CN115664781A - System safety management method, system, equipment and medium for self-service equipment - Google Patents

Publication number
CN115664781A
Authority
CN
China
Legal status
Pending
Application number
CN202211295695.1A
Other languages
Chinese (zh)
Inventor
张涛
李军
王勇
汪林
Current Assignee
Inspur Financial Information Technology Co Ltd
Original Assignee
Inspur Financial Information Technology Co Ltd

Abstract

The invention discloses a system security management method, system, device and medium for self-service equipment. The method comprises: building an authorization management platform, obtaining self-service equipment information, and constructing core authorization information based on the authorization management platform and the self-service equipment information; detecting a device-side operation request, and executing a device-side authorization management operation based on the core authorization information and the device-side operation request; and detecting the device-side authorization state, and executing an application-layer authorization management operation based on the core authorization information and the device-side authorization state. The invention provides a new means of authorization management without changing the basic functions of the AP, the SP and the hardware, and so achieves the security management goal; through the joint operation of the AP, the SP and the underlying hardware firmware it fundamentally addresses the security risks of the equipment, and through the logic design of hardware device binding it achieves maximum security and confidentiality.

Description

System safety management method, system, equipment and medium for self-service equipment
Technical Field
The invention relates to the technical field of system security management, in particular to a system security management method, a system, equipment and a medium for self-service equipment, which are applied to the field of self-service cash equipment.
Background
At present, CEN/XFS is the standard interface that plays a key role in the development of self-service cash equipment, and it is a technical specification that developers of such equipment need to understand in depth. The software of self-service cash equipment mainly comprises an application program (AP, Application), a middleware program (SP, Service Provider), device drivers (Drivers), a maintenance tool (Maintenance) and the like. The application program (hereinafter AP) and the middleware program (hereinafter SP) sit at the two ends of the CEN specification, so an equipment manufacturer only needs to develop an SP that meets the CEN specification, the customer can choose another vendor to develop an AP that meets the CEN specification, and the software system of the whole device still runs smoothly. An XFS Manager is needed to relay between the AP and the SP. Generally, the XFS Manager program is provided by a CEN authority, and its files are three dll dynamic link libraries: 'msxfs.dll', 'xfs_conf.dll' and 'xfs_supp.dll'. The specific functions of the three libraries are explained in detailed XFS Manager documentation; here it is enough to know that they provide a series of library functions for the AP to call, and that the SP in turn provides a dll for the XFS Manager to call. In other words, the XFS Manager acts as a 'transfer station' between the AP and the SP.
From the above background it can be seen that, in existing self-service cash equipment systems, the SP and the hardware bottom layer both passively receive commands and execute them unconditionally, with no protective measures of their own. This architecture is therefore prone to the following problems:
First, although an existing self-service cash equipment system can use antivirus and anti-Trojan software to stop ordinary virus or Trojan intrusion, it cannot stop people with ulterior motives from replacing the original legitimate terminal application software with a modified version for the purpose of misappropriation;
Second, even when the application software has not been replaced, some people can get into the management back end of the self-service cash equipment by other routes, again for the purpose of misappropriation;
Third, if antivirus and anti-Trojan software is not installed, the likelihood of illegal intrusion is even higher.
In summary, existing self-service cash equipment needs combined security management from the SP layer and the hardware firmware bottom layer of the system, so as to improve the security of the equipment.
Disclosure of Invention
The invention aims to provide a system security management method, system, device and medium for self-service equipment that address the problems in the prior art, realizing combined security management from the manufacturer's SP layer and the hardware firmware bottom layer of the self-service cash equipment system and thereby improving the security of the self-service cash equipment.
To achieve this purpose, the specific technical scheme of the invention is as follows:
In one aspect, the invention provides a system security management method for self-service equipment, comprising the following steps:
Permission allocation:
building an authorization management platform, obtaining self-service equipment information, and constructing core authorization information based on the authorization management platform and the self-service equipment information;
Device-side permission issuing:
detecting a device-side operation request, and executing a device-side authorization management operation based on the core authorization information and the device-side operation request;
Application-layer permission issuing:
detecting the device-side authorization state, and executing an application-layer authorization management operation based on the core authorization information and the device-side authorization state.
As an improved scheme, the self-service equipment information comprises: self-service equipment identification information and self-service equipment user information;
constructing the core authorization information based on the authorization management platform and the self-service equipment information comprises:
in the authorization management platform, setting authorization information and authorization time limit information for the self-service equipment identification information based on the self-service equipment user information;
binding the authorization information, the authorization time limit information and the self-service equipment identification information according to the self-service equipment user information to obtain authorization binding information;
and setting the authorization binding information as the core authorization information.
As an improved scheme, the device-side authorization management operation comprises:
when the device-side operation request exists, confirming the device side and the mobile terminal corresponding to the device-side operation request; executing an authorization request step based on the device side, the mobile terminal and the authorization management platform;
and after the authorization request step is executed, selectively granting authorization permission to the device side based on the authorization management platform and the core authorization information.
As an improved scheme, the authorization request step comprises:
generating a first device-side password based on the hardware information and the time information of the device side;
generating a verification two-dimensional code based on the first device-side password;
and transmitting the first device-side password to the authorization management platform by means of the mobile terminal and the verification two-dimensional code.
As an improved scheme, selectively granting authorization permission to the device side based on the authorization management platform and the core authorization information comprises:
identifying, through the authorization management platform, the hardware information, the time information and the mobile terminal user information corresponding to the transmitted first device-side password;
checking whether the core authorization information contains first authorization binding information that matches the hardware information and the mobile terminal user information; if it does, encrypting and generating first operation authorization information based on the time information and the first authorization time limit information in the first authorization binding information; writing the first operation authorization information into the device side by means of the mobile terminal;
and the device side receiving and decrypting the written first operation authorization information to obtain the authorization permission.
As an improved scheme, the device-side authorization state comprises: device side authorized and device side not authorized;
executing the application-layer authorization management operation based on the core authorization information and the device-side authorization state comprises:
identifying the device-side authorization state;
when the device-side authorization state is that the device side is authorized, detecting whether an application-layer call request exists; and if so, executing the application-layer authorization management operation based on the application-layer call request and the first authorization binding information.
As an improved scheme, the application-layer authorization management operation comprises:
confirming the hardware to be called and the middleware to be served that correspond to the application-layer call request;
generating a first authorization key for the middleware to be served based on the first authorization binding information;
verifying the validity of the first authorization key based on the hardware information of the hardware to be called;
and calling the hardware to be called to respond to the application-layer call request based on the validity.
In another aspect, the invention further provides a system security management system for self-service equipment, comprising:
the system comprises an authority distribution module, an equipment side authority issuing module and an application layer authority issuing module;
the authority distribution module is used for building an authorization management platform, acquiring self-service equipment information and building core authorization information based on the authorization management platform and the self-service equipment information;
the device side authority issuing module is used for detecting a device side operation request and executing device side authorization management operation based on the core authorization information and the device side operation request;
and the application layer authority issuing module is used for detecting the authorization state of the equipment end and executing application layer authorization management operation based on the core authorization information and the authorization state of the equipment end.
In another aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the system security management method for self-service equipment.
In another aspect, the present invention further provides a computer device, where the computer device includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein:
the memory is used for storing a computer program;
the processor is used for executing the steps of the system safety management method for the self-service equipment by running the program stored in the memory.
The technical scheme of the invention has the beneficial effects that:
1. The system security management method for self-service equipment provides a new means of authorization management without changing the basic functions of the AP, the SP and the hardware, and so achieves the security management goal. It ensures the security of the AP, the SP and the hardware during operation and ensures that they are not tampered with; even if they are tampered with, it ensures that they cannot continue to work. By operating jointly from the AP, the SP and the hardware firmware bottom layer, it fundamentally addresses the security risks of the equipment, and through the logic design of hardware device binding it achieves maximum security and confidentiality.
2. The system security management system for self-service equipment, through the cooperation of the authority distribution module, the device side authority issuing module and the application layer authority issuing module, provides a new means of authorization management without changing the basic functions of the AP, the SP and the hardware, and so achieves the security management goal. It ensures the security of the AP, the SP and the hardware during operation and ensures that they are not tampered with; even if they are tampered with, it ensures that they cannot continue to work. It thereby fundamentally addresses the security risks of the equipment, and through the logic design of hardware device binding it achieves maximum security and confidentiality.
3. The computer-readable storage medium can guide the authority distribution module, the device side authority issuing module and the application layer authority issuing module to cooperate, and thereby implements the system security management method for self-service equipment.
4. The computer device can store and execute the computer-readable storage medium, and thereby implements the system security management method for self-service equipment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flow chart of a system security management method for a self-service device according to embodiment 1 of the present invention;
Fig. 2 is a detailed flowchart of a system security management method for a self-service device according to embodiment 1 of the present invention;
Fig. 3 is a schematic structural diagram of a system security management system for self-service equipment according to embodiment 2 of the present invention;
Fig. 4 is a schematic structural diagram of a computer device according to embodiment 4 of the present invention;
The reference numerals in the drawings are as follows:
1501. a processor; 1502. a communication interface; 1503. a memory; 1504. a communication bus.
Detailed Description
The following detailed description of the preferred embodiments of the present invention, taken in conjunction with the accompanying drawings, will make the advantages and features of the present invention more comprehensible to those skilled in the art, and will thus provide a clear and concise definition of the scope of the present invention.
In the description of the present invention, it should be noted that the described embodiments of the present invention are a part of the embodiments of the present invention, and not all embodiments; all other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments herein described are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or device.
Example 1
The embodiment provides a system security management method for self-service equipment, as shown in fig. 1 and 2, including the following steps:
S100, authority distribution:
S110, building an authorization management platform, obtaining self-service equipment information, and constructing core authorization information based on the authorization management platform and the self-service equipment information;
S200, device-side authority issuing:
S210, detecting a device-side operation request, and executing a device-side authorization management operation based on the core authorization information and the device-side operation request;
S300, application-layer authority issuing:
S310, detecting the device-side authorization state, and executing an application-layer authorization management operation based on the core authorization information and the device-side authorization state.
As an embodiment of the present invention, the self-service device information includes: self-service equipment identification information and self-service equipment user information; the self-service equipment identification information includes but is not limited to a code of the self-service equipment, a bank name corresponding to the self-service equipment, a bank code, a branch name, a branch code and the like; the self-service equipment user information comprises but is not limited to the job number, the name, the job level and the like of all users who register to use the self-service equipment;
the establishing of the core authorization information based on the authorization management platform and the self-service equipment information comprises:
in the authorization management platform, setting authorization information and authorization time limit information for the self-service equipment identification information based on the self-service equipment user information; binding the authorization information, the authorization time limit information and the self-service equipment identification information according to the self-service equipment user information to obtain authorization binding information; and setting the authorization binding information as the core authorization information. In this step, the authorization management platform is a management website associated with the self-service equipment. Implementers and managers can each log in to the management website through the bank or company intranet to create permission tasks for the self-service equipment corresponding to given self-service equipment identification information, or to authorize such tasks, so that different authorization information and authorization time limit information can be generated for a batch of devices or a single device and for particular tasks; this information is finally bound together to control operating permissions. The authorization information represents the division of usage permissions, such as whether permission exists for a certain task; the authorization time limit information represents how long permission for a certain task lasts; the tasks referred to here include, but are not limited to, certain operating instructions or operation types for the self-service equipment. Furthermore, the authorization information can be stored in the management website, where managers can query historical authorization information together with implementer information and other related information, and can also generate general (or specific) authorization information. In this embodiment, when the AP, the SP and the hardware firmware of the device are upgraded, the authorization management platform writes encrypted general authorization information that can be used only once into the AP, SP and hardware firmware upgrade package so that batch upgrades can be completed, thereby authorizing the firmware upgrade. Specific information (such as the bank name, bank code, branch name and branch code in the self-service equipment identification information) can also be added to the general authorization information to ensure that the authorization information can be used only on a particular self-service device, preventing cross-device misuse;
As an embodiment of the present invention, the device-side authorization management operation includes: when the device-side operation request exists, the device is about to be used and authorization must be verified, so the device side and the mobile terminal corresponding to the device-side operation request are confirmed; an authorization request step is executed based on the device side, the mobile terminal and the authorization management platform; and after the authorization request step is executed, authorization permission is granted to the device side based on the authorization management platform and the core authorization information.
As an embodiment of the present invention, the authorization request step includes: generating a first device-side password based on the hardware information and the time information of the device side; generating a verification two-dimensional code based on the first device-side password; and transmitting the first device-side password to the authorization management platform by means of the mobile terminal and the verification two-dimensional code. In this step, an APP on the device side that is bound to the SP generates a local password (the first device-side password) that is valid only once, derived from the device's specific hardware information and the local date and time (the time information), and generates a dynamic two-dimensional code (the verification two-dimensional code) from that local password;
As an embodiment of the present invention, selectively granting authorization permission to the device side based on the authorization management platform and the core authorization information includes: identifying, through the authorization management platform, the hardware information, the time information and the mobile terminal user information corresponding to the transmitted first device-side password; checking whether the core authorization information contains first authorization binding information that matches the hardware information and the mobile terminal user information; if it does, encrypting and generating first operation authorization information based on the time information and the first authorization time limit information in the first authorization binding information; writing the first operation authorization information into the device side by means of the mobile terminal; and the device side receiving and decrypting the written first operation authorization information to obtain the authorization permission. In practice, the implementer scans the two-dimensional code (verification two-dimensional code) generated by the device with a WeChat mini program on a mobile phone and uploads it to the authorization management platform on the server. The platform obtains the implementer's mobile terminal user information through the mini program and checks whether the core authorization information contains first authorization binding information matching the hardware information and the mobile terminal user information; if so, the implementer is legitimate, and the encrypted authorization information (first operation authorization information) is displayed back on the implementer's mobile phone. The implementer writes the encrypted authorization information into the APP on the device side that is bound to the SP, and the device decrypts it automatically to obtain the authorization and hence the permission. To further ensure confidentiality, this step has the following more specific sub-steps: after the code is scanned, the client performs a first encryption of the one-time local password (generated from the specific hardware information of the device side and the local date and time) using a preset national cryptographic symmetric or asymmetric algorithm and a preset key, and transmits the result to the server; the server decrypts what it receives to obtain the local password and uses it for permission verification; once verification passes, the server performs a second encryption on the authorization information and returns the encryption result to the client; the encryption result is finally written back into the device side through the client, and the device side decrypts it to obtain the authorization information. Because the authorization information is also associated with the authorization time limit information, the device can work normally only within a given authorization period, and the security is very high.
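The device-side authorization exchange described above, as an added sketch that is not code from the patent or from its assignee. It assumes a per-device key shared between device and platform and uses HMAC-SHA256 from the Python standard library in place of the national cryptographic algorithms the text calls for, so the authorization is integrity-protected rather than encrypted; all class names, identifiers, keys and the 120-second freshness window are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: hypothetical device ids, user ids and keys.
DEVICE_KEYS = {"ATM-0001": b"demo-key-atm-0001", "ATM-0002": b"demo-key-atm-0002"}
# Core authorization information: (hardware id, user id) -> tasks and validity period.
BINDINGS = {("ATM-0001", "E1001"): {"tasks": ["maintenance"], "valid_seconds": 3600}}


def mac(key, label, *fields):
    """HMAC-SHA256 over a label plus fields, JSON-encoded so field boundaries are unambiguous."""
    return hmac.new(key, json.dumps([label, *fields]).encode(), hashlib.sha256).hexdigest()


class Device:
    def __init__(self, hardware_id, key):
        self.hardware_id, self.key = hardware_id, key
        self.pending_ts = None   # timestamp of the outstanding request
        self.grant = None        # accepted authorization, if any

    def make_password(self, now):
        """One-time local password from hardware info and local time (the 2D-code payload)."""
        self.pending_ts = int(now)
        return {"hw": self.hardware_id, "ts": self.pending_ts,
                "mac": mac(self.key, "request", self.hardware_id, self.pending_ts)}

    def accept(self, grant, now):
        """Verify the authorization written back through the mobile terminal."""
        if not hmac.compare_digest(grant["mac"], mac(self.key, "grant", grant["payload"])):
            return False         # forged, altered, or issued for another device's key
        body = json.loads(grant["payload"])
        if body["hw"] != self.hardware_id or body["req_ts"] != self.pending_ts:
            return False         # not an answer to this device's outstanding request
        if now >= body["expires"]:
            return False
        self.grant, self.pending_ts = body, None
        return True

    def is_authorized(self, task, now):
        g = self.grant
        return g is not None and task in g["tasks"] and now < g["expires"]


class Platform:
    def __init__(self, keys, bindings, max_age=120):
        self.keys, self.bindings, self.max_age = keys, bindings, max_age
        self.used = set()        # (hardware id, timestamp) pairs already redeemed

    def authorize(self, password, user_id, now):
        """Check the one-time password and the binding; return a time-limited grant or None."""
        hw, ts = password["hw"], password["ts"]
        key = self.keys.get(hw)
        if key is None or not hmac.compare_digest(password["mac"], mac(key, "request", hw, ts)):
            return None
        if abs(now - ts) > self.max_age or (hw, ts) in self.used:
            return None          # stale code, or password already used once
        self.used.add((hw, ts))
        binding = self.bindings.get((hw, user_id))
        if binding is None:
            return None          # this user is not bound to this hardware
        payload = json.dumps({"hw": hw, "user": user_id, "req_ts": ts,
                              "expires": ts + binding["valid_seconds"],
                              "tasks": binding["tasks"]}, sort_keys=True)
        return {"payload": payload, "mac": mac(key, "grant", payload)}


def run_demo():
    platform = Platform(DEVICE_KEYS, BINDINGS)
    atm1 = Device("ATM-0001", DEVICE_KEYS["ATM-0001"])
    atm2 = Device("ATM-0002", DEVICE_KEYS["ATM-0002"])
    password = atm1.make_password(now=1000)
    grant = platform.authorize(password, "E1001", now=1010)
    forged = dict(grant, payload=grant["payload"].replace("4600", "99999"))
    return {
        "replayed_password": platform.authorize(password, "E1001", now=1020),
        "unbound_pair": platform.authorize(atm2.make_password(now=1000), "E1001", now=1010),
        "forged_expiry": atm1.accept(forged, now=1015),
        "wrong_device": atm2.accept(grant, now=1015),
        "genuine": atm1.accept(grant, now=1015),
        "in_period": atm1.is_authorized("maintenance", now=2000),
        "after_period": atm1.is_authorized("maintenance", now=4600),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the genuine grant on the requesting device is accepted, and it stops working once the authorization period ends; the replayed password, the unbound user/device pair, the altered expiry and the grant carried to a second device are all rejected.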
As an embodiment of the present invention, the device-side authorization state includes: device side authorized and device side not authorized; executing the application-layer authorization management operation based on the core authorization information and the device-side authorization state comprises:
identifying the device-side authorization state;
when the device-side authorization state is that the device side is authorized, the device can be used, so the device side is checked for an application-layer call request; if such a request exists, an implementer is calling the firmware of the device side, and the application-layer authorization management operation is therefore executed based on the application-layer call request and the first authorization binding information.
As an embodiment of the present invention, the authorization management operation of the application layer includes:
in this embodiment, authorization management at the application layer mainly covers authorization management of the hardware firmware, management of the AP, and management of the SP. In this embodiment, the bottom layer of the hardware firmware is set to perform security verification of the authorization information whenever it receives an SP instruction, and the hardware does not execute any instruction that fails the security verification. The hardware firmware is set to a non-downgradable version, to prevent security verification from being bypassed through version rollback. Moreover, the SP can be authorized by technical means so that its files cannot be tampered with, and the AP can be authorized through the SP so that its files cannot be tampered with;
confirming the hardware to be called and the middleware to be served (SP) that correspond to the application-layer call request; generating a first authorization key for the middleware to be served based on the first authorization binding information; verifying the validity of the first authorization key based on the hardware information of the hardware to be called; and calling the hardware to be called to respond to the application-layer call request based on the validity, that is, calling the hardware only when the first authorization key is valid (the local key corresponds to the authorization). In this step, when a given piece of hardware firmware is called, a local key (the first authorization key) is generated from the hardware firmware information, and when the SP starts, the hardware and the SP exchange the authorization information and the local key, which ensures that work is carried out under SP authorization (and only when the local key corresponds to the authorization). This in turn ensures that all calls to and operation of the firmware take place under authorization. Correspondingly, for the AP, in this embodiment the AP is bound to the SP and the device side cannot use an unbound AP, which prevents illegal external operations such as modification and deletion;
when the method is implemented, the deployment environment has the following prerequisites: first, the hardware firmware version, the SP running version and the AP running version are deployed on the device side, so that the device can run securely to acquire authorization, check authorization and execute authorized operations; second, the mobile terminal mini program and the authorization management platform are configured in advance to work together; in addition, the device side must be authorized when it is first installed, otherwise the device cannot run, which further improves security.
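The firmware-side checks of the application layer described above (authorization verified before any SP instruction runs, key validity tied to the hardware information, no version rollback), as an added sketch rather than code from the patent. The HMAC-SHA256 key derivation, the shared secret, the command names and the version tuples are assumptions made for illustration.

```python
import hashlib
import hmac
import json


def authorization_key(secret, binding):
    """Key handed to the SP: an HMAC over the canonical binding (hardware, commands, expiry)."""
    canonical = json.dumps(binding, sort_keys=True).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


class Firmware:
    """Hardware firmware that refuses any SP command not covered by a valid authorization."""

    def __init__(self, hardware_id, version, secret):
        self.hardware_id = hardware_id
        self.version = version      # tuple such as (1, 2, 0)
        self.secret = secret        # provisioned secret (assumption)
        self.session = None         # binding accepted at SP start-up

    def sp_startup(self, binding, key, now):
        """SP start-up exchange: accept the binding only if the key is valid for this hardware."""
        valid = (hmac.compare_digest(key, authorization_key(self.secret, binding))
                 and binding["hw"] == self.hardware_id
                 and now < binding["expires"])
        self.session = binding if valid else None
        return valid

    def execute(self, command, now):
        """Run a command only inside an unexpired session that lists it."""
        s = self.session
        if s is None or now >= s["expires"] or command not in s["commands"]:
            return "REFUSED"
        return "OK " + command

    def upgrade(self, new_version):
        """Non-downgradable firmware: only a strictly newer version is installed."""
        if new_version <= self.version:
            return False
        self.version = new_version
        return True


def run_demo():
    secret = b"demo-vendor-secret"          # constructed value
    fw = Firmware("CDM-A", (1, 2, 0), secret)
    binding = {"hw": "CDM-A", "commands": ["STATUS", "DISPENSE"], "expires": 5000}
    key = authorization_key(secret, binding)
    out = {"before_startup": fw.execute("STATUS", now=1000)}
    out["startup"] = fw.sp_startup(binding, key, now=1000)
    out["listed"] = fw.execute("DISPENSE", now=1500)
    out["unlisted"] = fw.execute("RESET", now=1500)
    out["expired"] = fw.execute("DISPENSE", now=5000)
    # Same key presented with a stretched expiry: the recomputed key no longer matches.
    out["tampered"] = fw.sp_startup(dict(binding, expires=99999), key, now=1000)
    # A correctly keyed binding for different hardware is refused by the hardware-info check.
    other = dict(binding, hw="CDM-B")
    out["other_device"] = fw.sp_startup(other, authorization_key(secret, other), now=1000)
    out["rollback"] = fw.upgrade((1, 1, 9))
    out["upgrade"] = fw.upgrade((1, 3, 0))
    return out


if __name__ == "__main__":
    print(run_demo())
```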
Example 2
The present embodiment provides a system security management system for self-service devices based on the same inventive concept as the method for system security management for self-service devices described in embodiment 1, as shown in fig. 3, including: the system comprises an authority distribution module, an equipment side authority issuing module and an application layer authority issuing module;
the authority distribution module is used for building an authorization management platform, acquiring self-service equipment information and building core authorization information based on the authorization management platform and the self-service equipment information;
as an embodiment of the present invention, the self-service device information includes: self-service equipment identification information and self-service equipment user information;
as an embodiment of the present invention, the authority distribution module constructs core authorization information based on the authorization management platform and the self-service device information, including: the authority distribution module is arranged in the authorization management platform and sets authorization information and authorization time limit information about the self-service equipment identification information based on the self-service equipment user information; the authority distribution module binds the authorization information, the authorization time limit information and the self-service equipment identification information according to the self-service equipment user information to obtain authorization binding information; and the authority distribution module sets the authorization binding information as the core authorization information.
The device side authority issuing module is used for detecting a device side operation request and executing device side authorization management operation based on the core authorization information and the device side operation request;
as an embodiment of the present invention, the device side authorization management operation includes: when the equipment side operation request exists, the equipment side authority issuing module confirms the equipment side and the mobile side corresponding to the equipment side operation request; the equipment side authority issuing module executes an authorization request step based on the equipment side, the mobile side and the authorization management platform; after the device side permission issuing module executes the authorization request step, the device side permission issuing module selects to give authorization permission to the device side based on the authorization management platform and the core authorization information.
As an embodiment of the present invention, the authorization request step includes: the equipment side authority issuing module generates a first equipment side password based on the hardware information and the time information of the equipment side; the equipment side authority issuing module generates a check two-dimensional code based on the first equipment side password; and the equipment side authority issuing module transmits the first equipment side password to the authorization management platform based on the mobile terminal and the verification two-dimensional code.
As an implementation manner of the present invention, the method for giving authorization permission to the device side by the device side permission issuing module based on the authorization management platform and the core authorization information includes: the equipment side authority issuing module identifies the hardware information, the time information and the mobile terminal user information corresponding to the transmitted first equipment password through the authorization management platform; the equipment side authority issuing module checks whether first authorization binding information of which the hardware information is matched with the mobile terminal user information exists in the core authorization information; if the first authorization binding information exists, the equipment side authority issuing module encrypts and generates first operation authorization information based on the first authorization time limit information and the time information in the first authorization binding information; the equipment side authority issuing module writes the first operation authorization information into the equipment side based on the mobile side; and the equipment end receives and decrypts the written first operation authorization information to obtain authorization permission.
And the application layer authority issuing module is used for detecting the authorization state of the equipment end and executing application layer authorization management operation based on the core authorization information and the authorization state of the equipment end.
As an embodiment of the present invention, the device side authorization state includes: the device side has obtained authorization permission, and the device side has not obtained authorization permission;
as an implementation manner of the present invention, the application layer authority issuing module executes an application layer authorization management operation based on the core authorization information and the device side authorization state, including: the application layer authority issuing module identifies the authorization state of the equipment terminal; when the authorization state of the equipment terminal is that the equipment terminal is authorized and permitted, the application layer authority issuing module detects whether an application layer calling request exists; and if so, the application layer authority issuing module executes the application layer authorization management operation based on the application layer calling request and the first authorization binding information.
As an embodiment of the present invention, the application layer authorization management operation includes: the application layer authority issuing module confirms the hardware to be called and the middleware to be served corresponding to the application layer calling request; the application layer authority issuing module generates a first authorization key related to the to-be-serviced middleware based on the first authorization binding information; the application layer authority issuing module verifies the validity of the first authorization key based on the hardware information of the hardware to be called; and the application layer authority issuing module calls the hardware to be called to respond to the application layer calling request based on the legality.
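The authorization request, the grant and the middleware key check described above, as an added Python example (not code from the patent). The patent names no cipher or key scheme, so the example assumes a per-device secret shared between firmware and platform and substitutes HMAC-SHA256 authentication for the unspecified encryption; every function name, the sample identifiers, the five-minute request window and the request-timestamp replay check are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data. Assumption: each device shares a secret with the platform.
DEVICE_KEYS = {"ATM-HW-0001": b"constructed-secret-1", "ATM-HW-0002": b"constructed-secret-2"}
# Core authorization information: (hardware id, mobile user) -> authorization time limit (s).
CORE_AUTH = {("ATM-HW-0001", "engineer-42"): 8 * 3600}
MAX_REQUEST_AGE = 300  # assumption: a scanned QR code is honoured for five minutes


def _seal(key, fields):
    """Serialize fields and prepend an HMAC-SHA256 tag (integrity, not secrecy)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest() + body).decode()


def _open(blob, key_for, kind):
    """Return the fields only if the tag verifies and the message is of the expected kind."""
    try:
        raw = base64.urlsafe_b64decode(blob.encode())
        tag, body = raw[:32], raw[32:]
        fields = json.loads(body)
        key = key_for(fields["hw"])
    except (ValueError, KeyError, TypeError):
        return None
    if key is None or not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return fields if fields.get("t") == kind else None


def device_request(hw_id, now):
    """Device: first device-side password from hardware and time info (the QR payload)."""
    return _seal(DEVICE_KEYS[hw_id], {"t": "req", "hw": hw_id, "ts": int(now)})


def platform_grant(password, mobile_user, now):
    """Platform: recover hardware/time info, match the binding, issue operation authorization."""
    req = _open(password, DEVICE_KEYS.get, "req")
    if req is None or not 0 <= now - req["ts"] <= MAX_REQUEST_AGE:
        return None  # forged, malformed or stale request
    limit = CORE_AUTH.get((req["hw"], mobile_user))
    if limit is None:
        return None  # no binding between this hardware and this mobile user
    grant = {"t": "grant", "hw": req["hw"], "ts": req["ts"], "exp": req["ts"] + limit}
    return _seal(DEVICE_KEYS[req["hw"]], grant)


def device_accept(grant, hw_id, pending_ts, now):
    """Device: accept only a grant for this hardware, for the pending request, not expired."""
    fields = _open(grant, lambda hw: DEVICE_KEYS.get(hw) if hw == hw_id else None, "grant")
    if fields is None or fields["ts"] != pending_ts or now >= fields["exp"]:
        return None
    return fields


def _sp_key(hw_id, exp, sp_name):
    key = DEVICE_KEYS.get(hw_id)
    if key is None:
        return None
    return hmac.new(key, f"sp|{hw_id}|{exp}|{sp_name}".encode(), hashlib.sha256).hexdigest()


def sp_authorization_key(grant_fields, sp_name):
    """Application layer: first authorization key for one middleware (SP), from the binding."""
    return _sp_key(grant_fields["hw"], grant_fields["exp"], sp_name)


def hardware_allows_call(local_hw_id, grant_exp, sp_name, presented_key, now):
    """Firmware: recompute the key from its own hardware info; refuse on mismatch or expiry."""
    expected = _sp_key(local_hw_id, grant_exp, sp_name)
    if expected is None or now >= grant_exp:
        return False
    return hmac.compare_digest(expected, presented_key)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    grant = platform_grant(device_request("ATM-HW-0001", t0), "engineer-42", t0 + 60)
    fields = device_accept(grant, "ATM-HW-0001", t0, t0 + 120)
    key = sp_authorization_key(fields, "CardReaderSP")
    print(hardware_allows_call("ATM-HW-0001", fields["exp"], "CardReaderSP", key, t0 + 200))
```

Binding the grant to the request timestamp means a captured grant cannot be written back in answer to a later request, and deriving the middleware key from the hardware identifier makes a key issued for one unit fail on another.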
Example 3
The present embodiments provide a computer-readable storage medium, comprising:
the storage medium is used for storing the computer software instructions that implement the system safety management method for self-service equipment described in embodiment 1, including a program for executing that method; specifically, the executable program may be embedded in the system security management system for self-service equipment described in embodiment 2, so that the system can implement the method of embodiment 1 by executing the embedded executable program.
Furthermore, the computer-readable storage medium of the present embodiments may take any combination of one or more readable storage media, where a readable storage medium includes an electronic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof.
Example 4
The present embodiment provides an electronic device, as shown in fig. 4, the electronic device may include: the system comprises a processor 1501, a communication interface 1502, a memory 1503 and a communication bus 1504, wherein the processor 1501, the communication interface 1502 and the memory 1503 complete communication with each other through the communication bus 1504.
A memory 1503 for storing a computer program;
the processor 1501 is configured to implement the steps of the system security management method for self-service devices in embodiment 1 described above when executing the computer program stored in the memory 1503.
As an embodiment of the present invention, the communication bus mentioned in the terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 4, but this does not indicate only one bus or one type of bus.
As an embodiment of the present invention, the communication interface is used for communication between the terminal and another device.
As an embodiment of the present invention, the Memory may include a Random Access Memory (RAM), or may include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
As an embodiment of the present invention, the processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Different from the prior art, the system safety management method, system, equipment and medium for self-service equipment of the present invention can realize a new authorization management means without changing the basic functions of the AP, the SP and the hardware, and achieve the safety management target. They ensure the safety of the AP, the SP and the hardware during operation and ensure that the AP, the SP and the hardware are not tampered with; even if the AP, the SP or the hardware is tampered with, the method ensures that they cannot continue to work. Because the AP, the SP and the underlying hardware firmware operate jointly, the potential safety hazard of the equipment is fundamentally solved.
It should be understood that, in various embodiments herein, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments herein.
It should also be understood that, in the embodiments herein, the term "and/or" merely describes an association between associated objects and means that three relationships are possible. For example, "A and/or B" may represent: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided herein, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purposes of the embodiments herein.
In addition, functional units in the embodiments herein may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present invention may be implemented in a form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A system safety management method for self-service equipment is characterized by comprising the following steps:
permission allocation:
an authorization management platform is set up, self-service equipment information is obtained, and core authorization information is set up based on the authorization management platform and the self-service equipment information;
issuing device side authority:
detecting an equipment side operation request, and executing equipment side authorization management operation based on the core authorization information and the equipment side operation request;
issuing application layer authority:
and detecting the authorization state of the equipment terminal, and executing application layer authorization management operation based on the core authorization information and the authorization state of the equipment terminal.
2. The system safety management method for the self-service equipment according to claim 1, characterized in that:
the self-service device information includes: self-service equipment identification information and self-service equipment user information;
the establishing of the core authorization information based on the authorization management platform and the self-service equipment information comprises the following steps:
in the authorization management platform, setting authorization information and authorization time limit information about the self-service equipment identification information based on the self-service equipment user information;
binding the authorization information, the authorization time limit information and the self-service equipment identification information according to the self-service equipment user information to obtain authorization binding information;
and setting the authorization binding information as the core authorization information.
3. The system safety management method for the self-service equipment according to claim 2, characterized in that:
the device side authorization management operation comprises:
when the equipment terminal operation request exists, confirming an equipment terminal and a mobile terminal corresponding to the equipment terminal operation request; executing an authorization request step based on the equipment terminal, the mobile terminal and the authorization management platform;
and after the authorization request step is executed, selecting to give authorization permission to the equipment terminal based on the authorization management platform and the core authorization information.
4. The system safety management method for the self-service equipment according to claim 3, characterized in that:
the authorization request step includes:
generating a first equipment end password based on the hardware information and the time information of the equipment end;
generating a verification two-dimensional code based on the first equipment-side password;
and transmitting the first equipment-side password to the authorization management platform based on the mobile terminal and the verification two-dimensional code.
5. The system safety management method for the self-service equipment according to claim 4, characterized in that:
the selecting to give the authorization permission to the device side based on the authorization management platform and the core authorization information comprises:
identifying the hardware information, the time information and the mobile terminal user information corresponding to the transmitted first equipment password through the authorization management platform;
checking whether first authorization binding information in which the hardware information matches the mobile terminal user information exists in the core authorization information; if the first authorization binding information exists, encrypting and generating first operation authorization information based on first authorization time limit information in the first authorization binding information and the time information; writing the first operation authorization information into the equipment terminal based on the mobile terminal;
and the equipment end receives and decrypts the written first operation authorization information to obtain authorization permission.
6. The system safety management method for the self-service equipment according to claim 5, characterized in that:
the device side authorization state comprises: the device side has obtained authorization permission, and the device side has not obtained authorization permission;
the executing of the application layer authorization management operation based on the core authorization information and the device side authorization state comprises:
identifying the device side authorization status;
when the authorization state of the equipment terminal is that the equipment terminal has obtained authorization permission, detecting whether an application layer calling request exists; and if so, executing the application layer authorization management operation based on the application layer calling request and the first authorization binding information.
7. The system safety management method for the self-service equipment according to claim 6, characterized in that:
the application layer authorization management operation comprises:
confirming the hardware to be called and the middleware to be served corresponding to the application layer calling request;
generating a first authorization key for the to-be-serviced middleware based on the first authorization binding information;
verifying the validity of the first authorization key based on the hardware information of the hardware to be called;
and calling the hardware to be called to respond to the application layer calling request based on the validity.
8. A system safety management system for self-service equipment is characterized by comprising: the system comprises an authority distribution module, an equipment side authority issuing module and an application layer authority issuing module;
the authority distribution module is used for building an authorization management platform, acquiring self-service equipment information and building core authorization information based on the authorization management platform and the self-service equipment information;
the device side authority issuing module is used for detecting a device side operation request and executing device side authorization management operation based on the core authorization information and the device side operation request;
and the application layer authority issuing module is used for detecting the authorization state of the equipment end and executing application layer authorization management operation based on the core authorization information and the authorization state of the equipment end.
9. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, carries out the steps of the method for system security management for self-service devices of any one of claims 1 to 7.
10. A computer device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus; wherein:
the memory is used for storing a computer program;
the processor is used for executing the steps of the system safety management method for the self-service equipment in any one of claims 1-7 by running the program stored in the memory.
CN202211295695.1A 2022-10-21 2022-10-21 System safety management method, system, equipment and medium for self-service equipment Pending CN115664781A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211295695.1A CN115664781A (en) 2022-10-21 2022-10-21 System safety management method, system, equipment and medium for self-service equipment

Publications (1)

Publication Number Publication Date
CN115664781A true CN115664781A (en) 2023-01-31

Family

ID=84989999

Country Status (1)

Country Link
CN (1) CN115664781A (en)

Legal Events

Date Code Title Description
PB01 Publication