CN102571760B - Secure sockets layer method for meeting programmable communications interface (PCI) 3.0 on financial point of sale (POS) - Google Patents

Secure sockets layer method for meeting programmable communications interface (PCI) 3.0 on financial point of sale (POS)

Publication number
CN102571760B
CN102571760B CN201110429571.3A CN201110429571A CN102571760B CN 102571760 B CN102571760 B CN 102571760B CN 201110429571 A CN201110429571 A CN 201110429571A CN 102571760 B CN102571760 B CN 102571760B
Authority
CN
China
Prior art keywords
ssl
management unit
pos
secure sockets
sockets layer
Legal status
Active
Application number
CN201110429571.3A
Other languages
Chinese (zh)
Other versions
CN102571760A (en)
Inventor
张炽成
刘百涛
Current Assignee
Fujian Landi Commercial Equipment Co Ltd
Original Assignee
Fujian Landi Commercial Equipment Co Ltd

Landscapes

  • Cash Registers Or Receiving Machines (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a secure sockets layer method meeting Payment Card Industry (PCI) 3.0 on a financial point of sale (POS) terminal. The secure sockets layer (SSL) security module of the POS system is divided into two parts, a foreground secure dynamic library and a background management unit, which are placed in separate address spaces by the memory management unit (MMU) mechanism of the central processing unit (CPU) and communicate over a Unix socket. The foreground secure dynamic library provides an application program interface (API) that the system's application programs call, and manages the SSL connection parameters through configuration files. The background management unit is responsible for managing the certificates and private keys and for carrying out SSL negotiation. The method isolates the certificates, the private key files and the SSL negotiation process in the POS system from the application programs, strongly protecting critical data.

Description

A secure sockets layer method meeting PCI 3.0 on a financial POS
Technical field
The present invention relates to a secure sockets layer method meeting PCI 3.0 on a financial POS.
Background art
PCI 3.0 (Payment Card Industry version 3.0) is an international security standard for the financial sector. It places strict requirements on the SSL/TLS (Secure Sockets Layer/Transport Layer Security) secure communication protocol and on the storage of certificates and keys. SSL/TLS uses public-key technology to ensure the confidentiality and reliability of communication between the two parties, so that communication between client and server applications cannot be eavesdropped on by an attacker. An advantage of the SSL/TLS protocol is that it is independent of the application-layer protocol: higher-level application protocols (for example HTTP, FTP, Telnet) can be layered transparently on top of it. The SSL/TLS protocol completes negotiation of the cryptographic algorithm and the communication key, and authentication of the server, before application-layer communication begins. All data the application-layer protocol transmits afterwards is encrypted, which ensures the privacy of the communication. However, existing SSL/TLS implementations generally expose their API to applications through a dynamic library, and that dynamic library directly accesses critical data such as certificates and private keys (see the flow diagram in Fig. 1). The library runs in the same address space as the application and with the same privileges as the application. With this storage and processing mechanism, an unauthorized application may directly steal or tamper with critical data such as certificates and private keys, so the security requirements of PCI 3.0 cannot be met.
Summary of the invention
The object of the invention is to provide a secure sockets layer method meeting PCI 3.0 on a financial POS that isolates the certificates, the private key files and the SSL negotiation process in the POS system from the application programs, strongly protecting critical data.
The invention is realized by the following scheme: a secure sockets layer method meeting PCI 3.0 on a financial POS, characterized in that the SSL security module of the POS system is divided into two parts, a foreground secure dynamic library and a background management unit, which are placed in separate address spaces by the memory management unit (MMU) mechanism of the CPU and communicate over a Unix socket. The foreground secure dynamic library provides an API that the system's application programs call and manages the SSL connection parameters through a configuration file; the background management unit is responsible for managing the certificates and private keys and for carrying out SSL negotiation.
In an embodiment of the invention, the API has no privilege to access the system's actual protected physical files; to establish an SSL secure channel, it communicates with the background management unit by sending instructions.
The beneficial effects of the invention are:
1. Access-privilege control is used, ensuring that the privileges an application runs with cannot reach the storage path of the certificates and private keys, and all private keys are protected by encryption;
2. Process address-space isolation is used, which effectively prevents malicious programs from obtaining sensitive data by scanning memory;
3. Communication between the foreground and the background is encrypted by design, preventing direct access to critical sensitive data.
Description of the drawings
Fig. 1 is a flow diagram of an application accessing sensitive data in an existing POS system.
Fig. 2 is a flow diagram of the system framework using the method of the invention.
Fig. 3 is a diagram of the communication process between the application using the dynamic library and the background management unit.
Detailed description of the embodiments
The invention provides a secure sockets layer method meeting PCI 3.0 on a financial POS. The method divides the SSL security module of the POS system into two parts, a foreground secure dynamic library and a background management unit, which are placed in separate address spaces by the memory management unit (MMU) mechanism of the CPU and communicate over a Unix socket. The foreground secure dynamic library provides an API that the system's application programs call and manages the SSL connection parameters through a configuration file; the background management unit is responsible for managing the certificates and private keys and for carrying out SSL negotiation.
As shown in Fig. 2, the POS system SSL security scheme of the invention uses the MMU (Memory Management Unit) mechanism of the CPU to divide the system's internal space into two parts, which can be defined as the application space and the system space. Any external application that wants to access the system space must first submit an instruction through the application space and build an encrypted channel. Specifically, the SSL security module that sits between these two spaces is divided into the background management unit, located in the system space, and the foreground secure dynamic library, located in the application space. The foreground secure dynamic library provides an API to the application. This API has no privilege to access the system's actual protected physical files; to establish an SSL secure channel, it communicates with the background management unit by sending instructions. See Fig. 3 for the detailed flow.
The foregoing is only a preferred embodiment of the invention; all equivalent changes and modifications made within the scope of the claims of the present application shall fall within the scope of the invention.
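The foreground/background split described above can be sketched as follows. This is an added example, not code from the patent: `os.fork()` stands in for a separately started background process, an HMAC over constructed bytes stands in for the private-key operation performed during SSL negotiation, and the instruction names `SIGN` and `READKEY` are hypothetical.

```python
import hashlib, hmac, os, socket

def background_unit(sock):
    """Background management unit: separate process, sole holder of the key."""
    key = os.urandom(32)  # constructed stand-in for the protected private key
    chan = sock.makefile("rwb")
    for line in chan:  # one instruction per line: b"OP <hex payload>\n"
        op, _, arg = line.strip().partition(b" ")
        reply = b"ERR unsupported instruction"  # default: refuse
        if op == b"SIGN":  # hypothetical instruction name
            try:
                data = bytes.fromhex(arg.decode())
                mac = hmac.new(key, data, hashlib.sha256).hexdigest()
                reply = b"OK " + mac.encode()
            except ValueError:
                reply = b"ERR malformed payload"
        chan.write(reply + b"\n")
        chan.flush()

class ForegroundLibrary:
    """Foreground library: the only API the application sees; holds no key."""
    def __init__(self):
        self.sock, bg = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        self.pid = os.fork()  # assumption: a real unit runs as its own daemon
        if self.pid == 0:  # child process = background unit
            self.sock.close()
            try:
                background_unit(bg)
            finally:
                os._exit(0)
        bg.close()
        self.chan = self.sock.makefile("rwb")

    def instruct(self, op, data=b""):
        """Send one instruction; return (accepted, reply text)."""
        self.chan.write(op + b" " + data.hex().encode() + b"\n")
        self.chan.flush()
        status, _, body = self.chan.readline().strip().partition(b" ")
        return status == b"OK", body.decode()

    def close(self):
        self.chan.close()
        self.sock.close()
        os.waitpid(self.pid, 0)

def demo():
    lib = ForegroundLibrary()
    ok, mac = lib.instruct(b"SIGN", b"constructed handshake bytes")
    same = lib.instruct(b"SIGN", b"constructed handshake bytes")[1] == mac
    refused = lib.instruct(b"READKEY")
    lib.close()
    return ok, same, len(mac), refused
```

The key is created only after the fork, inside the background process, so it never exists in the application's address space; the foreground side can obtain results of key operations but has no instruction that returns the key itself.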

Claims (1)

1. A secure sockets layer method meeting PCI 3.0 on a financial POS, characterized in that: the SSL security module of the POS system is divided into two parts, a foreground secure dynamic library and a background management unit, which are placed in separate address spaces by the memory management unit (MMU) mechanism of the CPU and communicate over a Unix socket; the foreground secure dynamic library provides an API that the system's application programs call and manages the SSL connection parameters through a configuration file, and the background management unit is responsible for managing the certificates and private keys and for carrying out SSL negotiation; the API has no privilege to access the system's actual protected physical files and, to establish an SSL secure channel, communicates with the background management unit by sending instructions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110429571.3A CN102571760B (en) 2011-12-20 2011-12-20 Secure sockets layer method for meeting programmable communications interface (PCI) 3.0 on financial point of sale (POS)

Publications (2)

Publication Number Publication Date
CN102571760A CN102571760A (en) 2012-07-11
CN102571760B CN102571760B (en) 2015-01-07

Family

ID=46416239

Country Status (1)

Country Link
CN (1) CN102571760B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant