition managements and top control module 210, touching display screen 207 is processed rear demonstration feedback safety certification and is not passed through object information, after calling voice and video capture card 206 simultaneously and processing, feedback result is carried out to voice message user and re-start safety certification, when repeatedly safety certification is unsuccessful, central processing unit 2001 recalls information partition managements and top control module 210, safety certification and the maintenance channel of information exchange security control device 212 lock information channel security authenticate devices 100, the information exchanging channel of information channel safety certification device 100 and user's application system, short micro-letter sends information channel, end closed safe authentication function, and carry out audio alert and transmission user webmaster personnel and information exchange and serve the warning messages such as the short micro-letter of the personnel of application system management organization mobile phone.
When information channel safety certification device 100 is operated in parameter state is set, for user's webmaster personnel, the parameter setting function of button 102 automatic triggering authentication devices is set by parameter, completes following parameter setting: one completes the initialization mandate of the parameter setting function of information channel safety certification device 100 and user of service's ID card No. and password and sets and registration, the two completes setting and the configuration of the hardware operational factor of information channel safety certification device 100, three complete Internet access user application server 500 the information source device feature of being trusted user POS equipment 700 selected, arrange and registration, four complete the information-leakage inspection control system operation user's name of having the right to carry out exchanges data, the register name of user POS equipment 700, registration and the setting of the security control informations such as apparatus characteristic of user POS equipment 700, realize man-machine system three's binding, only have and set user and use the designated equipment operation information inspection control system of divulging a secret, could implement legal active data exchange, otherwise by information source device characteristic processing Module recognition, being judged to be invalid data exchanges, end its every operation and exchanges data, to unauthorized device is got rid of when production run, prevent illegal access, legitimacy and the fail safe of protected data exchange, information format and the content essential characteristic of five setting data exchanges, so that relevant apparatus and module are carried out information format and content essential characteristic automatic screening and the rejecting of exchanges data accordingly, on the one hand prevent information leakage, prevent on the other hand overlength and against regulation form or there is the mess code of not clear intention and contain can not the customer consumption information afferent message Exchange Service application system of identifying information in.Its authorization User names and passwords are registered setting by the information exchange service personnel of application system management organization when information channel safety certification device 100 is provided, can Modify password after login, if forgotten Password, must serve the personnel of application system management organization by information exchange and just can complete replacement, to prevent that unauthorized personnel from changing device setting.Now, information channel safety certification device 100 automatic acquisition parameter setting information, recalls information partition management and top control module 210, information exchange security control device 212, information source device characteristic processing module 213, carry out necessary processing, preservation, and activation parameter arranges result, its parameter setting is come into force, and then start to carry out information leakage prevention and control according to this parameter Provisioning Policy.
When information channel safety certification device is operated in upgrade maintenance state, for user's webmaster personnel, by application main menu button 103 upgrading of automatic initiating device system mend and application parameter maintenance functions, complete following task: one is implemented authenticate device application main menu by the information exchange service personnel of application system management organization and set and registration by the initialization mandate of bonding method user's ID card No. and password; The two foundation is connected with the TCP of business information prosecution processing server, and some system and application patch are downloaded, moved, upgrade, upgrade to automatic deployment; Three sets up and is connected with the TCP of business information prosecution processing server, automatically downloads and load some applicating maintenance parameter; Four selection and the switchings that are used for the pattern of finishing the work.In this process, central processing unit 2001 receives application main menu button 203 trigger messages, start application main menu, by carrying out information exchange with business information prosecution processing server 400, complete the setting of related application maintenance parameters and automatic deployment task, and recalls information partition management and top control module 210, touching display screen 207 process rear demonstration relevant information switching task processing result information, after calling voice and video capture card 206 simultaneously and processing by voice message feedback-related information switching task processing result information.
Confirm and direction is controlled button 204 for generating current secret window information input validation and complete and cursor direction moving control notification instruction.In this process, complete/the input validation of operation that central processing unit 2001 reception buttons 204 send is controlled information command, and pass to information-leakage inspection control system after recalls information partition management and top control module 210 processing, complete the subsequent treatment work of this instruction.Certainly, its cursor position also can be positioned by contactor control device.
Cancel/revise button 205 for generating the instruction of cancelling or revising current secret window information, to facilitate, the information of current secret window input is cancelled and mobile cursor is modified or re-enters wrong content.In this process, information command is controlled in the operation that central processing unit 2001 reception buttons 205 send, and is transmitted to information-leakage inspection control system after recalls information partition management and top control module 210 processing, completes the subsequent treatment work of this instruction.
Voice and video capture card 206, for collection when the safety certification, processing, transfer device operator's related voice video information, completes speech recognition or photo and facial characteristics identification; Or for the operator of information channel safety certification device 100 forwards operation and relevant suggestion voice and the video of input content.In this process, central processing unit 2001 receives the voice and video information that voice and video capture card 206 sends, format is transmitted to information-leakage inspection control system after processing and suitably processes, the loudspeaker that result voice and video information is fed back on information channel safety certification device carry out suggestion voice broadcasting, maybe touching display screen 207 will be transmitted to after the video information process of feedback, for operator carries out video and image demonstration.
Touching display screen 207 is used for finishing device operator's touch-screen control inputs and operation, and the related work state of indicating device and show all information that need operator to know.To carry out information bidirectional mutual according to setting rule for touching display screen 207 and central processing unit 2001, touching display screen 207 gathers user's operational order and after preliminary treatment, is transmitted to central processing unit 2001, after central processing unit 2001 recalls information partition managements and top control module 210 are processed, be transmitted to other parts or information-leakage inspection control system is processed; Or be transmitted to after touching display screen 207 is processed and complete relevant information demonstration after the relevant demonstration of central processing unit 2001 reception information processing.
Physical characteristics collecting card 208, for channel security verification process, automatically gathers user's biological characteristic under the control of central processing unit 2001, completes biometric secure authentication.Biological characteristic can be fingerprint or finger vena information, even can comprise the finger temperature information collecting with additional SMD intelligent temperature sensor.It can certainly be the biological characteristic that the facial characteristics, voice, nethike embrane, iris etc. of registered in advance authorized user easily extract; In this process, central processing unit 2001 receives the user biological feature that physical characteristics collecting card 208 gathers, and is then transmitted to information-leakage inspection control system, carries out the authentication of user biological feature.
External certificate information collector 209 for user in safety certification process, automatically read the main security factor information of IC chip card such as user identity card number, bank card number, social security card, and the information of the multiple electronic security(ELSEC) certificate of certification such as IC-card certificate, TF card (or SD card) certificate, U shield, process and be transmitted to information-leakage inspection control system and carry out safety certification.In this process, the instruction of central processing unit 2001 receives and response message is divulged a secret inspection control system, according to the requirement of related procedure, receive user IC chip card information that external certificate information collector 209 collects and the information of electronic security(ELSEC) certificate of certification, process and forward and submit to information-leakage inspection control system and carry out safety certification.
Information partition management and top control module 210 are used for extracting user related information with cipher mode partitioned storage with manner of decryption, and it is registered and is arranged and respective handling.User related information and processing module mainly comprise: the subscriber authorisation secure authenticated information of information channel safety certification device 100, digital certificates technical parameter table, trust apparatus characteristic log-on message, device ID condition code, device registration title, the customization of transmission information form, information element splits analytical algorithm automatically, classified information conversion deformation algorithm, information element automatic packaging packing algorithm, short micro-letter enciphering and deciphering algorithm, user's input feature vector information table, master control menu modular program, hardware setting functional program module, user function changeover program module, button Trigger Function program module, short micromessage security feature recognition function program module, communication interface functional program module, information source device characteristic processing program module etc.After information partition management and top control module 210 reception central processing unit 2001 instructions and information are processed, feedback processing result forwards and feeds back to relevant information processing request parts and device after further processing to central processing unit 2001.
Information-communication device 211 is for receiving exchanges data information, carry out being transmitted to other device of information-leakage inspection control system or server after information-leakage prosecution processing, in accordance with instruction, automatically according to information, transmit target, regulate and control suitable passage, realize security information communication and data information exchange between information channel safety certification device 100 and other device of information-leakage inspection control system or associated server.Under the control commander of central processing unit 2001, at information partition management and top control module 110, under the coordinated of information exchange security control device 212 and information source device characteristic processing module 213, receive directional data exchange message and other relevant information, carry out after information-leakage prosecution relevant treatment, send to other device of information-leakage inspection control system or associated server, and receive directional data exchange message and other relevant information of other device of information-leakage inspection control system or associated server, carry out after information-leakage prosecution relevant treatment, information channel safety certification device 100 and even user's application server 600 are submitted in forwarding.
When information-communication device 211 is operated in safety certification pattern, receives central processing unit 2001 and forward the secure authenticated information of coming, after processing, be transmitted to front end processor 300, after being processed by front end processor 300 formats again, be transmitted to business information prosecution processing server 400 and carry out safety certification, business information prosecution processing server 400 carries out safety certification processing and authentication result is fed back to front end processor according to former road and even central processing unit 2001 is processed, and further feeds back to information-communication device 211 again, after this information with information source recognition function and timeliness stamp that the business information prosecution processing server 400 Security Authentication Service response results that information-communication device 211 reception front end processors 300 are sent and short micro-letter processing server 500 send sends dynamic electron license passport, and recalls information source device characteristic processing module 213, the passage of information exchange peace control module 212 and information partition management and top control module 210 is opened and locking and coupled system, safety certification and safeguard that processing unit is opened short micro-letter sendaisle and after locking processes, forward relevant treatment result and feed back to voice and video capture card 206 or touching display screen 207, if voice messaging sends to Microspeaker to complete voice message by voice and video capture card 106, if demonstration information completes directed demonstration by touching display screen 207.
When information-communication device 211 is operated in maintenance upgrade pattern, for information channel safety certification device 100 and front end processor 300 are set up the service of wireless tcp network connecting communication automatically, realize automatically and download and dispose upgrade application patch and other data message that need to exchange, and it is encrypted to storage.
When information-communication device 211 is operated in application message data exchange mode, user safety authentication success, between information channel safety certification device 100 and user's application server 600, carry out the unlatching of giving orders of the passage of information exchange, short micro-letter passage sending function, the locking and information channel safety certification device safety certification and maintenance channel are given orders, and the service of wireless tcp network connecting communication is also closed automatically.In addition, short micro-letter communication module of the short-and-medium micro-letter dispensing device 212b of the present embodiment and short micro-each self-assembly different service providers of letter information receiving device 212a, so just can reduce or avoid the information that important key message may cause with net transmission to kidnap, distort and information-leakage.In this process, target and source that information-communication device 211 transmits according to information automatically according to the instruction of central processing unit 2001, regulate and control suitable passage, realize bidirectional safe information communication and data information exchange between information channel safety certification device and other device of information-leakage inspection control system or associated server.
Information exchange security control device 212, for carrying out security customization and management and control to information exchanging channel under information partition management and top control module 210 assistance.Comprise following auxiliary equipment: at least one short micro-letter receiving system 212a, at least one short micro-letter dispensing device 212b, passage is opened and locking and coupled system 212c, safety certification and safeguard processing unit 212d, information storage and administration module 212e.Each auxiliary equipment is all connected with short message exchange security control device 212, and by carrying out information exchange between information exchange security control device 212 and other auxiliary equipment, or carry out information exchange with central processing unit 2001, and even carry out bidirectional safe information communication and data information exchange between the transfer realization by central processing unit 2001 and other device of information-leakage inspection control system or associated server.Short micro-letter receiving system 212a, for receiving the application message data exchange processing result that short micro-letter processing server 500 is sent, or receive the information with information source recognition function and timeliness stamp that short micro-letter processing server 500 sends and send dynamic electron license passport, giving orders to control makes to only have safety certification to pass through, held dynamic electron license passport, short micro-letter sendaisle of information channel safety certification device 100 could send data message, practices information data exchange; Short micro-letter dispensing device 212b, for sending user data information to short micro-letter processing server; Passage is opened and locking and coupled system 212c, be used for according to channel security authentication result, give orders and control united opening or the locking of relevant information passage, if channel security authentication success, give orders between opening information channel security authenticate device 100 and user's application service 600, carry out the passage of information exchange, short micro-letter sendaisle, short micro-letter receives information channel, safety certification and the maintenance channel locking of giving orders; Otherwise, keep each passage default conditions, and safety certification repeatedly not by time give orders locking safety certification and maintenance channel, by short micro-letter processing server 500, to user or the information exchange service personnel of application system management organization, send the warning messages such as SMS in time; Safety certification and safeguard processing unit 212d, is used to the maintenance of channel security authentication and information channel safety certification device 100 that environmental facility technical support is provided.The value of personalized information source identification (enemy and we's identification) characteristic parameter of registered signing while providing according to information channel safety certification device 100 gathers and generates processing automatically, and according to engagement arithmetic and rule, generate and comprise authenticate device characteristic information when channel security authentication and device maintenance license safety check, authenticate device ID condition code, the corresponding response message of the information such as authenticate device register name, then after sending to short micro-letter processing server further to process, be transmitted to business information prosecution processing server, carry out the maintenance license authentication of the authentication of authenticate device channel security and information channel safety certification device 100.If the maintenance of information channel safety certification device 100 license safety check is successfully passed through, call relative program module and complete the maintenance process such as authenticate device application patch upgrading, implement the relevant treatment such as patch automatic deployment, complete upgrade maintenance; If channel security authentication success passes through, business information prosecution processing server 400 sends an information transmission dynamic electron license passport with information source recognition function and timeliness stamp to short micro-letter receive path feedback of channel security authenticate device, completes authenticate device and registers.Otherwise, the unsuccessful information of feedback authentication, and by short micro-letter processing server 500, to user or the information exchange service personnel of application system management organization, send the warning messages such as SMS in time; Information storage and administration module 212e are used to information exchange security control device to provide message buffer storage and necessary format to process.
Information source device characteristic processing module 213 is for according to trusting apparatus characteristic log-on message, the value of information source identification (enemy and we's identification) characteristic parameter of the user data information on the one hand user's application server being sent is automatically extracted and processes, on the other hand itself and trust apparatus characteristic log-on message are automatically identified and checked, if information source is the believable equipment of registering, and short micro-letter passage has received that information sends dynamic electron license passport, user data information and information transmission dynamic electron license passport are carried out to analytical decomposition, information source device Feature Conversion is wherein deformed into the information source device feature that information sends the information channel safety certification device in dynamic electron license passport, then after ressembling processing, send to short micro-letter processing server to carry out the identification of related information source apparatus characteristic and safety inspection, if safety inspection is passed through, after preserving this information and it being carried out to subsequent processes, until submitting to business information prosecution processing server, forwarding carries out business Account Disposal, otherwise, the safety inspection of information source device feature is not passed through, the information of automatically it being sent is rejected, and this equipment is piped off, simultaneously, to information exchange, serve the personnel of application system management organization and carry out the warnings such as short micro-letter with user's webmaster personnel mobile phone, after this feedback processing result is to information channel safety certification device, information channel safety certification device receives after the short micro-letter of feedback of upper end server, carry out analytical decomposition, by information source device feature wherein again reverse transformation be deformed in user data information information source device feature originally, and confidential data is wherein reduced (comprising deciphering), hold back data and implement reverse dosing, hiding data carries out reverse reparation, complete the reverse true restoration disposal of suitable information full dose, and then algorithm sends to user's application server after re-starting assembling processing according to a preconcerted arrangement, thereby controlled divulging a secret of relevant classified information.
Power supply and battery charger 214 is responsible for the charging of the power supply of information channel safety certification device and battery thereof, makes to be allly integrated in safe and stable arrangement on information channel safety certification device and to share this power supply.
Biological characteristic entrance guard device 200 is used for obtaining user POS equipment operating user (user attendant's) biological characteristic, after completing necessary processing, be transmitted to user's application server 600 and information channel safety certification device 100, carry out user safety authentication and mandate, and by Certificate Authority result feedback to user.Biological characteristic can be fingerprint or finger vena information, even can comprise the finger temperature information collecting with additional SMD intelligent temperature sensor.It can certainly be the biological characteristic that the facial characteristics, voice, nethike embrane, iris etc. of registered in advance authorized user easily extract, so that user's application server 600 and authenticate device are achieved as follows function according to this jointly: the one, according to user's application server 600, according to biological characteristic authentication output control, command the gate inhibition management apparatus of biological characteristic entrance guard device 200, automatically carry out the unlatching of electric linkage protective door or close, to control, whether allowing these user personnel to enter user's application service region, the 2nd, user's application server 600 and information channel safety certification device 100 are jointly according to biological characteristic authentication result and predefined licensing scheme, automatically detect and determine whether that these user personnel of permission operate user POS equipment 700, if allow it to operate user POS equipment 700, for it distributes an exercisable user POS equipment 700, and send the dynamic login password of user's application system of effective restriction by inner mailbox for user, completing user carries out the permission mandate that the operation of user's application system is used, simultaneously, by real name, operate and realized people, machine (equipment), system, the quadruple side of passage determines safety certification.
Front end processor 300 can be multiple servers or PC, also can be the part-time front server of comprehensive multinomial identity function, be mainly used in having set up the bridge of service request and service response between business information prosecution processing server 400 and information channel safety certification device 100.Front end processor 300 receptions forwarding information channel security authenticate device 100 are issued the business service request relevant information of business information prosecution processing server 400, format is transmitted to business information prosecution processing server 400 after processing, and the service request response result message that described in receiving, at least one business information prosecution processing server 400 sends, and after the service response processing result information that described at least one business information prosecution processing server 400 is sent format, feedback is forwarded to the information channel safety certification device 100 that sends business service request related news, thereby erected the information bridge of service request and service response between business information prosecution processing server 400 and information channel safety certification device 100, complete that its information bidirectional is mutual and format is processed and transmitting-receiving transfer.Meanwhile, also need the tasks such as voice and video information conversion generation of finishing service information prosecution processing server 400 relevant feedback and information, and send voice message and voice reading information feedback to information channel safety certification device 100.
Fig. 7 is the utility model embodiment front end processor 300 structural representations, and this front end processor 300 comprises: master control device 703, information channel safety certification device interface 701, audio, video data processing unit 702, server interface 704, data storage and administrative unit 705.Master control device 703 is connected with information channel safety certification device interface 701, audio, video data processing unit 702, server interface 704, data storage and administrative unit 705 respectively.Front end processor is mainly used in having set up the bridge of service request and service response between business information prosecution processing server 400 and information channel safety certification device 100, receive safety certification and the maintenance upgrade information of information channel safety certification device 100, after the processing such as formaing, be transmitted to business information prosecution processing server 400, or connect after the safety certification of business information prosecution processing server 400 and maintenance upgrade information and result feedback information such as format at the processing and be transmitted to information channel safety certification device 100.
Information channel safety certification device interface 701 is received and dispatched and exchange with the bidirectional information of information channel safety certification device 100 for complete master control device 703 according to agreement prescribed form, is mainly used for processing and transmitting-receiving transfer for the information exchange between information channel safety certification device interface 701 and business information prosecution processing server 400 provides format.Under the control of master control device 703, information channel safety certification device interface 701 receives operational order, the input message of information channel safety certification device 100 inputs, by data, store and administrative unit 705, audio, video data processing unit 702 is transmitted to server interface 704 after processing, then be transmitted to business information prosecution processing server 400 by server interface 704; Or server interface 704 receives service response result and the feedback information of business information prosecution processing server 400, by data, store and after administrative unit 705, audio, video data processing unit 702 process, be transmitted to information channel safety certification device interface 701, by information channel safety certification device interface 701, send to information channel safety certification device 100 again, erect the bridge of information bidirectional exchange between information channel safety certification device 100 and business information prosecution processing server 400.
Audio, video data processing unit 702 is for receiving and dispatching user's audio frequency and video secure authenticated information of storage information channel safety certification device 100, and canned data is effectively managed.
Master control device 703 is used to the bi-directional exchanges of information between each member of front end processor to format processing, and the service request of information channel safety certification device interface 701 is carried out being transmitted to server interface 704 after Data Format Transform processing; Or contrary, master control device 703, after receiving business information prosecution processing server 400 processing result information that server interface 704 receives, it is carried out to format conversion processing, and then loopback is to information channel safety certification device interface 701.Server interface 704, for completing bidirectional information transmitting-receiving and the exchange between master control device 703 and business information prosecution processing server 400 according to agreement prescribed form.Data buffer storage and switch processing unit 705, for receiving the instruction of master control device 703, support for relevant interface transceiving data and information provide data buffer storage and information management and processing to process.
Short micro-letter processing server 500 can be multiple servers or PC, also can be the part-time front server of comprehensive multinomial identity function, be mainly used in having set up short micro-telecommunications services request between business information prosecution processing server 400 and information channel safety certification device 100 and the bridge of service response.Short micro-letter processing server 500 receptions forwarding information channel security authenticate device 100 are issued short micro-communication service service request relevant information of business information prosecution processing server 400, format is transmitted to business information prosecution processing server 400 after processing, and the service request response result message that described in receiving, at least one business information prosecution processing server 400 sends, and after short micro-telecommunications services response processing result information format that described at least one business information prosecution processing server 400 is sent, feedback is forwarded to the information channel safety certification device 100 that sends short micro-communication service service request related message, thereby erected the information bridge of short micro-communication service service request and service response between business information prosecution processing server 400 and information channel safety certification device 100, complete that the short micro-letter of its information bidirectional is mutual and format is processed and transmitting-receiving transfer.
Business information prosecution processing server 400 is used for processing and information support for the information channel safety certification device 100 of information-leakage prosecution treatment system, front end processor 300, short micro-letter processing server 500 etc. provide safety certification and information service response, is core and the maincenter of information-leakage prosecution treatment system.Simultaneously, for providing information service support between other facility in information-leakage prosecution treatment system, and with database mode centralized management, classification storage, process the information such as various information data table and system operational parameters, functional program module and associated electrical certificate technical parameter table, authenticate device information source device feature log-on message, authenticate device ID condition code, authenticate device register name, user's input feature vector information table, user profile tables of data, business datum table, transmission information form customized information, and relevant information processing unit.The traffic information services request message coming for receiving front end processor 300 or 500 forwardings of short micro-letter processing server, for different service requests, carry out appropriate service response and information processing, and form service response result message, feed back to front end processor 300 or short micro-letter processing server 500, after processing, format feeds back to information channel safety certification device 100, completing user safety certification and Business Processing again.
As shown in Figure 8, business information prosecution processing server 400 comprises: security feature parameter arranges location registration process unit 801, safety certification and maintenance upgrade unit 802, short micro-letter processing unit 803, business account processing unit 804, data storage and administrative unit 805.Business information prosecution processing server 400 is used for processing and information support for the information channel safety certification device 100 of information-leakage prosecution treatment system, front end processor 300, short micro-letter processing server 500 etc. provide safety certification and information service response, is core and the maincenter of information-leakage prosecution treatment system.Mainly complete following information processing services: the one, call security feature parameter and location registration process and correlation unit are set the information such as authenticate device 100 operational factor tables, digital certificates technical parameter table, authenticate device information source device characteristic information table, user's input feature vector information table, user's characteristic information table (comprising biological characteristic relevant information), business datum table, technical parameter table, safety certification policy information table, transmission information form customized information are registered default; The 2nd, call safety certification and maintenance upgrade unit the information such as digital certificates technical parameter, authenticate device information source device characteristic information, user's input feature vector information, user's characteristic information (comprising biological characteristic relevant information), business datum, technical parameter, safety certification policy information, transmission information form customized information are carried out to safety certification and management and control; And send dynamic electron license passport according to the authentication result information that 100 passage grantings have an information source recognition function and timeliness stamp to information channel safety certification device, and then information channel safety certification device 100 is carried out to passage management and control, or adjusting function program module is carried out the maintenance processing such as application system upgrading to information channel safety certification device 100; The 3rd, call short micro-letter processing unit, business account processing unit 803, data storage and 805 pairs of Business Processing requests of administrative unit and carry out service response processing, and feedback result is controlled with the short micro-letter of voice SMS warning of associated user's mobile phone and information channel safety certification device 100 mutual simultaneously; The 4th, according to operation flow, rely on information interaction instruction directs correlation unit to work in coordination with and carry out information processing; The 5th, with database mode centralized management, classification storage, process the information such as various information data table and system operational parameters, functional program module and associated electrical certificate technical parameter table, authenticate device information source device characteristic information table, user's input feature vector information table, user's characteristic information table (comprising biological characteristic relevant information), business datum table, technical parameter table, safety certification policy information table, transmission information form customized information, and correlation function program module running technology parameter etc.Business information prosecution processing server 400 receives front end processor 300 or server 500 forwards the traffic information services request message of coming, for different service requests, call relevant treatment unit and carry out appropriate service response and information processing, and form service response result message, feed back to front end processor 300 or server 500, after processing, format feeds back to information channel safety certification device 100, completing user safety certification and Business Processing again.
Security feature parameter arranges location registration process unit 801 for generate the secure authenticated information such as client's digital certificate according to user characteristics and requirement when to user's release information channel security authenticate device 100, and call security feature parameter and location registration process and correlation unit are set to information channel safety certification device 100 operational factor tables, digital certificates technical parameter table, authenticate device information source device characteristic information table, user's input feature vector information table, user's characteristic information table (comprising biological characteristic relevant information), business datum table, technical parameter table, safety certification policy information table, the information such as transmission information form customized information are registered default.Converting thereof into ciphertext is on the one hand issued in information channel safety certification device 100, be stored on the other hand the data storage of server and user's characteristic information tables of data and the authenticate device of management processing unit are registered in characteristic information tables of data, to divulge a secret and carry out maltilevel security authentication when prosecution treatment system is carried out safety certification and upgrade maintenance at user login information; When selling information channel safety certification device 100 to user, this unit collection or obtain relevant registration presupposed information, according to safety certification mechanism, generating ciphertext partitioned storage is in the storage medium in information channel safety certification device 100 and be recorded in the data table related of the 400 data storages of business information prosecution processing server and administrative unit 805 simultaneously.
Safety certification and maintenance upgrade unit 802 carry out safety certification for calling data storage and 805 pairs of digital certificates technical parameters of administrative unit, authenticate device information source device characteristic information, user's characteristic information (comprising biological characteristic relevant information), user's input feature vector information according to information such as the operational factor of information channel safety certification device 100, technical parameter, safety certification policy information, transmission information form customized informations; And send dynamic electron license passport according to the authentication result information that 100 passage grantings have an information source recognition function and timeliness stamp to information channel safety certification device, and then information channel safety certification device 100 is carried out to passage management and control, or adjusting function program module is carried out the maintenance processing such as application system upgrading to information channel safety certification device 100.Safety certification and maintenance upgrade unit 802 receive the safety certification request information that front end processor 300 forwards the information channel safety certification device 100 coming, calling data storage and administrative unit 805, according to information channel safety certification device 100 operational factors, technical parameter, authenticate device information source device characteristic information, user's characteristic information, safety certification policy information, the information such as transmission information form customized information are carried out as IC-card certificate+password+fingerprint+authenticate device information source device feature user, TF card (or SD card) certificate+password+facial photo+authenticate device information source device feature, the safety certification of the modes such as U shield certificate+password+fingerprint+voice+authenticate device information source device feature, with this, guarantee the input unit and the certificate that only have user accredited personnel to use appointment, input meets the information of my feature and has carried out meeting the operation of I role's authority, the relevant issues of just having the right to process.Then, according to authentication result, complete suitable information processing, generate return information, feed back to front end processor 300.If safety certification is passed through, safety certification and maintenance upgrade unit 802 call short micro-letter processing unit 803, and the information that the passage granting of information channel safety certification device 100 is had to information source recognition function and timeliness stamp according to authentication result sends dynamic electron license passport, and then information channel safety certification device 100 is carried out to passage management and control, and start to carry out applied business information processing and the prosecution of divulging a secret processing; Or adjusting function program module is carried out the maintenance response processing such as system upgrade to information channel safety certification device 100.Otherwise feedback information, allows user to correct input message, until interrupt this safety certification, process, by short micro-letter processing server, to user or the information exchange service personnel of application system management organization, send the warning messages such as SMS in time.
Short micro-letter processing unit 803 is processed the solicited message prosecution of divulging a secret for the applied business of calling data storage and administrative unit 805,804 pairs of short micro-letter processing servers 500 of business account processing unit and is processed solicited message and carry out service response processing, and feedback result is controlled with the short micro-letter of voice SMS warning of associated user's mobile phone and information channel safety certification device 100 mutual simultaneously; Or calling data storage and administrative unit 805, safety certification and maintenance upgrade unit 802 are in the situation that safety certification is passed through, the information transmission dynamic electron license passport to the passage granting of information channel safety certification device 100 with information source recognition function and timeliness stamp, and then information channel safety certification device 100 completes passage management and control accordingly.Receive short micro-letter processing server 500 and forward next short micro-letter processing service request information, calling data storage and administrative unit 805, business account processing unit 804, the short micro-letter processing solicited message of applied business and the prosecution of divulging a secret processing solicited message are carried out to service response processing, then result is fed back to short micro-letter processing server 500; Or when the 100 channel security authentications of information channel safety certification device are passed through, to information channel safety certification device 100, send the information transmission dynamic electron license passport with information source recognition function and timeliness stamp, giving orders to control makes to only have safety certification to pass through, hold short micro-letter sendaisle of the information channel safety certification device of dynamic electron license passport and could send out the short micro-letter data information of receipts, practiced the exchange of control that has of information data.
Business account processing unit 804 is mainly used to bear information-leakage prosecution processing and the information processing of business account of application message data.Receive short micro-telecommunications services device 500 and forward the application message data processing service request information of coming, calling data storage and administrative unit 805, business account processing unit 804, application information data is carried out to information-leakage prosecution processing and the processing of business account service response, then result is fed back to short micro-letter processing server 500; Processing item has: whether block expiredly, whether certificate is effectively, whether content is correct, whether feature meets, whether information format is correct etc.
Data storage and administrative unit 805 are mainly used to manage concentratedly with database mode, classification storage, process various system operational parameters, functional program module and associated electrical certificate technical parameter table, authenticate device information source device characteristic information table, user's input feature vector information table, user's characteristic information table (comprising biological characteristic relevant information), business datum table, technical parameter table, safety certification policy information table, the business information such as transmission information form customized information, for other unit provides data message support, other unit all needs calling data storage and administrative unit 805 when completing information processing.
As shown in Figure 9, the present embodiment provides a kind of information-leakage detecting and control method, and this information-leakage detecting and control method comprises:
Step 901: send the request of information channel Security Authentication Service by front end processor to business information prosecution processing server, make described business information prosecution processing server carry out information channel safety certification according to the authentication of setting;
Step 902: receive the information transmission dynamic electron license passport with information source recognition function and timestamp that described business information prosecution processing server is issued by short micro-letter processing server;
Step 903: receive the user data information of POS equipment, and information source recognition feature parameter value, transmission information form and the content characteristic parameter value of described user data information are automatically identified and checked;
Step 904: user POS information source sign and information encoding in described user data information are remembered, rebuild retrieval symbol, and generate on the user who is uploaded to described short micro-letter processing server that security information has been implemented to hold back, hide, be out of shape and send server deal with data information;
Step 905: send on described user and send server deal with data information to described short micro-letter processing server shunting, so that described short micro-letter processing server is to sending server deal with data information to carry out being transmitted to after information combination and format that described business information prosecution processing server carries out information-leakage prosecution and business account service response is processed on described user;
Step 906: receive short micro-letter of described business information prosecution processing server feedback, carry out analytical decomposition, and the information source device feature reverse transformation in described short micro-letter is deformed into the information source device feature of script in described user data information;
Step 907: feed back to described user's application server after described short micro-letter is ressembled.
Flow process is as shown in Figure 1 known, in the utility model embodiment, information channel safety certification device 100 sends the request of information channel Security Authentication Service by front end processor to business information prosecution processing server, and receives the information transmission dynamic electron license passport with information source recognition function and timestamp that business information prosecution processing server is issued by short micro-letter processing server; Then receive the user data information of POS equipment, and information source recognition feature parameter value, transmission information form and the content characteristic parameter value of described user data information are automatically identified and checked; By user POS information source sign and information encoding in user data information, remember, rebuild retrieval symbol, and generate on the user who is uploaded to described short micro-letter processing server that security information has been implemented to hold back, hide, be out of shape and send server deal with data information, and send server deal with data information on the user described in described short micro-letter processing server shunting transmission; Finally, by receiving short micro-letter of described business information prosecution processing server feedback, carry out analytical decomposition, information source device feature reverse transformation in described short micro-letter is deformed into the information source device feature of script in described user data information, and after described short micro-letter is ressembled, feeds back to described user's application server.By said method, realized the controlled communication of direction; The management and control of the content of receiving and sending messages and form, plain code transmission, storage and the cross processing of confidential data information have been avoided, also avoided the sharing of transmission, algorithm and data processing technique method etc. of some classified information, effectively having prevented that network attack, information from stealing with system infiltration and classified information reveals and distorts, and has ensured confidentiality and the fail safe of both sides' confidential data information; Realized the two ends customization of information exchange, single-point handing-over, multiple authentication, two-way prosecution; Realized the suitable separation of secure authenticated information passage and data information exchange passage, after exchanges data information is split, carrying out directed controlled transmission again by different information channels becomes a reality, effectively prevented information-leakage, improved the fail safe of information exchange, effectively reduce the cost of information exchange, eliminated technology hidden danger.
During concrete enforcement, before step 901, this information-leakage detecting and control method also comprises: obtain and comprise customer digital certificate, operational factor, digital certificates technical parameter, authenticate device information source device characteristic information, user's input feature vector information, user's characteristic information, the pre-registration of safety certification policy information and transmission information form customized information is carried out the information registering of information exchange service application system, then obtain and comprise POS equipment user information, apparatus characteristic information is trusted in user POS facility information source, the user profile of biological characteristic entrance guard device and biological information is carried out user profile registration.
In one embodiment, above-mentioned authentication comprises: IC-card certificate+password+fingerprint+authenticate device information source device feature, TF card or SD card certificate+password+facial photo+authenticate device information source device feature, U shield certificate+password+fingerprint+voice+authenticate device information source device feature.
During concrete enforcement, if information channel safety certification failure, according to instruction locking safety certification and maintenance channel, if the failure of information channel safety certification, the information exchanging channel between opening information channel security authenticate device 100 and user's application server 600 and short micro-letter passage.
Figure 10 is the detail flowchart of information-leakage detecting and control method of the present utility model, by the security control to information exchanging channel, in addition technical finesse and the control to the automations such as information sifting filtration in the customization in advance of the discriminating of information source and information format and information exchanging process, realized the two ends customization to classified information, single-point handing-over, multiple discriminating, two-way prosecution.Both realized the suitable separation of secure authenticated information passage and user's application data information exchanging channel, realized again the multichannel transmission of data information exchange, both can make a partial data exchange message according to setting after strategy fractionation, with different short micro-letter transceiver channels, carry out directed controlled transmission, also a short micro-letter transceiver channel can be used for to the dynamic password of transmission of information, and other passage is used for transmitting exchanges data information itself, after arriving target ground, carry out again decrypts information reduction, improved the fail safe of information exchange.Simultaneously, on information exchange border, carrying out the information data source of automation differentiates, format match screening, the conversion of confidential data modification and reduction, encrypting and decrypting, splitting the technical finesses such as assembling and transmission security controls, realized the safety handing-over of communication, form is adjustable, passage is optional, password is variable, avoided the plain code transmission of confidential data information, storage and cross processing, also avoided the transmission of some classified information, sharing of algorithm and data processing technique method etc., effectively prevented network attack, information is stolen with system infiltration and classified information leakage and is distorted, confidentiality and the fail safe of both sides' confidential data information have been ensured.For clearer description information-leakage detecting and control method of the present utility model, below in conjunction with Figure 10, describe in detail, the detailed process of the information-leakage detecting and control method of Figure 10 comprises the steps:
Step 1001: two ends customization registration, subregion kept secure, first implementation information Exchange Service application system information registering, after carry out user profile registration.
Information exchange service application system information registering: information channel safety certification device 100 is when being issued to user, need to obtain customer digital certificate, operational factor, digital certificates technical parameter, authenticate device information source device characteristic information, user's input feature vector information, user's characteristic information (comprising biological characteristic relevant information), business datum table, technical parameter table, safety certification policy information, transmission information form customized informations etc. need the various information of default registration, according to its information ownership, with ciphertext granting, store user's digital certificates into respectively, in the tables of data of information channel safety certification device 100 and business information prosecution processing server 400, to divulge a secret and carry out maltilevel security authentication when prosecution treatment system is carried out safety certification and upgrade maintenance at the user login information of information channel safety certification device 100, according to the principle of whose preservation of whose information, the application system both sides of implementation information exchange, side's log-on message true form, the opposing party is the feature of log-on message only, but some information needs both sides to preserve separately, meets the needs of safety certification simultaneously, meet again and prevent the requirement of divulging a secret.
Carry out user profile registration: information channel safety certification device 100 obtains user profile, the user POS information source of user POS equipment 700 and trusts the user profile such as biological information that apparatus characteristic information, biological characteristic entrance guard device and intelligent paste transducer collect, process post-registration and store in the user profile dedicated memory of information channel safety certification device 100, to distinguish and system data dedicated memory and information exchange service application system management organization information dedicated memory block.So that in order to realize, real name operates, dynamic password is logined, enough information is prepared in multiple authentication collection, the quadruple that realizes people, machine (equipment), system, passage bundlees mutual safety certification.
Step 1002: gate inhibition pacifies control, entrance checking, dynamic password granting, operating equipment is assigned.
Biological characteristic entrance guard device 200 obtains the operation user (user attendant) of user POS equipment 700 and the personnel's such as administrative staff of user information channel safety certification device 100 biological information, and send it to user's application server 600 request and carry out user safety authentication and mandate, user's application server 600 carries out service request response processing and its result is fed back to biological characteristic entrance guard device 200 by user application network.Biological characteristic entrance guard device 200 is according to the user safety authentication of user's application server 600 and Authorization result instruction, control the gate inhibition management apparatus of commander's biological characteristic entrance guard device 200, automatically carry out the unlatching of electric linkage protective door or close, to control, whether allowing these user personnel to enter user's application service region; Simultaneously, user's application server 600 is according to user safety authentication and Authorization result and predefined licensing scheme, automatically detect and determine whether that these user personnel of permission operate user POS equipment 700, if allow it to carry out 700 operations of user POS equipment, for it distributes an exercisable user POS equipment 700, and provide the dynamic login password of user's application system of effective restriction by secured fashions such as inner mailboxes for user, completing user carries out the permission mandate that the operation of user's application system is used.Biological characteristic can be fingerprint or finger vena information, even can comprise the biological characteristic authentication informations such as finger temperature information that additional SMD intelligent temperature sensor collects, it can certainly be the biological characteristic that the facial characteristics, voice, nethike embrane, iris etc. of registered in advance authorized user easily extract, by real name, operate the side that has realized people, machine (equipment), system like this and determine safety certification, realize gate inhibition and pacified control, entrance checking, dynamic password granting, operating equipment is assigned automatically.
Step 1003: single-point traffic, safety check mode is selected, and device is registered, maltilevel security authentication.
Information channel safety certification device 100 carries out serial ports with user's application server 600 or USB line is connected, and carries out wireless tcp with front end processor 300 and business information prosecution processing server 400 and be connected.Information channel safety certification device 100 is intermediary's control device facilities that user's application server 600 and business information prosecution processing server 400 carry out information exchange, for guaranteeing safety, user's application system is only opened Yi Ge traffic intermediary control device facility, realizes single-point traffic.For anti-locking apparatus is illegally used, each legal information channel safety certification device 100 has the device digital certificates that business information prosecution processing server 400 is issued, be kept in system data dedicated memory, with difference, with user profile dedicated memory with information exchange, serve application system management organization information dedicated memory block, simultaneously, its device characteristic, title, id number, Certificate Number must carry out registration in business information prosecution processing server.Information channel safety certification device 100 obtains user's webmaster personnel associated safety authentication information according to the authentication of user management personnel setting, and send it to front end processor 300 and then be transmitted to business information prosecution processing server 400, send Security Authentication Service request.Authentication mode is for example: IC-card certificate+password+fingerprint+authenticate device information source device feature, TF card (or SD card) certificate+password+facial photo+authenticate device information source device feature, U shield certificate+password+fingerprint+voice+authenticate device information source device feature etc., with this, guarantee the input unit and the certificate that only have user accredited personnel to use appointment, input meets the information of my feature and has carried out meeting the operation of I role's authority, the relevant issues of just having the right to process.Then, the requests of business information prosecution processing server 400 response Security Authentication Service are carried out safety certification response and are processed, and safety certification result is fed back to front end processor 300 according to former road format processing, then feed back to authenticate device.If safety certification success, completes registering of information channel safety certification device 100.If safety certification is unsuccessful, safety certification repeatedly not by time information channel safety certification device 100 locking safety certification and the maintenance channels of transmitting orders, and by short micro-letter processing server 500, to user or the information exchange service personnel of application system management organization, send the warning messages such as SMS in time, carry out the rehabilitation of some necessity simultaneously, interrupt or exit safety certification.If the success of maintenance upgrade safety certification, automatic deployment upgrade application patch and other data message that need to exchange are to information channel safety certification device 100.Realized single-point traffic, safety check mode is selected, and device is registered, maltilevel security authentication.
Step 1004: certificate issued, passage regulation and control, application login, POS registers.
After channel security authentication success, business information prosecution processing server 400 is issued the information transmission dynamic electron license passport with information source recognition function and timeliness stamp to information channel safety certification device 100 by short micro-letter processing server 500, between information channel safety certification device 100 and user's application server 600, carry out the unlatching of giving orders of the passage of information exchange, short micro-letter passage sending function, the locking and the safety certification of information channel safety certification device 100 and maintenance channel are given orders, and the service of wireless tcp network connecting communication is also closed automatically.To information channel safety certification device 100, send the information transmission dynamic electron license passport with information source recognition function and timeliness stamp, giving orders to control makes to only have safety certification to pass through, hold short micro-letter sendaisle of the information channel safety certification device 100 of dynamic electron license passport and could send out the short micro-letter data information of receipts, the controlled exchange of implementation information data.After this, user POS equipment 700 obtains user's application system log-on messages such as user attendant user's name and dynamic login password, sends user's application server 600 to carry out user's application system user (asu) login safety certification by user application network.User's application server 600 carries out user and logins Security Authentication Service response processing, according to user safety authentication and predefined licensing scheme, automatically detect and determine whether this user's login of permission, whether allow this user to operate active user POS equipment 700, and processing result information is fed back to user POS equipment 700 according to request incoming road.If user log-in authentication success, user POS equipment 700 gives its information source device feature to user's application server 600 on automatically gathering, carry out user POS and register, if registered successfully, and announcement information channel security authenticate device 100.Thereby completed certificate issued, passage regulation and control, application login, POS register, prevented the access of disabled user POS and used operation.
Step 1005: border prosecution, information analysis, information source identification, form filters, Content Advisor, feature trial.
Information channel safety certification device 100 is between user's application server 600 and business information prosecution processing server 400, to carry out the mediating device of data information exchange, at this, implements strict border prosecution, and entrance is set up defences.Information channel safety certification device 100 receives user's application server 600 and forwards the user data information that next user POS equipment 700 collects, first, on the one hand the value of the information source recognition feature parameter of user data information is resolved automatically, extract and process, on the other hand itself and trust apparatus characteristic log-on message are automatically identified and checked, if information source is the believable equipment of registering, and short micro-letter passage has received that information sends dynamic electron license passport, be for further processing, otherwise this user data information of automatic rejection, and this equipment is piped off, simultaneously, send warning message to user's webmaster.Secondly, on the one hand the value of the transmission information form of user data information and content characteristic parameter is automatically extracted and processed, on the other hand transmission information form and the content characteristic log-on message of itself and user data information are automatically identified and checked, if the transmission information form of user data information and content characteristic and log-on message are joined type success, meet form and content related request, be for further processing, otherwise this user data information of automatic rejection, and send warning message to user's webmaster.Realized border prosecution, information analysis, information source identification, form filters, Content Advisor, feature trial.
Step 1006: the memory of information source sign, rebuild retrieval symbol, security information is held back, confidential data distortion.
User POS information source sign in 100 pairs of user data informations of information channel safety certification device, information encoding etc. are remembered, and rebuild retrieval symbol according to the algorithm of customization, and generate on the user who is uploaded to short micro-letter processing server 500 that security information has been implemented to hold back, hide, be out of shape and give server deal with data information, above give short micro-letter processing server 500 and ask to carry out service response processing.So-called security information is held back exactly on can be or not is sent the security information of assigning to be retained down, and when the result of this service request information is returned, then is added to and in service response result feedback information, is given to the request person of sending.In the feedback result information of user's application server 600.So-called hiding will retain the security information of uploading exactly, algorithm according to customization carries out after recompile replacement, with original out of Memory, be uploaded to service response processing server and carry out service request processing, when the result of this service request information is returned, then added in service response result feedback information and be given to the service request person of sending.So-called confidential data distortion is exactly to carry out after Morphological Transitions (comprising encryption) according to the algorithm customizing retaining the crucial security information of uploading, with original out of Memory, be uploaded to service response processing server and carry out service request processing, when the result of this service request information is returned, then added in service response result feedback information and be given to the service request person of sending.Realized the memory of information source sign, rebuild retrieval symbol, security information is held back, confidential data distortion.
Step 1007: Information encapsulation, upload in shunting; Account Disposal, shunting feedback.
Finally, on 100 couples of users of information channel safety certification device, send server deal with data to carry out information package encapsulation even after encryption according to the communication strategy subchannel of setting, send to short micro-letter processing server 500; Short micro-letter processing server 500 subchannels receive on users and send server deal with data, and according to the unified communication strategy subchannel of setting, carry out forwarding after information combination and format are processed and submit to that business information prosecution processing server 400 carries out information-leakage prosecution processing and business account service response is processed; Both can realize the suitable separation of secure authenticated information passage and user's application data information exchanging channel, can realize again the multichannel transmission of data information exchange, both can make a partial data exchange message according to setting after strategy fractionation, with different short micro-letter transceiver channels, carry out directed controlled transmission, also a short micro-letter transceiver channel can be used for to the dynamic password of transmission of information, and other passage is used for transmitting exchanges data information itself, after arriving target ground, carry out again decrypts information reduction, improved the fail safe of information exchange.Processing item at least comprises: whether device information Data Source is differentiated, blocks expired, and effectively whether certificate, whether content is correct, whether feature meets, whether information format is correct, the adjustment of account record is checked etc.If Account Disposal success, carries out Account Disposal successful information feedback according to the communication strategy subchannel of setting, and after it is carried out to subsequent processes until be transmitted to information channel safety certification device 100; Otherwise, automatically the information of it being sent is rejected, unauthorized access device also will pipe off, simultaneously, to information exchange, serve the personnel of application system management organization and carry out the warnings such as short micro-letter with user's webmaster personnel mobile phone, after this feedback processing result, to information channel safety certification device 100, has realized Information encapsulation, and upload in shunting; Account Disposal, shunting feedback.On information exchange border, carrying out the information data source of automation differentiates, format match screening, the conversion of confidential data modification, encrypt, the technical finesses such as encapsulation and transmission security are controlled, realized the safety handing-over of communication, form is adjustable, passage is optional, password is variable, avoided the plain code transmission of confidential data information, storage and cross processing, also avoided the transmission of some classified information, sharing of algorithm and data processing technique method etc., effectively prevented network attack, information is stolen with system infiltration and classified information leakage and is distorted, confidentiality and the fail safe of both sides' confidential data information have been ensured.
Step 1008: decrypts information, confidential data reduction, information source identification recovery, characteristic indication reparation.
Information channel safety certification device 100 receives after the short micro-letter of feedback of upper end server, carry out decrypts information, parsing, fractionation, restructuring, and by information source device feature wherein again reverse transformation be deformed in user data information information source device feature originally, confidential data is wherein reduced (comprising deciphering), characteristic indication is repaired.
Step 1009: passage prosecution, refitting feedback.Information channel safety certification device 100 regulates and controls by passage, after feedback information is ressembled to processing, transmission feeds back to user's application server 600, by user's application server 600, complete subsequent treatment, customer service process finishes, thereby has controlled divulging a secret of relevant classified information.
As shown in figure 11, the utility model embodiment provides a kind of information-leakage measuring and controlling device, and this information-leakage measuring and controlling device is used for realizing information channel safety certification device 100 functions.This information-leakage measuring and controlling device comprises: authentication request unit 1101, and license passport receiving element 1102, unit 1103 is checked in user data information identification, information generating unit 1104, information shunting transmitting element 1105, short micro-letter reverse transformation unit 1106, short micro-letter feedback unit 1107.
Authentication request unit 1101, for sending the request of information channel Security Authentication Service by front end processor 300 to business information prosecution processing server 400, makes described business information prosecution processing server 400 carry out information channel safety certification according to the authentication of setting.
The information transmission dynamic electron license passport with information source recognition function and timestamp that license passport receiving element 1102 is issued by short micro-letter processing server for receiving described business information prosecution processing server;
User data information identification is checked unit 1103 for receiving the user data information of POS equipment, and information source recognition feature parameter value, transmission information form and the content characteristic parameter value of described user data information are automatically identified and checked;
Information generating unit 1104 is remembered for user POS information source sign and information encoding to described user data information, rebuild retrieval symbol, and generate on the user who is uploaded to described short micro-letter processing server that security information has been implemented to hold back, hide, be out of shape and send server deal with data information;
Information shunting transmitting element 1105 sends on described user and send server deal with data information for short micro-letter processing server shunting to described, so that described short micro-letter processing server is to sending server deal with data information to carry out being transmitted to after information combination and format that described business information prosecution processing server carries out information-leakage prosecution and business account service response is processed on described user;
Short micro-letter reverse transformation unit 1106 is for receiving short micro-letter of described business information prosecution processing server feedback, carry out analytical decomposition, and the information source device feature reverse transformation in described short micro-letter is deformed into the information source device feature of script in described user data information;
Short micro-letter feedback unit 1107 feeds back to described user's application server after described short micro-letter is ressembled.
From Figure 11 and describe, in the utility model embodiment, information channel safety certification device 100 sends the request of information channel Security Authentication Service by front end processor to business information prosecution processing server, and receives the information transmission dynamic electron license passport with information source recognition function and timestamp that business information prosecution processing server is issued by short micro-letter processing server; Then receive the user data information of POS equipment, and information source recognition feature parameter value, transmission information form and the content characteristic parameter value of described user data information are automatically identified and checked; By user POS information source sign and information encoding in user data information, remember, rebuild retrieval symbol, and generate on the user who is uploaded to described short micro-letter processing server that security information has been implemented to hold back, hide, be out of shape and send server deal with data information, and send server deal with data information on the user described in described short micro-letter processing server shunting transmission; Finally, by receiving short micro-letter of described business information prosecution processing server feedback, carry out analytical decomposition, information source device feature reverse transformation in described short micro-letter is deformed into the information source device feature of script in described user data information, and after described short micro-letter is ressembled, feeds back to described user's application server.By said method, realized the controlled communication of direction; The management and control of the content of receiving and sending messages and form, plain code transmission, storage and the cross processing of confidential data information have been avoided, also avoided the sharing of transmission, algorithm and data processing technique method etc. of some classified information, effectively having prevented that network attack, information from stealing with system infiltration and classified information reveals and distorts, and has ensured confidentiality and the fail safe of both sides' confidential data information; Realized the two ends customization of information exchange, single-point handing-over, multiple authentication, two-way prosecution; Realized the suitable separation of secure authenticated information passage and data information exchange passage, after exchanges data information is split, carrying out directed controlled transmission again by different information channels becomes a reality, effectively prevented information-leakage, improved the fail safe of information exchange, effectively reduce the cost of information exchange, eliminated technology hidden danger.
As shown in figure 11, information-leakage inspection control system also comprises: information exchange service application system register unit 1108 and user profile registering unit 1109, and information exchange service application system register unit 1108 carries out the information registering of information exchange service application system for obtaining the pre-registration that comprises customer digital certificate, operational factor, digital certificates technical parameter, authenticate device information source device characteristic information, user's input feature vector information, user's characteristic information, safety certification policy information and transmission information form customized information; User profile registering unit 1109 is carried out user profile registration for obtaining the user profile that comprises POS equipment user information, the trust of user POS facility information source apparatus characteristic information, biological characteristic entrance guard device and biological information.
In one embodiment, above-mentioned authentication comprises: IC-card certificate+password+fingerprint+authenticate device information source device feature, TF card or SD card certificate+password+facial photo+authenticate device information source device feature, U shield certificate+password+fingerprint+voice+authenticate device information source device feature.
During concrete enforcement, if information channel safety certification failure, according to instruction locking safety certification and maintenance channel, if the failure of information channel safety certification, the information exchanging channel between opening information channel security authenticate device 100 and user's application server 600 and short micro-letter passage.Information-leakage inspection control system also comprises: pathway closure unit 1110, unlatching unit, road 1111 and feedback information receiving element 1112.Pathway closure unit 1110 is for according to instruction locking safety certification and maintenance channel, passage is opened unit 1111 for opening information exchanging channel and the short micro-letter passage between described information channel safety certification device and user's application server, and feedback information receiving element 1112 for receiving and successfully process feedback information when business account service response is processed successfully.
The beneficial effects of the utility model are, at information interface front end, carry out the technical finesses such as the discriminating of information data source, format match screening, the conversion of confidential data modification, encrypting and decrypting, fractionation assembling of automation and the function of security control, realized the controlled communication of direction; The management and control of the content of receiving and sending messages and form, plain code transmission, storage and the cross processing of confidential data information have been avoided, also avoided the sharing of transmission, algorithm and data processing technique method etc. of some classified information, effectively having prevented that network attack, information from stealing with system infiltration and classified information reveals and distorts, and has ensured confidentiality and the fail safe of both sides' confidential data information; By to the security control of information exchanging channel and technical finesse and control to the automations such as customization in advance of the discriminating of information source and information format, realized the two ends customization of information exchange, single-point handing-over, multiple authentication, two-way prosecution; Realized the suitable separation of secure authenticated information passage and data information exchange passage, after exchanges data information is split, carrying out directed controlled transmission again by different information channels becomes a reality, effectively prevented information-leakage, improved the fail safe of information exchange, effectively reduce the cost of information exchange, eliminated technology hidden danger.
Those skilled in the art should understand, embodiment of the present utility model can be provided as method, system or computer program.Therefore, the utility model can adopt complete hardware implementation example, implement software example or in conjunction with the form of the embodiment of software and hardware aspect completely.And the utility model can adopt the form that wherein includes the upper computer program of implementing of computer-usable storage medium (including but not limited to magnetic disc store, CD-ROM, optical memory etc.) of computer usable program code one or more.
The utility model is with reference to describing according to flow chart and/or the block diagram of the method for the utility model embodiment, equipment (system) and computer program.Should understand can be in computer program instructions realization flow figure and/or block diagram each flow process and/or the flow process in square frame and flow chart and/or block diagram and/or the combination of square frame.Can provide these computer program instructions to the processor of all-purpose computer, special-purpose computer, Embedded Processor or other programmable data processing device to produce a machine, the instruction of carrying out by the processor of computer or other programmable data processing device is produced for realizing the device in the function of flow process of flow chart or a plurality of flow process and/or square frame of block diagram or a plurality of square frame appointments.
These computer program instructions also can be stored in energy vectoring computer or the computer-readable memory of other programmable data processing device with ad hoc fashion work, the instruction that makes to be stored in this computer-readable memory produces the manufacture that comprises command device, and this command device is realized the function of appointment in flow process of flow chart or a plurality of flow process and/or square frame of block diagram or a plurality of square frame.
These computer program instructions also can be loaded in computer or other programmable data processing device, make to carry out sequence of operations step to produce computer implemented processing on computer or other programmable devices, thereby the instruction of carrying out is provided for realizing the step of the function of appointment in flow process of flow chart or a plurality of flow process and/or square frame of block diagram or a plurality of square frame on computer or other programmable devices.
In the utility model, applied specific embodiment principle of the present utility model and execution mode are set forth, the explanation of above embodiment is just for helping to understand method of the present utility model and core concept thereof; , for one of ordinary skill in the art, according to thought of the present utility model, all will change in specific embodiments and applications, in sum, this description should not be construed as restriction of the present utility model meanwhile.

Claims (14)

1. an information channel safety certification device, by serial ports or USB passage, be connected with user's application server, by SMS information channel, be connected with short micro-letter processing server, by wireless access private network, connect front end processor, described front end processor and short micro-letter processing server connect and by Intranet, are connected with business information prosecution processing server respectively, described user's application server is connected with user POS equipment and biological characteristic entrance guard device, it is characterized in that, described information channel safety certification device comprises:
Single-chip microcomputer or fpga chip;
For triggering the safety check mode selection key of authentication selection function, connect described single-chip microcomputer or fpga chip;
For triggering the parameter of the parameter setting function of described information channel safety certification device, button is set, connects described single-chip microcomputer or fpga chip;
Application main menu button for the upgrading of trigger equipment system mend and application parameter maintenance function, connects described single-chip microcomputer or fpga chip;
For generating, current secret window information input validation completes and cursor direction moves confirmation and the direction control button of controlling notification instruction, connects described single-chip microcomputer or fpga chip;
For generating cancellation/modification button of cancelling or revising the instruction of current secret window information, connect described single-chip microcomputer or fpga chip;
For gathering, transmit the voice and video capture card of operator's voice and video information, connect described single-chip microcomputer or fpga chip;
Be used for described operator's touch-screen control inputs and operation, indicated the operating state of described information channel safety certification device, display operation person informs the touching display screen of information, connects described single-chip microcomputer or fpga chip;
For gathering the physical characteristics collecting card of user's biological characteristic, connect described single-chip microcomputer or fpga chip;
Be used for reading and comprise the main security factor information of IC chip card such as user identity card number, bank card number, social security card, and the external certificate information collector of the electronic security(ELSEC) certificate of certification information of IC-card certificate, TF card certificate, U shield, connect described single-chip microcomputer or fpga chip;
For receiving and send the information-communication device of exchanges data information, connect described single-chip microcomputer or fpga chip.
2. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: for power supply and the battery charger of powering and battery charges.
3. information channel safety certification device according to claim 1, it is characterized in that, described information channel safety certification device also comprises: for obtaining the site environment image video of living in of user face biological characteristic or channel security authenticate device and the camera of photo.
4. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: for play cuing voice and from the alarm voice signal Microspeaker of server.
5. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: for gathering the microphone of user speech and site environment sound.
6. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: the client server that is used for connecting by serial communication mode authenticate device and client server is connected serial ports.
7. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: for connecting external power source, for described information channel safety certification device supplies the external power interface of distribution.
8. information channel safety certification device according to claim 1, it is characterized in that, described information channel safety certification device also comprises: for connecting user's digital certificates and gathering its information, realize information interaction between authenticate device and certificate and the external connected electronic certificate interface of contact, comprising: IC-card certificate information reader, SD card certificate socket, U shield card certificate socket.
9. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: earphone jack.
10. information channel safety certification device according to claim 1, is characterized in that, described information channel safety certification device also comprises: mains switch.
11. information channel safety certification devices according to claim 1, is characterized in that, described information channel safety certification device also comprises: communication card socket.
12. information channel safety certification devices according to claim 1, is characterized in that, described information channel safety certification device also comprises: external wireless antenna module.
13. information channel safety certification devices according to claim 1, is characterized in that, described information channel safety certification device also comprises: power supply indicator, wireless network indicator light and short micro-letter communications status indicator light.
14. information channel safety certification devices according to claim 1, is characterized in that, described information-communication device is wireless messages communicator or wired information-communication device.
CN201320554564.0U 2013-09-06 2013-09-06 Information channel security certificate device Expired - Lifetime CN203399141U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201320554564.0U CN203399141U (en) 2013-09-06 2013-09-06 Information channel security certificate device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201320554564.0U CN203399141U (en) 2013-09-06 2013-09-06 Information channel security certificate device

Publications (1)

Publication Number Publication Date
CN203399141U true CN203399141U (en) 2014-01-15

Family

ID=49910637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201320554564.0U Expired - Lifetime CN203399141U (en) 2013-09-06 2013-09-06 Information channel security certificate device

Country Status (1)

Country Link
CN (1) CN203399141U (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104184593A (en) * 2014-09-16 2014-12-03 北京唐密科技发展有限公司 Event type dynamic password device and implementation method
CN104539871A (en) * 2014-12-22 2015-04-22 小米科技有限责任公司 Multimedia call method and device
CN106330902A (en) * 2016-08-23 2017-01-11 西安电子科技大学 Environmental sound-based two-factor rapid authentication method
CN107094169A (en) * 2016-02-18 2017-08-25 福特全球技术公司 For strengthening the apparatus and method of telematics security by auxiliary channel
CN109639641A (en) * 2018-11-09 2019-04-16 山西特信环宇信息技术有限公司 A kind of certificate chain electronic identity network analysis system
CN110235424A (en) * 2017-01-20 2019-09-13 三星电子株式会社 For providing the device and method with managing security information in a communications system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104184593A (en) * 2014-09-16 2014-12-03 北京唐密科技发展有限公司 Event type dynamic password device and implementation method
CN104539871A (en) * 2014-12-22 2015-04-22 小米科技有限责任公司 Multimedia call method and device
CN107094169A (en) * 2016-02-18 2017-08-25 福特全球技术公司 For strengthening the apparatus and method of telematics security by auxiliary channel
CN106330902A (en) * 2016-08-23 2017-01-11 西安电子科技大学 Environmental sound-based two-factor rapid authentication method
CN110235424A (en) * 2017-01-20 2019-09-13 三星电子株式会社 For providing the device and method with managing security information in a communications system
CN110235424B (en) * 2017-01-20 2022-03-08 三星电子株式会社 Apparatus and method for providing and managing security information in a communication system
CN109639641A (en) * 2018-11-09 2019-04-16 山西特信环宇信息技术有限公司 A kind of certificate chain electronic identity network analysis system

Similar Documents

Publication Publication Date Title
CN103295341B (en) POS safety certification device, system and POS equipment safety authentication method
CN103490893B (en) A kind of information-leakage detecting and control method, device, system and communication channel safety certification device
US20230124022A1 (en) Security system for handheld wireless devices using time-variable encryption keys
CN203399141U (en) Information channel security certificate device
KR102056722B1 (en) Authentication system, and transmit terminal, receive terminal, and right authentication method of same
CN106233796B (en) Calculate the automatic subscriber registration and unlock of equipment
CN111478917B (en) Background system for providing network service for access control device and user terminal
CN203350880U (en) POS safety certification device and system
US20210320909A1 (en) Communications system, communications device used in same, management device, and information terminal
WO2017197974A1 (en) Biometric characteristic-based security authentication method, device and electronic equipment
US8751794B2 (en) System and method for secure nework login
CN110245144A (en) Protocol data management method, device, storage medium and system
CN105516104A (en) Identity verification method and system of dynamic password based on TEE (Trusted execution environment)
CN105659244A (en) Security system, apparatus and method using additional code
CN104050510A (en) Intelligent room reservation system based on mobile terminal
CN105684483A (en) Registry apparatus, agent device, application providing apparatus and corresponding methods
CN116325647A (en) Authentication chain using public key infrastructure
CN102111271A (en) Network security authentication method and device as well as authentication method of hand-held electronic device
CN108604269A (en) For the device and method of certification, and it is applied to identical computer program and recording medium
US8990887B2 (en) Secure mechanisms to enable mobile device communication with a security panel
JP2005036394A (en) User authentication system
CN106815907A (en) A kind of method and intelligent access control system based on picture password management intelligent entrance guard
CN109583977A (en) A kind of certificate chain house pre-sale permit electronics license system and its application method
CN105991524A (en) Family information security system
JP2023527862A (en) Secure remote access to industrial control systems with hardware-based authentication

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term
CX01 Expiry of patent term

Granted publication date: 20140115