CN101155112B - Virtual special terminal, network service system and service access method - Google Patents


Info

Publication number
CN101155112B
Authority
CN
China
Prior art keywords
terminal
network service
virtual
specialized hardware
special
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200610140646A
Other languages
Chinese (zh)
Other versions
CN101155112A (en)
Inventor
王竹强
宋春雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN200610140646A
Publication of CN101155112A
Application granted
Publication of CN101155112B
Legal status: Active
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides a virtual special terminal for use in a network service system in which a terminal acts as the client and a server provides the network service. The virtual special terminal comprises a VT virtual machine; a special-purpose operating system on the VT virtual machine; private client software running on the special-purpose operating system; and a hardware part containing a security chip and specialized hardware, where the security chip stores a terminal identifier used for terminal authentication and the specialized hardware stores authentication information used for authentication. The VT virtual machine virtualizes the specialized hardware only for the special-purpose operating system, so that only the special-purpose operating system can access the specialized hardware, and the private client software accesses the network service using the terminal identifier and the authentication information held in the specialized hardware.

Description

Virtual special terminal, network service system and service access method
Technical field
The present invention relates to the field of network services, and in particular to a virtual special terminal, a network service system and a service access method for use in a network service system. According to the invention, virtualization technology is used to turn a terminal into a virtual special terminal, so that the server can reliably perform security authentication of this virtual special terminal and then provide service access.
Background technology
Fig. 1 shows the structure of a current private-network interactive service system (a banking system is taken as the example). As shown in Fig. 1, this private-network interactive service system comprises a terminal (client) and a banking system server. The terminal is connected to the banking system server over a dedicated line, and the terminal and the banking system server use the DES/3DES algorithm for encrypted transmission. The terminal is equipped with specialized hardware and with private client software.
In this private-network interactive service system, because access is over a dedicated line, no authentication of the terminal device is performed during a transaction; the terminal is instead proven by the key of the DES algorithm. Also because access is over a dedicated line, transaction messages need only the DES/3DES algorithm to guarantee transmission security. Furthermore, because the terminal is provided with dedicated hardware and software, malware cannot be loaded onto the platform, and the likelihood of the hardware, operating system or application software being attacked is very small.
Now, with the emergence and growth of Internet banking built on the Internet, the terminal in use is an open computing platform (a common PC), so only the user's password/PIN or certificate is used to guarantee transaction security. Malware can easily attack the client software and steal user information, or obtain the password by fraud and then access the banking system directly from elsewhere.
Improving security is therefore urgent. However, simply transplanting the private-network interactive service system described above (the bank's POS/ATM system) is not a feasible way to solve the security problem of Internet banking. The reason is that the current Internet banking system runs over a non-trusted network, so the terminal must be authenticated, and the existing POS scheme does not support such authentication. In addition, because a non-trusted network is used, symmetric algorithms such as DES/3DES alone do not meet the security requirements of network transmission. Finally, because the terminal is a common PC, specialized hardware loaded on the terminal is easily accessed or attacked by malware, and the terminal's private client software is also easily attacked by malware (as shown in Fig. 2).
Summary of the invention
The object of the invention is to propose a virtual special terminal, a network service system and a service access method for use in a network service system. According to the invention, virtualization technology turns a terminal into a virtual special terminal, so that the server can reliably perform security authentication of this virtual special terminal and then provide service access.
To achieve these objects, the invention proposes a virtual special terminal for use in a network service system that comprises a terminal acting as the client and a server providing the network service. The virtual special terminal comprises: a VT virtual machine; a special-purpose operating system formed on the VT virtual machine; private client software running on the special-purpose operating system; and a hardware part comprising a security chip and specialized hardware, where the security chip stores a terminal identifier used for terminal authentication and the specialized hardware stores authentication information used for authentication. The VT virtual machine virtualizes the specialized hardware only for the special-purpose operating system, so that only the special-purpose operating system can access the specialized hardware, and the private client software accesses the network service using the terminal identifier and the authentication information held in the specialized hardware.
Preferably, the terminal identifier is also used to encrypt messages sent from the terminal to the server over the network.
Preferably, the special-purpose operating system is formed on the VT virtual machine using virtualization technology.
Preferably, the security chip is a TPM chip.
Preferably, the network is an open network, including the Internet.
Preferably, the encryption is SSL encryption.
The invention also proposes a network service system comprising: a virtual special terminal formed on a terminal acting as the client; a server that provides the network service after successfully authenticating the terminal using the terminal identifier; and a network between the virtual special terminal and the server. The virtual special terminal comprises: a VT virtual machine; a special-purpose operating system formed on the VT virtual machine; private client software running on the special-purpose operating system; and a hardware part comprising a security chip and specialized hardware, where the security chip stores a terminal identifier used for terminal authentication and the specialized hardware stores authentication information used for authentication. The VT virtual machine virtualizes the specialized hardware only for the special-purpose operating system, so that only the special-purpose operating system can access the specialized hardware, and the private client software accesses the network service using the terminal identifier and the authentication information held in the specialized hardware.
Preferably, the server comprises: a transactional services module that, on successful authentication, allows the terminal to access the network service and decrypts messages from the terminal; and an authentication module that authenticates the terminal using the terminal identifier and the authentication information in the specialized hardware.
The invention also proposes a service access method comprising: forming a virtual special terminal on a terminal acting as the client, the virtual special terminal comprising a VT virtual machine, a special-purpose operating system formed on the VT virtual machine, private client software running on the special-purpose operating system, and a hardware part comprising a security chip and specialized hardware; under the control of the VT virtual machine, the private client software accessing the specialized hardware through the special-purpose operating system so as to send the terminal identifier stored in the security chip of the hardware part and the authentication information stored in the specialized hardware to the server over the network; and the server receiving the terminal identifier and the authentication information held in the specialized hardware, performing authentication, and, on successful authentication, allowing the terminal to access the network service.
Preferably, message transmission between the virtual special terminal and the server is encrypted, the encryption including SSL encryption.
Description of drawings
The above objects, advantages and features of the invention will become apparent from the following detailed description of the preferred embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the private-network interactive service system currently used in banking systems;
Fig. 2 is a schematic diagram of the attack exposure of each component in the network service system used in current Internet banking systems;
Fig. 3 is a block diagram of the virtual special terminal according to an embodiment of the invention;
Fig. 4 is a block diagram of the network service system that uses this virtual special terminal;
Fig. 5 is a flow chart of the service access method that uses this virtual special terminal; and
Fig. 6 is a schematic diagram showing how the network service system according to an embodiment of the invention avoids attacks.
Embodiment
The main idea of the invention is to propose a virtual special terminal. A user can use this virtual terminal over an untrusted network (for example, the Internet) to achieve security authentication, access, service use and transactions when interacting with a remote server (such as an e-banking server or a bank payment gateway). Its security is fully equivalent to, or even exceeds, that of the existing private-network special-purpose terminal, but at lower cost.
Preferred embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 3 shows a block diagram of the virtual special terminal according to an embodiment of the invention.
As shown in Fig. 3, the virtual special terminal according to the invention comprises: a VT (Intel Virtualization Technology) virtual machine 102, a special-purpose OS (operating system) 100 formed on the VT virtual machine 102, private client software 104 formed on the special-purpose OS 100, and a hardware part 106, where the hardware part 106 comprises a TPM (Trusted Platform Module) chip 108 and specialized hardware 110.
According to the invention, virtualization technology is used to form the VT virtual machine 102 on the terminal 10 (a common PC) and to build the special-purpose operating system 100 on the virtual machine 102, thereby forming the virtual special terminal.
Specifically, the special-purpose OS 100 is the counterpart of the operating system on a prior-art special-purpose terminal platform and can forbid the installation of any unauthorized software. The private client software 104 runs on this special-purpose OS 100, and the special-purpose OS 100 forces the private client software 104 to access only the given server (for example, the Internet banking system server).
The specialized hardware 110 is the counterpart of the specialized hardware on a prior-art special-purpose terminal platform and stores the relevant authentication information used for authentication. The TPM chip 108 stores the terminal identifier, which is used for terminal authentication and for encrypting messages transmitted over a network such as the Internet.
The VT virtual machine 102 guarantees isolation between different operating systems, for example between the normal operating system and the special-purpose operating system, so that the special-purpose operating system is not exposed to the security risks of the other, normal operating systems. In addition, the VT virtual machine 102 formed on the terminal virtualizes the specialized hardware only for the special-purpose operating system, so access to the specialized hardware is provided only to the special-purpose OS 100 and no other OS can access it. Thus the private client software 104 can use the special-purpose operating system 100 to access the specialized hardware 110, send the terminal identifier and the authentication information in the specialized hardware to the server over the network for authentication, and, on successful authentication, access the network service.
When forming the virtual special terminal, a CPU and chipset supporting virtualization technology are used. The motherboard integrates a security chip (TPM), which can also provide cryptographic services such as the terminal identifier. In addition, the motherboard integrates a bank POS/ATM proprietary hardware chip, such as the Renesas hardware used for POS by VISA ePos. A VMM virtual machine is installed on the hardware; this virtual machine fully supports virtualization technology and can provide features such as hardware virtualization, switching between multiple operating systems and isolation between operating systems. A common operating system, such as Windows XP or Vista, is installed on the virtual machine and runs the applications of a common PC; the virtual machine does not virtualize the proprietary hardware chip for this OS, so the common OS cannot access the proprietary hardware chip on the hardware. A special-purpose OS is also installed on the virtual machine; the virtual machine virtualizes the proprietary hardware chip for this OS and provides the driver, so it can access the special chip on the hardware. The special-purpose operating system may be Windows, Linux or an embedded OS, and it controls the installation and running of ordinary application programs to prevent malware such as viruses and Trojans from entering and attacking. A software service component based on the security chip is provided in the special-purpose operating system and is used to access the security chip from within that operating system. In addition, all private client software of the bank POS/ATM is installed in the special-purpose operating system, such as the G&D EMV e-POS software used by VISA ePOS; this software can communicate and transact with the bank's remote server.
Fig. 4 shows a block diagram of the network service system that uses this virtual special terminal.
As shown in Fig. 4, the network service system comprises a terminal 10, a server 20 and a network 30. The terminal 10 in the left part of Fig. 4 is identical to that of Fig. 3 and is not described again.
The server 20 comprises: a transactional services module 200 that, on successful authentication, allows the terminal to access the network service and decrypts messages from the terminal; and an authentication module 202 that authenticates the terminal using the terminal identifier and the authentication information in the specialized hardware. The network 30 lies between the terminal 10 and the server 20 and carries the encrypted messages exchanged between the two; it can use an encryption method such as SSL (Secure Sockets Layer).
For client software login and authentication, the user logs in to or switches to the special-purpose OS and keeps the network connection up. The user logs in to the private client software by entering a user name and password, by using a card reader to read the bank card the user holds directly, or by directly reading account information stored securely in the terminal (disk, TPM, specialized hardware, etc.); these are all optional modes. The software service component based on the security chip is called to access the security chip. The security chip arranges the login information in the manner of the SSL protocol and performs operations such as encryption and signing with the key in the security chip. The result is sent to the server with a request for login to the authentication service. The server's transactional services module forwards the login request data to the corresponding authentication module for authentication. If authentication passes, the authentication module returns a login-success response; if it does not pass, it returns a login-failure response. The response result is returned to the client.
After a successful login, the user requests a transaction, such as an account balance inquiry. The client software generates the balance inquiry request message. The security chip signs and encrypts the request message, producing ciphertext (following the SSL protocol). The ciphertext is then sent to the server, where the transactional services module performs the service operation and responds. Finally, the response result is returned to the terminal.
Fig. 5 shows a flow chart of the service access method that uses this virtual special terminal.
As shown in Fig. 5, in step 500 the virtual special terminal of the invention described above is formed on the terminal acting as the client. In step 502, under the control of the VT virtual machine, the private client software accesses the specialized hardware 110 through the special-purpose operating system so as to send the terminal identifier stored in the security chip 108 (for example, a TPM chip) of the hardware part 106 and the authentication information in the specialized hardware 110 to the server 20 over the network 30. Then, in step 504, the server 20 receives the terminal identifier and the authentication information and performs authentication, and on successful authentication allows the terminal 10 to access the network service.
As described above, according to the invention a virtual special-purpose terminal is built on a common PC (personal computer) platform, ensuring that the specialized hardware and the private client software are not attacked by malware. In addition, SSL-encrypted transmission and enforced access to a fixed network address solve the transmission security problem of moving private-network equipment onto a public network. Furthermore, in the invention the terminal uses a TPM chip to implement device authentication. Fig. 6 is a schematic diagram showing how the network service system according to an embodiment of the invention avoids attacks; it shows that the invention prevents the various local and network-transmission attacks by malware and thus provides higher security.
As described above, the invention can be applied to network services that require high security, such as Internet banking systems.
Although the invention has been shown above in conjunction with its preferred embodiments, those skilled in the art will appreciate that various modifications, substitutions and changes can be made without departing from the spirit and scope of the invention. The invention should therefore not be limited by the above embodiments but by the claims and their equivalents.
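The login and transaction flow of the two paragraphs above, together with the VMM's device exposure from Fig. 3, modelled as an added Python example (not code from the patent or from Lenovo). It assumes HMAC-SHA256 under a per-terminal key in place of the TPM's signing, an SSL channel that is not modelled, and constructed sample identifiers and authentication information.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values for what the TPM and the POS/ATM chip hold; not real keys.
TERMINAL_ID = "TERM-0001"
TERMINAL_KEY = bytes.fromhex("1f" * 32)  # key bound to the terminal identifier
AUTH_INFO = "POS-AUTH-CONSTRUCTED-42"    # authentication info in the specialized hardware


class SecurityChip:
    """TPM 108 stand-in: holds the terminal identifier and signs messages. Assumption:
    HMAC-SHA256 under a per-terminal key replaces the chip's asymmetric signing."""
    def __init__(self, terminal_id, key):
        self.terminal_id = terminal_id
        self._key = key

    def sign(self, body):
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()


class SpecializedHardware:
    """Specialized hardware 110: holds the service's authentication information."""
    def __init__(self, auth_info):
        self._auth_info = auth_info

    def read_auth_info(self):
        return self._auth_info


class VTVirtualMachine:
    """VT virtual machine 102: virtualizes the devices only for the special-purpose OS."""
    def __init__(self, chip, hardware):
        self._devices = {"security_chip": chip, "specialized_hardware": hardware}

    def attach(self, guest_os, device):
        if guest_os != "special_os":  # the common OS gets no virtual device at all
            raise PermissionError(f"{guest_os} may not access {device}")
        return self._devices[device]


class Server:
    """Server 20: authentication module 202 plus transactional services module 200."""
    def __init__(self, registry):
        self._registry = registry  # terminal_id -> (terminal key, expected auth info)
        self._sessions = {}

    def _signature_ok(self, msg):
        entry = self._registry.get(msg.get("terminal_id"))
        if entry is None:
            return False
        body = {k: v for k, v in msg.items() if k != "signature"}
        data = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(entry[0], data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg.get("signature", ""))

    def login(self, msg):
        # Authentication module: the terminal identifier is proven by its signature,
        # then the authentication information from the specialized hardware is checked.
        if not self._signature_ok(msg):
            return {"status": "login_failed"}
        expected_auth = self._registry[msg["terminal_id"]][1]
        if not hmac.compare_digest(expected_auth, msg.get("auth_info", "")):
            return {"status": "login_failed"}
        token = secrets.token_hex(8)
        self._sessions[token] = msg["terminal_id"]
        return {"status": "login_ok", "session": token}

    def transact(self, msg):
        # Transactional services module: serve only signed requests of a logged-in terminal.
        if self._sessions.get(msg.get("session")) != msg.get("terminal_id"):
            return {"status": "rejected"}
        if not self._signature_ok(msg):
            return {"status": "rejected"}
        if msg.get("op") == "balance":
            return {"status": "ok", "balance": 1000}  # constructed account balance
        return {"status": "unknown_op"}


def client_login(vmm, guest_os, server, username, password):
    """Private client software 104 running in guest_os; its devices come from the VMM."""
    chip = vmm.attach(guest_os, "security_chip")
    hardware = vmm.attach(guest_os, "specialized_hardware")
    body = {"terminal_id": chip.terminal_id, "auth_info": hardware.read_auth_info(),
            "user": username, "credential": password}  # travels inside the assumed SSL channel
    body["signature"] = chip.sign(body)  # signature computed before the field is added
    return server.login(body)


def run_session(guest_os="special_os"):
    """Login followed by a balance inquiry; returns the server's final response."""
    vmm = VTVirtualMachine(SecurityChip(TERMINAL_ID, TERMINAL_KEY), SpecializedHardware(AUTH_INFO))
    server = Server({TERMINAL_ID: (TERMINAL_KEY, AUTH_INFO)})
    resp = client_login(vmm, guest_os, server, "alice", "example-password")
    if resp["status"] != "login_ok":
        return resp
    chip = vmm.attach(guest_os, "security_chip")
    tx = {"terminal_id": chip.terminal_id, "session": resp["session"], "op": "balance"}
    tx["signature"] = chip.sign(tx)
    return server.transact(tx)
```

Confidentiality and replay protection are left to the SSL channel the model assumes; the signature only binds each message to the registered terminal identifier and lets the server reject a message whose authentication information or fields were altered in transit.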

Claims (10)

1. A virtual special terminal for use in a network service system comprising a terminal acting as a client and a server providing a specific network service, the virtual special terminal comprising:
a VT virtual machine;
a special-purpose operating system, dedicated to the specific network service, formed on the VT virtual machine;
private client software, dedicated to the specific network service, running on the special-purpose operating system; and
a hardware part comprising a security chip and specialized hardware dedicated to the specific network service, the security chip storing a terminal identifier used for terminal authentication and the specialized hardware storing authentication information used for authentication to the specific network service;
wherein the VT virtual machine virtualizes the specialized hardware only for the special-purpose operating system, so that only the special-purpose operating system can access the specialized hardware, and the private client software accesses the network service using the terminal identifier and the authentication information in the specialized hardware.
2. The virtual special terminal according to claim 1, characterized in that the terminal identifier is also used to encrypt messages sent from the terminal to the server over the network.
3. The virtual special terminal according to claim 1, characterized in that the special-purpose operating system is formed on the VT virtual machine using virtualization technology.
4. The virtual special terminal according to claim 1, characterized in that the security chip is a TPM chip.
5. The virtual special terminal according to claim 1, characterized in that the network is an open network, including the Internet.
6. The virtual special terminal according to claim 2, characterized in that the encryption is SSL encryption.
7. A network service system comprising:
a virtual special terminal formed on a terminal acting as a client;
a server for providing a specific network service, which provides the network service after successfully authenticating the terminal using a terminal identifier and authentication information; and
a network between the virtual special terminal and the server;
the virtual special terminal comprising:
a VT virtual machine;
a special-purpose operating system, dedicated to the specific network service, formed on the VT virtual machine;
private client software, dedicated to the specific network service, running on the special-purpose operating system; and
a hardware part comprising a security chip and specialized hardware dedicated to the specific network service, the security chip storing a terminal identifier used for terminal authentication and the specialized hardware storing authentication information used for authentication to the specific network service;
wherein the VT virtual machine virtualizes the specialized hardware only for the special-purpose operating system, so that only the special-purpose operating system can access the specialized hardware, and the private client software accesses the network service using the terminal identifier and the authentication information in the specialized hardware.
8. The system according to claim 7, characterized in that the server comprises:
a transactional services module that, on successful authentication, allows the terminal to access the network service and decrypts messages from the terminal;
an authentication module that authenticates the terminal using the terminal identifier and the authentication information in the specialized hardware.
9. A service access method for a specific network service, comprising:
forming a virtual special terminal on a terminal acting as a client, the virtual special terminal comprising: a VT virtual machine; a special-purpose operating system, dedicated to the specific network service, formed on the VT virtual machine; private client software, dedicated to the specific network service, running on the special-purpose operating system; and a hardware part comprising a security chip and specialized hardware dedicated to the specific network service;
under the control of the VT virtual machine, the private client software accessing the specialized hardware through the special-purpose operating system, so as to send the terminal identifier stored in the security chip of the hardware part and the authentication information for the specific network service stored in the specialized hardware to the server over the network;
the server receiving the terminal identifier and the authentication information in the specialized hardware and performing authentication, and on successful authentication allowing the terminal to access the network service.
10. The method according to claim 9, characterized in that message transmission between the virtual special terminal and the server is encrypted, the encryption including SSL encryption.
Application CN200610140646A, priority date 2006-09-29, filing date 2006-09-29: Virtual special terminal, network service system and service access method. Status: Active. Publication CN101155112B (en).

Publications (2)

Publication Number Publication Date
CN101155112A CN101155112A (en) 2008-04-02
CN101155112B true CN101155112B (en) 2010-05-12

Family

ID=39256561

Country Status (1)

Country Link
CN (1) CN101155112B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110047609A1 (en) * 2008-04-23 2011-02-24 Hideaki Tetsuhashi Information processing system, information processing device, mobile communication device, and method for managing user information used for them
CN102194063A (en) * 2010-03-12 2011-09-21 北京路模思科技有限公司 Method and system for secure management and use of key and certificate based on virtual machine technology
CN103164260B (en) * 2011-12-15 2016-06-01 中国银联股份有限公司 Application management system and method for mobile terminal
CN102571760B (en) * 2011-12-20 2015-01-07 福建联迪商用设备有限公司 Secure sockets layer method for meeting programmable communications interface (PCI) 3.0 on financial point of sale (POS)
CN103246544B (en) * 2013-04-09 2016-02-24 何钦淋 virtual hardware driving method
CN103281185A (en) * 2013-05-08 2013-09-04 深圳创维数字技术股份有限公司 Method and system for controlling resource access of terminal
WO2015165095A1 (en) * 2014-04-30 2015-11-05 华为技术有限公司 Method for creating virtual base station, and base station cloud device
CN113127148B (en) * 2021-03-09 2024-04-09 中国科学院信息工程研究所 Active dynamic measurement method and system for virtualized environment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050138370A1 (en) * 2003-12-23 2005-06-23 Goud Gundrala D. Method and system to support a trusted set of operational environments using emulated trusted hardware
CN1808456A (en) * 2006-02-24 2006-07-26 上海方正信息安全技术有限公司 Method of adding trusted platform on portable terminal
CN1808457A (en) * 2006-02-24 2006-07-26 上海方正信息安全技术有限公司 Portable trusted platform module supporting remote dynamic management


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant