System and method for controlling access to the information on a peripheral storage device

Document no.: 1772228  Publication date: 2019-12-03  Views: 21  Language: Chinese

Reading note: this technology, "System and method for controlling access to the information on a peripheral storage device", was designed and created by C.冯德利佩 on 2019-05-23. Its main content: a peripheral digital storage device for performing maintenance operations on a self-service machine, having an interface that allows connection to the self-service machine, and comprising: a memory providing a storage area, wherein the storage area is divided into a set of partitions which, when connected to a self-service machine, can be interpreted by the self-service machine as independent storage areas for file operations; and a control unit configured to control access to the partitions by denying or granting the self-service machine access to them, depending on identity information receivable from the self-service machine, so that each assigned self-service machine that can be connected to the interface is given access to a separate partition.

1. A peripheral digital storage device having an interface that allows connection of a self-service machine, the peripheral digital storage device being used to perform maintenance operations on the self-service machine, comprising:

a memory providing a storage area, wherein the storage area is divided into a set of partitions which, when connected to the self-service machine, can be regarded by the self-service machine as independent storage areas for file operations;

a control unit configured to control access to the partitions by denying or granting the self-service machine access to the partitions, depending on identity information receivable from the self-service machine, so that each assigned self-service machine connectable to the interface is given access to a separate partition.

2. The peripheral digital storage device according to claim 1, wherein the access control is configured to hide those partitions in the set of partitions that are not assigned to the self-service machine, and to show those partitions in the set of partitions that are assigned to the self-service machine.

3. The peripheral digital storage device according to claim 1, wherein the set of partitions comprises read/write partitions, the read/write partitions allowing independent read/write file operations on a partition only by the self-service machine exclusively assigned to that partition, thereby avoiding data exchange between different self-service machines.

4. The peripheral digital storage device according to claim 1, wherein the partitions are defined logically and/or physically by the control unit at different levels, the levels comprising: storage cell level, storage chip level, block level, file system level.

5. The peripheral digital storage device according to claim 4, wherein the control unit is configured to control access to the file system by providing files and file-related information only when the identity of the self-service machine matches, and denying access to all files when the identity does not match.

6. The peripheral digital storage device according to claim 5, wherein the control unit is configured to modify the file system table depending on the identity of the self-service machine, so as to allow access only to the files assigned to the self-service machine.

7. The peripheral digital storage device according to claim 4, wherein the control unit is configured to control a partition table that defines the physical storage area for each partition in the set of partitions, wherein, depending on the identity of the self-service machine, the control unit is configured to modify the partition table so as to provide only the information of the partitions assigned to the identified self-service machine.

8. The peripheral digital storage device according to claim 1, wherein a partition additional to the set of partitions is provided so as to allow only read access from all self-service machines.

9. The peripheral digital storage device according to claim 8, wherein the additional partition stores certificates and/or cryptographic keys for determining the identity of the peripheral digital storage device and/or of the self-service machine.

10. The peripheral digital storage device according to claim 1, wherein the control unit is configured to encrypt the partitions using a cryptographic key assigned to the self-service machine and/or using a cryptographic key that becomes accessible after input of a PIN.

11. A method for controlling access to a peripheral digital storage device according to claim 1, the peripheral digital storage device having an interface that allows connection of a self-service machine and being used to perform maintenance operations on the self-service machine, the method comprising the following steps:

- inserting the peripheral digital storage device into the self-service machine;

- determining the identity of the self-service machine by the control unit;

- providing, from the control unit to the self-service machine, only those partitions whose identity matches;

- mounting the provided partitions by the self-service machine and executing file write or read operations on the partitions.

12. The method according to claim 11, wherein the partitions are defined by the control unit at different logical and/or physical levels, the levels comprising: storage cell level, storage chip level, block level, file system level.

13. The method according to claim 12, wherein the control unit controls access to the file system by providing files and file-related information only when the identity of the self-service machine matches, and denying access to all files when the identity does not match.

14. The method according to claim 11, wherein the control unit modifies the file system table depending on the identity of the self-service machine, so as to allow access only to the files assigned to the self-service machine.

15. The method according to claim 12, wherein the control unit dynamically configures a partition table that defines the physical storage area for each partition in the set of partitions, wherein, depending on the identity of the self-service machine, the control unit is configured to modify the partition table so as to provide only the information of the partitions assigned to the identified self-service machine.

16. The method according to claim 11, wherein an additional partition stores certificates and/or cryptographic keys for determining the identity of the peripheral digital storage device and/or of the self-service machine, wherein the certificates and/or cryptographic keys can be used to determine the identity of the self-service machine.

17. The method according to claim 11, comprising the following steps:

- removing the peripheral digital storage device from the self-service machine;

- inserting the peripheral digital storage device into a personal computer;

- accessing the peripheral digital storage device in the personal computer in a non-standard manner, so as to avoid automatic installation or execution of malware;

- transferring the data directly from the personal computer over a network to a server that is protected against malware.

Technical field

In the field of self-service machines (especially automated teller machines, ATMs), periodic maintenance by service engineers/technicians is necessary in order to install software upgrades, to make repairs with replacement parts, or to extract and/or download history. An ATM is an electronic telecommunications device that enables the customers of a financial institution to perform financial transactions, such as cash withdrawals, deposits, transfers of funds or obtaining account information, at any time and without the need for direct interaction with bank staff.

On most modern ATMs, the customer is identified by inserting a plastic ATM card (or some other acceptable payment card) into the ATM, where authentication is performed by the customer entering a personal identification number (PIN) that must match the PIN stored in the chip on the card (if the card is so equipped) or in the database of the issuing financial institution.

Using an ATM, customers are able to access their bank deposit or credit accounts in order to carry out a variety of financial transactions, such as cash withdrawals, balance inquiries or topping up mobile phone credit.

Very often, self-service machines are based on standard PCs (personal computers) with interfaces for connecting peripheral devices. The operating system running on the self-service machine identifies peripheral devices automatically on connection and, depending on the type of device, starts different operations (for example, autoplay). These operations may involve installing device drivers, storing data to or loading data from the peripheral storage device, starting programs from the peripheral storage device, etc.

Very often, peripheral devices are connected via serial connections such as USB (universal serial bus), FireWire, RS232 and the like. The present invention is not limited to the types of external interface listed above.

A typical attack scenario today is to compromise a self-service machine by using plug-and-play mechanisms, for example by executing code through the autoplay function after a USB stick has been inserted. In the self-service environment, protection against this attack is increasingly required. The problem, however, is that the complete plug-and-play function cannot be blocked as a precaution, because this would limit the desired functions of the cash dispensing machine (ATM). For example, if an external device is not entered on a whitelist (for example, a USB filter driver maintained as part of a dynamic security suite), the solution does not allow the identification and processing of the external device at the USB driver level; the applicant's products, or US 2015/0206422 A1 and US 2015/928400 A1, are not unconditionally effective and do not represent a complete solution.

But this method also has a disadvantage, because a USB drive that is not excluded by the filter can distribute malware that was loaded onto the memory stick by any other ATM or by the service engineer's service laptop.

Malware, in the context applied here, is short for malicious software and is an umbrella term for a variety of forms of harmful or intrusive software (including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other rogue programs). It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, acting against the requirements of the computer user, and therefore does not include software that causes unintentional harm due to some defect.

USB drives are commonly used by service engineers to authenticate to the software on the ATM or to transfer data such as logs, lists, etc. to and from the ATM. An example is the applicant's product Cryp-TA-Stick (cryptographic technician authentication), which distributes individual access rights to each service engineer when performing maintenance.

The basis of CrypTA (trademark) is a strong cryptographic algorithm combined with a smart-card chip (crypto controller). This chip stores the necessary keys, so that attackers can be stopped regardless of whether the attack is attempted directly or remotely.

This device controls access to the ATM and also stores information about the ATM, such as events, history, documents, etc. This information can be stored in protected (encrypted) or unprotected areas.

If a service engineer has been granted access rights, this storage area is accessible. If the ATM is infected by malware, the malware can then be distributed to other ATMs.

Due to the sophisticated functionality of USB storage devices, simply blocking any USB drive has a serious impact on the serviceability of the ATM.

Summary of the invention

The present invention provides a peripheral digital storage device for performing maintenance operations on a self-service machine, having an interface that allows connection to the self-service machine. The interface can be USB, FireWire or any parallel or serial interface that allows connection of a peripheral storage device on which data can be stored, preferably as files.

The storage device comprises a memory providing a storage area. The storage area is a non-volatile memory, such as flash memory, magnetic storage or optical memory. Other technologies are possible.

The storage area is divided into a set of partitions which, when connected to the self-service machine, can be regarded by the self-service machine as independent storage areas for file operations.

In addition, the storage device comprises a control unit, which is configured to control access rights to the partitions by denying or granting the self-service machine access to the partitions, depending on identity information receivable from the self-service machine, so that each assigned self-service machine connectable to the interface is given access to a separate partition.

It must be noted that the control unit preferably includes a crypto controller, which stores cryptographic keys in a secure manner and allows cryptographic operations.

In this context, partitions can be realized at different levels. Partitions can be defined by the control unit at different logical and/or physical levels, the levels comprising: storage cell level, storage chip level, block level, file system level, etc.

Partitions can be based on physical storage cells, so that a certain number of cells defines a partition. The control unit then provides several independent disks to the operating system. It is also possible that each storage chip, or a grouping of chips, defines a partition controlled by the control unit, and that a chip has a certain number of storage cells that can be partitioned by the chip.

Furthermore, it is possible to use partitions or disk slices. Creating one or more areas or partitions on a storage area, hard disk or other secondary memory enables the operating system to manage the information in each area separately. This approach is typically provided by blocks, which group logical or physical storage cells of the hard disk. The disk stores the information about the location and size of the partitions in an area referred to as the partition table, which the operating system reads before any other part of the disk. Each partition then appears in the operating system as a distinct "logical" disk that uses part of the actual disk. Partitioning a drive divides its total storage area into different pieces. These pieces are referred to as partitions. Once a partition has been created, it can be formatted so that it can be used on a computer.

In another approach, partitions can be realized at the file system level. The control unit controls and/or modifies the file system table stored in memory in such a way that only certain files or directories are provided to the respective self-service machine. In this context, a grouping of files or directories forms a (logical) partition. Every access to the file system table from the operating system is intercepted by the control unit and modified or denied if necessary. Using this table, the control unit can remap blocks to other storage areas if necessary. Moreover, the control unit can replace or alternate the file system tables and the available memory area assigned to a self-service machine. When the storage device is inserted, access is granted only to the restricted grouping of files and directories.

The method using file tables and file systems has the advantage of flexible partitioning, which avoids the situation in which the storage device easily runs out of free storage because a large amount of data needs to be stored on the thumb drive at certain ATMs while other ATMs produce only a small amount of data.

In an alternative method, the control unit of the storage device presents the partitions with file systems to the PC as having a fixed size, but uses additional logic "behind the visible file system" to manage a free memory pool. In this case, the firmware of the storage device's control unit has additional logic about the file systems used in these partitions.

In this context, the control unit is able to use a common storage pool to provide different file system tables, which means that different blocks can be assigned to different self-service machines and different file systems. A possible method would have a shared free memory pool of free blocks, which can be assigned to the different file systems of the different self-service machines. This allows optimal use of storage resources.

In this case, only the allocated part of each partition's file system is relevant for the overall allocation on the memory stick.
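The file-system-level partitioning with a shared free-block pool described in the preceding paragraphs, modelled in Python as an added example; this is not the patent's firmware. It assumes that the identity of the self-service machine has already been determined, and the ATM names, block size and sample data are constructed.

```python
"""File-system-level partitioning over a shared free-block pool (added example,
not the patent's firmware). One raw block store, one file system table per ATM;
the control unit answers file-table queries only for the requesting identity and
allocates blocks for every ATM from the same common pool. Identities, block size
and data are constructed; authentication is assumed to have happened already."""
from typing import Dict, List

BLOCK_SIZE = 8  # toy block size in bytes (constructed)


class FileSystemPool:
    def __init__(self, total_blocks: int, atms: List[str]):
        self.blocks: List[bytes] = [b""] * total_blocks
        self.free: List[int] = list(range(total_blocks))   # shared free pool
        # one file system table per self-service machine: file name -> block list
        self.tables: Dict[str, Dict[str, List[int]]] = {a: {} for a in atms}

    def _table(self, atm: str) -> Dict[str, List[int]]:
        if atm not in self.tables:
            raise PermissionError(f"no file system assigned to {atm}")
        return self.tables[atm]

    def list_files(self, atm: str) -> List[str]:
        """What the ATM sees when it reads 'its' file system table."""
        return sorted(self._table(atm))

    def write_file(self, atm: str, name: str, data: bytes) -> int:
        table = self._table(atm)
        if name in table:
            self.delete_file(atm, name)
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("storage pool exhausted")
        # blocks come from the common pool, so they interleave between ATMs
        lbas = [self.free.pop(0) for _ in chunks]
        for lba, chunk in zip(lbas, chunks):
            self.blocks[lba] = chunk
        table[name] = lbas
        return len(lbas)

    def read_file(self, atm: str, name: str) -> bytes:
        table = self._table(atm)
        if name not in table:
            raise FileNotFoundError(f"{name} not in file system of {atm}")
        return b"".join(self.blocks[lba] for lba in table[name])

    def delete_file(self, atm: str, name: str) -> None:
        lbas = self._table(atm).pop(name)
        for lba in lbas:
            self.blocks[lba] = b""
        self.free.extend(lbas)      # returned to the shared pool
        self.free.sort()

    def read_block(self, atm: str, lba: int) -> bytes:
        """Raw block read: allowed only for blocks inside this ATM's own file system."""
        owned = {b for lbas in self._table(atm).values() for b in lbas}
        if lba not in owned:
            raise PermissionError(f"block {lba} not in file system of {atm}")
        return self.blocks[lba]


def demo() -> dict:
    fs = FileSystemPool(total_blocks=8, atms=["ATM-A", "ATM-B"])
    fs.write_file("ATM-A", "events.log", b"A" * 20)   # 3 blocks: 0, 1, 2
    fs.write_file("ATM-B", "history.csv", b"B" * 10)  # 2 blocks: 3, 4
    fs.write_file("ATM-A", "dump.bin", b"C" * 8)      # 1 block: 5
    out = {
        "files_a": fs.list_files("ATM-A"),
        "files_b": fs.list_files("ATM-B"),
        "blocks_a": fs.tables["ATM-A"]["dump.bin"],
        "free": list(fs.free),
        "read_a": fs.read_file("ATM-A", "events.log"),
    }
    try:
        fs.read_block("ATM-B", 5)   # a block of ATM-A's file, requested by ATM-B
        out["cross_read"] = "allowed"
    except PermissionError:
        out["cross_read"] = "denied"
    fs.delete_file("ATM-A", "events.log")
    out["free_after"] = list(fs.free)  # freed blocks go back to the shared pool
    return out
```

The block store shows ATM-A's second file landing after ATM-B's blocks, which is the interleaving the shared pool allows, while each ATM's table still only reaches its own blocks.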

An alternative embodiment of a system using such partitions would simply use a proprietary file system unknown to the operating system of the self-service machine. In this case, malware cannot transfer itself to the storage device without recognizing and understanding the proprietary file system.

But in this approach, all software that wants to use the space on the storage device needs to use a proprietary API to read and write data.

Another challenge is to design a replacement file system that is reliable in the case of intermediate removal of the storage device and other types of USB stability problems. For the file systems common in the Windows world, Microsoft has made a large number of improvements over the past several years.

In a preferred embodiment, the access control is configured to hide those partitions in the set of partitions that are not assigned to the self-service machine, and to show those partitions in the set of partitions that are assigned to the self-service machine. In a preferred embodiment, only one partition is shown for write operations. It is also possible to provide more than one partition. The control unit identifies the identity of the self-service machine and provides to the self-service machine only those partitions that are assigned to it.

In a possible embodiment, there may also be different access rights depending on the identity of the self-service machine. Read/write authorization is controlled by the control unit.

In a possible embodiment, there are at least two groups of partitions. One group defines a set of partitions comprising read and/or write partitions, allowing independent read and/or write file operations on a partition by the self-service machine assigned to that partition, thereby avoiding data exchange between different self-service machines; the second group of partitions comprises at least one read-only partition.

On this additional partition, certificates and/or cryptographic keys are stored for determining the identity of the peripheral digital storage device and/or of the self-service machine. The key can be used by the self-service machine to identify the peripheral digital storage device. Using this method, the self-service machine can also reject digital storage devices that do not store the correct key. On the other hand, the key can also be used by the storage device to identify the self-service machine. The self-service machine can read the key and generate signed data based on a key that can be recognized by the controller of the storage device. If the signature is generated correctly, the controller of the storage device provides access to the partitions assigned to the self-service machine. In an alternative embodiment, the self-service machine loads the public key of the storage device (for example, of the crypto controller) from the partition, encrypts or cryptographically signs its identity, and attempts to write back the encrypted identity. The control unit intercepts the write operation and receives the encrypted identity, then transfers the encrypted identity to the crypto controller, which decrypts it or checks the identity signature and compares the identity with the identities stored in its secure storage. If the comparison succeeds, the control unit checks its internal table and provides the partitions assigned to the self-service machine.

The second partition is used for read-only purposes only and is mounted at the self-service machine (ATM). This partition contains data to be communicated to and from the server, such as certificates for authentication. Every self-service machine sees the same partition image. This partition should only be written at the technician's notebook. Since this partition is read-only, no malware can be copied from the ATM to this partition.

If the relevant data is instead replicated in another way in the individual visible partitions, the read-only partition can also be omitted.

Furthermore, partitions can be encrypted or decrypted. The decryption and/or encryption process can be performed by the control unit and its crypto controller. Encryption can be based on a cryptographic key assigned to the self-service machine and/or on a cryptographic key that becomes accessible after input of a PIN by the service engineer. When access to an assigned partition is granted, the partition is decrypted and shown to the self-service machine.

In the above description, partitions being read-only or hidden is the only security measure.

Partitions can also be stored in encrypted form. There are many examples of encrypted drives on the market, mostly using AES-256. In the case of the CrypTA memory stick, the key for decrypting the data can be derived from authentication data such as the PIN.

Another part of the invention is a method for controlling access to the peripheral digital storage device described above.

In order to perform maintenance operations on a self-service machine, the following steps are carried out.

- the peripheral digital storage device is inserted into the self-service machine (done by the service engineer);

- the identity of the self-service machine is determined by the control unit; the identity can be determined as described above;

- only those partitions whose identity matches are provided from the control unit to the self-service machine;

- the provided partitions are mounted by the self-service machine and file write or read operations are performed on the partitions.
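The four steps above, together with the partition-table filtering and the key-based identity check described earlier in the summary, modelled in Python as an added example; this is not the patent's firmware. It assumes a toy block device, an HMAC-SHA256 challenge-response standing in for the signature scheme the page leaves open, and constructed ATM identities, keys and partition layout.

```python
"""Model of the control unit of the peripheral storage device (added example, not
the patent's firmware). The ATM signs a challenge with a key the device holds; the
control unit then exposes a filtered partition table and refuses block reads and
writes outside the partitions assigned to that ATM. HMAC-SHA256 stands in for the
unspecified signature scheme; names, keys and layout are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

BLOCK_SIZE = 16  # toy block size in bytes (constructed)


@dataclass(frozen=True)
class Partition:
    name: str
    start: int            # first block number
    length: int           # number of blocks
    owner: Optional[str]  # ATM identity; None = shared read-only partition (claim 8)


class ControlUnit:
    def __init__(self, partitions: List[Partition], atm_keys: Dict[str, bytes]):
        self.partitions = list(partitions)
        self.atm_keys = dict(atm_keys)  # identity -> key, held by the crypto controller
        total = max(p.start + p.length for p in self.partitions)
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(total)]
        self.session: Optional[str] = None  # authenticated ATM, if any
        self._nonce: Optional[bytes] = None

    # step 2: identity determination by challenge-response
    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def authenticate(self, atm_id: str, signature: bytes) -> bool:
        key = self.atm_keys.get(atm_id)
        if key is None or self._nonce is None:
            self.session = None
            return False
        expected = hmac.new(key, self._nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, signature)
        self.session = atm_id if ok else None
        self._nonce = None  # single use
        return ok

    # step 3: the partition table handed out contains only matching partitions
    def partition_table(self) -> List[Partition]:
        return [p for p in self.partitions
                if p.owner is None or p.owner == self.session]

    def _visible(self, lba: int) -> Optional[Partition]:
        for p in self.partition_table():
            if p.start <= lba < p.start + p.length:
                return p
        return None

    # step 4: block access is checked against the filtered table, not the full one
    def read_block(self, lba: int) -> bytes:
        if self._visible(lba) is None:
            raise PermissionError(f"block {lba} not visible to {self.session}")
        return self.blocks[lba]

    def write_block(self, lba: int, data: bytes) -> None:
        p = self._visible(lba)
        if p is None or p.owner is None:  # hidden, or shared read-only
            raise PermissionError(f"write to block {lba} denied for {self.session}")
        self.blocks[lba] = data.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]


def atm_sign(key: bytes, nonce: bytes) -> bytes:
    """ATM side: sign the device's challenge with the key it holds."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


# Constructed layout: shared read-only certificate partition plus one partition per ATM.
LAYOUT = [Partition("certs", 0, 4, None),
          Partition("atm-a", 4, 8, "ATM-A"),
          Partition("atm-b", 12, 8, "ATM-B")]
KEYS = {"ATM-A": b"constructed-key-a", "ATM-B": b"constructed-key-b"}


def demo() -> dict:
    cu = ControlUnit(LAYOUT, KEYS)
    out = {}
    # wrong key: no session, only the shared partition is visible
    out["bad_auth"] = cu.authenticate("ATM-A", atm_sign(b"wrong", cu.challenge()))
    out["visible_unauth"] = [p.name for p in cu.partition_table()]
    # correct key for ATM-A: its own partition appears, ATM-B's stays hidden
    out["good_auth"] = cu.authenticate("ATM-A", atm_sign(KEYS["ATM-A"], cu.challenge()))
    out["visible_a"] = [p.name for p in cu.partition_table()]
    cu.write_block(4, b"log line from A")
    out["readback"] = cu.read_block(4).rstrip(b"\0")
    for key, lba, op in (("write_shared", 0, "w"), ("read_other", 12, "r")):
        try:
            cu.write_block(lba, b"x") if op == "w" else cu.read_block(lba)
            out[key] = "allowed"
        except PermissionError:
            out[key] = "denied"
    return out
```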

In another embodiment, the invention comprises the following steps:

- the peripheral digital storage device is removed from the self-service machine. This step is performed after the self-service machine has read and/or written data on the digital storage device. The service engineer removes the peripheral digital storage device manually. After that, the information on the storage device must be transferred;

- the peripheral digital storage device is inserted into a personal computer; this step is likewise performed by the service engineer;

- the peripheral digital storage device is accessed in the personal computer in a non-standard manner, so as to avoid automatic installation or execution of malware;

- the data is transferred directly from the personal computer over a network to a server that is protected against malware.

The above technique prevents malware from spreading from one ATM to another.

In order to prevent the technician's notebook from spreading malware, the invention can use the following countermeasures:

- the notebook is equipped with state-of-the-art anti-virus and/or anti-intrusion software;

- the notebook OS and the additional software are hardened;

- the software on the notebook does not mount the partitions as file system partitions known to the operating system, but accesses them in a proprietary manner, so that the standard mechanisms for automatically starting any malware do not work;

- the notebook itself does not evaluate the data on the memory stick, but simply transfers the data of the partitions to and from the server, which is assumed to be immune to malware. This is an end-to-end (E2E) solution.

Detailed description of the invention

Fig. 1 shows a peripheral digital storage device with an interface, a control unit, a crypto controller, a storage area with storage chips, and partitions spanning several storage chips,

Fig. 2 shows a peripheral digital storage device with an interface, a control unit, a crypto controller, a storage area with storage chips, and partitions based on the physical storage chips,

Fig. 3 shows a storage area with a partition table, partitions referenced by the partition table, and file system tables in the partitions,

Fig. 4 shows a storage area with a partition table, one partition, and several file system tables in that partition,

Fig. 5 shows an example of the path of a certificate from the CrypTA database to the ATM.

Specific embodiment

Fig. 1 shows a peripheral digital storage device 1, which can have the size of a standard USB stick. The peripheral digital storage device comprises an interface 2, which extends from the housing in order to be connected to the self-service machine. The interface can be a plug that is inserted into a USB socket of the self-service machine. Other interfaces are also possible. The interface is connected to a control unit 3. In the case of a USB interface, the control unit 3 provides USB standard communication. In a preferred embodiment, the control unit is a USB controller with additional functionality. A crypto processor 4 is arranged in the control unit 3; the crypto processor 4 encrypts data and stores encryption keys and signatures in its local storage. This crypto controller provides additional functionality to the control unit. The crypto controller allows data received by the control unit to be encrypted, and the data are then stored in the storage area 5. Moreover, the crypto controller allows signatures to be verified and information to be decrypted. The control unit 3 determines from the information received through the interface whether to communicate directly with the memory or with the crypto controller. Additionally, the control unit prevents access to the storage area by unauthenticated self-service machines. Authentication is performed by providing identity information to the control unit through the interface. The control unit transfers the identity information to the crypto controller, which verifies the information using various techniques.

The storage area 5 comprises several storage chips 6, which can be flash memory chips. Different storage technologies can be used. The storage area can be divided into several partitions 8a-8d. Fig. 1 shows logical partitions, where each partition spans several storage chips. By comparison, Fig. 2 shows physical partitions 7a-7c based on storage chips. One partition can comprise one or several chips. In this case, the storage device 1 may manage several independent physical disks or volumes. When connected to a self-service machine, several independent disks are identifiable.

However, the configuration in Fig. 1 provides only one single physical disk with a partition table to the self-service machine; the partition table divides the storage area into several logical partitions by reference. As described above, depending on the configuration, the control unit provides only those partitions (physical or logical) to the self-service machine, and only if the identity of the machine itself has been approved.

Fig. 3 shows a storage area 6 divided into several logical partitions. Each partition 8a-8c is referenced by a partition table 9, which is generally stored at the beginning of the storage area 6. When information is read from the storage device, the partition table is usually loaded first. In the case of the present invention, before transfer to the self-service machine, the partition table is modified by the control unit so that it contains only those partitions that should be accessible by the self-service machine. In addition, all write operations to storage areas that the self-service machine is not allowed to access are blocked by the control unit. Using this approach, granting uncontrolled access to the entire storage area is prevented. The partition table 9 references the partitions, and in particular also the file system tables 10a-10c that are generally stored at the beginning of the partitions. The file system table defines the structure of the file system stored in each partition.

Fig. 4 shows another approach with one logical partition but several file system tables 11a-11d. Each file system table manages the blocks of a file system representing a file and folder structure. Depending on the identity of the self-service machine, the control unit provides the one of the file system tables that manages the file system assigned to that self-service machine. Moreover, in this case, write operations are approved by the control unit, and only operations attempting to access the assigned file system are authorized.

It must be noted that one or more partitions can be read-only, and one or more partitions can be accessible by the self-service machine.

Fig. 5 shows an example of the path of a certificate from the CrypTA database to the ATM. In the CrypTA database, information about all registered service technicians is stored. The CrypTA database is located on a server in the secure DN computing center. The database stores the relationships between service technicians and notebooks, CrypTA USB dongles (also referred to as peripheral digital storage devices) and/or ATMs. In controlling access to the ATM, any combination of this information is possible. Based on the stored information, certificates are granted, released, revoked or denied. The CrypTA server performs this operation based on the information in the database and on the information received from the proxy, the technician's notebook, the CrypTA USB dongle and the ATM. A reverse proxy has the function of controlling access from the internet to the CrypTA server in the DN computing center. The CrypTA server is used to generate update data for the CrypTA dongle, in particular for obtaining certificates for access to the ATM. The CrypTA USB dongle can be updated through the internet reverse proxy after being connected to the technician's notebook. Data stored on the CrypTA dongle can also be transferred to the CrypTA server. After the CrypTA USB dongle has been updated using software referred to as the CrypTA client, which establishes the connection to the CrypTA server via the notebook, the dongle is used at the ATM. At the ATM, the dongle is used for authentication and data transfer, and allows access to the ATM. The dongle acts as a key. Depending on the database and the updated information, the dongle authorizes access to different levels and components of the ATM.
