Background technology
Bank card (BANKCard) is more and more universal as the means of payment, common bank card paying system comprises point of sales terminal (PointOfSale, POS), POS receives single system (POSP), code keypad (PINPAD) and hardware encipher machine (HardwareandSecurityModule, HSM).Wherein POS terminal can accept bank card information, has communication function, and the equipment that the instruction accepting teller completes financial transaction information and exchanges for information about; POS receives single system and manages concentratedly POS terminal, comprises parameter downloads, and key is downloaded, and accepts, processes or forward the transaction request of POS terminal, and to POS terminal loopback transaction results information, is the system of centralized management and transaction processing; Code keypad (PINPAD) is that the key relevant to various financial transaction carries out safe storage protection, and is encrypted the safety equipment of protection to PIN; Hardware encipher machine (HSM) is the peripheral hardware devices be encrypted transmission data, for the encryption and decryption of PIN, the correctness verifying message and document source and storage key.Personal identification code (PersonalIdentificationNumber, PIN), i.e. personal identification number are the data messages identifying holder's identity legitimacy in on-line transaction, and in cyber-net system, any link does not allow to occur in mode expressly; Terminal master key (TerminalMasterKey, TMK), during POS terminal work, to the master key that working key is encrypted, encrypting storing is in system database; POS terminal is widely used in bank card and pays occasion, and such as manufacturer's shopping, hotel accommodations etc. are a kind of indispensable modernization means of payment, has incorporated the various occasions of people's life.Bank card; particularly debit card; generally all be provided with PIN by holder; carrying out in payment process; POS terminal is except above sending the data such as the magnetic track information of bank card; also want holder to input the identity legitimacy of PIN for issuing bank checking holder, guarantee bank card safety of payment, the property safety of protection holder.Reveal to prevent PIN or be cracked; require from terminal to issuing bank in whole information interactive process; whole process carries out safety encipher protection to PIN; do not allow any link in computer network system; PIN occurs in mode expressly, and the POS terminal therefore accepting input PIN at present all requires to be equipped with key management system.
The key code system of POS terminal is divided into secondary: terminal master key (TMK) and working key (WK).Wherein TMK is in WK renewal process, is encrypted protection to WK.Every platform POS terminal has unique TMK, must have safeguard protection, guarantee can only write device and participate in calculate, can not read; TMK is a very crucial root key, if TMK is intercepted, working key is just cracked than being easier to, by serious threat bank card safety of payment.So can secure download TMK to POS terminal, become the key of whole POS terminal security.Conclude existing TMK download scenarios below as follows:
1, the female POS scheme of key: user receives the single system hardware encipher machine traffic encryption key the same with key female POS input at POS.POS terminal receives single system initiating terminal master key download request by the female POS of key to POS, POS receives single system and drives hardware encipher machine stochastic generation terminal master key, and by traffic encryption key encrypted transmission to the female POS of key, POS terminal is transferred to again after the female POS traffic encryption key deciphering of key, POS terminal obtains terminal master key expressly, be saved in POS terminal code keypad, thus realize POS terminal and POS and receive the synchronous of terminal master key between single system.
2, IC-card decrypt scheme: user injects the same traffic encryption key in POS receipts single system hardware encipher machine with IC-card.IC-card is inserted POS terminal by user, POS terminal receives single system initiating terminal master key download request to POS, POS receives single system and drives hardware encipher machine stochastic generation terminal master key, and by traffic encryption key encrypted transmission to POS terminal, traffic encryption key decryption terminal master key ciphertext in POS terminal IC-card, obtain terminal master key expressly, be saved in POS terminal code keypad, thus realize POS terminal and POS and receive the synchronous of terminal master key between single system.
Above-mentioned two schemes has following shortcoming: terminal master key expressly appears at outside safety equipment, and for taking precautions against Key Exposure risk, the download of terminal master key must control to carry out at the safe machine room of administrative center, by manually concentrating download terminal master key.Thus bring that " maintenance centre's machine room workload is large; Need to be transported to administrative center's safe machine room download key after equipment dispatches from the factory and just can be deployed to trade company, transportation cost rises; In order to concentrate under fill key, need a large amount of staff and working time, maintenance cost is large, maintenance period is long " etc. problem.
Summary of the invention
For solving the problems of the technologies described above, the technical scheme that the present invention adopts is to provide a kind of method of batch capture and upload transfers key, comprises step:
S1, be stored in operating terminal from POS terminal collect and transmit cipher key T K;
S2, judge whether operating terminal performs upload operation, if so, perform step S3;
Whether S3, the transmission security key TK data upload that stored by operating terminal to MTMS system, and judge to upload and complete, and if so, enter step S4, if not, return step S2, wherein, transmission security key TK data comprise transmission security key encrypt data and signed data;
S4, judge whether that in addition transmission security key TK data transfer to operating terminal from POS terminal, if so, return step S1.
Another technical scheme of the present invention is for providing a kind of operating terminal, and described operating terminal comprises:
Acquisition module, for being stored in operating terminal from POS terminal collect and transmit cipher key T K;
First judge module, for judging whether operating terminal performs upload operation;
Second judge module, for depositing the transmission security key TK data upload of operating terminal storage to MTMS system, and judges to upload whether complete, wherein, transmission security key TK data comprise transmission security key encrypt data and signed data;
3rd judge module, for judging whether that transmission security key TK data transfer to operating terminal from POS terminal in addition;
Beneficial effect of the present invention: when supporting that the POS terminal that remote terminal master key is downloaded is keeped in repair, maintenance personal to need the transmission security key TK data upload that collects from POS terminal with operating terminal, to servers such as MTMS systems, to be distributed afterwards by MTMS system.Operating terminal and MTMS system are generally by wireless transmission, and the transmission time can be long, if often keeped in repair a POS terminal, uploading of transmission security key TK data is carried out with regard to single, the efficiency of maintenance POS terminal can be reduced like this, process also can be made complicated, increase error probability.
When using the method maintenance POS terminal of batch capture of the present invention and upload transfers cipher key T K data, after operating terminal gathers TK data, after can selecting to upload or be stored in operating terminal immediately, batch is uploaded, before there will not be after each POS terminal maintenance, need manually to upload immediately, cause inefficiency and upload confusion, the present invention is when TK data are stored into certain data volume, TK data are uploaded in pressure, improve maintenance efficiency, guarantee again the order of TK data upload and ageing.
Embodiment
By describing technology contents of the present invention, structural attitude in detail, realized object and effect, accompanying drawing is coordinated to be explained in detail below in conjunction with embodiment.
For solving the technical matters existed in background technology, the present invention adopts a kind of new master key download scenarios, TK(TransmissionKey is produced at random by POS terminal, transmission security key), TK after producing is stored in the code keypad of POS terminal, and TK is sent to KMS(KeyManagementSystem, key management system, for office terminal master key TMK by transmission mode required under various application scenarios) in.
As POS terminal application download terminal master key TMK, KMS system uses TK ciphering terminal master key TMK, and the terminal master key ciphertext after encryption is sent to POS terminal, POS terminal is decrypted master key ciphertext with TK after receiving, obtain terminal master key TMK, and terminal master key TMK is kept in code keypad.
So, by TK ciphering terminal master key TMK, enable TMK carry out remote transmission, facilitate the secure download of TMK.
In some scenarios, operating terminal is adopted to gather the TK of POS terminal generation, and be responsible for TK being transferred to MTMS system (MaterialTrackingManagementSystem by operating terminal, Tracing Material system, mainly use in plant produced), TK is managed by MTMS systematic unity, and TK is sent to corresponding KMS system, described course of conveying is by CA center (CertificateAuthority, certificate authority, adopt PublicKeyInfrastructure public key infrastructure technology, network ID authentication service is provided specially, be responsible for signing and issuing and managing digital certificate, and there is third party's trust authority that is authoritative and fairness) differentiate operating terminal, the identity of MTMS system and KMS system.
POS terminal produces TK, and gathers TK by operating terminal and be uploaded to the servers such as MTMS system, has following effect: one, improve TK acquisition time efficiency (can realize a key collection etc.); Two, can compatible various different model POS terminal; Three, it docks to unify to upload convenience and service by operating terminal, is conducive to transmission security; Four, the hardware resource of POS terminal can optimisedly utilize; Five, be conducive to improving TK and gather rights management; Six, the TK be conducive to gathering carries out incorporated management.
Adopt MTMS system conveniently to TK unified management, data search and the download of POS terminal during after-sales service later can be facilitated, can realize, by manufacture order bulk transfer TK, facilitating the transfer management of TK by MTMS system, prevent TK from misinformating to the object of mistake; Introducing CA center can prevent pseudo-terminal and pseudo-KMS system from stealing TK.
Above by being sent to bank's end after POS terminal collect and transmit cipher key T K, TMK is encrypted, then the transmission security of TMK can be ensured by the method for the TMK of POS terminal remote download after TK encryption.
TK under being uploaded to the server conditions such as MTMS system is being gathered by operating terminal, when the POS terminal supporting that remote terminal master key is downloaded is keeped in repair, maintenance personal to need with operating terminal, by collecting new transmission security key TK data upload from POS terminal to servers such as MTMS systems, to be distributed afterwards by MTMS system.When operating terminal and MTMS system are generally by wireless transmission, the transmission time can be long, if often keeped in repair a POS terminal, uploading of transmission security key TK data is carried out with regard to single, the efficiency of maintenance POS terminal can be reduced like this, process also can be made complicated, increase error probability.
Just the technical scheme that the present invention overcomes the problems referred to above is described in detail below.
Refer to Fig. 1, be the flowchart of the method for a kind of automated maintenance POS terminal of the present invention, the method comprising the steps of:
S1, be stored in operating terminal from POS terminal collect and transmit cipher key T K;
S2, judge whether operating terminal performs upload operation, if so, perform step S3;
Whether S3, the transmission security key TK data upload that stored by operating terminal to MTMS system, and judge to upload and complete, and if so, enter step S4, if not, return step S2, wherein, transmission security key TK data comprise transmission security key encrypt data and signed data;
S4, judge whether that in addition transmission security key TK data transfer to operating terminal from POS terminal, if so, return step S1.
In the present embodiment, also comprise step S5 after described step S4, when judging do not have transmission security key TK data to transfer to operating terminal from POS terminal, prompting gathers and uploads the number of successful transmission security key TK data.
In the present embodiment, described step S2 is specially: judge to stop the time of upload operation whether to exceed Preset Time, if then perform step S3.
In the present embodiment, described step S2 specifically also can be: judge whether the number being stored in the transmission security key TK data of operating terminal exceedes default number, if then perform step S3.
In the present embodiment, described step S2 also can be:
Judge whether the number of the transmission security key TK data stopping the time of upload operation whether to exceed Preset Time and be stored in operating terminal exceedes default number, if not, then judges whether operating terminal receives uploading instructions; Step S3 is performed when decision terminal receives uploading instructions.
Referring to Fig. 2, is the structured flowchart of a kind of operating terminal of the present invention.Above-mentioned a kind of transmission security key TK batch capture and the method uploaded are applied in this operating terminal.
This operating terminal 100 comprises acquisition module 10, first judge module 20, second judge module 30 and the 3rd judge module 40.
Described acquisition module 10 is for being stored in operating terminal from POS terminal collect and transmit cipher key T K.
Described first judge module 20, for judging whether operating terminal performs upload operation.
Described second judge module 30, for when the first judge module 20 Predicated execution upload operation, by the transmission security key TK data upload that stores to MTMS system, and judge to upload whether complete, wherein, transmission security key TK data comprise transmission security key encrypt data and signed data;
Described 3rd judge module 40, for when the transmission security key TK data upload of the second judge module 30 determining storage completes, judges whether that transmission security key TK data transfer to operating terminal from POS terminal in addition, if then notify that acquisition module performs acquisition operations;
In the present embodiment, described operating terminal 100 of going back also comprises display module, described display module is used for when the 3rd judge module 40 judges do not have transmission security key TK data to transfer to operating terminal from POS terminal, and display gathers and uploads the number of successful transmission security key TK data.
In the present embodiment, described first judge module stops the time of upload operation whether to exceed Preset Time, if then notify that the second judge module 30 performs upload operation specifically for judging.
In the present embodiment, described first judge module is specifically for judging whether the number being stored in the transmission security key TK data of operating terminal exceedes default number, if then notify that the second judge module 30 performs upload operation.
In the present embodiment, described first judge module 10 specifically comprises: the first judging unit and the second judging unit.
First judging unit is for judging whether the number of the transmission security key TK data stopping the time of upload operation whether to exceed Preset Time and be stored in operating terminal exceedes default number;
Second judging unit is used for when the first judging unit judges that the number of transmission security key TK data that the time of stopping upload operation not exceeding Preset Time and be stored in operating terminal does not exceed default number, judge whether operating terminal receives uploading instructions, if then notify that the second judge module performs upload operation.
Beneficial effect of the present invention: when using the method maintenance POS terminal of batch capture of the present invention and upload transfers cipher key T K data, after operating terminal gathers TK data, after can selecting to upload or be stored in operating terminal immediately, batch is uploaded, wherein operating terminal can gather the transmission security key TK data of a collection of POS terminal, before there will not be after each POS terminal maintenance, need manually to upload immediately, cause inefficiency and upload confusion; The present invention can when TK data be stored into certain data volume, force to upload TK data, improve maintenance efficiency and guarantee again the order of TK data upload and ageing.
The foregoing is only embodiments of the invention; not thereby the scope of the claims of the present invention is limited; every utilize instructions of the present invention and accompanying drawing content to do equivalent structure or equivalent flow process conversion; or be directly or indirectly used in other relevant technical fields, be all in like manner included in scope of patent protection of the present invention.