CN108875382B - Protection method for permanent anti-cutting machine of intelligent POS terminal - Google Patents
- Publication number
- CN108875382B
- Authority
- CN
- China
- Prior art keywords
- processor
- firmware
- secure
- boot
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07G—REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
- G07G1/00—Cash registers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a method for protecting an intelligent POS terminal against permanent machine switching ("cutting"). A client-customized signature for the security processor (SP for short) prevents the compiled SP firmware from being illegally tampered with or replaced. Tamper prevention is achieved by calculating a hash value of the compiled firmware program, signing it with the signing private key, and packaging the signed information into the firmware. Replacement prevention is achieved by configuring lock protection of the SP internal Flash when the SP firmware code is compiled, so that the security program in the SP internal Flash cannot be read or rewritten from outside. During boot-up, the SP uses a solidified security program to verify the authenticity and integrity of the firmware.
Description
Technical Field
The invention belongs to the technical field of POS machine information security, and particularly relates to a protection method that prevents an intelligent POS terminal from being permanently switched ("cut").
Background
Machine switching ("cutting") means that lawbreakers, seeking illegal profit from a reduced rate, use technical means to replace the POS terminal program deployed with a merchant by a system or program connected to a different operation-and-maintenance backend, which greatly damages the interests of the original backend operators. Machine switching is mainly divided into permanent switching and run-time switching. Permanent switching means that the POS terminal operating system is completely replaced by a different system, on which any operation can then be performed. Run-time switching means that, without replacing the operating system, the original merchant's application is uninstalled or deleted and another acquirer's application is installed to achieve the illegal purpose.
The prior art discloses a remote signature system and method for preventing POS machine switching, relating to the field of program devices. The system comprises a POS machine, a server side, and a remote signature client installed on a terminal; the server side is in bidirectional communication with the remote signature client. The method comprises the following steps: the server generates a unique identity ID for a developer and the terminal the developer uses; the remote signature client initiates a signature action and sends the unique identity ID to the server; the server checks the unique identity ID, then signs the received program data and sends it to the remote signature client; and the remote signature client receives the encrypted program to complete the remote signature.
However, this method is complicated and not easy to implement.
The secure processor is generally abbreviated as SP, and the application processor as AP. The application processor (hereinafter AP) relies on the chip's eFuse to prevent the system program from being illegally tampered with or replaced. A hash value of the manufacturer's root public key is written into the eFuse when the device leaves the factory. When the AP starts, the correctness of the root public key in the AP system is verified, using the fact that the eFuse cannot be altered or replaced; the system programs in the AP are then verified stage by stage starting from the root public key, and the system is forbidden to start once any verification fails. The authenticity and integrity of the terminal's system program are thereby guaranteed, any unauthorized tampering or replacement is detected, and the intelligent POS terminal system cannot be permanently tampered with or replaced.
Disclosure of Invention
In order to solve the above problems, the present invention aims to provide a protection method with high security: while the authenticity and integrity of software are guaranteed, a digital-signature public/private key system is used for anti-switching management of the software downloaded into the POS machine, and the private key used for signing is prevented from leaking during the release process of the POS software program.
The invention also aims to provide a protection method for preventing the intelligent POS terminal from being permanently switched.
In order to achieve the above object, the technical solution of the present invention is as follows.
The invention provides a method for protecting an intelligent POS terminal against permanent machine switching, which comprises the following steps during operation of the POS terminal:
Step one: secure boot: a security program is started when the POS terminal starts up;
Step two: secure processor SP client-customized signature: the secure processor SP user sets the usage authority of the POS terminal;
Step three: power-on identity authentication: at start-up, the POS terminal performs identity verification according to the set usage authority;
Step four: periodic self-check: the POS terminal periodically checks the usage authority it has set.
Further, step one specifically includes the secure boot of the secure processor SP and of the application processor AP. The secure boot of the secure processor SP includes the following steps:
S1: after the secure processor SP chip is powered on, the SP secure Boot runs, initializes the stack, and configures hardware parameters;
S2: the secure Boot first completes its self-verification and checks whether the Flash security flag is present;
S3: after the Boot self-verification is completed, the signature of the secure processor SP firmware is verified to obtain the hash value of the SP firmware;
S4: the secure processor SP firmware is read from Flash and its hash value is calculated;
S5: the two hash values are compared to judge the authenticity and integrity of the secure processor SP firmware;
S6: if the verification succeeds, the secure processor SP firmware is loaded and run; otherwise, system start-up is prohibited.
Further, the secure boot of the application processor AP comprises the following steps:
S1: the Boot ROM verifies the Pre-loader:
When the Pre-loader is signed, the root public key is stored in the Pre-loader and the SHA256 of the root public key is burned into the eFuse. At system start-up, the Boot ROM compares the hash value burned into the eFuse with the hash value of the root public key stored in the Pre-loader. If the two values are the same, the Boot ROM takes the root public key from the Pre-loader and verifies the Pre-loader; if that verification succeeds, the Boot ROM continues loading. Otherwise, if the hash values differ or the verification fails, start-up stops;
S2: the Pre-loader verifies LK/trustzone:
At compile time, the public key for verifying LK/trustzone is compiled into the Pre-loader, and LK/trustzone is signed with the private key. During start-up, the Pre-loader uses the public key compiled into it to verify LK/trustzone; if the verification succeeds, loading continues, and if it fails, loading stops;
S3: LK verifies LOGO/Boot/Recovery/system:
At compile time, the public key for verifying LOGO/Boot/Recovery/system is compiled into LK, and LOGO/Boot/Recovery/system is signed with the private key. During start-up, LK uses the public key compiled into it to verify LOGO/Boot/Recovery/system; if the verification succeeds, loading continues, and if it fails, loading stops.
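The two verification sequences above (SP steps S3 to S5, and AP steps S1 to S3), modelled in Python as an added example that is not code from the patent. The patent names only SHA256 for the root-key hash, so everything else is an assumption made here: textbook RSA over constructed Mersenne-prime keys stands in for the unspecified signature algorithm, and the stage layout, the helper names, and the choice to sign each stage's embedded next-stage key together with its body are hypothetical.

```python
import hashlib

E = 65537

def keypair(a, b):
    """Constructed demo key: textbook RSA over the Mersenne primes 2**a-1 and
    2**b-1. No padding and not secure; it only keeps the example offline."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def pub_bytes(pub):
    n, e = pub
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, pub, d):
    # Build-time step: hash the compiled image, sign the hash with the private key.
    return pow(digest_int(data), d, pub[0])

def verify_image(pub, data, sig):
    """SP steps S3-S5: recover the signed hash, hash the image, compare."""
    n, e = pub
    if not 0 < sig < n:
        return False
    recovered = pow(sig, e, n)      # S3: hash obtained from the signature
    computed = digest_int(data)     # S4: hash of what is actually stored
    return recovered == computed    # S5: any mismatch blocks start-up (S6)

def blob(stage):
    # Assumption: the embedded next-stage key is covered by the signature.
    key = stage.get("next_pub")
    return stage["body"] + (pub_bytes(key) if key else b"")

def make_stage(body, signer_pub, signer_d, next_pub=None, **extra):
    stage = {"body": body, "next_pub": next_pub, **extra}
    stage["sig"] = sign(blob(stage), signer_pub, signer_d)
    return stage

def secure_boot(efuse_hash, pre, lk, system):
    """AP steps S1-S3: Boot ROM -> Pre-loader -> LK -> system images."""
    root = pre["root_pub"]
    if hashlib.sha256(pub_bytes(root)).digest() != efuse_hash:
        return "halt: root public key does not match eFuse"
    if not verify_image(root, blob(pre), pre["sig"]):
        return "halt: Pre-loader signature invalid"
    if not verify_image(pre["next_pub"], blob(lk), lk["sig"]):
        return "halt: LK signature invalid"
    if not verify_image(lk["next_pub"], blob(system), system["sig"]):
        return "halt: system signature invalid"
    return "booted"

def build_device():
    root, root_d = keypair(521, 607)
    lk_key, lk_d = keypair(127, 1279)
    img_key, img_d = keypair(107, 2203)
    efuse = hashlib.sha256(pub_bytes(root)).digest()   # burned once at the factory
    pre = make_stage(b"pre-loader code", root, root_d, next_pub=lk_key, root_pub=root)
    lk = make_stage(b"LK code", lk_key, lk_d, next_pub=img_key)
    system = make_stage(b"boot+system images", img_key, img_d)
    return efuse, pre, lk, system

def scenarios():
    efuse, pre, lk, system = build_device()
    rogue, rogue_d = keypair(89, 2281)      # key the eFuse does not pin
    out = {"genuine": secure_boot(efuse, pre, lk, system)}
    # System image altered after signing, signature left in place.
    patched = dict(system, body=b"replacement system image")
    out["patched system"] = secure_boot(efuse, pre, lk, patched)
    # Every stage replaced and consistently re-signed with the unpinned key.
    r_sys = make_stage(b"replacement system image", rogue, rogue_d)
    r_lk = make_stage(b"LK code", rogue, rogue_d, next_pub=rogue)
    r_pre = make_stage(b"pre-loader code", rogue, rogue_d, next_pub=rogue, root_pub=rogue)
    out["self-signed chain"] = secure_boot(efuse, r_pre, r_lk, r_sys)
    # Genuine Pre-loader kept; only LK and system replaced and re-signed.
    out["re-signed LK"] = secure_boot(efuse, pre, r_lk, r_sys)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

A fully self-consistent replacement chain still stops at the first step, because the only value it cannot reproduce is the root-key hash already burned into the eFuse.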
Further, step two specifically includes the following steps:
S01: the terminal enables the client version number, and different client numbers each correspond to a group of secure processor SP signature keys;
S02: after the secure processor SP firmware is compiled, it is signed with different keys for different clients, and the firmware signed for the specified client is packaged, together with the client number, into the SYSTEM partition of the application processor AP;
S03: when the terminal starts, the application processor AP can upgrade the secure processor SP firmware, so that the firmware run by the secure processor SP is consistent with the client-specific signed firmware packaged in the application processor AP.
Further, step three specifically comprises the following: after the system starts, secure Boot verification of the application processor AP and the secure processor SP is performed first. The trusted source verified by the application processor AP makes it possible to determine whether the secure processor SP signed firmware packaged in the AP program has been replaced or tampered with. The trusted source verified by the secure processor SP is burned into the SP chip once, in the patch segment. Once the SP firmware packaged by the application processor AP fails the secure Boot verification burned into the SP chip, the secure processor SP may erase the application program, and the terminal enters an unavailable state.
Further, step four is specifically that the POS terminal restarts every 24 hours, so that the usage authority it has set is periodically self-checked.
The invention has the following advantages. Compared with the prior art, the secure processor SP client-customized signature prevents the compiled SP firmware from being illegally tampered with or replaced: a hash value is calculated over the compiled firmware program, signed with the signing private key, and the signed information is packaged into the firmware. When the code is compiled, the value at a fixed address in Flash is configured; a value of 0 means secure, and the default value of 1 means not secure. Secure means that the Boot program segment cannot be changed. A signature verification mechanism is used. Signing computes a hash value over the compiled firmware program and signs it with the private key. Signature verification uses the public key in the code to verify the secure processor SP signature information and obtain the hash value from the time of signing, and then compares it with the hash value calculated over the firmware in the chip to judge whether the program in the chip has been tampered with or replaced.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The permanent anti-cutting machine protection method for the intelligent POS terminal is simple to operate, good in using effect and easy to popularize widely.
In order to achieve the above object, the technical solution of the present invention is as follows.
The invention also provides a method for protecting the intelligent POS terminal against permanent machine switching, which comprises the following steps during operation of the POS terminal:
Step one: secure boot: a security program is started when the POS terminal starts up;
Step two: secure processor SP client-customized signature: the secure processor SP user sets the usage authority of the POS terminal;
Step three: power-on identity authentication: at start-up, the POS terminal performs identity verification according to the set usage authority;
Step four: periodic self-check: the POS terminal periodically checks the usage authority it has set.
In this embodiment, step one specifically includes the following steps:
S1: after the secure processor SP chip is powered on, the SP secure Boot runs, initializes the stack, and configures hardware parameters;
S2: the secure Boot first completes its self-verification and checks whether the Flash security flag is present;
S3: after the Boot self-verification is completed, the signature of the secure processor SP firmware is verified to obtain the hash value of the SP firmware;
S4: the secure processor SP firmware is read from Flash and its hash value is calculated;
S5: the two hash values are compared to judge the authenticity and integrity of the secure processor SP firmware;
S6: if the verification succeeds, the secure processor SP firmware is loaded and run; otherwise, system start-up is prohibited.
In this embodiment, step two specifically includes the following steps:
S01: the terminal enables the client version number, and different client numbers each correspond to a group of secure processor SP signature keys;
S02: after the secure processor SP firmware is compiled, it is signed with different keys for different clients, and the firmware signed for the specified client is packaged, together with the client number, into the SYSTEM partition of the application processor AP;
S03: when the terminal starts, the application processor AP can upgrade the secure processor SP firmware, so that the firmware run by the secure processor SP is consistent with the client-specific signed firmware packaged in the application processor AP.
Further, step three specifically comprises the following: after the system starts, secure Boot verification of the application processor AP and the secure processor SP is performed first. The trusted source verified by the application processor AP makes it possible to determine whether the secure processor SP signed firmware packaged in the AP program has been replaced or tampered with. The trusted source verified by the secure processor SP is burned into the SP chip once, in the patch segment. Once the SP firmware packaged by the application processor AP fails the secure Boot verification burned into the SP chip, the secure processor SP may erase the application program, and the terminal enters an unavailable state.
In this embodiment, step four is specifically that the POS terminal restarts every 24 hours, so that the usage authority it has set is periodically self-checked.
The invention has the following advantages. Compared with the prior art, the secure processor SP client-customized signature prevents the compiled SP firmware from being illegally tampered with or replaced: a hash value is calculated over the compiled firmware program, signed with the signing private key, and the signed information is packaged into the firmware. When the code is compiled, the value at a fixed address in Flash is configured; a value of 0 means secure, and the default value of 1 means not secure. Secure means that the Boot program segment cannot be changed. A signature verification mechanism is used. Signing computes a hash value over the compiled firmware program and signs it with the private key. Signature verification uses the public key in the code to verify the secure processor SP signature information and obtain the hash value from the time of signing, and then compares it with the hash value calculated over the firmware in the chip to judge whether the program in the chip has been tampered with or replaced.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (2)
1. A protection method for preventing a POS terminal from being permanently switched, characterized by comprising the following steps during operation of the POS terminal:
step one: secure boot: a security program is started when the POS terminal starts up;
step two: secure processor SP client-customized signature, specifically: S01: the terminal enables the client version number, and different client numbers each correspond to a group of secure processor SP signature keys;
S02: after the secure processor SP firmware is compiled, it is signed with different keys for different clients, and the firmware signed for the specified client is packaged, together with the client number, into the SYSTEM partition of the application processor AP;
S03: when the terminal starts, the application processor AP can upgrade the secure processor SP firmware, so that the firmware run by the secure processor SP is consistent with the client-specific signed firmware packaged in the application processor AP;
step three: power-on identity authentication: after the system starts, secure boot verification of the application processor AP and the secure processor SP is performed first, wherein the trusted source verified by the application processor AP makes it possible to determine whether the secure processor SP signed firmware packaged in the application processor AP program has been replaced or tampered with, the trusted source verified by the secure processor SP is burned into the secure processor SP chip once in a chip segment, and once the secure processor SP firmware packaged by the application processor AP does not pass verification against the secure Boot in the secure processor SP chip, the secure processor SP can erase the application program, and the terminal enters an unavailable state;
step four: periodic self-check: the POS terminal periodically checks the usage authority it has set;
step one specifically includes the secure boot of the secure processor SP and of the application processor AP, and the secure boot of the secure processor SP includes the following steps:
S1: after the secure processor SP chip is powered on, the SP secure Boot runs, initializes the stack, and configures hardware parameters;
S2: the secure Boot first completes its self-verification and checks whether the Flash security flag is present;
S3: after the Boot self-verification is completed, the signature of the secure processor SP firmware is verified to obtain the hash value of the SP firmware;
S4: the secure processor SP firmware is read from Flash and its hash value is calculated;
S5: the hash value obtained at step S3 is compared with the hash value obtained at step S4 to determine the authenticity and integrity of the secure processor SP firmware;
S6: if the verification succeeds, the secure processor SP firmware is loaded and run; otherwise, system start-up is prohibited;
the secure boot of the application processor AP comprises the following steps:
S1: the Boot ROM verifies the Pre-loader:
when the Pre-loader is signed, the root public key is stored in the Pre-loader and the SHA256 of the root public key is burned into the eFuse; at system start-up, the Boot ROM compares the hash value burned into the eFuse with the hash value of the root public key stored in the Pre-loader; if the two values are the same, the Boot ROM takes the root public key from the Pre-loader and verifies the Pre-loader, and if that verification succeeds, the Boot ROM continues loading; otherwise, if the hash values differ or the verification fails, start-up stops;
S2: the Pre-loader verifies LK/trustzone:
at compile time, the public key for verifying LK/trustzone is compiled into the Pre-loader, and LK/trustzone is signed with the private key; during start-up, the Pre-loader uses the public key compiled into it to verify LK/trustzone; if the verification succeeds, loading continues, and if it fails, loading stops;
S3: LK verifies LOGO/Boot/Recovery/system:
at compile time, the public key for verifying LOGO/Boot/Recovery/system is compiled into LK, and LOGO/Boot/Recovery/system is signed with the private key; during start-up, LK uses the public key compiled into it to verify LOGO/Boot/Recovery/system; if the verification succeeds, loading continues, and if it fails, loading stops.
2. The protection method for preventing a POS terminal from being permanently switched according to claim 1, wherein step four implements the periodic self-check of the usage authority set by the POS terminal by restarting every 24 hours.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810504447.0A CN108875382B (en) | 2018-05-24 | 2018-05-24 | Protection method for permanent anti-cutting machine of intelligent POS terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108875382A (en) | 2018-11-23 |
CN108875382B (en) | 2022-05-10 |
Family
ID=64334225
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810504447.0A Active CN108875382B (en) | 2018-05-24 | 2018-05-24 | Protection method for permanent anti-cutting machine of intelligent POS terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108875382B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110909360B (en) * | 2019-10-29 | 2022-05-27 | 百富计算机技术(深圳)有限公司 | Electronic equipment safe starting method and device based on dual systems |
CN110990084B (en) * | 2019-12-20 | 2023-01-24 | 紫光展讯通信(惠州)有限公司 | Chip secure starting method and device, storage medium and terminal |
CN112069515B (en) * | 2020-08-20 | 2023-10-13 | 博流智能科技(南京)有限公司 | Safe EFUSE burning method and system |
CN112035146B (en) * | 2020-09-11 | 2023-10-24 | 百富计算机技术(深圳)有限公司 | Firmware updating method, security apparatus, and computer-readable storage medium |
CN112804054A (en) * | 2021-01-27 | 2021-05-14 | 上海商米科技集团股份有限公司 | Financial POS (point of sale) key capacity expansion system and key interaction method between AP (access point) chip and SP (service provider) chip |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104200153A (en) * | 2014-09-12 | 2014-12-10 | 北京赛科世纪数码科技有限公司 | Start verification method and system |
CN105957276A (en) * | 2016-05-17 | 2016-09-21 | 福建新大陆支付技术有限公司 | Android system-based intelligent POS security system, starting method and data management control method |
CN106789075A (en) * | 2016-12-27 | 2017-05-31 | 艾体威尔电子技术(北京)有限公司 | POS digital signature is anti-to cut machine system |
CN107330333A (en) * | 2017-06-06 | 2017-11-07 | 百富计算机技术(深圳)有限公司 | Ensure the method and device of POS firmware safety |
CN107359999A (en) * | 2017-07-04 | 2017-11-17 | 深圳市智联物联科技有限公司 | A kind of uboot firmwares guard method |
Also Published As
Publication number | Publication date |
---|---|
CN108875382A (en) | 2018-11-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108875382B (en) | Protection method for permanent anti-cutting machine of intelligent POS terminal | |
US10719606B2 (en) | Security processor for an embedded system | |
CN104424441B (en) | Processing system | |
JP5740646B2 (en) | How to download software | |
EP2693789B1 (en) | Mobile terminal encryption method, hardware encryption device and mobile terminal | |
US20140250290A1 (en) | Method for Software Anti-Rollback Recovery | |
US20110040960A1 (en) | Method and System for Securely Updating Field Upgradeable Units | |
GB2508251A (en) | Preventing tampering of device firmware by validation before boot | |
JP2007293873A (en) | Method for securing electronic device, security system, and electronic device | |
CN101983375A (en) | Binding a cryptographic module to a platform | |
CN110990084A (en) | Chip secure starting method and device, storage medium and terminal | |
CN111162911B (en) | PLC firmware upgrading system and method | |
US20100100966A1 (en) | Method and system for blocking installation of some processes | |
US20230046161A1 (en) | Network device authentication | |
CN102880828A (en) | Intrusion detection and recovery system aiming at virtualization support environment | |
CN107172100A (en) | A kind of local security updates the method and device of BIOS mirror images | |
CN110245495B (en) | BIOS checking method, configuration method, device and system | |
CN116070217A (en) | Safe starting system and method for chip module | |
CN114363008A (en) | Virtual equipment authentication method and device, electronic equipment and storage medium | |
KR20060132652A (en) | Method for detecting illegal modifications made to manufacturer software | |
CN111597560A (en) | Secure trusted module starting method and system | |
CN114444083B (en) | BMC-based server BIOS full life cycle safety protection system | |
CN108228219B (en) | Method and device for verifying BIOS validity during in-band refreshing of BIOS | |
CN111506897A (en) | Data processing method and device | |
CN112219186A (en) | Method for installing a program code package in a device, device and motor vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |