WO2017206698A1 - Device management method and system based on active template library (atl), and financial self-service device - Google Patents

Info

Publication number
WO2017206698A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
device management
service process
management service
layer application
Application number
PCT/CN2017/084062
Other languages
French (fr)
Chinese (zh)
Inventor
伍鹏辉
熊飞
陈明宇
梁建明
张雲瑞
罗忠明
Original Assignee
广州广电运通金融电子股份有限公司
Application filed by 广州广电运通金融电子股份有限公司
Publication of WO2017206698A1

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F19/00 Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20 Automatic teller machines [ATMs]
    • G07F19/209 Monitoring, auditing or diagnose of functioning of ATMs
    • G07F19/211 Software architecture within ATMs or in relation to the ATM network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Definitions

  • the present invention relates to the field of financial self-service devices, and in particular, to an ATL (Active Template Library)-based device management method, system, and financial self-service device.
  • ATL: Active Template Library.
  • the automatic teller machine, also known as ATM, is a highly sophisticated mechatronic device that uses a magnetic code card or smart card to provide self-service financial transactions, replacing the work of bank counter staff.
  • the existing ATM machine management system cannot realize resource sharing of hardware devices, and two or more upper layer applications cannot access the same hardware device at the same time.
  • for example, when application APP1 opens hardware device A, application APP2 can no longer open or access device A; only after APP1 disconnects from device A can APP2 access it, which wastes device resources and prevents resource sharing.
  • the hardware devices are not uniformly managed, so that any application APP can freely access the hardware devices, which poses a security risk and may cause some malicious programs to access the hardware devices.
  • the embodiment of the invention provides an ATL-based device management method, system and financial self-service device, which can solve the problem that the existing ATM machine management system cannot realize hardware device resource sharing.
  • the communication connection between the upper application and the hardware device is established in the same device management service process according to the priority order;
  • the lower-priority upper-layer application is used as a monitoring program to monitor communication between the current higher-priority upper-layer application and the hardware device.
  • it also includes:
  • the priority order is determined by a preset priority of an upper application.
  • the method further includes: performing encryption processing on the upper layer application in advance, specifically:
  • performing authorization verification on the upper layer application specifically includes:
  • the authorization verification fails.
  • An application authorization module configured to perform authorization verification on the upper application after receiving a communication connection request between the upper application and the hardware device;
  • a priority communication connection module configured to establish, if the authorization verification is passed, a communication connection between the upper application and the hardware device in the same device management service process according to the priority order;
  • the communication monitoring module is configured to use, in the same device management service process, a lower-priority upper-layer application as a monitoring program to monitor communication between the current higher-priority upper-layer application and the hardware device.
  • it also includes:
  • a connection rejection module configured to reject the communication connection request if the authorization verification fails.
  • a pre-encryption module is further included, configured to perform encryption processing on the upper layer application in advance;
  • the pre-encryption module specifically includes:
  • a public key sending unit configured to send a public key in a key pair generated by an upper layer application to a device management service process
  • an encryption unit configured to encrypt the file feature code of the upper application by using a private key in the key pair to generate encrypted information.
  • the application authorization module includes:
  • a public key obtaining unit configured to acquire, from the device management service, a public key corresponding to the upper layer application
  • a decryption unit configured to decrypt the encrypted information of the upper application by using the obtained public key to obtain a feature information code
  • the comparison unit is configured to compare the feature information code with the file feature code of the upper application; if they are the same, the authorization verification passes, and if not, it fails.
  • a financial self-service device provided by an embodiment of the present invention includes the device management system described above.
  • after receiving a communication connection request between the upper layer application and the hardware device, authorization verification is performed on the upper layer application; if the verification passes, a communication connection between the upper layer application and the hardware device is established in the same device management service process according to the priority order; and in the same device management service process, the lower-priority upper layer application is used as a monitoring program to monitor communication between the current higher-priority upper layer application and the hardware device.
  • two or more upper-layer applications may thus establish communication connections with the hardware device in the same device management service process according to the priority order, and the communication between the higher-priority upper-layer application and the hardware device
  • can be monitored by the lower-priority upper-layer application, so that two or more upper-layer applications share the same hardware device through the same device management service process, avoiding waste of device resources.
  • the hardware devices are uniformly managed, and any application accessing the hardware devices requires authorization verification, which improves the security performance of the devices.
  • FIG. 1 is a flowchart of an embodiment of an ATL-based device management method according to an embodiment of the present invention
  • FIG. 2 is a flowchart of another embodiment of an ATL-based device management method according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of generating an encryption information of an ATL-based device management method according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of a decryption authorization process of an ATL-based device management method according to an embodiment of the present invention
  • FIG. 5 is a structural diagram of a system framework in an application scenario of an ATL-based device management method according to an embodiment of the present invention
  • FIG. 6 is a structural diagram of a system framework in another application scenario of an ATL-based device management method according to an embodiment of the present invention.
  • FIG. 7 is a structural diagram of an embodiment of an ATL-based device management system according to an embodiment of the present invention.
  • FIG. 8 is a structural diagram of another embodiment of an ATL-based device management system according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of operation steps of a financial self-service device adopting an ATL-based device management method according to an embodiment of the present invention.
  • the embodiments of the present invention provide an ATL-based device management method, system, and financial self-service device, which are used to solve the problem that the existing ATM machine management system cannot implement hardware device resource sharing.
  • an embodiment of an ATL-based device management method according to an embodiment of the present invention includes:
  • A101 After receiving the communication connection request of the upper application and the hardware device, performing authorization verification on the upper application;
  • the priority order is determined by the preset priority of the upper application.
  • the lower-priority upper-layer application is used as a monitoring program to monitor communication between the current higher-priority upper-layer application and the hardware device.
  • in this embodiment, after receiving the communication connection request between the upper application and the hardware device, authorization verification is performed on the upper application; if the authorization verification is passed, the communication connection between the upper layer application and the hardware device is established in the same device management service process
  • according to the priority order; and in the same device management service process, the lower-priority upper layer application is used as the monitoring program to monitor communication between the current higher-priority upper layer application and the hardware device.
  • as shown in FIG. 2, another embodiment of an ATL-based device management method in the embodiment of the present invention includes:
  • A201 After receiving the communication connection request between the upper application and the hardware device, obtain the public key corresponding to the upper application from the device management service;
  • the public key corresponding to the upper layer application may be obtained from the device management service.
  • the upper layer application may be encrypted in advance, including:
  • the file feature code K of the upper layer application is encrypted by using the private key B in the key pair to generate the encrypted information K1.
  • the encryption process is:
  • A202 Decrypt the encrypted information of the upper application by using the obtained public key to obtain a feature information code.
  • the public key corresponding to the upper application that initiated the request may be obtained from the public key list, and the obtained public key is then used to decrypt the encrypted information of the upper application
  • to obtain a feature information code.
  • A203 Compare the feature information code with the file feature code of the upper application; if they are the same, perform step A204, otherwise perform step A206;
  • steps A201 to A203 are decryption authorization verification processes for the upper layer application, and the process corresponds to the encryption process.
  • the decryption authorization process is:
  • the communication connection between the upper application and the hardware device may be established in the same device management service process according to the priority order, which is determined by the preset priority of the upper application.
  • the ATL-based device management method in this embodiment is mainly based on ATL, which is used to generate an out-of-process (executable) COM service program.
  • the service can realize unified management of hardware device communication, and the upper layer application accesses the hardware device by obtaining authorization of the device management service process.
  • A205 In the same device management service process, use a lower-priority upper-layer application as a monitoring program to monitor communication between the current higher-priority upper-layer application and the hardware device;
  • the upper-layer application with lower priority can be used as a monitoring program to monitor communication between the upper-layer application with higher priority and the hardware device in the same device management service process.
  • the ATL-based device management method of the present invention is described below through specific application scenarios.
  • the relationship between the upper layer applications, the device management service process and the hardware devices is shown in FIG. 5: the device management service process 204 is communicatively connected to each upper layer application (upper layer application 201, upper layer application 202, upper layer application 203, etc.) and is also connected to the hardware devices (device 211, device 212, device 213, etc.) through serial ports (serial port 205, serial port 206, serial port 207, etc.) or USB interfaces (USB 208, USB 209, USB 210, etc.); the working principle is as follows:
  • an upper layer application connects to a hardware device normally: upper layer application 201 sends a request to the device management service process 204 for a communication connection with device 211; the device management service process 204 reviews upper layer application 201 through the authorization module, and after the review passes it permits
  • upper layer application 201 to communicate with device 211;
  • Both the upper-layer application 202 and the upper-layer application 203 send a request to the device management service process 204 to perform a communication connection with the device 212.
  • the device management service process 204 reviews upper layer application 202 and upper layer application 203 through the authorization module; after the review passes, upper layer application 202 and upper layer application 203 are ordered according to their preset priorities, and the higher-priority upper layer application 202 takes precedence.
  • the communication between the upper-layer application 202 and the device 212 is monitored by the device management service process 204.
  • the upper-layer application 203 is used as a monitoring program to monitor the communication between the upper-layer application 202 and the device 212. Both the upper layer application 202 and the upper layer application 203 can share the access device 212 through the device management service process 204;
  • an upper-layer application is unauthorized:
  • the upper-layer application 200 sends a request to the device management service process 204 to perform a communication connection with the device 213.
  • the device management service process 204 performs an authorization review on the upper-layer application 200 through the authorization module, and the audit result does not meet the requirements.
  • the device management service process 204 blocks communication between the upper application 200 and the device 213.
  • the ATL-based device management method can also enable an upper-layer application to access a specified USB device, and enable several upper-layer applications to access specified USB devices of the same type at the same time.
  • the device management service process 304 is communicatively connected to each upper-layer application (upper layer application 301, upper layer application 302 and upper layer application 303), and is also connected to hardware devices of the same type (device 308, device 309 and device 310) through USB interfaces (USB port 305, USB port 306 and USB port 307); its working principle is as follows:
  • an upper layer application accesses a specified USB device: one machine is connected to three identical hardware devices 308, 309 and 310 of the same model with the same hardware parameter information, and upper layer application 302 can access, through the device management service process 304, the USB device 309 of that model on the specified USB port 306. The upper layer application therefore accesses a specified hardware device, and the uncertainty caused by upper layer applications accessing hardware devices at random is avoided.
  • several upper-layer applications simultaneously access specified USB hardware devices of the same type: one machine is connected to three identical USB hardware devices 308, 309 and 310 of the same model with the same hardware parameter information; upper-layer application 301 can access, through the device management service process 304, the USB hardware device 310 connected to the specified USB port 307, and upper layer application 303 can access the USB hardware device 308 connected to the specified USB port 305 through the device management service process 304. Several upper-layer applications can therefore access the same kind of hardware device at the same time (same hardware parameters, different interfaces), avoiding waste of resources.
  • the operation steps of the financial self-service device adopting the ATL-based device management method are as follows:
  • the device is automatically connected according to the communication configuration to prevent other services or applications from using the device port.
  • the device management service process waits for a connection request of the upper application driver device
  • the upper application sends a request to connect the hardware device
  • the device management service process searches for the connected device port in the device pool, and binds the device connection information.
  • once the upper layer application passes authorization verification, a communication channel with the hardware device is established; the device management service process monitors the authorized communication channel and generates a monitoring record;
  • regardless of whether the upper application is authorized, after the request has been processed, return to step C and continue waiting.
  • an ATL-based device management system in the embodiment of the present invention includes:
  • the application authorization module 701 is configured to perform authorization verification on the upper layer application after receiving the communication connection request of the upper layer application and the hardware device;
  • the priority communication connection module 702 is configured to establish, if the authorization verification is passed, a communication connection between the upper application program and the hardware device in the same device management service process according to the priority order;
  • the communication monitoring module 703 is configured to use, in the same device management service process, a lower-priority upper-layer application as a monitoring program to monitor communication between the current higher-priority upper-layer application and the hardware device.
  • as shown in FIG. 8, another embodiment of an ATL-based device management system in the embodiment of the present invention includes:
  • the application authorization module 801 is configured to perform authorization verification on the upper layer application after receiving the communication connection request of the upper layer application and the hardware device;
  • the priority communication connection module 802 is configured to establish a communication connection between the upper layer application and the hardware device in the same device management service process according to the priority order, where the priority order is determined by the preset priority of the upper layer application;
  • the communication monitoring module 803 is configured to use, in the same device management service process, a lower-priority upper-layer application as a monitoring program to monitor communication between the current higher-priority upper-layer application and the hardware device.
  • the device management system may further include:
  • the connection rejection module 804 is configured to reject the communication connection request if the authorization verification fails.
  • the device management system may further include a pre-encryption module 805, configured to perform encryption processing on the upper layer application in advance;
  • the pre-encryption module 805 specifically includes:
  • a public key sending unit 8051 configured to send a public key in a key pair generated by an upper layer application to a device management service process
  • the encryption unit 8052 is configured to encrypt the file feature code of the upper application by using a private key in the key pair to generate encrypted information.
  • the application authorization module 801 can include:
  • the public key obtaining unit 8011 is configured to obtain, from the device management service, a public key corresponding to the upper layer application;
  • the decrypting unit 8012 is configured to decrypt the encrypted information of the upper layer application by using the obtained public key to obtain a feature information code.
  • the comparing unit 8013 is configured to compare the feature information code with the file feature code of the upper application, and if the same, the authorization verification passes, and if not, the authorization verification fails.
  • the present invention also discloses a financial self-service device, which includes any of the ATL-based device management systems described in the foregoing embodiments. Therefore, the financial self-service device includes, but is not limited to, the technical features and technical effects of the device management system.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another manner of division; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a portable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
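The pre-encryption step (public key sending unit and encryption unit), the decryption authorization steps A201 to A203, and the priority-ordered connection with lower-priority applications acting as monitors (A204, A205) are written out below as an added Python example; it is not code from the patent or its applicant. Assumptions: the file feature code is a SHA-256 digest of the application file, textbook RSA stands in for the public-key algorithm the patent leaves unspecified, the class, function and parameter names are invented for the illustration, and the example also covers the case where a higher-priority application requests a device after a lower-priority one is already connected.

```python
import hashlib
import random
from typing import Dict, List, Optional, Tuple

# Toy textbook RSA so the "encrypt with the private key / decrypt with the public key" steps
# run offline; a production service would use a padded signature scheme from a vetted library.
PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(candidate, rng):
            return candidate

def generate_key_pair(bits: int = 512, seed: Optional[int] = None) -> Tuple[PublicKey, PrivateKey]:
    """Key pair generated on the application side (the pre-encryption module)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def file_feature_code(app_file: bytes) -> int:
    """File feature code K. The patent does not fix the digest; SHA-256 is assumed here."""
    return int.from_bytes(hashlib.sha256(app_file).digest(), "big")

def encrypt_feature_code(k: int, private_key: PrivateKey) -> int:
    """K1 = K^d mod n: the 'encrypted information' that ships with the application."""
    d, n = private_key
    return pow(k, d, n)

def decrypt_feature_code(k1: int, public_key: PublicKey) -> int:
    """Recover the feature information code from K1 with the registered public key."""
    e, n = public_key
    return pow(k1, e, n)

class DeviceManagementService:
    """Single service process that owns every hardware device and arbitrates access to it."""

    def __init__(self) -> None:
        self._public_keys: Dict[str, PublicKey] = {}
        # device -> [(priority, app_name), ...], highest preset priority first
        self._channels: Dict[str, List[Tuple[int, str]]] = {}
        self.monitoring_records: List[str] = []

    def register_public_key(self, app_name: str, public_key: PublicKey) -> None:
        """Public key sending unit: the application registers its public key in advance."""
        self._public_keys[app_name] = public_key

    def authorize(self, app_name: str, app_file: bytes, encrypted_info: int) -> bool:
        """Steps A201-A203: look up the key, decrypt K1, compare with K computed from the file."""
        public_key = self._public_keys.get(app_name)
        if public_key is None:
            return False
        recovered = decrypt_feature_code(encrypted_info, public_key)
        # K is derived from the application file itself, never taken from the requester.
        return recovered == file_feature_code(app_file)

    def request_connection(self, app_name: str, app_file: bytes, encrypted_info: int,
                           device: str, priority: int) -> str:
        """Returns 'rejected' (A206), 'connected' (A204) or 'monitoring' (A205)."""
        if self.authorize(app_name, app_file, encrypted_info):
            channel = self._channels.setdefault(device, [])
            channel.append((priority, app_name))
            channel.sort(key=lambda entry: -entry[0])  # stable: equal priority keeps arrival order
            role = "connected" if channel[0][1] == app_name else "monitoring"
        else:
            role = "rejected"
        self.monitoring_records.append(f"{device}: {app_name} {role}")
        return role

    def channel_roles(self, device: str) -> List[Tuple[str, str]]:
        """(app_name, role) for every application attached to the device; a later, higher-priority
        requester becomes the active talker and earlier ones drop to monitoring."""
        channel = self._channels.get(device, [])
        return [(name, "connected" if i == 0 else "monitoring") for i, (_, name) in enumerate(channel)]
```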

Abstract

A device management method and system based on an active template library (ATL), and a financial self-service device, for solving the problem that hardware device resources in existing ATM management systems cannot be shared. The method comprises: after receiving a communication connection request from an upper application for a hardware device, authorizing and verifying the upper application (A101); if the upper application passes the authorization and verification, establishing a communication connection between the upper application and a hardware device in order of priority, in the same single device management service process (A102); and in the same single device management service process, using an upper application with lower priority as a monitoring program, to monitor the communication between the current upper application with higher priority and the hardware device (A103). By means of the invention, two or more upper applications can share and access the same single hardware device by means of the same single device management service process, avoiding wasting device resources.

Description

基于ATL的设备管理方法、系统和金融自助设备ATL-based device management method, system and financial self-service device
本申请要求于2016年05月30日提交中国专利局、申请号为201610375226.9、发明名称为“基于ATL的设备管理方法、系统和金融自助设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to Chinese Patent Application No. 201610375226.9, entitled "ATL-based Equipment Management Method, System and Financial Self-Service Equipment", filed on May 30, 2016, the entire contents of which are hereby incorporated by reference. Combined in this application.
技术领域Technical field
本发明涉及金融自助设备领域,尤其涉及基于ATL(Active Template Library)的设备管理方法、系统和金融自助设备。The present invention relates to the field of financial self-service devices, and in particular, to an ATL (Active Template Library)-based device management method, system, and financial self-service device.
背景技术Background technique
自动取款机又称ATM,是一种高度精密的机电一体化装置,利用磁性代码卡或智能卡实现金融交易的自助服务,代替银行柜面人员的工作。The ATM, also known as ATM, is a highly sophisticated mechatronic device that uses a magnetic code card or smart card to implement self-service for financial transactions, replacing the work of bank counter personnel.
现有的ATM机管理系统无法实现硬件设备的资源共享,两个或多个上层应用程序不能同时访问同一个硬件设备。例如,应用程序APP1打开硬件设备A,这时应用程序APP2不能再打开或访问硬件设备A,必须等待应用程序APP1与设备A断开连接后,应用程序APP2才能访问硬件设备A,从而造成设备资源的浪费,不能实现资源共享。另外,硬件设备没有得到统一管理,以致任何应用程序APP都可以自由地访问硬件设备,存在安全风险,有可能导致某些恶意程序访问硬件设备。The existing ATM machine management system cannot realize resource sharing of hardware devices, and two or more upper layer applications cannot access the same hardware device at the same time. For example, the application APP1 opens the hardware device A, and the application APP2 can no longer open or access the hardware device A. After the application APP1 is disconnected from the device A, the application APP2 can access the hardware device A, thereby causing device resources. Waste, can not achieve resource sharing. In addition, the hardware devices are not uniformly managed, so that any application APP can freely access the hardware devices, which poses a security risk and may cause some malicious programs to access the hardware devices.
发明内容Summary of the invention
本发明实施例提供了基于ATL的设备管理方法、系统和金融自助设备,能够解决现有ATM机管理系统无法实现硬件设备资源共享的问题。The embodiment of the invention provides an ATL-based device management method, system and financial self-service device, which can solve the problem that the existing ATM machine management system cannot realize hardware device resource sharing.
An ATL-based device management method provided by an embodiment of the present invention includes:
after receiving a request from an upper-layer application for a communication connection with a hardware device, performing authorization verification on the upper-layer application;
if the authorization verification passes, establishing the communication connection between the upper-layer application and the hardware device within the same device management service process, in priority order;
within the same device management service process, using the lower-priority upper-layer application as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device.
Optionally, the method further includes:
if the authorization verification fails, rejecting the communication connection request.
Optionally, the priority order is determined by the preset priorities of the upper-layer applications.
Optionally, the method further includes encrypting the upper-layer application in advance, which specifically includes:
sending the public key of a key pair generated by the upper-layer application to the device management service process;
encrypting the file feature code of the upper-layer application with the private key of the key pair to generate encrypted information.
Optionally, performing authorization verification on the upper-layer application specifically includes:
obtaining the public key corresponding to the upper-layer application from the device management service process;
decrypting the encrypted information of the upper-layer application with the obtained public key to obtain a feature information code;
comparing the feature information code with the file feature code of the upper-layer application: if they are identical, the authorization verification passes; if they differ, the authorization verification fails.
An ATL-based device management system provided by an embodiment of the present invention includes:
an application authorization module, configured to perform authorization verification on an upper-layer application after receiving a request for a communication connection between the upper-layer application and a hardware device;
a priority communication connection module, configured to establish, if the authorization verification passes, the communication connection between the upper-layer application and the hardware device within the same device management service process, in priority order;
a communication monitoring module, configured to use, within the same device management service process, the lower-priority upper-layer application as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device.
Optionally, the system further includes:
a connection rejection module, configured to reject the communication connection request if the authorization verification fails.
Optionally, the system further includes a pre-encryption module, configured to encrypt the upper-layer application in advance;
the pre-encryption module specifically includes:
a public key sending unit, configured to send the public key of a key pair generated by the upper-layer application to the device management service process;
an encryption unit, configured to encrypt the file feature code of the upper-layer application with the private key of the key pair to generate encrypted information.
Optionally, the application authorization module includes:
a public key obtaining unit, configured to obtain the public key corresponding to the upper-layer application from the device management service process;
a decryption unit, configured to decrypt the encrypted information of the upper-layer application with the obtained public key to obtain a feature information code;
a comparison unit, configured to compare the feature information code with the file feature code of the upper-layer application: if they are identical, the authorization verification passes; if they differ, the authorization verification fails.
A financial self-service device provided by an embodiment of the present invention includes the device management system described above.
It can be seen from the above technical solutions that the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, after a request for a communication connection between an upper-layer application and a hardware device is received, authorization verification is performed on the upper-layer application; if it passes, the communication connection between the upper-layer application and the hardware device is established within the same device management service process in priority order; and within that process the lower-priority upper-layer application is used as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device. Two or more upper-layer applications can therefore establish communication connections with a hardware device within the same device management service process according to their priority order, and while the higher-priority application communicates with the device the lower-priority application can monitor that communication, so that two or more upper-layer applications share access to the same hardware device through one device management service process and device resources are not wasted. At the same time, the hardware devices are managed in a unified way: any application that accesses a hardware device must pass authorization verification, which improves the security of the device.
Brief description of the drawings
FIG. 1 is a flowchart of one embodiment of the ATL-based device management method in an embodiment of the present invention;
FIG. 2 is a flowchart of another embodiment of the ATL-based device management method in an embodiment of the present invention;
FIG. 3 is a schematic diagram of how the encrypted information is generated in the ATL-based device management method in an embodiment of the present invention;
FIG. 4 is a schematic diagram of the decryption and authorization process of the ATL-based device management method in an embodiment of the present invention;
FIG. 5 is a system framework diagram for one application scenario of the ATL-based device management method in an embodiment of the present invention;
FIG. 6 is a system framework diagram for another application scenario of the ATL-based device management method in an embodiment of the present invention;
FIG. 7 is a structural diagram of one embodiment of the ATL-based device management system in an embodiment of the present invention;
FIG. 8 is a structural diagram of another embodiment of the ATL-based device management system in an embodiment of the present invention;
FIG. 9 is a flowchart of the operation steps of a financial self-service device that adopts the ATL-based device management method in an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide an ATL-based device management method and system and a financial self-service device for solving the problem that existing ATM management systems cannot share hardware device resources.
To make the objects, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to FIG. 1, one embodiment of the ATL-based device management method in an embodiment of the present invention includes:
A101. After receiving a request for a communication connection between an upper-layer application and a hardware device, perform authorization verification on the upper-layer application;
A102. If the authorization verification passes, establish the communication connection between the upper-layer application and the hardware device within the same device management service process, in priority order;
The priority order is determined by the preset priorities of the upper-layer applications.
A103. Within the same device management service process, use the lower-priority upper-layer application as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device.
In this embodiment, after a request for a communication connection between an upper-layer application and a hardware device is received, authorization verification is performed on the upper-layer application; if it passes, the communication connection between the upper-layer application and the hardware device is established within the same device management service process in priority order; and within that process the lower-priority upper-layer application is used as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device. Two or more upper-layer applications can therefore establish communication connections with a hardware device within the same device management service process according to their priority order, and while the higher-priority application communicates with the device the lower-priority application can monitor that communication, so that two or more upper-layer applications share access to the same hardware device through one device management service process and device resources are not wasted.
For ease of understanding, the ATL-based device management method in an embodiment of the present invention is described in detail below. Referring to FIG. 2, another embodiment of the ATL-based device management method in an embodiment of the present invention includes:
A201. After receiving a request for a communication connection between an upper-layer application and a hardware device, obtain the public key corresponding to the upper-layer application from the device management service process;
First, after the request for a communication connection between the upper-layer application and the hardware device is received, the public key corresponding to the upper-layer application can be obtained from the device management service process.
It should be noted that the upper-layer application can be encrypted in advance, which specifically includes:
1. Sending the public key A of the key pair (public key A and private key B) generated by the upper-layer application to the device management service process. To make the public keys easier to manage, the device management service process receives public key A from the upper-layer application, manages it, and can generate a public key list;
2. Encrypting the file feature code K of the upper-layer application with the private key B of the key pair to generate the encrypted information K1.
Specifically, for example, as shown in FIG. 3, the encryption process in one specific application scenario is:
S101: Load the upper-layer application app.exe;
S102: Extract the file feature code K from the upper-layer application app.exe;
S103: The upper-layer application generates the private key B;
S104: Encrypt the extracted file feature code K with private key B;
S105: Obtain the encrypted information K1 of the file feature code;
S106: Save the encrypted information K1 as the encrypted information file app.key.
A202. Decrypt the encrypted information of the upper-layer application with the obtained public key to obtain the feature information code;
When the request for a communication connection between the upper-layer application and the hardware device is received, the public key corresponding to the requesting upper-layer application can be obtained from the public key list, and the encrypted information of the upper-layer application can then be decrypted with that public key to obtain the feature information code.
A203. Compare the feature information code with the file feature code of the upper-layer application; if they are identical, perform step A204; if they differ, perform step A206;
After the feature information code is obtained, it can be compared with the file feature code of the upper-layer application: if they are identical, step A204 is performed; if they differ, step A206 is performed. It can be understood that steps A201 to A203 form the decryption and authorization verification process for the upper-layer application, which mirrors the encryption process. In one specific application scenario, as shown in FIG. 4, the decryption and authorization process is:
S201: Load the encrypted information file app.key;
S202: Obtain the encrypted information K1;
S203: Retrieve the public key A generated by the upper-layer application;
S204: Decrypt the encrypted information K1 with public key A;
S205: Obtain the decrypted feature information code K2;
S206: Load the upper-layer application app.exe;
S207: Extract the file feature code K of the upper-layer application app.exe;
S208: Determine whether K2 = K holds;
S209: If it does not hold, the device management service process does not authorize app.exe;
S210: If it holds, the device management service process authorizes app.exe.
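Steps S101 to S106 and S201 to S210 together describe a digital signature over the application's file feature code: "encrypting" K with private key B and "decrypting" the result with public key A to compare it against a freshly computed K is exactly what signature verification does. The Go program below is an added example, not code from the patent or the applicant; it assumes SHA-256 as the file feature code, RSA PKCS#1 v1.5 signatures, and an in-memory public key list keyed by application name.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FileFeatureCode derives the file feature code K from the application's bytes.
// The page does not say how K is computed; SHA-256 over the whole file is an
// assumption made for this example.
func FileFeatureCode(exe []byte) []byte {
	sum := sha256.Sum256(exe)
	return sum[:]
}

// GenerateAppKey performs S102 to S105: extract K and "encrypt" it with private
// key B. In modern terms this is an RSA PKCS#1 v1.5 signature over K; the bytes
// returned are the encrypted information K1 that S106 stores in app.key.
func GenerateAppKey(privB *rsa.PrivateKey, exe []byte) ([]byte, error) {
	k := FileFeatureCode(exe)
	return rsa.SignPKCS1v15(rand.Reader, privB, crypto.SHA256, k)
}

// AuthService holds the authorization state of the device management service
// process: the public key list built in step 1 (public key A per application).
type AuthService struct {
	publicKeys map[string]*rsa.PublicKey
}

func NewAuthService() *AuthService {
	return &AuthService{publicKeys: make(map[string]*rsa.PublicKey)}
}

// RegisterPublicKey is step 1: the upper-layer application sends public key A to
// the service, which files it in its public key list under the application name.
func (s *AuthService) RegisterPublicKey(app string, pubA *rsa.PublicKey) {
	s.publicKeys[app] = pubA
}

// Authorize runs S201 to S210 for a connection request from app: look up A
// (A201), "decrypt" K1 with A to recover K2 (S204, S205), recompute K from the
// loaded executable (S206, S207) and authorize only if K2 = K (S208 to S210).
func (s *AuthService) Authorize(app string, exe, appKey []byte) error {
	pubA, ok := s.publicKeys[app]
	if !ok {
		return errors.New(app + ": no public key in the service's list")
	}
	k := FileFeatureCode(exe)
	// VerifyPKCS1v15 recovers the digest carried in K1 and compares it with K;
	// any change to the file, the key or app.key makes the comparison fail.
	if err := rsa.VerifyPKCS1v15(pubA, crypto.SHA256, k, appKey); err != nil {
		return fmt.Errorf("%s: authorization refused: %w", app, err)
	}
	return nil
}

func main() {
	privB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the bytes of app.exe.
	appExe := []byte("constructed contents of app.exe")

	svc := NewAuthService()
	svc.RegisterPublicKey("app.exe", &privB.PublicKey) // step 1
	appKey, err := GenerateAppKey(privB, appExe)         // steps S101 to S106
	if err != nil {
		panic(err)
	}

	fmt.Println("genuine app.exe:  ", svc.Authorize("app.exe", appExe, appKey))
	// A modified binary paired with the original app.key fails the K2 = K check.
	tampered := append([]byte{}, appExe...)
	tampered[0] ^= 0xff
	fmt.Println("modified app.exe: ", svc.Authorize("app.exe", tampered, appKey))
	// An application with no public key on file is refused as well.
	fmt.Println("unregistered app: ", svc.Authorize("other.exe", appExe, appKey))
}
```

The check proves only that app.key was produced by the holder of the private key matching the public key on file, so because the page has the application itself generate the key pair and send public key A to the service, the strength of the scheme rests on who may add entries to that public key list. Restricting registration to provisioning time is what turns this integrity check into an authorization decision.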
A204. If the authorization verification passes, establish the communication connection between the upper-layer application and the hardware device within the same device management service process, in priority order;
If the authorization verification passes, the communication connection between the upper-layer application and the hardware device can be established within the same device management service process in priority order, the priority order being determined by the preset priorities of the upper-layer applications. It can be understood that the ATL-based device management method of this embodiment essentially uses ATL to generate an out-of-process COM server (an executable program) that provides unified management of communication with the hardware devices; an upper-layer application accesses a hardware device by obtaining authorization from the device management service process.
A205. Within the same device management service process, use the lower-priority upper-layer application as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device;
Within the same device management service process, the lower-priority upper-layer application can be used as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device.
A206. If the authorization verification fails, reject the communication connection request.
If the authorization verification fails, the requesting upper-layer application can be regarded as illegitimate, and the communication connection request is rejected.
For ease of understanding, the ATL-based device management method of the present invention is described below through specific application scenarios. Referring to FIG. 5, in one specific application scenario the relationship between the upper-layer applications, the device management service process and the hardware devices is as shown in FIG. 5: the device management service process has communication connections with the upper-layer applications (upper-layer applications 201, 202, 203 and so on) and is also connected to the serial ports (serial ports 205, 206, 207 and so on) or USB interfaces (USB 208, 209, 210 and so on) that connect to the hardware devices (devices 211, 212, 213 and so on). It works as follows:
1. An upper-layer application connects normally to a hardware device: upper-layer application 201 sends the device management service process 204 a request for a communication connection with device 211; the device management service process 204 checks upper-layer application 201 through its authorization module and, once the check passes, allows upper-layer application 201 to communicate with device 211;
2. Upper-layer applications share a device normally: upper-layer applications 202 and 203 both send the device management service process 204 requests for a communication connection with device 212. The device management service process 204 checks upper-layer applications 202 and 203 through its authorization module; once the checks pass, it ranks them according to their preset priorities. The higher-priority upper-layer application 202 connects to device 212 first, while the lower-priority upper-layer application 203 waits in the queue and, as a monitoring program, monitors the communication between upper-layer application 202 and device 212 through the device management service process 204. In this way both upper-layer application 202 and upper-layer application 203 share access to device 212 through the device management service process 204;
3. An upper-layer application is unauthorized: upper-layer application 200 sends the device management service process 204 a request for a communication connection with device 213; the device management service process 204 performs the authorization check on upper-layer application 200 through its authorization module, the result does not meet the requirements, and the device management service process 204 therefore blocks communication between upper-layer application 200 and device 213.
When several USB hardware devices of the same model with identical hardware parameter information are present, the ATL-based device management method allows upper-layer applications to access specified USB devices separately and at the same time. Referring to FIG. 6, in one specific application scenario the device management service process 304 has communication connections with the upper-layer applications (upper-layer applications 301, 302, 303) and is also connected to the identical-model USB interfaces (USB ports 305, 306, 307) that connect to the hardware devices (devices 308, 309, 310). It works as follows:
An upper-layer application accesses a specified USB device: a machine has three USB hardware devices 308, 309 and 310 of the same model with identical hardware parameter information connected; upper-layer application 302 can access, through the device management service process 304, the identical-model USB device 309 connected to the specified USB port 306. An upper-layer application thus accesses a specified hardware device, and upper-layer applications are prevented from accessing hardware devices at random, which would otherwise lead to uncertainty.
Several upper-layer applications access specified identical USB hardware devices at the same time: a machine has three USB hardware devices 308, 309 and 310 of the same model with identical hardware parameter information connected; upper-layer application 301 can access, through the device management service process 304, the USB hardware device 310 connected to the specified USB port 307, and at the same time upper-layer application 303 can access, through the device management service process 304, the USB hardware device 308 connected to the specified USB port 305. Several upper-layer applications thus access specified identical hardware devices (same hardware parameters, different interfaces) separately and simultaneously, avoiding a waste of resources.
In one specific application scenario, as shown in FIG. 9, the operation steps of a financial self-service device adopting the ATL-based device management method are:
A. When the industrial PC starts, the device management service process is started automatically;
B. When the device management service process starts, it automatically connects to the devices in exclusive mode according to the communication configuration, so that no other service or application can use the device ports;
C. The device management service process waits for connection requests from the upper-layer applications that drive the devices;
D. An upper-layer application issues a request to connect to a hardware device;
E. The device management service process looks up the already-connected device port in the device pool and binds the device connection information;
F. After passing authorization verification, the upper-layer application establishes a communication channel with the hardware device; the device management service process monitors communication over the authorized channel and generates monitoring records;
G. Whether or not the upper-layer application was authorized, once the request has been handled the process returns to step C and continues waiting.
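The three scenarios of FIG. 5 and steps A to G of FIG. 9 amount to one arbitration rule inside the service process: authorized requesters for a port are ranked by preset priority, the top one owns the communication channel, and the others are queued as monitors that receive monitoring records. The Go program below is an added example, not code from the patent; it assumes that a larger number means a higher priority, that the ranking is redone each time a new request arrives, and it stands in for the app.key check with a plain set of authorized application names.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// App is an upper-layer application with its preset priority (higher wins;
// the page does not define the scale, so that direction is an assumption).
type App struct {
	Name     string
	Priority int
}

// DevicePort is one entry of the device pool (step E): a port the service opened
// exclusively at startup (step B), the application currently holding the
// communication channel, and the lower-priority applications monitoring it.
type DevicePort struct {
	Name     string
	active   *App
	monitors []*App
}

// MonitorRecord is what step F generates for traffic on an authorized channel.
type MonitorRecord struct {
	Port, Sender, Monitor, Payload string
}

// DeviceService models the single device management service process.
type DeviceService struct {
	pool       map[string]*DevicePort
	authorized map[string]bool // outcome of the app.key check, stubbed as a set here
	Records    []MonitorRecord
}

func NewDeviceService(ports, authorizedApps []string) *DeviceService {
	s := &DeviceService{pool: map[string]*DevicePort{}, authorized: map[string]bool{}}
	for _, p := range ports {
		s.pool[p] = &DevicePort{Name: p}
	}
	for _, a := range authorizedApps {
		s.authorized[a] = true
	}
	return s
}

// Connect handles steps D to F for one request: "active" means the application
// now holds the channel, "monitor" means a higher-priority application holds it
// and this one is queued as the monitoring program; an error means rejection.
func (s *DeviceService) Connect(app *App, port string) (string, error) {
	dp, ok := s.pool[port]
	if !ok {
		return "", fmt.Errorf("%s: not in device pool", port)
	}
	if !s.authorized[app.Name] {
		// Scenario 3 / A206: refused before any port is touched.
		return "", fmt.Errorf("%s: authorization failed, connection refused", app.Name)
	}
	// Rank every authorized holder of this port by preset priority (ties keep
	// arrival order); the top one owns the channel, the rest are monitors.
	holders := []*App{}
	if dp.active != nil {
		holders = append(holders, dp.active)
	}
	holders = append(holders, dp.monitors...)
	for _, h := range holders {
		if h == app {
			return "", errors.New(app.Name + ": already connected to " + port)
		}
	}
	holders = append(holders, app)
	sort.SliceStable(holders, func(i, j int) bool {
		return holders[i].Priority > holders[j].Priority
	})
	dp.active, dp.monitors = holders[0], holders[1:]
	if dp.active == app {
		return "active", nil
	}
	return "monitor", nil
}

// Send carries one message from app to the device on port. Only the active
// application may talk to the device; each queued monitor gets a record (step F).
func (s *DeviceService) Send(app *App, port, payload string) error {
	dp, ok := s.pool[port]
	if !ok || dp.active != app {
		return errors.New(app.Name + ": no active channel on " + port)
	}
	for _, m := range dp.monitors {
		s.Records = append(s.Records, MonitorRecord{port, app.Name, m.Name, payload})
	}
	return nil
}
```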
An ATL-based device management method has mainly been described above; an ATL-based device management system is described in detail below. Referring to FIG. 7, an ATL-based device management system in an embodiment of the present invention includes:
an application authorization module 701, configured to perform authorization verification on an upper-layer application after receiving a request for a communication connection between the upper-layer application and a hardware device;
a priority communication connection module 702, configured to establish, if the authorization verification passes, the communication connection between the upper-layer application and the hardware device within the same device management service process, in priority order;
a communication monitoring module 703, configured to use, within the same device management service process, the lower-priority upper-layer application as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device.
In this embodiment, two or more upper-layer applications can establish communication connections with a hardware device within the same device management service process according to their priority order, and while the higher-priority application communicates with the device the lower-priority application can monitor that communication, so that two or more upper-layer applications share access to the same hardware device through one device management service process and device resources are not wasted.
For ease of understanding, the ATL-based device management system in an embodiment of the present invention is described in detail below. Referring to FIG. 8, another embodiment of the ATL-based device management system in an embodiment of the present invention includes:
an application authorization module 801, configured to perform authorization verification on an upper-layer application after receiving a request for a communication connection between the upper-layer application and a hardware device;
a priority communication connection module 802, configured to establish, if the authorization verification passes, the communication connection between the upper-layer application and the hardware device within the same device management service process in priority order, the priority order being determined by the preset priorities of the upper-layer applications;
a communication monitoring module 803, configured to use, within the same device management service process, the lower-priority upper-layer application as a monitoring program that monitors the communication between the current higher-priority upper-layer application and the hardware device.
In one specific embodiment, the device management system may further include:
a connection rejection module 804, configured to reject the communication connection request if the authorization verification fails.
In one specific embodiment, the device management system may further include a pre-encryption module 805, configured to encrypt the upper-layer application in advance;
the pre-encryption module 805 specifically includes:
a public key sending unit 8051, configured to send the public key of a key pair generated by the upper-layer application to the device management service process;
an encryption unit 8052, configured to encrypt the file feature code of the upper-layer application with the private key of the key pair to generate encrypted information.
In one specific embodiment, the application authorization module 801 may include:
a public key obtaining unit 8011, configured to obtain the public key corresponding to the upper-layer application from the device management service process;
a decryption unit 8012, configured to decrypt the encrypted information of the upper-layer application with the obtained public key to obtain a feature information code;
a comparison unit 8013, configured to compare the feature information code with the file feature code of the upper-layer application: if they are identical, the authorization verification passes; if they differ, the authorization verification fails.
The present invention also discloses a financial self-service device that includes any of the ATL-based device management systems described in the above embodiments; the financial self-service device therefore has, but is not limited to, the technical features and technical effects of the above device management system.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。A person skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the system, the device and the unit described above can refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium. A number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .
以上所述,以上实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述实施例对本发明进行了详细的说明,本领域的普通技术人员 应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的精神和范围。 The above embodiments are only used to illustrate the technical solutions of the present invention, and are not limited thereto; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art It should be understood that the technical solutions described in the foregoing embodiments may be modified, or some of the technical features may be equivalently replaced; and the modifications or substitutions do not deviate from the technical solutions of the embodiments of the present invention. The spirit and scope of the programme.

Claims (10)

  1. An ATL-based device management method, comprising:
    after receiving a communication connection request between an upper layer application and a hardware device, performing authorization verification on the upper layer application;
    if the authorization verification passes, establishing, in the same device management service process, the communication connection between the upper layer application and the hardware device in priority order;
    in the same device management service process, using a lower-priority upper layer application as a monitoring program to monitor the communication between the current higher-priority upper layer application and the hardware device.
  2. The device management method according to claim 1, further comprising:
    if the authorization verification fails, rejecting the communication connection request.
  3. The device management method according to claim 1 or 2, wherein the priority order is determined by a preset priority of the upper layer application.
  4. The device management method according to claim 1 or 2, further comprising encrypting the upper layer application in advance, which specifically comprises:
    sending the public key of a key pair generated by the upper layer application to the device management service process;
    encrypting the file feature code of the upper layer application with the private key of the key pair, generating encrypted information.
  5. The device management method according to claim 4, wherein performing authorization verification on the upper layer application specifically comprises:
    obtaining the public key corresponding to the upper layer application from the device management service process;
    decrypting the encrypted information of the upper layer application with the obtained public key, obtaining a feature information code;
    comparing the feature information code with the file feature code of the upper layer application: if they are the same, the authorization verification passes; if they are not, the authorization verification fails.
  6. An ATL-based device management system, comprising:
    an application authorization module, configured to perform authorization verification on an upper layer application after receiving a communication connection request between the upper layer application and a hardware device;
    a priority communication connection module, configured to establish, in the same device management service process, the communication connection between the upper layer application and the hardware device in priority order if the authorization verification passes;
    a communication monitoring module, configured to use, in the same device management service process, a lower-priority upper layer application as a monitoring program to monitor the communication between the current higher-priority upper layer application and the hardware device.
  7. The device management system according to claim 6, further comprising:
    a connection rejection module, configured to reject the communication connection request if the authorization verification fails.
  8. The device management system according to claim 6 or 7, further comprising a pre-encryption module, configured to encrypt the upper layer application in advance;
    the pre-encryption module specifically comprises:
    a public key sending unit, configured to send the public key of a key pair generated by the upper layer application to the device management service process;
    an encryption unit, configured to encrypt the file feature code of the upper layer application with the private key of the key pair, generating encrypted information.
  9. The device management system according to claim 8, wherein the application authorization module comprises:
    a public key obtaining unit, configured to obtain the public key corresponding to the upper layer application from the device management service process;
    a decryption unit, configured to decrypt the encrypted information of the upper layer application with the obtained public key, obtaining a feature information code;
    a comparison unit, configured to compare the feature information code with the file feature code of the upper layer application: if they are the same, the authorization verification passes; if they are not, the authorization verification fails.
  10. A financial self-service device, comprising the device management system according to any one of claims 6 to 9.
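The pre-encryption step of claim 4 and the authorization verification of claim 5 (units 8051/8052 and 8011 to 8013 in the system embodiment above), as an added Python example that is not the patent's own code. It assumes the file feature code is the SHA-256 digest of the application file, models the key store of the device management service process as a dictionary keyed by application name, and uses textbook RSA generated in-process so that it runs with the standard library only.

```python
import hashlib
import secrets

# Added example (not the patent's code): raw RSA with no padding is used only to
# mirror the claims' "encrypt with the private key / decrypt with the public key".

def _is_probable_prime(n, rounds=20):  # Miller-Rabin, enough for demo keys
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # force the top bit (exact size) and the low bit (odd)
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_key_pair(bits=1024):
    """Key pair generated by the upper layer application: ((n, e), (n, d))."""
    e = 65537
    p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    while p == q or (p - 1) * (q - 1) % e == 0:  # retry on an unusable pair
        q = _random_prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def file_feature_code(app_bytes):
    """File feature code of the application file (assumed: SHA-256 digest)."""
    return hashlib.sha256(app_bytes).digest()

def pre_encrypt(app_name, app_bytes, public_key, private_key, service_keys):
    """Claim 4: register the public key with the service process (a dict here), then encrypt the feature code."""
    service_keys[app_name] = public_key  # public key sending unit
    n, d = private_key
    return pow(int.from_bytes(file_feature_code(app_bytes), "big"), d, n)  # encryption unit

def authorize(app_name, app_bytes, encrypted_info, service_keys):
    """Claim 5: obtain the public key, decrypt the encrypted information, compare with the file feature code."""
    if app_name not in service_keys:
        return False  # no public key registered for this application
    n, e = service_keys[app_name]
    recovered = pow(encrypted_info, e, n)  # feature information code
    if recovered.bit_length() > 256:  # wrong key or corrupted information
        return False
    return secrets.compare_digest(recovered.to_bytes(32, "big"), file_feature_code(app_bytes))
```

The check binds an application to its key only as strongly as the service process protects its stored public key, so the key store, not just the comparison, is part of the trust boundary. Raw RSA on a bare hash is shown only to mirror the claim wording; a deployment would use a standard signature scheme such as RSA-PSS.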
PCT/CN2017/084062 2016-05-30 2017-05-12 Device management method and system based on active template library (atl), and financial self-service device WO2017206698A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610375226.9 2016-05-30
CN201610375226.9A CN106097600B (en) 2016-05-30 2016-05-30 Device management method, system and financial self-service equipment based on ATL

Publications (1)

Publication Number Publication Date
WO2017206698A1 true WO2017206698A1 (en) 2017-12-07

Family

ID=57229591

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/084062 WO2017206698A1 (en) 2016-05-30 2017-05-12 Device management method and system based on active template library (atl), and financial self-service device

Country Status (2)

Country Link
CN (1) CN106097600B (en)
WO (1) WO2017206698A1 (en)

Also Published As

Publication number Publication date
CN106097600A (en) 2016-11-09
CN106097600B (en) 2019-01-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17805643; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17805643; Country of ref document: EP; Kind code of ref document: A1)