CN108875382B - Protection method for permanent anti-cutting machine of intelligent POS terminal

Info

Publication number: CN108875382B
Authority: CN (China)
Prior art keywords: processor, firmware, secure, boot, signature
Legal status: Active
Application number: CN201810504447.0A
Other languages: Chinese (zh)
Other versions: CN108875382A (en)
Inventor: 欧阳伟权
Current Assignee: Shenzhen Topwise Communication Co ltd
Original Assignee: Shenzhen Topwise Communication Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07G REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
    • G07G1/00 Cash registers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a method for protecting an intelligent POS terminal against permanent machine cutting. A client-customized signature for the security processor (SP for short) prevents the compiled SP firmware from being illegally tampered with or replaced. Tamper prevention is achieved by calculating a hash value of the compiled firmware program, signing it with the signing private key, and packaging the signed information into the firmware. Replacement prevention is achieved by configuring lock protection of the SP's internal Flash when the SP firmware code is compiled, so that the security program in the SP's internal Flash cannot be read or rewritten from outside. During boot-up, the SP uses the solidified security program to verify the authenticity and integrity of the firmware.

Description

Protection method for permanent anti-cutting machine of intelligent POS terminal
Technical Field
The invention belongs to the technical field of POS terminal information security, and in particular relates to a protection method for preventing permanent machine cutting of an intelligent POS terminal.
Background
Machine cutting means that lawbreakers, seeking illegal profit by lowering the rate, use technical means to replace the POS terminal program distributed to merchants with a system or program that connects to a different operation-and-maintenance back end, which greatly harms the interests of the back-end operation and maintenance vendors. Machine cutting is mainly divided into permanent cutting and runtime cutting. Permanent cutting means that the operating system of the POS terminal is completely replaced with a different system, on which any operation can be performed; runtime cutting means that, without replacing the operating system, the original merchant's application is uninstalled or deleted and another acquirer's application is installed, so as to achieve the illegal purpose.
The prior art discloses a remote signature system and a remote signature method for preventing POS machine cutting, and relates to the field of program devices. The system comprises a POS machine, a server side, and a remote signature client installed on the terminal; the server side and the remote signature client are connected for bidirectional communication. The method comprises the following steps: the server side generates a unique identity ID for a developer and the terminal the developer uses; the remote signature client initiates a signing action and sends the unique identity ID to the server side; the server side checks the unique identity ID, then signs the received program data and sends it to the remote signature client; and the remote signature client receives the encrypted program, completing the remote signature.
However, this method is complicated and not easy to implement.
The secure processor is generally abbreviated as SP, and the application processor as AP. The application processor (hereinafter referred to as AP) relies on the chip's eFuse to prevent the system program from being illegally tampered with or replaced: a hash value of the manufacturer's root public key is written into the eFuse at the factory; when the AP starts, the correctness of the root public key in the AP system is verified by relying on the fact that the eFuse cannot be rewritten or replaced; the system programs in the AP are then verified stage by stage using the root public key, and the system is forbidden to start once any verification fails. In this way the authenticity and integrity of the terminal's system program are guaranteed, any unauthorized tampering or replacement is detected, and the intelligent POS terminal system cannot be permanently tampered with or replaced.
Disclosure of Invention
In order to solve the above problems, the present invention aims to provide a protection method with high security: while the authenticity and integrity of the software are guaranteed, a digital-signature public/private key system is applied to the software downloaded into the POS terminal for anti-cutting management, and the private key used for signing is prevented from leaking during the release process of the POS software program.
The invention also aims to provide a protection method for preventing permanent machine cutting of the intelligent POS terminal.
In order to achieve the above object, the technical solution of the present invention is as follows.
The invention provides a method for protecting an intelligent POS terminal against permanent machine cutting, which comprises the following steps during operation of the POS terminal:
step one: secure boot: a security program is started when the POS terminal starts;
step two: secure processor SP client-customized signature: the secure processor SP user sets the usage authority of the POS terminal;
step three: boot-time identity authentication: the POS terminal performs identity verification according to the set usage authority when it starts;
step four: periodic self-check: the POS terminal periodically checks the usage authority that has been set.
Further, step one specifically includes the secure boot of the secure processor SP and of the application processor AP, and the secure boot of the secure processor SP includes the following steps:
S1: after the secure processor SP chip is powered on, the secure processor SP secure Boot runs, initializes the stack and configures hardware parameters;
S2: the secure Boot first completes self-verification and checks whether the Flash security flag is present;
S3: after the Boot self-verification is completed, the signature of the secure processor SP firmware is verified to obtain the hash value of the secure processor SP firmware;
S4: the secure processor SP firmware is read from Flash and its hash value is calculated;
S5: the two hash values are compared to determine the authenticity and integrity of the secure processor SP firmware;
S6: if verification succeeds, the secure processor SP firmware is loaded and run; otherwise, the system is prohibited from starting.
Further, the secure boot of the application processor AP comprises the following steps:
S1: the Boot ROM verifies the Pre-loader:
when the Pre-loader is signed, the root public key is stored in the Pre-loader, and the SHA256 of the root public key is burned into the eFuse; when the system starts, the Boot ROM compares the hash value burned into the eFuse with the hash value of the root public key stored in the Pre-loader; if the two values are the same, the Boot ROM takes the root public key from the Pre-loader and verifies the Pre-loader, and if verification succeeds, loading continues; otherwise, if the hash values differ or verification fails, startup stops;
S2: the Pre-loader verifies LK/trustzone:
at compile time, the public key for verifying LK/trustzone is compiled into the Pre-loader, and LK/trustzone is signed with the private key; during startup, the Pre-loader uses the public key compiled into it to verify LK/trustzone; if verification succeeds, loading continues, and if verification fails, loading stops;
S3: LK verifies logo/boot/recovery/system:
at compile time, the public key for verifying logo/boot/recovery/system is compiled into LK, and logo/boot/recovery/system is signed with the private key; during startup, LK uses the public key compiled into it to verify logo/boot/recovery/system; if verification succeeds, loading continues, and if verification fails, loading stops.
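The SP hash comparison (S3 to S5) and the AP chain of trust (eFuse hash of the root public key, then Pre-loader, LK and the boot images) described above, as an added Python example that is not part of the patent text. It assumes RSA with PKCS#1 v1.5 padding and SHA-256 (the patent names only SHA256 for the eFuse value); the function names, the stage layout and the keys built from Mersenne primes are constructed for the demonstration, and such keys are not secure.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by all demo keys
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def toy_key(a, b):
    """Constructed demo key from the Mersenne primes 2**a-1 and 2**b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def pub_bytes(key):
    """Public modulus as bytes: the form hashed into the eFuse or compiled into a stage."""
    n = key["n"]
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def sign(key, image):
    """Build-host side: hash the image, pad (PKCS#1 v1.5), sign with the private key."""
    k = (key["n"].bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(k, "big")


def recover_hash(pub_n, sig):
    """SP step S3: open the signature with the public key; return the signed hash or None."""
    k = (pub_n.bit_length() + 7) // 8
    if k < len(SHA256_PREFIX) + 32 + 11 or len(sig) != k:
        return None
    s = int.from_bytes(sig, "big")
    if s >= pub_n:
        return None
    em = pow(s, E, pub_n).to_bytes(k, "big")
    # Rebuild the whole expected padding instead of scanning for the 0x00 separator.
    head = b"\x00\x01" + b"\xff" * (k - len(SHA256_PREFIX) - 35) + b"\x00" + SHA256_PREFIX
    return em[-32:] if hmac.compare_digest(em[:-32], head) else None


def image_ok(pub_n, image, sig):
    """SP steps S3-S5: signed hash vs. hash computed over the image read from Flash."""
    signed = recover_hash(pub_n, sig)
    computed = hashlib.sha256(image).digest()  # S4
    return signed is not None and hmac.compare_digest(signed, computed)  # S5


def stage_blob(stage):
    """Signed bytes of a stage: the next stage's public key is compiled into the image."""
    return stage["next_pub"] + stage["code"]


def boot(efuse_hash, root_pub, stages):
    """AP chain S1-S3. Returns (names of stages loaded, halt reason or None)."""
    # Boot ROM: the root key shipped with the Pre-loader must hash to the eFuse value.
    if not hmac.compare_digest(hashlib.sha256(root_pub).digest(), efuse_hash):
        return [], "root public key does not match eFuse hash"
    pub, loaded = root_pub, []
    for st in stages:
        if not image_ok(int.from_bytes(pub, "big"), stage_blob(st), st["sig"]):
            return loaded, "signature check failed for " + st["name"]
        loaded.append(st["name"])
        pub = st["next_pub"]  # key the just-verified stage uses for the next one
    return loaded, None


def build_demo():
    """Constructed three-stage image set signed with three constructed keys."""
    root, k_lk, k_os = toy_key(521, 607), toy_key(607, 1279), toy_key(521, 1279)
    stages = [
        {"name": "Pre-loader", "code": b"preloader-code", "next_pub": pub_bytes(k_lk)},
        {"name": "LK", "code": b"lk-code", "next_pub": pub_bytes(k_os)},
        {"name": "boot", "code": b"kernel-image", "next_pub": b""},
    ]
    for st, key in zip(stages, (root, k_lk, k_os)):
        st["sig"] = sign(key, stage_blob(st))
    return hashlib.sha256(pub_bytes(root)).digest(), pub_bytes(root), stages


if __name__ == "__main__":
    efuse, root_pub, stages = build_demo()
    print(boot(efuse, root_pub, stages))
    stages[1]["code"] = b"lk-code-patched"  # modify LK after signing
    print(boot(efuse, root_pub, stages))
```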
Further, step two specifically includes the following steps:
S01: the terminal enables the client version number, and each different client number corresponds to a group of secure processor SP signing keys;
S02: after the secure processor SP firmware is compiled, it is signed with different keys for different clients, and the firmware signed for the specified client is packaged, together with the client number, into the SYSTEM partition of the application processor AP;
S03: when the terminal starts, the application processor AP can upgrade the secure processor SP firmware, so that the firmware run by the secure processor SP is consistent with the client-specific signed firmware packaged in the application processor AP.
Further, step three specifically is: after the system starts, secure boot verification of the application processor AP and of the secure processor SP is performed first. The trusted source verified by the application processor AP makes it possible to determine whether the secure processor SP signed firmware packaged in the application processor AP program has been replaced or tampered with, and the trusted source verified by the secure processor SP is burned into the secure processor SP chip once, at the patch stage. Once the secure processor SP firmware packaged by the application processor AP fails verification by the secure Boot burned into the secure processor SP chip, the secure processor SP can erase the application program, and the terminal enters an unusable state.
Further, step four specifically is: the POS terminal restarts every 24 hours to perform the periodic self-check of the usage authority it has set.
The invention has the following advantages: compared with the prior art, the secure processor SP client-customized signature prevents the compiled secure processor SP firmware from being illegally tampered with or replaced. A hash value is calculated over the compiled firmware program and signed with the signing private key, and the signed information is packaged into the firmware. When the code is compiled, the value at a fixed address in Flash is configured: a value of 0 means secure, and the default value of 1 means not secure. In the secure state the Boot program segment cannot be changed, and a signature verification mechanism is used. Signing means calculating a hash value over the compiled firmware program and signing it with the private key. Signature verification means using the public key in the code to verify the secure processor SP signature information, which yields the hash value from the time of signing, and checking whether the hash value calculated over the firmware in the chip is consistent with it, so as to judge whether the program in the chip has been tampered with or replaced.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The permanent anti-cutting protection method for the intelligent POS terminal is simple to operate, effective in use and easy to popularize widely.
In order to achieve the above object, the technical solution of the present invention is as follows.
The invention also provides a method for protecting an intelligent POS terminal against permanent machine cutting, which comprises the following steps during operation of the POS terminal:
step one: secure boot: a security program is started when the POS terminal starts;
step two: secure processor SP client-customized signature: the secure processor SP user sets the usage authority of the POS terminal;
step three: boot-time identity authentication: the POS terminal performs identity verification according to the set usage authority when it starts;
step four: periodic self-check: the POS terminal periodically checks the usage authority that has been set.
In this embodiment, step one specifically includes the following steps:
S1: after the secure processor SP chip is powered on, the secure processor SP secure Boot runs, initializes the stack and configures hardware parameters;
S2: the secure Boot first completes self-verification and checks whether the Flash security flag is present;
S3: after the Boot self-verification is completed, the signature of the secure processor SP firmware is verified to obtain the hash value of the secure processor SP firmware;
S4: the secure processor SP firmware is read from Flash and its hash value is calculated;
S5: the two hash values are compared to determine the authenticity and integrity of the secure processor SP firmware;
S6: if verification succeeds, the secure processor SP firmware is loaded and run; otherwise, the system is prohibited from starting.
In this embodiment, step two specifically includes the following steps:
S01: the terminal enables the client version number, and each different client number corresponds to a group of secure processor SP signing keys;
S02: after the secure processor SP firmware is compiled, it is signed with different keys for different clients, and the firmware signed for the specified client is packaged, together with the client number, into the SYSTEM partition of the application processor AP;
S03: when the terminal starts, the application processor AP can upgrade the secure processor SP firmware, so that the firmware run by the secure processor SP is consistent with the client-specific signed firmware packaged in the application processor AP.
Further, step three specifically is: after the system starts, secure boot verification of the application processor AP and of the secure processor SP is performed first. The trusted source verified by the application processor AP makes it possible to determine whether the secure processor SP signed firmware packaged in the application processor AP program has been replaced or tampered with, and the trusted source verified by the secure processor SP is burned into the secure processor SP chip once, at the patch stage. Once the secure processor SP firmware packaged by the application processor AP fails verification by the secure Boot burned into the secure processor SP chip, the secure processor SP can erase the application program, and the terminal enters an unusable state.
In this embodiment, step four specifically is: the POS terminal restarts every 24 hours to perform the periodic self-check of the usage authority it has set.
The invention has the following advantages: compared with the prior art, the secure processor SP client-customized signature prevents the compiled secure processor SP firmware from being illegally tampered with or replaced. A hash value is calculated over the compiled firmware program and signed with the signing private key, and the signed information is packaged into the firmware. When the code is compiled, the value at a fixed address in Flash is configured: a value of 0 means secure, and the default value of 1 means not secure. In the secure state the Boot program segment cannot be changed, and a signature verification mechanism is used. Signing means calculating a hash value over the compiled firmware program and signing it with the private key. Signature verification means using the public key in the code to verify the secure processor SP signature information, which yields the hash value from the time of signing, and checking whether the hash value calculated over the firmware in the chip is consistent with it, so as to judge whether the program in the chip has been tampered with or replaced.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (2)

1. A protection method for preventing permanent machine cutting of a POS terminal, characterized by comprising the following steps during operation of the POS terminal:
step one: secure boot: a security program is started when the POS terminal starts;
step two: secure processor SP client-customized signature, specifically: S01: the terminal enables the client version number, and each different client number corresponds to a group of secure processor SP signing keys;
S02: after the secure processor SP firmware is compiled, it is signed with different keys for different clients, and the firmware signed for the specified client is packaged, together with the client number, into the SYSTEM partition of the application processor AP;
S03: when the terminal starts, the application processor AP can upgrade the secure processor SP firmware, so that the firmware run by the secure processor SP is consistent with the client-specific signed firmware packaged in the application processor AP;
step three: boot-time identity authentication: after the system starts, secure boot verification of the application processor AP and of the secure processor SP is performed first, wherein the trusted source verified by the application processor AP makes it possible to determine whether the secure processor SP signed firmware packaged in the application processor AP program has been replaced or tampered with, and the trusted source verified by the secure processor SP is burned into the secure processor SP chip once, at the chip stage; once the secure processor SP firmware packaged by the application processor AP fails verification by the secure Boot in the secure processor SP chip, the secure processor SP can erase the application program, and the terminal enters an unusable state;
step four: periodic self-check: the POS terminal periodically checks the usage authority that has been set;
step one specifically includes the secure boot of the secure processor SP and of the application processor AP, and the secure boot of the secure processor SP includes the following steps:
S1: after the secure processor SP chip is powered on, the secure processor SP secure Boot runs, initializes the stack and configures hardware parameters;
S2: the secure Boot first completes self-verification and checks whether the Flash security flag is present;
S3: after the Boot self-verification is completed, the signature of the secure processor SP firmware is verified to obtain the hash value of the secure processor SP firmware;
S4: the secure processor SP firmware is read from Flash and its hash value is calculated;
S5: the hash value obtained at step S3 is compared with the hash value obtained at step S4 to determine the authenticity and integrity of the secure processor SP firmware;
S6: if verification succeeds, the secure processor SP firmware is loaded and run; otherwise, the system is prohibited from starting;
the secure boot of the application processor AP comprises the following steps:
S1: the Boot ROM verifies the Pre-loader:
when the Pre-loader is signed, the root public key is stored in the Pre-loader, and the SHA256 of the root public key is burned into the eFuse; when the system starts, the Boot ROM compares the hash value burned into the eFuse with the hash value of the root public key stored in the Pre-loader; if the two values are the same, the Boot ROM takes the root public key from the Pre-loader and verifies the Pre-loader, and if verification succeeds, loading continues; otherwise, if the hash values differ or verification fails, startup stops;
S2: the Pre-loader verifies LK/trustzone:
at compile time, the public key for verifying LK/trustzone is compiled into the Pre-loader, and LK/trustzone is signed with the private key; during startup, the Pre-loader uses the public key compiled into it to verify LK/trustzone; if verification succeeds, loading continues, and if verification fails, loading stops;
S3: LK verifies logo/boot/recovery/system:
at compile time, the public key for verifying logo/boot/recovery/system is compiled into LK, and logo/boot/recovery/system is signed with the private key; during startup, LK uses the public key compiled into it to verify logo/boot/recovery/system; if verification succeeds, loading continues, and if verification fails, loading stops.
2. The method for protecting an intelligent POS terminal against permanent machine cutting according to claim 1, wherein step four specifically is: the POS terminal restarts every 24 hours to perform the periodic self-check of the usage authority it has set.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201810504447.0A | 2018-05-24 | 2018-05-24 | Protection method for permanent anti-cutting machine of intelligent POS terminal

Publications (2)

Publication Number | Publication Date
CN108875382A | 2018-11-23
CN108875382B | 2022-05-10

Family

ID=64334225

Country Status (1)

Country | Link
CN (1) | CN108875382B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant