WO2018040922A1 - Data isolation system and method, and method using data isolation system - Google Patents


Info

Publication number
WO2018040922A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
area
application
application area
default
Prior art date
Application number
PCT/CN2017/097808
Other languages
French (fr)
Chinese (zh)
Inventor
孟陆强
洪逸轩
Original Assignee
福建联迪商用设备有限公司 (Fujian Landi Commercial Equipment Co., Ltd.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07G REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
    • G07G1/00 Cash registers
    • G07G1/12 Cash registers electronically operated
    • G07G1/14 Systems including one or more distant stations co-operating with a central processing unit

Definitions

  • The invention relates to data security of a POS terminal used by multiple users, and in particular to a data isolation system.
  • Applications stored on a POS terminal may belong to different owners (a bank, a merchant, a supermarket, and so on) and may hold sensitive information that must not be reachable by other applications. Without isolation between the applications of different users, private data in one user's application can be maliciously read or modified by another application, leading to security problems and financial loss.
  • The technical problem addressed is to provide a data isolation system, a data isolation method, and a method of using the system, so that application data belonging to different users is isolated.
  • The data isolation system consists of a user POS machine, a server, a signature module, and at least one user module. The user POS machine is connected to the server, the server to the signature module, and the signature module to the user module.
  • The user POS machine contains one default application area and at least one user application area. The default application area stores the applications shared by all users together with the default digital certificate; each user application area stores the applications of one authorized user together with that user's digital certificate.
  • The user module holds the user digital certificate of the corresponding authorized user; the signature module produces digital signatures; the server holds the user applications to be downloaded.
  • In preferred embodiments the signature module is itself a POS machine dedicated to digital signing, the server is a PC with a download function, and the signature module is connected to the server over a USB interface.
  • The patent describes a digital signature as "digitally encrypting a file or program using a digital certificate", which it calls a common expression in the field. In the worked embodiment it concretely means signing with the private key corresponding to a certificate and verifying with the certificate.
  • Application areas and users correspond one to one: an area belongs to exactly one user, and one user's software exists in exactly one area. Data within one area is mutually accessible; data in different areas is not. The granularity of the isolation is therefore the owner, not the application: two applications of the same user in the same area can read each other's data.
  • When a program is downloaded, the user POS machine must be told which application area it belongs to. If the area already exists the program is saved there; otherwise the POS machine creates the area first and then saves the program into it.
  • The area mechanism alone stops programs in different areas from reaching each other's data, but it does not by itself stop application App1, which belongs to area Area1, from being maliciously downloaded into area Area2, where App1 could read Area2's data. The digital signature mechanism closes this gap.
  • FIG. 1 is a diagram of the data isolation system; FIG. 2 is a flow chart of the data isolation method; FIG. 3 is a flow chart of one application embodiment of the method of isolating data using the system; FIG. 4 is a flow chart of another application embodiment.
  • Data isolation method (FIG. 2): S201, divide the storage of the user POS machine into at least two areas, one set as the default application area and the others as user application areas; S202, install the default digital certificate in the default application area and the user digital certificate of each authorized user in that user's application area.
  • The default application area stores the default digital certificate, the system programs, and the applications shared by users. The installation in S202 goes through the digital signature mechanism, which ensures that a user's application cannot be maliciously downloaded into another user's application area.
  • To download an application into the default application area, the application must first be digitally signed by the signature module. To download into a user application area that does not yet exist, the user POS machine must create the area, and the user's digital certificate must be downloaded into it before any application can be.
  • Downloading a user digital certificate: the signature module signs the certificate, producing a certificate target file; the user POS machine verifies and unpacks that file with the default digital certificate, and only then is the certificate stored in the user application area. At that point the user has been authenticated by the POS machine, the created area belongs to that user alone, and no other user can download applications into it; any application destined for the area must pass verification under that user's certificate, and the applications in the area belong only to that user.
  • Method using the system, first embodiment (FIG. 3): S301, determine whether the area the program belongs to is the default application area; if so, proceed to S305, otherwise to S302. S302, download the digitally signed certificate target file and verify it with the default digital certificate. S303, partition an area out of the remaining storage of the user POS machine as the program's area. S304, unpack the certificate target file with the default digital certificate and download the unpacked digital certificate into the program's area. S305, download the digitally signed program target file, verify and unpack it with the digital certificate of that area, and save the unpacked application in the program's area.
  • Between S301 and S302 there is a further step S3011: determine whether the program's area already exists. If it does, proceed from S302 directly to S304; if not, proceed from S302 to S303.
  • Worked scenario: the user POS machine has planned its default application area Area1 and preloaded the digital certificate Crt1 corresponding to it. To download program App1 into Area1, App1 is first signed with the private key corresponding to Crt1, producing the target file Sgn1; Sgn1 is downloaded to the POS machine, which verifies it and saves App1. To download program App2 into Area2, the certificate Crt2 corresponding to Area2 must be downloaded first: Crt2 is signed with the private key corresponding to Crt1, producing the target file Crt2'; Crt2' is downloaded, and after verifying it under Crt1 the POS machine saves Crt2. App2 is then signed with the private key corresponding to Crt2, producing the target file Sgn2, which is downloaded and verified under Crt2 before App2 is saved. The check that binds an application to an area is thus: a program file must verify under the certificate installed in the area it is declared for, and a certificate is accepted into an area only if it verifies under the preloaded default certificate, which serves as the root of a two-level trust chain.
  • Second embodiment (FIG. 4): S402, determine whether the program's area already has the user digital certificate; if so, proceed to S405, otherwise to S403. S404, download the certificate target file, verify and unpack it with the default digital certificate, and save the user digital certificate. S405, digitally sign the application to be downloaded with the private key of the user digital certificate, producing an application target file. A closing step (labelled S404 a second time in the source) verifies and unpacks the application target file with the user digital certificate and saves the application.
  • S404 is further divided into S4042, download the certificate target file; S4045, verify the certificate target file with the default digital certificate and proceed to S4046; and S4046, unpack the certificate target file with the default digital certificate and save the user digital certificate.
  • Where the user application area and its certificate already exist, the application can be signed directly to form a program target file, which is verified and unpacked with the user digital certificate and then saved in that user's application area.
  • In this way App1 located in Area1 cannot access data in Area2, and App2 located in Area2 cannot access data in Area1.
  • Beneficial effects: in the prior art, private data in an application belonging to one user may be maliciously accessed and modified by other applications, causing security problems and financial loss. The data isolation system, the method, and the method of using the system partition the storage into application areas so that one area belongs to only one user and one user's software exists in only one area; data within an area is mutually accessible while data in different areas is not. By means of digital signatures, a user's software can be downloaded only into that user's own application area and cannot be maliciously downloaded into another user's area.
  • The application data of different users is thereby isolated.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Disclosed are a data isolation system and method, and a method using the data isolation system. The data isolation system comprises a user POS machine, a server, a signature module, and at least one user module. The user POS machine is connected to the server, the server is connected to the signature module, and the signature module is connected to the user module. The user POS machine comprises a default application area and at least one user application area. The default application area stores the application programs shared by users and the default digital certificate. Each user application area stores the application programs and the user digital certificate of one authorized user. The user module comprises the user digital certificate of the corresponding authorized user. The signature module makes digital signatures. The server comprises the user application programs. The invention isolates data between different application areas, and the software of one user cannot be downloaded into another user's application area.

Description

Title of invention: Data isolation system and method, and method using a data isolation system
Technical field
[0001] The present invention relates to the field of data security for a POS terminal used by multiple users, and in particular to a data isolation system, a data isolation method, and a method of using a data isolation system.
Background art
[0002] With the development of electronic technology, the storage capacity of POS terminals keeps growing. Customers may require that several applications can be downloaded to the same POS terminal; that is, more than one application may be stored on a single POS terminal.
[0003] The applications stored on a POS terminal may belong to different owners, for example a bank, the customer, and a supermarket, and an application may contain sensitive information that must not be accessed by other applications. If there is no way to isolate the applications of different users from each other, the private data in one user's application may be maliciously accessed and modified by other applications, causing security problems and financial loss.
Technical problem
[0004] The main technical problem solved by the present invention is to provide a data isolation system, a data isolation method, and a method of using a data isolation system, which isolate the application data of different users from one another.
Solution to the problem
Technical solution
[0005] To solve the above technical problem, one technical solution adopted by the present invention is to provide a data isolation system comprising a user POS machine, a server, a signature module, and at least one user module. The user POS machine is connected to the server, the server is connected to the signature module, and the signature module is connected to the user module. The user POS machine comprises one default application area and at least one user application area. The default application area stores the applications shared by users and the default digital certificate; a user application area stores the applications of an authorized user and that user's digital certificate. The user module contains the user digital certificate of the corresponding authorized user. The signature module performs digital signing. The server contains the user applications.
[0006] In one embodiment, the signature module is a POS machine.
[0007] In one embodiment, the server is a PC with a download function.
[0008] In one embodiment, the signature module is connected to the server through a USB interface.
[0009] To solve the above technical problem, another technical solution adopted by the present invention is to provide a data isolation method comprising the following steps:
[0010] S201. Divide the storage area of the user POS machine into at least two areas, set one of them as the default application area, and set the other areas as user application areas;
[0011] S202. Install the default digital certificate in the default application area, and install the user digital certificate of an authorized user in the user application area.
[0012] To solve the above technical problem, another technical solution adopted by the present invention is to provide a method of isolating data using the data isolation system, comprising the following steps:
[0013] S301. Determine whether the area to which the program to be downloaded belongs is the default application area; if so, proceed to step S305; if not, proceed to step S302;
[0014] S302. Download the digitally signed certificate target file and verify it using the default digital certificate;
[0015] S303. Partition an area out of the remaining storage of the user POS machine as the area to which the program to be downloaded belongs;
[0016] S304. Unpack the certificate target file using the default digital certificate, and download the unpacked digital certificate into the area to which the program to be downloaded belongs;
[0017] S305. Download the digitally signed program target file, verify and unpack it using the digital certificate of that area (the default digital certificate for the default application area, the user digital certificate otherwise), and save the unpacked application in the area to which the program to be downloaded belongs.
[0018] Between step S301 and step S302 the method further comprises the following step:
[0019] S3011. Determine whether the area to which the program to be downloaded belongs already exists; if it exists, proceed directly from step S302 to step S304; if it does not exist, proceed from step S302 to step S303.
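The download flow of steps S301 to S305, together with the Crt1/Crt2/App1/App2 scenario of the detailed description and the second embodiment's S402 to S405, as an added, runnable model. This is example code written for this page, not code from the patent or from the assignee. It assumes Ed25519 keys in place of the patent's digital certificates and their private keys, and a simple length-prefixed layout (kind, target area, payload) as the content of a signed target file; the area names Area1/Area2/Area3, the function names and the application images are constructed for the example. Binding the target area into the signed bytes is this example's choice; the page does not describe the contents of a target file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumptions of this example, not the patent's: a certificate (Crt1, Crt2) is a bare Ed25519
// public key, and a signed target file (Sgn1, Crt2', Sgn2) carries kind, target area and
// payload, with the Ed25519 signature covering all three.
type TargetFile struct {
	Kind, Area   string // Kind is "cert" or "app"
	Payload, Sig []byte
}

var (
	ErrBadSignature = errors.New("target file does not verify under the certificate governing the declared area")
	ErrNoAreaCert   = errors.New("declared area has no certificate; download the user certificate first")
	ErrBadCertFile  = errors.New("certificate target file is malformed or targets the default area")
)

// signedBytes is the length-prefixed message that is signed and verified.
func signedBytes(kind, area string, payload []byte) []byte {
	var out []byte
	for _, part := range [][]byte{[]byte(kind), []byte(area), payload} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		out = append(append(out, n[:]...), part...)
	}
	return out
}

// Sign models the signature module: the private key corresponding to a certificate signs a payload for one area.
func Sign(priv ed25519.PrivateKey, kind, area string, payload []byte) TargetFile {
	return TargetFile{kind, area, payload, ed25519.Sign(priv, signedBytes(kind, area, payload))}
}

// POS models the user POS machine: one certificate per application area (the default area's is
// preloaded) and the applications saved in each area.
type POS struct {
	defaultArea string
	certs       map[string]ed25519.PublicKey // area -> certificate governing it
	apps        map[string][]byte            // "area/app" -> saved application image
}

func NewPOS(defaultArea string, defaultCert ed25519.PublicKey) *POS {
	return &POS{defaultArea, map[string]ed25519.PublicKey{defaultArea: defaultCert}, map[string][]byte{}}
}

// InstallCert is S302-S304: a certificate is accepted for the declared area only if its target
// file verifies under the default certificate; the area is created if it did not exist (S303).
func (p *POS) InstallCert(tf TargetFile) error {
	if tf.Kind != "cert" || tf.Area == p.defaultArea || len(tf.Payload) != ed25519.PublicKeySize {
		return ErrBadCertFile
	}
	if !ed25519.Verify(p.certs[p.defaultArea], signedBytes(tf.Kind, tf.Area, tf.Payload), tf.Sig) {
		return ErrBadSignature
	}
	p.certs[tf.Area] = ed25519.PublicKey(tf.Payload)
	return nil
}

// InstallApp is S305: the program target file must verify under the certificate installed in
// the area it is declared for, and under no other.
func (p *POS) InstallApp(name string, tf TargetFile) error {
	cert, ok := p.certs[tf.Area]
	if !ok {
		return ErrNoAreaCert
	}
	if tf.Kind != "app" || !ed25519.Verify(cert, signedBytes(tf.Kind, tf.Area, tf.Payload), tf.Sig) {
		return ErrBadSignature
	}
	p.apps[tf.Area+"/"+name] = tf.Payload
	return nil
}

// Walkthrough replays the App1/App2 scenario plus two downloads the POS must refuse;
// each entry holds one step's result (nil means accepted).
func Walkthrough() map[string]error {
	r := map[string]error{}
	crt1, key1, _ := ed25519.GenerateKey(rand.Reader) // preloaded in default area Area1
	crt2, key2, _ := ed25519.GenerateKey(rand.Reader) // user certificate for Area2
	crt3, _, _ := ed25519.GenerateKey(rand.Reader)    // user certificate for Area3
	pos := NewPOS("Area1", crt1)
	app1, app2 := []byte("App1 image (constructed)"), []byte("App2 image (constructed)")
	r["Sgn1 -> Area1"] = pos.InstallApp("App1", Sign(key1, "app", "Area1", app1))
	sgn2 := Sign(key2, "app", "Area2", app2)
	r["Sgn2 before Crt2'"] = pos.InstallApp("App2", sgn2) // Area2 does not exist yet
	crt2File := Sign(key1, "cert", "Area2", []byte(crt2))
	r["Crt2' -> Area2"] = pos.InstallCert(crt2File)
	r["Sgn2 -> Area2"] = pos.InstallApp("App2", sgn2)
	r["Crt3' -> Area3"] = pos.InstallCert(Sign(key1, "cert", "Area3", []byte(crt3)))
	// Refused: App2 signed with Crt2's key but declared for Area1, which holds Crt1.
	r["App2 signed for Area1"] = pos.InstallApp("App2", Sign(key2, "app", "Area1", app2))
	// Refused: Crt2' replayed against Area3, which would hand user 3's area to user 2.
	crt2File.Area = "Area3"
	r["Crt2' relabelled to Area3"] = pos.InstallCert(crt2File)
	return r
}

func main() {
	for step, err := range Walkthrough() {
		fmt.Printf("%-26s %v\n", step, err)
	}
}
```

Run with `go run .`; each step prints its outcome. The last refusal is the caveat to carry into an implementation: because S3011 allows a certificate to be downloaded again into an area that already exists, a root-signed certificate file that did not name its target area could be replayed to re-certify another user's area, so the target area (or an equivalent identifier) must be covered by the signature, and the verifier must select the certificate by the declared area rather than accept any certificate installed on the device.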
Advantageous effects of the invention
Beneficial effects
[0020] The beneficial effects of the present invention are as follows. In the prior art, private data in an application belonging to one user may be maliciously accessed and modified by other applications, causing security problems and financial loss. The present invention provides a data isolation system, a data isolation method, and a method of using the data isolation system. By partitioning application areas, one application area belongs to only one user and one user's application software exists in only one application area, so that data within one application area can be accessed mutually while data in different application areas cannot be. By means of digital signatures, a user's software can be downloaded only into that user's own application area and cannot be maliciously downloaded into another user's application area. The invention thus isolates the application data of different users.
Brief description of the drawings
Description of drawings
[0021] FIG. 1 is a diagram of the data isolation system provided by the present invention;
[0022] FIG. 2 is a flow chart of the data isolation method provided by the present invention;
[0023] FIG. 3 is a flow chart of one application embodiment of the method of isolating data using the data isolation system provided by the present invention;
[0024] FIG. 4 is a flow chart of another application embodiment of the method of isolating data using the data isolation system provided by the present invention.
具体实施方式 detailed description
[0025] 请参阅图 1, 本发明提供一种数据隔离系统, 包括用户 POS机、 服务器、 签名 模块和至少一个用户模块, 所述用户 POS机与所述服务器相连, 所述服务器与所 述签名模块相连, 所述签名模块与所述用户模块相连; 所述用户 POS机包括一个 默认应用区和至少一个用户应用区; 所述默认应用区用于存储用户共享的应用 程序和默认数字证书; 所述用户应用区用于存储授权用户的应用程序和用户数 字证书; 所述用户模块包含有对应的所述授权用户的所述用户数字证书; 所述 签名模块用于数字签名; 所述服务器包含有用户应用程序。 优选的, 所述签名 模块为 POS机, 即专用于数字签名的 POS机。 所述数字签名是指利用数字证书对 文件或程序进行数字加密的功能, 此表述在本领域为常用表述。 优选的, 所述 服务器为具有下载功能的 PC机。 优选的, 所述签名模块通过 USB接口与所述服 务器相连。 [0026] 在本发明中, 应用区和用户之间是一一对应的关系, 即: 一个应用区只属于一 个用户, 一个用户的应用软件也只存在于一个应用区内。 处于一个应用区的数 据可以互相访问, 而处于不同应用区之间的数据不能够互相访问。 基于以上说 明, 程序下载吋, 要向用户 P0S机说明该程序要保存于用户 P0S机的哪个应用区 。 用户 POS机中若存在该应用区, 则将程序直接保存于该应用区; 用户 POS机中 若不存在该应用区, 则用户 POS机创建相应应用区后再将程序保存到指定应用区 中。 通过应用区的机制保证不同应用区的程序、 数据无法互相访问。 但这还无 法保证属于应用区 Areal的应用程序 Appl被恶意下载到应用区 Area2, 从而 Appl 可以访问 Area2的数据。 Referring to FIG. 1, the present invention provides a data isolation system, including a user POS machine, a server, a signature module, and at least one user module, where the user POS machine is connected to the server, the server and the signature. The module is connected to the user module; the user POS machine includes a default application area and at least one user application area; the default application area is used to store an application shared by the user and a default digital certificate; The user application area is configured to store an application of the authorized user and the user digital certificate; the user module includes the user digital certificate corresponding to the authorized user; the signature module is used for digital signature; the server includes User application. Preferably, the signature module is a POS machine, that is, a POS machine dedicated to digital signatures. The digital signature refers to a function of digitally encrypting a file or program using a digital certificate, and the expression is a common expression in the art. Preferably, the server is a PC with a download function. Preferably, the signature module is connected to the server through a USB interface. 
In the present invention, there is a one-to-one correspondence between the application area and the user, that is, one application area belongs to only one user, and one user's application software exists only in one application area. Data in one application area can be accessed from each other, and data between different application areas cannot be accessed from each other. Based on the above description, after the program is downloaded, it is necessary to explain to the user POS machine which application area of the user POS machine the program is to be saved. If the application area exists in the user POS machine, the program is directly saved in the application area; if the application area does not exist in the user POS machine, the user POS machine creates the corresponding application area and then saves the program to the specified application area. The application area mechanism ensures that programs and data in different application areas cannot access each other. However, this does not guarantee that the application Appl belonging to the application area Areal is maliciously downloaded to the application area Area2, so that Appl can access the data of Area2.
[0027] The present invention therefore provides a data isolation method. Referring to FIG. 2, the data isolation method provided by the present invention includes the following steps:
[0028] S201. Divide the storage area of the user POS machine into at least two areas, set one of them as the default application area and the others as user application areas;
[0029] S202. Install the default digital certificate in the default application area, and install the user digital certificate of the authorized user in the user application area.
[0030] In the present invention, step S201 divides the storage area of the user POS machine into a plurality of user application areas, with a one-to-one correspondence between application areas and users: one application area belongs to only one user, and one user's application software exists in only one application area. Data within one application area can be accessed mutually, while data in different application areas cannot be accessed across areas. The default application area stores the default digital certificate, the system programs and the applications shared by users. Step S202 relies on a digital signature mechanism: the default digital certificate is installed in the default application area and the authorized user's user digital certificate is installed in the user application area; the digital signature mechanism ensures that a user's application cannot be maliciously downloaded into another user's application area. As described above, when the present invention is used, a default application area exists on the user POS machine and holds the default digital certificate. If a user wants to download an application into the default application area, the application can only be downloaded after it has been digitally signed by the signature module; if the user wants to download an application into a user application area that does not yet exist, the user POS machine must create the user application area, and the user's user digital certificate must first be downloaded into the newly created area before the application can be downloaded into it.
[0031] During the download of the user digital certificate, the certificate is digitally signed by the signature module to produce a certificate target file, and only after the user POS machine has verified and decapsulated the certificate target file with the default digital certificate can the certificate be downloaded into the user application area. At this point the user has passed the authorization check of the user POS machine; the created user application area belongs to that user only, and other users cannot download applications into it. An application can only be downloaded into this user application area after it has passed the authorization check of that user's user digital certificate, so the applications in this user application area likewise belong to that user only.
[0032] Referring to FIG. 3 and FIG. 4, the method for isolating data using the data isolation system provided by the present invention includes the following steps:
[0033] S301. Determine whether the area to which the program to be downloaded belongs is the default application area; if so, proceed to step S305; if not, proceed to step S302;
[0034] S302. Download the digitally signed certificate target file and verify the certificate target file using the default digital certificate;
[0035] S303. Partition an area from the remaining storage of the user POS machine as the area to which the program to be downloaded belongs;
[0036] S304. Decapsulate the certificate target file using the default digital certificate and download the decapsulated digital certificate into the area to which the program to be downloaded belongs;
[0037] S305. Download the digitally signed program target file, verify and decapsulate the program target file using the digital certificate, and save the decapsulated application in the area to which the program to be downloaded belongs.
[0038] Between step S301 and step S302, the method further includes the following step:
[0039] S3011. Determine whether the area to which the program to be downloaded belongs already exists; if it exists, proceed directly to step S304 after step S302; if it does not exist, proceed to step S303 after step S302.
[0040] In the present invention, there is a one-to-one correspondence between application areas and users: one application area belongs to only one user, and one user's application software exists in only one application area. Data within one application area can be accessed mutually, while data in different application areas cannot be accessed across areas. Accordingly, when a program is downloaded, the user POS machine must be told which of its application areas the program is to be saved in. If that application area already exists on the user POS machine, the program is saved directly in it; if it does not exist, the user POS machine first creates the corresponding application area and then saves the program to the specified area. The application area mechanism ensures that programs and data in different application areas cannot access each other. On its own, however, it cannot prevent application App1, which belongs to application area Area1, from being maliciously downloaded into application area Area2, where App1 could then access the data of Area2.
[0041] In a preferred embodiment of the present invention, the user POS machine has already been provisioned with its default application area Area1 and preloaded with the digital certificate Crt1 corresponding to the default application area. If a program App1 developed by a user is to be downloaded into Area1, App1 is first digitally signed with the private key corresponding to Crt1 to generate the target file Sgn1; Sgn1 is then downloaded to the user POS machine, and only then does the user POS machine save App1 into the system. If a program App2 developed by a user is to be downloaded into Area2, the certificate Crt2 corresponding to Area2 must first be downloaded to the user POS machine. The Crt2 certificate is first digitally signed with the private key corresponding to Crt1 to generate the target file Crt2'; Crt2' is then downloaded to the user POS machine, and only then does the user POS machine save the Crt2 certificate into the system. After that, App2 is digitally signed with the private key corresponding to Crt2 to generate the target file Sgn2; Sgn2 is then downloaded to the user POS machine, and only then does the user POS machine save App2 into the system.
[0042] In another preferred embodiment, the application process of the method for isolating data using the data isolation system provided by the present invention includes the following steps:
[0043] S401. Determine whether the area to which the program to be downloaded belongs is the default application area; if so, proceed to step S405; if not, proceed to step S402;
[0044] S402. Determine whether the area to which the program to be downloaded belongs already holds the user digital certificate; if so, proceed to step S405; if not, proceed to step S403;
[0045] S403. Send a control signal to the signature module, instructing the signature module to digitally sign the user digital certificate to be downloaded with the private key of the default digital certificate and to generate a certificate target file;
[0046] S404. Download the certificate target file, verify and decapsulate the certificate target file using the default digital certificate, and save the user digital certificate;
[0047] S405. Digitally sign the application to be downloaded with the private key of the user digital certificate to generate an application target file;
[0048] S406. Download the application target file;
[0049] S407. Verify and decapsulate the application target file using the user digital certificate, and save the application.
[0050] Step S404 consists of the following steps:
[0051] S4041. Determine whether the area to which the program belongs already exists; if it exists, proceed to step S4044; if not, proceed to step S4042;
[0052] S4042. Download the certificate target file;
[0053] S4043. Verify the certificate target file using the default digital certificate and create the area to which the program belongs; proceed to step S4046;
[0054] S4044. Download the certificate target file;
[0055] S4045. Verify the certificate target file using the default digital certificate; proceed to step S4046;
[0056] S4046. Decapsulate the certificate target file using the default digital certificate and save the user digital certificate.
[0057] In this embodiment, the user POS machine has already been provisioned with its default application area Area1 and preloaded with the digital certificate Crt1 corresponding to the default application area. If a program App1 developed by a user is to be downloaded into Area1, App1 is first digitally signed with the private key corresponding to Crt1 to generate the target file Sgn1; Sgn1 is then downloaded to the user POS machine, and only then does the user POS machine save App1 into the system. If a program App2 developed by a user is to be downloaded into Area2, the certificate Crt2 corresponding to Area2 must first be downloaded to the user POS machine. The Crt2 certificate is first digitally signed with the private key corresponding to Crt1 to generate the target file Crt2'; Crt2' is then downloaded to the user POS machine, and only then does the user POS machine save the Crt2 certificate into the system. After that, App2 is digitally signed with the private key corresponding to Crt2 to generate the target file Sgn2; Sgn2 is then downloaded to the user POS machine, and only then does the user POS machine save App2 into the system. If the user's user application area already exists and the user's user digital certificate is already stored in it, the application can be digitally signed directly to form a program target file; after the program target file has been verified and decapsulated with the user digital certificate, the application is saved in that user's user application area.
[0058] The phrase "digitally sign App1 with the private key corresponding to Crt1" used above means encrypting the data of App1 with the private key corresponding to Crt1; this usage is common in the art.
[0059] In summary, through the application area mechanism the present invention ensures that App1 in Area1 cannot access the data in Area2 and App2 in Area2 cannot access the data in Area1; through the digital signature mechanism it ensures that Sgn1 cannot be downloaded into Area2 and Sgn2 cannot be downloaded into Area1.
The beneficial effects of the present invention are as follows. In the prior art, private data in an application belonging to one user may be maliciously accessed and modified by other applications, causing security problems and financial loss. By contrast, the present invention provides a data isolation system, a data isolation method and a method using the data isolation system: by partitioning application areas, one application area belongs to only one user and one user's application software exists in only one application area, so that data within one application area can be accessed mutually while data in different application areas cannot be accessed across areas; by digital signing, a user's software can only be downloaded into that user's own application area and cannot be maliciously downloaded into other users' application areas. The present invention thereby achieves isolation of application data between different users.
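The two-level signing flow of paragraph [0041] and steps S301 to S305 (with S3011), replayed as an added Go example that is not part of the patent: the default certificate Crt1 authorizes user certificates such as Crt2', and each area's own certificate authorizes the programs installed into it, so a file signed for one area is refused by every other area. Certificates are modelled as bare Ed25519 public keys, the signed object also binds the destination area name, and all keys and "binaries" are constructed inline; these are assumptions of this example, not the patent's formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TargetFile is a signed download object (Sgn1, Sgn2 or Crt2'). The signature
// also covers the area name (an added choice), so relabelling invalidates it.
type TargetFile struct {
	Area      string
	Payload   []byte
	Signature []byte
}

// Area is one application area, its certificate modelled as a bare Ed25519 public
// key (an assumption); POS is the user POS machine: default area plus user areas.
type Area struct {
	Cert ed25519.PublicKey
	Apps map[string][]byte
}
type POS struct {
	DefaultArea string
	Areas       map[string]*Area
}
// Sign is the signature module's job: sign for an area with that area's private key.
func Sign(priv ed25519.PrivateKey, area string, payload []byte) TargetFile {
	return TargetFile{area, payload, ed25519.Sign(priv, append([]byte(area+"\x00"), payload...))}
}
// verify is the "verification" of S302/S305 against one certificate.
func verify(cert ed25519.PublicKey, f TargetFile) error {
	if !ed25519.Verify(cert, append([]byte(f.Area+"\x00"), f.Payload...), f.Signature) {
		return fmt.Errorf("file for %q fails signature verification", f.Area)
	}
	return nil
}
// InstallUserCert performs S302-S304: Crt2' must verify under the default
// certificate; the user area is created if missing and the certificate stored.
func (p *POS) InstallUserCert(f TargetFile) error {
	if err := verify(p.Areas[p.DefaultArea].Cert, f); err != nil {
		return err
	}
	if len(f.Payload) != ed25519.PublicKeySize { // ed25519.Verify panics otherwise
		return errors.New("malformed certificate payload")
	}
	if _, ok := p.Areas[f.Area]; !ok { // S303: carve out the new user area
		p.Areas[f.Area] = &Area{Apps: map[string][]byte{}}
	}
	p.Areas[f.Area].Cert = append(ed25519.PublicKey{}, f.Payload...)
	return nil
}
// InstallApp performs S301/S305: the file is checked with the certificate of
// the area it names, so Sgn1 cannot land in Area2 nor Sgn2 in Area1.
func (p *POS) InstallApp(name string, f TargetFile) error {
	area, ok := p.Areas[f.Area]
	if !ok { // S3011: no such area yet; its user certificate must come first
		return fmt.Errorf("area %q does not exist", f.Area)
	}
	if err := verify(area.Cert, f); err != nil {
		return err
	}
	area.Apps[name] = f.Payload
	return nil
}
// Outcome of each download in the replayed [0041] flow; nil means accepted.
type Outcome struct{ App1, App2Early, Crt2, App2, Sgn1ToArea2, Sgn2ToArea1 error }
// RunScenario uses constructed keys and binaries; the POS starts with only Area1 and Crt1.
func RunScenario() Outcome {
	pub1, key1, _ := ed25519.GenerateKey(rand.Reader) // Crt1 and its private key
	pub2, key2, _ := ed25519.GenerateKey(rand.Reader) // Crt2 and its private key
	pos := &POS{"Area1", map[string]*Area{"Area1": {pub1, map[string][]byte{}}}}
	sgn1 := Sign(key1, "Area1", []byte("App1 binary"))
	sgn2 := Sign(key2, "Area2", []byte("App2 binary"))
	o := Outcome{App1: pos.InstallApp("App1", sgn1)}
	o.App2Early = pos.InstallApp("App2", sgn2) // refused: Area2 does not exist yet
	o.Crt2 = pos.InstallUserCert(Sign(key1, "Area2", pub2)) // Crt2' signed under Crt1
	o.App2 = pos.InstallApp("App2", sgn2)
	o.Sgn1ToArea2 = pos.InstallApp("App1", Sign(key1, "Area2", sgn1.Payload)) // Crt1 key, not Crt2
	o.Sgn2ToArea1 = pos.InstallApp("App2", Sign(key2, "Area1", sgn2.Payload)) // Crt2 key, not Crt1
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Note that the patent's own step order (S3011 before S302) is what makes the App2Early refusal necessary: a user certificate for a new area must be installed, under Crt1, before any program can be accepted into it.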

Claims

[Claim 1] A data isolation system, characterized in that:
it comprises a user POS machine, a server, a signature module and at least one user module; the user POS machine is connected to the server, the server is connected to the signature module, and the signature module is connected to the user module;
the user POS machine includes a default application area and at least one user application area; the default application area stores the applications shared by users and the default digital certificate; the user application area stores the authorized user's applications and user digital certificate; the user module contains the user digital certificate of the corresponding authorized user; the signature module performs digital signing; and the server contains the user applications.
[Claim 2] The data isolation system according to claim 1, characterized in that the signature module is a POS machine.
[Claim 3] The data isolation system according to claim 1 or 2, characterized in that the server is a PC with a download function.
[Claim 4] The data isolation system according to claim 1 or 2, characterized in that the signature module is connected to the server through a USB interface.
[Claim 5] The data isolation system according to claim 3, characterized in that the signature module is connected to the server through a USB interface.
[Claim 6] A data isolation method, characterized in that it comprises the following steps:
S201. Divide the storage area of the user POS machine into at least two areas, set one of them as the default application area and the others as user application areas;
S202. Install the default digital certificate in the default application area, and install the user digital certificate of the authorized user in the user application area.
[Claim 7] A method for isolating data using the data isolation system of claim 1, characterized in that it comprises the following steps:
S301. Determine whether the area to which the program to be downloaded belongs is the default application area; if so, proceed to step S305; if not, proceed to step S302;
S302. Download the digitally signed certificate target file and verify the certificate target file using the default digital certificate;
S303. Partition an area from the remaining storage of the user POS machine as the area to which the program to be downloaded belongs;
S304. Decapsulate the certificate target file using the default digital certificate and download the decapsulated digital certificate into the area to which the program to be downloaded belongs;
S305. Download the digitally signed program target file, verify and decapsulate the program target file using the digital certificate, and save the decapsulated application in the area to which the program to be downloaded belongs.
[Claim 8] The method for isolating data according to claim 7, characterized in that between step S301 and step S302 it further comprises the following step:
S3011. Determine whether the area to which the program to be downloaded belongs already exists; if it exists, proceed directly to step S304 after step S302; if it does not exist, proceed to step S303 after step S302.
PCT/CN2017/097808, priority date 2016-08-29, filing date 2017-08-17: Data isolation system and method, and method using data isolation system, WO2018040922A1 (en)

Applications Claiming Priority

Application number CN201610754507.5A (CN106385314A), priority date 2016-08-29, filing date 2016-08-29: Data isolation system, data isolation system and method for isolating data by using data isolation system

Publications

WO2018040922A1, publication date 2018-03-08

Family ID: 57917424

Country Status

CN: CN106385314A (en)
WO: WO2018040922A1 (en)

Also Published As

CN106385314A (en), publication date 2017-02-08


Legal Events

121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 17845224, country of ref document EP, kind code A1)
NENP: non-entry into the national phase (ref country code DE)
122 Ep: PCT application non-entry in European phase (ref document number 17845224, country of ref document EP, kind code A1)