Chapter 3 System Security
Business card system in a sense part of the enterprise network construction, but because of its application particularity, in essence, it is a private network, which is a small LAN. It's only exit is through the link to the bank. From other places there is no way to enter the card system. We recommend using a separate network card. - Upadted: 2/8/2013 - From: GZCTZN.CN - Hits: 2035 - |
The third chapter system security
Safety 1, communication link.
Business card systems in a sense is a part of enterprisenetwork construction, but because of its particularity, in fact it is a special network, which is a small local area network. It is the only outlet to the bank through the link.From other place is in no way into the card system. We recommend the use of independent network card.
The server through the firewall access card network, for each sub system workstation must be authorizationaccess server.
And the Bank of communications, we use the card front-end and bank front line straight not through the switch,and can ensure the reliability and safety of transmission.
2, the security of data communication
In system network communication lines, because thepublic and computer easy operation, the electronicfinancial crime may succeed through the following threemain methods: one is stolen customer savings card PIN;two is forged and tampered with financial transaction information; three is to steal (physical and electronic) key.Therefore, the network data security system must be established to complete, so be sure three give tit for tat of the precautionary principle:
(1) did not allow the PIN code in the lines of communication and computer storage media to beoperated on
(2) for the identification of any transaction information
(3) establish a strict system of key management
For these reasons, we developed the following scheme:
2.1 the specific data packet format
And the bank work together to develop a data message format, regulation between the different meaning between the fields of the message. Even if the data packetinterception, interception is difficult to understand the meaning.
2.2 data communication encryption
In order to guarantee the security of data transmission,we in the communication process, packets of dataencryption. At present, using the DES encryption algorithm. In the system, we set two key, the master keyand key. The key is used for data communication of eachpacket is encrypted, and the master key is used to exchange secret.
Safety 3, business card
3.1 Mifare card itself has high security, has beenaccepted, the card and the reader communication between three transformer enterprises inspectiontechnology, the legitimacy of the card read-write deviceand the mutual business experience, legitimacy is thereader to verify the IC card, IC card to verify the legitimacy reader; Mifare card in the prior to data exchange and reader three mutual authentication, but also in the communication process of RF signal allencryption, to ensure that the data on the card is not illegal modification.
3.2 the authorization to read and write control, the IC cardread-write equipment must first obtain the passwordauthorization before read write system, while the cardinitialization must be by a higher authority cardauthorization, and can only on special authorizationequipment; recharge only special teller card can open,recharge record include the teller card number.
3.3 black and white list validation mechanism. Whetheron-line transaction or offline transactions, will once againproved the effectiveness of cards, to ensure that no danger of anything going wrong.
4 security, database
4.1. using the network database sql-server as businesscard database, by setting different database in differentadministrator access to ensure the security of database.
4.2. on account of key data fields algorithm specific,generate a unique enterprise inspection item, if theaccount is illegal change, the system automatically to freeze the account.
5, the Internet safety cross enterprise zone
Application mechanism of proxy server, security of database security. A workstation as a cardcommunication proxy server, proxy server provides the query interface to the outside, it does not store any data,only accepts the user's query and forwarding the data server, the database server to protect against attack.Such as the WEB search service, multimedia querymachine (Chu Moping), telephone voice query wasrunning on the proxy server.
A special communication software running in the server,the timing for card subsystem and each enterprise zone of exchange data, all communication data packetencryption algorithm and dynamic key encryption andtight exchange mechanism, ensure data security.
6, the system reliability design
6.1. server and workstation can achieve double hot backup
6.2. server and workstation can realize double disk mirroring, and to install antivirus software
Automatic backup of 6.3. server database
6.4. when the card network failure, system workstations can off grid operation
6.5. when the 485 line break, fee charging terminal canrun offline
| Current document: Chapter 3 System Security |
|