CN114143278B - Message processing method and server for supporting peripheral system cryptographic upgrade by core system - Google Patents


Info

Publication number: CN114143278B
Authority: CN (China)
Prior art keywords: pinblock, bit, message, server, core system
Legal status: Active
Application number: CN202111425866.3A
Other languages: Chinese (zh)
Other versions: CN114143278A (en)
Inventors: 李轶男, 许海洋
Current Assignee: Bank of China Ltd
Original Assignee: Bank of China Ltd

Events: application filed by Bank of China Ltd; priority to CN202111425866.3A; publication of CN114143278A; application granted; publication of CN114143278B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00: Packet switching elements
    • H04L 49/90: Buffering arrangements
    • H04L 49/9057: Arrangements for supporting packet reassembly or resequencing
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities

Abstract

The invention discloses a message processing method and a server by which a core system supports the cryptographic upgrade of peripheral systems; it relates to the technical field of network security. The method, applied to a front gateway server, comprises the following steps: receiving a secret-related transaction message sent by an interface platform; reading the field to which each uploaded item in the secret-related transaction message belongs and determining the field to which the PINBLOCK belongs, the PINBLOCK being one of the uploaded items; when the field to which the PINBLOCK belongs is the 32-bit PINBLOCK field, compressing the 32-bit PINBLOCK into a 16-bit PINBLOCK; and recombining the compressed 16-bit PINBLOCK with the other uploaded items into a message and sending the recombined message to the core system. The invention allows the core system to verify a 16-bit or 32-bit PINBLOCK sent by a peripheral system without modifying the core system.

Description

Message processing method and server for supporting peripheral system cryptographic upgrade by core system
Technical Field
The present invention relates to the field of network security technologies, and in particular to a message processing method and a server by which a core system supports the cryptographic upgrade of peripheral systems.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The localization of encryption algorithms is part of the localization of financial-industry software: banking systems are required to fully implement the requirements for secure and controllable cryptographic algorithms in important information systems and infrastructure in the financial sector, and to complete the comprehensive application of, and transformation to, domestic cryptographic algorithms.
At present the core system has completed the national-cipher transformation of storage encryption and of the counter front-end system: it supports the coexistence of 3DES and the national cipher, and the algorithm can be selected by a control parameter. However, the transformation of the core system is not yet complete; it must be further modified in coordination with each peripheral product so as to better support the national-cipher upgrade of each associated product.
This situation mainly faces the following problems:
1. Because the original encryption algorithm of the peripheral systems is 3DES, the PINBLOCK field of the core banking system's online transaction interface is 16 bits long. After the encryption algorithm is upgraded to the national cipher, a peripheral system sends a 32-bit PINBLOCK to the core, so that all of the core system's encryption-related transaction interfaces become unusable;
2. The core system on the Z/OS host handles hundreds of millions of online transactions every day, so the online interface architecture must remain relatively stable; in particular, the online transaction interfaces essentially cannot be changed substantially, or they would be seriously affected;
3. Because many peripheral systems are involved, a simultaneous upgrade cannot be guaranteed, for various reasons, during the upgrade and transformation. That is, for the same online transaction, both a 3DES PINBLOCK and a national-cipher PINBLOCK may be uploaded to the core system for verification at the same time.
In view of the above problems, there are currently two main solutions:
1. Keep the online interface of the core system unchanged, and have each peripheral system compress the 32-bit PINBLOCK produced by national-cipher encryption into 16 bits before sending it to the core system for PIN verification in the original interface format;
2. Have the core system modify its online interface, widening the PINBLOCK field of each verification-related transaction interface from 16 bits to 32 bits, with the peripheral systems sending to the core system for verification in the new interface format.
Solution 1 mainly has the following two problems:
1. Scalability: the PINBLOCK compression logic must be implemented in every peripheral system that is upgraded, which increases development and test cost, and if a problem is later found in the compression algorithm and it has to be modified, many systems must be changed;
2. Transcoding: the character code systems of the core system and the peripheral systems differ, so the interface platform must transcode, and the PINBLOCK must be transcoded before it is compressed. Under solution 1, each peripheral system would first transcode from A code (ASCII) to E code (EBCDIC) and then compress, pushing transcoding logic that is common to the interface platform forward into every system and increasing development and test cost.
Solution 2 mainly has the following two problems:
1. Cost: if the core directly widens the 16-bit PINBLOCK field to 32 bits, every peripheral system using those interfaces must modify its interfaces in step. The core has many PIN verification interfaces, and each interface is used by many peripheral systems, so this solution brings a huge transformation cost;
2. Interface length: the core system's interface is currently 982 bits long, and the remaining unused length of many online transaction interfaces is no more than 16 bits, so those transactions cannot be adapted under this solution; if they had to be, a major adjustment of a shared mechanism would be involved.
Disclosure of Invention
The embodiment of the invention provides a message processing method by which a core system supports the cryptographic upgrade of peripheral systems. It performs a low-cost, small-scale transformation overall, so that the core system supports PIN verification of a 16-bit or 32-bit PINBLOCK sent by a peripheral system without itself being transformed. The method is applied to a front gateway server in a message transmission system that further comprises a core system, a peripheral system and an interface platform; the front gateway server is connected to the core system and to the interface platform, and the interface platform is further connected to the peripheral system. The method comprises the following steps:
receiving a secret-related transaction message sent by the interface platform;
reading the field of each uploaded item in the secret-related transaction message and determining whether the field of the PINBLOCK is the 16-bit PINBLOCK field or the 32-bit PINBLOCK field, the PINBLOCK being one of the uploaded items;
when the field to which the PINBLOCK belongs is the 32-bit PINBLOCK field, compressing the 32-bit PINBLOCK into a 16-bit PINBLOCK;
and recombining the compressed 16-bit PINBLOCK with the other uploaded items into a message and sending the recombined message to the core system.
The embodiment of the invention also provides a message processing method by which a core system supports the cryptographic upgrade of peripheral systems, again performing a low-cost, small-scale transformation overall so that the core system supports PIN verification of a 16-bit or 32-bit PINBLOCK sent by a peripheral system without itself being transformed. This method is applied to an interface platform in a message transmission system that further comprises a core system, a peripheral system and a front gateway server; the interface platform is connected to the peripheral system, the front gateway server and the core system, and the front gateway server is further connected to the core system. The method comprises the following steps:
receiving a transaction message sent by the peripheral system through a designated interface, the designated interface being the interface corresponding to the transaction code of the transaction;
reading the fields of all uploaded items in the transaction message and determining whether the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty;
if the 16-bit PINBLOCK field or the 32-bit PINBLOCK field is not empty, determining that the transaction message is a secret-related transaction message and forwarding it to the front gateway server, so that the front gateway server compresses the 32-bit PINBLOCK in the secret-related transaction message into a 16-bit PINBLOCK, recombines the compressed 16-bit PINBLOCK with the other uploaded items into a message, and sends the recombined message to the core system.
The embodiment of the invention also provides a front gateway server, which performs a low-cost, small-scale transformation overall so that the core system supports PIN verification of a 16-bit or 32-bit PINBLOCK sent by a peripheral system without itself being transformed. The front gateway server is connected to the core system server and to the interface platform server, the interface platform server is further connected to the peripheral system server, and the front gateway server comprises:
a front communication module for receiving the secret-related transaction message sent by the interface platform server;
a front reading module for reading the field of each uploaded item in the secret-related transaction message and determining whether the field of the PINBLOCK is the 16-bit PINBLOCK field or the 32-bit PINBLOCK field, the PINBLOCK being one of the uploaded items;
a compression module for compressing the 32-bit PINBLOCK into a 16-bit PINBLOCK when the field to which the PINBLOCK belongs is the 32-bit PINBLOCK field;
and the front communication module is further used to recombine the compressed 16-bit PINBLOCK with the other uploaded items into a message and send the recombined message to the core system server.
The embodiment of the invention also provides an interface platform server, which performs a low-cost, small-scale transformation overall so that the core system supports PIN verification of a 16-bit or 32-bit PINBLOCK sent by a peripheral system without itself being transformed. The interface platform server is connected to the peripheral system server, the front gateway server and the core system server, the front gateway server is further connected to the core system server, and the interface platform server comprises:
an interface communication module for receiving a transaction message sent by the peripheral system server through a designated interface, the designated interface being the interface corresponding to the transaction code of the transaction;
an interface reading module for reading the fields of all uploaded items in the transaction message and determining whether the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty;
and the interface communication module is further configured to determine that the transaction message is a secret-related transaction message when the 16-bit PINBLOCK field or the 32-bit PINBLOCK field is not empty, and to forward the secret-related transaction message to the front gateway server, so that the front gateway server compresses the 32-bit PINBLOCK in the secret-related transaction message into a 16-bit PINBLOCK, recombines the compressed 16-bit PINBLOCK with the other uploaded items into a message, and sends the recombined message to the core system server.
The embodiment of the invention also provides a message transmission system, which performs a low-cost, small-scale transformation overall so that the core system supports PIN verification of a 16-bit or 32-bit PINBLOCK sent by a peripheral system without itself being transformed. The message transmission system comprises the front gateway server, the interface platform server, the core system server and the peripheral system server described above.
The embodiment of the invention also provides a computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the above message processing method by which a core system supports the cryptographic upgrade of peripheral systems.
The embodiment of the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above message processing method by which a core system supports the cryptographic upgrade of peripheral systems.
The embodiment of the invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the above message processing method by which a core system supports the cryptographic upgrade of peripheral systems.
In the embodiment of the invention, a front gateway server is placed between the interface platform and the core system. When a peripheral system sends a secret-related transaction message to the core system, the interface platform connected to the peripheral system passes the message to the front gateway server; the front gateway server identifies which secret-related transaction messages contain a 32-bit PINBLOCK, compresses the 32-bit PINBLOCK into a 16-bit PINBLOCK, recombines the message around the compressed PINBLOCK and sends it to the core system. In this way the PINBLOCK compression logic is placed on a shared front gateway server, which reduces the amount of transformation needed in the peripheral systems and the core system: the core system can receive all secret-related transaction messages and verifies both 16-bit and 32-bit PINBLOCKs through its internal logic. The peripheral systems can be transformed one at a time, without having to complete compatibility with 16-bit and 32-bit PINBLOCKs all at once, and the customer does not notice the change of key algorithm, which improves the customer experience. In addition, the embodiment ensures a smooth transition of the national-cipher upgrade of the core system and the peripheral systems, and reduces the risk of faults in each system when going into production.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. In the drawings:
FIG. 1 is a system architecture diagram of a message transmission system according to an embodiment of the present invention;
FIG. 2 is a diagram of another system architecture of a message transmission system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the REMOTE mode of implementation in the prior art;
FIG. 4 is a flowchart of a message processing method, applied to a front gateway server, by which a core system supports the cryptographic upgrade of peripheral systems, according to an embodiment of the present invention;
FIG. 5 is a flowchart of a message processing method, applied to an interface platform, by which a core system supports the cryptographic upgrade of peripheral systems, according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a front gateway server according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an interface platform server according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present invention and their descriptions herein are for the purpose of explaining the present invention, but are not to be construed as limiting the invention.
Technical terms related to the embodiments of the present invention will be briefly described below.
1. PIN
Personal Identification Number, the customer's personal password.
2. ZPK
Zone PIN Key, a working key used to encrypt the customer's plaintext PIN for transmission between two communicating systems.
3. PINBLOCK
The PINBLOCK is currently mainly in the standard ANSI X9.8 format (with primary account number information), that is, a data block obtained by bitwise exclusive-or of the customer's plaintext PIN field with the primary account number information. For the plaintext PIN entered by the customer, banking systems generally transmit the PINBLOCK encrypted under the zone PIN key ZPK.
4. 3DES
Triple DES, a symmetric-key algorithm that applies the DES cipher three times to the data.
5. Guomi (national cipher)
A block cipher algorithm with a block length of 128 bits and a key length of 128 bits.
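As an added illustration of the PINBLOCK definition above (this is not code from the patent or from Bank of China), the following builds the ANSI X9.8 / ISO 9564-1 format 0 block: the PIN field is XORed with a field derived from the primary account number, and the 8-byte result is the plaintext block that the ZPK then encrypts. It assumes that the patent's "16-bit" and "32-bit" PINBLOCKs are the hex encodings of that block after encryption by a 64-bit-block cipher (3DES, 16 hex characters) and a 128-bit-block cipher (the national cipher, 32 hex characters); the encryption step itself is not shown, and the PIN and PAN values are constructed.

```python
"""ANSI X9.8 / ISO 9564-1 format 0 PIN block: the plaintext block encrypted under the ZPK.

Added example; the PIN and PAN values used in the tests are constructed, not real.
"""


def _pan_field(pan: str) -> str:
    """PAN field: '0000' followed by the rightmost 12 PAN digits, excluding the check digit."""
    if not (pan.isascii() and pan.isdigit()) or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return "0000" + pan[-13:-1]


def _pin_field(pin: str) -> str:
    """PIN field: format code 0, PIN length as one hex digit, the PIN, then 'F' padding to 16 hex digits."""
    if not (pin.isascii() and pin.isdigit()) or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def format0_pin_block(pin: str, pan: str) -> str:
    """Return the 16-hex-character (8-byte) format 0 PIN block = PIN field XOR PAN field."""
    block = int(_pin_field(pin), 16) ^ int(_pan_field(pan), 16)
    return f"{block:016X}"


def recover_pin(pin_block: str, pan: str) -> str:
    """Inverse used on the verifying side after ZPK decryption: XOR the PAN field back out and
    check the block format before trusting the digits, so a block built for another PAN is rejected."""
    if len(pin_block) != 16:
        raise ValueError("format 0 PIN block must be 16 hex characters")
    field = f"{int(pin_block, 16) ^ int(_pan_field(pan), 16):016X}"
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(field[1], 16)
    pin, padding = field[2:2 + n], field[2 + n:]
    if not 4 <= n <= 12 or not (pin.isascii() and pin.isdigit()) or padding != "F" * (14 - n):
        raise ValueError("PIN block does not match this PAN")
    return pin


if __name__ == "__main__":
    # Constructed sample values.
    block = format0_pin_block("1234", "1234567890123456")
    print(block, "->", recover_pin(block, "1234567890123456"))
```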
The embodiment of the invention provides a message processing method by which a core system supports the cryptographic upgrade of peripheral systems, applied to a message transmission system. The main principle of the system is that the core side deploys a front gateway server on an x86 platform; the processing of each of the core's transaction interfaces is left unchanged, and the front gateway server handles the compatibility between the 32-bit PINBLOCK sent by peripheral systems and the core's 16-bit PINBLOCK interfaces. Transactions whose interfaces are affected later are linked to the front gateway server through the interface platforms (IPS-D and MCIS-CHL); the front gateway server performs preliminary processing and then routes them to the relevant host core. The system architecture is shown in FIG. 1.
Referring to FIG. 1, the message transmission system comprises a peripheral system server, an interface platform server, a front gateway server and a core system server. The peripheral system server is connected through the interface platform server to the front gateway server and to the core system server, and the front gateway server is also connected to the core system server. Where the interface platform server connects directly to the core system server, it transmits non-secret-related transaction messages to the core system server; where it connects to the front gateway server, it sends secret-related transaction messages to the front gateway server, which processes them and forwards them to the core system server.
In the embodiment of the invention, the front gateway server is deployed on an x86 platform. In the current architecture, a peripheral system that needs to communicate with the core system must pass through the interface platform. After the front gateway server is added, if it also sent to the core system through the interface platform, every transaction would pass through the interface platform twice (the peripheral system transmits the message to the front gateway server through the interface platform, and the front gateway server sends it to the core system through the interface platform again), which would increase the load on the interface platform and correspondingly lengthen the transaction path and response time.
Considering the large number of messages handled by the front gateway server, in the embodiment of the invention the front gateway server first sends the secret-related transaction message to a CTG cluster, and the CTG cluster forwards it to the core system, so as to improve message throughput and the overall performance of the message transmission system.
To improve reliability and operational performance, a clustered deployment is used: as shown in FIG. 2, service access is controlled by a load balancer, the front gateway server connects to the CTG cluster through the load balancer, and a load balancing server may also be placed between the interface platform server and the front gateway server. The front gateway server is deployed as a LINUX cluster running the service application.
When an x86 platform connects to the core system through CTG, whether to use LOCAL mode or REMOTE mode must be considered. LOCAL mode requires the CTG to be deployed together with the application, which is intrusive, cannot be monitored separately and does not support high availability, so the front gateway server uses REMOTE mode and connects to the CTG cluster through the load balancer. The implementation principle of REMOTE mode is shown in FIG. 3.
In addition, because the front gateway server is deployed on an x86 platform whose protocol differs from that of the core system, the front gateway server first performs protocol conversion on the secret-related transaction message, converting it into a secret-related transaction message in E code (EBCDIC, the character encoding of the host), and then compresses the 32-bit PINBLOCK using an E-code PINBLOCK compression method (an existing method).
Referring to FIG. 4, the message processing method by which a core system supports the cryptographic upgrade of peripheral systems, applied to the front gateway server, comprises steps 401 to 404:
Step 401: receive a secret-related transaction message sent by the interface platform.
A transaction message (secret-related or not) sent by the interface platform comprises a number of uploaded items, each filled into a preset designated field. For example, an ATM withdrawal transaction includes uploaded items such as the card number, the PIN and the amount; according to the bank's specification, the card number is filled into the first field, the PIN into the second and the amount into the third.
Note that in the embodiment of the invention a secret-related transaction message is a message containing a PIN. For example, a customer must enter the account PIN for a withdrawal, so the withdrawal transaction message is secret-related; for services such as a balance enquiry the customer does not enter a PIN, so the enquiry transaction message is not secret-related.
The PIN contained in the secret-related transaction message is encrypted by the bank: encrypting the PIN with the national cipher yields a 32-bit PINBLOCK, while encrypting it with 3DES or the like yields a 16-bit PINBLOCK. The peripheral system combines the encrypted PINBLOCK with the other uploaded items, such as the card number and the amount, into a secret-related transaction message and transmits it to the interface platform.
Step 402: read the field of each uploaded item in the secret-related transaction message and determine whether the field of the PINBLOCK is the 16-bit PINBLOCK field or the 32-bit PINBLOCK field, the PINBLOCK being one of the uploaded items.
During the cryptographic upgrade, the uploaded message has both a 32-bit PINBLOCK field and a 16-bit PINBLOCK field. If the peripheral system has been upgraded, the PINBLOCK is written into the 32-bit PINBLOCK field; if not, it is written into the 16-bit PINBLOCK field; the field that is not written is left empty. By reading the field in which the PINBLOCK is located, it can be determined whether the PINBLOCK is 16 or 32 bits. For example, if the 3rd field is preset as the 16-bit PINBLOCK field and the 4th field as the 32-bit PINBLOCK field, then when a PINBLOCK is read from the 3rd field and the 4th field is empty, the secret-related transaction message is determined to contain a 16-bit PINBLOCK; otherwise it is determined to contain a 32-bit PINBLOCK.
Step 403: when the PINBLOCK field is the 32-bit PINBLOCK field, compress the 32-bit PINBLOCK into a 16-bit PINBLOCK.
Because, until its transformation is complete, the PINBLOCK field of the core system's online transaction interface is 16 bits long, the front gateway server compresses the 32-bit PINBLOCK into a 16-bit PINBLOCK so that the core system can receive it.
Note that an existing compression algorithm may be used to compress the 32-bit PINBLOCK into the 16-bit PINBLOCK; the specific compression process is not described here.
In the embodiment of the invention, when the field to which the PINBLOCK belongs is the 16-bit PINBLOCK field, the core system can receive the secret-related transaction message as it is, so the message composed of all the uploaded items can be sent directly to the core system.
Since PINBLOCKs of different lengths occupy different fields, after the 32-bit PINBLOCK is compressed into a 16-bit PINBLOCK the compressed 16-bit PINBLOCK is placed in the 16-bit PINBLOCK field and the 32-bit PINBLOCK is deleted from the 32-bit PINBLOCK field.
Step 404: recombine the compressed 16-bit PINBLOCK with the other uploaded items into a message and send the recombined message to the core system.
Before the front gateway server can forward messages, some preparation is needed: the core system's KVMK key table is updated, the Zone Master Key (ZMK) switch corresponding to the core system is set to the national cipher and the key value is updated to the national-cipher key value; the peripheral system then initiates a key exchange transaction to the core system, updating the ZPK in the KVMK key table to a national-cipher key.
After receiving the secret-related transaction message from the front gateway server, the core system verifies the customer's PIN using the 16-bit PINBLOCK, the ZMK and the ZPK. If the verification or the transaction times out, the core system returns a timeout error.
In the embodiment of the invention, a front gateway server is placed between the interface platform and the core system. When a peripheral system sends a secret-related transaction message to the core system, the interface platform connected to the peripheral system passes the message to the front gateway server; the front gateway server identifies which secret-related transaction messages contain a 32-bit PINBLOCK, compresses the 32-bit PINBLOCK into a 16-bit PINBLOCK, recombines the message around the compressed PINBLOCK and sends it to the core system. In this way the PINBLOCK compression logic is placed on a shared front gateway server, which reduces the amount of transformation needed in the peripheral systems and the core system: the core system can receive all secret-related transaction messages and verifies both 16-bit and 32-bit PINBLOCKs through its internal logic. The peripheral systems can be transformed one at a time, without having to complete compatibility with 16-bit and 32-bit PINBLOCKs all at once, and the customer does not notice the change of key algorithm, which improves the customer experience. In addition, the embodiment ensures a smooth transition of the national-cipher upgrade of the core system and the peripheral systems, and reduces the risk of faults in each system when going into production.
The embodiment of the invention also provides a message processing method, applied to the interface platform, for supporting the cryptographic upgrade of the peripheral system by the core system. As shown in fig. 5, the method comprises steps 501 to 503:
step 501, receiving a transaction message sent by a peripheral system through a designated interface, wherein the designated interface is the interface corresponding to the transaction code of the transaction;
step 502, reading the field to which each uploading item in the transaction message belongs, and determining whether the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty;
step 503, if the 16-bit PINBLOCK field or the 32-bit PINBLOCK field is not empty, determining that the transaction message is a secret-related transaction message and forwarding it to the pre-gateway server, so that the pre-gateway server compresses the 32-bit PINBLOCK in the secret-related transaction message into a 16-bit PINBLOCK, reassembles the compressed 16-bit PINBLOCK with the other uploading items except the PINBLOCK, and sends the reassembled message to the core system.
Different transactions correspond to different transaction codes: for example, an ATM withdrawal has one transaction code and a deposit has another. Each transaction code corresponds to a designated interface in the interface platform; the interface defines the fields of each uploading item in the transaction message, and the content of each transaction message is filled in according to those fields, for example the first field with the card number and the second field with the amount.
In another implementation, if both the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty, the transaction message is determined to be a non-secret-related transaction message, and the original forwarding link may be used, so that the interface platform forwards the non-secret-related transaction message directly to the core system.
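As an added illustration of steps 501 to 503 and the non-secret-related path just described (this is example code written for this page, not code from the patent or from the applicant), the following Python models an interface platform that fills a designated interface's fields from a transaction message, applies the "not null and not empty" check to both PINBLOCK fields, and decides whether the message goes to the pre-gateway server or directly to the core system. The interface definitions and field names, the assumption that the "16-bit" and "32-bit" PINBLOCK fields carry 16 and 32 hexadecimal characters, and the rejection of a populated but malformed PINBLOCK before forwarding are all assumptions not stated in the page.

```python
import re
from typing import Dict, List, Optional

Message = Dict[str, Optional[str]]

# Constructed interface definitions (assumption): each transaction code maps to
# the ordered uploading-item fields that its designated interface defines.
INTERFACES: Dict[str, List[str]] = {
    "ATM_WITHDRAW": ["card_no", "amount", "pinblock16", "pinblock32", "terminal_id"],
    "DEPOSIT": ["card_no", "amount", "pinblock16", "pinblock32"],
    "BALANCE_QUERY": ["card_no", "pinblock16", "pinblock32"],
}

# Assumed encoding: the "16-bit" and "32-bit" PINBLOCK fields carry 16 and 32
# hexadecimal characters respectively; the page does not state the encoding.
PINBLOCK16_RE = re.compile(r"^[0-9A-Fa-f]{16}$")
PINBLOCK32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


class MessageError(ValueError):
    """A message that must be rejected rather than forwarded anywhere."""


def parse_message(txn_code: str, values: List[Optional[str]]) -> Message:
    """Step 501: receive the message through the interface designated by its
    transaction code and fill the interface's fields from the uploaded values."""
    fields = INTERFACES.get(txn_code)
    if fields is None:
        raise MessageError(f"no designated interface for transaction code {txn_code!r}")
    if len(values) != len(fields):
        raise MessageError(
            f"{txn_code}: interface defines {len(fields)} uploading items, got {len(values)}"
        )
    return dict(zip(fields, values))


def is_present(value: Optional[str]) -> bool:
    """The page's 'not null and not empty' check on a field value."""
    return value is not None and value != ""


def classify(msg: Message) -> str:
    """Steps 502/503: 'secret' when either PINBLOCK field is populated, else 'plain'.
    A populated PINBLOCK field that is not well-formed is rejected instead of being
    forwarded (added validation; an assumption beyond what the page states)."""
    p16, p32 = msg.get("pinblock16"), msg.get("pinblock32")
    if is_present(p16) and not PINBLOCK16_RE.match(p16):
        raise MessageError("16-bit PINBLOCK field is populated but malformed")
    if is_present(p32) and not PINBLOCK32_RE.match(p32):
        raise MessageError("32-bit PINBLOCK field is populated but malformed")
    return "secret" if is_present(p16) or is_present(p32) else "plain"


def route(msg: Message) -> str:
    """Secret-related messages are forwarded to the pre-gateway server; all
    others take the original link straight to the core system."""
    return "pre-gateway" if classify(msg) == "secret" else "core"


if __name__ == "__main__":
    # Constructed sample traffic: a withdrawal carrying a 32-bit PINBLOCK from an
    # upgraded peripheral, a deposit with no PIN, and a query with a 16-bit PINBLOCK.
    samples = [
        ("ATM_WITHDRAW", ["6222000000000001", "100.00", None,
                          "0123456789ABCDEF0123456789ABCDEF", "T001"]),
        ("DEPOSIT", ["6222000000000002", "50.00", "", ""]),
        ("BALANCE_QUERY", ["6222000000000003", "0123456789ABCDEF", None]),
    ]
    for code, values in samples:
        print(code, "->", route(parse_message(code, values)))
```

The classification deliberately treats an empty string and a null value alike, which is exactly the page's test, and refuses a message whose PINBLOCK field is populated with something that cannot be a PIN block, since such a message would otherwise reach the pre-gateway server and the core system's verification path.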
In the embodiment of the invention, the modifications to each device are as follows:
Pre-gateway server:
1. establishing connections with each related system (interface platform, core system);
2. completing message forwarding;
3. providing a public method that checks whether the E-code byte array value is not null and not empty, so as to determine whether protocol conversion is to be performed on the secret-related transaction message;
4. providing a public method for E-code PINBLOCK compression;
5. accessing the host through the CTG cluster in Remote mode.
Core system: the core system modifies the online transaction interface description for transactions involving verification, adding a 32-bit PINBLOCK field at the end of the description. The online transaction interface description standardizes the types of uploading items the peripheral system sends to the core system; adding a description of a 32-bit PINBLOCK field means the peripheral system is allowed to write a 32-bit PINBLOCK in the secret-related transaction message. In other words, the 32-bit PINBLOCK field in the online transaction interface description exists only so that the peripheral system can upload the national cryptographic PINBLOCK for use by the IPS (intrusion prevention system). Since this field is not used in the core system's processing logic, no modification of the core system's processing is involved.
Interface platform: the interface is modified in coordination with the pre-gateway server and the core system.
Peripheral system: after the encryption algorithm is upgraded to the national cryptographic algorithm, the 32-bit national cryptographic PINBLOCK is sent to the interface platform according to the core interface.
It can be seen that this architecture has very little impact on, and requires very little modification of, the individual systems apart from the newly added pre-gateway server.
The embodiment of the invention also provides a pre-gateway server, described in the following embodiment. Because the principle by which the device solves the problem is similar to that of the message processing method applied to the pre-gateway server for supporting the cryptographic upgrade of the peripheral system by the core system, the implementation of the device can refer to the implementation of that method, and repeated details are omitted.
As shown in fig. 6, the pre-gateway server 600 includes a pre-communication module 601, a pre-reading module 602, and a compression module 603.
The front-end communication module 601 is configured to receive a secret-related transaction message sent by the interface platform server;
the pre-reading module 602 is configured to read the fields to which each uploading item in the secret-related transaction message belongs and determine whether the field to which the PINBLOCK belongs is a 16-bit PINBLOCK field or a 32-bit PINBLOCK field, where PINBLOCK is one of the uploading items;
a compression module 603, configured to compress the 32-bit PINBLOCK into the 16-bit PINBLOCK when the field to which the PINBLOCK belongs is a 32-bit PINBLOCK field;
the pre-communication module 601 is further configured to perform message reassembly on the compressed 16-bit PINBLOCK and other uploading items except for the PINBLOCK, and send the reassembled message to the core system server.
In one implementation of the embodiment of the present invention, the front-end communication module is further configured to:
when the field to which the PINBLOCK belongs is a 16-bit PINBLOCK field, send the message composed of all uploading items to the core system server.
In one implementation of the embodiment of the present invention, the pre-gateway server further includes:
a column changing module, configured to place the compressed 16-bit PINBLOCK into the 16-bit PINBLOCK field and delete the 32-bit PINBLOCK from the 32-bit PINBLOCK field.
In one implementation of the embodiment of the present invention, the front-end communication module is configured to:
send the message to the CTG cluster, which forwards the message to the core system server.
In one implementation of the embodiment of the present invention, the pre-gateway server is further configured to:
adopt Remote mode and connect to the CTG cluster through a load balancer.
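The pre-gateway modules described above (pre-reading module, compression module, column changing module and front-end communication module), as added example code that is not from the patent or the applicant: the Python below determines which PINBLOCK field a secret-related message uses, compresses a 32-bit PINBLOCK, moves the result into the 16-bit field and deletes the 32-bit value, reassembles the uploading items and hands the result to the core system link. The page does not disclose the compression method itself, so `compress` is a caller-supplied callable; the stand-alone run uses a constructed placeholder that returns a fixed value. The field order, the treatment of a message with both PINBLOCK fields populated (or neither) as an error, the check that compression really produced a 16-character hex PINBLOCK, and the masked audit line are assumptions beyond the page.

```python
from typing import Callable, Dict, List, Optional

Message = Dict[str, Optional[str]]

# Constructed field order for the reassembled message (assumption: the page says
# the items are recombined but not in which order; the interface order is kept).
FIELD_ORDER: List[str] = ["card_no", "amount", "pinblock16", "pinblock32", "terminal_id"]
HEX_DIGITS = set("0123456789abcdefABCDEF")


class GatewayError(ValueError):
    """A secret-related message the pre-gateway refuses to forward."""


def _is_present(value: Optional[str]) -> bool:
    return value is not None and value != ""


def _is_hex(value: str, length: int) -> bool:
    return len(value) == length and all(c in HEX_DIGITS for c in value)


def pinblock_column(msg: Message) -> str:
    """Pre-reading module: decide whether the PINBLOCK sits in the 16-bit or the
    32-bit field. Both or neither populated is treated as malformed (assumption)."""
    has16, has32 = _is_present(msg.get("pinblock16")), _is_present(msg.get("pinblock32"))
    if has16 and has32:
        raise GatewayError("both PINBLOCK fields are populated")
    if not has16 and not has32:
        raise GatewayError("secret-related message carries no PINBLOCK")
    return "32" if has32 else "16"


def reassemble(msg: Message, compress: Callable[[str], str]) -> Message:
    """Compression and column changing modules. `compress` turns a 32-bit PINBLOCK
    into a 16-bit one; the page does not disclose that method, so it is injected.
    A message already carrying a 16-bit PINBLOCK is forwarded with all items unchanged."""
    column = pinblock_column(msg)
    out: Message = {name: msg.get(name) for name in FIELD_ORDER}
    if column == "32":
        compressed = compress(str(msg["pinblock32"]))
        if not _is_hex(compressed, 16):
            raise GatewayError("compression did not yield a 16-character hex PINBLOCK")
        out["pinblock16"] = compressed  # placed into the 16-bit PINBLOCK field
        out["pinblock32"] = ""          # 32-bit PINBLOCK deleted from its field
    return out


def masked(value: Optional[str], keep_last: int = 0) -> str:
    """Audit-safe rendering: a PINBLOCK is never written to a log in the clear,
    and a card number keeps only its last digits."""
    if not value:
        return "<empty>"
    if keep_last:
        return "*" * (len(value) - keep_last) + value[-keep_last:]
    return "*" * len(value)


def forward(msg: Message, compress: Callable[[str], str],
            send: Callable[[Message], None], audit: List[str]) -> Message:
    """Front-end communication module: reassemble, hand the message to the core
    system link (the CTG cluster in the page's deployment; here any callable),
    and append a masked audit line."""
    column = pinblock_column(msg)
    out = reassemble(msg, compress)
    send(out)
    audit.append(
        f"forwarded card={masked(out['card_no'], 4)} column={column} "
        f"pinblock16={masked(out['pinblock16'])} pinblock32={masked(out['pinblock32'])}"
    )
    return out


def placeholder_compress(pinblock32: str) -> str:
    """CONSTRUCTED placeholder so the block runs stand-alone. It is not the page's
    compression method (which is not disclosed) and performs no cryptography;
    it returns a fixed 16-hex-character value regardless of its input."""
    return "FEDCBA9876543210"


if __name__ == "__main__":
    sent: List[Message] = []
    log: List[str] = []
    # Constructed sample: a withdrawal from an upgraded peripheral carrying a 32-bit PINBLOCK.
    sample: Message = {"card_no": "6222000000000001", "amount": "100.00", "pinblock16": None,
                       "pinblock32": "0123456789ABCDEF0123456789ABCDEF", "terminal_id": "T001"}
    forward(sample, placeholder_compress, sent.append, log)
    print(sent[0])
    print(log[0])
```

Keeping the 32-bit field present but empty in the reassembled message matches the page's statement that the core system defines the field yet never uses it; the audit line records which column was used without ever exposing either PINBLOCK value.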
The embodiment of the invention also provides an interface platform server, as described in the following embodiment. Because the principle of the device for solving the problem is similar to that of the message processing method for supporting the cryptographic upgrade of the peripheral system by the core system applied to the interface platform server, the implementation of the device can be referred to the implementation of the message processing method for supporting the cryptographic upgrade of the peripheral system by the core system applied to the interface platform server, and the repetition is omitted.
Referring to fig. 7, the interface platform server 700 includes an interface communication module 701 and an interface reading module 702.
The interface communication module 701 is configured to receive a transaction message sent by the peripheral system server through a designated interface, where the designated interface is an interface corresponding to a transaction code of a transaction;
the interface reading module 702 is configured to read fields to which each uploading item belongs in the transaction message, and determine whether the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty;
the interface communication module 701 is further configured to determine that the transaction message is a secret-related transaction message when the 16-bit PINBLOCK field or the 32-bit PINBLOCK field is not empty, forward the secret-related transaction message to the front gateway server, so that the front gateway server compresses the 32-bit PINBLOCK in the secret-related transaction message into the 16-bit PINBLOCK, and recombine the compressed 16-bit PINBLOCK with other uploading items except for the PINBLOCK, and send the recombined message to the core system server.
In one implementation of the embodiment of the present invention, the interface communication module is further configured to:
when both the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty, determine that the transaction message is a non-secret-related transaction message and forward it to the core system server.
The embodiment of the invention also provides a computer device; fig. 8 is a schematic diagram of the computer device in the embodiment of the invention. The computer device can implement all the steps of the message processing method, described in the above embodiments, by which the core system supports the cryptographic upgrade of the peripheral system, and it specifically includes the following:
a processor (processor) 801, a memory (memory) 802, a communication interface (Communications Interface) 803, and a communication bus 804;
wherein the processor 801, the memory 802, and the communication interface 803 complete communication with each other through the communication bus 804; the communication interface 803 is used for realizing information transmission between related devices;
the processor 801 is configured to invoke a computer program in the memory 802, where the processor executes the computer program to implement the method for processing a message in which the core system supports cryptographic upgrade of a peripheral system in the above embodiment.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the message processing method of the core system supporting the cryptographic upgrade of the peripheral system when being executed by a processor.
The embodiment of the invention also provides a computer program product, which comprises a computer program, and the computer program realizes the message processing method that the core system supports the cryptographic upgrade of the peripheral system when being executed by a processor.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the embodiments is provided to illustrate the general principles of the invention and is not intended to limit its scope; any modifications, equivalents, improvements and the like that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (17)

1. The method is characterized in that the method is applied to a front gateway server in a message transmission system, the message transmission system further comprises a core system, a peripheral system and an interface platform, the front gateway server is respectively connected with the core system and the interface platform, and the interface platform is further connected with the peripheral system, and the method comprises the following steps:
receiving a secret-related transaction message sent by an interface platform;
reading the column of each uploading item in the confidential transaction message, and determining that the column of PINBLOCK is 16-bit PINBLOCK column or 32-bit PINBLOCK column, wherein PINBLOCK is one of the uploading items;
when the column to which the PINBLOCK belongs is a 32-bit PINBLOCK column, compressing the 32-bit PINBLOCK into 16-bit PINBLOCK;
and carrying out message recombination on the compressed 16-bit PINBLOCK and other uploading items except the PINBLOCK, and sending the recombined message to a core system.
2. The method of claim 1, wherein after determining that the field to which the PINBLOCK belongs is a 16-bit PINBLOCK field or a 32-bit PINBLOCK field, the method further comprises:
when the field to which the PINBLOCK belongs is a 16-bit PINBLOCK field, sending the message composed of all uploading items to the core system.
3. The method of claim 1, wherein before reassembling the compressed 16-bit PINBLOCK with the other uploading items except the PINBLOCK, the method further comprises:
placing the compressed 16-bit PINBLOCK into the 16-bit PINBLOCK field, and deleting the 32-bit PINBLOCK from the 32-bit PINBLOCK field.
4. The method according to any one of claims 1 to 3, wherein sending the message to the core system comprises:
sending the message to the CTG cluster, which forwards the message to the core system.
5. The method according to claim 4, wherein the method further comprises:
adopting Remote mode and connecting to the CTG cluster through a load balancer.
6. The method is characterized in that the method is applied to an interface platform in a message transmission system, the message transmission system further comprises a core system, a peripheral system and a front gateway server, the interface platform is respectively connected with the peripheral system, the front gateway server and the core system, and the front gateway server is further connected with the core system, and the method comprises the following steps:
receiving a transaction message sent by a peripheral system through a designated interface, wherein the designated interface is an interface corresponding to a transaction code of a transaction;
reading the columns of all the uploading items in the transaction message, and determining whether the 16-bit PINBLOCK column and the 32-bit PINBLOCK column are empty;
if the 16-bit PINBLOCK field or the 32-bit PINBLOCK field is not null, determining that the transaction message is a secret-related transaction message, forwarding the secret-related transaction message to a front gateway server, compressing the 32-bit PINBLOCK in the secret-related transaction message into 16-bit PINBLOCK by the front gateway server, carrying out message recombination on the compressed 16-bit PINBLOCK and other uploading items except for the PINBLOCK, and sending the recombined message to a core system.
7. The method of claim 6, wherein after reading the field to which each upload item in the transaction message belongs and determining whether the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty, the method further comprises:
if both the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty, determining that the transaction message is a non-secret-related transaction message, and forwarding the non-secret-related transaction message to the core system.
8. A pre-gateway server, characterized in that the pre-gateway server is connected to a core system server and an interface platform server respectively, the interface platform server is further connected to a peripheral system server, and the pre-gateway server comprises:
the front communication module is used for receiving the confidential transaction message sent by the interface platform server;
the front-end reading module is used for reading the column of each uploading item in the confidential transaction message, determining that the column of PINBLOCK is 16-bit PINBLOCK column or 32-bit PINBLOCK column, wherein PINBLOCK is one of the uploading items;
the compression module is used for compressing the 32-bit PINBLOCK into the 16-bit PINBLOCK when the field to which the PINBLOCK belongs is the 32-bit PINBLOCK field;
and the front-end communication module is also used for carrying out message recombination on the compressed 16-bit PINBLOCK and other uploading items except the PINBLOCK and sending the recombined message to the core system server.
9. The pre-gateway server of claim 8, wherein the pre-communication module is further configured to:
and when the column to which the PINBLOCK belongs is a 16-bit PINBLOCK column, sending all messages of the uploading item combination to the core system server.
10. The pre-gateway server of claim 8, wherein the pre-gateway server further comprises:
the column changing module is used for placing the compressed 16-bit PINBLOCK into the 16-bit PINBLOCK column and deleting the 32-bit PINBLOCK in the 32-bit PINBLOCK column.
11. The pre-gateway server of any one of claims 8 to 10, wherein the pre-communication module is configured to:
and sending the message to the CTG cluster, and forwarding the message to a core system server by the CTG cluster.
12. The pre-gateway server of claim 11, wherein the pre-gateway server is further configured to:
adopting Remote mode and connecting to the CTG cluster through a load balancer.
13. An interface platform server, wherein the interface platform server is connected with a peripheral system server, a front gateway server and a core system server respectively, the front gateway server is also connected with the core system server, the interface platform server comprises:
the interface communication module is used for receiving a transaction message sent by the peripheral system server through a designated interface, wherein the designated interface is an interface corresponding to a transaction code of a transaction;
the interface reading module is used for reading the columns of all the uploading items in the transaction message and determining whether the 16-bit PINBLOCK column and the 32-bit PINBLOCK column are empty;
the interface communication module is further configured to determine that the transaction message is a secret-related transaction message when the 16-bit PINBLOCK field or the 32-bit PINBLOCK field is not empty, and forward the secret-related transaction message to the pre-gateway server, so that the pre-gateway server compresses the 32-bit PINBLOCK in the secret-related transaction message into a 16-bit PINBLOCK, reassembles the compressed 16-bit PINBLOCK with the other uploading items except the PINBLOCK, and sends the reassembled message to the core system server.
14. The interface platform server of claim 13, wherein the interface communication module is further configured to:
when both the 16-bit PINBLOCK field and the 32-bit PINBLOCK field are empty, determine that the transaction message is a non-secret-related transaction message and forward it to the core system server.
15. A messaging system comprising a pre-gateway server according to any of claims 8 to 12, an interface platform server according to any of claims 13 to 14, a core system server and a peripheral system server.
16. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 7 when executing the computer program.
17. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 7.
CN202111425866.3A 2021-11-26 2021-11-26 Message processing method and server for supporting peripheral system cryptographic upgrade by core system Active CN114143278B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111425866.3A CN114143278B (en) 2021-11-26 2021-11-26 Message processing method and server for supporting peripheral system cryptographic upgrade by core system

Publications (2)

Publication Number Publication Date
CN114143278A CN114143278A (en) 2022-03-04
CN114143278B true CN114143278B (en) 2024-02-23

Family

ID=80388879

Country Status (1)

Country Link
CN (1) CN114143278B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114926296B (en) * 2022-06-08 2024-11-05 中国银行股份有限公司 Risk control method and device for new business types of banks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN203786773U (en) * 2014-03-18 2014-08-20 北京银联商务有限公司 Mobile payment service platform
CN107563743A (en) * 2017-08-14 2018-01-09 福建新大陆支付技术有限公司 Method and system for improving POS transaction security
CN111311261A (en) * 2020-02-24 2020-06-19 中国工商银行股份有限公司 Security processing method, device and system for online transaction

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9996835B2 (en) * 2013-07-24 2018-06-12 Visa International Service Association Systems and methods for communicating token attributes associated with a token vault

Also Published As

Publication number Publication date
CN114143278A (en) 2022-03-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant