CN102610034B - Safety auditing method and safety content display list generating method required by safety auditing - Google Patents

Info

Publication number: CN102610034B
Application number: CN201210047318.6A
Authority: CN (China)
Prior art keywords: interface; application program; safety; content list; key value
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN102610034A
Inventor: 姚承勇
Current assignee: Fujian Landi Commercial Equipment Co Ltd
Original assignee: Fujian Landi Commercial Equipment Co Ltd
Priority date: 2012-02-27
Filing date: 2012-02-27
Publication dates: CN102610034A 2012-07-25; CN102610034B (grant) 2014-06-25

Abstract

The invention relates to a security audit method for the non-PIN-entry state and to a method for generating the safe display content list that the audit requires. The security audit method for the non-PIN-entry state comprises the following steps: S01, obtain a key value; S02, extract the application's current display interface, or an interface digest of that interface; S03, judge whether the current display interface, or an interface digest carrying the display features of the application's current interface, is present in a preset safe display content list; if so, return the key value to the application; if not, withhold the key value, or change it to an error character and return that to the application. The method secures the display of interfaces that need to obtain PIN-character-class key values in the non-PIN-entry state, and prevents prompts from inducing the cardholder to enter the PIN under unsafe conditions.

Description

Security audit method and method for generating the safe display content list it requires
Technical field
The present invention relates to information security and financial transactions, and in particular to a security audit method for the non-PIN-entry state and to a method for generating the safe display content list that this audit requires.
Background art
In a financial POS transaction the cardholder must enter a PIN to verify that the transaction is legitimate. The PIN is extremely sensitive cardholder data, and the POS must protect it against leakage. In the POS system, PIN entry and encryption are offered to applications by the underlying system in the form of an API; an application that calls this PIN entry API is not given plaintext PIN data.
A traditional domestic POS application can, however, bypass the secure API the underlying layer provides: by displaying a misleading prompt text it deceives the cardholder into entering the PIN on an ordinary screen, and the application then obtains the PIN digits (Fig. 3).
To prevent this type of risk the prior art applies the following rule: if the characters displayed anywhere on the screen include 'P'/'p', 'I'/'i' and 'N'/'n' (the three letters of "PIN"), or the two characters of the Chinese word for password (rendered "close" and "code" in the original translation), whether they appear consecutively or scattered across the screen as single characters, the screen is deemed to contain a sensitive prompt that may induce the cardholder to enter the PIN and therefore to carry a risk. When the rule flags such a screen prompt, the underlying system does not return PIN keys to the application.
Fig. 1 shows PIN reading in the PIN-entry state in the prior art: the device obtains the PIN through the dedicated secure interface provided by the underlying layer, and the plaintext cannot be stolen. Fig. 2 shows key values being read in the non-PIN-entry state. Fig. 3 shows an application bypassing the dedicated secure interface and obtaining the PIN by displaying an inducing prompt text that deceives the cardholder into entering it.
The above method therefore has the following shortcoming: the existing defence against inducing prompts is limited to counting the characters the screen displays and cannot recognise images. If the application presents the inducing prompt as an image, or draws it directly onto the screen pixel by pixel, the underlying system cannot reliably detect it. In practice the method still leaves a security hole.
Summary of the invention
The technical problem the present invention mainly solves is to provide a security audit method for the non-PIN-entry state, together with a method for generating the safe display content list the audit requires, so as to secure the display of interfaces that need to obtain PIN-character-class key values in the non-PIN-entry state and to prevent inducing prompts from leading the cardholder to enter the PIN under unsafe conditions.
To solve the above technical problem, the technical solution adopted by the present invention is a security audit method for the non-PIN-entry state comprising the following steps:
S01: obtain a key value;
S02: extract the application's current display interface, or an interface digest of the current display interface;
S03: judge whether the application's current display interface, or an interface digest carrying the display features of the current interface, is present in a preset safe display content list; if so, return the key value to the application; if not, withhold the key value, or change it to an error character and return that to the application.
Between steps S01 and S02 the method further comprises step S011: judge whether the key value belongs to the PIN-character class; if so, proceed to step S02; if not, return the key value to the application.
Before step S01 the method further comprises step S00: judge whether the signature file of the application to be loaded passes verification; if so, load the application; if not, refuse to load it.
The interface digest is generated by processing, with a hash algorithm, the display interfaces on which the application needs to obtain PIN-character-class key values.
The key value obtained in step S01 comes from a physical key or a touchscreen virtual key.
To solve the above technical problem, another technical solution adopted by the present invention is a method for generating the digest list, comprising the following steps:
S1: extract the interfaces on which the application needs to obtain PIN-character-class key values while in the non-PIN-entry state;
S2: add those interfaces, or their interface digests, to the safe display content list.
After step S2 the method further comprises step S3: associate the safe display content list with the application's executable file and digitally sign the associated file.
Step S3 specifically consists of merging the safe display content list with the application's executable file and digitally signing the merged file.
The interfaces on which PIN-character-class key values are needed are processed with a hash algorithm to form interface digests carrying their display features.
Step S1 consists of extracting all interfaces on which the application needs to obtain PIN-character-class key values while in the non-PIN-entry state.
The beneficial effect of the present invention is as follows. The existing defence against inducing prompts is limited to counting the characters the screen displays and cannot recognise images, so an inducing prompt the application presents as an image or draws directly onto the screen pixel by pixel is hard for the underlying system to detect, leaving a security hole in practice. The present invention instead provides a security audit method for the non-PIN-entry state and a method for generating the safe display content list it requires. It extracts, from the currently running, loaded application, the interface on which PIN-character-class key values are to be returned in the non-PIN-entry state, or an interface digest carrying that interface's display features, compares the interface or digest against the preset safe display content list, and returns an error character to any application whose interface is not in the list; the error character is one from which the entered key value cannot be inferred. This secures the display of interfaces that need PIN-character-class key values returned in the non-PIN-entry state and prevents inducing prompts from leading the cardholder to enter the PIN under unsafe conditions.
Brief description of the drawings
Fig. 1 is a schematic diagram of PIN reading in the PIN-entry state in the prior art;
Fig. 2 is a schematic diagram of key value reading in the non-PIN-entry state;
Fig. 3 is a schematic diagram of a cardholder being deceived into entering the PIN in the non-PIN-entry state;
Fig. 4 is a flow chart of the security audit method of the present invention for the non-PIN-entry state;
Fig. 5 is a flow chart of one embodiment of the security audit method of the present invention for the non-PIN-entry state;
Fig. 6 is a flow chart of another embodiment of the security audit method of the present invention for the non-PIN-entry state;
Fig. 7 is a flow chart of the digest list generation method of the present invention;
Fig. 8 is a flow chart of one embodiment of the digest list generation method of the present invention;
Fig. 9 is a flow chart of another embodiment of the digest list generation method of the present invention.
Embodiments
To describe the technical content, structural features, objects and effects of the present invention in detail, the embodiments are explained below with reference to the accompanying drawings.
In this art, PIN (Personal Identification Number) is the personal identification code; in the financial field it refers to the cardholder's card PIN.
PIN-character-class keys: the set of all keys whose values can form a legitimate PIN. The set depends on the application's definition of a well-formed PIN: for a typical PC password the PIN-character-class keys are A-Z, a-z, 0-9 and so on, whereas for a bank card PIN in the financial field they are limited to the digit keys 0-9.
Function keys: the set of all keys outside the PIN-character class, such as the up, down, left and right navigation keys, the Enter key and the Cancel key. Their defining feature is that they cannot be used to infer the PIN or a potential PIN key value.
PIN-entry state: the state in which the application performs PIN entry by calling the dedicated system input interface provided by the underlying system. This state is reserved for PIN entry and encryption. In it, key values are read and encrypted directly by the interface, and once entry is complete the encrypted PIN is returned to the application for processing. No PIN character is fed back to the application during this process, so this state cannot leak the PIN. See Fig. 1.
Non-PIN-entry state: the state in which the application bypasses the PIN entry interface above and reads key values by some other route. See Fig. 2.
Referring to Fig. 4, in some embodiments as shown in Fig. 4 the present invention provides a digest list generation method comprising the following steps:
S1: extract the interfaces on which the application needs to obtain PIN-character-class key values while in the non-PIN-entry state;
S2: add those interfaces, or their interface digests, to the safe display content list.
In some embodiments a safety check can also be performed before the step of adding the interfaces (or their digests) on which PIN-character-class key values are to be returned to the safe display content list. The check is as follows: if sensitive characters or images appear on the screen, the screen fails the check. Sensitive characters or images are characters or images that induce the cardholder to enter the PIN. Through this process the present invention lists only interfaces that pass the check in the safe display content list, thereby securing the display of interfaces that need PIN-character-class key values returned in the non-PIN-entry state and preventing inducing prompts from leading the cardholder to enter the PIN under unsafe conditions.
As a further improvement of the present invention, the interfaces on which the application needs PIN-character-class key values returned are all such interfaces of the application. In this way every such interface is added to the safe display content digest list, which is safer.
In some embodiments as shown in Fig. 5, after step S2 the method further comprises step S3: associating the safe display content list with the application's executable file and digitally signing the associated file. This associates the safe display content digest list with the executable of the application to be run and signs the whole, so that neither can be altered. In some preferred embodiments the digital signature technology used is RSA, the most widely deployed public-key algorithm, standardised by ISO; with adequate key lengths and proper padding it has no practically feasible known attack.
The digital signature technology used by the present invention is not limited to RSA; other digital signature technologies may also be used.
In some embodiments as shown in Fig. 6, step S3 preferably consists of merging the safe display content list with the application's executable file and digitally signing the merged file.
In some embodiments as shown in Fig. 6, the present invention processes the interfaces on which PIN-character-class key values are needed with a hash algorithm, forming interface digests that carry their display features.
The present invention uses a hash algorithm to extract the display features of the interfaces that pass the check and form digests carrying those features, then adds the digests to the safe display content digest list. This processing further ensures the display safety of the interfaces on which the application needs PIN-character-class key values returned in the non-PIN-entry state, prevents inducing prompts from leading the cardholder to enter the PIN under unsafe conditions and, for large-screen graphical interfaces, offers good information compression, reducing the size of the signed file.
In some embodiments the digest technique the present invention uses is not limited to feature-value algorithms such as generic hash functions and MD5; other cryptographic algorithms such as DES may also be used. Note, however, that a whitelist digest must be collision-resistant: the application developer controls both the screen submitted for review and the screen displayed at run time, so a hash with practical collision attacks, such as MD5, would let a developer prepare a benign screen and an inducing screen with the same digest. A current hash such as SHA-256 is the appropriate choice, and DES, being a block cipher rather than a hash, would serve only inside a keyed construction such as a CBC-MAC.
In some other embodiments the interfaces on which the currently running, loaded application needs PIN-character-class key values returned in the non-PIN-entry state can also be added directly to the safe display content list, represented as the original display bitmap content.
Referring to Fig. 7, in some embodiments as shown in Fig. 7 the present invention provides a security audit method for the non-PIN-entry state, characterised in that it comprises the following steps:
S01: obtain a key value;
S02: extract the application's current display interface, or an interface digest of the current display interface;
S03: judge whether the application's current display interface, or an interface digest carrying the display features of the current interface, is present in a preset safe display content list; if so, return the key value to the application; if not, withhold the key value, or change it to an error character and return that to the application.
From the description of the above steps it is easy to see that, in the non-PIN-entry state, the method extracts from the currently running, loaded application the interface on which PIN-character-class key values are to be returned, or an interface digest carrying that interface's display features, compares the interface or digest against the preset safe display content list, and returns an error character to any application whose interface is not in the list; the error character is one from which the entered key value cannot be inferred. This secures the display of interfaces that need PIN-character-class key values returned in the non-PIN-entry state and prevents inducing prompts from leading the cardholder to enter the PIN under unsafe conditions. Here the PIN-character-class key value is produced by pressing a PIN-character-class key as defined above.
In some embodiments of the present invention the key value obtained in step S01 comes from a physical key or a touchscreen virtual key. In other embodiments the key value can also be obtained through a copy-and-paste operation.
In some embodiments the key value is a digit key value. In other embodiments it can also be a letter key, a punctuation key, or a special character key such as "@", "#", "$", "%" or "&".
In some embodiments as shown in Fig. 8, between steps S01 and S02 the method further comprises step S011: judging whether the key value belongs to the PIN-character class; if so, proceeding to step S02; if not, returning the key value to the application. In this way, in the non-PIN-entry state the method first judges whether the key value the currently running, loaded application wants returned is a PIN-character-class value and, when it is not, returns it to the application directly, so that the display safety check is applied precisely to PIN-character-class key values, securing the display of interfaces that need such values returned in the non-PIN-entry state and preventing inducing prompts from leading the cardholder to enter the PIN under unsafe conditions.
In some embodiments as shown in Fig. 9, before step S01 the method further comprises step S00: judging whether the signature file of the application to be loaded passes verification; if so, loading the application; if not, refusing to load it.
As the foregoing description makes clear, when the terminal is running and an application is to be loaded, the signature file of that application must be verified, and only an application that passes verification can be loaded and run. The signature file here is the one obtained in step S3 above. This prevents the intrusion of rogue programs that have not passed the certificate verification described above.
In some embodiments the interface digest is generated by processing, with a hash algorithm, the display interfaces on which the application needs to obtain PIN-character-class key values.
The present invention uses a hash algorithm to extract the display features of the interfaces that pass the check and form digests carrying those features, then adds the digests to the safe display content list. This processing further ensures the display safety of the interfaces on which the application needs PIN-character-class key values returned in the non-PIN-entry state, prevents inducing prompts from leading the cardholder to enter the PIN under unsafe conditions and, for large-screen graphical interfaces, offers good information compression, reducing the size of the signed file.
In some embodiments the digest technique the present invention uses is not limited to feature-value algorithms such as generic hash functions and MD5; other cryptographic algorithms such as DES may also be used, subject to the collision-resistance requirement noted above.
In some other embodiments the interfaces on which the currently running, loaded application needs PIN-character-class key values returned in the non-PIN-entry state can also be added directly to the safe display content list, represented as the original display bitmap content. It follows that if the content currently shown on the screen differs from the preset safe display content list by even a single pixel of the bitmap or of the digest, the comparison detects the difference, so no screen can be forged that evades the screen check and induces the cardholder to enter the PIN.
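The following Python block is an added example and is not code from the patent or from Fujian Landi. It strings together the list generation and signing steps (S1 to S3) from the embodiments above, the load-time signature check (S00) and the run-time key audit (S01 to S03 with S011), and implements the prior-art "P/I/N" text rule from the Background as the text half of the S2 safety check. The bitmap format, the package layout, the error character "*" and the signing key are assumptions, and an HMAC stands in for the RSA signature so that the block runs offline.

```python
"""Added example (not from the patent): build-time list generation (S1-S3),
load-time signature check (S00) and run-time key audit (S01-S03, S011) of
CN102610034B, plus the prior-art 'P/I/N' text rule from the Background.
Formats, sample screens, error character and key are assumptions."""
import hashlib
import hmac
import struct

PIN_CLASS_KEYS = frozenset("0123456789")  # bank-card PINs: digit keys only
ERROR_CHAR = "*"                          # assumed "error character" returned instead of a digit
SENSITIVE_LETTERS = frozenset("pin")      # prior-art rule: all three present anywhere -> sensitive
DIGEST_LEN = 32


def screen_digest(framebuffer: bytes) -> bytes:
    """Interface digest: SHA-256 over the raw display bitmap. The developer controls
    both the reviewed screen and the run-time screen, so the hash must be
    collision-resistant; MD5 would allow a benign/inducing screen pair."""
    return hashlib.sha256(framebuffer).digest()


def passes_safety_check(prompt_text: str) -> bool:
    """Text part of the S2 pre-check, using the prior-art rule from the Background:
    a screen whose visible letters include p, i and n (any case, adjacent or
    scattered) is treated as a possible PIN prompt. Image content needs review."""
    return not SENSITIVE_LETTERS.issubset(prompt_text.lower())


def build_safe_list(screens):
    """S1/S2: screens = [(name, prompt_text, framebuffer)] for every interface that
    receives PIN-class keys outside the PIN-entry state. Rejects unsafe screens."""
    digests = []
    for name, text, framebuffer in screens:
        if not passes_safety_check(text):
            raise ValueError(f"screen {name!r} fails the sensitive-prompt check")
        digests.append(screen_digest(framebuffer))
    return digests


def package(executable: bytes, safe_list, key: bytes) -> bytes:
    """S3: merge executable and list into one file and sign the merged bytes.
    HMAC-SHA256 stands in for the RSA signature so the example runs offline; a
    terminal would verify an RSA/ECDSA signature with a built-in public key."""
    body = struct.pack(">I", len(executable)) + executable
    body += struct.pack(">I", len(safe_list)) + b"".join(safe_list)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def load(package_bytes: bytes, key: bytes):
    """S00: verify before loading. Returns (executable, safe_list), or None to
    refuse an application whose signature does not verify."""
    body, sig = package_bytes[:-DIGEST_LEN], package_bytes[-DIGEST_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None
    (exe_len,) = struct.unpack(">I", body[:4])
    executable = body[4:4 + exe_len]
    (count,) = struct.unpack(">I", body[4 + exe_len:8 + exe_len])
    rest = body[8 + exe_len:]
    return executable, [rest[i * DIGEST_LEN:(i + 1) * DIGEST_LEN] for i in range(count)]


def audit_key(key_value: str, framebuffer: bytes, safe_list) -> str:
    """S01-S03 with S011: function keys pass straight through; a PIN-class key is
    released only when the current screen's digest is whitelisted, otherwise the
    error character goes back so the application cannot infer the digit."""
    if key_value not in PIN_CLASS_KEYS:              # S011: not a PIN-class key
        return key_value
    if screen_digest(framebuffer) in safe_list:      # S02 + S03
        return key_value
    return ERROR_CHAR


def demo():
    """Constructed 8-byte 1-bit bitmaps stand in for real POS screen renders."""
    amount_screen = bytes([0x00, 0xF0, 0x0F, 0x00, 0xFF, 0x00, 0x00, 0xF0])
    phish_screen = bytes([0x00, 0xF0, 0x0F, 0x00, 0xFF, 0x00, 0x00, 0xF1])  # one pixel differs
    key = b"demo-signing-key"  # assumed; the signer's private key in a real deployment
    safe_list = build_safe_list([("amount", "Enter amount", amount_screen)])
    pkg = package(b"\x7fELF-demo-executable", safe_list, key)
    _, runtime_list = load(pkg, key)
    tampered = pkg[:-1] + bytes([pkg[-1] ^ 0x01])
    return {
        "digit_on_safe_screen": audit_key("5", amount_screen, runtime_list),
        "digit_on_phish_screen": audit_key("5", phish_screen, runtime_list),
        "enter_on_phish_screen": audit_key("ENTER", phish_screen, runtime_list),
        "tampered_package_refused": load(tampered, key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the text only implies: the scattered-letter rule flags "Input amount" as a PIN prompt (the letters p, i and n are all present) while it cannot see an image at all, which is why the patent moves from scanning text to whitelisting whole screens; and because the HMAC stand-in needs the same key at build and load time, a real terminal must use an asymmetric signature so that it holds only the public key and a compromised terminal cannot sign packages.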
In summary, the existing defence against inducing prompts is limited to counting the characters the screen displays and cannot recognise images, so an inducing prompt the application presents as an image or draws directly onto the screen pixel by pixel is hard for the underlying system to detect, leaving a security hole in practice. The present invention instead provides a security audit method for the non-PIN-entry state and a method for generating the safe display content list it requires. It extracts, from the currently running, loaded application, the interface on which PIN-character-class key values are to be returned in the non-PIN-entry state, or an interface digest carrying that interface's display features, compares it against the preset safe display content list, and returns an error character, from which the entered key value cannot be inferred, to any application whose interface is not in the list. This secures the display of interfaces that need PIN-character-class key values returned in the non-PIN-entry state and prevents inducing prompts from leading the cardholder to enter the PIN under unsafe conditions.
The foregoing are merely embodiments of the present invention and do not limit the scope of its claims; every equivalent structural transformation made using the content of the description and drawings of the present invention, and every direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (8)

1. A security audit method for the non-PIN-entry state, characterised in that it comprises the following steps:
S01: obtain a key value;
S02: extract the application's current display interface, or an interface digest of the current display interface, wherein the interface extracted as a display interface is the interface as original display bitmap content, and the display interface from which the digest is extracted is the interface as an image;
S03: judge whether the application's current display interface, or an interface digest carrying the display features of the current display interface, is present in a preset safe display content list; if so, return the key value to the application; if not, withhold the key value, or change it to an error character and return that to the application;
between steps S01 and S02 the method further comprises step S011: judge whether the key value belongs to the PIN-character class; if so, proceed to step S02; if not, return the key value to the application;
the interface digest is generated by processing, with a hash algorithm, the display interfaces on which the application needs to obtain PIN-character-class key values.
2. The security audit method for the non-PIN-entry state according to claim 1, characterised in that before step S01 the method further comprises step S00: judge whether the signature file of the application to be loaded passes verification; if so, load the application; if not, refuse to load it.
3. The security audit method for the non-PIN-entry state according to claim 1, characterised in that the key value obtained in step S01 is obtained from a physical key or a touchscreen virtual key.
4. A method for generating a safe display content list, characterised in that it comprises the following steps:
S1: extract the interfaces, or interface digests, on which the application needs to obtain PIN-character-class key values while in the non-PIN-entry state, wherein the interface extracted as a display interface is the interface as original display bitmap content, and the display interface from which the digest is extracted is the interface as an image;
S2: add the interfaces or interface digests on which PIN-character-class key values are needed to the safe display content list, a safety check being performed beforehand in which a screen fails if sensitive characters or images appear on it, sensitive characters or images being those that induce the cardholder to enter the PIN;
the interface digest is generated by processing, with a hash algorithm, the display interfaces on which the application needs to obtain PIN-character-class key values.
5. The safe display content list generation method according to claim 4, characterised in that after step S2 the method further comprises step S3: associate the safe display content list with the application's executable file and digitally sign the associated file.
6. The safe display content list generation method according to claim 5, characterised in that step S3 specifically consists of merging the safe display content list with the application's executable file and digitally signing the merged file.
7. The safe display content list generation method according to claim 5 or 6, characterised in that the interfaces on which PIN-character-class key values are needed are processed with a hash algorithm to form interface digests carrying their display features.
8. The safe display content list generation method according to claim 5 or 6, characterised in that step S1 consists of extracting all interfaces on which the application needs to obtain PIN-character-class key values while in the non-PIN-entry state.
Priority Applications (1)

Application Number: CN201210047318.6A (granted as CN102610034B)
Priority Date: 2012-02-27
Filing Date: 2012-02-27
Title: Safety auditing method and safety content display list generating method required by safety auditing

Publications (2)

CN102610034A, published 2012-07-25
CN102610034B (grant), published 2014-06-25

Family ID: 46527372
Family Applications (1): CN201210047318.6A, Active, CN102610034B
Country Status (1): CN, CN102610034B

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101593324A * | 2009-06-17 | 2009-12-02 | 浙江师范大学 | Network multi-level approval method and system based on trusted computing application technology
CN101964041A * | 2010-09-25 | 2011-02-02 | 合肥工业大学 | Perceptual hashing-based practical and safe image forensic system and forensic method
CN102223374A * | 2011-06-22 | 2011-10-19 | 熊志海 | Third-party authentication security protection system and method based on online security protection of electronic evidence

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
US6782477B2 * | 2002-04-16 | 2004-08-24 | Song Computer Entertainment America Inc. | Method and system for using tamperproof hardware to provide copy protection and online security

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
刘文哲. 浅析数据加密技术在电子商务交易安全中的应用 (A brief analysis of the application of data encryption technology in e-commerce transaction security). 《西安航空技术高等专科学校学报》, 2007, vol. 25, no. 1, pp. 52-55. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant