Summary of the invention
In view of this, the invention provides a control method for an intelligent memory card, which can expand the functions of a memory card and manage the card on that basis.
In the control method for an intelligent memory card provided by the invention, the intelligent memory card comprises a memory card controller and a physical storage medium, and further carries a value-added application module for implementing value-added applications. The method comprises:
the application program sends a command packet, which carries a target type used to determine the operand of this application command packet and command code information from which the memory card controller obtains the command;
the memory card controller selects either the physical storage medium or the value-added application module as the operand according to the target type, decodes the command code information to obtain the corresponding command, and uses the decoded command to perform the corresponding operation on the selected operand.
After the decoded command has been used to perform the corresponding operation on the selected operand, the method further comprises:
the memory card controller sends a reply packet to the application program, carrying response code information that indicates whether the corresponding operation succeeded.
The command packet further carries: a packet type identifier indicating that it is a command packet, the protocol version to which this command packet corresponds, the sequence number of this command packet, a data field used to carry data, and the length of the data field of this command packet;
the reply packet further carries: a packet type identifier indicating that it is a reply packet, the protocol version to which this reply packet corresponds, the sequence number of this reply packet, the data field of this reply packet, and the length of the data field of this reply packet.
The commands are divided into four classes which, in ascending order of usage rights, are first-class commands, second-class commands, third-class commands and fourth-class commands;
before a second-class command is used to perform the corresponding operation on the selected operand, the method further comprises: the application program passes first-level authentication with the intelligent memory card;
before a third-class command is used to perform the corresponding operation on the selected operand, the method further comprises: the application program passes first-level and second-level authentication with the intelligent memory card;
before a fourth-class command is used to perform the corresponding operation on the selected operand, the method further comprises: the application program passes first-level, second-level and third-level authentication with the intelligent memory card.
An authority register for recording the authentication level that has been passed is provided in the intelligent memory card;
before a second-, third- or fourth-class command is used to perform the corresponding operation on the selected operand, the method further comprises: the memory card controller judges, according to the authentication level recorded in the authority register, whether the current command is authorized to perform the corresponding operation on the selected operand.
The first-class commands comprise: a command to reset the intelligent memory card, a command to read the intelligent memory card version information, a command to send an Application Protocol Data Unit (APDU), a command to read the normal area of the physical storage medium, a command to write the normal area of the physical storage medium, a command to read the hidden area of the physical storage medium, a command to write the hidden area of the physical storage medium, and the authentication request commands used for the respective authentications.
The intelligent memory card version information comprises: product category number, product version, product ID, manufacturer code, manufacturer name length, manufacturer name, and protocol version.
A control register is provided in the intelligent memory card, which records read/write enable information for the physical storage medium.
The authentication request commands comprise a first-level authentication request command, and first-level authentication comprises:
the application program sets the code information in the command packet to the command code information of the authentication request command, places a first-level authentication request command, which includes characteristic information identifying the identity of the user currently using the application program, in the data field of the command packet, and sends it to the memory card controller;
the memory card controller matches the characteristic information in the command packet against the characteristic information stored in the intelligent memory card, places an authentication result including the matching result in the data field of the reply packet, and returns it to the application program.
The first-level authentication request command further comprises: the command identifier of the first-level authentication request command, the length of the first-level authentication request command, a session identifier identifying the current first-level authentication interaction, and the type of the characteristic information;
the first-level authentication response further comprises: the reply identifier of the first-level authentication response, the length of the first-level authentication response, the session identifier identifying the current first-level authentication interaction, the authentication result, the failure cause when the authentication result is failure, and a key agreement flag indicating whether key agreement is to be performed.
The authentication request commands comprise a second-level authentication request command, and second-level authentication comprises:
the application program sets the code information in the command packet to the code information of the authentication request command, generates a first random number, places a second-level authentication request command including the first random number in the data field of the command packet, and sends it to the memory card controller;
the memory card controller performs a hash operation on the first random number using a preset key seed to obtain a first hash result, places a second-level authentication response including the first hash result in the data field of the reply packet, and returns it to the application program;
the application program performs the hash operation on the first random number it generated using the same key seed as the memory card controller, compares the second hash result thus obtained with the first hash result in the reply packet, and if the two are identical, places an authentication result indicating success in the data field of a command packet and sends it to the memory card controller.
The second-level authentication request command further comprises: the command identifier of the second-level authentication request command, the length of the second-level authentication request command, the session identifier identifying the current second-level authentication interaction, the hash algorithm type identifier, the hash algorithm key length, the hash algorithm key, and the key seed identifier;
the second-level authentication response further comprises: the reply identifier of the second-level authentication response, the length of the second-level authentication response, the session identifier identifying the current second-level authentication interaction, the error cause when the hash operation fails, and the length of the first hash result.
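The second-level exchange above, with both sides, as an added Python example that is not part of the patent. The page does not name the hash algorithm, so this example uses HMAC-SHA256 keyed with the preset key seed (an assumption), and it also includes the session identifier in the hashed input so that a first hash result cannot be reused for a different session; that binding and the single-use handling of the random number are choices of this example, not something the page describes.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 8  # the first random number is 64 bits (stated later in the embodiment)


def keyed_hash(key_seed: bytes, session_id: int, first_random: bytes) -> bytes:
    """Hash operation shared by both sides: HMAC-SHA256 over session id and
    random number (assumed algorithm; the page only says 'hash with the key seed')."""
    if len(first_random) != NONCE_LEN:
        raise ValueError("first random number must be 64 bits")
    return hmac.new(key_seed, struct.pack(">H", session_id) + first_random, hashlib.sha256).digest()


class CardController:
    """Holds the preset key seed and answers a LimAuthRequire with the first hash result."""

    def __init__(self, key_seed: bytes):
        self._key_seed = key_seed

    def handle_lim_auth_require(self, session_id: int, first_random: bytes) -> bytes:
        return keyed_hash(self._key_seed, session_id, first_random)


class Application:
    """Generates the first random number and checks the card's hash against its own."""

    def __init__(self, key_seed: bytes):
        self._key_seed = key_seed
        self._pending = {}  # session id -> random number awaiting a reply

    def start(self, session_id: int, first_random: bytes = None) -> bytes:
        first_random = first_random or secrets.token_bytes(NONCE_LEN)
        self._pending[session_id] = first_random
        return first_random

    def verify(self, session_id: int, first_hash: bytes) -> bool:
        first_random = self._pending.pop(session_id, None)  # single use per session
        if first_random is None:
            return False
        second_hash = keyed_hash(self._key_seed, session_id, first_random)
        return hmac.compare_digest(second_hash, first_hash)  # constant-time compare


def run_limited_auth(app: Application, card: CardController, session_id: int, first_random=None) -> bool:
    """The three steps above: request with the random number, reply with the hash,
    comparison on the application side."""
    nonce = app.start(session_id, first_random)
    return app.verify(session_id, card.handle_lim_auth_require(session_id, nonce))


if __name__ == "__main__":
    seed = b"constructed-key-seed"  # constructed sample seed shared by both sides
    print("same seed:", run_limited_auth(Application(seed), CardController(seed), 1))
    print("wrong seed:", run_limited_auth(Application(b"other"), CardController(seed), 2))
```

Note that in this flow only the card proves knowledge of the key seed; the application's final "success" message is just a notification, which is why the card's own authority decision should rest on the register it maintains rather than on that message.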
The authentication request commands comprise a third-level authentication request command, and third-level authentication comprises:
the application program sets the code information in the command packet to the code information of the authentication request command, generates a second random number, places it together with the third-level authentication request command in the data field of the command packet, and sends it to the memory card controller;
the memory card controller generates a third random number, XORs the third random number with the second random number from the command packet, and then digitally signs the XOR result with the private key corresponding to a public key certificate preset in the intelligent memory card; it places a third-level reply including the public key certificate and the digital signature in the data field of the reply packet and returns it to the application program;
the application program verifies the digital signature using the public key certificate in the reply packet, and if verification passes, places an authentication result indicating success in the data field of a command packet and sends it to the memory card controller.
The third-level authentication request command further comprises: the command identifier of the third-level authentication request command, the length of the third-level authentication request command, and the session identifier identifying the current third-level authentication interaction;
the third-level authentication response further comprises: the reply identifier of the third-level authentication response, the length of the third-level authentication response, the session identifier identifying the current third-level authentication interaction, the error cause when the XOR or signature processing fails, the algorithm type identifier of the digital signature, the third random number, the digital signature length, and the public key certificate length.
A control register for recording the read/write enable information of the physical storage medium is provided in the intelligent memory card;
before the decoded command is used to perform the corresponding operation on the physical storage medium, the method further comprises: the memory card controller judges, according to the read/write enable information recorded in the control register, whether the current command is allowed to perform a read or write operation on the physical storage medium.
The enable information comprises: a general enable flag indicating whether the physical storage medium is accessible, a write enable flag indicating whether the normal area of the physical storage medium is writable, and a read enable flag indicating whether the normal area of the physical storage medium is readable.
The second-class commands comprise: a command to read the control register, a command to write the control register, and a command to send several APDUs at once.
A special control register for recording download and pre-personalization enable information is provided in the intelligent memory card;
before the decoded command is used to perform the corresponding operation on the selected operand, the method further comprises: the memory card controller judges, according to the download and pre-personalization enable information recorded in the special control register, whether downloading an application program and/or pre-personalization is allowed.
The third-class commands comprise: a command to read the special control register and a command to write the special control register.
The fourth-class commands comprise: a command to write the intelligent memory card version information, a command to test the intelligent memory card, a command to initialize the intelligent memory card, a command to read a key in the intelligent memory card, and a command to write a key in the intelligent memory card.
As can be seen from the above technical solution, the present invention makes full use of the existing bus resources of the memory card: by adding a value-added application module to the memory card, functions can be expanded through that module, so that value-added applications are no longer tied to the SIM card. This makes it easier for value-added service operators to expand their services and gives stronger compatibility and upgradability. In addition, the present invention manages the intelligent memory card through command packets sent by the application program, so that normal operation of the intelligent memory card can be ensured.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
Fig. 1 is a schematic structural diagram of the intelligent memory card in an embodiment of the invention. As shown in Fig. 1, the intelligent memory card in this embodiment comprises: a physical interface, a memory card controller, a physical storage medium, and a smart card chip. The physical interface, memory card controller and physical storage medium are the structure of an existing memory card; the smart card chip carries the value-added application module for implementing value-added applications, so that various value-added applications can be implemented independently of the SIM card.
The value-added application module can implement value-added applications by interacting with the network side through the terminal device in a pass-through manner, in the same way as an existing SIM card. The interaction between a SIM and the network side can be implemented by those skilled in the art, and the present invention is mainly aimed at how to control and manage the intelligent memory card rather than at the interaction involved in implementing value-added applications, so it is not described further here.
Both the physical storage medium and the value-added application module in the smart card chip can be regarded as addressable resources in the intelligent memory card, and the resource management of the present invention mainly refers to the management of the smart card chip.
In this embodiment, access by the application program to the smart card chip can be achieved in the following ways:
1. Develop a driver so that the application program can access addresses outside the physical storage medium. How to develop a driver meeting this requirement can be done by those skilled in the art and is not repeated here.
2. Use a memory card extension protocol to define commands dedicated to accessing the smart card chip, and ensure that the memory card controller can recognize them. How to define the specific commands can be done by those skilled in the art and is not repeated here.
3. Map the address of the smart card chip to a preset address in the physical storage medium, so that the memory card controller can locate the expanded application chip according to the accessed address: when the application program needs to access the expanded application chip, the memory card controller can locate the address of the expanded application chip. How to implement the address mapping, and the locating based on it, can also be done by those skilled in the art and is not repeated here.
All three of the above ways can ensure that the application program can access the smart card chip. By comparison, developing a driver is more difficult and requires a longer development cycle; using a memory card extension protocol requires modifying the mobile phone terminal and the memory card controller; the address mapping approach has neither of these drawbacks. Therefore, address mapping is preferably adopted in this embodiment.
Referring to Fig. 2, when accessing the physical storage medium in the intelligent memory card, the application program and the intelligent memory card interact through the application interface, the driver and the terminal device.
Still referring to Fig. 2, taking address mapping as the example way of ensuring that the application program can access the smart card chip, the application program sends a command packet in turn through a preset interface file, the driver and the terminal device to the smart card chip in the intelligent memory card, where the corresponding operation is performed on the value-added application module in the smart card chip. Correspondingly, the value-added application module in the smart card chip can also return a reply packet to the application program along the reverse path.
Here, the interface file is mapped to the preset address in the physical storage medium to which the smart card chip is mapped. This interface file follows the rules of the file system: the basic unit of disk space occupied is not a byte but a cluster, so even an interface file of only one byte is allocated one minimum unit, i.e. one cluster.
When the application interface needs to send a command packet to the smart card chip, it only needs to write the command packet into the interface file; the command packet written into the interface file is sent to the intelligent memory card via the driver and the terminal device, and the target operation object of the command packet can be set to the preset address to which the smart card chip is mapped.
Then, the memory card controller in the intelligent memory card judges whether the target operation object of the command packet is the preset address representing the expanded application chip. If the target operation object is the preset address, it jumps to the interface protocol program entry for the expanded application chip operation corresponding to the expanded application type identifier and sends the command packet to the corresponding expanded application chip.
The above is a brief description of the structure of the intelligent memory card and its basic working principle; below, the control method for the intelligent memory card is described in detail.
Fig. 3 is an exemplary flow chart of the control method for the intelligent memory card in an embodiment of the invention. As shown in Fig. 3, the method comprises:
Step 301: the application program sends a command packet to the intelligent memory card, carrying a target type used to determine the operand of this application command packet and command code information from which the memory card controller in the intelligent memory card obtains the command.
Step 302: the memory card controller in the intelligent memory card selects the physical storage medium or the value-added application module as the operand according to the target type, decodes the command code information to obtain the corresponding command, and uses the decoded command to perform the corresponding operation on the selected operand.
In this embodiment, commands can be divided into four classes which, in ascending order of usage rights, are first-class commands, second-class commands, third-class commands and fourth-class commands.
Before the intelligent memory card uses a second-class command to perform the corresponding operation on the selected operand, the application program needs to pass first-level authentication with the intelligent memory card;
before the intelligent memory card uses a third-class command to perform the corresponding operation on the selected operand, the application program needs to pass first-level and second-level authentication with the intelligent memory card;
before the intelligent memory card uses a fourth-class command to perform the corresponding operation on the selected operand, the application program needs to pass first-level, second-level and third-level authentication with the intelligent memory card.
If the corresponding authentication has not been passed, the operation fails.
To record the authentication level that has been passed, an authority register can be provided in the intelligent memory card; the flag bits of this authority register can be as shown in Table 1.
Bit offset | Meaning
--- | ---
31~4 | Reserved
3 | Level-3 authority flag. 0: allow third-class commands to be processed; 1: refuse to process third-class commands
2 | Level-2 authority flag. 0: allow second-class commands to be processed; 1: refuse to process second-class commands
1 | Level-1 authority flag. 0: allow first-class commands to be processed; 1: refuse to process first-class commands
0 | Reserved
Table 1
Before the intelligent memory card uses a second-, third- or fourth-class command to perform the corresponding operation on the selected operand, the memory card controller in the intelligent memory card can judge, according to the authentication level recorded in the authority register, whether the current command is authorized to perform the corresponding operation on the selected operand.
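The authority check the controller performs at this point, as an added Python example that is not part of the patent. It uses the bit positions of Table 1 (bit 1 for level 1, bit 2 for level 2, bit 3 for level 3, with 0 meaning allowed) and the rule stated above that a class-n command requires levels 1 to n-1 to have been passed; how the two are combined, the reset value with every level refused, and the use of response code 4 (no authority) from Table 2 are assumptions of this example.

```python
# Table 1 bit positions of the authority register; 0 = allowed (level passed), 1 = refused
LEVEL_BIT = {1: 1, 2: 2, 3: 3}
REGISTER_RESET = 0b1110             # assumption: every level refused until it authenticates
REGISTER_MASK = 0xFFFFFFFF          # 32-bit register (bits 31..4 and bit 0 reserved)

RESP_SUCCESS = 0                    # Table 2
RESP_NO_AUTHORITY = 4               # Table 2


def mark_level_passed(register: int, level: int) -> int:
    """Clear the flag bit for an authentication level; other bits are left untouched."""
    return register & ~(1 << LEVEL_BIT[level]) & REGISTER_MASK


def mark_level_cleared(register: int, level: int) -> int:
    """Set the flag bit again, e.g. on reset or after a failed re-authentication."""
    return (register | (1 << LEVEL_BIT[level])) & REGISTER_MASK


def levels_required(command_class: int):
    """Class 1 needs no authentication; class n needs levels 1..n-1 (text after Step 302)."""
    if command_class not in (1, 2, 3, 4):
        raise ValueError("command class must be 1..4")
    return range(1, command_class)


def is_authorized(register: int, command_class: int) -> bool:
    """True only if every required level's flag bit is 0 (allowed)."""
    return all(((register >> LEVEL_BIT[lvl]) & 1) == 0 for lvl in levels_required(command_class))


def authority_check(register: int, command_class: int) -> int:
    """Response code the controller returns before executing a command of the given class."""
    return RESP_SUCCESS if is_authorized(register, command_class) else RESP_NO_AUTHORITY


if __name__ == "__main__":
    reg = REGISTER_RESET
    print("class 2 before any authentication:", authority_check(reg, 2))
    reg = mark_level_passed(reg, 1)
    print("class 2 after level 1:", authority_check(reg, 2), "class 3:", authority_check(reg, 3))
```

Because the decision is taken from the register alone, an application cannot skip a level: class 4 stays refused until all three flag bits have been cleared by the corresponding authentications.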
Step 303: the memory card controller in the intelligent memory card sends a reply packet to the application program, carrying response code information indicating whether the corresponding operation succeeded.
In this step, a successful reply means that the corresponding operation of the command was executed successfully; the response code information indicating failure can be further divided into several values according to the failure cause, as shown in Table 2.
Response code | Meaning
--- | ---
Code 0 | Reply: success
Code 1 | Reply: failure, cause is an illegal command
Code 2 | Reply: failure, cause is a timeout
Code 3 | Reply: failure, cause is that the intelligent memory card is locked
Code 4 | Reply: failure, cause is no authority
Code 5 | Reply: failure, other cause
Codes 6 to 65535 | Reserved
Table 2
Step 304: the application program decodes the response code information and learns whether the operation succeeded.
At this point, the flow ends.
It should be noted that not all commands need a reply, so steps 303 to 304 in the above flow are optional.
As can be seen, based on the structure shown in Fig. 1, function expansion can be achieved merely by adding a smart card chip to the memory card, and management and control of the intelligent memory card can be achieved through the above flow, for example managing the resources in the intelligent memory card, or authenticating and authorizing access to the intelligent memory card.
In this embodiment, the format of the command packet and the reply packet is as shown in Table 3.
Name | Meaning
--- | ---
Data field 1 | Packet type identifier
Data field 2 | Protocol version
Data field 3 | Target type
Data field 4 | Command/response code information
Data field 5 | Packet sequence number
Data field 6 | Length of the data field
Data field 7 | Data field
Table 3
In Table 3, besides the necessary target type and code information, the command packet and reply packet can also include: a packet type identifier, the protocol version to which the packet corresponds, the packet sequence number, the data field, and the data field length of the packet.
The packet type identifier indicates whether this application interface packet is a command packet or a reply packet; for example, 0x53AC can represent a command packet and 0xAC53 a reply packet;
the protocol version indicates the protocol version followed by the application interface packet; for example, 0x01 can represent the first version of the protocol, and so on;
the target type indicates the operand of the application interface packet; for example, 0x01 can indicate that the operand is the value-added application module in the smart card chip, 0x02 that the operand is the physical storage medium, and the remaining values are reserved for expansion;
the command/response code information comprises the code of the command/response carried in the data field and is used to decode the command/response. For example, if the code information in a command packet is 0x0, the memory card controller decodes 0x0 to obtain the reset command; if the code information in a reply packet is 0, the terminal application decodes 0 to obtain a reply indicating success. In effect, code information used in this way can also be regarded as a command identifier: given a preset correspondence between code information and commands/responses, either one can be obtained from the other;
the packet sequence number can occupy 4 bytes; for example, the first byte can represent the month in which the packet was sent, from 1 to 12 (decimal), the second byte the day of the month, from 1 to 31 (decimal), and the last two bytes the sequence number among packets sent on the same day, from 0x0000 to 0xFFFF;
the length of the data field indicates the length of the data carried in the packet, at most 500 (decimal), or 0 if there is no data. If the length of the data field is not 0, the data field can carry the command or the data related to the reply.
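As an added example (not code from the patent), the following Python builds and parses a packet laid out as in Table 3 with the example values given above: 0x53AC/0xAC53 type identifiers, target types 0x01/0x02, a 4-byte month/day/counter sequence number and the 500-byte data limit, with reply codes decoded per Table 2. The widths of the type, version, target and code fields (2, 1, 1 and 1 bytes) and the big-endian byte order are assumptions, since the text fixes only the sizes of the sequence number and data length; the parser treats the declared length as untrusted and rejects packets whose length field disagrees with the bytes actually received.

```python
import struct
from dataclasses import dataclass

# Values given in the text for Table 3
TYPE_COMMAND = 0x53AC
TYPE_REPLY = 0xAC53
PROTOCOL_V1 = 0x01
TARGET_SMART_CHIP = 0x01     # value-added application module in the smart card chip
TARGET_STORAGE = 0x02        # physical storage medium
MAX_DATA_LEN = 500           # decimal, from the text

# Table 2 response codes (meaningful in reply packets only)
RESPONSE_MEANING = {
    0: "success",
    1: "failure: illegal command",
    2: "failure: timeout",
    3: "failure: card locked",
    4: "failure: no authority",
    5: "failure: other reason",
}

# Assumed wire layout: type(2) | version(1) | target(1) | code(1) | seq(4) | data_len(2) | data
HEADER = struct.Struct(">HBBB4sH")


@dataclass
class Packet:
    ptype: int
    version: int
    target: int
    code: int
    month: int   # 1..12
    day: int     # 1..31
    seq: int     # 0x0000..0xFFFF, counter within the day
    data: bytes


def encode_sequence(month: int, day: int, seq: int) -> bytes:
    """Pack the 4-byte sequence number as month, day and a 16-bit counter."""
    if not (1 <= month <= 12 and 1 <= day <= 31 and 0 <= seq <= 0xFFFF):
        raise ValueError("sequence fields out of range")
    return bytes([month, day]) + seq.to_bytes(2, "big")


def build(pkt: Packet) -> bytes:
    """Serialize a packet, enforcing the 500-byte data limit before it goes on the wire."""
    if pkt.ptype not in (TYPE_COMMAND, TYPE_REPLY):
        raise ValueError("unknown packet type")
    if len(pkt.data) > MAX_DATA_LEN:
        raise ValueError("data field exceeds %d bytes" % MAX_DATA_LEN)
    header = HEADER.pack(pkt.ptype, pkt.version, pkt.target, pkt.code,
                         encode_sequence(pkt.month, pkt.day, pkt.seq), len(pkt.data))
    return header + pkt.data


def parse(raw: bytes) -> Packet:
    """Parse a packet the way the controller should: validate every header field and
    never trust the declared data length beyond the bytes actually received."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    ptype, version, target, code, seq, dlen = HEADER.unpack_from(raw)
    if ptype not in (TYPE_COMMAND, TYPE_REPLY):
        raise ValueError("unknown packet type 0x%04X" % ptype)
    if dlen > MAX_DATA_LEN:
        raise ValueError("declared data length exceeds %d" % MAX_DATA_LEN)
    if len(raw) != HEADER.size + dlen:
        raise ValueError("declared data length does not match payload")
    month, day, counter = seq[0], seq[1], int.from_bytes(seq[2:], "big")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("sequence number carries an invalid date")
    return Packet(ptype, version, target, code, month, day, counter, raw[HEADER.size:])


def describe_reply(pkt: Packet) -> str:
    """Map the response code of a reply packet to its Table 2 meaning."""
    if pkt.ptype != TYPE_REPLY:
        raise ValueError("not a reply packet")
    return RESPONSE_MEANING.get(pkt.code, "reserved")


if __name__ == "__main__":
    # Constructed sample: READ_SECTOR (code 0x3) of address 16 on the storage medium
    cmd = Packet(TYPE_COMMAND, PROTOCOL_V1, TARGET_STORAGE, 0x3, 5, 20, 1, (16).to_bytes(4, "big"))
    print(build(cmd).hex())
    reply = Packet(TYPE_REPLY, PROTOCOL_V1, TARGET_STORAGE, 4, 5, 20, 1, b"")
    print(describe_reply(parse(build(reply))))
```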
Below, the various commands and their code information are described in detail.
As mentioned above, in this embodiment all commands can be divided into four classes according to their usage rights.
First-class commands are open to ordinary users; second-class commands are used by advanced applications and are open to ordinary users in a limited way; third-class commands are used by applications internal to the intelligent memory card manufacturer and are open to development organizations whose software is developed independently on the basis of the manufacturer's; fourth-class commands are used for internal settings of the intelligent memory card manufacturer and are restricted to internal use by the manufacturer.
In this way, this embodiment can exercise control and management over the corresponding functions at the production, development and user levels of the intelligent memory card respectively.
In this embodiment, the first-class commands can comprise: a command to reset the intelligent memory card, a command to read the intelligent memory card version information, a command to send an Application Protocol Data Unit (APDU), a command to read the normal area of the physical storage medium, a command to write the normal area of the physical storage medium, a command to read the hidden area of the physical storage medium, a command to write the hidden area of the physical storage medium, and the authentication request commands used for the respective authentications.
Correspondingly, the code information of the first-class commands can be as shown in Table 4.
Command code (hexadecimal) | Name | Command meaning
--- | --- | ---
0x0 | SSC_RESET | Reset the intelligent memory card
0x1 | SSC_READ_INFO | Read the intelligent memory card version information
0x2 | SSC_APDU | Send an APDU
0x3 | READ_SECTOR | Read the normal area of the physical storage medium
0x4 | WRITE_SECTOR | Write the normal area of the physical storage medium
0x5 | READ_MULTI_SECTOR | Read the hidden area of the physical storage medium
0x6 | WRITE_MULTI_SECTOR | Write the hidden area of the physical storage medium
0x7 | AUTHENTICATE | Authentication
0x8-0xFF | Reserved | Reserved
Table 4
For the command that resets the intelligent memory card, the data field length in the command packet is 0; in the corresponding reply packet, the response code information indicates whether the reset succeeded, and the data field carries a flag representing the reset response.
The intelligent memory card version information shown in Table 4 comprises: product category number, product version, product ID, manufacturer code, manufacturer name length, manufacturer name and protocol version; see Table 5 for details.
Byte offset | Name | Meaning
--- | --- | ---
0~1 | Product category number | 1: intelligent memory card; 2: conditional access card; other values: other purposes
2~3 | Product version | 4 digits in total; the first two digits are the major version number and the last two the minor version number; each digit uses a 4-bit coding
4~11 | Product ID | 16 digits in total; each digit uses a 4-bit coding
12~13 | Manufacturer code | 0: test; 1: manufacturer 1; 2~FFFF: manufacturers 2~FFFF
14 | Manufacturer name length | Length of the manufacturer name information
15~78 | Manufacturer name | Up to 64 characters, i.e. 32 Chinese characters
79~80 | Protocol version | Protocol version, 4 digits in total; the first two digits are the major version number and the last two the minor version number; each digit uses a 4-bit coding
81~255 | Reserved |
Table 5
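As an added example, not part of the patent, the following Python packs and parses the 256-byte version information record of Table 5. The 4-bit-per-digit coding is implemented as BCD (high nibble first), the two-byte integer fields are taken as big-endian, and the manufacturer name is decoded as GBK (consistent with 64 bytes holding 32 Chinese characters); all three are assumptions. The parser rejects a name length larger than the 64-byte field rather than reading past it.

```python
RECORD_LEN = 256
NAME_FIELD_LEN = 64

CATEGORY = {1: "intelligent memory card", 2: "conditional access card"}


def bcd_encode(digits: str) -> bytes:
    """Pack decimal digits two per byte, high nibble first (assumed 4-bit coding)."""
    if len(digits) % 2 or not digits.isdigit():
        raise ValueError("need an even number of decimal digits")
    return bytes(int(digits[i]) << 4 | int(digits[i + 1]) for i in range(0, len(digits), 2))


def bcd_decode(raw: bytes) -> str:
    """Unpack BCD, rejecting nibbles above 9 instead of silently producing garbage."""
    out = []
    for b in raw:
        hi, lo = b >> 4, b & 0xF
        if hi > 9 or lo > 9:
            raise ValueError("non-decimal nibble in BCD byte 0x%02X" % b)
        out.append("%d%d" % (hi, lo))
    return "".join(out)


def build_version_info(category: int, version: str, product_id: str,
                       manufacturer_code: int, name: str, protocol: str) -> bytes:
    """Constructed record for testing; the layout follows the byte offsets of Table 5."""
    name_bytes = name.encode("gbk")  # encoding assumption
    if len(name_bytes) > NAME_FIELD_LEN:
        raise ValueError("manufacturer name longer than 64 bytes")
    if len(version) != 4 or len(product_id) != 16 or len(protocol) != 4:
        raise ValueError("version/protocol need 4 digits, product ID needs 16")
    rec = bytearray(RECORD_LEN)
    rec[0:2] = category.to_bytes(2, "big")
    rec[2:4] = bcd_encode(version)
    rec[4:12] = bcd_encode(product_id)
    rec[12:14] = manufacturer_code.to_bytes(2, "big")
    rec[14] = len(name_bytes)
    rec[15:15 + len(name_bytes)] = name_bytes
    rec[79:81] = bcd_encode(protocol)
    return bytes(rec)


def parse_version_info(rec: bytes) -> dict:
    """Decode a record returned by SSC_READ_INFO, bounds-checking the name length."""
    if len(rec) != RECORD_LEN:
        raise ValueError("version info record must be %d bytes" % RECORD_LEN)
    name_len = rec[14]
    if name_len > NAME_FIELD_LEN:
        raise ValueError("manufacturer name length %d exceeds the 64-byte field" % name_len)
    version = bcd_decode(rec[2:4])
    protocol = bcd_decode(rec[79:81])
    category = int.from_bytes(rec[0:2], "big")
    code = int.from_bytes(rec[12:14], "big")
    return {
        "category": CATEGORY.get(category, "other"),
        "version": (version[:2], version[2:]),      # (major, minor)
        "product_id": bcd_decode(rec[4:12]),
        "manufacturer": "test" if code == 0 else "manufacturer %d" % code,
        "manufacturer_name": rec[15:15 + name_len].decode("gbk"),
        "protocol": (protocol[:2], protocol[2:]),   # (major, minor)
    }


if __name__ == "__main__":
    sample = build_version_info(1, "0102", "1234567890123456", 1, "Example Co", "0100")
    print(parse_version_info(sample))
```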
For the command that sends an APDU, the data carried in the data field is the APDU, which can carry the data exchanged with the network side to implement the value-added application. After the application program receives a reply packet from the intelligent memory card carrying an APDU in its data field, it can pass the APDU through to the network side; after receiving an APDU from the network side, it can place that APDU in a command packet whose code information represents sending an APDU and send it to the intelligent memory card.
As mentioned above, since the value-added application module can implement value-added applications by interacting with the network side through the terminal device in a pass-through manner, in the same way as an existing SIM card, and the interaction between a SIM and the network side can be implemented by those skilled in the art, the data related to that interaction carried in the APDU is not described further here.
For the commands that read the normal area and the hidden area of the physical storage medium, the data field carries the address number; for the commands that write the normal area and the hidden area of the physical storage medium, the data field carries the address number and the data to be written; see Table 6.
Byte offset | Name | Meaning
--- | --- | ---
0~3 | Address | Address number
4~509 | Data | Data to be written
Table 6
The authentication commands can be divided into a first-level authentication request command, a second-level authentication request command and a third-level authentication request command.
These three authentication request commands can use the same command code information as shown in Table 4 while carrying different command identifiers in the data field; alternatively, they can use different command code information, in which case no command identifier needs to be carried in the data field.
First-level authentication can also be called simple authentication, and its flow comprises:
1a. The application program sets the code information in the command packet to the command code information of the authentication request command, places a first-level authentication request (SimAuthRequire) command, which includes characteristic information identifying the identity of the user currently using the application program, in the data field of the command packet, and sends it to the intelligent memory card;
1b. The memory card controller in the intelligent memory card matches the characteristic information in the command packet against the characteristic information stored in the intelligent memory card, places authentication result (SimAuthResult) information including the matching result in the data field of the reply packet, and returns it to the application program. Alternatively, this step can set the response code information of the reply packet to the code indicating success and carry no SimAuthResult information in the data field. If the target operation object of the command packet carrying the SimAuthRequire command is the physical storage medium, the characteristic information stored in the intelligent memory card is that of the physical storage medium; otherwise, it is that of the value-added application module in the smart card chip.
The format of SimAuthRequire is shown in Table 7 and comprises: the command identifier of SimAuthRequire, the length of SimAuthRequire, a session identifier (SessionID) identifying the current first-level authentication interaction, the characteristic information (CharInfo) and the type of the characteristic information (CharInfoCat).
Field | Length | Type
The command id of SimAuthRequire | 2 bytes | Integer
The length of SimAuthRequire | 2 bytes | Integer
SessionID | 2 bytes | Integer
Reserved field | 2 bytes | Integer
Characteristic information | 1 byte | Integer
The type of characteristic information | Variable | Integer/character string
Table 7
In Table 7, the characteristic information type can include at least a username and password and the unique identifier of the intelligent memory card, represented by 0x00 and 0x01 respectively. The characteristic information is information shared between the application and the intelligent memory card, and its length is arbitrary.
The format of SimAuthResult is shown in Table 8 and comprises: the reply flag of SimAuthResult, the length of SimAuthResult, the SessionID identifying the current first-level authentication exchange, the failure cause when the authentication result is failure, the authentication result (VerifyResult), and the key agreement flag (KAFlag) indicating whether key agreement is performed.
Field | Length | Type
Reply flag | 2 bytes | Integer
The length of the first-level authentication result | 2 bytes | Integer
SessionID | 2 bytes | Integer
Failure cause | 2 bytes | Integer
Authentication result | 1 byte | Integer
Key agreement flag | 1 byte | Integer
Reserved field | 2 bytes | Integer
Table 8
Second-level authentication can also be called limited authentication, and its flow comprises:
2a. The application sets the code information of the command packet to the code information of the authentication request command, generates a 64-bit first random number, places a second-level authentication request (LimAuthRequire) command including the first random number in the data field of the command packet, and sends it to the intelligent memory card;
2b. The memory card controller in the intelligent memory card performs a hash operation on the first random number using the default key seed to obtain a first hash result, places a second-level authentication response (LimAuthResponse) including the first hash result in the data field of the reply packet, and returns it to the application. If the default key seed is stored in the physical storage medium, the target operand of the command packet carrying the LimAuthRequire command indicates the physical storage medium; otherwise it indicates the value-added application module in the smart card chip;
2c. The application performs the hash operation on the first random number it generated using the same key seed as the memory card controller, compares the resulting second hash result with the first hash result in the reply packet, and, if the two are identical, places a second-level authentication result (LimAuthResult) indicating authentication success in the data field of a command packet and sends it to the intelligent memory card.
The format of LimAuthRequire is shown in Table 9 and comprises: the command identifier of LimAuthRequire, the length of LimAuthRequire, the SessionID identifying the current second-level authentication exchange, the hash algorithm type identifier (HashAlgorithm), the hash algorithm key length (HashKeyLen), the hash algorithm key (HashKey), the key seed identifier (SeedID), and the first random number.
Field | Length | Type
The command id of LimAuthRequire | 2 bytes | Integer
The length of LimAuthRequire | 2 bytes | Integer
SessionID | 2 bytes | Integer
HashAlgorithm | 4 bytes | Integer
HashKeyLen | 2 bytes | Integer
HashKey | Variable | Integer
SeedID | 2 bytes | Integer
First random number | 8 bytes | Integer
Reserved field | 2 bytes | Integer
Table 9
The format of LimAuthResponse is shown in Table 10 and comprises: the reply flag of LimAuthResponse, the length of LimAuthResponse, the SessionID identifying the current second-level authentication exchange, the error reason when the hash operation fails, the length of the first hash result, and the first hash result (HashVal).
Field | Length | Type
LimAuthResponse reply flag | 2 bytes | Integer
The length of LimAuthResponse | 2 bytes | Integer
SessionID | 2 bytes | Integer
Error reason | 2 bytes | Integer
The length of the first hash result | 2 bytes | Integer
HashVal | Variable | Integer
Reserved field | 2 bytes | Integer
Table 10
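The second-level (limited) authentication exchange of steps 2a to 2c, with LimAuthRequire and LimAuthResponse encoded as in Tables 9 and 10, as an added example that is not part of the patent and not any card vendor's code. The page does not specify byte order, the concrete command identifier and reply flag values, the HashAlgorithm identifiers, the error reason codes, or how HashKey and the card's stored key seed enter the hash operation; the example assumes big-endian fields, constructed identifiers, and an HMAC keyed with the stored seed over HashKey followed by the first random number, and labels each of these as an assumption.

```python
import hashlib
import hmac
import os
import struct

# Assumed wire format: big-endian fields. The identifiers, algorithm ids and
# error reasons below are constructed for this example, not taken from the page.
LIM_AUTH_REQUIRE_ID = 0x0102            # constructed command id for LimAuthRequire
LIM_AUTH_RESPONSE_FLAG = 0x8102         # constructed reply flag for LimAuthResponse
HASH_ALGORITHMS = {0x00000001: "sha256", 0x00000002: "sha1"}   # constructed ids
ERR_NONE, ERR_BAD_ALGORITHM, ERR_BAD_SEED = 0, 1, 2             # constructed codes


def keyed_hash(alg_name, seed, hash_key, nonce):
    """Assumed hash operation: HMAC keyed with the stored key seed over
    HashKey || first random number, so application and card agree on it."""
    return hmac.new(seed, hash_key + nonce, getattr(hashlib, alg_name)).digest()


def build_lim_auth_require(session_id, hash_alg, hash_key, seed_id, nonce):
    """Encode LimAuthRequire with the field layout of Table 9."""
    if len(nonce) != 8:
        raise ValueError("first random number must be 64 bits")
    body = struct.pack(">HIH", session_id, hash_alg, len(hash_key)) + hash_key
    body += struct.pack(">H8sH", seed_id, nonce, 0)          # SeedID, nonce, reserved
    # The length field counts the whole command, including id and length.
    return struct.pack(">HH", LIM_AUTH_REQUIRE_ID, 4 + len(body)) + body


def parse_lim_auth_require(buf):
    """Decode Table 9, rejecting truncated or over-long commands."""
    cmd_id, length = struct.unpack_from(">HH", buf, 0)
    if cmd_id != LIM_AUTH_REQUIRE_ID or length != len(buf):
        raise ValueError("not a well-formed LimAuthRequire")
    session_id, hash_alg, key_len = struct.unpack_from(">HIH", buf, 4)
    if 12 + key_len + 12 != length:
        raise ValueError("HashKeyLen inconsistent with command length")
    hash_key = buf[12:12 + key_len]
    seed_id, nonce, _reserved = struct.unpack_from(">H8sH", buf, 12 + key_len)
    return dict(session_id=session_id, hash_alg=hash_alg, hash_key=hash_key,
                seed_id=seed_id, nonce=nonce)


def build_lim_auth_response(session_id, error, hash_val):
    """Encode LimAuthResponse with the field layout of Table 10."""
    body = struct.pack(">HHH", session_id, error, len(hash_val)) + hash_val
    body += struct.pack(">H", 0)                              # reserved
    return struct.pack(">HH", LIM_AUTH_RESPONSE_FLAG, 4 + len(body)) + body


def parse_lim_auth_response(buf):
    """Decode Table 10 with the same length checks as the request parser."""
    flag, length = struct.unpack_from(">HH", buf, 0)
    if flag != LIM_AUTH_RESPONSE_FLAG or length != len(buf):
        raise ValueError("not a well-formed LimAuthResponse")
    session_id, error, hash_len = struct.unpack_from(">HHH", buf, 4)
    if 10 + hash_len + 2 != length:
        raise ValueError("hash length inconsistent with reply length")
    return dict(session_id=session_id, error=error, hash_val=buf[10:10 + hash_len])


def card_handle_lim_auth_require(buf, stored_seeds):
    """Step 2b on the card: hash the application's random number with the
    default key seed selected by SeedID and return it as HashVal."""
    req = parse_lim_auth_require(buf)
    alg = HASH_ALGORITHMS.get(req["hash_alg"])
    if alg is None:
        return build_lim_auth_response(req["session_id"], ERR_BAD_ALGORITHM, b"")
    seed = stored_seeds.get(req["seed_id"])
    if seed is None:
        return build_lim_auth_response(req["session_id"], ERR_BAD_SEED, b"")
    digest = keyed_hash(alg, seed, req["hash_key"], req["nonce"])
    return build_lim_auth_response(req["session_id"], ERR_NONE, digest)


def run_level2_authentication(stored_seeds, app_seed, seed_id=1, hash_alg=1):
    """Steps 2a and 2c on the application side. True means the card produced
    the same hash result for this session's random number as the application."""
    session_id = 0x0042                                       # constructed session id
    nonce = os.urandom(8)                                     # 64-bit first random number
    hash_key = b"\x01\x02\x03\x04"                            # constructed HashKey
    request = build_lim_auth_require(session_id, hash_alg, hash_key, seed_id, nonce)
    reply = card_handle_lim_auth_require(request, stored_seeds)
    resp = parse_lim_auth_response(reply)
    if resp["session_id"] != session_id or resp["error"] != ERR_NONE:
        return False
    expected = keyed_hash(HASH_ALGORITHMS[hash_alg], app_seed, hash_key, nonce)
    # Constant-time comparison of the second hash result with HashVal.
    return hmac.compare_digest(expected, resp["hash_val"])
```

Both parsers check that the length field, HashKeyLen and the hash length agree with the bytes actually received before any field is used, and the application checks the SessionID of the reply against the one it sent, so a reply belonging to another session cannot be mistaken for this one; the comparison in step 2c uses `hmac.compare_digest` rather than `==`.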
Third-level authentication can also be called enhanced authentication, and its flow comprises:
3a. The application sets the code information of the command packet to the code information of the authentication request command, generates a second random number, places it together with a third-level authentication request (EnhAuthRequire) command in the data field of the command packet, and sends it to the intelligent memory card;
3b. The memory card controller in the intelligent memory card generates a third random number, XORs the third random number with the second random number in the command packet, and then digitally signs the XOR result using the private key corresponding to the default public key certificate in the intelligent memory card; it places a third-level response (EnhAuthResponse) including the public key certificate and the digital signature in the data field of the reply packet and returns it to the application. If the default public key certificate and its corresponding private key are stored in the physical storage medium, the target operand of the command packet carrying the EnhAuthRequire command indicates the physical storage medium; otherwise it indicates the value-added application module in the smart card chip;
3c. The application verifies the digital signature using the public key certificate in the reply packet and, if verification passes, places a third-level authentication result (EnhAuthResult) indicating authentication success in the data field of a command packet and sends it to the intelligent memory card.
The format of EnhAuthRequire is shown in Table 11 and comprises: the command identifier of EnhAuthRequire, the length of EnhAuthRequire, the SessionID identifying the current third-level authentication exchange, and the second random number.
Field | Length | Type
The command id of EnhAuthRequire | 2 bytes | Integer
The length of EnhAuthRequire | 2 bytes | Integer
SessionID | 2 bytes | Integer
Second random number | 8 bytes | Integer
Reserved field | 2 bytes | Integer
Table 11
The format of EnhAuthResponse is shown in Table 12 and comprises: the reply flag of EnhAuthResponse, the length of EnhAuthResponse, the SessionID identifying the current third-level authentication exchange, the error reason when the XOR or signature processing fails, the digital signature algorithm type identifier (SignAlgorithm), the third random number, the digital signature length (SignLen), the digital signature (Signature), the public key certificate length (PKCertificateLen), and the public key certificate (PKCertificate).
Field | Length | Type
EnhAuthResponse reply flag | 2 bytes | Integer
The length of EnhAuthResponse | 2 bytes | Integer
SessionID | 2 bytes | Integer
Error reason | 2 bytes | Integer
SignAlgorithm | 2 bytes | Integer
Third random number | 8 bytes | Integer
SignLen | 2 bytes | Integer
Signature | Variable | Integer/character string
PKCertificateLen | 2 bytes | Integer
PKCertificate | Variable | Integer/character string
Reserved field | 2 bytes | Integer
Table 12
The relationship between the authentication levels described above can be as shown in Figure 4. Once the intelligent memory card has begun interacting with the application, first-class commands can be used to implement common applications. After first-level authentication, second-class commands can be used to implement advanced applications, while first-class commands can still be used to implement common applications. After second-level authentication, third-class commands can be used to implement manufacturer-internal applications that are ultimately handed over to the card issuer for use, while second-class commands can still be used to implement advanced applications and first-class commands to implement common applications. After third-level authentication, fourth-class commands can be used to implement manufacturer-internal applications used by the manufacturer itself, while third-class commands can still be used to implement the manufacturer-internal applications handed over to the card issuer, second-class commands to implement advanced applications, and first-class commands to implement common applications.
The encryption and decryption, hash operations and key agreement involved in the above authentication levels can be implemented by those skilled in the art and are not repeated here.
In this embodiment, a control register for recording the read/write enable information of the physical storage medium may be provided in the intelligent memory card. Thus, before the decoded command is used to operate on the physical storage medium, whether the current command is allowed to perform a read or write operation on the physical storage medium can be judged according to the read/write enable information recorded in the control register.
The flag bits representing the read/write enable information in the control register can be as shown in Table 13 and comprise: a general enable indicating whether the normal area of the physical storage medium is accessible, a write enable indicating whether the normal area of the physical storage medium is writable, and a read enable indicating whether the normal area of the physical storage medium is readable.
Bit offset | Title | Implication
31~3 | Reserved |
2 | Generic command enable | 0: disabled; 1: enabled
1 | Write enable | 0: writing the normal area of the physical storage medium is forbidden; 1: writing the normal area of the physical storage medium is allowed
0 | Read enable | 0: reading the normal area of the physical storage medium is forbidden; 1: reading the normal area of the physical storage medium is allowed
Table 13
The second-class commands in this embodiment are mainly directed at the control register and specifically comprise a read control register command and a write control register command; the second-class commands may also comprise a command indicating that multiple APDUs are sent at once.
The command code information of the second-class commands is shown in Table 14.
Command code (hexadecimal) | Name | Implication
0x100 | SSC_READ_REGISTER | Read the intelligent memory card control register
0x101 | SSC_WRITE_REGISTER | Write the intelligent memory card control register
0x102 | MULTI_COMMAND | Send multiple APDUs
0x103-0x1FF | Reserved | Reserved
Table 14
In addition, in this embodiment, a special control register for recording download and pre-personalization enable information may also be provided in the intelligent memory card. Thus, before the decoded command is used to operate on the selected operand, whether application download is allowed and/or whether pre-personalization is allowed can be judged according to the download and pre-personalization enable information recorded in the special control register. How pre-personalization is implemented can be done by those skilled in the art and is not repeated here.
The flag bits representing the read/write enable information in the special control register can be as shown in Table 15.
Bit offset | Title | Implication
31~2 | Reserved |
1 | Application download enable | 0: application download forbidden; 1: application download allowed
0 | Pre-personalization enable | 0: pre-personalization forbidden; 1: pre-personalization allowed
Table 15
The third-class commands in this embodiment are mainly directed at the special control register and specifically comprise a read special control register command and a write special control register command. The command code information of the third-class commands is shown in Table 16.
Command code (hexadecimal) | Name | Implication
0x200 | SSC_READ_REGISTER | Read the special control register
0x201 | SSC_WRITE_REGISTER | Write the special control register
0x201-0x2FF | Reserved | Reserved
Table 16
The fourth-class commands in this embodiment comprise: a write intelligent memory card version information command, a test intelligent memory card command, an initialize intelligent memory card command, a read key in intelligent memory card command, and a write key in intelligent memory card command. The code information of the fourth-class commands is shown in Table 17.
Command code (hexadecimal) | Name | Implication
0x300 | SSC_WRITE_INFO | Write the intelligent memory card version information
0x301 | TEST | Test the intelligent memory card
0x302 | INIT | Initialize the intelligent memory card
0x303 | READ_KEY | Read a key in the intelligent memory card
0x304 | WIETE_KEY | Write a key in the intelligent memory card
0x305-0x3FF | Reserved | Reserved
Table 17
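The command gating described above, as an added example that is not part of the patent and not any vendor's firmware: the authentication level each command class requires (the Figure 4 relation, with the command code ranges of Tables 14, 16 and 17), the read/write enables of Table 13, and the download and pre-personalization enables of Table 15. The page gives no command codes for the first-class commands in this section, so the example assumes they occupy 0x000-0x0FF; the refusal to let a register write alter reserved bits is an added hardening choice, not something the page states.

```python
from enum import IntEnum


class AuthLevel(IntEnum):
    """Authentication levels in the order they are reached (Figure 4)."""
    NONE = 0        # card has only begun interacting with the application
    FIRST = 1       # simple authentication (SimAuthRequire)
    SECOND = 2      # limited authentication (LimAuthRequire)
    THIRD = 3       # enhanced authentication (EnhAuthRequire)


# Command codes from Tables 14, 16 and 17 (third-class register commands share
# the second-class names on the page, so they are suffixed here for clarity).
SSC_READ_REGISTER, SSC_WRITE_REGISTER, MULTI_COMMAND = 0x100, 0x101, 0x102
SSC_READ_SPECIAL_REGISTER, SSC_WRITE_SPECIAL_REGISTER = 0x200, 0x201
SSC_WRITE_INFO, TEST, INIT, READ_KEY, WRITE_KEY = 0x300, 0x301, 0x302, 0x303, 0x304

# Control register (Table 13): bit 0 read enable, bit 1 write enable,
# bit 2 generic command enable, bits 31..3 reserved.
READ_ENABLE, WRITE_ENABLE, GENERIC_ENABLE = 1 << 0, 1 << 1, 1 << 2
CONTROL_RESERVED_MASK = 0xFFFFFFFF & ~0x7
# Special control register (Table 15): bit 0 pre-personalization enable,
# bit 1 application download enable, bits 31..2 reserved.
PRE_PERSONALIZE_ENABLE, APP_DOWNLOAD_ENABLE = 1 << 0, 1 << 1
SPECIAL_RESERVED_MASK = 0xFFFFFFFF & ~0x3


def required_auth_level(command_code):
    """Map a command code to the level Figure 4 requires. Assumes the first
    class occupies 0x000-0x0FF; the page shows the second class from 0x100."""
    if not 0 <= command_code <= 0x3FF:
        raise ValueError(f"command code {command_code:#x} outside the defined ranges")
    return AuthLevel(command_code >> 8)     # 0x0xx -> NONE ... 0x3xx -> THIRD


def command_permitted(command_code, achieved_level):
    """Each level unlocks its class and keeps every lower class usable, so the
    check is an ordering comparison on the level reached in this session."""
    return achieved_level >= required_auth_level(command_code)


def medium_access_permitted(control_register, write):
    """Judge from the Table 13 enables whether the current command may read or
    write the normal area of the physical storage medium. Treating the generic
    command enable as a prerequisite for either access is an assumption."""
    if not control_register & GENERIC_ENABLE:
        return False
    return bool(control_register & (WRITE_ENABLE if write else READ_ENABLE))


def special_access_permitted(special_register, action):
    """action is 'download' or 'pre_personalize', per Table 15."""
    bit = {"download": APP_DOWNLOAD_ENABLE,
           "pre_personalize": PRE_PERSONALIZE_ENABLE}[action]
    return bool(special_register & bit)


def write_register(current, new_value, reserved_mask):
    """Model of a register write that keeps reserved bits at their current
    value rather than letting the caller set them (added hardening choice)."""
    if not 0 <= new_value <= 0xFFFFFFFF:
        raise ValueError("register value must fit in 32 bits")
    return (current & reserved_mask) | (new_value & ~reserved_mask & 0xFFFFFFFF)


def controller_accepts(command_code, achieved_level, control_register):
    """Combined gate in the order the page describes: the class must be
    unlocked by the achieved level, then the register enables apply to the
    second-class register commands' own target (the control register)."""
    if not command_permitted(command_code, achieved_level):
        return "authentication level too low"
    if command_code == SSC_WRITE_REGISTER and not control_register & GENERIC_ENABLE:
        return "generic command enable is clear"
    return "ok"
```

`required_auth_level` derives the class from the high byte of the command code, which is exactly the partition the three tables show (0x1xx, 0x2xx, 0x3xx); if a deployment numbers first-class commands differently, only that function changes.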
The test intelligent memory card command may be directed at different test objects, and the test commands for different objects carry different test command identifiers, as shown in Table 18.
Test command identifier (hexadecimal) | Title | Implication
0 | Reserved |
1 | Terminal equipment (for example, card reader) loopback test | Smart card reader interface loopback test
2 | Intelligent memory card loopback test | Smart card loopback test
3~255 | Reserved |
Table 18
How the loopback test is implemented can be done by those skilled in the art and is not repeated here.
The above are only preferred embodiments of the invention and are not intended to limit the scope of protection of the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.