WO2017107328A1 - Secure communication method and apparatus for self-service terminal device hardware - Google Patents

Publication number
WO2017107328A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2016/077252
Inventor
熊飞
吴胜楠
陈明宇
张雲瑞
梁建明
李柯烨
Original Assignee
广州广电运通金融电子股份有限公司
Application filed by 广州广电运通金融电子股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F19/00 Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20 Automatic teller machines [ATMs]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Definitions

  • the present invention relates to the field of financial equipment, and in particular, to a secure communication method and apparatus for self-service terminal equipment hardware.
  • the embodiment of the invention provides a secure communication method and device for self-service terminal device hardware, which can solve the problem that existing self-service terminals are vulnerable to financial crime committed by criminals who use software to simulate the device hardware and communicate with the host.
  • the local end generates a random number, and splitting the encrypted data into data blocks according to the random number includes:
  • the local end generates a random number within a preset range
  • the local end divides the encrypted data into the random number of data blocks.
  • the method for secure communication further includes: the local end pre-generating a pair of asymmetric keys, including a public key and a private key, and pre-importing the public key to the opposite end;
  • the local end encrypts the original data, and obtaining the encrypted data includes:
  • the local end combines the original data and corresponding time information into a data body
  • the local end encrypts the verification data body to obtain encrypted data
  • Decrypting the encrypted data by the peer end, and obtaining the original data includes:
  • the peer further includes:
  • the peer end performs data plausibility check on the original data, and if the check passes, the peer end operates according to the original data.
  • a random segmentation module configured to generate a random number, and divide the encrypted data into data blocks according to the random number
  • a data packet module configured to package the data blocks one by one to generate a corresponding data packet
  • a parsing and merging module configured to parse and merge the data packet to obtain the encrypted data
  • a decryption module configured to decrypt the encrypted data to obtain the original data.
  • a data segmentation unit configured to divide the encrypted data into the random number of data blocks.
  • the secure communication device further includes:
  • a key generation module configured to generate a pair of asymmetric keys in advance, including a public key and a private key
  • a public key importing module configured to import the public key into the peer end in advance
  • the private key is used to encrypt the original data
  • the public key is used to decrypt the encrypted data.
  • the encryption module includes:
  • a first merging unit configured to combine the original data and corresponding time information into a data body
  • a second merging unit configured to combine the data body and the first operation result to obtain a check data body
  • the decryption module includes:
  • a decryption unit configured to decrypt the encrypted data to obtain a check data body to be tested
  • a second check operation unit configured to acquire a data body in the check data body to be tested, and perform a check operation on the acquired data body to obtain a second operation result
  • a checking unit configured to check whether the second operation result is consistent with the first operation result in the check data body to be tested
  • a data obtaining unit configured to acquire the original data in the data body when a check result of the check unit is YES.
  • the peer end further includes:
  • a plausibility checking module configured to perform data plausibility check on the original data
  • an operation module configured to perform operations according to the original data when the check of the plausibility check module passes.
  • the local end acquires original data that needs to be sent; the local end encrypts the original data to obtain encrypted data; then, the local end generates a random number and divides the encrypted data into data blocks according to the random number; the local end packs the data blocks one by one to generate corresponding data packets; finally, the local end transmits the data packets to the opposite end, so that the opposite end parses and merges the data packets to obtain the encrypted data, and then the peer decrypts the encrypted data to obtain the original data.
  • the secure communication method of the self-service terminal device hardware is implemented in the local host of the self-service terminal, does not require network verification, improves the security of the communication through random packetization, and prevents criminals from using software to simulate the hardware and communicate with the host to commit financial crimes.
  • FIG. 1 is a flowchart of an embodiment of a method for securely communicating hardware of a self-service terminal device according to an embodiment of the present invention
  • FIG. 2 is a flowchart of another embodiment of a method for secure communication of hardware of a self-service terminal device according to an embodiment of the present invention
  • FIG. 3 is a structural diagram of a self-service terminal system in an application scenario according to a method for secure communication of hardware of a self-service terminal device according to an embodiment of the present invention
  • FIG. 4 is a structural diagram of data format in a data encryption communication process in an application scenario according to a method for secure communication of hardware of a self-service terminal device according to an embodiment of the present invention
  • FIG. 5 is a structural diagram of an embodiment of a secure communication device for a self-service terminal device hardware according to an embodiment of the present invention
  • FIG. 6 is a structural diagram of another embodiment of a secure communication device for a self-service terminal device hardware according to an embodiment of the present invention.
  • the embodiment of the invention provides a secure communication method and device for self-service terminal device hardware, which is used to solve the problem that existing self-service terminals are vulnerable to financial crime committed by criminals who use software to simulate the device hardware and communicate with the host.
  • an embodiment of a method for secure communication of a self-service terminal device hardware in an embodiment of the present invention includes:
  • the local end obtains the original data that needs to be sent
  • the local end can obtain the original data that needs to be sent. It should be noted that when the host of the self-service terminal communicates with the device hardware, the host is the local end and the device hardware is the opposite end; when the device hardware of the self-service terminal communicates with the host, the device hardware is the local end and the host is the opposite end.
  • the local end encrypts the original data to obtain encrypted data.
  • After the local end obtains the original data to be sent, the local end can encrypt the original data to obtain encrypted data.
  • the local end generates a random number, and divides the encrypted data into data blocks according to the random number;
  • the local end can generate a random number, and divide the encrypted data into data blocks according to the random number.
  • the local end packs the data blocks one by one to generate corresponding data packets
  • After the local end generates a random number and divides the encrypted data into data blocks according to the random number, the local end can pack the data blocks one by one to generate corresponding data packets.
  • the local end transmits the data packet to the opposite end;
  • the local end can transmit the data packet to the opposite end.
  • the peer end parses and merges the data packet to obtain the encrypted data.
  • the peer decrypts the encrypted data to obtain the original data.
  • the local end obtains the original data that needs to be sent
  • the local end can obtain the original data that needs to be sent. It should be noted that when the host of the self-service terminal communicates with the device hardware, the host is the local end and the device hardware is the opposite end; when the device hardware of the self-service terminal communicates with the host, the device hardware is the local end and the host is the opposite end.
  • the local end combines the original data and the corresponding time information into a data body
  • the local end performs a check operation on the data body to obtain a first operation result
  • After the local end merges the original data and the corresponding time information into a data body, the local end performs a check operation on the data body to obtain a first operation result.
  • the verification operation may be a CRC (Cyclic Redundancy Code) check, so that the final first operation result is a CRC check operation result.
  • the local end combines the data body and the first operation result to obtain a verification data body.
  • the local end may combine the data body and the first operation result to obtain a verification data body.
  • the data structure of the check data body may be preset, for example, the first operation result is placed at the head of the data structure, and the data body is placed after the first operation result.
  • the structure of the check data body can be customized, which is not limited in this embodiment.
  • the local end encrypts the check data body by using a private key to obtain encrypted data.
  • the local end may encrypt the check data body by using a private key to obtain encrypted data.
  • the local end generates a pair of asymmetric keys, including a public key and a private key, and pre-imports the public key to the peer end, where the private key is used to encrypt the original data.
  • the public key is used to decrypt the encrypted data.
  • the local end generates a random number within a preset range
  • Before the segmentation, the local end needs to generate a random number within a preset range. The number is random for both the local end and the opposite end, which prevents criminals from learning it in advance and cracking the scheme, thereby improving security.
  • In order to improve the efficiency of data transmission, the random number is generally not too large.
  • For example, if the size of the encrypted data is 100 bytes and the generated random number is 100, the 100 bytes are divided into 100 data blocks of 1 byte each, which is very disadvantageous for subsequent data transmission. Therefore, in this embodiment, the random number is generated within a preset numerical range, thereby avoiding the problem that the random number is too large.
  • the local end divides the encrypted data into the random number of data blocks
  • After the local end generates a random number in a preset range, the local end divides the encrypted data into the random number of data blocks. For example, when the random number is 5, the encrypted data is divided into 5 data blocks.
  • the local end packs the data blocks one by one to generate corresponding data packets.
  • the local end may pack the data blocks one by one to generate corresponding data packets. For example, when there are 5 data blocks, each data block is packed to generate 5 corresponding data packets. Specifically, the header and the trailer may be respectively added on a basis of one data block, so that one data block generates one data packet.
  • the local end transmits the data packet to the opposite end;
  • After the data blocks are packaged one by one at the local end to generate corresponding data packets, the local end transmits the data packets to the opposite end.
  • the peer end may parse and merge the data packet to obtain the encrypted data. Specifically, that is, the data packet is parsed into data blocks, and then all the data blocks are merged into the encrypted data.
  • the peer end decrypts the encrypted data by using a public key. If the decryption fails, step 37 is performed. If the decryption succeeds, the check data body to be tested is obtained.
  • the peer end may decrypt the encrypted data by using the public key. If the decryption fails, step 37 is performed. If the decryption succeeds, the check data body to be tested is obtained. It can be understood that the public key used for decryption is paired with the private key used for encryption, and the public key is pre-imported to the peer end, thereby preventing criminals from obtaining the public key on the opposite end by software means.
  • the peer end acquires a data body in the data body to be tested, and performs a check operation on the obtained data body to obtain a second operation result.
  • After obtaining the check data body to be tested, the peer end can acquire the data body in the check data body to be tested, and perform a check operation on the obtained data body to obtain a second operation result. It should be noted that the verification operation method of step 32 should be consistent with the verification operation method used in step 23.
  • the peer end verifies whether the second operation result is consistent with the first operation result in the check data body to be tested; if yes, step 34 is performed, and if not, step 37 is performed;
  • the peer end may check whether the second operation result matches the first operation result in the check data body to be tested. If yes, step 34 is performed, and if not, step 37 is performed. It can be understood that when the second operation result is consistent with the first operation result, the data body in the obtained check data body to be tested is consistent with the data body on the local end; otherwise, the data in the check data body to be tested is erroneous and can be handled as an error.
  • the peer acquires the original data in the data body.
  • the peer end acquires the original data from the data body.
  • the peer end performs data plausibility check on the original data, if the check passes, step 36 is performed, and if the check fails, step 37 is performed;
  • the peer end operates according to the original data
  • the peer end can operate according to the original data.
  • the peer end performs data discarding processing.
  • When the decryption of the encrypted data fails, or the verification of the check data body fails, or the data plausibility check of the obtained original data fails, the peer performs data discard processing on the data.
  • the host of the self-service terminal has a data security processing module 102 built therein, and a data security processing module 103 is built in the device hardware.
  • the system structure of the self-service terminal is as shown in FIG. 3 .
  • the self-service terminal host is installed with the upper layer software of the ATMC (system platform of an ATM machine), and the host communicates with the data security processing module 103 of the device hardware through the data security processing module 102 to implement communication between the host and the device hardware.
  • the following describes each link in the communication process; please refer to Figure 3 and Figure 4.
  • Step 1: Add a hardware data security processing module 103 to the external communication interface in the device, that is, connect the original device connection cable to the hardware encryption module; the encryption module then exposes a new communication interface, and communication with the host uses this interface.
  • Step 2: The ATMC upper layer software 101 generates a pair of asymmetric keys: the public key is A, the private key is B, and the public key A is imported into the hardware device; the hardware device generates, through the hardware data security processing module 103, a pair of asymmetric keys: the public key is C, the private key is D, and C is sent to the ATMC software.
  • Step 2: The data security processing module 102 first copies the binary command data into the original binary data 205 buffer of the check data format 201. The data collating submodule 302 adds the time information 204 according to the check data format 201, combines the time information 204 and the original binary data 205 into a data body 202, performs a CRC check operation to generate the CRC check operation result CRC 203, and combines the CRC 203 and the data body 202 to generate the check data format 201.
  • the data encryption sub-module 303 encrypts the data of the check data format 201 with the private key B to generate encrypted binary data 207 (hereinafter referred to as data B') of the encrypted data format 206. The data splitting module 304 then assigns a packet number 212 to the data B', generates a random number according to the clock while ensuring that the size of each split binary data 210 is not less than 20 bytes, and divides the data into blocks according to the generated random number to obtain a plurality of split binary data 210.
  • a split header 209 and a split trailer 211 are added to each split binary data 210 (where the split header 209 includes a header identifier 0xBF, a packet number 212, a block number 213, and a block number 214, and the split trailer 211 is identified as 0xEF) to generate the corresponding number of data packets of the packetized data format 208.
  • the generated packets of the packetized data format 208 are then transmitted to the data security processing module 103 in sequence via the serial port or USB.
  • Step 3: The data security processing module 103 receives the transmitted communication data in the packetized data format 208. The merge submodule 307 in the data security processing module 103 parses the block number 213 and the block number 214 of the first packet of the packetized data format 208 (where the block number 213 is the number of blocks to be packetized, and the block number 214 is the block position index number of the packetized data), receives the packets of the packetized data format 208 that carry the same packet number 212, and merges the split binary data 210 in those packets to obtain data of the encrypted data format 206 (hereinafter referred to as data B'). The data decryption sub-module 308 decrypts the data B' using the public key A.
  • the data check sub-module 309 performs a CRC check operation on the data body 202 in the data B, and then compares the result with the CRC 203 in the check data format 201. If the results do not match, it actively refuses to send the original binary data 205 in the check data format 201 to the hardware command master 104. If the results match, the data is checked for plausibility (refer to the step of the security check operation); if the data is not plausible, the original binary data 204 in the check data format 201 is refused from being sent to the hardware command master 104, and if it is plausible, the original binary data 205 in the check data format 201 is sent to the hardware command master 104.
  • a data packet module 504 configured to package the data blocks one by one to generate a corresponding data packet
  • the opposite end B5 includes:
  • the parsing and merging module 506 is configured to parse and merge the data packet to obtain the encrypted data.
  • the decryption module 507 is configured to decrypt the encrypted data to obtain the original data.
  • the original data obtaining module 501 acquires the original data that needs to be sent; the encryption module 502 encrypts the original data to obtain the encrypted data; then, the random segmentation module 503 generates a random number and divides the encrypted data into data blocks according to the random number; the data packet module 504 packs the data blocks one by one to generate corresponding data packets; then, the transmission module 505 transmits the data packets to the opposite end B5; after the opposite end B5 receives the data packets, the parsing and merging module 506 parses and merges the data packets to obtain the encrypted data, and the decrypting module 507 decrypts the encrypted data to obtain the original data.
  • the secure communication device of the self-service terminal device hardware is implemented in the local host of the self-service terminal, does not require network verification, improves the security of the communication through random packetization, and prevents criminals from using software to simulate the hardware and communicate with the host to commit financial crimes.
  • Referring to FIG. 6, another embodiment of the secure communication device for the self-service terminal device hardware in the embodiment of the present invention includes:
  • the local end A6 includes:
  • the original data obtaining module 601 is configured to obtain original data that needs to be sent;
  • the encryption module 602 is configured to encrypt the original data to obtain encrypted data.
  • the parsing and merging module 606 is configured to parse and merge the data packet to obtain the encrypted data.
  • the random slicing module 603 in this embodiment may include:
  • a key generation module 608 configured to generate a pair of asymmetric keys in advance, including a public key and a private key;
  • the public key importing module 609 is configured to import the public key to the opposite end B6 in advance;
  • the private key is used to encrypt the original data
  • the public key is used to decrypt the encrypted data.
  • a first merging unit 6021 configured to combine the original data and the corresponding time information into a data body
  • the first check operation unit 6022 is configured to perform a check operation on the data body to obtain a first operation result
  • the encryption unit 6024 is configured to encrypt the check data body to obtain encrypted data.
  • the decryption module 607 includes:
  • a checking unit 6073 configured to check whether the second operation result is consistent with the first operation result in the check data body to be tested
  • a plausibility check module 610 configured to perform data plausibility check on the original data
  • the operation module 611 is configured to perform operations according to the original data when the check of the plausibility check module 610 passes.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes a number of instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
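
The check-data, random-split, packetize and parse-and-merge steps described in Steps 2 and 3 above, as an added Python example that is not part of the patent text. The one-byte widths for packet number, block count and block index, the use of CRC-32, the 8-byte timestamp, the 30-second freshness rule standing in for the plausibility check, the upper bound of 8 blocks and the use of `secrets` instead of a clock-derived number are assumptions; the asymmetric-key step is a pass-through placeholder.

```python
import secrets
import struct
import zlib

HEAD, TAIL = 0xBF, 0xEF   # header / trailer identifiers given in the text
MIN_BLOCK = 20            # text: each split block is not less than 20 bytes
MAX_BLOCKS = 8            # assumption: upper bound of the "preset range"

# Constructed sample command, not taken from any real device protocol.
SAMPLE_COMMAND = b"DISPENSE 0100 CNY cassette=2 (constructed sample command)"


def build_check_body(original: bytes, timestamp: int) -> bytes:
    """CRC at the head, followed by data body = time information + original."""
    body = struct.pack(">Q", timestamp) + original
    return struct.pack(">I", zlib.crc32(body)) + body


def open_check_body(check_body: bytes, now: int, max_age: int = 30):
    """Return the original data, or None when the data must be discarded."""
    if len(check_body) < 12:
        return None
    (crc,) = struct.unpack(">I", check_body[:4])
    body = check_body[4:]
    if zlib.crc32(body) != crc:               # second result != first result
        return None
    (timestamp,) = struct.unpack(">Q", body[:8])
    if not 0 <= now - timestamp <= max_age:   # assumed plausibility rule
        return None
    return body[8:]


def split_blocks(data: bytes, count=None):
    """Split into a random number of blocks, each at least MIN_BLOCK bytes."""
    upper = max(1, min(MAX_BLOCKS, len(data) // MIN_BLOCK))
    if count is None:
        count = 1 + secrets.randbelow(upper)  # uniform in 1..upper
    if not 1 <= count <= upper:
        raise ValueError("block count outside the preset range")
    base, extra = divmod(len(data), count)
    blocks, pos = [], 0
    for i in range(count):
        size = base + (1 if i < extra else 0)
        blocks.append(data[pos:pos + size])
        pos += size
    return blocks


def pack(blocks, packet_no: int):
    """One packet per block: 0xBF, packet no, block count, block index, data, 0xEF."""
    total = len(blocks)
    return [bytes([HEAD, packet_no & 0xFF, total, i]) + block + bytes([TAIL])
            for i, block in enumerate(blocks)]


def parse_and_merge(packets):
    """Rebuild the encrypted data; None on any malformed, mixed or missing packet."""
    parts, packet_no, total = {}, None, None
    for p in packets:
        if len(p) < 5 or p[0] != HEAD or p[-1] != TAIL:
            return None
        no, tot, idx = p[1], p[2], p[3]
        if packet_no is None:
            packet_no, total = no, tot
        if (no, tot) != (packet_no, total) or idx >= total or idx in parts:
            return None
        parts[idx] = p[4:-1]
    if total is None or len(parts) != total:
        return None
    return b"".join(parts[i] for i in range(total))


def send(original: bytes, timestamp: int, packet_no: int, encrypt=lambda b: b):
    """Local end. `encrypt` is a placeholder for the private-key operation."""
    return pack(split_blocks(encrypt(build_check_body(original, timestamp))),
                packet_no)


def receive(packets, now: int, decrypt=lambda b: b):
    """Peer end. `decrypt` is a placeholder for the public-key operation."""
    merged = parse_and_merge(packets)
    if merged is None:
        return None
    try:
        check_body = decrypt(merged)
    except ValueError:                        # decryption failure: discard
        return None
    return open_check_body(check_body, now)


if __name__ == "__main__":
    pkts = send(SAMPLE_COMMAND, timestamp=1000, packet_no=7)
    print(len(pkts), "packets ->", receive(pkts, now=1005))
```

A CRC only detects corruption of the data body; in the scheme described above, resistance to a software-simulated device rests on the asymmetric-key step that this example leaves as a placeholder.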

Abstract

Disclosed is a secure communication method for self-service terminal device hardware, which is used for solving the problem that a conventional self-service terminal is vulnerable to financial crime committed by a criminal who simulates device hardware through software to communicate with a host. The method comprises: a local end acquiring original data needing to be sent; the local end encrypting the original data to obtain encrypted data; the local end generating a random number, and partitioning the encrypted data into data blocks according to the random number; the local end packaging the data blocks one by one to generate corresponding data packets; the local end transmitting the data packets to a peer end, such that the peer end parses and merges the data packets to obtain the encrypted data, and then the peer end decrypting the encrypted data to obtain the original data. Also provided is a secure communication apparatus for self-service terminal device hardware.

Description

一种自助终端设备硬件的安全通信方法和装置Safety communication method and device for self-service terminal equipment hardware
本申请要求于2015年12月22日提交中国专利局、申请号为201510981728.1、发明名称为“一种自助终端设备硬件的安全通信方法和装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to Chinese Patent Application No. 201510981728.1, entitled "Safe Communication Method and Apparatus for Self-Service Terminal Equipment Hardware", filed on December 22, 2015, the entire contents of which are hereby incorporated by reference. Combined in this application.
技术领域Technical field
本发明涉及金融设备领域,尤其涉及一种自助终端设备硬件的安全通信方法和装置。The present invention relates to the field of financial equipment, and in particular, to a secure communication method and apparatus for self-service terminal equipment hardware.
背景技术Background technique
随着金融犯罪的手法不端提高,技术水平不断提升,虽然目前ATM机器的保险柜不容易接触到,但是犯罪分子可以通过软件模拟机芯硬件设备,布置在目标ATM机器上,达到不断的模拟存款业务,绕过了真实机芯设备,从而导致金融犯罪。犯罪人员通过测试工具,调用CEN XFS标准的命令,不需要打开保险柜门,就能把钞票从保险柜中轻松的拿出来,增加了风险。现有的安全技术是需要联网进行安全验证,会增加因联网验证所产生的未知风险,这样就大大降低ATMC软件对主机设备的安全实时检查和追踪,就会被犯罪人员有机可乘。With the improvement of financial crimes, the technical level is constantly improving. Although the safes of ATM machines are not easily accessible, criminals can simulate the movement hardware devices and arrange them on the target ATM machines to achieve continuous simulation. The deposit business bypassed the real movement equipment, which led to financial crimes. The criminals use the test tool to call the CEN XFS standard command, and it is easy to take out the banknotes from the safe without opening the safe door, increasing the risk. The existing security technology requires network security verification, which will increase the unknown risk caused by network authentication. This will greatly reduce the real-time security check and tracking of the host device by the ATMC software, which will be easily taken by criminals.
发明内容Summary of the invention
本发明实施例提供了一种自助终端设备硬件的安全通信方法和装置,能够解决现有自助终端容易遭到犯罪分子通过软件模拟设备硬件与主机通信进行金融犯罪的问题。The embodiment of the invention provides a secure communication method and device for self-service terminal device hardware, which can solve the problem that the existing self-service terminal is vulnerable to criminal crimes by the criminals communicating with the host through the hardware of the software simulation device.
A secure communication method for self-service terminal device hardware provided by an embodiment of the present invention is applied to communication between the host of the self-service terminal and the device hardware, and includes:
the local end obtains the original data to be sent;
the local end encrypts the original data to obtain encrypted data;
the local end generates a random number and splits the encrypted data into data blocks according to the random number;
the local end packs the data blocks one by one to generate corresponding data packets;
the local end transmits the data packets to the peer end, so that the peer end parses and merges the data packets to obtain the encrypted data and then decrypts the encrypted data to obtain the original data.
Optionally, the local end generating a random number and splitting the encrypted data into data blocks according to the random number includes:
the local end generates a random number within a preset range;
the local end splits the encrypted data into that random number of data blocks.
Optionally, the secure communication method further includes: the local end generates in advance a pair of asymmetric keys, comprising a public key and a private key, and imports the public key into the peer end in advance;
the private key is used to encrypt the original data, and the public key is used to decrypt the encrypted data.
Optionally, the local end encrypting the original data to obtain encrypted data includes:
the local end merges the original data and the corresponding time information into a data body;
the local end performs a check operation on the data body to obtain a first operation result;
the local end merges the data body and the first operation result to obtain a check data body;
the local end encrypts the check data body to obtain the encrypted data;
the peer end decrypting the encrypted data to obtain the original data includes:
the peer end decrypts the encrypted data to obtain a check data body under test;
the peer end extracts the data body from the check data body under test and performs the check operation on the extracted data body to obtain a second operation result;
the peer end checks whether the second operation result matches the first operation result in the check data body under test and, if they match, obtains the original data from the data body.
Optionally, after obtaining the original data, the peer end further performs the following:
the peer end performs a data plausibility check on the original data and, if the check passes, operates according to the original data.
A secure communication apparatus for self-service terminal device hardware provided by an embodiment of the present invention is applied to communication between the host of the self-service terminal and the device hardware, and includes a local end and a peer end. The local end includes:
an original data obtaining module, configured to obtain the original data to be sent;
an encryption module, configured to encrypt the original data to obtain encrypted data;
a random splitting module, configured to generate a random number and split the encrypted data into data blocks according to the random number;
a data packet module, configured to pack the data blocks one by one to generate corresponding data packets;
a transmission module, configured to transmit the data packets to the peer end.
The peer end includes:
a parsing and merging module, configured to parse and merge the data packets to obtain the encrypted data;
a decryption module, configured to decrypt the encrypted data to obtain the original data.
Optionally, the random splitting module includes:
a random number generating unit, configured to generate a random number within a preset range;
a data splitting unit, configured to split the encrypted data into that random number of data blocks.
Optionally, the secure communication apparatus further includes:
a key generation module, configured to generate in advance a pair of asymmetric keys, comprising a public key and a private key;
a public key import module, configured to import the public key into the peer end in advance;
the private key is used to encrypt the original data, and the public key is used to decrypt the encrypted data.
Optionally, the encryption module includes:
a first merging unit, configured to merge the original data and the corresponding time information into a data body;
a first check operation unit, configured to perform a check operation on the data body to obtain a first operation result;
a second merging unit, configured to merge the data body and the first operation result to obtain a check data body;
an encryption unit, configured to encrypt the check data body to obtain the encrypted data.
The decryption module includes:
a decryption unit, configured to decrypt the encrypted data to obtain a check data body under test;
a second check operation unit, configured to extract the data body from the check data body under test and perform the check operation on the extracted data body to obtain a second operation result;
a checking unit, configured to check whether the second operation result matches the first operation result in the check data body under test;
a data obtaining unit, configured to obtain the original data from the data body when the result of the checking unit is yes.
Optionally, the peer end further includes:
a plausibility check module, configured to perform a data plausibility check on the original data;
an operation module, configured to operate according to the original data when the check by the plausibility check module passes.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, the local end first obtains the original data to be sent and encrypts it to obtain encrypted data. The local end then generates a random number, splits the encrypted data into data blocks according to the random number, and packs the data blocks one by one to generate corresponding data packets. Finally, the local end transmits the data packets to the peer end, so that the peer end parses and merges the data packets to obtain the encrypted data and then decrypts the encrypted data to obtain the original data. In the embodiments of the present invention, the secure communication method for self-service terminal device hardware is implemented inside the local host of the self-service terminal and requires no networked verification, and random packetization raises the security of the communication, guarding against financial crime in which criminals use software to emulate the device hardware and communicate with the host.
Brief description of the drawings
The drawings are provided for a further understanding of the present invention and form part of the specification. Together with the embodiments of the present invention they serve to explain the invention and do not limit it. In the drawings:
FIG. 1 is a flowchart of one embodiment of a secure communication method for self-service terminal device hardware according to an embodiment of the present invention;
FIG. 2 is a flowchart of another embodiment of a secure communication method for self-service terminal device hardware according to an embodiment of the present invention;
FIG. 3 is a structural diagram of the self-service terminal system in one application scenario of the secure communication method for self-service terminal device hardware according to an embodiment of the present invention;
FIG. 4 is a structural diagram of the data formats used during encrypted data communication in one application scenario of the secure communication method for self-service terminal device hardware according to an embodiment of the present invention;
FIG. 5 is a structural diagram of one embodiment of a secure communication apparatus for self-service terminal device hardware according to an embodiment of the present invention;
FIG. 6 is a structural diagram of another embodiment of a secure communication apparatus for self-service terminal device hardware according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide a secure communication method and apparatus for self-service terminal device hardware, which address the problem that existing self-service terminals are vulnerable to financial crime in which criminals use software to emulate the device hardware and communicate with the host.
To make the objects, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. The embodiments described below are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to FIG. 1, one embodiment of a secure communication method for self-service terminal device hardware in the embodiments of the present invention includes:
11. The local end obtains the original data to be sent;
First, the local end obtains the original data to be sent. Note that when the host of the self-service terminal communicates to the device hardware, the host is the local end and the device hardware is the peer end; when the device hardware of the self-service terminal communicates to the host, the device hardware is the local end and the host is the peer end.
12. The local end encrypts the original data to obtain encrypted data;
After obtaining the original data to be sent, the local end can encrypt the original data to obtain encrypted data.
13. The local end generates a random number and splits the encrypted data into data blocks according to the random number;
After encrypting the original data to obtain the encrypted data, the local end can generate a random number and split the encrypted data into data blocks according to the random number.
14. The local end packs the data blocks one by one to generate corresponding data packets;
After generating the random number and splitting the encrypted data into data blocks according to it, the local end can pack the data blocks one by one to generate corresponding data packets.
15. The local end transmits the data packets to the peer end;
After packing the data blocks one by one into corresponding data packets, the local end can transmit the data packets to the peer end.
16. The peer end parses and merges the data packets to obtain the encrypted data;
After the local end transmits the data packets to the peer end, the peer end can parse and merge the data packets to obtain the encrypted data.
17. The peer end decrypts the encrypted data to obtain the original data.
After parsing and merging the data packets to obtain the encrypted data, the peer end can decrypt the encrypted data to obtain the original data.
In this embodiment, the local end first obtains the original data to be sent and encrypts it to obtain encrypted data. The local end then generates a random number, splits the encrypted data into data blocks according to the random number, and packs the data blocks one by one to generate corresponding data packets. Finally, the local end transmits the data packets to the peer end, so that the peer end parses and merges the data packets to obtain the encrypted data and then decrypts the encrypted data to obtain the original data. In this embodiment, the secure communication method for self-service terminal device hardware is implemented inside the local host of the self-service terminal and requires no networked verification, and random packetization raises the security of the communication, guarding against financial crime in which criminals use software to emulate the device hardware and communicate with the host.
For ease of understanding, a secure communication method for self-service terminal device hardware in the embodiments of the present invention is described in detail below. Referring to FIG. 2, another embodiment of the secure communication method for self-service terminal device hardware includes:
21. The local end obtains the original data to be sent;
First, the local end obtains the original data to be sent. Note that when the host of the self-service terminal communicates to the device hardware, the host is the local end and the device hardware is the peer end; when the device hardware of the self-service terminal communicates to the host, the device hardware is the local end and the host is the peer end.
22. The local end merges the original data and the corresponding time information into a data body;
After obtaining the original data to be sent, the local end can merge the original data and the corresponding time information into a data body. The time information corresponds to the original data: it may record the time at which the original data was generated, or the chronological order among multiple pieces of original data.
23. The local end performs a check operation on the data body to obtain a first operation result;
After merging the original data and the corresponding time information into a data body, the local end performs a check operation on the data body to obtain a first operation result. The check operation may specifically be a CRC (Cyclic Redundancy Code) check, in which case the first operation result is the CRC result.
24. The local end merges the data body and the first operation result to obtain a check data body;
After performing the check operation on the data body to obtain the first operation result, the local end can merge the data body and the first operation result to obtain a check data body. The data structure of the check data body may be preset, for example with the first operation result placed at the head of the structure and the data body placed after it. The structure of the check data body can be customized and is not limited by this embodiment.
25. The local end encrypts the check data body with the private key to obtain encrypted data;
After merging the data body and the first operation result into the check data body, the local end can encrypt the check data body with the private key to obtain encrypted data. Note that the local end generates a pair of asymmetric keys in advance, comprising a public key and a private key, and imports the public key into the peer end in advance; the private key is used to encrypt the original data and the public key is used to decrypt the encrypted data.
26. The local end generates a random number within a preset range;
Before splitting, the local end needs to generate a random number within a preset range. This number is random to both the local end and the peer end, which prevents criminals from learning it in advance and breaking the scheme, and so improves security. To keep data transmission efficient, the random number generally should not be too large. For example, if the encrypted data is 100 bytes and the generated random number is 100, the 100 bytes would be split into 100 one-byte data blocks, which is very unfavorable for the subsequent data transmission. In this embodiment the random number is therefore generated within a preset numerical range, which avoids the problem of an excessively large random number.
27. The local end splits the encrypted data into that random number of data blocks;
After generating a random number within the preset range, the local end splits the encrypted data into that random number of data blocks. For example, when the random number is 5, the encrypted data is split into 5 data blocks.
28. The local end packs the data blocks one by one to generate corresponding data packets;
After splitting the encrypted data into that random number of data blocks, the local end can pack the data blocks one by one to generate corresponding data packets. For example, when there are 5 data blocks, each data block is packed, producing 5 corresponding data packets. Specifically, a packet header and a packet trailer can be added to each data block, so that one data block produces one data packet.
29. The local end transmits the data packets to the peer end;
After packing the data blocks one by one into corresponding data packets, the local end transmits the data packets to the peer end.
30. The peer end parses and merges the data packets to obtain the encrypted data;
After receiving the data packets from the local end, the peer end can parse and merge them to obtain the encrypted data. Specifically, the data packets are parsed into data blocks, and all the data blocks are then merged into the encrypted data.
31. The peer end decrypts the encrypted data with the public key; if decryption fails, step 37 is performed; if decryption succeeds, the check data body under test is obtained;
After obtaining the encrypted data, the peer end can decrypt it with the public key. If decryption fails, step 37 is performed; if decryption succeeds, the check data body under test is obtained. The public key used for decryption is paired with the private key used for encryption, and the public key is imported into the peer end in advance, which prevents criminals from obtaining the public key on the peer end by software means.
32. The peer end extracts the data body from the check data body under test and performs the check operation on the extracted data body to obtain a second operation result;
After obtaining the check data body under test, the peer end can extract the data body from it and perform the check operation on the extracted data body to obtain a second operation result. Note that the check operation used in step 32 should be the same as the one used in step 23.
33. The peer end checks whether the second operation result matches the first operation result in the check data body under test; if they match, step 34 is performed; if not, step 37 is performed;
After obtaining the second operation result, the peer end can check whether it matches the first operation result in the check data body under test. If they match, step 34 is performed; if not, step 37 is performed. When the second operation result matches the first, the data body in the check data body under test is consistent with the data body at the local end; otherwise the check data body under test contains a data error and can be handled as erroneous data.
34. The peer end obtains the original data from the data body;
When the second operation result matches the first operation result, the peer end obtains the original data from the data body.
35. The peer end performs a data plausibility check on the original data; if the check passes, step 36 is performed; if the check fails, step 37 is performed;
After obtaining the original data from the data body, the peer end can perform a data plausibility check on the original data. If the check passes, step 36 is performed; if the check fails, step 37 is performed. The criteria for the data plausibility check can be set according to actual use, for example by checking whether the combination of commands in the original data is reasonable, or whether its corresponding time information is reasonable.
36. The peer end operates according to the original data;
After the original data passes the data plausibility check, the peer end can operate according to the original data.
37. The peer end discards the data.
When decryption of the encrypted data fails, when the check of the check data body under test fails, or when the obtained original data does not pass the data plausibility check, the peer end discards the data.
For ease of understanding, the secure communication method for self-service terminal device hardware in the embodiments of the present invention is described below using a practical application scenario:
In this application scenario, the host of the self-service terminal has a built-in data security processing module 102, and the device hardware has a built-in data security processing module 103. The system structure of the self-service terminal is shown in FIG. 3. The host of the self-service terminal runs the ATMC (a system platform for ATMs) upper-layer software, and the host communicates through the data security processing module 102 with the data security processing module 103 of the device hardware, which implements the communication between the host and the device hardware. Each stage of the communication process is described below; refer to FIG. 3 and FIG. 4.
Key generation process:
Step 1: Add the hardware data security processing module 103 to the device's external communication interface. That is, the original device connection cable is plugged into the hardware encryption module, the encryption module then exposes a new communication interface, and the communication connection with the host uses that interface.
Step 2: The ATMC upper-layer software 101 generates a pair of asymmetric keys, public key A and private key B, and imports public key A into the hardware device. The hardware device, through the hardware data security processing module 103, generates a pair of asymmetric keys, public key C and private key D, and sends C to the ATMC software.
Description of the encrypted data communication process:
步骤1:ATMC上层软件101将二进制命令数据传送给数据安全处理模块102;Step 1: The ATMC upper layer software 101 transmits the binary command data to the data security processing module 102;
步骤2:数据安全处理模块102首先在二进制命令数据复制到校验数据格式201的原始的二进制数据205缓存中,数据整理子模块302在此基础上按校验数据格式201增加时间信息204,然后将时间信息204和原始的二进制数据205合并成数据体202,并且进行CRC校验和运算,生成CRC校验运算结果 CRC203,再将CRC203和数据体202合并生成校验数据格式201。数据加密子模块303用私钥B将校验数据格式201的数据进行加密生成加密数据格式206的加密后的二进制数据207(以下简称数据B’),然后数据拆分子模块304分配一个包编号212,并将数据B’根据时钟产生一个随机数,并且保证每个拆分后的二进制数据210的字节大小不少于20个字节,然后根据所产生的随机数进行切分数据块,得到若干块拆分后的二进制数据210,在分后的二进制数据210的基础上增加分割包头209和分割包尾211(其中分割包头209包括包头标识0xBF、包编号212、块数213和块序号214,分割包尾211标识为0xEF)生成对应数量的分包数据格式208的数据包。然后将所生成的分包数据格式208的数据包按顺序通过串口或者USB传输给数据安全处理模块103。Step 2: The data security processing module 102 first copies the binary command data into the original binary data 205 buffer of the check data format 201, and the data collating submodule 302 adds the time information 204 according to the check data format 201, and then The time information 204 and the original binary data 205 are combined into a data body 202, and a CRC checksum operation is performed to generate a CRC check operation result. The CRC 203 combines the CRC 203 and the data body 202 to generate a parity data format 201. The data encryption sub-module 303 encrypts the data of the check data format 201 with the private key B to generate encrypted binary data 207 (hereinafter referred to as data B') of the encrypted data format 206, and then the data splitting module 304 assigns a packet number 212. And the data B' generates a random number according to the clock, and ensures that the size of each split binary data 210 is not less than 20 bytes, and then divides the data block according to the generated random number to obtain The plurality of split binary data 210 adds a split header 209 and a split trailer 211 based on the divided binary data 210 (where the split header 209 includes a header identifier 0xBF, a packet number 212, a block number 213, and a block number 214 The split packet tail 211 is identified as 0xEF) to generate a data packet of the corresponding number of packetized data formats 208. 
The generated packet of the packetized data format 208 is then transmitted to the data security processing module 103 in sequence via the serial port or USB.
步骤3:数据安全处理模块103接收到传输过来的数据格式为分包数据格式208的通信数据,数据安全处理模块103中的合并子模块307通过分析传过来的第一个分包数据格式208中的块数213和块序号214(其中块数213为分包的块数量,块序号214为分包数据的块位置索引序号)进行接收后续的相同分包数据格式208的数据包,将相同包编号212的拆包数据格式208 中的拆分后的二进制数据210合并数据,得到加密数据格式206的数据(以下简称数据B’),数据解密子模块308使用公钥A解密数据B’,得到校验数据格式201的数据B,数据校验子模块309将数据B中的数据体202进行CRC校验和运算,再与校验数据格式201中的CRC203进行校验,如果结果不相符时就主动拒绝将校验数据格式201中的原始的二进制数据205往硬件命令主控104发送,如果校验的结果符合时,校对数据合理性(参考安全检查操作步骤),如果不可理也会拒绝将校验数据格式201中的原始的二进制数据204往硬件命令主控104发送,如果合理则将校验数据格式201中的原始的二进制数据205发送给硬件命令主控104。Step 3: The data security processing module 103 receives the transmitted communication data in the data format of the packetized data format 208, and the merge submodule 307 in the data security processing module 103 analyzes the first packetized data format 208. The block number 213 and the block number 214 (where the block number 213 is the number of blocks to be packetized, and the block number 214 is the block position index number of the packetized data) is received by the same packet of the same packetized data format 208, and the same packet is used. The split binary data 210 in the unpacked data format 208 of the number 212 merges the data to obtain data of the encrypted data format 206 (hereinafter referred to as data B'), and the data decryption sub-module 308 decrypts the data B' using the public key A. 
Checking the data B of the data format 201, the data check sub-module 309 performs a CRC checksum operation on the data body 202 in the data B, and then checks with the CRC 203 in the check data format 201, and if the results do not match, Actively rejecting the original binary data 205 in the check data format 201 to the hardware command master 104, if the result of the check is met, the proofreading data is reasonable (refer to the security check operation) In the step), if the illegitimate, the original binary data 204 in the check data format 201 is rejected from being sent to the hardware command master 104, and if so, the original binary data 205 in the check data format 201 is sent to the hardware. Command master 104.
步骤4:硬件命令主控104接收到二进制数据后进行命令处理。硬件命令主控104处理完成命令后将结果数据返回给数据安全处理模块103。Step 4: The hardware command master 104 performs command processing after receiving the binary data. The hardware command master 104 returns the result data to the data security processing module 103 after processing the completion command.
Step 5: After receiving the returned data, the data security processing module 103 copies it into the original binary data 219 buffer of check data format 215. The data collating sub-module 302 then adds time information 218 as required by check data format 215, merges time information 218 and the original binary data 219 into data body 216, and performs a CRC checksum operation to produce the CRC result CRC 217. CRC 217 and data body 216 are then combined to form check data format 215. The data encryption sub-module 303 uses private key D to encrypt the data in check data format 215 into the encrypted binary data 221 of encrypted data format 220 (hereinafter data D'). The data splitting sub-module 304 then assigns a packet number 226, generates a random number from the clock for data D', and, while ensuring that each piece of split binary data 224 is no smaller than 20 bytes, cuts the data into blocks according to the generated random number, producing several pieces of split binary data 224. A split header 223 and a split trailer 225 are added to each piece of split binary data 224 (the split header 223 contains the header marker 0xBF, packet number 226, block count 227 and block sequence number 228; the split trailer 225 is marked 0xEF), producing the corresponding number of packets in packetized data format 222. The split packets in packetized data format 222 are then transmitted in order to the data security processing module 102 over a serial port or USB.
Step 6: The data security processing module 102 receives the communication data transmitted in packetized data format 222. The merge sub-module 307 in the data security processing module 103 analyzes the block count 227 and block sequence number 228 in the first packet of packetized data format 222 that arrives (block count 227 is the number of blocks the data was split into, and block sequence number 228 is the position index of the block within the split data), receives the subsequent packets of the same packetized data format 222, and merges the split binary data 224 from the packets of packetized data format 222 that carry the same packet number 226, obtaining data in encrypted data format 220 (hereinafter data D'). The data decryption sub-module 308 decrypts data D' with public key C to obtain data D in check data format 215. The data check sub-module 309 computes a CRC checksum over the data body 216 in data D and compares it with CRC 217 in check data format 215. If the results do not match, it refuses to send the original binary data 219 in check data format 215 to the ATMC upper-layer software 101. If the check passes, it verifies the plausibility of the data (see the security check operation steps); if the data is not plausible, it likewise refuses to send the original binary data 219 in check data format 215 to the ATMC upper-layer software 101, and if the data is plausible, it sends the original binary data 219 in check data format 215 to the ATMC upper-layer software 101.
Step 7: After receiving binary data D, the ATMC upper-layer software 101 has the data returned by the hardware device. This process constitutes one complete transfer.
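The framing and checking in the transfer steps above can be exercised end to end with the following sketch, an added example that is not code from the patent. The field widths, CRC-32, the 8-byte millisecond timestamp, placing the CRC after the data body, the caller-supplied random source and all function names are assumptions; the asymmetric encrypt/decrypt step is passed in as a callable and defaults to a no-op, and frames are assumed to arrive already delimited.

```python
import random
import struct
import zlib

HEAD, TAIL = 0xBF, 0xEF   # header and trailer markers named in the patent text
MIN_CHUNK = 20            # minimum size of each split block, per the patent text
# Assumed header layout (the page names the fields, not their widths):
# marker u8 | packet number u16 | block count u8 | block sequence number u8
HDR = struct.Struct(">BHBB")


def build_check_data(raw, ts_ms):
    """Data body = time information + original binary data, followed by its CRC."""
    body = struct.pack(">Q", ts_ms) + raw               # assumed 8-byte ms timestamp
    return body + struct.pack(">I", zlib.crc32(body))   # assumed CRC-32, appended


def parse_check_data(blob):
    """Recompute the CRC over the data body; release the payload only on a match."""
    if len(blob) < 12:
        raise ValueError("check data too short")
    body, (crc,) = blob[:-4], struct.unpack(">I", blob[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch")
    return struct.unpack(">Q", body[:8])[0], body[8:]


def split_random(data, rng):
    """Cut data into a random number of blocks, none shorter than MIN_CHUNK
    (a single block is returned when the data is shorter than 2 * MIN_CHUNK)."""
    max_blocks = max(1, min(255, len(data) // MIN_CHUNK))
    n = rng.randint(1, max_blocks)
    slack = len(data) - n * MIN_CHUNK                   # bytes spread at random
    cuts = sorted(rng.randint(0, slack) for _ in range(n - 1))
    blocks, pos, prev = [], 0, 0
    for cut in cuts + [slack]:
        size = MIN_CHUNK + cut - prev
        blocks.append(data[pos:pos + size])
        pos, prev = pos + size, cut
    return blocks


def send(raw, packet_no, ts_ms, rng=None, encrypt=lambda b: b):
    """Sender side: check data -> encrypt -> random split -> framed packets."""
    rng = rng or random.SystemRandom()
    blocks = split_random(encrypt(build_check_data(raw, ts_ms)), rng)
    return [HDR.pack(HEAD, packet_no, len(blocks), i) + blk + bytes([TAIL])
            for i, blk in enumerate(blocks)]


def reassemble(frames):
    """Merge blocks that share the packet number announced by the first frame."""
    parts, packet_no, count = {}, None, None
    for f in frames:
        if len(f) < HDR.size + 1 or f[0] != HEAD or f[-1] != TAIL:
            raise ValueError("bad frame markers")
        _, pno, cnt, idx = HDR.unpack_from(f)
        if packet_no is None:
            packet_no, count = pno, cnt
        if (pno, cnt) != (packet_no, count):
            raise ValueError("frame belongs to another packet")
        if idx >= count or idx in parts:
            raise ValueError("block index out of range or duplicated")
        parts[idx] = f[HDR.size:-1]
    if count is None or len(parts) != count:
        raise ValueError("missing blocks")
    return b"".join(parts[i] for i in range(count))


def receive(frames, decrypt=lambda b: b):
    """Receiver side: merge -> decrypt -> CRC check -> (timestamp, original data)."""
    return parse_check_data(decrypt(reassemble(frames)))


if __name__ == "__main__":
    sample = bytes(range(63))                           # constructed command bytes
    packets = send(sample, 0x0102, 1450000000000)
    print(len(packets), receive(packets) == (1450000000000, sample))
```

Any frame that is tampered with, missing, duplicated or taken from a different packet number makes `receive` raise `ValueError`, so nothing is forwarded to the command handler.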
Security check operation steps:
Step 1: Generate the key of the data security processing module 103 by following the steps of the key generation process.
Step 2: Burn the main control program of the data security processing module 103 into the module.
Step 3: When the data security processing module 103 is powered on for the first time, it enters data sampling mode, in which it automatically records the module's command combinations and the time corresponding to each command combination.
Step 4: After sampling is complete, disconnect the power supply of the data security processing module 103; when it is powered on again it enters normal working mode. In this mode it first verifies the command data passing in both directions, and then verifies the plausibility of the command combination and the plausibility of the timing (where the timing error of a command combination should not exceed 20% milliseconds).
Step 5: If a plausibility anomaly occurs, the data security processing module 103 terminates service and records the time of the behavior and the data content for later investigation.
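One way to realize the sampling mode and the normal-mode check from the security check steps above, as an added example that is not code from the patent. It assumes that a "command combination" is an ordered pair of consecutive command codes, that its time is the interval between the two in milliseconds, and that the 20% tolerance is applied to the sampled minimum and maximum; the class and method names are hypothetical.

```python
TOLERANCE = 0.20   # 20% timing tolerance stated in the patent text


class PlausibilityGate:
    """Learns command pairs and their timing on first power-on, enforces them afterwards."""

    def __init__(self):
        self.sampling = True      # first power-on: data sampling mode
        self.terminated = False   # latched after the first anomaly
        self.known = set()        # command codes seen while sampling
        self.profile = {}         # (prev_cmd, cmd) -> (min_dt_ms, max_dt_ms)
        self.audit = []           # (t_ms, payload, reason) kept for later investigation
        self.last = None          # (cmd, t_ms) of the previous accepted command

    def power_cycle(self):
        """Power off and on again: leave sampling mode, enter normal working mode."""
        self.sampling = False
        self.last = None

    def violation(self, cmd, key, dt):
        """Return a reason string if the command is implausible, else None."""
        if cmd not in self.known or (key is not None and key not in self.profile):
            return "unknown command combination"
        if key is not None:
            lo, hi = self.profile[key]
            if not lo * (1 - TOLERANCE) <= dt <= hi * (1 + TOLERANCE):
                return "timing outside tolerance"
        return None

    def submit(self, cmd, payload, t_ms):
        """Return True if the command may be forwarded to the hardware command master."""
        if self.terminated:
            return False
        key = (self.last[0], cmd) if self.last else None
        dt = t_ms - self.last[1] if self.last else None
        if self.sampling:
            self.known.add(cmd)
            if key is not None:
                lo, hi = self.profile.get(key, (dt, dt))
                self.profile[key] = (min(lo, dt), max(hi, dt))
        else:
            reason = self.violation(cmd, key, dt)
            if reason:
                self.terminated = True                  # terminate service
                self.audit.append((t_ms, payload, reason))
                return False
        self.last = (cmd, t_ms)
        return True


if __name__ == "__main__":
    gate = PlausibilityGate()
    # Constructed sampling trace: (command code, arrival time in ms)
    for code, t in [(0x10, 0), (0x20, 100), (0x30, 400)]:
        gate.submit(code, b"", t)
    gate.power_cycle()
    print(gate.submit(0x10, b"", 5000), gate.submit(0x30, b"", 5100), gate.audit)
```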
The above mainly describes a secure communication method for self-service terminal device hardware. A secure communication apparatus for self-service terminal device hardware is described in detail below. Referring to FIG. 5, one embodiment of the secure communication apparatus for self-service terminal device hardware in the embodiments of the present invention includes:
a local end A5 and a peer end B5;
The local end A5 includes:
an original data obtaining module 501, configured to obtain the original data that needs to be sent;
an encryption module 502, configured to encrypt the original data to obtain encrypted data;
a random splitting module 503, configured to generate a random number and split the encrypted data into data blocks according to the random number;
a data packet module 504, configured to package the data blocks one by one to generate the corresponding data packets;
a transmission module 505, configured to transmit the data packets to the peer end B5;
The peer end B5 includes:
a parsing and merging module 506, configured to parse and merge the data packets to obtain the encrypted data;
a decryption module 507, configured to decrypt the encrypted data to obtain the original data.
In this embodiment, the original data obtaining module 501 first obtains the original data that needs to be sent, and the encryption module 502 encrypts the original data to obtain encrypted data. The random splitting module 503 then generates a random number and splits the encrypted data into data blocks according to that random number, and the data packet module 504 packages the data blocks one by one to generate the corresponding data packets. Next, the transmission module 505 transmits the data packets to the peer end B5. After the peer end B5 receives the data packets, the parsing and merging module 506 parses and merges them to obtain the encrypted data, and finally the decryption module 507 decrypts the encrypted data to obtain the original data. In this embodiment, the secure communication apparatus for self-service terminal device hardware is implemented inside the local host of the self-service terminal and needs no network-based verification; random packetization improves the security of the communication and guards against criminals committing financial crime by using software to simulate device hardware communicating with the host.
For ease of understanding, a secure communication apparatus for self-service terminal device hardware in the embodiments of the present invention is described in detail below. Referring to FIG. 6, another embodiment of the secure communication apparatus for self-service terminal device hardware in the embodiments of the present invention includes:
a local end A6 and a peer end B6;
The local end A6 includes:
an original data obtaining module 601, configured to obtain the original data that needs to be sent;
an encryption module 602, configured to encrypt the original data to obtain encrypted data;
a random splitting module 603, configured to generate a random number and split the encrypted data into data blocks according to the random number;
a data packet module 604, configured to package the data blocks one by one to generate the corresponding data packets;
a transmission module 605, configured to transmit the data packets to the peer end B6;
The peer end B6 includes:
a parsing and merging module 606, configured to parse and merge the data packets to obtain the encrypted data;
a decryption module 607, configured to decrypt the encrypted data to obtain the original data.
In this embodiment, the random splitting module 603 may include:
a random number generating unit 6031, configured to generate a random number within a preset range;
a data splitting unit 6032, configured to split the encrypted data into that random number of data blocks.
In this embodiment, the secure communication apparatus may further include:
a key generation module 608, configured to generate in advance a pair of asymmetric keys, comprising a public key and a private key;
a public key import module 609, configured to import the public key into the peer end B6 in advance;
The private key is used to encrypt the original data, and the public key is used to decrypt the encrypted data.
In this embodiment, the encryption module 602 may include:
a first merging unit 6021, configured to merge the original data and the corresponding time information into a data body;
a first check operation unit 6022, configured to perform a check operation on the data body to obtain a first operation result;
a second merging unit 6023, configured to merge the data body and the first operation result to obtain a check data body;
an encryption unit 6024, configured to encrypt the check data body to obtain encrypted data;
The decryption module 607 includes:
a decryption unit 6071, configured to decrypt the encrypted data to obtain a check data body to be tested;
a second check operation unit 6072, configured to obtain the data body in the check data body to be tested and perform a check operation on the obtained data body to obtain a second operation result;
a checking unit 6073, configured to check whether the second operation result matches the first operation result in the check data body to be tested;
a data obtaining unit 6074, configured to obtain the original data in the data body when the check result of the checking unit 6073 is yes.
In this embodiment, the peer end B6 further includes:
a plausibility check module 610, configured to perform a data plausibility check on the original data;
an operation module 611, configured to operate according to the original data when the check by the plausibility check module 610 passes.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, and other media capable of storing program code.
As stated above, the foregoing embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

  1. A secure communication method for self-service terminal device hardware, applied to communication between a host of the self-service terminal and the device hardware, characterized by comprising:
    a local end obtaining original data that needs to be sent;
    the local end encrypting the original data to obtain encrypted data;
    the local end generating a random number and splitting the encrypted data into data blocks according to the random number;
    the local end packaging the data blocks one by one to generate corresponding data packets;
    the local end transmitting the data packets to a peer end, so that the peer end parses and merges the data packets to obtain the encrypted data, and the peer end then decrypts the encrypted data to obtain the original data.
  2. The secure communication method according to claim 1, characterized in that the local end generating a random number and splitting the encrypted data into data blocks according to the random number comprises:
    the local end generating a random number within a preset range;
    the local end splitting the encrypted data into that random number of data blocks.
  3. The secure communication method according to claim 1, characterized in that the secure communication method further comprises: the local end generating in advance a pair of asymmetric keys, comprising a public key and a private key, and importing the public key into the peer end in advance;
    the private key is used to encrypt the original data, and the public key is used to decrypt the encrypted data.
  4. The secure communication method according to claim 1, characterized in that the local end encrypting the original data to obtain encrypted data specifically comprises:
    the local end merging the original data and corresponding time information into a data body;
    the local end performing a check operation on the data body to obtain a first operation result;
    the local end merging the data body and the first operation result to obtain a check data body;
    the local end encrypting the check data body to obtain encrypted data;
    the peer end decrypting the encrypted data to obtain the original data specifically comprises:
    the peer end decrypting the encrypted data to obtain a check data body to be tested;
    the peer end obtaining the data body in the check data body to be tested and performing a check operation on the obtained data body to obtain a second operation result;
    the peer end checking whether the second operation result matches the first operation result in the check data body to be tested and, if they match, obtaining the original data in the data body.
  5. The secure communication method according to claim 4, characterized in that, after the peer end obtains the original data, the method further comprises:
    the peer end performing a data plausibility check on the original data and, if the check passes, the peer end operating according to the original data.
  6. A secure communication apparatus for self-service terminal device hardware, applied to communication between a host of the self-service terminal and the device hardware, characterized by comprising a local end and a peer end, the local end comprising:
    an original data obtaining module, configured to obtain original data that needs to be sent;
    an encryption module, configured to encrypt the original data to obtain encrypted data;
    a random splitting module, configured to generate a random number and split the encrypted data into data blocks according to the random number;
    a data packet module, configured to package the data blocks one by one to generate corresponding data packets;
    a transmission module, configured to transmit the data packets to the peer end;
    the peer end comprising:
    a parsing and merging module, configured to parse and merge the data packets to obtain the encrypted data;
    a decryption module, configured to decrypt the encrypted data to obtain the original data.
  7. The secure communication apparatus according to claim 6, characterized in that the random splitting module comprises:
    a random number generating unit, configured to generate a random number within a preset range;
    a data splitting unit, configured to split the encrypted data into that random number of data blocks.
  8. The secure communication apparatus according to claim 6, characterized in that the secure communication apparatus further comprises:
    a key generation module, configured to generate in advance a pair of asymmetric keys, comprising a public key and a private key;
    a public key import module, configured to import the public key into the peer end in advance;
    the private key is used to encrypt the original data, and the public key is used to decrypt the encrypted data.
  9. The secure communication apparatus according to claim 6, characterized in that the encryption module comprises:
    a first merging unit, configured to merge the original data and corresponding time information into a data body;
    a first check operation unit, configured to perform a check operation on the data body to obtain a first operation result;
    a second merging unit, configured to merge the data body and the first operation result to obtain a check data body;
    an encryption unit, configured to encrypt the check data body to obtain encrypted data;
    the decryption module comprises:
    a decryption unit, configured to decrypt the encrypted data to obtain a check data body to be tested;
    a second check operation unit, configured to obtain the data body in the check data body to be tested and perform a check operation on the obtained data body to obtain a second operation result;
    a checking unit, configured to check whether the second operation result matches the first operation result in the check data body to be tested;
    a data obtaining unit, configured to obtain the original data in the data body when the check result of the checking unit is yes.
  10. The secure communication apparatus according to claim 9, characterized in that the peer end further comprises:
    a plausibility check module, configured to perform a data plausibility check on the original data;
    an operation module, configured to operate according to the original data when the check by the plausibility check module passes.
PCT/CN2016/077252 2015-12-22 2016-03-24 Secure communication method and apparatus for self-service terminal device hardware WO2017107328A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510981728.1A CN105574445B (en) 2015-12-22 2015-12-22 A kind of safety communicating method and device of self-help terminal equipment hardware
CN201510981728.1 2015-12-22

Publications (1)

Publication Number Publication Date
WO2017107328A1 true WO2017107328A1 (en) 2017-06-29

Family

ID=55884558

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/077252 WO2017107328A1 (en) 2015-12-22 2016-03-24 Secure communication method and apparatus for self-service terminal device hardware

Country Status (2)

Country Link
CN (1) CN105574445B (en)
WO (1) WO2017107328A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113993000A (en) * 2021-09-07 2022-01-28 朱磊 Transmission method, operation system and transmission equipment for field monitoring data
CN114124416A (en) * 2020-08-24 2022-03-01 中国航天系统工程有限公司 System and method for quickly exchanging data between networks
CN115996120A (en) * 2023-03-22 2023-04-21 江西经济管理干部学院 Computer data encryption and decryption method and system based on mobile storage device

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107908404A (en) * 2017-11-17 2018-04-13 深圳市泉眼网络科技有限公司 program packaging method, system and terminal device
CN108768930A (en) * 2018-04-09 2018-11-06 华北水利水电大学 A kind of encrypted transmission method of data
CN111654511A (en) * 2020-07-13 2020-09-11 中国银行股份有限公司 Chained data encryption method, chained data decryption method and corresponding systems
CN112307493B (en) * 2020-10-15 2024-02-09 上海东方投资监理有限公司 Project settlement data review sending method, system, terminal equipment and storage medium
CN113382021B (en) * 2021-08-11 2021-10-29 北京开科唯识技术股份有限公司 Financial data processing method
CN114125941B (en) * 2021-11-19 2023-08-29 深圳市欧瑞博科技股份有限公司 Data packetizing method and device, electronic equipment and storage medium
CN113938270A (en) * 2021-12-17 2022-01-14 北京华云安信息技术有限公司 Data encryption method and device capable of flexibly reducing complexity

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102135944A (en) * 2011-03-24 2011-07-27 深圳市华信安创科技有限公司 Method for safe data storage in mobile communication equipment
CN102332981A (en) * 2011-10-12 2012-01-25 深圳市沃达通实业有限公司 Three-layer key encryption method and bank transaction system
US20120036355A1 (en) * 2010-08-09 2012-02-09 Korea Electric Power Corporation Method and system for encrypting and decrypting transaction in power network
CN102932349A (en) * 2012-10-31 2013-02-13 成都主导软件技术有限公司 Data transmission method, device and system
CN104408834A (en) * 2014-12-05 2015-03-11 湖南长城信息金融设备有限责任公司 Method and system for controlling depositing and withdrawing safety based on safety core

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8100323B1 (en) * 2002-12-26 2012-01-24 Diebold Self-Service Systems Division Of Diebold, Incorporated Apparatus and method for verifying components of an ATM


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124416A (en) * 2020-08-24 2022-03-01 中国航天系统工程有限公司 System and method for quickly exchanging data between networks
CN114124416B (en) * 2020-08-24 2024-03-08 中国航天系统工程有限公司 System and method for quickly exchanging data between networks
CN113993000A (en) * 2021-09-07 2022-01-28 朱磊 Transmission method, operation system and transmission equipment for field monitoring data
CN113993000B (en) * 2021-09-07 2024-04-02 上海叁零肆零科技有限公司 Transmission method, operation system and transmission equipment for field monitoring data
CN115996120A (en) * 2023-03-22 2023-04-21 江西经济管理干部学院 Computer data encryption and decryption method and system based on mobile storage device
CN115996120B (en) * 2023-03-22 2023-09-29 江西经济管理干部学院 Computer data encryption and decryption method and system based on mobile storage device

Also Published As

Publication number Publication date
CN105574445B (en) 2018-08-31
CN105574445A (en) 2016-05-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16877142

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16877142

Country of ref document: EP

Kind code of ref document: A1