CN110912709A - Client certificate anti-attack scheme of Android platform POS equipment - Google Patents

Publication number
CN110912709A
Authority
CN
China
Legal status
Granted
Application number
CN201911190673.7A
Other languages
Chinese (zh)
Other versions
CN110912709B (en)
Inventor
刘坤坤
严明
郑凯
王震懿
Current Assignee
FUJIAN NEWLAND PAYMENT TECHNOLOGY Co Ltd
Original Assignee
FUJIAN NEWLAND PAYMENT TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by FUJIAN NEWLAND PAYMENT TECHNOLOGY Co Ltd
Priority to CN201911190673.7A
Publication of CN110912709A
Application granted
Publication of CN110912709B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Cash Registers Or Receiving Machines (AREA)

Abstract

The invention relates to the technical field of Android platform smart POS payment, and in particular to a client certificate anti-attack scheme for Android platform POS equipment, implemented as follows. Step one: the Android CPU sends an information verification request to the security CPU. Step two: the security CPU generates a random factor for this verification, stores it in internal memory, and returns it to the Android CPU. Step three: the Android CPU feeds the random factor into an agreed secret-key derivation algorithm to generate a set of random authentication keys, encrypts the client information with the authentication keys, and sends it to the security CPU. Step four: the security CPU uses the random factor held in memory to generate the same authentication key with the agreed secret-key derivation algorithm, then decrypts and restores the client information sent by the Android side. Step five: the security CPU compares the restored Android-side information with the locally stored information; if no client information is stored locally, or the stored value is the default, the current client information is written to local storage.

Description

Client certificate anti-attack scheme of Android platform POS equipment
Technical Field
The invention relates to the technical field of Android platform intelligent POS payment, in particular to an anti-attack scheme for client certificates of Android platform POS equipment.
Background
With the development of mobile payment and new retail, smart POS devices are becoming increasingly popular with merchants. A smart POS has mobile payment as its basic function and, together with a matching merchant management cloud platform, provides collection management, member management, shop management and the like. This also brings security challenges: installing unauthorized applications may jeopardize system security, steal user data, and undermine transaction security. Application installation is therefore controlled so that only authorized applications that pass signature verification can be installed or upgraded. The security of the customer-specific client certificate that controls application installation is particularly important: only when the client certificate is comprehensively protected, so that unauthorized applications cannot be installed on the device, can the security of the customer's POS be ensured.
Currently, most smart POS devices provision a customer-specific certificate in one of two ways. One is to compile the client certificate directly into the firmware code. The other is to store the client certificate in a designated secure partition. Wherever the certificate is stored, it is prone to FLASH copy attacks because secure mutual authentication is lacking.
Disclosure of Invention
To address these problems, the invention provides a client certificate anti-attack scheme for Android platform POS equipment. It protects the client certificate through a mechanism in which the smart POS performs a one-time security authentication with the security CPU module at startup, thereby ensuring the security of the customer's POS.
To achieve this purpose, the invention is realized by the following technical scheme:
A client certificate anti-attack scheme for Android platform POS equipment, implemented as follows:
Step one: the Android CPU in the equipment sends an information verification request to the security CPU;
Step two: the security CPU generates a random factor for this verification, stores it in internal memory, and returns it to the Android CPU;
Step three: the Android CPU feeds the random factor into an agreed secret-key derivation algorithm to generate a set of random authentication keys, encrypts the client information with the authentication keys, and sends it to the security CPU;
Step four: the security CPU uses the random factor held in memory to generate the same authentication key with the agreed secret-key derivation algorithm, then decrypts and restores the client information sent by the Android side;
Step five: the security CPU compares the restored Android-side information with the locally stored information; if no client information is stored locally, or the stored value is the default, the current client information is written to local storage.
Further, the client information includes the Android CPU ID, the FLASH ID, and the client certificate information.
Further, during the first verification after production, the POS equipment stores the Android-side information in the on-chip FLASH of the security CPU.
Compared with the prior art, the invention has the following beneficial effects:
Through the interactive verification of security authentication information between the Android CPU and the security CPU during startup, the invention improves the security of the POS equipment's client certificate and effectively prevents device security and smart POS payment security from being compromised by unauthorized applications installed after the client certificate has been tampered with.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, but not all, embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The invention mainly comprises three parts: the Android CPU, the security CPU, and the security authentication information exchange between them.
A client certificate anti-attack scheme for Android platform POS equipment, implemented as follows:
Step one: the Android CPU in the equipment sends an information verification request to the security CPU;
Step two: the security CPU generates a random factor for this verification, stores it in internal memory, and returns it to the Android CPU;
Step three: the Android CPU feeds the random factor into an agreed secret-key derivation algorithm to generate a set of random authentication keys, encrypts the client information with the authentication keys, and sends it to the security CPU;
Step four: the security CPU uses the random factor held in memory to generate the same authentication key with the agreed secret-key derivation algorithm, then decrypts and restores the client information sent by the Android side;
Step five: the security CPU compares the restored Android-side information with the locally stored information; if no client information is stored locally, or the stored value is the default, the current client information is written to local storage.
The client information comprises the Android CPU ID, the FLASH ID, and the client certificate information.
Further, during the first verification after production, the POS equipment stores the Android-side information in the on-chip FLASH of the security CPU.
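The five steps above as an added Python example (not code from the patent), run from both sides so that first-boot enrollment, a replayed message and a changed FLASH ID can be told apart. Assumptions not on the page: a device secret shared by both CPUs, HMAC-SHA256 as the agreed derivation, an HMAC keystream plus MAC tag standing in for a real authenticated cipher, a SHA-256 certificate hash as the certificate information, single use of each random factor, and all names and sample values.

```python
import hashlib
import hmac
import secrets

# Assumption: both CPUs hold this secret from manufacturing. The page only says
# the derivation algorithm is "agreed" and does not define its inputs.
SHARED_SECRET = b"constructed-demo-secret"
DEFAULT = b""  # constructed "default value": nothing enrolled yet

def pack_client_info(cpu_id, flash_id, cert):
    """CPU ID, FLASH ID and certificate info (assumed here: SHA-256 of the cert)."""
    fields = (cpu_id, flash_id, hashlib.sha256(cert).digest())
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def derive_keys(random_factor):
    """Agreed derivation (assumed HMAC-SHA256): encryption key and MAC key."""
    enc = hmac.new(SHARED_SECRET, b"enc" + random_factor, hashlib.sha256).digest()
    mac = hmac.new(SHARED_SECRET, b"mac" + random_factor, hashlib.sha256).digest()
    return enc, mac

def _keystream_xor(key, data):
    """HMAC-SHA256 counter keystream; a stand-in for a real cipher such as AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def android_seal(random_factor, client_info):
    """Step three: encrypt the client info under the derived keys and tag it."""
    enc, mac = derive_keys(random_factor)
    ct = _keystream_xor(enc, client_info)
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()

class SecurityCPU:
    def __init__(self):
        self.stored = DEFAULT  # record in the security CPU's own FLASH
        self._factor = None    # internal memory: one outstanding random factor

    def challenge(self):
        """Step two: generate and remember a fresh random factor."""
        self._factor = secrets.token_bytes(16)
        return self._factor

    def verify(self, message):
        """Steps four and five. The factor is consumed, so a replay is rejected."""
        factor, self._factor = self._factor, None
        if factor is None or len(message) < 32:
            return "rejected"
        enc, mac = derive_keys(factor)
        ct, tag = message[:-32], message[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
            return "rejected"
        info = _keystream_xor(enc, ct)
        if self.stored == DEFAULT:  # first verification after production
            self.stored = info
            return "enrolled"
        return "match" if hmac.compare_digest(info, self.stored) else "mismatch"
```

A key derived from the random factor alone could be recomputed by anyone who observes the factor, so the example mixes in a secret held by both CPUs.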
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (3)

1. A client certificate anti-attack scheme for Android platform POS equipment, characterized in that it is implemented as follows:
Step one: the Android CPU in the equipment sends an information verification request to the security CPU;
Step two: the security CPU generates a random factor for this verification, stores it in internal memory, and returns it to the Android CPU;
Step three: the Android CPU feeds the random factor into an agreed secret-key derivation algorithm to generate a set of random authentication keys, encrypts the client information with the authentication keys, and sends it to the security CPU;
Step four: the security CPU uses the random factor held in memory to generate the same authentication key with the agreed secret-key derivation algorithm, then decrypts and restores the client information sent by the Android side;
Step five: the security CPU compares the restored Android-side information with the locally stored information; if no client information is stored locally, or the stored value is the default, the current client information is written to local storage.
2. The client certificate anti-attack scheme for Android platform POS equipment of claim 1, wherein the client information includes the Android CPU ID, the FLASH ID, and the client certificate information.
3. The client certificate anti-attack scheme for Android platform POS equipment of claim 1, wherein, during the first verification after production, the POS equipment stores the Android-side information in the on-chip FLASH of the security CPU.
CN201911190673.7A 2019-11-28 2019-11-28 Client certificate anti-attack scheme of Android platform POS equipment Active CN110912709B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911190673.7A CN110912709B (en) 2019-11-28 2019-11-28 Client certificate anti-attack scheme of Android platform POS equipment

Publications (2)

Publication Number Publication Date
CN110912709A 2020-03-24
CN110912709B 2022-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant