CN116939601A - Mobile portable business processing equipment - Google Patents


Publication number
CN116939601A
Authority
CN
China
Prior art keywords
data packet
service
data
service data
module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311118315.1A
Other languages
Chinese (zh)
Inventor
张佩琰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Wanyuchenhong Intelligent Technology Co ltd
Original Assignee
Shanghai Wanyuchenhong Intelligent Technology Co ltd
Application filed by Shanghai Wanyuchenhong Intelligent Technology Co ltd; priority to CN202311118315.1A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present disclosure provide a mobile portable business processing device. The device comprises a service module, a security module and a communication module connected in sequence by a data exchange channel, wherein no direct data exchange channel or control circuit exists between the service module and the communication module, and each of the three modules has its own independent hardware main control chip and independent operating system. The service module classifies and marks the service data to be sent according to the data classification and marking rules to obtain a to-be-output service data packet, and sends that packet to the security module. When the security module has opened communication between the service module and the communication module, it determines a to-be-output service data packet that conforms to a preset security policy to be an output service data packet and sends the output service data packet to the communication module, wherein the output service data packet comprises the to-be-sent service data encrypted under the preset security policy. The communication module converts and encapsulates the output service data packet into a communication data packet by using a communication protocol and an application protocol, and sends the communication data packet to the cloud platform and/or other service processing equipment.

Description

Mobile portable business processing equipment
Technical Field
Embodiments of the present disclosure relate to the field of mobile portable devices, and in particular, to a mobile portable business processing device.
Background
With the development of network communication technology, mobile terminals have become more convenient and more widely used for business services, but the security risks have also increased and sensitive service data is easily leaked. The prior art therefore generally encrypts sensitive service data in the mobile terminal to keep the data secure.
However, new Internet attack techniques and vulnerabilities in the mobile terminal itself continue to exist, so the information security of the mobile terminal is seriously threatened.
Disclosure of Invention
The embodiments of the present disclosure aim to provide a mobile portable business processing device that solves the prior-art problem that the security of mobile terminal service data is undermined by network security risks and by vulnerabilities in the mobile terminal itself. By making the service module, the security module and the communication module independent of one another, the device ensures that the security module is controlled independently, that control of the service module is legitimate, and that the data of the mobile portable business processing device is secure.
To achieve the above objective, an embodiment of the present disclosure provides a mobile portable service processing device, including a service module, a security module and a communication module that are connected in sequence through a data exchange channel, where no direct data exchange channel and no control circuit exists between the service module and the communication module, and the service module, the security module and the communication module each have a hardware main control chip and an operating system that are independent of the others. The service module is configured to classify and identify locally generated service data to be sent according to the data classification and identification rules in a preset security policy set by the security module, encapsulate that data into a to-be-output service data packet, and send the packet to the security module, where the to-be-output service data packet includes the service data to be sent and a data packet header carrying the identification. The security module is configured to block or open communication between the service module and the communication module and, when communication between the service module and the communication module is open, to determine whether the to-be-output service data packet conforms to the preset security policy; a to-be-output service data packet that conforms to the preset security policy is determined to be an output service data packet and sent to the communication module, and a to-be-output service data packet that does not conform is discarded. The communication module is configured to convert and encapsulate the output service data packet into a communication data packet by using a communication protocol and an application protocol, and to send the communication data packet to a cloud platform and/or other service processing devices. The security module is further configured to determine whether the to-be-output service data packet conforms to the data classification and identification rule, extract the to-be-sent service data from a to-be-output service data packet whose data packet header carries an encrypted output identification, encrypt the to-be-sent service data by using the preset security policy, encapsulate the encrypted to-be-sent service data together with its corresponding data packet header, and determine the result to be the output service data packet.
In some embodiments of the present disclosure, the communication module is further configured to establish a service connection with the cloud platform through a network, and/or establish a direct service connection with other service processing devices.
In some embodiments of the present disclosure, the security module is further configured to collect personal identity information of a user, to open communication between the service module and the communication module when the personal identity information passes local verification, and to block communication between the service module and the communication module when the personal identity information fails local verification.
In some embodiments of the present disclosure, the preset security policy further includes an output type legal data set, and the security module is further configured to determine whether the to-be-output service data packet conforms to the data classification and identification rule, extract the to-be-transmitted service data in the to-be-output service data packet with an audit output identification carried in the data packet header when the to-be-output service data packet conforms to the data classification and identification rule, match the to-be-transmitted service data with fixed information in the output type legal data set, and encapsulate the to-be-transmitted service data successfully matched with the data packet header corresponding thereto and determine the to-be-transmitted service data packet as the output service data packet.
In some embodiments of the present disclosure, the communication module is further configured to receive a communication data packet from a cloud platform and/or other service processing devices, parse the communication data packet according to a communication protocol and an application protocol, obtain service data to be processed, perform data classification and identification on the service data to be processed according to the data classification and identification rule, and encapsulate the service data to be input into a service data packet to be sent to the security module, where the service data packet to be input includes the service data to be processed and a data packet header carrying the identification; the security module is further configured to determine, when the service module is in communication with the communication module, whether the to-be-input service data packet conforms to the preset security policy, determine the to-be-input service data packet conforming to the preset security policy as an input service data packet and send the input service data packet to the service module, or discard the to-be-input service data packet not conforming to the preset security policy; the service module is also used for executing corresponding service operation according to the input service data packet.
In some embodiments of the present disclosure, the security module is further configured to determine whether the to-be-input service data packet conforms to the data classification and identification rule, extract the to-be-processed service data in the to-be-input service data packet carrying a decryption input identifier in the data packet header when the to-be-input service data packet conforms to the data classification and identification rule, decrypt the to-be-processed service data by using the preset security policy, and encapsulate and determine the decrypted to-be-processed service data and the data packet header corresponding to the to-be-processed service data as the input service data packet; or the security module is further configured to determine whether the to-be-input service data packet accords with the data classification and identification rule, extract the to-be-processed service data in the to-be-input service data packet with the audit input identification carried in the data packet header when the to-be-input service data packet accords with the data classification and identification rule, match the to-be-processed service data with a fixed data type and format in an input class legal data set in the preset security policy, and package the to-be-processed service data successfully matched with the data packet header corresponding to the to-be-processed service data and determine the to-be-input service data packet.
In some embodiments of the present disclosure, the service module is further configured to perform data classification and identification on locally generated service data to be stored according to the data classification and identification rule, and encapsulate the service data to be stored into a data packet to be stored and send the data packet to the security module, where the data packet to be stored includes the service data to be stored and a packet header carrying the identification; the security module is further configured to determine whether the to-be-stored data packet accords with the data classification and identification rule, extract the to-be-stored service data in the to-be-stored data packet carrying an encrypted storage identification in the data packet header when the to-be-stored data packet accords with the data classification and identification rule, encrypt the to-be-stored service data by using the preset security policy, and encapsulate and determine the encrypted to-be-stored service data and the data packet header corresponding to the encrypted to-be-stored service data as a storage service data packet to be stored locally; the security module is also used for prompting the acquisition of personal identity information of a user to carry out local verification when receiving a request for calling or exporting the storage service data packet.
In some embodiments of the present disclosure, the preset security policy further includes a collaboration data set, where the collaboration data set is used for auditing to-be-audited collaboration data in a to-be-audited collaboration service data packet, the to-be-audited collaboration data is interaction data locally generated by each module in the mobile portable service processing device and used for guaranteeing the collaboration of each module, the to-be-audited collaboration service data packet is obtained by packaging the to-be-audited collaboration data after data classification and identification according to the data classification and identification rule, the to-be-audited collaboration service data packet includes the to-be-audited collaboration data and data packet header carrying identification, and the security module is further configured to determine whether the to-be-audited collaboration service data packet accords with the data classification and identification rule, extract the to-be-audited collaboration data in the to-audited collaboration service data packet carrying the collaboration identification when the to-audited collaboration service data packet accords with the data classification and identification rule, and match the to-audited collaboration service data packet header and the data packet in the preset security policy.
In some embodiments of the present disclosure, the local memory in the service module operates in a read-only mode.
In some embodiments of the present disclosure, the security module is further configured to verify feature information of a designated core device in the service module.
Additional features and advantages of embodiments of the present disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain, without limitation, the embodiments of the disclosure. In the drawings:
Fig. 1 is a schematic architecture diagram of a mobile portable business processing device 10 provided in an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of the interaction when message data is transmitted between a mobile portable service processing device A and a service processing device B according to an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings. It will be apparent that the described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments, which can be made by those skilled in the art based on the described embodiments of the present disclosure without the need for creative efforts, are also within the scope of the protection of the present disclosure.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the presently disclosed subject matter belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the specification and relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
It can be understood that in the prior art, although a mobile terminal can protect sensitive service data by encrypting it, this cannot prevent the sensitive service data from being obtained in plaintext when the mobile terminal itself is attacked and taken over and the service flow simply skips the encryption process. In addition, when the system is directly connected to the Internet, sensitive plaintext data in the service system is exposed to the public network environment and its security cannot be guaranteed.
To solve the above problems, an embodiment of the present disclosure proposes a mobile portable service processing device 10. As shown in Fig. 1, the mobile portable service processing device 10 includes a service module 11, a security module 12 and a communication module 13 connected in sequence through a data exchange channel 14. No direct data exchange channel or control circuit exists between the service module 11 and the communication module 13. Only the communication module 13 establishes a service connection with the cloud platform through a network and/or a direct service connection with other service processing devices (including other mobile portable service processing devices, vehicle-mounted service processing devices and the like) in order to transmit communication data packets. The data exchange channels between the modules are wired connections. In addition, the service module 11, the security module 12 and the communication module 13 each have an independent hardware main control chip and operating system, so each module in the mobile portable service processing device 10 is controlled by its own operating system and hardware main control chip and the functions of the modules are independent of one another. When the security module 12 executes the security policy, it has no call-type dependency on the other modules and shares no processes with them. The service module 11 is also not directly connected to the outside, which avoids the loss of security that an external attack on, or an inherent defect of, the service module would otherwise cause to the mobile portable service processing device.
In addition, in the embodiment of the present disclosure, the hardware main control chip and the operating system corresponding to each of the service module 11, the security module 12 and the communication module 13 are not specifically limited in model and type, and may be selected according to specific requirements. The service module 11 may include devices related to service processing in a mobile portable service processing device, such as an audio/video acquisition device, a positioning device, a multimedia playing device, and so on.
The service module 11 generates various data locally, including to-be-sent service data that must be exchanged with the cloud platform and/or other service processing devices, to-be-audited collaboration data that ensures the modules in the mobile portable service processing device 10 can work together, to-be-stored service data that must be stored in the security module 12, and so on. These kinds of data are processed in different ways; the processing of the service data to be sent is described in detail below.
The service module 11 is configured to perform data classification and identification on locally generated service data to be sent according to data classification and identification rules in a preset security policy set by the security module, and encapsulate the locally generated service data to be sent into a service data packet to be output, and send the service data packet to the security module 12, where the service data packet to be output includes the service data to be sent and a packet header carrying the identification.
The data classification and identification rules comprise processing rules for the various kinds of data. For locally generated to-be-sent service data that must be exchanged with a cloud platform and/or other service processing devices, the data sensitivity determined by the user decides whether the data must be audited and output or encrypted and output, and the data is classified and identified accordingly: different kinds of service data that must be audited and output carry different audit output identifications in the data packet header, and different kinds of service data that must be encrypted and output carry different encrypted output identifications in the data packet header. In addition, the data packet header includes, but is not limited to, other information related to the data to be sent, such as a sequence number, the purpose of the data packet, and data summary information (including data type, format, length, etc.).
The service data to be audited and output may include receipt service data to be returned after executing an instruction sent by the cloud platform and/or other service processing devices, trigger state service data to be sent to the cloud platform and/or other service processing devices after a service operation is triggered according to a preset trigger rule, or non-sensitive data to be sent to the cloud platform and/or other service processing devices after a user actively performs a service operation (such as the positioning state change data generated when the user actively starts a positioning operation). The data to be encrypted and output may include sensitive service data such as message data, audio-video data, etc.
When the service module 11 sends the to-be-output service data packet to the security module 12 and the security module 12 has opened communication between the service module 11 and the communication module 13, the security module 12 determines whether the to-be-output service data packet conforms to the preset security policy, determines a to-be-output service data packet that conforms to the preset security policy to be an output service data packet and sends it to the communication module 13, or discards a to-be-output service data packet that does not conform to the preset security policy.
The security module 12 blocks or opens communication between the service module 11 and the communication module 13 by collecting personal identity information of the user of the mobile portable service processing device 10 and verifying it locally. When the personal identity information fails local verification, communication between the service module 11 and the communication module 13 is blocked. The personal identity information may be biometric information of the user, such as one or a combination of fingerprint information, face information, voiceprint information, iris information, and the like. After the security module collects the personal identity information of the user, it can match that information against the legal identity information stored locally to determine whether the user's operation is legitimate. In addition, the point at which this verification for blocking or opening communication between the service module 11 and the communication module 13 takes place may be set according to user requirements, for example when the mobile portable service processing device 10 is started, or in scenarios specified by the user; the embodiments of the present disclosure do not specifically limit this.
In addition, the personal identity information of the user can also be used for verifying the login authority of the mobile portable service processing device 10, when the user needs to log in the mobile portable service processing device 10, the personal identity information of the user needs to be collected through the security module 12 and matched with the locally stored legal identity information, and after the matching is successful, the user is allowed to log in the device.
In addition, the personal identity information of the user can also be used for verifying the login authority of the cloud platform, when the user needs to log in the cloud platform through the mobile portable service processing equipment 10, the personal identity information of the user needs to be collected through the security module 12, the personal identity information is encrypted and then transmitted to the cloud platform through the communication module 13, the cloud platform matches the personal identity information with legal identity information, and after the matching is successful, the user is allowed to log in the cloud platform.
When the security module 12 has opened communication between the service module 11 and the communication module 13, the security module 12 starts to process all received data packets. Whatever type of data packet is received, the security module must determine whether the identifier carried in the data packet header conforms to the data classification and identification rule, for example whether it matches any one of the encrypted output class identifier, the audit output class identifier, the decryption input class identifier, the audit input class identifier, the encrypted storage class identifier, the audit cooperative class identifier, and the like. If it matches, the data packet is determined to conform to the data classification and identification rule and is processed further. Otherwise, that is, if the identifier carried in the data packet matches none of these identifiers, the data packet is discarded directly, so that unknown and illegal data packets are blocked from passing through the security module 12, further ensuring the data security of the mobile portable service processing device 10.
In the embodiment of the present disclosure, when the security module 12 receives a to-be-output service data packet, it likewise first determines whether the identifier carried in the packet header conforms to the identifiers set in the data classification and identification rule. A to-be-output service data packet that conforms to the rule is processed further, and one that does not conform is discarded directly. For service data that must be encrypted and output, when the to-be-output service data packet conforms to the data classification and identification rule, the security module extracts the to-be-sent service data from the to-be-output service data packet whose data packet header carries an encrypted output identification, encrypts the to-be-sent service data by using the preset security policy, encapsulates the encrypted to-be-sent service data together with its corresponding data packet header, and determines the result to be the output service data packet. The encryption algorithm in the preset security policy is one agreed in advance by both communicating parties and suited to the embodiment of the disclosure, for example the national cryptographic standard SM4 encryption algorithm, and can be selected according to the specific requirements of the embodiment.
In addition, the security module 12 may perform a local signature when encrypting the service data to be transmitted, so as to obtain the identity source data of the service data to be transmitted, so as to verify the other party of communication.
The communication module 13 converts and encapsulates the output service data packet into a communication data packet by using a communication protocol and an application protocol, and sends the communication data packet to the cloud platform and/or other service processing devices. When communication service association directly occurs between the mobile portable service processing device 10 and other service processing devices that communicate with each other, for example, a pass-through mode of an intercom, the communication protocol and the application protocol are pre-agreed protocols between the two parties of communication. When all the mobile portable service processing devices 10 communicating with each other described in the embodiments of the present disclosure are in communication service contact via the cloud platform, the communication protocol is a standard protocol complied with by both communication parties, and the application protocol is a protocol agreed in advance between the communication modules 13 in all the mobile portable service processing devices 10 and the cloud platform. When the communication module 13 converts and encapsulates the output service data packet, the necessary information in the packet header of the output service data packet and the processed service data to be sent can be extracted, and the output service data packet is converted and encapsulated into a communication data packet by using an application protocol and a communication protocol.
When the mobile portable service processing device 10 is started, and the service module 11 needs to log on the cloud platform, the personal identity information (including the biometric information of the user) of the user can be collected through the security module 12, and then encrypted and sent to the cloud platform for verification by the communication module 13, and authentication information (such as preset identity information or equipment information of the user) in the security module 12 can be also called through the communication module 13 and sent to the cloud platform for verification, so that security verification when the communication module 13 is remotely connected with the cloud platform is realized.
In one implementation manner of the embodiment of the present disclosure, when the service data to be sent is service data that needs to be audited and output, the preset security policy further includes an output-class legal data set, where the data set may be used to audit all service data to be sent from a local generation destination (including a cloud platform and/or other service processing devices), and the data in the output-class legal data set is non-sensitive data of fixed information (for example, including a data type, a data format and a fixed content of data content) that are predefined by both communication service parties, and the non-sensitive data does not include any fuzzy data that cannot fix information. The output type legal data set comprises different output type legal data subsets according to different service data which are locally generated and need to be audited, for example, the data subsets corresponding to receipt service data are output type legal receipt service data subsets, the data subsets corresponding to trigger state service data are output type legal trigger state service data subsets, and the data subsets corresponding to user active service operation data are output type legal active service operation data subsets. Similarly, for the to-be-output service data packet including the service data to be audited and output, the security module 12 also first determines whether the to-be-output service data packet accords with the data classification and identification rule, and when the to-be-output service data packet accords with the data classification and identification rule, performs targeted processing on the service data to be audited and output in the to-be-transmitted service data, and directly discards the to-be-output service data packet which does not accord with the data classification and identification rule. 
The security module 12 extracts the service data to be sent from a to-be-output service data packet that conforms to the data classification and identification rule and whose packet header carries an audit output identifier, and matches that data against the fixed information in the output-class legal data set. Successfully matched service data to be sent is encapsulated with its corresponding packet header and determined as the output service data packet; the to-be-output service data packet corresponding to service data that fails to match is discarded directly. The security module 12 may locate the corresponding data subset according to the particular audit identifier carried in the received to-be-output service data packet, so as to match the service data to be sent against the fixed information in that subset. Matching the fixed information includes matching the data type, data format and data content; when these match, the service data to be sent is considered successfully matched. Thus, if a security vulnerability exists in the service module 11, sensitive output service data (for example, message data, audio/video data and the like) is prevented from being passed off as service data requiring audit output and thereby leaked. This ensures that sensitive service data can be encrypted and output by the security module 12, and improves the security of the sensitive service data.
In addition, service data to be sent that matches successfully, that is, service data that passes the audit, is encapsulated into an output service data packet. Known data can therefore be sent out while unknown and illegal data is uniformly discarded, further improving the controllability and legality of the data output by the mobile portable service processing device 10.
In one implementation of the embodiments of the present disclosure, the mobile portable service processing device 10 can receive data as well as send data to the cloud platform and/or other service processing devices. The communication module 13 receives a communication data packet from the cloud platform and/or other service processing devices, parses it according to the communication protocol and the application protocol to obtain the service data to be processed, classifies and identifies that data according to the data classification and identification rule, encapsulates it into a to-be-input service data packet, and sends the packet to the security module. The to-be-input service data packet comprises the service data to be processed and a packet header carrying the identifier. As an example of classification and identification under the rule, plaintext service data to be processed may be classified as service data requiring audit input, and ciphertext service data to be processed may be classified as service data requiring decryption input. The distinction between plaintext and ciphertext service data can be defined according to the specific service requirements of the parties to the communication service connection: non-sensitive data with a fixed data type and data format agreed in advance by both communicating parties is designated plaintext service data, and sensitive data is designated ciphertext service data. For example, service data requiring audit input may include device control signaling data, state synchronization data and the like, and service data requiring decryption input may include multimedia service data, message data, static files and the like.
The communication module 13 can perform data classification and identification through data classification and identification rules in a preset security policy set in the security module 12, respectively set different audit input identifications in the data packet header corresponding to different service data needing audit input, and respectively set different decryption input identifications in the data packet header corresponding to different service data needing decryption input, so as to facilitate identification by the security module 12.
When the security module 12 has connected the communication between the service module 11 and the communication module 13, it determines whether the to-be-input service data packet conforms to the preset security policy. A to-be-input service data packet that conforms is determined as an input service data packet and sent to the service module 11; one that does not conform is discarded. The service module 11 performs the corresponding service operation according to the input service data packet.
The security module 12 also needs to determine whether the received to-be-input service data packet conforms to the data classification and identification rule, for example, whether the identifier carried in the packet header matches any one of the encryption output class identifier, the audit output class identifier, the decryption input class identifier, the audit input class identifier, the encryption storage class identifier, the audit cooperative class identifier, and the like. If it matches, the received packet is determined to conform to the rule and is processed further. If the identifier carried in the packet matches none of them, the packet is discarded directly, so that all unknown and illegal data packets are blocked from passing through the security module 12.
When the to-be-input service data packet conforms to the data classification and identification rule and the service data to be processed is service data requiring decryption input, the security module 12 extracts the service data to be processed from the to-be-input service data packet whose header carries a decryption input identifier, decrypts it using the preset security policy, and encapsulates the decrypted data with its corresponding packet header, which is determined as the input service data packet. Alternatively, to further ensure the legality and authenticity of the source of the input service data, the security module 12 may first verify the legality and authenticity of the identity source of the service data to be processed, then decrypt the data using the preset security policy, and encapsulate the verified and decrypted data with its corresponding packet header, which is determined as the input service data packet. A to-be-input service data packet whose service data fails verification is discarded directly. Verification of the legality and authenticity of the identity source may be implemented, for example, by digital signature verification, and is not specifically limited in the embodiments of the present disclosure. The decrypted service data is sent only to the service module 11; this avoids the exposure of sensitive plaintext in a public network environment that would occur if the decrypted data were passed back to the communication module 13, in which case its security could not be ensured.
When the to-be-input service data packet conforms to the data classification and identification rule and the service data to be processed is service data requiring audit input, the security module 12 extracts the service data to be processed from the to-be-input service data packet whose header carries an audit input identifier, and matches it against the fixed data types and formats in the input-class legal data set of the preset security policy. Successfully matched service data is encapsulated with its corresponding packet header and determined as the input service data packet; the to-be-input service data packet corresponding to service data that fails to match is discarded. The input-class legal data set can be used to audit all service data arriving from outside (including the cloud platform and/or other service processing devices) that requires audit. The data in the set consists of the fixed data types and formats of non-sensitive data agreed in advance by both parties to the communication service, and the non-sensitive data does not include any data whose type and format cannot be fixed. The input-class legal data set may further comprise different input-class legal data subsets for different service data: for example, the subset corresponding to device control signaling data is the input-class legal device control signaling data subset, the subset corresponding to state synchronization data is the input-class legal state synchronization data subset, and so on. The security module 12 may locate the corresponding subset according to the audit input identifier carried in the received to-be-input service data packet, so as to match the service data to be processed against the fixed data type and format in that subset.
When the fixed data type and the format are successfully matched, the matching of the service data to be processed is successful, so that the data with illegal data type and format is prevented from being transmitted to the service module 11, and legal control of the service module 11 is ensured.
The service data requiring audit described above (both service data to be processed that requires audit input and service data to be sent that requires audit output) can be defined according to what the user identifies as non-sensitive data, for example device control signaling data. It should be noted that service data requiring audit must be non-sensitive data with fixed information (for example, a fixed data type, data format and data content) or non-sensitive data with a fixed data type and format; it does not include any fuzzy data whose information cannot be fixed, or any data whose data type and format cannot be fixed.
When the two parties to a communication service connection differ, the parties that pre-specify the fixed information and the fixed data type and format differ accordingly. For example, when the mobile portable service processing device described in the embodiments of the present disclosure connects directly with other service processing devices, the fixed information and the fixed data type and format are pre-specified between the mobile portable service processing device and those other service processing devices. When all of the intercommunicating mobile portable service processing devices described in the embodiments of the present disclosure connect via the cloud platform, the fixed information and the fixed data type and format are pre-specified between the mobile portable service processing device and the cloud platform.
In another implementation of the embodiments of the present disclosure, the preset security policy further includes a cooperative data set, which is used to audit the to-be-audited cooperative data in to-be-audited cooperative service data packets. The to-be-audited cooperative data is interaction data generated locally by the modules of the mobile portable service processing device 10 to keep the modules working together. A to-be-audited cooperative service data packet is obtained by classifying and identifying the to-be-audited cooperative data according to the data classification and identification rule and then encapsulating it; the packet comprises the to-be-audited cooperative data and a packet header carrying the identifier. After receiving a to-be-audited cooperative service data packet, the security module 12 likewise first determines whether the packet conforms to the data classification and identification rule. If it does, the security module 12 extracts the to-be-audited cooperative data from the packet whose header carries an audit cooperative identifier and matches it against the fixed information in the cooperative data set of the preset security policy. Matching the fixed information includes matching the data type, data format and data content; when these match, the to-be-audited cooperative data is considered successfully matched. The to-be-audited cooperative service data packet corresponding to cooperative data that fails to match is discarded directly.
The security module 12 determines the successfully matched to-be-audited cooperative data, together with its corresponding packet header, as the cooperative service data packet.
Take as an example the security module 12 auditing to-be-audited cooperative data sent by the communication module 13 to the service module 11. The communication module 13 classifies and identifies the locally generated to-be-audited cooperative data according to the data classification and identification rule, encapsulates it into a to-be-audited cooperative service data packet, and sends the packet to the security module 12. The security module 12 determines whether the packet conforms to the data classification and identification rule. If it does, the security module 12 extracts the to-be-audited cooperative data from the packet whose header carries an audit cooperative identifier, matches it against the fixed information in the cooperative data set of the preset security policy, determines the successfully matched cooperative data and its corresponding packet header as the cooperative service data packet, and sends that packet to the service module 11, which performs the corresponding cooperative service operation. In the embodiments of the present disclosure, the security module 12 audits the to-be-audited cooperative data generated locally by the communication module 13, which further ensures the security of the cooperative service data passed inward by the communication module 13, prevents illegal data from reaching the service module 11, and ensures legal control of the service module 11.
Besides the above example of data interaction from the communication module 13 to the service module 11, to-be-audited cooperative data may also be exchanged among the three modules. Whichever two modules are involved, one rule applies: the exchange requires auditing by the security module 12. The data to be exchanged must therefore satisfy the data classification and identification rules in the preset security policy set by the security module, so that the security module 12 can audit the fixed information. The types of to-be-audited cooperative data are not described in detail here.
In another implementation of the embodiments of the present disclosure, when the service module 11 needs to store sensitive service data, for example audio and video data, the service module 11 may classify and identify the locally generated service data to be stored according to the data classification and identification rule, encapsulate it into a to-be-stored data packet, and send the packet to the security module 12. The to-be-stored data packet comprises the service data to be stored and a packet header carrying the identifier. On receiving the to-be-stored data packet, the security module 12 likewise first determines whether it conforms to the data classification and identification rule. If it does, the security module 12 extracts the service data to be stored from the packet whose header carries an encryption storage identifier, encrypts that data using the preset security policy, and encapsulates the encrypted data with its corresponding packet header as a storage service data packet, which is stored in the security module 12. The security module 12 does not accept plaintext storage operations, which further ensures that locally stored sensitive service data is always stored in encrypted form and that locally stored data is secure. The encryption algorithm in the preset security policy is an encryption algorithm, suitable for the embodiments of the present disclosure, agreed in advance by both communicating parties, for example the SM4 national cryptographic algorithm, and can be selected according to the specific requirements of the embodiments.
In addition, for the encrypted service data to be stored that is locally stored by the security module 12, there may be two service calling modes, one is a cloud platform call, and the other is a local call or export.
To further ensure secure control of the mobile portable service processing device, and building on the security module 12 collecting the user's personal identity information for verification, when the security module 12 receives a request to call or export a stored service data packet (including both the service data encrypted and stored by the security module as described above and externally input encrypted service data stored locally in the security module), the security module 12 needs to collect the user's personal identity information and verify it locally. In addition, when the related devices included in the service module 11 need to be used, access to certain of those devices may also be made conditional on verification of the user's personal identity information, as the user requires. Furthermore, unlocking the system of the service module 11 can be implemented by the security module 12 locally verifying the user's personal identity information. The embodiments of the present disclosure do not limit the usage scenarios in which the security module 12 collects the user's personal identity information for verification; the verification mechanism may be applied in particular scenarios according to the user's specific requirements.
In another implementation of the embodiments of the present disclosure, to further ensure the security of the service module 11, the local memory in the service module 11 operates in read-only mode. So that the user's operating experience is not degraded, the configuration information that would otherwise be stored locally each time the service module 11 runs (for example, the display brightness setting, service group settings and the like) may be stored in the security module 12 as encrypted configuration information rather than locally in the service module 11. Each time the mobile portable service processing device 10 starts up, the encrypted configuration information is decrypted in the security module 12 and loaded back into the service module 11 to reconfigure it.
In another implementation of the embodiments of the present disclosure, to further avoid the security risk created by replacing a core device in the service module 11, the security module 12 may, according to a policy preset by the user, determine whether a designated core device has been replaced by verifying the feature information of that device in the service module 11. For example, the memory, the storage and the chip in the service module 11 may be set as designated core devices. The feature information of a designated core device may be data generated from the device's ID number according to a designated rule, or data obtained by encrypting a random number generated by the security module 12, and so on. The embodiments of the present disclosure do not limit the feature information of a designated core device or the way it is generated, provided that the feature information is unique identification information corresponding to that device. For example, when a designated core device in the service module 11 is replaced, its ID number also changes, and the feature information generated from the new ID differs from the original feature information, so the replacement is detected. How often the feature information is verified may be set according to user requirements, for example at power-on or at fixed intervals. If verification fails, the security module 12 immediately blocks communication and issues a risk warning.
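One way to derive and check feature information for the designated core devices, given as an added example rather than the patent's own method: HMAC-SHA256 stands in for the "designated rule", and the key, device IDs and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; a real key would never leave the security module.
SECRET = b"security-module-key-for-illustration"
ENROLLED_IDS = {"memory": "MEM-0001", "storage": "STO-0001", "chip": "SOC-0001"}


def feature(secret: bytes, role: str, device_id: str) -> bytes:
    """Feature information for one core device: HMAC-SHA256 over role and ID.

    The role is length-prefixed so that ("ab", "c") and ("a", "bc") can never
    produce the same input to the MAC.
    """
    role_b = role.encode("utf-8")
    msg = len(role_b).to_bytes(2, "big") + role_b + device_id.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).digest()


def enroll(secret: bytes, devices: dict) -> dict:
    """Record the baseline feature information when the device is provisioned."""
    return {role: feature(secret, role, dev_id) for role, dev_id in devices.items()}


def verify(secret: bytes, baseline: dict, observed: dict) -> list:
    """Return the roles whose feature information no longer matches the baseline."""
    failed = []
    for role, expected in baseline.items():
        dev_id = observed.get(role)
        # A missing device yields an empty value, which can never match.
        actual = feature(secret, role, dev_id) if dev_id is not None else b""
        if not hmac.compare_digest(expected, actual):
            failed.append(role)
    # A core device that was never enrolled is treated as a failure as well.
    failed.extend(role for role in observed if role not in baseline)
    return sorted(failed)


def power_on_check(secret: bytes, baseline: dict, observed: dict) -> dict:
    """Block communication and name the devices to alarm on if any check fails."""
    failed = verify(secret, baseline, observed)
    return {"communication": "blocked" if failed else "connected", "alarm": failed}


if __name__ == "__main__":
    baseline = enroll(SECRET, ENROLLED_IDS)
    swapped = dict(ENROLLED_IDS, storage="STO-9999")  # storage chip replaced
    print(power_on_check(SECRET, baseline, ENROLLED_IDS))
    print(power_on_check(SECRET, baseline, swapped))
```

Keying the derivation means the stored feature information cannot be recomputed from a device ID alone outside the security module.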
In another implementation of the embodiments of the present disclosure, to further ensure the security of the mobile portable service processing device 10, when the number of times the security module 12 has discarded to-be-output and to-be-input service data packets that do not conform to the preset security policy reaches a preset threshold (for example, a threshold set by the user as required), a risk alarm is raised and/or communication between the service module 11 and the communication module 13 is blocked directly. When the security module 12 collects the user's personal identity information and the number of local authentication failures reaches the number set by the user as required, the mobile portable service processing device 10 can be locked directly and/or the cloud platform can be notified, as the user requires.
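The header identifier check, the legal-data-set audit and the discard threshold described in the paragraphs above can be combined as follows. This is an added example, not code from the patent: the identifier strings, the JSON payload encoding, the sample subsets and the `SecurityGate` class are assumptions, and the encryption and decryption paths are not modelled.

```python
import json
import re
from dataclasses import dataclass

# Identifier classes named in the description; the string values are assumed.
KNOWN_CLASSES = {"ENC_OUT", "AUDIT_OUT", "DEC_IN", "AUDIT_IN",
                 "ENC_STORE", "AUDIT_COOP"}

# Legal data sets: class -> subset name -> {field: pattern}. Constructed samples.
# Output and cooperative subsets fix the content itself (an enumerated value
# set); input subsets fix only the data type and format.
LEGAL_SETS = {
    "AUDIT_OUT": {"receipt": {"receipt": re.compile(r"ACK|NAK")}},
    "AUDIT_IN": {
        "device_control": {"cmd": re.compile(r"[A-Z]{2,8}"),
                           "channel": re.compile(r"[0-9]{1,3}")},
        "state_sync": {"state": re.compile(r"ONLINE|OFFLINE")},
    },
    "AUDIT_COOP": {"heartbeat": {"alive": re.compile(r"1")}},
}


def matches(subset: dict, payload: bytes) -> bool:
    """True only if payload is a JSON object with exactly the subset's fields,
    each a string that matches its pattern in full."""
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, absurd nesting
        return False
    if not isinstance(obj, dict) or set(obj) != set(subset):
        return False
    # fullmatch rather than match: trailing characters must not slip through.
    return all(isinstance(v, str) and subset[k].fullmatch(v) is not None
               for k, v in obj.items())


@dataclass
class SecurityGate:
    threshold: int = 3     # user-set discard limit
    discards: int = 0
    blocked: bool = False  # True once the service/communication path is cut

    def _discard(self, reason: str):
        self.discards += 1
        if self.discards >= self.threshold:
            self.blocked = True  # a risk alarm would be raised here as well
        return ("DISCARD", reason)

    def handle(self, header: dict, payload: bytes):
        if self.blocked:
            return ("BLOCKED", "path closed after repeated discards")
        cls = header.get("cls")
        if not isinstance(cls, str) or cls not in KNOWN_CLASSES:
            return self._discard("identifier not in classification rule")
        if cls in LEGAL_SETS:  # the three audit classes
            name = header.get("subset")
            subset = LEGAL_SETS[cls].get(name) if isinstance(name, str) else None
            if subset is None or not matches(subset, payload):
                return self._discard("no match in legal data set")
            return ("PASS", "audited")
        return ("CRYPTO", "handed to encrypt/decrypt path (not modelled)")


def demo():
    gate = SecurityGate(threshold=3)
    packets = [  # constructed sample traffic
        ({"cls": "AUDIT_IN", "subset": "device_control"},
         b'{"cmd":"LOCK","channel":"12"}'),
        ({"cls": "AUDIT_OUT", "subset": "receipt"}, b'{"receipt":"ACK"}'),
        # Message text mislabelled as audit-output data by a faulty service module.
        ({"cls": "AUDIT_OUT", "subset": "receipt"}, b'{"receipt":"meet at 9pm"}'),
        ({"cls": "RAW"}, b"\x00\x01"),                       # unknown identifier
        ({"cls": "AUDIT_IN", "subset": "device_control"},    # extra field
         b'{"cmd":"LOCK","channel":"12","x":"1"}'),
        ({"cls": "AUDIT_IN", "subset": "state_sync"}, b'{"state":"ONLINE"}'),
    ]
    return [gate.handle(h, p)[0] for h, p in packets], gate


if __name__ == "__main__":
    print(demo()[0])
```

The last packet is well formed but is still refused, because the third discard has already closed the path between the two modules.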
In addition, to further ensure the integrity and security of the mobile portable service processing device 10, an anti-disassembly circuit covering the whole device can be provided. If the mobile portable service processing device 10 is disassembled while in its working state, the whole device is powered down and the memory of the three modules is cleared; at the same time, the mobile portable service processing device 10 can be locked so that it cannot be used.
According to the embodiments of the present disclosure, the functional modules in the mobile portable service processing device are arranged in a three-part discrete architecture. Each module has its own independent hardware main control chip and operating system, and the functions of the modules are independent of one another. When executing the security policy, the security module has no call-type dependency on the other modules and no process overlap with them. The three modules are connected in sequence through wired data exchange channels, and there is no direct data exchange channel or control circuit between the service module and the communication module. This ensures the independence of the security module's control within the mobile portable service processing device, the legality of the control of the service module, and the security of the device's data. Compared with the prior art, in which a single main control unit schedules all service logic units, the control independence of the security module is ensured, and a security problem in the service module and/or the communication module does not reduce the overall security of the mobile portable service processing device. Because the security module can block or connect the communication between the service module and the communication module, and because it processes output service data under the preset security policy, including audit output of non-sensitive service data and encrypted output of sensitive service data, security risks in the output data are avoided. Moreover, because non-sensitive service data is output under audit, only known service data that satisfies the fixed information can be output; unknown service data and illegal service data that do not satisfy the fixed information cannot be output.
In addition, service data entering the service module is also supervised by the security module, which audits the data type and format of service data requiring audit input and decrypts service data requiring decryption input. This ensures the security of the service module's data and protects the service module from threats. Sensitive service data that the security module decrypts and sends to the service module is not exposed in a public network environment, which improves data security. At the same time, the independence of the security module's control and the legality of the control of the service module are ensured, illegal information is blocked from entering, and the ways and technical means by which encrypted data could be cracked are effectively reduced. Furthermore, by collecting the user's personal identity information, the security module can verify access to locally stored sensitive service data, use of related devices in the service module, and unlocking of the system, further ensuring the security of locally stored sensitive service data and legal control of the mobile portable service processing device.
In addition, the mobile portable service processing device described in the embodiments of the present disclosure includes, but is not limited to, a mobile handheld terminal, a wearable device, and the like, and is suitable for service scenarios with high requirements on data security level, such as industrial inspection scenarios, police scenarios, and the like.
The implementation process of the embodiments of the present disclosure is described below, taking the transmission of message data between the mobile portable service processing device A and the service processing device B as an example.
As shown in FIG. 2, when the security module A2 has connected the communication between the service module A1 and the communication module A3, it first determines whether the identifier carried in the packet header of the received to-be-output service data packet conforms to the data classification and identification rule, for example, whether the identifier matches any one of the encryption output class identifier, the audit output class identifier, the decryption input class identifier, the audit input class identifier, the encryption storage class identifier, the audit cooperative class identifier, and the like. If it matches, the packet is determined to conform to the rule and is processed further (act 201); if the identifier carried in the packet matches none of them, the packet is discarded directly. When the security module A2 determines that the to-be-output service data packet conforms to the data classification and identification rule, it extracts the message data from the packet whose header carries an encryption output identifier, encrypts the message data using the preset security policy, encapsulates the encrypted message data with its corresponding packet header, determines the result as the output service data packet, and sends it to the communication module A3 (act 202). The communication module A3 converts and encapsulates the output service data packet into a communication data packet using the communication protocol and the application protocol, and sends the communication data packet to the service processing device B (act 203).
After receiving the communication data packet sent by the communication module A3 of the mobile portable service processing device A, the communication module B3 of the service processing device B parses the packet according to the communication protocol and the application protocol to obtain the encrypted message data, classifies and identifies the encrypted message data according to the data classification and identification rule, encapsulates the encrypted message data with a packet header carrying the decryption input identifier to form a to-be-input service data packet, and sends that packet to the security module B2 (act 204). When the security module B2 has connected the communication between the service module B1 and the communication module B3, it likewise first determines whether the to-be-input service data packet conforms to the data classification and identification rule. If it does, the security module B2 extracts the encrypted message data from the packet whose header carries a decryption input identifier, decrypts it using the preset security policy, encapsulates the decrypted message data with its corresponding packet header, determines the result as the input service data packet, and sends it to the service module B1 (act 205), so that the service module B1 can process the message data.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a system, or as a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of systems (devices), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or nonvolatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A mobile portable business processing device, comprising: a service module, a security module and a communication module connected in sequence through a data exchange channel, with no direct data exchange channel and no control circuit between the service module and the communication module, wherein the service module, the security module and the communication module each have their own independent hardware main control chip and operating system,
the service module is used for carrying out data classification and identification on locally generated service data to be sent according to data classification and identification rules in a preset security policy set by the security module, and packaging the locally generated service data to be sent into a service data packet to be output and sending the service data packet to the security module, wherein the service data packet to be output comprises the service data to be sent and a data packet header carrying the identification;
the security module is configured to block or connect communication between the service module and the communication module, and, when the service module is connected with the communication module, to determine whether the to-be-output service data packet conforms to the preset security policy, determine the to-be-output service data packet conforming to the preset security policy as an output service data packet and send the output service data packet to the communication module, or discard the to-be-output service data packet not conforming to the preset security policy;
the communication module is used for converting and packaging the output service data packet into a communication data packet by utilizing a communication protocol and an application protocol, sending the communication data packet to a cloud platform and/or other service processing equipment,
the security module is further configured to determine whether the to-be-output service data packet accords with the data classification and identification rule, extract the to-be-transmitted service data from the to-be-output service data packet carrying an encrypted output identification in the data packet header when the to-be-output service data packet accords with the data classification and identification rule, encrypt the to-be-transmitted service data by using the preset security policy, and package the encrypted to-be-transmitted service data with the data packet header corresponding to the to-be-transmitted service data and determine the result as the output service data packet.
2. The mobile portable business processing device of claim 1, wherein the communication module is further configured to establish a business connection with a cloud platform via a network and/or establish a direct business connection with other business processing devices.
3. The mobile portable business processing device of claim 1, wherein the security module is further configured to collect personal identity information of a user, connect communication between the business module and the communication module when the personal identity information is successfully verified locally, and block communication between the business module and the communication module when local verification of the personal identity information fails.
4. The mobile portable business processing device of claim 1, wherein the preset security policy further comprises an output class legal data set,
the security module is further configured to determine whether the to-be-output service data packet accords with the data classification and identification rule, extract the to-be-transmitted service data from the to-be-output service data packet carrying an audit output identification in the data packet header when the to-be-output service data packet accords with the data classification and identification rule, match the to-be-transmitted service data with fixed information in the output class legal data set, and package the successfully matched to-be-transmitted service data with the data packet header corresponding to the to-be-transmitted service data and determine the result as the output service data packet.
5. The mobile portable business processing device of claim 1, wherein,
the communication module is further used for receiving a communication data packet from a cloud platform and/or other service processing equipment, analyzing the communication data packet according to a communication protocol and an application protocol to obtain service data to be processed, carrying out data classification and identification on the service data to be processed according to the data classification and identification rules, and packaging the service data to be processed into a to-be-input service data packet and sending the to-be-input service data packet to the security module, wherein the to-be-input service data packet comprises the service data to be processed and a data packet header carrying the identification;
the security module is further configured to determine, when the service module is in communication with the communication module, whether the to-be-input service data packet conforms to the preset security policy, determine the to-be-input service data packet conforming to the preset security policy as an input service data packet and send the input service data packet to the service module, or discard the to-be-input service data packet not conforming to the preset security policy;
the service module is also used for executing corresponding service operation according to the input service data packet.
6. The mobile portable business processing device of claim 5, wherein,
the security module is further configured to determine whether the to-be-input service data packet accords with the data classification and identification rule, extract the to-be-processed service data in the to-be-input service data packet carrying a decryption input identification in the data packet header when the to-be-input service data packet accords with the data classification and identification rule, decrypt the to-be-processed service data by using the preset security policy, and encapsulate and determine the decrypted to-be-processed service data and the data packet header corresponding to the to-be-processed service data as the input service data packet; or,
the security module is further configured to determine whether the to-be-input service data packet accords with the data classification and identification rule, extract the to-be-processed service data from the to-be-input service data packet carrying an audit input identification in the data packet header when the to-be-input service data packet accords with the data classification and identification rule, match the to-be-processed service data with a fixed data type and format in an input class legal data set in the preset security policy, and package the successfully matched to-be-processed service data with the data packet header corresponding to the to-be-processed service data and determine the result as the input service data packet.
7. The mobile portable business processing device of claim 1, wherein,
the service module is further used for carrying out data classification and identification on locally generated service data to be stored according to the data classification and identification rules, and packaging the locally generated service data to be stored into a data packet to be stored and sending the data packet to the security module, wherein the data packet to be stored comprises the service data to be stored and a data packet header carrying the identification;
the security module is further configured to determine whether the to-be-stored data packet accords with the data classification and identification rule, extract the to-be-stored service data in the to-be-stored data packet carrying an encrypted storage identification in the data packet header when the to-be-stored data packet accords with the data classification and identification rule, encrypt the to-be-stored service data by using the preset security policy, and encapsulate and determine the encrypted to-be-stored service data and the data packet header corresponding to the encrypted to-be-stored service data as a storage service data packet to be stored locally;
the security module is also used for prompting the acquisition of personal identity information of a user to carry out local verification when receiving a request for calling or exporting the storage service data packet.
8. The mobile portable business processing device according to claim 1, wherein the preset security policy further comprises a collaboration data set, the collaboration data set is used for auditing the collaboration data in the collaboration business data packet to be audited, the collaboration data to be audited is interaction data locally generated by each module in the mobile portable business processing device and used for ensuring the collaboration of each module, the collaboration business data packet to be audited is obtained by packaging the collaboration data to be audited after data classification and identification according to the data classification and identification rule, the collaboration business data packet to be audited comprises the collaboration data to be audited and a data packet header carrying identification,
the security module is further configured to determine whether the to-be-checked cooperative service data packet accords with the data classification and identification rule, extract to-be-checked cooperative data in the to-be-checked cooperative service data packet carrying an audit cooperative identification in the data packet header when the to-be-checked cooperative service data packet accords with the data classification and identification rule, match the to-be-checked cooperative data with fixed information in a cooperative data set in the preset security policy, and determine the successfully matched to-be-checked cooperative data and the data packet header corresponding to the to-be-checked cooperative data as the cooperative service data packet.
9. The mobile portable business processing device of claim 1, wherein the local memory in the business module operates in a read-only mode.
10. The mobile portable business processing device of claim 1, wherein the security module is further configured to verify the characteristic information of the designated core device in the business module.
CN202311118315.1A 2023-08-31 2023-08-31 Mobile portable business processing equipment Pending CN116939601A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311118315.1A CN116939601A (en) 2023-08-31 2023-08-31 Mobile portable business processing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311118315.1A CN116939601A (en) 2023-08-31 2023-08-31 Mobile portable business processing equipment

Publications (1)

Publication Number Publication Date
CN116939601A true CN116939601A (en) 2023-10-24

Family

ID=88375505

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311118315.1A Pending CN116939601A (en) 2023-08-31 2023-08-31 Mobile portable business processing equipment

Country Status (1)

Country Link
CN (1) CN116939601A (en)

Similar Documents

Publication Publication Date Title
CN112073375B (en) Isolation device and isolation method suitable for client side of electric power Internet of things
CN108965215B (en) Dynamic security method and system for multi-fusion linkage response
CN109041052B (en) Safe communication method and system based on identification algorithm
FI76469B (en) Communication system for cable television network.
CN107770182A (en) The date storage method and home gateway of home gateway
CN110891061B (en) Data encryption and decryption method and device, storage medium and encrypted file
CN110381075B (en) Block chain-based equipment identity authentication method and device
KR20140098872A (en) security system and method using trusted service manager and biometric for web service of mobile nfc device
US6396929B1 (en) Apparatus, method, and computer program product for high-availability multi-agent cryptographic key recovery
CN111756627A (en) Cloud platform security access gateway of electric power monitored control system
CN109151823B (en) eSIM card authentication method and system
CN112615866A (en) Pre-authentication method, device and system for TCP connection
CN117176384A (en) TSN network data safety transmission method based on domestic data distribution service
KR102190618B1 (en) Apparatus and method for securing train control message
CN113794563B (en) Communication network security control method and system
CN111769952A (en) Data processing system of block chain sensor
CN111356132B (en) Bluetooth access control method, system, electronic equipment and storage medium
CN116723555A (en) Terminal access and data distribution method and system based on 5G-R
CN117118628A (en) Lightweight identity authentication method and device for electric power Internet of things and electronic equipment
CN114928756B (en) Video data protection, encryption and verification method, system and equipment
CN116939601A (en) Mobile portable business processing equipment
CN112995119A (en) Data monitoring method and device
CN116980456A (en) Vehicle-mounted service processing system
CN116915956A (en) Camera device
CN110572352A (en) intelligent distribution network security access platform and implementation method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination