Secure smart card system and cryptographic service method thereof

Document No.: 1378820 Publication date: 2020-08-14

Abstract: This technology, "Secure smart card system and cryptographic service method thereof", was designed by 彭金辉, 王阳阳, 雷宗华, 张永安, 马骥 and 王超 on 2020-03-27. The invention provides a secure smart card system and a cryptographic service method thereof. The system comprises an interface module, a controller and a plurality of functional modules. The interface module is electrically connected to the controller and provides a sector read/write interface to the upper computer, so that the upper computer and the controller can exchange data. The controller provides sectors with different functions to receive data packets with different service requirements; each sector corresponds to a designated functional module, and the controller uses the sectors with different functions to distribute the data packets with different service requirements to the designated functional modules. The sectors with different functions are agreed upon jointly by the controller and the upper computer. The plurality of functional modules comprise a security chip and a soft cryptographic module; the security chip is electrically connected to the controller and provides hardware encryption and decryption services, and the soft cryptographic module is installed in the controller and provides software cryptographic services. The secure smart card system of the invention provides high-speed cryptographic services to the upper computer.

1. A secure smart card system, characterized in that the system comprises an interface module, a controller and a plurality of functional modules;

the interface module is electrically connected to the controller and provides a sector read/write interface to the upper computer, so that the upper computer and the controller can exchange data;

the controller provides sectors with different functions to receive data packets with different service requirements; each sector corresponds to a designated functional module, and the controller uses the sectors with different functions to distribute the data packets with different service requirements to the designated functional modules; the sectors with different functions are agreed upon jointly by the controller and the upper computer;

the plurality of functional modules comprise a security chip and a soft cryptographic module, wherein the security chip is electrically connected to the controller and provides hardware cryptographic services, and the soft cryptographic module is installed in the controller and provides software cryptographic services.

2. The secure smart card system according to claim 1, wherein the controller is provided with a first agent program and a second agent program; the sectors with different functions comprise a first sector, a second sector and a third sector;

the first sector reads and writes upgrade data packets to the security chip through the first agent program, so as to upgrade the firmware of the security chip;

the second sector reads and writes encryption and decryption data packets to the security chip through the second agent program, so that the security chip provides hardware cryptographic services;

and the third sector exchanges encryption and decryption data packets directly with the soft cryptographic module, so that the soft cryptographic module provides software cryptographic services.

3. The secure smart card system according to claim 2, wherein

the size of a single upgrade data packet read or written between the upper computer and the first agent program is preset to 1 KB, the size of a single upgrade data packet read or written between the first agent program and the security chip is N bytes, and N is less than or equal to 1024;

the size of a single encryption and decryption data packet read or written between the upper computer and the second agent program, and between the second agent program and the security chip, is an integer multiple of 512 bytes;

the size of a single encryption and decryption data packet read or written between the upper computer and the soft cryptographic module is 2 KB.

4. The secure smart card system of claim 1, further comprising a storage module, the storage module being electrically connected to the controller and used for storing data ciphertext.

5. The secure smart card system of claim 1, wherein the security chip further has an access control function: when a user reads or writes the secure smart card system through the upper computer, the security chip verifies the identity of the user, and the upper computer is allowed to read and write the secure smart card system only after the identity verification succeeds.

6. The secure smart card system of claim 1, wherein the security chip supports a key agreement algorithm, a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and a hash algorithm; the soft cryptographic module supports a symmetric cryptographic algorithm and a hash algorithm.

7. A cryptographic service method applied to the secure smart card system of any one of claims 1 to 6, the method comprising:

the upper computer writes a data packet to be processed into the corresponding sector in the controller through the interface module;

the corresponding sector forwards the data packet to be processed to the corresponding functional module;

the corresponding functional module performs a cryptographic operation on the data packet to be processed and caches the processed data packet;

the upper computer sends a read request to the corresponding sector in the controller through the interface module;

and the corresponding sector reads the data packet processed by the corresponding functional module according to the read request and returns it to the upper computer.

8. The cryptographic service method of claim 7, wherein the forwarding of the data packet to be processed to the corresponding functional module by the corresponding sector specifically includes:

the corresponding sector transmits the data packet to be processed to the agent program;

and the agent program transmits the data packet to be processed to the corresponding functional module.

9. The cryptographic service method of claim 7, wherein after the corresponding sector forwards the data packet to be processed to the corresponding functional module, the method further comprises:

the corresponding functional module performs an encryption operation on the data packet to be processed to generate data ciphertext, and returns the data ciphertext to the controller;

and the controller transmits the data ciphertext to a storage module for ciphertext storage.

10. The cryptographic service method of claim 7, wherein the method further comprises:

the upper computer writes an upgrade data packet into the corresponding sector in the controller through the interface module;

the corresponding sector transmits the upgrade data packet to the security chip;

the security chip receives the upgrade data packet and performs the firmware upgrade;

the upper computer sends a read request to the corresponding sector in the controller through the interface module;

and the corresponding sector reads the firmware upgrade result of the security chip according to the read request and returns the upgrade result to the upper computer.

Technical Field

The invention relates to the technical field of smart cards and security, and in particular to a secure smart card system and a cryptographic service method thereof.

Background

Smart cards include SD cards, TF cards, and the like. Taking the SD card as an example, it is mainly used for storing data and is widely used in portable devices. A conventional SD card mainly includes an interface module, a controller and a storage module; the interface module is connected to the controller, and the controller is connected to the storage module. An upper computer sends read and write commands to the controller through the interface module; the controller writes the corresponding data into the storage module according to a write command and reads the corresponding data from the storage module according to a read command.

A traditional SD card can only receive and store the data written by the upper computer, and the data in the storage module mostly exists as plaintext. Once the SD card is lost, the private data in the storage module can be obtained by others, which does not help the user store data securely.

Meanwhile, as the data volume of information and communication services grows greatly, the security of data must be ensured while the data transmission delay caused by encryption or decryption is kept as small as possible. How to develop a hardware product for high-speed encryption and decryption has therefore become a key technical problem.

Disclosure of Invention

Based on the above, there is a need for a secure smart card system and a cryptographic service method thereof to achieve security protection of user data.

A first aspect of the present invention provides a secure smart card system, the system comprising an interface module, a controller and a plurality of functional modules;

the interface module is electrically connected to the controller and provides a sector read/write interface to the upper computer, so that the upper computer and the controller can exchange data;

the controller provides sectors with different functions to receive data packets with different service requirements; each sector corresponds to a designated functional module, and the controller uses the sectors with different functions to distribute the data packets with different service requirements to the designated functional modules; the sectors with different functions are agreed upon jointly by the controller and the upper computer;

the plurality of functional modules comprise a security chip and a soft cryptographic module, wherein the security chip is electrically connected to the controller and provides hardware cryptographic services, and the soft cryptographic module is installed in the controller and provides software cryptographic services.

Further, the controller is provided with a first agent program and a second agent program; the sectors with different functions respectively comprise a first sector, a second sector and a third sector;

the first sector reads and writes upgrade data packets to the security chip through the first agent program, so as to upgrade the firmware of the security chip;

the second sector reads and writes encryption and decryption data packets to the security chip through the second agent program, so that the security chip provides hardware cryptographic services;

and the third sector exchanges encryption and decryption data packets directly with the soft cryptographic module, so that the soft cryptographic module provides software cryptographic services.

Further, the size of a single upgrade data packet read or written between the upper computer and the first agent program is preset to 1 KB, the size of a single upgrade data packet read or written between the first agent program and the security chip is N bytes, and N is less than or equal to 1024;

the size of a single encryption and decryption data packet read or written between the upper computer and the second agent program, and between the second agent program and the security chip, is an integer multiple of 512 bytes;

the size of a single encryption and decryption data packet read or written between the upper computer and the soft cryptographic module is 2 KB.

Further, the system further comprises a storage module, wherein the storage module is electrically connected to the controller and used for storing the data ciphertext.

Furthermore, the security chip also has an access control function: when a user reads or writes the secure smart card system through the upper computer, the security chip verifies the identity of the user, and the upper computer is allowed to read and write the secure smart card system only after the identity verification succeeds.

Further, the security chip supports a key agreement algorithm, a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and a hash algorithm; the soft cryptographic module supports a symmetric cryptographic algorithm and a hash algorithm.

A second aspect of the present invention further provides a cryptographic service method, which is applied to the secure smart card system and includes:

the upper computer writes a data packet to be processed into the corresponding sector in the controller through the interface module;

the corresponding sector forwards the data packet to be processed to the corresponding functional module;

the corresponding functional module performs a cryptographic operation on the data packet to be processed and caches the processed data packet;

the upper computer sends a read request to the corresponding sector in the controller through the interface module;

and the corresponding sector reads the data packet processed by the corresponding functional module according to the read request and returns it to the upper computer.

Further, the step of transferring the data packet to be processed to the corresponding functional module by the corresponding sector specifically includes:

the corresponding sector transmits the data packet to be processed to the agent program;

and the agent program transmits the data packet to be processed to the corresponding functional module.

Further, after the corresponding sector transfers the data packet to be processed to the corresponding functional module, the method further includes:

the corresponding functional module performs an encryption operation on the data packet to be processed to generate data ciphertext, and returns the data ciphertext to the controller;

and the controller transmits the data ciphertext to a storage module for ciphertext storage.

Further, the method further comprises:

the upper computer writes an upgrade data packet into the corresponding sector in the controller through the interface module;

the corresponding sector transmits the upgrade data packet to the security chip;

the security chip receives the upgrade data packet and performs the firmware upgrade;

the upper computer sends a read request to the corresponding sector in the controller through the interface module;

and the corresponding sector reads the firmware upgrade result of the security chip according to the read request and returns the upgrade result to the upper computer.

The secure smart card system of the invention can encrypt, decrypt and sign data, and provides cryptographic services to the upper computer. The controller of the secure smart card system provides a plurality of sectors to interface with data packets with different service requirements. Compared with a traditional smart card, the invention does not need to parse the whole data packet; it can divide the processing of data packets with different service requirements according to the sector number in the data packet alone, which reduces parsing time and improves processing speed. In addition, the storage module of the secure smart card system stores user data as ciphertext, which effectively prevents others from illegally obtaining the user's data and thereby improves the security of data storage.

Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

Drawings

The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:

FIG. 1 shows a block diagram of a secure smartcard system of the present invention;

FIG. 2 shows a flow chart of a cryptographic service method based on a secure smart card system of the present invention.

Detailed Description

In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.

In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.

Fig. 1 shows a block diagram of a secure smartcard system of the present invention.

As shown in FIG. 1, a first aspect of the present invention provides a secure smart card system, including an interface module, a controller and a plurality of functional modules;

the interface module is electrically connected to the controller and provides a sector read/write interface to the upper computer, so that the upper computer and the controller can exchange data;

the controller provides sectors with different functions to receive data packets with different service requirements; each sector corresponds to a designated functional module, and the controller uses the sectors with different functions to distribute the data packets with different service requirements to the designated functional modules; the sectors with different functions are agreed upon jointly by the controller and the upper computer;

the plurality of functional modules comprise a security chip and a soft cryptographic module, wherein the security chip is electrically connected to the controller and provides hardware cryptographic services, and the soft cryptographic module is installed in the controller and provides software cryptographic services.

Specifically, the hardware cryptographic service includes signing, signature verification, encryption and decryption, random number generation and the like; the software cryptographic service comprises signature, signature verification, encryption and decryption and the like.

Specifically, the interface module may be an EMMC interface, an SD interface, a USB interface, or the like; the controller may be an EMMC controller, an SD controller, a USB controller, or the like.

Specifically, the smart card of the present invention may be an NM card, an SD card, a TF card, etc.; the upper computer of the invention can be a mobile phone, a PC, a PAD and the like.

It should be noted that the sectors in the controller are not actual hardware structures, and the sectors are named as sectors for convenience of understanding only. The sector of the invention can be analogized to a virtual channel, and the function of the sector is mainly to facilitate the efficient and rapid distribution of different data packets sent by an upper computer to a designated functional module.

Specifically, the controller and the upper computer agree on a plurality of sectors in advance, and each sector is numbered. If the upper computer needs the secure smart card system to provide a hardware cryptographic service, it can encapsulate the specific sector number when writing data to the secure smart card system; after the controller receives a data packet carrying that sector number, it can distribute the data packet to the security chip for hardware encryption and decryption.

Further, the controller is provided with a first agent program and a second agent program; the sectors with different functions respectively comprise a first sector, a second sector and a third sector;

the first sector reads and writes upgrade data packets to the security chip through the first agent program, so as to upgrade the firmware of the security chip;

the second sector reads and writes encryption and decryption data packets to the security chip through the second agent program, so that the security chip provides hardware cryptographic services;

and the third sector exchanges encryption and decryption data packets directly with the soft cryptographic module, so that the soft cryptographic module provides software cryptographic services.

Specifically, the controller provides a sector read/write channel for the upper computer and designates 3 specific sectors for three different functions: security chip firmware update, security chip hardware encryption and decryption, and software encryption and decryption. The first sector is responsible for the firmware update of the security chip; the second sector is responsible for providing the hardware encryption and decryption functions of the security chip; the third sector is responsible for providing software encryption and decryption operations.

Further, the size of a single upgrade data packet read or written between the upper computer and the first agent program is preset to 1 KB, the size of a single upgrade data packet read or written between the first agent program and the security chip is N bytes, and N is less than or equal to 1024;

the size of a single encryption and decryption data packet read or written between the upper computer and the second agent program, and between the second agent program and the security chip, is an integer multiple of 512 bytes;

the size of a single encryption and decryption data packet read or written between the upper computer and the soft cryptographic module is 2 KB.

Specifically, according to the boot loader's loading requirements, the size of a single upgrade data packet read or written between the first agent program and the security chip is fixed at 536 bytes, whereas the size of a single upgrade data packet read or written between the first agent program and the upper computer is 1 KB. Therefore, when the first agent program receives a 1 KB upgrade data packet written by the upper computer (the first 536 bytes are valid data and the last 488 bytes are padding), it takes the first 536 bytes of the packet and transmits them to the security chip. When the first agent program receives the 536-byte firmware upgrade check packet fed back by the security chip, it pads the check packet to 1 KB and returns it to the upper computer.

Further, the first agent program and the security chip use the standard SPI communication protocol, and the second agent program and the security chip use a 6-wire SPI communication protocol, but the invention is not limited thereto.

Further, the system further comprises a storage module, wherein the storage module is electrically connected to the controller and used for storing the data ciphertext.

It is understood that the storage module may be Nand Flash memory, Nor Flash memory, DRAM memory, EPROM memory, EEPROM memory, and the like. Preferably, the storage module is a Nand Flash memory, but it is not limited thereto.

Furthermore, the security chip also has an access control function: when a user reads or writes the secure smart card system through the upper computer, the security chip verifies the identity of the user, and the upper computer is allowed to read and write the secure smart card system only after the identity verification succeeds.

Specifically, first identity information is preset in the security chip. When a user reads or writes the secure smart card system through the upper computer, the user is prompted to input second identity information, and the security chip checks whether the second identity information matches the first identity information. If it matches, the upper computer is allowed to read and write the secure smart card system; if it does not match, the upper computer is refused. This effectively prevents unauthorized persons from accessing the secure smart card system under a false identity and further enhances the security and reliability of the secure smart card system.

It should be noted that the identity information described in the present invention may be a password, or may also be biometric information, such as a fingerprint, a human face, an iris, and the like.

Further, the security chip supports a key agreement algorithm, a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and a hash algorithm; the soft cryptographic module supports a symmetric cryptographic algorithm and a hash algorithm.

Specifically, the symmetric cryptographic algorithm includes the DES algorithm, the 3DES algorithm, the AES algorithm, the SM4 algorithm, and the like.

Fig. 2 shows a flow chart of a cryptographic service method based on a secure smart card system of the present invention.

As shown in fig. 2, a second aspect of the present invention provides a cryptographic service method, which is applied to the secure smart card system, and the method includes the following steps:

S201, the upper computer writes a data packet to be processed into the corresponding sector in the controller through the interface module;

S202, the corresponding sector forwards the data packet to be processed to the corresponding functional module;

S203, the corresponding functional module performs a cryptographic operation on the data packet to be processed and caches the processed data packet;

S204, the upper computer sends a read request to the corresponding sector in the controller through the interface module;

S205, the corresponding sector reads the data packet processed by the corresponding functional module according to the read request and returns it to the upper computer.

According to an embodiment of the present invention, the corresponding functional module may be the security chip or the soft cryptographic module, and the corresponding sector is the second sector or the third sector. In practical application, the upper computer generates a data packet to be processed according to service requirements, encapsulates it with the sector number agreed in advance with the controller, and transmits the encapsulated data packet to the interface module. After receiving the data, the interface module parses out the sector number and distributes the data packet according to it. For example, when the sector number is 2, the packet may be assigned to the second sector, and when the sector number is 3, the packet may be assigned to the third sector.

The controller of a traditional smart card does not provide sectors with different functions. After such a controller receives a data packet, it can transmit the packet to the correct functional module only after parsing the whole packet; whole-packet parsing is slow and limits the high-speed processing performance of the smart card. In the invention, the controller and the upper computer agree on several sectors in advance, and each sector corresponds to a functional module. When the upper computer writes a data packet to the secure smart card system, it encapsulates the sector number with it; when the interface module receives the data packet with the sector number, it can quickly parse out the sector number and assign the data packet to the corresponding sector accordingly. The secure smart card system therefore divides the processing of data packets of different services more efficiently and improves processing performance.

Further, the step of transferring the data packet to be processed to the corresponding functional module by the corresponding sector specifically includes:

the corresponding sector transmits the data packet to be processed to the agent program;

and the agent program transmits the data packet to be processed to the corresponding functional module.

In a specific embodiment, when the upper computer writes the second sector, the controller only needs to pass the data, whose length is an integer multiple of 512 bytes, to the second agent program, and the second agent program passes the data unchanged to the security chip. Similarly, when the upper computer reads the second sector, the second agent program reads data whose length is an integer multiple of 512 bytes from the security chip and returns it to the controller, and the controller only needs to pass the data returned by the second agent program unchanged to the upper computer.

In a specific embodiment, when the upper computer writes the third sector, the controller only needs to transmit the 2 KB of data to the soft cryptographic module. Similarly, when the upper computer reads the third sector, the controller only needs to transmit the 2 KB of data returned by the soft cryptographic module to the upper computer.

Further, after the corresponding sector transfers the data packet to be processed to the corresponding functional module, the method further includes:

the corresponding functional module performs an encryption operation on the data packet to be processed to generate data ciphertext, and returns the data ciphertext to the controller;

and the controller transmits the data ciphertext to a storage module for ciphertext storage.

Further, when the upper computer needs to read data from the storage module, it sends a read request to the controller. The controller reads the data ciphertext from the storage module according to the read request, calls the security chip or the soft cryptographic module to decrypt the data ciphertext into data plaintext, and finally returns the data plaintext to the upper computer.

According to an embodiment of the invention, the method further comprises the steps of:

the upper computer writes an upgrade data packet into the corresponding sector in the controller through the interface module;

the corresponding sector transmits the upgrade data packet to the security chip;

the security chip receives the upgrade data packet and performs the firmware upgrade;

the upper computer sends a read request to the corresponding sector in the controller through the interface module;

and the corresponding sector reads the firmware upgrade result of the security chip according to the read request and returns the upgrade result to the upper computer.

According to an embodiment of the present invention, the corresponding sector is the first sector. When the upper computer writes the first sector, the controller only needs to transmit the upgrade data to the first agent program, and the first agent program transmits the first 536 bytes of the upgrade data to the security chip. Similarly, when the upper computer reads the first sector, the first agent program reads the 536-byte upgrade result from the security chip, pads it to 1 KB and returns it to the controller, and the controller only needs to transmit the 1 KB of data returned by the first agent program to the upper computer.

Further, before the upper computer writes a data packet to be processed into a corresponding sector in the controller through the interface module, the method further includes:

prompting a user to input identity information for verification through an upper computer;

and the security chip receives second identity information input by a user, compares the second identity information with pre-stored first identity information, and allows the upper computer to write a data packet to be processed into a corresponding sector in the controller through the interface module after the second identity information is successfully compared with the pre-stored first identity information.

Specifically, the identity information may be a password, biometric information, and the like, and the biometric information may be a face, a fingerprint, an iris, and the like.
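The routing and size rules described above (dispatch by sector number alone, the first agent program's 536-byte / 1 KB conversion, and the identity check before any write) can be sketched in C as follows. This is an added example, not code from the patent; the sector values 1 to 3, the error codes, the function names and the zero-byte padding are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet sizes stated in the description. */
#define HOST_UPGRADE_LEN 1024u /* upper computer <-> first agent program */
#define CHIP_UPGRADE_LEN 536u  /* first agent program <-> security chip */
#define HW_CRYPTO_UNIT   512u  /* second sector: integer multiple of 512 */
#define SW_CRYPTO_LEN    2048u /* third sector: exactly 2 KB */

/* ASSUMPTION: numeric sector values; the text only says they are pre-agreed. */
enum sector { SEC_FW_UPGRADE = 1, SEC_HW_CRYPTO = 2, SEC_SW_CRYPTO = 3 };

/* ASSUMPTION: error codes are illustrative only. */
enum route_err { ERR_DENIED = -1, ERR_SECTOR = -2, ERR_SIZE = -3 };

/* Returns the number of bytes the controller forwards to the functional
 * module bound to `sector`, or a negative route_err. Only the sector number
 * and the length are inspected; the payload itself is never parsed. */
int64_t route_write(int authenticated, uint32_t sector, uint32_t len)
{
    if (!authenticated)          /* identity check by the security chip failed */
        return ERR_DENIED;
    switch (sector) {
    case SEC_FW_UPGRADE:         /* 1 KB in, first 536 bytes go to the chip */
        return len == HOST_UPGRADE_LEN ? (int64_t)CHIP_UPGRADE_LEN : ERR_SIZE;
    case SEC_HW_CRYPTO:          /* passed through unchanged */
        return (len != 0 && len % HW_CRYPTO_UNIT == 0) ? (int64_t)len : ERR_SIZE;
    case SEC_SW_CRYPTO:          /* passed straight to the soft module */
        return len == SW_CRYPTO_LEN ? (int64_t)len : ERR_SIZE;
    default:                     /* sector number that was never agreed */
        return ERR_SECTOR;
    }
}

/* First agent program, host -> chip: keep only the first 536 bytes. */
int agent1_to_chip(const uint8_t *host_pkt, size_t host_len,
                   uint8_t *chip_buf, size_t chip_cap)
{
    if (host_len != HOST_UPGRADE_LEN || chip_cap < CHIP_UPGRADE_LEN)
        return ERR_SIZE;
    memcpy(chip_buf, host_pkt, CHIP_UPGRADE_LEN);
    return (int)CHIP_UPGRADE_LEN;
}

/* First agent program, chip -> host: pad the 536-byte result to 1 KB.
 * ASSUMPTION: zero fill; the text does not state the padding value. */
int agent1_to_host(const uint8_t *chip_pkt, size_t chip_len,
                   uint8_t *host_buf, size_t host_cap)
{
    if (chip_len != CHIP_UPGRADE_LEN || host_cap < HOST_UPGRADE_LEN)
        return ERR_SIZE;
    memcpy(host_buf, chip_pkt, CHIP_UPGRADE_LEN);
    memset(host_buf + CHIP_UPGRADE_LEN, 0, HOST_UPGRADE_LEN - CHIP_UPGRADE_LEN);
    return (int)HOST_UPGRADE_LEN;
}

/* Constructed sample: a 1 KB upgrade packet with 536 payload bytes and
 * 488 filler bytes. Returns 1 when trimming and padding behave as described. */
int agent1_roundtrip_ok(void)
{
    uint8_t host[HOST_UPGRADE_LEN], chip[CHIP_UPGRADE_LEN], back[HOST_UPGRADE_LEN];
    size_t i;

    for (i = 0; i < HOST_UPGRADE_LEN; i++)
        host[i] = i < CHIP_UPGRADE_LEN ? (uint8_t)(i & 0xff) : 0xEE;
    if (agent1_to_chip(host, sizeof host, chip, sizeof chip) != (int)CHIP_UPGRADE_LEN)
        return 0;
    if (agent1_to_host(chip, sizeof chip, back, sizeof back) != (int)HOST_UPGRADE_LEN)
        return 0;
    if (memcmp(back, host, CHIP_UPGRADE_LEN) != 0)
        return 0;
    for (i = CHIP_UPGRADE_LEN; i < HOST_UPGRADE_LEN; i++)
        if (back[i] != 0)        /* host filler (0xEE) must not be echoed back */
            return 0;
    return 1;
}

int main(void)
{
    printf("sector 2, 1536 B -> %lld\n", (long long)route_write(1, SEC_HW_CRYPTO, 1536));
    printf("sector 2, 1000 B -> %lld\n", (long long)route_write(1, SEC_HW_CRYPTO, 1000));
    printf("sector 1, 1024 B -> %lld\n", (long long)route_write(1, SEC_FW_UPGRADE, 1024));
    printf("unauthenticated  -> %lld\n", (long long)route_write(0, SEC_SW_CRYPTO, 2048));
    printf("first agent round trip ok: %d\n", agent1_roundtrip_ok());
    return 0;
}
```

Rejecting lengths that do not match a sector's agreed size keeps a malformed write from reaching the security chip or the soft cryptographic module, which matters most on the first sector because that path feeds the chip's boot loader.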

The secure smart card system of the invention can encrypt, decrypt and sign data, and provides cryptographic services to the upper computer. The controller of the secure smart card system provides a plurality of sectors to interface with data packets with different service requirements. Compared with a traditional smart card, the invention does not need to parse the whole data packet; it can divide the processing of data packets with different service requirements according to the sector number in the data packet alone, which reduces parsing time and improves processing speed. In addition, the storage module of the secure smart card system stores user data as ciphertext, which effectively prevents others from illegally obtaining the user's data and thereby improves the security of data storage.

The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
