CN106991333A - A kind of safeguard method and device of data - Google Patents

Publication number
CN106991333A
Authority
CN
China
Prior art keywords
input
signal
safe
communication connection
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710285513.5A
Other languages
Chinese (zh)
Inventor
林培春
蔡锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Which Shanghai Department Of Information Technology Co Ltd
Original Assignee
Which Shanghai Department Of Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Which Shanghai Department Of Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of information security, and in particular to a data security protection method and device. When the safe end receives a ready-to-input-secure-data signal from the input end, the communication connection between the input end and the application end is cut off and a communication connection between the input end and the safe end is established. The connection between the input end and the application end is thus broken before the user enters secure data, so that even if the application end is attacked by a hacker it cannot obtain the input signal generated by the input end. This effectively prevents data from being stolen and improves data security.

Description

A kind of safeguard method and device of data
Technical field
The present invention relates to the field of information security, and in particular to a data security protection method and device.
Background art
At present, most POS terminals on the market have the structure shown in Fig. 1, comprising an input end (touch screen), a display end (LCD screen), an application end and a safe end. The application end includes an application processor and handles data of ordinary security level, such as obtaining the input signal of the input end (the data the user enters through the touch screen) and displaying information on the display screen. The safe end includes a security processor, storage, encryption and decryption hardware and so on. All software and hardware in the safe end are closed, controlled and trusted, and are used to process data of high security level, such as reading information from IC cards, magnetic-stripe cards and contactless smart cards, and encryption and decryption.
Generally, the application end runs the Android system. Android is an open system with many vulnerabilities and is easily attacked by hackers. In a POS terminal with the structure shown in Fig. 1, the password the cardholder enters on the touch screen must be forwarded to the safe end by the application end, so while the cardholder is entering the password it is easily monitored and stolen by a Trojan program running in the background of the Android system. The security of a POS terminal with the structure shown in Fig. 1 is therefore poor.
To solve the above technical problem, the patent document with application No. 201310441921.7 provides a password security protection device and method for an intelligent touch-screen POS terminal. As shown in Fig. 2, it comprises an FPGA module, a display-screen interface circuit, a touch-screen interface circuit and a built-in hidden memory. The FPGA module is connected to the display screen of the POS terminal through the display-screen interface circuit and to the touch screen of the POS terminal through the touch-screen interface circuit. The FPGA module is powered on and off under the control of the Android system driver. After power-on it takes control of the display screen and the touch screen, uses the built-in hidden memory as video memory to display the interface on the display screen, then encrypts the password entered through the touch screen to produce ciphertext, and transmits the ciphertext in scrambled form. The built-in hidden memory is connected to the FPGA module. After the FPGA module has taken control of the display screen and the touch screen, the hidden memory serves on the one hand as video memory for the interface display and on the other hand as a data buffer for the encryption process. That patent document ensures security through physical isolation: by using the built-in hidden memory as video memory, it rules out the possibility that Trojan programs hidden in the lower layers of the Android system, firmware programs, processor microcode and the like intercept the password by copying system memory.
However, in the scheme provided by that patent document, whether the FPGA module is enabled is controlled by the application end running the Android system. As a result, if the Android system is attacked by a hacker, the application end can be made not to enable the FPGA module while a forged transaction interface is shown on the display screen to induce the cardholder to enter the password, so that the password is stolen.
Summary of the invention
The technical problem to be solved by the present invention is to provide a data security protection method and device that effectively prevent data from being stolen and improve data security.
To solve the above technical problem, the present invention adopts the following technical solution:
The present invention provides a data security protection method, comprising:
When the safe end receives a ready-to-input-secure-data signal from the input end, cutting off the communication connection between the input end and the application end, and establishing a communication connection between the input end and the safe end.
The present invention also provides a data security protection device, comprising:
A switching module, configured to cut off the communication connection between the input end and the application end and to establish a communication connection between the input end and the safe end when the safe end receives a ready-to-input-secure-data signal from the input end.
The beneficial effects of the present invention are as follows. In the prior art, the application end controls whether the communication connection between the input end and the application end is cut off or established. Because code is easily injected into the application end, the operation of cutting off that connection may not be performed when secure data is entered, and the data is stolen. In the present invention, by contrast, the safe end, which has a high security level, directly receives the ready-to-input-secure-data signal and, according to that signal, controls the cutting off of the communication connection between the input end and the application end. The connection between the input end and the application end is thus broken before the user enters secure data, so that even if the application end is attacked by a hacker it cannot obtain the input signal generated by the input end. This effectively prevents data from being stolen and improves data security.
Brief description of the drawings
Fig. 1 is a structural schematic diagram of a POS terminal;
Fig. 2 is a structural block diagram of a password security protection device for an intelligent touch-screen POS terminal;
Fig. 3 is a flow diagram of an embodiment of the data security protection method;
Fig. 4 is a structural block diagram of an embodiment of the data security protection device;
Fig. 5 is a schematic diagram of the first implementation of the data security protection device;
Fig. 6 is a schematic diagram of the data security protection device;
Fig. 7 is a schematic diagram of the second implementation of the data security protection device;
Fig. 8 is a schematic diagram of the third implementation of the data security protection device;
Reference numerals:
1, switching module; 11, first acquisition unit; 12, first control unit; 13, second acquisition unit; 14, first interception unit; 15, forwarding unit; 16, third acquisition unit; 17, second interception unit;
2, establishing module; 3, display end; 4, input end; 5, application end; 6, safe end.
Detailed description of the embodiments
To explain the technical content, objects and effects of the present invention in detail, a description is given below with reference to the embodiments and the accompanying drawings.
The key idea of the present invention is that the safe end directly receives the signal indicating whether the input end is entering secure data, and controls according to that signal whether the input end is connected to the application end, which improves data security.
Refer to Fig. 3 to Fig. 8.
As shown in Fig. 3, the present invention provides a data security protection method, comprising:
When the safe end receives a ready-to-input-secure-data signal from the input end, cutting off the communication connection between the input end and the application end, and establishing a communication connection between the input end and the safe end.
Further, the ready-to-input-secure-data signal is a card-swipe signal.
As can be seen from the above description, the safe end handles data of high security level, such as reading information from IC cards, magnetic-stripe cards and contactless smart cards, and encryption and decryption. When the user swipes a card, the safe end receives a card-swipe signal. In the transaction flow of a POS terminal, the password is entered after the card is swiped. Therefore, when the safe end receives the card-swipe signal, that is, before the user enters the password, the switching module leaves the touch screen with a communication channel to the safe end only. Even if the application end is attacked by a hacker, it cannot obtain the touch signals generated by the touch screen, which improves password security.
Further, cutting off the communication connection between the input end and the application end and establishing the communication connection between the input end and the safe end is specifically:
Obtaining a level control signal from the safe end;
Controlling, according to the level control signal, an analog switch to cut off the communication connection between the input end and the application end and to establish the communication connection between the input end and the safe end.
As can be seen from the above description, once the physical connection between the input end and the application end has been disconnected, the sensitive data of the input end cannot be obtained by a software attack on the application end alone, without physically damaging the device. All sensitive data from the input end can only be obtained by the safe end. The advantage is that the security requirements on the application end can be relaxed, for example by using the open-source Android system, Linux and so on, for which numerous open-source resources are available, while the core safe end is designed in-house with a simplified design to achieve confidentiality. The two systems run separately and do not interfere with each other.
Further, cutting off the communication connection between the input end and the application end and establishing the communication connection between the input end and the safe end is specifically:
Obtaining the input signal of the input end;
Intercepting the input signal sent to a first port, the first port being the communication port that carries out data transmission with the application end;
Forwarding the input signal to the safe end through a second port.
As can be seen from the above description, when no sensitive secure data needs to be entered through the input end, the input end is connected directly to the application end, which does not affect the user experience. Only when sensitive signals need to be entered is the input end disconnected from the application end and connected to the safe end for the entry of sensitive secure data. The switching module that controls whether the input end is connected to the application end or to the safe end must be controlled by the safe end. This prevents the switching function from failing after the application end is attacked, which would leave the input end connected to the application end at all times and leak sensitive data.
Further, cutting off the communication connection between the input end and the application end and establishing the communication connection between the input end and the safe end is specifically:
The safe end obtaining the input signal of the input end;
Intercepting the input signal sent to a third port, the third port being the communication port between the safe end and the application end.
Further, the method also includes:
When the safe end receives a secure-data-input-complete signal from the input end, establishing the communication connection between the input end and the application end.
As can be seen from the above description, after the safe end has completely received the secure data, the communication connection between the input end and the application end is established, so that instructions entered through the input end can trigger the application end to perform the corresponding operations.
As shown in Fig. 4, the present invention also provides a data security protection device, comprising:
A switching module 1, configured to cut off the communication connection between the input end 4 and the application end 5 and to establish a communication connection between the input end 4 and the safe end 6 when the safe end 6 receives a ready-to-input-secure-data signal from the input end 4.
Further, the switching module 1 includes:
A first acquisition unit 11, configured to obtain a level control signal from the safe end 6;
A first control unit 12, configured to control, according to the level control signal, an analog switch to cut off the communication connection between the input end 4 and the application end 5 and to establish the communication connection between the input end 4 and the safe end 6.
Further, the switching module 1 includes:
A second acquisition unit 13, configured to obtain the input signal of the input end 4;
A first interception unit 14, configured to intercept the input signal sent to a first port, the first port being the communication port that carries out data transmission with the application end 5;
A forwarding unit 15, configured to forward the input signal to the safe end 6 through a second port.
Further, the switching module 1 includes:
A third acquisition unit 16, by which the safe end 6 obtains the input signal of the input end 4;
A second interception unit 17, configured to intercept the input signal sent to a third port, the third port being the communication port between the safe end 6 and the application end 5.
Further, the device also includes:
An establishing module 2, configured to establish the communication connection between the input end 4 and the application end 5 when the safe end 6 receives a data-input-complete signal from the input end 4.
Embodiment one of the present invention:
This embodiment provides a data security protection method, comprising:
S1: when the safe end 6 receives a ready-to-input-secure-data signal from the input end 4, cutting off the communication connection between the input end 4 and the application end 5, and establishing a communication connection between the input end 4 and the safe end 6; the ready-to-input-secure-data signal is a card-swipe signal;
The method of cutting off the communication connection between the input end 4 and the application end 5 and establishing the communication connection between the input end 4 and the safe end 6 has the following implementations:
First implementation: obtaining a level control signal from the safe end 6; controlling, according to the level control signal, an analog switch to cut off the communication connection between the input end 4 and the application end 5 and to establish the communication connection between the input end 4 and the safe end 6;
Second implementation: obtaining the input signal of the input end 4; intercepting the input signal sent to a first port, the first port being the communication port that carries out data transmission with the application end 5; forwarding the input signal to the safe end 6 through a second port;
Third implementation: the safe end 6 obtaining the input signal of the input end 4; intercepting the input signal sent to a third port, the third port being the communication port between the safe end 6 and the application end 5;
S2: when the safe end 6 receives a secure-data-input-complete signal from the input end 4, establishing the communication connection between the input end 4 and the application end 5.
Embodiment two of the present invention:
As shown in Fig. 4, this embodiment provides a data security protection device, comprising a switching module 1, an establishing module 2, a display end 3, an input end 4, an application end 5 and a safe end 6;
The switching module 1 is configured to cut off the communication connection between the input end 4 and the application end 5 and to establish a communication connection between the input end 4 and the safe end 6 when the safe end 6 receives a ready-to-input-secure-data signal from the input end 4;
The establishing module 2 is configured to establish the communication connection between the input end 4 and the application end 5 when the safe end 6 receives a data-input-complete signal from the input end 4;
The display end 3 is used to display the processing results of the application end or a user interface.
Embodiment three of the present invention:
This embodiment provides a data security protection device, comprising a switching module 1, a display end 3, an input end 4, an application end 5 and a safe end 6. The display end 3 is used to display the processing results of the application end or a user interface.
The input end 4 includes input devices such as a touch screen and a keyboard. The safe end 6 includes a secure CPU that meets the UPTS or PCI specification, such as the Freescale K21/K81, MAXIM MAX32555, Broadcom BCM58101 or Megahunt MH1902. The application end 5 includes a general-purpose CPU capable of running Android or Linux, such as the Qualcomm processor MSM8909, the MTK processor X30 or Huawei's Kirin processors;
The switching module 1 has the following implementations:
As shown in Fig. 5, in the first implementation the switching module 1 includes a first acquisition unit 11 and a first control unit 12;
The first acquisition unit 11 is configured to obtain a level control signal from the safe end 6;
The first control unit 12 is configured to control, according to the level control signal, an analog switch to cut off the communication connection between the input end 4 and the application end 5 and to establish the communication connection between the input end 4 and the safe end 6;
The analog switch may be a single-channel analog switch, a multi-channel analog switch, a single-pole multi-throw analog switch or a single-pole single-throw analog switch;
For example, the switching module function can be realized with an SGM3157 analog switch chip as follows:
As shown in Fig. 6, the level control signal output pin of the safe end 6 is connected to the COM pin of the SGM3157 chip, the IN pin is connected to the output pin of the input end 4, the NO pin is connected to the input pin of the safe end 6, and the NC pin is connected to the input pin of the application end 5. When the safe end 6 outputs a low-level control signal, the IN pin and the NC pin conduct, and the input end 4 establishes a communication connection with the application end 5. When the safe end 6 outputs a high-level control signal, the IN pin and the NO pin conduct, and the input end 4 establishes a communication connection with the safe end 6.
As shown in Fig. 7, in the second implementation the switching module 1 includes a second acquisition unit 13, a first interception unit 14 and a forwarding unit 15;
The second acquisition unit 13 is configured to obtain the input signal of the input end 4;
The first interception unit 14 is configured to intercept the input signal sent to a first port, the first port being the communication port that carries out data transmission with the application end 5;
The forwarding unit 15 is configured to forward the input signal to the safe end 6 through a second port;
The switching module is implemented by an FPGA or CPLD chip.
As shown in Fig. 8, in the third implementation the switching module 1 includes a third acquisition unit 16 and a second interception unit 17;
The third acquisition unit 16 is used by the safe end 6 to obtain the input signal of the input end 4;
The second interception unit 17 is configured to intercept the input signal sent to a third port, the third port being the communication port between the safe end 6 and the application end 5;
The input end 4 is connected directly to the safe end 6, and the application end 5 is connected to the safe end 6. During normal operation, the safe end 6 forwards the input signals it receives directly to the application end 5. When secure data such as a PIN is being entered, the safe end 6 intercepts the input signals and does not send them to the application end 5;
The safe end 6 can forward input signals to the application end 5 in software: the safe end 6 first receives the input signal over one integrated circuit bus, then sends the touch signal over another integrated circuit bus that is connected to the application end 5. Because software is involved in this scheme, the touch-screen response has a certain delay, which makes the touch screen feel sluggish;
The safe end 6 can also forward by DMA: the integrated circuit bus connected to the input end 4 and the integrated circuit bus connected to the application end 5 transfer data directly by DMA, without software intervention, which improves response speed and reduces latency.
In summary, in the data security protection method and device provided by the present invention, the safe end, which has a high security level, directly receives the ready-to-input-secure-data signal and, according to that signal, controls the cutting off of the communication connection between the input end and the application end. The connection between the input end and the application end is thus broken before the user enters secure data, so that even if the application end is attacked by a hacker it cannot obtain the input signal generated by the input end. This effectively prevents data from being stolen and improves data security.
The foregoing is only embodiments of the present invention and does not limit the scope of the patent. Any equivalent transformation made using the contents of the description and drawings of the present invention, or any direct or indirect use in related technical fields, is likewise included in the scope of patent protection of the present invention.
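The control rule that separates this scheme from the prior art in the background section, namely which end is allowed to drive the switch, can be modelled in C. This is an added illustration, not part of the patent: the type and function names, the event bytes and the PIN digits are constructed, and the prior-art design is reduced to "the application end owns the switch".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Select level of the switch, following the description:
   low level -> application end, high level -> safe end. */
typedef enum { ROUTE_APP = 0, ROUTE_SAFE = 1 } route_t;
typedef enum { END_APP, END_SAFE } end_t;
/* Signals seen by the safe end (hypothetical names). */
typedef enum { SIG_CARD_SWIPED, SIG_SECURE_INPUT_DONE } safe_signal_t;

#define MAX_EVENTS 16

typedef struct {
    end_t   switch_owner;                 /* the only end wired to the select line */
    route_t route;                        /* where input events currently go */
    uint8_t app_rx[MAX_EVENTS];  size_t app_len;   /* seen by application end */
    uint8_t safe_rx[MAX_EVENTS]; size_t safe_len;  /* seen by safe end */
} pos_t;

void pos_init(pos_t *p, end_t owner) {
    memset(p, 0, sizeof *p);
    p->switch_owner = owner;
    p->route = ROUTE_APP;                 /* normal operation: input -> application end */
}

/* A route change takes effect only if it comes from the end that owns the switch. */
bool switch_set(pos_t *p, end_t requester, route_t r) {
    if (requester != p->switch_owner)
        return false;
    p->route = r;
    return true;
}

/* Safe-end handler: card swipe claims the input, input-complete releases it. */
void safe_end_on_signal(pos_t *p, safe_signal_t s) {
    route_t r = (s == SIG_CARD_SWIPED) ? ROUTE_SAFE : ROUTE_APP;
    (void)switch_set(p, END_SAFE, r);
}

/* The input end emits one event; exactly one side receives it. */
void input_event(pos_t *p, uint8_t ev) {
    bool to_safe = (p->route == ROUTE_SAFE);
    uint8_t *buf = to_safe ? p->safe_rx : p->app_rx;
    size_t  *len = to_safe ? &p->safe_len : &p->app_len;
    if (*len < MAX_EVENTS)
        buf[(*len)++] = ev;
}

/* Constructed transaction: menu tap, card swipe, four PIN digits while a
   compromised application end keeps asking for the input back, then a
   confirmation tap. Returns how many PIN digits the application end saw. */
size_t pin_digits_seen_by_app(pos_t *p, end_t owner) {
    static const uint8_t pin[] = { '4', '8', '1', '5' };   /* constructed PIN */
    size_t i, leaked = 0;

    pos_init(p, owner);
    input_event(p, 'M');                            /* menu tap, not sensitive */
    safe_end_on_signal(p, SIG_CARD_SWIPED);
    for (i = 0; i < sizeof pin; i++) {
        (void)switch_set(p, END_APP, ROUTE_APP);    /* compromised application end */
        input_event(p, pin[i]);
    }
    safe_end_on_signal(p, SIG_SECURE_INPUT_DONE);
    input_event(p, 'K');                            /* confirmation tap */

    for (i = 0; i < p->app_len; i++)
        if (p->app_rx[i] >= '0' && p->app_rx[i] <= '9')
            leaked++;
    return leaked;
}

int main(void) {
    pos_t p;
    printf("application end owns the switch: %zu PIN digits leaked\n",
           pin_digits_seen_by_app(&p, END_APP));
    printf("safe end owns the switch:        %zu PIN digits leaked\n",
           pin_digits_seen_by_app(&p, END_SAFE));
    return 0;
}
```

With the safe end as owner, the application end still receives the menu and confirmation taps, which matches the requirement that normal operation is unaffected outside secure entry.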

Claims (11)

1. A data security protection method, characterized by comprising:
When the safe end receives a ready-to-input-secure-data signal from the input end, cutting off the communication connection between the input end and the application end, and establishing a communication connection between the input end and the safe end.
2. The data security protection method according to claim 1, characterized in that the ready-to-input-secure-data signal is a card-swipe signal.
3. The data security protection method according to claim 1, characterized in that cutting off the communication connection between the input end and the application end and establishing the communication connection between the input end and the safe end is specifically:
Obtaining a level control signal from the safe end;
Controlling, according to the level control signal, an analog switch to cut off the communication connection between the input end and the application end and to establish the communication connection between the input end and the safe end.
4. The data security protection method according to claim 1, characterized in that cutting off the communication connection between the input end and the application end and establishing the communication connection between the input end and the safe end is specifically:
Obtaining the input signal of the input end;
Intercepting the input signal sent to a first port, the first port being the communication port that carries out data transmission with the application end;
Forwarding the input signal to the safe end through a second port.
5. The data security protection method according to claim 1, characterized in that cutting off the communication connection between the input end and the application end and establishing the communication connection between the input end and the safe end is specifically:
The safe end obtaining the input signal of the input end;
Intercepting the input signal sent to a third port, the third port being the communication port between the safe end and the application end.
6. The data security protection method according to claim 1, characterized by further comprising:
When the safe end receives a secure-data-input-complete signal from the input end, establishing the communication connection between the input end and the application end.
7. A data security protection device, characterized by comprising:
A switching module, configured to cut off the communication connection between the input end and the application end and to establish a communication connection between the input end and the safe end when the safe end receives a ready-to-input-secure-data signal from the input end.
8. The data security protection device according to claim 7, characterized in that the switching module includes:
A first acquisition unit, configured to obtain a level control signal from the safe end;
A first control unit, configured to control, according to the level control signal, an analog switch to cut off the communication connection between the input end and the application end and to establish the communication connection between the input end and the safe end.
9. The data security protection device according to claim 7, characterized in that the switching module includes:
A second acquisition unit, configured to obtain the input signal of the input end;
A first interception unit, configured to intercept the input signal sent to a first port, the first port being the communication port that carries out data transmission with the application end;
A forwarding unit, configured to forward the input signal to the safe end through a second port.
10. The data security protection device according to claim 7, characterized in that the switching module includes:
A third acquisition unit, by which the safe end obtains the input signal of the input end;
A second interception unit, configured to intercept the input signal sent to a third port, the third port being the communication port between the safe end and the application end.
11. The data security protection device according to claim 7, characterized by further comprising:
An establishing module, configured to establish the communication connection between the input end and the application end when the safe end receives a data-input-complete signal from the input end.
CN201710285513.5A 2017-04-27 2017-04-27 A kind of safeguard method and device of data Pending CN106991333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710285513.5A CN106991333A (en) 2017-04-27 2017-04-27 A kind of safeguard method and device of data

Publications (1)

Publication Number Publication Date
CN106991333A true CN106991333A (en) 2017-07-28

Family

ID=59417068

Country Status (1)

Country Link
CN (1) CN106991333A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170728