WO2013139194A1 - Financial pos system capable of resisting channel trojan attack and anti-attack implementation method thereof - Google Patents

Financial pos system capable of resisting channel trojan attack and anti-attack implementation method thereof Download PDF

Info

Publication number
WO2013139194A1
Authority
WO
WIPO (PCT)
Prior art keywords
card
key
card box
box
trust management
Prior art date
Application number
PCT/CN2013/071890
Other languages
French (fr)
Chinese (zh)
Inventor
邹候文
唐韶华
唐春明
张世渡
苏胡双
Original Assignee
广州大学
华南理工大学
深圳视融达科技有限公司
Application filed by 广州大学, 华南理工大学, 深圳视融达科技有限公司
Publication of WO2013139194A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the invention relates to the application field of cryptographic chips used for confidentiality and authentication in information security, in particular to a financial POS system resistant to channel Trojan attacks and an anti-attack implementation method.
  • Background art
  • EMV is a bank IC card specification jointly developed by Europay, MasterCard and VISA.
  • EMV migration refers to the transfer of bank cards from magnetic stripe cards to integrated circuit (IC) cards. The purpose of EMV migration is to replace magnetic stripe cards with IC cards to prevent financial crimes such as using fake credit cards, credit card fraud, and cross-border financial fraud.
  • in the "mafia problem", A and D are unable to detect the impersonation carried out by the two intermediaries (the full scenario is given in the Description).
  • in the "passport rental problem", B cannot obtain a pass to a place she wants to visit. A plans to commit a crime and wants an alibi, so A offers to rent her passport to B. Using a method similar to the "mafia problem", B travels to that place under A's passport while A commits the crime and obtains her alibi.
  • Drimer et al., in the article "Keep your enemies close: Distance bounding against smartcard relay attacks", attack EMV cards using the "mafia problem", as shown in Figure 1.
  • Drimer et al.'s attack experiment does not depend on the cryptographic security protocol (a cryptographic protocol alone is not sufficient to resist such an attack). Its limitations are that the mafia member holding the POS terminal exposes himself, and that there is a time-synchronisation problem. Drimer et al. propose an "electronic attorney" or "distance bounding" to resist this attack.
  • Murdoch, S. et al., in the article "Chip and PIN is Broken", gave an attack on the EMV card-and-PIN protocol, as shown in Figure 2.
  • the method used in Murdoch, S. et al.'s attack experiment resembles the "chess grandmaster problem", but instead of simply forwarding messages it intercepts and inserts a message at a key step of the EMV protocol; with this method, an attacker who seizes or steals an EMV card can use the card before the cardholder's loss report takes effect.
  • the article suggests a cryptographic security protocol to resist this man-in-the-middle attack.
  • PCI-DSS: Payment Card Industry Data Security Standard
  • PCI-DSS is a security standard developed by the founding members of the PCI Security Standards Council (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to encourage international adoption of consistent data security measures.
  • its purpose is to keep the cardholder's credit and debit card information secure.
  • the channel refers to the transmission channel of a signal.
  • a Trojan is a covert, latent malicious function module that can be controlled over a remote network.
  • a channel Trojan is a malicious function module lurking covertly on the signal transmission path; it can forward, tamper with, insert, replay, intercept and leak messages.
  • the attacker holds a legitimate EMV card A and a card reader B.
  • the attacking partner holds a fake card C that can communicate with B and behave as the attacker's EMV card.
  • the attacking partner uses the fake card to shop at a store in city G and swipes it at POS terminal D.
  • the attacking partner successfully takes the goods.
  • once the attacker is convinced that the partner has left safely, he falsely reports to the police that his card was stolen; since the attacker has an alibi, he can file a chargeback with the bank.
  • the experimental method of this attack is the same as that of Drimer et al.
  • the bank should reject this attacker's chargeback request.
  • the attacker inserts a channel Trojan in advance on the channels between the EMV card, the display, the keyboard and the printer of the POS terminals of store B in city G and store B in city H.
  • attacker A takes 20,000 yuan of goods;
  • another cardholder takes 100 yuan of goods.
  • this attack also has a time-synchronisation problem.
  • the cardholder's chargeback is a legitimate claim and should be supported. If the bank supports the chargeback, the merchant loses; otherwise the cardholder loses. In either case the attacker profits, and the cardholder is attacked through no fault of his own.
  • the attacker forges a POS terminal B whose IC card slot is connected by wire C to the card slot of a legitimate POS terminal D. A cardholder shopping at the attacker's store plays role A in the "mafia problem": since A does not see the legitimate POS terminal D, and the amount actually charged is determined by D, the attacker can set the charged amount arbitrarily.
  • the merchant who initiates the attack inserts a channel Trojan in POS terminal B of his own store, and also inserts a channel Trojan in advance in POS terminal D of the attacked merchant in city H.
  • cardholder A swipes the card at POS terminal B (100 yuan), and cardholder C swipes the card at POS terminal D (20,000 yuan).
  • the attack succeeds in a similar way to attack example 2.
  • this attack does not affect the two cardholders:
  • the amount charged to each cardholder equals the value of their goods, but the attacking merchant is paid 20,000 yuan for goods worth 100 yuan, while the attacked merchant hands over goods worth 20,000 yuan but receives only 100 yuan.
  • the cardholders of Examples 1, 2 and 3 all file a chargeback application with the bank.
  • the chargeback of Example 1 is fraudulent and should be rejected.
  • the chargeback requests of Examples 2 and 3 are legitimate, but existing European and American bank card technology cannot distinguish the chargeback that should be rejected from those that should be supported.
  • SCA (side-channel attack, rendered "bypass attack" in the machine translation)
  • SCA uses the various physical information leaked by a chip to efficiently recover the key inside the cryptographic chip. This is a channel leaking key information, but the leak is natural rather than artificially introduced.
  • the equipment required for SCA is easy to obtain, and the attack leaves no traces.
  • SCA has broken a large number of smart cards, cryptographic chips and cryptosystems, including implementations of the current mainstream computationally secure algorithms AES, IDEA, 3DES, RSA and ECC.
  • existing methods of resisting side-channel attacks include hiding, masking and leakage-resilient provable security.
  • hiding effectively increases the attacker's difficulty but cannot prove its security; an n-th order mask cannot resist an (n+1)-th order differential attack; and the existing leakage-resilient schemes are in practice equivalent to a one-time pad. Therefore the current practical SCA countermeasures are far from the cryptographic "security" goal.
  • N-time key scheme to resist side-channel attacks: assume a side-channel attack requires M sets of leakage information about a key to break the system. If each key is used fewer than N times and N < M, a side-channel attack that requires M sets of key leakage information cannot break a system based on the N-time key scheme. By adopting appropriate hiding measures, M can be increased effectively at a modest cost in speed, area and power consumption.
  • the cryptographic logic dynamically takes the key sequence number as input and invokes the key extraction process to extract the key from the physical unclonable module.
  • a cryptographic chip containing such cryptographic logic presents a physically unclonable problem to a physical intruder: the intruder must bypass the sensitive circuit of the physical unclonable module surrounding the cryptographic logic without damaging that sensitive circuit.
  • a bank card system should at least protect the interests of cardholders and merchants: a cardholder or merchant who is not at fault should not be attacked. In attack examples 2 and 3 above, the cardholder is not at fault but is attacked. Once attack examples 1 and 4 are also taken into account, the existing bank card system cannot distinguish who should bear the responsibility.
  • Another object of the present invention is to provide an anti-attack implementation method for a financial POS system based on the above-mentioned anti-channel Trojan attack.
  • the invention relates to a financial POS system against channel Trojan attacks, which comprises a POS motherboard, an IC card box, a PIN pad, a user PIN disk, a nonvolatile memory, an IC card and a trust management party; the IC card box is connected to the POS motherboard, the PIN pad is connected to the IC card box, the POS motherboard is connected to the trust management party through an I/O interface, and the IC card is connected to the trust management party through the IC card box;
  • the PIN pad is configured to receive a user PIN code
  • the user PIN disk is used to display the transaction amount and receive the user PIN password
  • the nonvolatile memory is configured to store an authorization credential of the transaction
  • the IC card box, the PIN pad, the user PIN disk, and the IC card are all provided with a cryptographic chip;
  • the inner and outer layers of the sealed shielding box are each covered with a sensitive circuit layer;
  • the cryptographic chip of the IC card box is disposed between the inner and outer sensitive circuit layers, and the external contact interface and the external contactless interface are outside the outer layer;
  • the internal contact interface and the internal contactless interface are within the inner sensitive circuit layer; when the sealed screen door of the IC card box is opened, the sensitive circuit is cut off, and when the sealed screen door is closed, the sensitive circuit is connected.
  • the sensitive circuit layer is composed of the sensitive circuit of a physical unclonable module.
  • the cryptographic chip is provided with a physical unclonable module and a cryptographic processor IP core; the sensitive circuit of the physical unclonable module surrounds the periphery of the cryptographic processor IP core to form a cage structure; the key sequence numbers that the cryptographic processor IP core needs to reuse are stored in the non-volatile memory of the cryptographic chip, and the key is extracted from the physical unclonable module with the key sequence number as input when needed.
  • the invention provides a method for implementing anti-attack of a financial POS system against channel Trojan attack, and the specific steps are as follows:
  • the trust management party writes the initial symmetric key sequence number, the initial asymmetric key sequence number and the number of times each key sequence number may be used into the cryptographic chips of the IC card box, the PIN pad, the user PIN disk and the IC card;
  • the cryptographic chip uses the initial symmetric key sequence number as input to extract the initial symmetric key from the physical unclonable module, and sends the extracted initial symmetric key back to the trust management party;
  • the cryptographic chip uses the initial asymmetric key sequence number as input to extract the initial private key from the physical unclonable module, computes the corresponding initial public key and sends it to the trust management party.
  • the trust management party signs a digital certificate for the initial public key and sends it back to the cryptographic chip.
  • the trust management party sends its own public key to the cryptographic chips in the IC card box, the PIN pad, the user PIN disk and the IC card; the trust management party receives and stores the cardholder's PIN code;
  • the cardholder inserts the IC card into the IC card box and closes its sealed screen door, so that the sealed shielding box shields the IC card and the IC card can communicate with devices outside the box only through the communication line between the inside and outside of the box; in addition, once the sealed screen door is closed, the sensitive circuit of the physical unclonable module on the IC card box is connected, so that the cryptographic chip of the IC card box can extract keys from the physical unclonable module.
  • each time the cryptographic chip uses the key shared with the trust management party or its own private key, it extracts that key from the physical unclonable module using the symmetric key sequence number or the asymmetric key sequence number respectively; after each use of a key sequence number, the cryptographic chip increments that sequence number's use count. When the use count reaches its limit, the cryptographic chip updates the key sequence number, takes the new key sequence number as input and extracts the corresponding new key from the physical unclonable module. For a new key corresponding to a symmetric key sequence number, the cryptographic chip encrypts the new key and the new key sequence number with the old key and sends them to the trust management party.
  • for a private key corresponding to an asymmetric key sequence number, the cryptographic chip sends the public key corresponding to the new private key together with its key sequence number to the trust management party, which signs a digital certificate for the public key and sends it back to the cryptographic chip.
  • the initialization further comprises setting a help PIN code, which is used in an emergency: when the cardholder enters the help PIN code during a transaction, the trust management party completes all the same processing as for the normal PIN code and, in addition, asks the police for help on the cardholder's behalf.
  • the IC card sends the card number to the IC card box;
  • the IC card box sends the IC card number and the IC card box number to the trust management party;
  • step (28) is:
  • the present invention resists the attacks described in the four channel Trojan attack examples, which are based on the channel vulnerabilities we identified; existing bank card technology does not resist these four attacks.
  • attack examples 1, 2 and 4 all depend on wireless communication (a subliminal channel); otherwise the merchant would notice the attack.
  • the IC card box with the shielding function must have its screen door closed for the transaction to proceed; once the screen door is closed, the IC card inside cannot exchange information with the outside through wireless communication, so the attacks of examples 1, 2 and 4 cannot be carried out.
  • in attack example 3, when the cardholder enters the PIN code using the private user PIN disk, the cardholder checks the transaction amount beforehand, so the merchant cannot tamper with it and the attack of example 3 is invalid.
  • IC card robbery refers to criminals who hijack a cardholder, force him to reveal the PIN code, and then withdraw money with his IC card. Since it is difficult for the criminals to tell whether the cardholder has given the normal PIN code or the help PIN code, the trust management party can notify the police in time when the criminals use the cardholder's PIN to withdraw money.
  • the background trust management party can monitor key usage through the transaction records. Because the number of uses is limited, an attacker can collect at most N sets of leakage information for the same key. If a new side-channel attack needs M sets of leakage information to break the system and N > M, the attacker can break the system. Once this happens, the background trust management party sets each key to be used at most L times with L < M, so the attacker can collect only L sets of leakage and the new side-channel attack that needs M sets becomes ineffective.
  • the delay circuit of the physical unclonable module covers the periphery of the cryptographic processor IP core (and also the inner and outer layers of the IC card box's shielding enclosure). An attacker who wants to obtain the key through a physical intrusion attack must bypass the sensitive circuit without damaging it before a probing attack can succeed. This is the "hard problem" we set, and it is the security foundation of the system we designed.
  • inserting Hamming-distance interference into the cryptographic processor IP core costs little, but it effectively increases the difficulty of building a Hamming model for passive side-channel attacks such as power/electromagnetic analysis, and greatly increases the number of leakage samples the attack needs to collect.
  • the trust management party limits the number of times each key is used, and forces an update after the specified number of uses.
  • the PUF delay circuit covering the periphery of the processor IP core effectively increases the attack cost for active side-channel attackers such as fault injection.
  • the financial POS system's resistance to channel Trojan attacks requires a new cryptographic chip based on the physically unclonable problem.
  • an IC card box that complies with the protocol, is tamper-resistant and can shield the subliminal channel, and an IC card that complies with the protocol.
  • a cardholder-private user PIN disk that is tamper-proof and can display the transaction amount.
  • Figure 2 is a schematic diagram of the EMV protocol man-in-the-middle attack of Murdoch, S. et al.;
  • FIG. 3 is a schematic diagram of a card attacker attacking a merchant (channel Trojan attack example 1);
  • FIG. 4 is a schematic diagram of a cardholder attacking a cardholder (channel Trojan attack example 2);
  • FIG. 5 is a schematic diagram of a merchant attacking a cardholder (channel Trojan attack example 3);
  • FIG. 6 is a schematic diagram of a merchant attacking a merchant (channel Trojan attack example 4);
  • Figure 7 is a schematic structural diagram of the financial POS system against channel Trojan attacks of the present invention;
  • Figure 8 is a schematic diagram of the dual-arbiter physical unclonable module (DAPUF);
  • Figure 10 is a flow chart of key reconstruction of the DAPUF.
  • a financial POS system against channel Trojan attacks includes a POS motherboard, an IC card box, a PIN pad, a user PIN disk, a nonvolatile memory, an IC card, and a trust management party.
  • the IC card box is connected to the POS motherboard, and the PIN pad is connected to the IC card box.
  • the POS board is connected to the trust management party through an I/O interface, and the IC card is connected to the trust management party through the IC card box.
  • the PIN pad is configured to receive a user PIN code
  • the user PIN disk is used to display the transaction amount and receive the user PIN password
  • the nonvolatile memory is configured to store an authorization credential of the transaction
  • the IC card box, the PIN pad, the user PIN disk, and the IC card are all provided with a cryptographic chip;
  • the trust management party shares a key with an IC card box, a PIN pad, a user PIN disk, and an IC card, respectively.
  • the IC card box comprises an external contact interface, an external contactless interface, an internal contact interface, an internal contactless interface and a sealed shielding box; the sealed shielding box is provided with a communication line between the inside and outside of the box and an opening for inserting the IC card;
  • a sealed screen door that can be opened and closed is provided at the opening, and the door is sealed with a contact point.
  • the inner and outer layers of the sealed shielding box are each covered with a sensitive circuit layer, composed of the sensitive circuit of a physical unclonable module; the cryptographic chip of the IC card box is disposed between the inner and outer sensitive circuit layers; the external contact interface and the external contactless interface are outside the outer sensitive circuit layer, and the internal contact interface and the internal contactless interface are within the inner sensitive circuit layer; when the sealed screen door of the IC card box is opened the sensitive circuit is cut off, and when it is closed the sensitive circuit is connected.
  • the cryptographic chip is provided with a physical unclonable module and a cryptographic processor IP core; the sensitive circuit of the physical unclonable module surrounds the periphery of the cryptographic processor IP core to form a cage structure; the key sequence numbers that the cryptographic processor IP core needs to reuse are stored in the non-volatile memory of the cryptographic chip, and the key is extracted from the physical unclonable module with the key sequence number as input when needed.
  • the physical unclonable module may be a dual-arbiter physical unclonable module (DAPUF), as shown in FIG. 8;
  • at each stage the two signals are either passed straight through or crossed over;
  • the upper and lower signals are sent directly to the positive arbiter and crossed over to the inverse arbiter; each arbiter outputs the order in which the upper and lower signals arrive: if the first path arrives first the output is 1, otherwise the output is 0.
  • the cryptographic processor IP core executes a custom instruction set tailored to the cryptographic operation; taking the Rainbow signature and verification requirements of the multivariate public key cryptosystem (MPKC) as an example, the instruction set shown in Table 1 and the instruction decoding table shown in Table 2 can be customised.
  • RAN Rd: generates a random number and writes it to Rd.
  • LW Rt, Rs, Radr: loads the contents of the storage unit or I/O port at address Rs+Radr into Rt.
  • SW Rt, Rs, Radr: stores the contents of Rt into the storage unit or I/O port at address Rs+Radr.
  • each instruction is completed in one clock cycle, and each clock cycle is divided into five stages: instruction fetch, decode, control, execution, and write back.
  • the MPKC Rainbow Processor IP core uses 16-bit data channels and 32 general-purpose registers, occupying 1261 ALUTs and 539 dedicated logic registers in Altera's EP2S series FPGAs.
  • the signature algorithm program occupies 2216 bytes of space ( 554 * 4) and consumes 405392 clock cycles.
  • MPKC's Rainbow signature and verification require an instruction set of 11 instructions, but apart from the field multiplication GFM and the field inversion GFI, which are dedicated MPKC instructions, the other instructions are general instructions that can be used directly by other algorithms and general control programs. With proper processing, the gates consumed by GFI can even be shared with the inversion of the AES algorithm.
  • the cryptographic processor IP core inserts Hamming-distance interference in the five stages of the data path of each instruction cycle, so that the Hamming distance of each instruction stage is kept constant, thereby effectively eliminating the processor's power-consumption leakage.
  • the user PIN disk is private to the user; it includes a contact interface, a contactless interface, a keyboard and a display. The contact interface can be connected to the external contact interface of the IC card box, and the contactless interface can be connected to the external contactless interface of the IC card box.
  • this embodiment is based on the anti-attack implementation method of the above financial POS system against channel Trojan attacks; the specific steps are as follows:
  • the trust management party writes the initial symmetric key sequence number, the initial asymmetric key sequence number and the number of times each key sequence number may be used into the cryptographic chips of the IC card box, the PIN pad, the user PIN disk and the IC card;
  • the cryptographic chip uses the initial symmetric key sequence number as input to extract the initial symmetric key from the physical unclonable module, and sends the extracted initial symmetric key back to the trust management party;
  • the cryptographic chip uses the initial asymmetric key sequence number as input to extract the initial private key from the physical unclonable module, computes the corresponding initial public key and sends it to the trust management party.
  • the trust management party signs a digital certificate for the initial public key and sends it back to the cryptographic chip.
  • the trust management party sends its own public key to the cryptographic chips of the IC card box, the PIN pad, the user PIN disk and the IC card.
  • the cardholder can also set a help PIN code.
  • the cardholder inserts the IC card into the IC card box and closes its sealed screen door, so that the sealed shielding box shields the IC card and the IC card can communicate with devices outside the box only through the communication line between the inside and outside of the box; in addition, once the sealed screen door is closed, the sensitive circuit of the physical unclonable module on the IC card box is connected, so that the cryptographic chip of the IC card box can extract from the physical unclonable module the key shared with the trust management party and its own private key;
  • each time the cryptographic chip uses the key shared with the trust management party or its own private key, it extracts that key from the physical unclonable module using the symmetric key sequence number or the asymmetric key sequence number respectively; after each use of a key sequence number, the cryptographic chip increments that sequence number's use count. When the use count reaches its limit, the cryptographic chip updates the key sequence number, takes the new key sequence number as input and extracts the corresponding new key from the physical unclonable module. For a new key corresponding to a symmetric key sequence number, the cryptographic chip encrypts the new key and the new key sequence number with the old key and sends them to the trust management party.
  • for a private key corresponding to an asymmetric key sequence number, the cryptographic chip sends the public key corresponding to the new private key together with its key sequence number to the trust management party, which signs a digital certificate for the public key and sends it back to the cryptographic chip.
  • the help PIN code set during initialization is used in an emergency: the trust management party completes all the same processing as for the normal PIN code and, in addition, asks the police for help on the cardholder's behalf.
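The key-use counting and forced key update described in the steps above, together with the trust management party's monitoring of how often each key sequence number has been used, as an added Python simulation (not code from the patent). The physical unclonable module is replaced by an HMAC stand-in keyed with a per-chip secret, and the update message layout (sequence number, new key XOR-encrypted under a keystream from the old key, MAC under the old key) is an assumed construction, since the patent only states that the new key and sequence number are encrypted with the old key.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256, used both as keystream generator and as message authenticator."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedPUF:
    """Stand-in for the physical unclonable module (assumption: a real PUF derives
    the key from manufacturing variation; here a per-chip secret plays that role)."""

    def __init__(self, chip_secret: bytes) -> None:
        self._secret = chip_secret

    def extract(self, seq_no: int) -> bytes:
        # Only the key sequence number is kept in NVM; the key itself is re-derived
        # on every use and never stored.
        return mac(self._secret, b"puf" + seq_no.to_bytes(4, "big"))


class TrustManager:
    """Background trust management party: holds the shared key per chip and counts
    how often each key sequence number has been seen in transaction records."""

    def __init__(self) -> None:
        self.keys: dict[str, tuple[int, bytes]] = {}
        self.uses_seen: dict[tuple[str, int], int] = {}

    def enroll(self, chip_id: str, seq_no: int, key: bytes) -> None:
        self.keys[chip_id] = (seq_no, key)          # initialisation step

    def verify(self, chip_id: str, seq_no: int, msg: bytes, tag: bytes) -> bool:
        cur_seq, key = self.keys[chip_id]
        if seq_no != cur_seq or not hmac.compare_digest(mac(key, msg), tag):
            return False
        self.uses_seen[(chip_id, seq_no)] = self.uses_seen.get((chip_id, seq_no), 0) + 1
        return True

    def receive_update(self, chip_id: str, seq_bytes: bytes, ct: bytes, tag: bytes) -> bool:
        """Accept 'new key + new sequence number, encrypted under the old key'."""
        old_seq, old_key = self.keys[chip_id]
        new_seq = int.from_bytes(seq_bytes, "big")
        if new_seq != old_seq + 1:                  # replayed or out-of-order update
            return False
        if not hmac.compare_digest(mac(old_key, b"upd" + seq_bytes + ct), tag):
            return False
        new_key = xor(ct, mac(old_key, b"enc" + seq_bytes))
        self.keys[chip_id] = (new_seq, new_key)
        return True

    def max_uses(self, chip_id: str) -> int:
        """Largest number of uses any single key of this chip has reached (the N the
        trust manager monitors and may lower to L when a new attack appears)."""
        return max((n for (c, _), n in self.uses_seen.items() if c == chip_id), default=0)


@dataclass
class CryptoChip:
    chip_id: str
    puf: SimulatedPUF
    limit: int                 # N: permitted uses per key sequence number
    seq_no: int = 0
    uses: int = 0
    last_update: tuple = field(default=())

    def current_key(self) -> bytes:
        return self.puf.extract(self.seq_no)

    def rotate(self, tm: TrustManager) -> None:
        old_key = self.current_key()
        new_seq = self.seq_no + 1
        new_key = self.puf.extract(new_seq)
        seq_bytes = new_seq.to_bytes(4, "big")
        ct = xor(new_key, mac(old_key, b"enc" + seq_bytes))   # encrypt under old key
        tag = mac(old_key, b"upd" + seq_bytes + ct)
        self.last_update = (seq_bytes, ct, tag)
        if not tm.receive_update(self.chip_id, seq_bytes, ct, tag):
            raise RuntimeError("trust management party rejected key update")
        self.seq_no, self.uses = new_seq, 0

    def use_key(self, tm: TrustManager, msg: bytes) -> tuple[int, bytes]:
        """Authenticate msg under the current key, rotating first if it is exhausted."""
        if self.uses >= self.limit:
            self.rotate(tm)
        self.uses += 1
        return self.seq_no, mac(self.current_key(), msg)


def run_demo(limit: int = 3, n_messages: int = 10) -> dict:
    tm = TrustManager()
    chip = CryptoChip("ICBOX-0001", SimulatedPUF(b"constructed chip secret"), limit)
    tm.enroll(chip.chip_id, chip.seq_no, chip.current_key())
    ok = []
    for i in range(n_messages):
        msg = f"transaction {i}: amount 100".encode()           # constructed sample
        seq, tag = chip.use_key(tm, msg)
        ok.append(tm.verify(chip.chip_id, seq, msg, tag))
    replay_rejected = not tm.receive_update(chip.chip_id, *chip.last_update)
    return {"all_verified": all(ok), "final_seq": chip.seq_no,
            "max_uses_per_key": tm.max_uses(chip.chip_id),
            "replay_rejected": replay_rejected}
```

With a limit of 3 uses and 10 transactions the chip rotates three times, no key is ever seen more than 3 times by the trust manager, and a replayed update message is refused.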
  • the transaction process includes the following steps:
  • the IC card sends the card number to the IC card box;
  • the IC card box sends M1, M11, M2, M21 to the trust management party; the trust management party checks and verifies the validity of M11 and M21, and terminates on error;
  • the IC card box acts according to the value of M32:
  • the IC card box and the IC card each increment their own transaction serial number; the IC card box requests from the IC card a credential for opening the IC card box's screen door, and on receiving the response saves M5 and M51 to the non-volatile memory of the POS system and opens the screen door; the POS system prints the receipt, which includes the IC card box number, IC card box key sequence number, IC card box transaction serial number, IC card number, IC card key sequence number, IC card transaction serial number, transaction amount, date and time; after the cardholder signs the receipt and the merchant representative signs and stamps it, the cardholder keeps the stamped copy and the merchant submits the signed copy to the acquiring bank.
  • after verifying it, the acquiring bank submits an application to the issuing bank.
  • the issuing bank will transfer the transaction amount from the cardholder's account to the merchant's designated account and end the transaction process.

Abstract

Disclosed are a financial POS system capable of resisting a channel Trojan attack and an anti-attack implementation method thereof. The system comprises a POS mainboard, an IC card box, a password keyboard, a user PIN disk, a nonvolatile memory, an IC card, and a trust management party. The IC card box is connected to the POS mainboard, the password keyboard is connected to the IC card box, the POS mainboard is connected to the trust management party through an I/O interface, and the IC card is connected to the trust management party through the IC card box. In the present invention, under a condition that a subliminal channel can be reliably shielded on a POS terminal of a dealer and a card holder uses a private user PIN disk to confirm a transaction amount and input a PIN password, the dealer and the card holder can avoid the attack of the channel Trojan.

Description

抗信道木马攻击的金融 P0S系统及其抗攻击的实现方法 技术领域  Financial P0S system against channel Trojan attack and its anti-attack implementation method
本发明涉及信息安全中用于保密和认证的密码芯片的应用领域, 特别涉及一种 抗信道木马攻击的金融 P0S系统及抗攻击的实现方法。 背景技术  The invention relates to the application field of a cipher chip for security and authentication in information security, in particular to a financial POS system against channel Trojan attack and an anti-attack implementation method. Background technique
以密码芯片为核心的 IC卡已经广泛应用于金融、 电信、 交通、 公共事业、 政府 部门、 国防和军队等各个领域。 EMV是 Europay、 MasterCard、 VISA三大国际银行 卡组织共同制定的银行 IC卡规范, EMV迁移是指银行卡由磁条卡向集成电路 (IC) 卡转移。 EMV迁移的目的是用 IC卡替换磁条卡, 以防范制作使用假信用卡、 信用 卡欺诈、 跨国金融诈骗等金融犯罪。  IC cards based on crypto chips have been widely used in finance, telecommunications, transportation, public utilities, government, defense, and military. EMV is a bank IC card specification jointly developed by Europay, MasterCard and VISA. EMV migration refers to the transfer of bank cards from magnetic stripe cards to integrated circuit (IC) cards. The purpose of EMV migration is to replace magnetic stripe cards with IC cards to prevent financial crimes such as using fake credit cards, credit card fraud, and cross-border financial fraud.
To frame the discussion of bank card security, consider three classic problems first:

1) The Chess Grandmaster problem:

In 1976, J. H. Conway described in his monograph On Numbers and Games how B, who cannot play chess, plays simultaneously against two grandmasters A and C. On board one A plays black against B; on board two B plays black against C. B waits for A, playing black on board one, to move first, then makes A's move on board two; after C replies on board two, B copies C's move on board one. Continuing in this way, the two games are move-for-move identical, and the result is that either B wins one of the games or both are drawn.

The method of the Chess Grandmaster problem gives rise to the mafia fraud problem and the passport-renting (terrorist fraud) problem. In 1988, Yvo Desmedt et al. described these problems in Special uses and abuses of the Fiat-Shamir passport protocol.

2) Mafia fraud:

A is staying at a hotel run by B, a mafioso; C is a member of the mafia and D is a jeweller. B and C can communicate over a wireless channel, and C's identification card can communicate with B's equipment over a wireless channel. A and D will not notice the following impersonation:

When A checks out, B tells C to begin the fraud. C picks out jewellery at D's shop and goes to pay, and D checks C's identification card. During the check B and C act as a relay between A and D, passing every challenge and response between A and D. The result is that B waives A's hotel bill while A pays for C's jewellery.

3) Passport renting / terrorist fraud:

B cannot obtain a pass to the destination but very much wants to go there. A plans to commit a crime and wants an alibi, so she suggests that B rent her passport. By a method like that of the mafia fraud, B reaches the destination while A commits the crime and obtains her alibi.

In 1990, Thomas Beth et al., in Identification tokens - or: Solving the Chess Grandmaster Problem, showed that under a game-theoretic model there is no general solution to the secure identification problem: any solution must rely on a concrete model, and every proposed solution to the mafia fraud can in theory be extended to the passport-renting problem. Their conclusion is a warning that solutions to the Chess Grandmaster problem and its derivatives must be discussed in the context of a specific application, and that one should not attempt to find a general solution. The paper also points out that embedding the prover's security protocol in a tamper-resistant system and forcing the prover to follow the protocol effectively solves the mafia fraud and terrorist fraud problems.
In 2007, Drimer et al., in Keep your enemies close: Distance bounding against smartcard relay attacks, used the mafia fraud method to attack EMV cards, as shown in Figure 1. Their attack is independent of the cryptographic security protocol (cryptographic security protocols alone are insufficient to resist it); its limitations are that the mafioso holding the POS terminal exposes himself and that there is a timing synchronisation problem. The paper proposes an "electronic attorney" or distance bounding to resist the attack. By 2010 more than 730 million EMV bank cards had been issued worldwide, and Murdoch, S. et al., in Chip and PIN is Broken, gave a protocol-level man-in-the-middle attack on EMV cards and PINs, as shown in Figure 2. Their method resembles that of the Chess Grandmaster problem, but instead of simply relaying messages it intercepts and inserts a message at a critical step of the EMV protocol; with it, an attacker who finds or steals an EMV card can make fraudulent purchases before the cardholder's loss report takes effect. That paper suggests resisting the man-in-the-middle attack with cryptographic security protocols.

In view of the weaknesses of the EMV protocol, international bank card protocols have begun to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a security standard formulated by the founding members of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to encourage consistent data security measures internationally; its aim is to keep cardholders' credit and debit card information secure.
Through study of existing EMV financial POS systems we simplified, summarised and generalised the methods of the Chess Grandmaster, mafia fraud and passport-renting / terrorist fraud problems and, by extending them, found that existing EMV systems contain channel vulnerabilities; we call an attack that exploits a channel vulnerability a channel Trojan attack. Existing distance bounding, electronic attorneys and cryptographic security protocols cannot easily close these channel vulnerabilities. Below we give channel Trojan examples of a cardholder attacking a merchant, a cardholder attacking a cardholder, a merchant attacking a cardholder and a merchant attacking a merchant.

Channel Trojan: here a channel is a signal transmission path, and a Trojan is a covertly implanted malicious function module that can be controlled over a remote network. A channel Trojan is a malicious function module covertly implanted on a signal transmission path, with the ability to forward, tamper with, insert, replay, intercept and leak messages.

Channel Trojan attack example 1: cardholder attacks merchant:

As shown in Figure 3, the attacker holds a legitimate EMV card A and a card reader B; an accomplice holds a fake card C that looks identical to the attacker's EMV card and can communicate with B. The accomplice shops at a store in city G with the fake card and uses it at POS terminal D. By the mafia fraud method the accomplice walks away with the goods. Once the attacker is sure the accomplice has got away safely, the attacker falsely reports fraudulent use to the police and, having an alibi, files a chargeback with the bank. The experimental set-up of this attack can be exactly that of Drimer et al. The bank should reject the attacker's chargeback request.

Channel Trojan attack example 2: cardholder attacks cardholder:

The attacker implants channel Trojans in advance on the EMV card, display, keyboard and printer channels of the POS terminals at store B in city G and store D in city H. Using a method similar to the mafia fraud (slightly different, in that B and C cross-exchange messages, as shown in Figure 4), attacker A, taking goods worth 20,000 yuan, can swap bills with another cardholder taking goods worth 100 yuan. When that cardholder notices the overcharge he will file a chargeback with the bank. This attack also has a timing synchronisation problem. The cardholder's chargeback is a legitimate claim and should be upheld. If the bank upholds it the merchant loses; otherwise the cardholder loses. Either way the attacker profits, and a cardholder who is not at fault is attacked.

Channel Trojan attack example 3: merchant attacks cardholder:

As shown in Figure 5, the attacker forges a POS terminal B whose IC card slot is connected by wire C to the card slot of a legitimate POS terminal D. A cardholder shopping at the attacker's store plays role A of the mafia fraud: A cannot see the legitimate terminal D, and the actual transaction amount is decided by D, so the attacker can set any amount he likes as the legitimate charge. Because the cardholder is deceived by the fake terminal in front of him while the IC card is wired directly to the real terminal, neither distance bounding nor cryptographic protocols can prevent this attack. An electronic attorney might resist it, but an electronic attorney protects only the cardholder's interests; if electronic attorneys are permitted, cardholders can attack merchants. A cardholder who notices the overcharge will certainly file a chargeback; this is an attack on a party not at fault, the claim is legitimate and the bank should uphold it.

Channel Trojan attack example 4: merchant attacks merchant:

As shown in Figure 6, in city G the attacking merchant implants a channel Trojan in its own store's POS terminal B and, in advance, another in POS terminal D of the victim merchant in city H. Cardholder A pays 100 yuan at terminal B while cardholder C pays 20,000 yuan at terminal D; a method similar to example 2 makes the attack succeed. Neither cardholder is affected, since each is charged the value of the goods received, but the attacking merchant receives 20,000 yuan for goods worth 100 yuan while the victim merchant receives only 100 yuan for goods worth 20,000 yuan.

In the four examples above, the cardholders of examples 1, 2 and 3 all file chargeback requests with the bank. The chargeback in example 1 is repudiation and should be refused; the chargebacks in examples 2 and 3 are legitimate. Existing European and American bank card technology, however, cannot distinguish the chargeback that should be refused from those that should be upheld.

The attacks in the four examples are independent of the security protocol: even when European and American bank cards are used with PCI DSS-compliant POS terminals and EMV cards, banks and police cannot easily tell victim from attacker. Mounting a channel Trojan attack through a channel vulnerability is cheap; example 3 in particular requires nothing more than a fake POS terminal whose IC card slot is wired to the IC card slot of a real POS terminal. Channel Trojan attacks mean that existing bank IC cards provide no more security than magnetic stripe cards!
Bank card systems are extremely valuable in the eyes of attackers and must be built as high-assurance systems, so a complete threat model and sound security policies, security protocols and security methods must be established. Newer attacks on cryptographic chips, such as side-channel attacks, physical intrusion attacks and chip Trojans, all share the characteristics of a channel Trojan. The relay attack of Drimer et al. differs from our four examples (it is isomorphic to example 1), but all of them are attacks based on channel vulnerabilities. The man-in-the-middle attack of Murdoch, S. et al. is a protocol attack, and protocol attacks likewise have the characteristics of a channel Trojan. We therefore refer collectively to attacks exploiting channel vulnerabilities, protocol attacks, side-channel attacks, physical intrusion attacks and chip Trojan attacks as channel Trojan attacks.

Side-channel attacks (SCA) use the various kinds of physical information leaked by a chip to recover the key inside a cryptographic chip efficiently. This is a channel leaking key information, except that the leak is natural rather than deliberately introduced. The equipment needed for SCA is easy to obtain and an attack can be carried out without leaving traces, so SCA has received unprecedented attention. SCA has broken a large number of smart cards, cryptographic chips and cryptosystems, including implementations of today's mainstream computationally secure algorithms AES, IDEA, 3DES, RSA and ECC. Existing countermeasures include hiding, masking and provably secure leakage-resilient schemes. Hiding effectively raises the attacker's difficulty but its security cannot be proven; an n-th order mask cannot resist an (n+1)-th order differential attack; and existing leakage-resilient schemes are in effect one-time pads. The SCA resistance of current practical schemes is therefore far from the cryptographic goal of "computational security". We previously proposed an N-use key scheme against side-channel attacks: suppose a side-channel attack needs M sets of key-leakage information to break the system; if each key is used fewer than N times and N < M, then a side-channel attack requiring M sets of leakage cannot break a system based on the N-use key scheme. With appropriate hiding measures, M can be increased effectively at a modest cost in speed, area and power. Of course, if an attacker can bypass the chip's counting mechanism, limiting the number of key uses is ineffective; the method in our patent application No. 201110303449.1 effectively prevents an attacker from bypassing the cryptographic chip's counting mechanism and so resists side-channel attacks effectively.

Physical intrusion attacks are expensive and so are often ignored by researchers, but three events have raised respect for them: Mifare was broken; Actel's chips were broken and the company went through bankruptcy and reorganisation; and Infineon, at the height of its success, could not prevent its TPM from being broken. The attack on the Infineon TPM physically invaded the chip, bypassed the sensor mesh and then probed the wiring to obtain the key and the unique manufacturing information, which is channel eavesdropping. Like resisting exhaustive search, resisting physical intrusion is theoretically impossible, but surrounding the cryptographic logic with the sensitive circuitry of a physically unclonable module built in a dense CMOS process effectively increases the difficulty for a physical intruder, and can even achieve a "computational security" effect. The cryptographic logic dynamically takes a key sequence number as input and invokes the key extraction procedure to extract the key from the physically unclonable module as needed. A cryptographic chip containing such logic presents a physical intruder with a physically unclonable puzzle: the sensitive circuits of the physically unclonable module surrounding the cryptographic logic must be bypassed without being damaged.

Like physical intrusion, chip Trojans tend to be overlooked because of the cost of the attack (chiefly the cost of inserting the Trojan). A chip Trojan is a Trojan inserted during chip manufacture. Because of reuse of existing research results and the commercial pressures on the chip industry, existing cryptographic chips are assembled from mature IP cores: cryptographic algorithm IP cores, processor IP cores and various functional IP cores. China's existing cryptographic chips inevitably use functional IP cores of foreign origin, and even their processor IP cores use foreign technology. A chip Trojan inserted into an in-house cryptographic algorithm IP core is easy to detect, but the probability of detecting a Trojan inserted into a functional IP core or a processor IP core is very low. We have been working on cryptographic processor IP core design and have made good progress on cryptographic algorithm IP cores, instruction sets dedicated to cryptographic algorithms, processor IP cores, FPGA hardware emulation of IP cores, and simulation and compilation software for the custom instruction set, forming a complete cryptographic processor system; we currently plan to tape out a 13-instruction MPKC processor IP core. In a cryptographic chip built on such a cryptographic processor IP core, confidentiality and authentication remain reliable even if a chip Trojan is inserted into other functional modules.

The forms of channel Trojan attack will keep evolving. Murdoch, S. et al. point out in their paper attacking chip and PIN that once a protocol is broken it is hard to rescue. The EMV and PCI protocols are both very complex; in general, the more complex a protocol, the harder it is to analyse and the higher the probability of a fatal flaw. Protocols that use confidentiality and authentication are relatively secure, but immunity to protocol attacks cannot be guaranteed. If the cryptographic chip's executable program can be updated dynamically, with an update process that is reliable and does not lower system security, then after a protocol is broken, simply updating the program avoids replacing large amounts of hardware and systems. Designing a cryptosystem on a hard problem is the goal that information security researchers pursue; we intend to design a cryptosystem based on the physically unclonable puzzle, expecting such a system to have dynamic protocol security while its overall security still rests on the physically unclonable puzzle.

No system is absolutely secure, but attack techniques keep advancing, so defences must advance too and be adequate against the expected attacker. As an extremely valuable target, a financial system should pursue a system security goal analogous to "computational security". A bank, as the trust manager, should provide a bank card system that at the very least protects the interests of cardholders and merchants: a cardholder or merchant who is not at fault should not be attacked. In attack examples 2 and 3 above the cardholder is not at fault yet is attacked, and once examples 1 and 4 are added, the existing bank card system cannot tell at all who should bear responsibility.
In summary, a financial POS system that effectively resists channel Trojan attacks, and a method for implementing that resistance, are among the problems those skilled in the art urgently need to solve.

Summary of the invention

The object of the present invention is to overcome the shortcomings and deficiencies of the prior art by providing a financial POS system that effectively resists channel Trojan attacks.

Another object of the present invention is to provide a method for implementing attack resistance based on the above financial POS system resistant to channel Trojan attacks.

To achieve the first object, the invention adopts the following technical solution:
A financial POS system resistant to channel Trojan attacks according to the invention comprises a POS mainboard, an IC card box, a PIN pad, a user PIN device, non-volatile memory, an IC card and a trust manager. The IC card box is connected to the POS mainboard; the PIN pad is connected to the IC card box; the POS mainboard is connected to the trust manager through an I/O interface; and the IC card is connected to the trust manager through the IC card box;

the PIN pad is used to receive the user's PIN;

the user PIN device is used to display the transaction amount and to receive the user's PIN;

the non-volatile memory is used to store the authorisation credentials of transactions;

the IC card box, the PIN pad, the user PIN device and the IC card are each provided with a cryptographic chip;

the trust manager shares a key with each of the IC card box, the PIN pad, the user PIN device and the IC card.

Preferably, the IC card box comprises an external contact interface, an external contactless interface, an internal contact interface, an internal contactless interface and a sealed shielding box. The sealed shielding box is provided with communication lines between the inside and the outside of the box and with an opening for inserting the IC card; the opening has a sealed shielding door that can be opened and closed and is densely covered with contact points.

Preferably, the inner and outer surfaces of the sealed shielding box are each covered with a sensitive circuit layer, and the IC card box's cryptographic chip sits between the inner and outer sensitive circuit layers; the external contact interface and external contactless interface lie outside the outer sensitive circuit layer, and the internal contact interface and internal contactless interface lie inside the inner sensitive circuit layer. Opening the sealed shielding door of the IC card box breaks the sensitive circuit; closing it completes the sensitive circuit.

Preferably, the sensitive circuit layer consists of the sensitive circuitry of a physically unclonable module.

Preferably, the cryptographic chip contains a physically unclonable module and a cryptographic processor IP core, the sensitive circuitry of the physically unclonable module surrounding the cryptographic processor IP core to form a cage structure. The key sequence numbers that the cryptographic processor IP core needs to reuse are stored in the cryptographic chip's non-volatile memory; a key itself is extracted from the physically unclonable module, using its key sequence number as input, only when it is needed.

Preferably, the user PIN device is privately owned by the user and comprises a contact interface, a contactless interface, a keypad and a display; the contact interface can connect to the external contact interface of the IC card box, and the contactless interface can connect to the external contactless interface of the IC card box.
To achieve the other object, the invention adopts the following technical solution:

The method for implementing attack resistance in the financial POS system of the invention comprises the following steps:

(11) Initialisation:

The trust manager writes into the cryptographic chips of the IC card box, the PIN pad, the user PIN device and the IC card an initial symmetric key sequence number and an initial asymmetric key sequence number, together with the usage limit for each key sequence number. Each cryptographic chip extracts the initial symmetric key from its physically unclonable module using the initial symmetric key sequence number as input and sends the extracted initial symmetric key back to the trust manager. Each cryptographic chip extracts the initial private key from its physically unclonable module using the initial asymmetric key sequence number as input, computes the corresponding initial public key and sends it to the trust manager; the trust manager signs a digital certificate for the initial public key and returns it to the cryptographic chip. The trust manager sends its own public key to the cryptographic chips in the IC card box, the PIN pad, the user PIN device and the IC card, and receives and stores the cardholder's PIN.

(12) Transaction flow:

The cardholder inserts the IC card into the IC card box and closes the box's sealed shielding door, so that the sealed shielding box shields the card and the IC card inside the box can communicate with devices outside it only through the box's inside-to-outside communication lines. In addition, once the sealed shielding door is closed, the sensitive circuit of the physically unclonable module on the IC card box is connected, so that the IC card box's cryptographic chip can extract from the physically unclonable module the key it shares with the trust manager and the private key of the IC card box's cryptographic chip;

(13) Key sequence number usage-count flow:

Each time a cryptographic chip uses the key it shares with the trust manager or its own private key, it must extract that key from the physically unclonable module using the symmetric or asymmetric key sequence number, and each use of any key sequence number increments that sequence number's usage count. When the count reaches the usage limit, the cryptographic chip updates the key sequence number and extracts the corresponding new key from the physically unclonable module using the new sequence number as input. For a new key belonging to a symmetric key sequence number, the cryptographic chip encrypts the new key and the new key sequence number under the old key and sends them to the trust manager; for a private key belonging to an asymmetric key sequence number, the cryptographic chip sends the corresponding public key and its key sequence number to the trust manager, which signs a digital certificate for that public key and returns it to the cryptographic chip.
Preferably, the initialization further comprises setting a help PIN for use in emergencies: when the cardholder enters the help PIN during the transaction process, the trust manager completes all the same steps as for the ordinary PIN and additionally assists the cardholder by requesting help from the police.
Preferably, the transaction process comprises the following steps:
(21) The IC card sends its card number to the IC card box;
(22) The IC card box sends the IC card number and the IC card box number to the trust manager;
(23) From the IC card number the trust manager looks up whether the IC card uses the cardholder's private user PIN disk, and from the IC card box number it looks up the PIN pad number; if the IC card uses a user PIN disk, the three interacting parties are the IC card, the IC card box and the user PIN disk, otherwise they are the IC card, the IC card box and the PIN pad; the trust manager generates a session key, encrypts it with the key shared with each of the three parties or with each party's public key, and distributes it to them; all communication in steps (24) to (29) below is encrypted with the session key;
(24) The IC card box sends M1 and M11 to the IC card, where M1 = "IC card box number, IC card box key sequence number, IC card box key sequence number use count, IC card box transaction sequence number, transaction amount" and M11 = EK(H(M1)); here EK() denotes encryption of the information with the key shared between the cryptographic chip and the trust manager, or signing of the information with the initiator's private key, and H() is a hash function; the IC card box invokes the procedure for incrementing the key sequence number use count;
(25) The IC card sends M2 and M21 to the IC card box, where M2 = "IC card number, IC card key sequence number, IC card key sequence number use count, IC card transaction sequence number" and M21 = EK(H(M2||M11)); the IC card invokes the procedure for incrementing the key sequence number use count;
(26) The IC card box sends M1, M11, M2 and M21 to the trust manager, which checks and verifies the validity of M11 and M21 and ends the process if either is invalid;
(27) The trust manager sends M3, M31 and M32 to the IC card box, where M3 = "M2, transaction amount" and M31 = EK(H(M3)); from the IC card number in M2 the trust manager looks up the PIN device the IC card uses: M32 = 1 if a PIN pad is used, M32 = 2 if a user PIN disk is used;
(28) According to the value of M32 the IC card box forwards M3 and M31 to the PIN pad or to the user PIN disk, and receives M4 = EK(H(M3, user PIN));
(29) The IC card box sends M4 to the trust manager; after successful verification the trust manager stores M5 = "M1, M11, M2, M21, M3, M4, date, time" as a record, computes M51 = EK(H(M5)) and sends it to the IC card box; the IC card box and the IC card each increment their own transaction sequence number; the IC card box requests from the IC card the credential for opening the box's shielding door and, on receiving the response, stores M5 and M51 in the POS system's non-volatile memory and opens the shielding door; the POS system prints a receipt containing "IC card box number, IC card box key sequence number, IC card box transaction sequence number, IC card number, IC card key sequence number, IC card transaction sequence number, transaction amount, date, time"; after the receipt is signed by the cardholder and signed and stamped by the merchant's representative, the cardholder keeps the stamped copy and the merchant submits the signed receipt to the acquiring bank with an acquiring request; after verifying it, the acquiring bank applies to the issuing bank, which transfers the transaction amount from the cardholder's account to the merchant's designated account, ending the transaction process.
Preferably, step (28) specifically comprises:
(281) If M32 = 1, M3 and M31 are sent to the PIN pad, which verifies M3 and M31; if they are invalid, the PIN pad invokes the procedure for incrementing the key sequence number use count and ends; if M3 and M31 are valid, the PIN pad accepts the user PIN and sends M4 to the IC card box, where M4 = EK(H(M3, user PIN)), and then invokes the procedure for incrementing the key sequence number use count;
(282) If M32 = 2, M3 and M31 are sent to the user PIN disk, which verifies M3 and M31; if they are invalid, the user PIN disk invokes the procedure for incrementing the key sequence number use count and ends; if they are valid, it displays M3, and after the user confirms that the amount in M3 is correct and enters the PIN, the user PIN disk sends M4 to the IC card box, where M4 = EK(H(M3, user PIN)), and then invokes the procedure for incrementing the key sequence number use count.

Compared with the prior art, the present invention has the following advantages and effects:
1. The present invention effectively resists the attacks described in the four channel Trojan attack examples based on the channel vulnerability we proposed, which existing bank card technology cannot resist. Attack examples one, two and four all depend on wireless communication (a subliminal channel); otherwise the merchant would notice the attack. In the financial POS system of the present invention the shielding IC card box must have its shielding door closed before a transaction can proceed, and closing the door prevents the IC card inside the box from exchanging information with the outside over wireless communication, so the attacks of examples one, two and four cannot be carried out. As for attack example three, when the cardholder enters the PIN on a private user PIN disk, the cardholder checks the transaction amount beforehand, so the merchant cannot tamper with the amount and the attack method of example three fails.
2. It effectively increases the risk to IC card robbers, that is, criminals who abduct a cardholder, force the cardholder to reveal the PIN, and then withdraw money with the cardholder's IC card. Because a criminal cannot easily tell whether the cardholder has given the ordinary PIN or the help PIN, when the criminal withdraws money with the cardholder's help PIN the trust manager can notify the police in time.
3. It provides dynamic side-channel attack security. The back-end trust manager can monitor key usage through the transaction records; limiting the number of uses means an attacker can collect at most N sets of leakage for the same key. If a new side-channel attack can break the system by collecting M sets of leakage and N > M, the attacker can attack the system; in that case the back-end trust manager sets each key to be used at most L times, so that the attacker can collect only L sets of leakage, and with L < M the new side-channel attack method that requires M sets of leakage fails.
4. The financial POS system of the present invention has the following characteristics:
(1) It effectively resists chip (hardware) Trojan attacks. A chip Trojan inserted into the cryptographic processor IP core is easily detected, and when a chip Trojan is inserted into another functional IP core outside the cryptographic processing IP core, the confidentiality and authentication services of a cryptographic chip using the cryptographic processor IP core remain reliable because that core is self-contained.
(2) It has enhanced resistance to physical intrusion attacks. The delay circuit of the physically unclonable module covers the periphery of the cryptographic processor IP core (and also the inner and outer layers of the IC card box's sealed shield); an attacker who wants to obtain a key through physical intrusion must bypass the sensitive circuit without damaging it and succeed in tapping the wires. This is the "hard problem" we set, and it is the security foundation of the system we designed.
(3) It has enhanced resistance to side-channel attacks. Inserting Hamming-distance interference into the cryptographic processor IP core costs little, yet it effectively increases the difficulty for a passive side-channel attacker (power, electromagnetic, etc.) of building a Hamming model and greatly increases the number of leakage samples an attack must collect; the back-end trust manager additionally limits the number of uses of each key and forces an update once the specified number is reached. The PUF delay circuit covering the periphery of the processor IP core effectively raises the cost for an active side-channel attacker using, for example, fault injection.
Next, we will implement dynamic protocol security based on the physically unclonable hard problem: if an adversary cannot break the physically unclonable module, then even if the adversary breaks the protocol with a new protocol attack method, the programs that execute the protocol on the IC card, POS terminal, user PIN disk and back-end equipment can be updated online to resist the new attack, avoiding the mass replacement of IC cards and financial POS terminals and effectively reducing the loss caused by a broken protocol.
In summary, for a financial POS system to resist channel Trojan attacks it needs a new cryptographic chip based on the physically unclonable module hard problem, an IC card box that follows the protocol, resists tampering and shields subliminal channels, and a cardholder-private user PIN disk that follows the protocol, resists tampering and displays the transaction amount.

DRAWINGS
Figure 1 is a schematic diagram of the mafia attack of Drimer et al.;
Figure 2 is a schematic diagram of the EMV protocol man-in-the-middle attack of Murdoch, S. et al.;
Figure 3 is a schematic diagram of channel Trojan attack example one, a cardholder attacking a merchant;
Figure 4 is a schematic diagram of channel Trojan attack example two, a cardholder attacking a cardholder;
Figure 5 is a schematic diagram of channel Trojan attack example three, a merchant attacking a cardholder;
Figure 6 is a schematic diagram of channel Trojan attack example four, a merchant attacking a merchant;
Figure 7 is a schematic diagram of the structure of the financial POS system of the present invention resisting channel Trojan attacks;
Figure 8 is a schematic diagram of the dual-arbiter physically unclonable module DAPUF;
Figure 9 is a flow chart of DAPUF key generation;
Figure 10 is a flow chart of DAPUF key reconstruction.
DETAILED DESCRIPTION
The present invention is described in further detail below with reference to the embodiment and the drawings, but the embodiments of the invention are not limited thereto.
Embodiment
As shown in Figure 7, the financial POS system of this embodiment resisting channel Trojan attacks comprises a POS mainboard, an IC card box, a PIN pad, a user PIN disk, non-volatile memory, an IC card and a trust manager; the IC card box is connected to the POS mainboard, the PIN pad is connected to the IC card box, the POS mainboard is connected to the trust manager through an I/O interface, and the IC card is connected to the trust manager through the IC card box;
the PIN pad is used to receive the user's PIN;
the user PIN disk is used to display the transaction amount and to receive the user's PIN;
the non-volatile memory is used to store the transaction authorization credentials;
the IC card box, the PIN pad, the user PIN disk and the IC card are each provided with a cryptographic chip;
the trust manager shares a key with each of the IC card box, the PIN pad, the user PIN disk and the IC card.
The IC card box comprises an external contact interface, an external contactless interface, an internal contact interface, an internal contactless interface and a sealed shielding enclosure; the enclosure is provided with communication lines between its inside and outside and with an opening for inserting the IC card, the opening has a sealed shielding door that can be opened and closed, and the door is densely covered with contact points. The inner and outer surfaces of the sealed shielding enclosure are each covered with a sensitive circuit layer composed of the sensitive circuit of a physically unclonable module; the IC card box's cryptographic chip is placed between the inner and outer sensitive circuit layers, the external contact and contactless interfaces lie outside the outer sensitive circuit layer, and the internal contact and contactless interfaces lie inside the inner sensitive circuit layer; opening the sealed shielding door of the IC card box breaks the sensitive circuit, and closing it connects the sensitive circuit.
The cryptographic chip contains a physically unclonable module and a cryptographic processor IP core; the sensitive circuit of the physically unclonable module surrounds the periphery of the cryptographic processor IP core, forming a cage structure. The key sequence numbers that the cryptographic processor IP core must reuse are stored in the chip's non-volatile memory, while each key is extracted from the physically unclonable module with its key sequence number as input whenever it is needed.
The physically unclonable module may be a dual-arbiter PUF, DAPUF, as shown in Figure 8. The DAPUF consists of m groups of delay circuits (m = 1 in Figure 7), m positive arbiters (Arbiter1) and m inverse arbiters (Arbiter2); an n-bit challenge C is input and an m-bit positive arbitration response LR and an m-bit inverse arbitration response RR are obtained. Each delay-circuit group in the DAPUF consists of n two-in, two-out path selectors, and the stimulus signal path through each path selector is controlled by one bit of the challenge C: the stimulus signal is split into an upper and a lower path that reach the first path selector simultaneously, and if the first challenge bit is 0 the two signals pass straight through, otherwise they are crossed. After the two signals have passed through the n-th path selector, controlled by the n-th challenge bit, the upper and lower signals are fed directly to the positive arbiter and, crossed, to the inverse arbiter; each arbiter decides by the order of arrival of the two signals, outputting 1 if the upper path arrives first and 0 otherwise.
Experiments were carried out with the key generation procedure shown in Figure 9 and the key reconstruction procedure shown in Figure 10 (OWF1, OWF2 and OWF3 in Figures 9 and 10 are all one-way functions). So far we have collected 6.3 million DAPUF challenge-response pairs, each response containing a 64-bit positive arbitration response and a 64-bit inverse arbitration response, with an average of 57.4 valid bits per 64. The valid response bits of the 6.3 million responses have passed the NIST randomness tests; for the same 100,000 challenges the valid-response bit difference rate between different chips is about 49.6%, and the valid-response bit difference rate between different regions of the same chip for the same challenges is 49.01%. Among the 6.3 million data items tested, no case arose in which the Shamir threshold scheme had to be invoked to recover the key.
The cryptographic processor IP core has an instruction set customized for the cryptographic operations; taking the Rainbow signature and verification requirements of the multivariate public key cryptosystem MPKC as an example, the instruction set shown in Table 1 and the instruction decoding table shown in Table 2 can be customized.
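A behavioural model of the DAPUF structure and the uniqueness/reproducibility measurement described above, written as an added example (not the patent's hardware or code): per-chip stage delays stand in for manufacturing variation, an arbiter is assumed to need the winning signal to lead by a setup window, and a bit is treated as "valid" when the positive and inverse arbiters disagree, which is this example's reading of the valid-bit count reported.

```python
"""Constructed DAPUF model: n path-selector stages per group, a positive and a
cross-wired inverse arbiter per group. Assumptions (not from the patent): Gaussian
stage delays, a setup window inside which an arbiter resolves to 0, and thermal
jitter modelled as Gaussian noise on a repeated evaluation."""
import random


class DAPUF:
    def __init__(self, n_stages, m_groups, seed, setup_window=0.08):
        rng = random.Random(seed)  # the seed stands in for this chip's manufacturing variation
        # delays[g][i] = (top straight, bottom straight, top cross, bottom cross) for stage i
        self.delays = [[[rng.gauss(1.0, 0.05) for _ in range(4)] for _ in range(n_stages)]
                       for _ in range(m_groups)]
        self.m, self.window = m_groups, setup_window

    def _race(self, group, challenge, noise):
        """Propagate the upper and lower signals through the n path selectors."""
        top = bottom = 0.0
        for bit, d in zip(challenge, self.delays[group]):
            j = [noise.gauss(0.0, 0.005) for _ in range(4)] if noise else [0.0] * 4
            if bit == 0:   # challenge bit 0: straight through
                top, bottom = top + d[0] + j[0], bottom + d[1] + j[1]
            else:          # challenge bit 1: crossed, upper continues on the lower lane and vice versa
                top, bottom = bottom + d[3] + j[3], top + d[2] + j[2]
        return top, bottom

    def respond(self, challenge, noise=None):
        """Return (LR, RR): m positive-arbiter bits and m inverse (cross-wired) arbiter bits.
        Pass a random.Random as `noise` to model jitter on a repeated evaluation."""
        lr, rr = [], []
        for g in range(self.m):
            top, bottom = self._race(g, challenge, noise)
            lr.append(1 if top + self.window < bottom else 0)   # upper path clearly first
            rr.append(1 if bottom + self.window < top else 0)   # inputs crossed
        return lr, rr


def valid_bits(lr, rr):
    """Positions (with their LR value) where the two arbiters disagree; ties are discarded."""
    return [(i, l) for i, (l, r) in enumerate(zip(lr, rr)) if l != r]


def difference_rate(responses_a, responses_b):
    """Fraction of bits valid in both response sets that differ (the bit difference rate)."""
    diff = total = 0
    for (la, ra), (lb, rb) in zip(responses_a, responses_b):
        for x, y, u, v in zip(la, ra, lb, rb):
            if x != y and u != v:
                total += 1
                diff += x != u
    return diff / total if total else 0.0


def experiment(n_chal=200, n_stages=64, m_groups=8):
    """Constructed run: valid-bit fraction, uniqueness between two chips, and
    reproducibility of one chip re-evaluated with jitter."""
    rng = random.Random(7)
    chal = [[rng.randint(0, 1) for _ in range(n_stages)] for _ in range(n_chal)]
    a, b = DAPUF(n_stages, m_groups, seed=1), DAPUF(n_stages, m_groups, seed=2)
    ra = [a.respond(c) for c in chal]
    rb = [b.respond(c) for c in chal]
    noisy = [a.respond(c, random.Random(i)) for i, c in enumerate(chal)]
    valid = sum(len(valid_bits(l, r)) for l, r in ra) / (n_chal * m_groups)
    return {"valid_fraction": valid, "inter_chip": difference_rate(ra, rb),
            "intra_chip": difference_rate(ra, noisy)}


if __name__ == "__main__":
    print(experiment())
```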
Table 1: instruction set of the cryptographic processor IP core

Type  Instruction       Function
R     SUB Rd,Rt,Rs      Rs - Rt sent to Rd
R     XOR Rd,Rt,Rs      Rt bitwise XOR Rs sent to Rd
R     GFM Rd,Rt,Rs      field multiplication, Rd = Rt * Rs
R     GFI Rd,Rt,Rs      field inversion, Rd = GF_Inv(Rs)
R     RAN Rd            generate a random number and send it to Rd
I     BEQ Rt,Rs,Radr    if Rs equals Rt, send PC + Radr to the PC register
I     ADDI Rt,Rs,Imm    Imm + Rt sent to Rt (Rs does not take part in the operation)
I     LW Rt,Rs,Radr     load the contents of the memory cell or I/O port at address Rs + Radr into Rt
I     SW Rt,Rs,Radr     store the contents of Rt into the memory cell or I/O port at address Rs + Radr
J     JMP Adr           send Adr to PC
Table 2: instruction decoding table

Opcode   Fields                               Type  Instruction
000010   Adr(A9~A2), A1,A0 = 00               J     JMP Adr
000100   Rs, Rt, Radr(A7~A0)                  I     BEQ
001000   Rs, Rt, Immed(Sign 0000H D15-D0)     I     ADDI
100011   Rs, Rt, Radr                         I     LW
101011   Rs, Rt, Radr                         I     SW
Each instruction in Table 1 completes in one clock cycle, and each clock cycle is divided into five stages: instruction fetch, decode, control, execute and write-back. Programmed with the instruction set of Table 1, the MPKC Rainbow processor IP core uses a 16-bit data path and 32 general-purpose registers, and occupies 1261 ALUTs and 539 dedicated logic registers in an Altera EP2S series FPGA. The signature algorithm program occupies 2216 bytes (554 * 4) and consumes 405392 clock cycles. MPKC Rainbow signing and verification needs an instruction set of 11 instructions, but apart from the field multiplication GFM and the field inversion GFI, which are MPKC-specific, all the remaining instructions are general-purpose and can be used directly by other algorithms and general control programs. With suitable handling, the gates consumed by GFI can even be shared with the inversion operation of the AES algorithm.
The cryptographic processor IP core inserts Hamming-distance interference into the five stages of the data path in each instruction cycle, so that the Hamming distance in each instruction stage is held at a constant value; this effectively removes the processor's power-consumption signature and makes it difficult for an attacker to build a Hamming model.
The user PIN disk is private to the user and comprises a contact interface, a contactless interface, a keypad and a display; the contact interface can be connected to the external contact interface of the IC card box, and the contactless interface can be connected to the external contactless interface of the IC card box.
The anti-attack implementation method of this embodiment, based on the financial POS system resisting channel Trojan attacks described above, comprises the following specific steps:
(11) Initialization:
The trust manager writes into the cryptographic chips of the IC card box, PIN pad, user PIN disk and IC card an initial symmetric key sequence number, an initial asymmetric key sequence number, and the use limit of each key sequence number; each cryptographic chip extracts the initial symmetric key from its physically unclonable module with the initial symmetric key sequence number as input and sends the extracted initial symmetric key back to the trust manager; the chip extracts the initial private key from the physically unclonable module with the initial asymmetric key sequence number as input, computes the corresponding initial public key and sends it to the trust manager, which signs a digital certificate for the initial public key and returns it to the chip; the trust manager sends its own public key to the cryptographic chips in the IC card box, PIN pad, user PIN disk and IC card; the trust manager receives and stores the cardholder's PIN, and besides an ordinary PIN the cardholder may also set a help PIN;
(12) Transaction process:
The cardholder inserts the IC card into the IC card box and closes the box's sealed shielding door, so that the sealed shielding enclosure of the IC card box takes effect and the IC card inside the box can communicate with devices outside it only through the box's internal-external communication lines; in addition, once the sealed shielding door of the IC card box is closed, the sensitive circuit of the physically unclonable module on the IC card box becomes conductive, so that the box's cryptographic chip can extract from the physically unclonable module both the key shared with the trust manager and the private key of the IC card box's cryptographic chip;
(13) Procedure for incrementing the key sequence number use count:
Whenever the cryptographic chip uses a key shared with the trust manager or its own private key, it must extract that key from the physically unclonable module using the symmetric key sequence number or the asymmetric key sequence number; after every use of any key sequence number the chip increments that sequence number's use count, and when the count reaches the use limit the chip updates the key sequence number and extracts the corresponding new key from the physically unclonable module with the new sequence number as input; for the new key corresponding to a symmetric key sequence number, the chip encrypts the new key and the new sequence number with the old key and sends them to the trust manager; for the private key corresponding to an asymmetric key sequence number, the chip sends the matching public key and its sequence number to the trust manager, which signs a digital certificate for that public key and returns it to the chip.
The help PIN set during initialization is used in emergencies: when the cardholder enters the help PIN during the transaction process, the trust manager completes all the same steps as for the ordinary PIN and additionally assists the cardholder by requesting help from the police.
The transaction process comprises the following steps:
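The initialization of step (11), the use-count and rotation procedure of step (13), and the back-end use-limit monitoring described under advantage 3, as an added example (not the patent's code): the PUF is stood in for by a keyed PRF over a chip-unique secret, EK() by an HMAC-based encrypt-then-MAC, and only the symmetric-key branch is modelled; the device id and limit values are constructed.

```python
"""Constructed model of key-sequence-number use counting and rotation. The chip
stores only sequence numbers and use counts and re-extracts each key from the PUF;
at the use limit it moves to the next sequence number and sends the new key,
encrypted under the old one, to the trust manager. Assumptions are marked."""
import hashlib
import hmac
import secrets
from typing import Optional


class PUF:
    """Stand-in for the physically unclonable module: key = PRF(chip secret, sequence number)."""
    def __init__(self, chip_secret: bytes):
        self._secret = chip_secret  # models the PUF's physical state; never exported

    def extract(self, key_seq: int) -> bytes:
        return hmac.new(self._secret, key_seq.to_bytes(4, "big"), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def ek_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """EK() stand-in: HMAC keystream XOR plaintext, then an HMAC tag over nonce || ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def ek_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class CryptoChip:
    def __init__(self, puf: PUF, sym_seq: int, limit: int):
        self.puf, self.sym_seq, self.limit = puf, sym_seq, limit
        self.sym_uses = 0
        self.outbox = []  # rotation messages waiting for the trust manager

    def initial_key(self) -> bytes:
        """Step (11): the initial key is extracted once and handed to the trust manager."""
        return self.puf.extract(self.sym_seq)

    def use_symmetric_key(self) -> bytes:
        """Step (13): extract the key for this use, count the use, rotate at the limit."""
        key = self.puf.extract(self.sym_seq)
        self.sym_uses += 1
        if self.sym_uses >= self.limit:
            new_seq = self.sym_seq + 1
            new_key = self.puf.extract(new_seq)
            # The old key encrypts the new key together with its sequence number.
            self.outbox.append(ek_encrypt(key, new_seq.to_bytes(4, "big") + new_key))
            self.sym_seq, self.sym_uses = new_seq, 0
        return key


class TrustManager:
    def __init__(self, limit: int):
        self.limit = limit
        self.shared = {}  # device id -> (key sequence number, shared key)

    def enrol(self, dev_id: str, seq: int, key: bytes) -> None:
        self.shared[dev_id] = (seq, key)

    def absorb_rotation(self, dev_id: str, blob: bytes) -> bool:
        """Decrypt under the current key; reject a replayed or rolled-back sequence number."""
        seq, key = self.shared[dev_id]
        plain = ek_decrypt(key, blob)
        if plain is None or int.from_bytes(plain[:4], "big") <= seq:
            return False
        self.shared[dev_id] = (int.from_bytes(plain[:4], "big"), plain[4:])
        return True

    def check_reported_use(self, dev_id: str, seq: int, uses: int) -> bool:
        """M1/M2 carry the sequence number and use count, so the back end can reject a
        device reporting a stale sequence number or a count at or past the limit."""
        return seq == self.shared[dev_id][0] and 0 <= uses < self.limit
```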
(21 ) IC卡将卡号发送给 IC卡盒;  (21) The IC card sends the card number to the IC card box;
(22 ) IC卡盒将 IC卡号、 IC卡盒号发送给信任管理方;  (22) The IC card box sends the IC card number and the IC card box number to the trust management party;
(23 )信任管理方根据 IC卡号可査询到 IC卡是否使用持卡人私有的用户 PIN 盘, 根据 IC卡盒号查询到密码键盘号; 如果 IC卡使用用户 PIN盘, 则交互三方为 IC卡、 IC卡盒和用户 PIN盘, 否则为 IC卡、 IC卡盒和密码键盘; 信任管理方产生 一个会话密钥, 分别用与交互三方共享的密钥或者三方的公钥加密会话密钥后分发 给交互三方, 下述步骤 (24) - (29 ) 中的通讯均使用会话密钥加密;  (23) The trust management party can query whether the IC card uses the cardholder's private user PIN disk according to the IC card number, and query the password keyboard number according to the IC card box number; if the IC card uses the user PIN disk, the interaction three parties are IC Card, IC card box and user PIN disk, otherwise IC card, IC card box and password keyboard; trust management party generates a session key, respectively, after encrypting the session key with the key shared by the interactive three parties or the three-party public key Distributed to the interactive three parties, the communication in the following steps (24) - (29) are encrypted using the session key;
(24) IC卡盒向 IC卡发送 Ml和 Mil , 其中 Ml = "IC卡盒号、 IC卡盒密钥序 号、 IC卡盒密钥序号使用次数、 IC卡盒交易序号、交易金额", M11=EK (H (M1 ) ); 其中 EK ( )表示以密码芯片与信任管理方共享的密钥对信息加密, 或者用发起方的 私钥对信息签名; H ( ) 是一个 HASH函数; IC卡盒调用增加密钥序号使用次数流 程; (24) The IC card box sends Ml and Mil to the IC card, where Ml = "IC card box number, IC card box key serial number, IC card box key serial number usage count, IC card box transaction serial number, transaction amount", M11 =EK (H (M1 ) ) ; where EK ( ) indicates that the cryptographic chip is encrypted with the key shared by the trust manager, or by the initiator The private key signs the information; H ( ) is a HASH function; the IC card box calls to increase the number of key sequence usage times;
(25 ) IC卡向 IC卡盒发送 M2和 M21 , 其中 M2 = "IC卡号、 IC卡密钥序号、 IC卡密钥序号使用次数、 IC卡交易序号", M21 =EK (H (M2||M11 ) ), IC卡调用 增加密钥序号使用次数流程;  (25) The IC card sends M2 and M21 to the IC card box, where M2 = "IC card number, IC card key serial number, IC card key serial number usage count, IC card transaction serial number", M21 = EK (H (M2|| M11)), the IC card calls to increase the number of key sequence usage times;
(26) IC卡盒向信任管理方发送 Ml、 Mll、 M2、 M21 , 信任管理方检査并验 证 Mi l和 M21的有效性, 有误则结束;  (26) The IC card box sends Ml, Mll, M2, M21 to the trust management party, and the trust management party checks and verifies the validity of Mi l and M21, and ends with an error;
(27)信任管理方向 IC卡盒发送 M3、 M31和 M32, 其中 M3 = "M2、 交易金 额", M31 =EK (H (M3 )), 信任管理方根据 M2中的 IC卡号查询 IC卡的使用的 PIN设备, 如果采用密码键盘, 则 M32 = l, 如果采用用户 PIN盘则 M32 = 2;  (27) Trust management direction The IC card box sends M3, M31 and M32, where M3 = "M2, transaction amount", M31 = EK (H (M3)), and the trust management party queries the use of the IC card according to the IC card number in M2. PIN device, if using a PIN pad, M32 = l, if using a user PIN disk, M32 = 2;
(28) Depending on the value of M32, the IC card box:
(281) if M32 = 1, forwards M3 and M31 to the PIN keypad. The PIN keypad verifies M3 and M31; on failure it invokes the key-sequence-number use-count increment procedure and ends. Once M3 and M31 are verified, the PIN keypad accepts the user's PIN and sends M4 to the IC card box, where M4 = EK(H(M3, user PIN)); the PIN keypad then invokes the key-sequence-number use-count increment procedure;
(282) if M32 = 2, forwards M3 and M31 to the user PIN pad. The user PIN pad verifies M3 and M31; on failure it invokes the key-sequence-number use-count increment procedure and ends. Once verified, it displays M3; after the user confirms that the amount in M3 is correct and enters the PIN, the user PIN pad sends M4 to the IC card box, where M4 = EK(H(M3, user PIN)); the user PIN pad then invokes the key-sequence-number use-count increment procedure;
(29) The IC card box sends M4 to the trust manager. After verifying it, the trust manager stores M5 = "M1, M11, M2, M21, M3, M4, date, time" as a record, computes M51 = EK(H(M5)) and sends it to the IC card box. The IC card box and the IC card each increment their own transaction sequence numbers; the IC card box requests from the IC card a credential for opening the IC card box shielding door, and on receiving the response it stores M5 and M51 in the POS system's non-volatile memory and opens the shielding door. The POS system prints a receipt containing "IC card box number, IC card box key sequence number, IC card box transaction sequence number, IC card number, IC card key sequence number, IC card transaction sequence number, transaction amount, date, time". After the receipt is signed by the cardholder and signed and stamped by the merchant's representative, the cardholder keeps the stamped copy and the merchant submits the signed receipt to the acquiring bank with an acquiring request; after verifying it, the acquiring bank applies to the issuing bank, which transfers the transaction amount from the cardholder's account to the merchant's designated account, ending the transaction flow.
The embodiments above are preferred embodiments of the invention, but the invention is not limited to them; any other change, modification, substitution, combination or simplification made without departing from the spirit and principles of the invention is an equivalent replacement and falls within the scope of protection of the invention.

Claims

1. A financial POS system resistant to channel Trojan attacks, characterised in that it comprises a POS motherboard, an IC card box, a PIN keypad, a user PIN pad, a non-volatile memory, an IC card and a trust manager; the IC card box is connected to the POS motherboard; the PIN keypad is connected to the IC card box; the POS motherboard is connected to the trust manager through an I/O interface; the IC card is connected to the trust manager through the IC card box;
the PIN keypad is used to receive the user's PIN;
the user PIN pad is used to display the transaction amount and to receive the user's PIN;
the non-volatile memory is used to store the transaction's authorisation credentials;
the IC card box, the PIN keypad, the user PIN pad and the IC card are each provided with a cryptographic chip;
the trust manager shares a key with each of the IC card box, the PIN keypad, the user PIN pad and the IC card.
2. The financial POS system resistant to channel Trojan attacks according to claim 1, characterised in that the IC card box comprises an external contact interface, an external contactless interface, an internal contact interface, an internal contactless interface and a sealed shielding enclosure; the sealed shielding enclosure is provided with communication lines between the inside and the outside of the enclosure and with an opening for inserting the IC card; a sealed shielding door is fitted at the opening, and the sealed shielding door is densely covered with contact points.
3. The financial POS system resistant to channel Trojan attacks according to claim 2, characterised in that the inner and outer surfaces of the sealed shielding enclosure are each covered with a sensitive circuit layer, the cryptographic chip of the IC card box is located between the inner and outer sensitive circuit layers, the external contact interface and the external contactless interface lie outside the outer sensitive circuit layer, and the internal contact interface and the internal contactless interface lie inside the inner sensitive circuit layer; opening the sealed shielding door of the IC card box breaks the sensitive circuit, and closing the sealed shielding door reconnects it.
4. The financial POS system resistant to channel Trojan attacks according to claim 3, characterised in that the sensitive circuit layers are composed of the sensitive circuit of a physical unclonable function (PUF) module.
5. The financial POS system resistant to channel Trojan attacks according to claim 1, characterised in that the cryptographic chip contains a physical unclonable function module and a cryptographic processor IP core; the sensitive circuit of the PUF module surrounds the cryptographic processor IP core, forming a cage structure; the key sequence numbers that the cryptographic processor IP core uses repeatedly are stored in the cryptographic chip's non-volatile memory, and a key, whenever it is needed, is extracted from the PUF module using its key sequence number as input.
6. The financial POS system resistant to channel Trojan attacks according to claim 1 or 2, characterised in that the user PIN pad is private to the user and comprises a contact interface, a contactless interface, a keyboard and a display; its contact interface connects to the external contact interface of the IC card box, and its contactless interface connects to the external contactless interface of the IC card box.
7. A method for implementing the attack resistance of the financial POS system resistant to channel Trojan attacks according to any one of claims 1 to 6, characterised in that the specific steps are:
(11) Initialisation:
The trust manager writes into the cryptographic chips of the IC card box, the PIN keypad, the user PIN pad and the IC card an initial symmetric key sequence number and an initial asymmetric key sequence number, together with the use limit for each key sequence number. Each cryptographic chip extracts the initial symmetric key from its PUF module using the initial symmetric key sequence number as input and sends the extracted initial symmetric key back to the trust manager. Each cryptographic chip extracts the initial private key from its PUF module using the initial asymmetric key sequence number as input, computes the corresponding initial public key and sends it to the trust manager; the trust manager signs a digital certificate for the initial public key and returns it to the cryptographic chip. The trust manager sends its own public key to the cryptographic chips in the IC card box, the PIN keypad, the user PIN pad and the IC card. The trust manager receives and stores the cardholder's PIN;
(12) Transaction flow:
The IC card is inserted into the IC card box and the sealed shielding door of the IC card box is closed, so that the sealed shielding enclosure of the IC card box acts as a shield and the IC card inside the box can communicate with devices outside the IC card box only through the box's inside-outside communication lines. In addition, once the sealed shielding door of the IC card box is closed, the sensitive circuit of the PUF module on the IC card box is connected, so that the cryptographic chip of the IC card box can extract from the PUF module the key it shares with the trust manager and the private key of the IC card box's cryptographic chip;
(13) Key-sequence-number use-count increment procedure:
Each time a cryptographic chip uses the key it shares with the trust manager or its own private key, that key must be extracted from the PUF module using the symmetric or asymmetric key sequence number. After each use of any key sequence number, the cryptographic chip increments that sequence number's use count. When the use count reaches the use limit, the cryptographic chip updates the key sequence number and extracts the corresponding new key from the PUF module using the new key sequence number as input. For a new key corresponding to a symmetric key sequence number, the cryptographic chip encrypts the new key and the new key sequence number with the old key and sends them to the trust manager. For a private key corresponding to an asymmetric key sequence number, the cryptographic chip sends the corresponding public key and its key sequence number to the trust manager, and the trust manager signs a digital certificate for that public key and returns it to the cryptographic chip.
8. The method for implementing the attack resistance of the financial POS system resistant to channel Trojan attacks according to claim 7, characterised in that the initialisation further comprises setting a distress PIN for use in emergencies; when the cardholder enters the distress PIN during the transaction flow, the trust manager, in addition to completing all the same steps as for the ordinary PIN, must assist the cardholder in requesting help from the police.
9. The method for implementing the attack resistance of the financial POS system resistant to channel Trojan attacks according to claim 7, characterised in that the transaction flow comprises the following steps:
(21) The IC card sends its card number to the IC card box;
(22) The IC card box sends the IC card number and the IC card box number to the trust manager;
(23) From the IC card number, the trust manager looks up whether the IC card uses a cardholder-owned user PIN pad, and from the IC card box number it looks up the PIN keypad number. If the IC card uses a user PIN pad, the three interacting parties are the IC card, the IC card box and the user PIN pad; otherwise they are the IC card, the IC card box and the PIN keypad. The trust manager generates a session key, encrypts it separately under the key it shares with each of the three parties (or under each party's public key) and distributes it to them; all communication in steps (24) to (29) below is encrypted with this session key;
(24) The IC card box sends M1 and M11 to the IC card, where M1 = "IC card box number, IC card box key sequence number, use count of the IC card box key sequence number, IC card box transaction sequence number, transaction amount" and M11 = EK(H(M1)). Here EK( ) denotes encryption of the data with the key the cryptographic chip shares with the trust manager, or signing of the data with the originator's private key, and H( ) is a hash function. The IC card box then invokes the key-sequence-number use-count increment procedure;
(25) The IC card sends M2 and M21 to the IC card box, where M2 = "IC card number, IC card key sequence number, use count of the IC card key sequence number, IC card transaction sequence number" and M21 = EK(H(M2||M11)). The IC card then invokes the key-sequence-number use-count increment procedure;
(26) The IC card box sends M1, M11, M2 and M21 to the trust manager, which checks and verifies the validity of M11 and M21; if either is invalid, the process ends;
(27) The trust manager sends M3, M31 and M32 to the IC card box, where M3 = "M2, transaction amount" and M31 = EK(H(M3)). Using the IC card number in M2, the trust manager looks up which PIN device the IC card uses: M32 = 1 if the PIN keypad is used, M32 = 2 if the user PIN pad is used;
(28) Depending on the value of M32, the IC card box forwards M3 and M31 either to the PIN keypad or to the user PIN pad, and receives back M4 = EK(H(M3, user PIN));
(29) The IC card box sends M4 to the trust manager. After verifying it, the trust manager stores M5 = "M1, M11, M2, M21, M3, M4, date, time" as a record, computes M51 = EK(H(M5)) and sends it to the IC card box. The IC card box and the IC card each increment their own transaction sequence numbers; the IC card box requests from the IC card a credential for opening the IC card box shielding door, and on receiving the response it stores M5 and M51 in the POS system's non-volatile memory and opens the shielding door. The POS system prints a receipt containing "IC card box number, IC card box key sequence number, IC card box transaction sequence number, IC card number, IC card key sequence number, IC card transaction sequence number, transaction amount, date, time". After the receipt is signed by the cardholder and signed and stamped by the merchant's representative, the cardholder keeps the stamped copy and the merchant submits the signed receipt to the acquiring bank with an acquiring request; after verifying it, the acquiring bank applies to the issuing bank, which transfers the transaction amount from the cardholder's account to the merchant's designated account, ending the transaction flow.
10. The method for implementing the attack resistance of the financial POS system resistant to channel Trojan attacks according to claim 9, characterised in that the specific steps of step (28) are:
(281) if M32 = 1, the IC card box forwards M3 and M31 to the PIN keypad. The PIN keypad verifies M3 and M31; on failure it invokes the key-sequence-number use-count increment procedure and ends. Once M3 and M31 are verified, the PIN keypad accepts the user's PIN and sends M4 to the IC card box, where M4 = EK(H(M3, user PIN)); the PIN keypad then invokes the key-sequence-number use-count increment procedure;
(282) if M32 = 2, the IC card box forwards M3 and M31 to the user PIN pad. The user PIN pad verifies M3 and M31; on failure it invokes the key-sequence-number use-count increment procedure and ends. Once verified, it displays M3; after the user confirms that the amount in M3 is correct and enters the PIN, the user PIN pad sends M4 to the IC card box, where M4 = EK(H(M3, user PIN)); the user PIN pad then invokes the key-sequence-number use-count increment procedure.
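As an added example (not code from the patent or its applicants), the following Python simulation walks the IC card, the IC card box, the PIN device and the trust manager through steps (21) to (29) of the embodiment above and of claims 7, 9 and 10, including the key-sequence-number use-count procedure of step (13). The device names, the PUF model (a keyed PRF), EK(H( )) rendered as HMAC-SHA256, the wrapping of a rotated key under the old one, and the sample card, box and PIN values are all assumptions; the session-key envelope of step (23) and the asymmetric-key path are not modelled.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def EK(key: bytes, *parts: bytes) -> bytes:
    return prf(key, hashlib.sha256(b"|".join(parts)).digest())   # EK(H(...)) of the page, modelled as an HMAC (assumption)

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

class Chip:
    """Cryptographic chip of an IC card, IC card box or PIN device; the PUF is a keyed PRF (assumption)."""
    def __init__(self, name: bytes, puf_secret: bytes, use_limit: int):
        self.name, self._secret, self.limit = name, puf_secret, use_limit
        self.seq, self.uses, self.txn, self.nvm = 1, 0, 0, []
    def puf_key(self, seq: int) -> bytes:
        return prf(self._secret, b"sym-%d" % seq)   # re-derived from the PUF on each use, never stored
    def tag(self, *parts: bytes) -> bytes:
        return EK(self.puf_key(self.seq), *parts)
    def bump(self):
        """Step (13): count a key use; at the limit advance the sequence number and wrap the new key under the old."""
        self.uses += 1
        if self.uses < self.limit:
            return None
        old, self.seq, self.uses = self.puf_key(self.seq), self.seq + 1, 0
        return (self.name, self.seq, xor(self.puf_key(self.seq), prf(old, b"wrap-%d" % self.seq)))

class TrustManager:
    def __init__(self, chips, pin_device_of: dict, pin_of: dict):
        # step (11): each chip hands over its initial key; the manager keeps every key by sequence number
        self.keys = {c.name: {c.seq: c.puf_key(c.seq)} for c in chips}
        self.pin_device_of, self.pin_of, self.records = pin_device_of, pin_of, []
    def rekey(self, notice) -> None:
        """Unwrap a rotated key announced by a chip (notice is None when nothing rotated)."""
        if notice is not None:
            name, seq, wrapped = notice
            self.keys[name][seq] = xor(wrapped, prf(self.keys[name][seq - 1], b"wrap-%d" % seq))
    def key(self, name: bytes, seq: int = 0) -> bytes:
        return self.keys[name][seq or max(self.keys[name])]   # seq 0 means the newest key
    def check(self, name: bytes, seq: int, tag: bytes, *parts: bytes) -> bool:
        return hmac.compare_digest(tag, EK(self.key(name, seq), *parts))

def transaction(card, box, keypad, userpad, tm, amount: bytes, entered_pin: bytes):
    """Steps (21)-(29); returns the record M5 on success, None on any failed check (session layer of (23) not modelled)."""
    # (24) box -> card: M1 carries the box's key sequence number, so the manager knows which key verifies M11
    M1 = (box.name, b"%d" % box.seq, b"%d" % box.uses, b"%d" % box.txn, amount)
    M11 = box.tag(*M1)
    tm.rekey(box.bump())
    # (25) card -> box: M21 chains over M11, binding the card's reply to this box message
    M2 = (card.name, b"%d" % card.seq, b"%d" % card.uses, b"%d" % card.txn)
    M21 = card.tag(*M2, M11)
    tm.rekey(card.bump())
    # (26) box -> manager: both tags are checked with the key sequence numbers carried in M1 and M2
    if not (tm.check(box.name, int(M1[1]), M11, *M1) and tm.check(card.name, int(M2[1]), M21, *M2, M11)):
        return None
    # (27) manager -> box: M32 selects the PIN device; M31 is computed under the key shared with it (interpretation)
    pin_dev = keypad if tm.pin_device_of[card.name] == 1 else userpad   # M32 = 1 keypad, 2 user PIN pad
    M3 = M2 + (amount,)
    M31 = EK(tm.key(pin_dev.name), *M3)
    # (281)/(282) the PIN device verifies M3/M31 before taking a PIN; on failure it still counts the key use
    if not hmac.compare_digest(M31, pin_dev.tag(*M3)):
        tm.rekey(pin_dev.bump())
        return None
    M4 = pin_dev.tag(*M3, entered_pin)
    # (29) manager checks M4 against the PIN stored at initialisation; the device's use count is bumped either way
    ok = tm.check(pin_dev.name, 0, M4, *M3, tm.pin_of[card.name])
    tm.rekey(pin_dev.bump())
    if not ok:
        return None
    M5 = M1 + (M11,) + M2 + (M21,) + M3 + (M4, b"2013-02-26", b"10:00:00")   # date/time constructed
    tm.records.append(M5)
    M51 = EK(tm.key(box.name), *M5)
    box.txn, card.txn = box.txn + 1, card.txn + 1   # both sides advance their transaction sequence numbers
    box.nvm.append((M5, M51))   # kept in POS non-volatile memory before the shielding door opens
    return M5

def demo():
    card, box = Chip(b"card-6222", b"puf-card", 2), Chip(b"box-01", b"puf-box", 2)
    keypad, userpad = Chip(b"keypad-01", b"puf-kp", 2), Chip(b"userpad-01", b"puf-up", 2)
    tm = TrustManager([card, box, keypad, userpad], {card.name: 2}, {card.name: b"1234"})
    runs = [(b"100.00", b"1234"), (b"250.00", b"9999"), (b"75.50", b"1234")]   # constructed; second PIN is wrong
    results = [transaction(card, box, keypad, userpad, tm, amt, pin) for amt, pin in runs]
    return results, tm, box, card, userpad
```

Because the key sequence number travels inside M1 and M2, the trust manager can still verify M11 and M21 after a chip has rotated its key part-way through the transaction (here forced by a use limit of 2), which is what carrying it in the message buys.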
PCT/CN2013/071890 2012-03-23 2013-02-26 Financial pos system capable of resisting channel trojan attack and anti-attack implementation method thereof WO2013139194A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210081187.3 2012-03-23
CN201210081187.3A CN102663863B (en) 2012-03-23 2012-03-23 Financial POS system capable of resisting channel Trojan attack and anti-attack realization method thereof

Publications (1)

Publication Number Publication Date
WO2013139194A1 true WO2013139194A1 (en) 2013-09-26


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13764889

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13764889

Country of ref document: EP

Kind code of ref document: A1