Summary of the invention
The invention provides a smart card applicable to specialized mobile radio requirements, together with a security control method for it. The card supports both civilian and special-purpose use, realizes data isolation and secure storage, can carry civilian and dedicated-network authentication algorithms and user identification algorithms, and can expose a rich set of security service interfaces.
To solve the technical problems described above, the invention provides the following technical scheme:
A security control method for a smart card applicable to specialized mobile radio requirements, in which the storage area of the smart card is divided into a first storage area and a second storage area. The first storage area stores the authentication algorithm and identification algorithm preset by the operator before the smart card is issued, and is used when the operating mode is the normal mode; the second storage area stores the user-defined authentication algorithm and/or identification algorithm loaded after the smart card is issued. The smart card:
obtains the operating mode the user intends to use;
when the operating mode is the normal mode, executes, in the authentication or identification procedure, the operator-preset authentication algorithm or identification algorithm held in the first storage area; and, when the operating mode is the custom mode, starts the virtual machine program in the authentication or identification procedure to execute the authentication algorithm or identification algorithm stored in the second storage area.
Preferably, the method also has the following feature: the authentication algorithm and/or identification algorithm stored in the second storage area is obtained after the card has been connected to an external data terminal through a card reader.
Preferably, the method also has the following feature: before obtaining the authentication algorithm and/or identification algorithm to be used when the operating mode is the custom mode, the method also comprises:
performing write-protection processing on the first storage area.
Preferably, the method also has the following feature: the method also comprises:
if an information security service request is received, providing the information security service externally using the security algorithm prestored in the smart card.
Preferably, the method also has the following feature: the information security service comprises at least one of encryption, decryption, signing and signature verification.
A smart card applicable to specialized mobile radio requirements, comprising a processor and a memory, the storage area of the memory being divided into a first storage area and a second storage area, where the first storage area stores the authentication algorithm and identification algorithm preset by the operator before the smart card is issued and is used when the operating mode is the normal mode, and the second storage area stores the user-defined authentication algorithm and/or identification algorithm loaded after the smart card is issued; the processor comprises:
a download module, for downloading the user-defined authentication algorithm and/or identification algorithm from outside and saving it in the second storage area;
a virtual machine module, for executing the authentication algorithm and/or identification algorithm in the second storage area;
a mode acquisition module, for obtaining the operating mode the user intends to use;
a processing module, for executing, when the operating mode is the normal mode, the operator-preset authentication algorithm or identification algorithm in the first storage area in the authentication or identification procedure; and, when the operating mode is the custom mode, starting the virtual machine program in the authentication or identification procedure to execute the authentication algorithm or identification algorithm stored in the second storage area.
Preferably, the smart card also has the following feature: the first storage area is a storage area on which a write-protection operation has been performed.
Preferably, the smart card also has the following features:
the download module is also for downloading user-defined security algorithm applications from outside;
the smart card also comprises:
a security service module, for providing the information security service externally, using the security algorithm application in the smart card, when an information security service request is received.
Preferably, the smart card also has the following feature: the information security service provided by the security service module comprises at least one of encryption, decryption, signing and signature verification.
Compared with the prior art, the smart card and its control method provided by the embodiments of the present invention not only carry newly customized network authentication algorithms and user identification algorithms but also retain the legacy network authentication algorithm and user identification algorithm of an ordinary smart card, and can be flexibly configured by the user.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that, where they do not conflict, the embodiments in this application and the features of the embodiments can be combined with one another arbitrarily.
Fig. 1 is a schematic flow chart of an embodiment of the security control method for a smart card applicable to specialized mobile radio requirements, as provided by the embodiment of the present invention. In the method embodiment shown in Fig. 1, the storage area in the smart card can logically support multiple secure storage sections for storing different authentication algorithms and/or identification algorithms. Distinguished by the time at which the authentication algorithm and/or identification algorithm is deployed, the storage can be divided into a first storage area and a second storage area: the first storage area stores the authentication algorithm and identification algorithm preset by the operator before the smart card is issued and is used when the operating mode is the normal mode; the second storage area stores the user-defined authentication algorithm and/or identification algorithm loaded after the smart card is issued and is used when the operating mode is the custom mode. The smart card:
Step 101: obtains the operating mode the user intends to use;
Step 102: when the operating mode is the normal mode, executes, in the authentication or identification procedure, the operator-preset authentication algorithm or identification algorithm in the first storage area;
Step 103: when the operating mode is the custom mode, starts the virtual machine program in the authentication or identification procedure to execute the authentication algorithm or identification algorithm stored in the second storage area.
It should be noted that the user may define only a new authentication algorithm without defining a new identification algorithm; in that case, under the custom mode the smart card uses the authentication algorithm stored in the second storage area for authentication and the identification algorithm in the first storage area for identification. The reverse also holds.
Correspondingly, if the operating mode is the normal mode, the procedure is handled in the conventional way.
Naturally, to ensure that the data in the first storage area cannot be damaged after the smart card is issued, write-protection processing is performed on the first storage area before new content is written to the smart card.
The authentication algorithm and/or identification algorithm stored in the second storage area can be obtained after the card has been connected to an external data terminal through a card reader, or can be obtained by network download.
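The following added example, which is not code from the patent, models steps 101 to 103 together with the write-protection of the first storage area and the mixed case in which the user customizes only one of the two algorithms. The slot names, the stand-in algorithms (HMAC-SHA256 and a PIN comparison) and the constructed key and PIN values are assumptions; the flag values 0 for the normal mode and 1 for the custom mode are the ones the embodiment description gives.

```python
"""Constructed model of the two-storage-area control logic (added example, not the patent's code).

Area 1 holds the operator-preset (legacy) algorithms and is write-protected at issuance;
area 2 receives algorithms downloaded afterwards; a mode flag (0 = normal, 1 = custom)
selects which area is used. Slot names and the stand-in algorithms are assumptions.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

NORMAL_MODE = 0   # flag value recorded in the card for the normal mode
CUSTOM_MODE = 1   # flag value recorded in the card for the custom mode

NET_AUTH = "network_auth"   # slot names are assumptions, not from the page
USER_AUTH = "user_auth"


class StorageArea:
    """One logical secure storage section holding algorithm slots."""

    def __init__(self) -> None:
        self.algorithms: Dict[str, Callable] = {}
        self.write_protected = False

    def store(self, slot: str, algorithm: Callable) -> None:
        if self.write_protected:
            raise PermissionError("storage area is write-protected")
        self.algorithms[slot] = algorithm

    def get(self, slot: str) -> Optional[Callable]:
        return self.algorithms.get(slot)


# Stand-ins for the operator-preset algorithms (constructed; not the real ones).
def legacy_network_auth(key: bytes, challenge: bytes) -> bytes:
    """Challenge-response: 8-byte truncated HMAC-SHA256 over the network challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


def legacy_user_auth(stored_pin: bytes, presented_pin: bytes) -> bool:
    """PIN check with a constant-time comparison."""
    return hmac.compare_digest(stored_pin, presented_pin)


class SmartCard:
    def __init__(self, network_key: bytes, pin: bytes) -> None:
        self.network_key = network_key   # personalization data written at issuance
        self.pin = pin
        self.area1 = StorageArea()
        self.area2 = StorageArea()
        self.mode = NORMAL_MODE
        # Card-issuing stage: preset the legacy algorithms, then lock area 1.
        self.area1.store(NET_AUTH, legacy_network_auth)
        self.area1.store(USER_AUTH, legacy_user_auth)
        self.area1.write_protected = True

    def select_mode(self, mode: int) -> None:
        """Step 101: record the mode chosen by the user (e.g. via the STK menu)."""
        if mode not in (NORMAL_MODE, CUSTOM_MODE):
            raise ValueError("unknown operating mode")
        self.mode = mode

    def download(self, slot: str, algorithm: Callable) -> None:
        """Post-issuance download of a user-defined algorithm; only area 2 is writable."""
        self.area2.store(slot, algorithm)

    def _select(self, slot: str) -> Callable:
        """Steps 102/103: pick the algorithm for this slot from the mode flag.
        In custom mode a slot the user did not customize falls back to area 1, which is
        the mixed case (custom authentication with legacy identification, or vice versa)."""
        if self.mode == CUSTOM_MODE:
            custom = self.area2.get(slot)
            if custom is not None:
                return custom
        return self.area1.get(slot)

    def network_authenticate(self, challenge: bytes) -> bytes:
        return self._select(NET_AUTH)(self.network_key, challenge)

    def verify_user(self, presented_pin: bytes) -> bool:
        return self._select(USER_AUTH)(self.pin, presented_pin)


# A constructed custom algorithm, standing in for one a user security department would supply.
def custom_network_auth(key: bytes, challenge: bytes) -> bytes:
    return hashlib.sha256(key + challenge).digest()[:8]


def demo() -> dict:
    card = SmartCard(network_key=b"\x01" * 16, pin=b"1234")   # constructed values
    challenge = b"\xAA" * 8
    result = {"normal": card.network_authenticate(challenge)}
    card.select_mode(CUSTOM_MODE)
    result["custom_before_download"] = card.network_authenticate(challenge)  # area 1 fallback
    card.download(NET_AUTH, custom_network_auth)
    result["custom_after_download"] = card.network_authenticate(challenge)
    result["pin_ok"] = card.verify_user(b"1234")  # no custom user algorithm: legacy PIN check
    try:
        card.area1.store(NET_AUTH, custom_network_auth)   # must be refused after issuance
        result["area1_locked"] = False
    except PermissionError:
        result["area1_locked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the fallback in `_select` is that switching the flag to custom mode is safe even before any custom algorithm has been downloaded: the card keeps behaving like an ordinary card for every slot the user has not replaced, and the locked area 1 guarantees that a later download cannot overwrite the operator's presets.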
Specifically, obtaining the operating mode the user intends to use can be implemented by STK menu selection. Fig. 2 is a schematic diagram of the menu selection method provided by the embodiment of the present invention. The operating mode the user wants is determined from the user's selection in the menu.
As can be seen from the above, the method supports customized network authentication algorithms and user authentication algorithms. The customized network authentication algorithm and user identification algorithm can be developed by the user's security department, and the mechanism of the algorithm is transparent to the card provider; accordingly, the smart card provider should supply a corresponding security system that supports the deployment, secure storage, activation, use and upgrade of the new authentication algorithm and user identification algorithm. In addition, the newly customized algorithm and the traditional algorithm coexist and can be flexibly configured. Specifically, under this security control system the smart card not only carries the newly customized network authentication algorithm and user identification algorithm but also retains the legacy network authentication algorithm and user identification algorithm of an ordinary smart card, and can be flexibly configured by the user. Under this security control system, the special-purpose smart card should be able to provide a set of customizable security services, and these security services should be customizable and modifiable according to the specific instruction requirements of the terminal or POS device.
The method embodiment provided by the invention is described further below:
The smart card realized by the present invention presets the network authentication algorithm and user authentication algorithm of an ordinary smart card and can realize the same functions as an ordinary smart card; at the same time, with the support of the JavaCard virtual machine, it can carry multiple JavaCard applications that realize the functions specific to the special-purpose smart card. One class of application realizes the customized network authentication algorithm for the private mobile communication network; one class realizes the customized user identification algorithm for the private mobile communication network; one class provides security services externally; and one class configures the card's operating mode.
Fig. 3 is a schematic structural diagram of the smart card applicable to specialized mobile radio requirements provided by the embodiment of the present invention. The smart card shown in Fig. 3 comprises a processor 31 and a memory 32, the storage area of the memory 32 being divided into a first storage area and a second storage area, where the first storage area stores the authentication algorithm and identification algorithm preset by the operator before the smart card is issued and is used when the operating mode is the normal mode, and the second storage area stores the user-defined authentication algorithm and/or identification algorithm loaded after the smart card is issued; the processor comprises:
a download module 311, connected to the memory, for downloading the user-defined authentication algorithm and/or identification algorithm from outside and saving it in the second storage area;
a virtual machine module 312, for executing the authentication algorithm and/or identification algorithm in the second storage area;
a mode acquisition module 313, for obtaining the operating mode the user intends to use;
a processing module 314, connected to the virtual machine module 312 and the mode acquisition module 313, for executing, when the operating mode is the normal mode, the operator-preset authentication algorithm or identification algorithm in the first storage area in the authentication or identification procedure; and, when the operating mode is the custom mode, starting the virtual machine program in the authentication or identification procedure to execute the authentication algorithm or identification algorithm stored in the second storage area.
Preferably, the first storage area is a storage area on which a write-protection operation has been performed.
Fig. 4 is a schematic architecture diagram of the smart card provided by the embodiment of the present invention. As can be seen from Fig. 4, the smart card realized by the present invention has two operating modes, namely the normal mode and the custom mode. The security mechanism adopted and the security parameters used differ between the two modes. In the normal mode, the card calls the network authentication algorithm and user authentication algorithm of an ordinary smart card, and its external behaviour is consistent with that of an ordinary smart card. In the custom mode, the card calls the customized network authentication algorithm and user authentication algorithm and can at the same time provide security services externally, realizing the specific security requirements of a specific industry.
The communication terminal interface can use STK menu selection. After the user has selected a specific mode, the current operating mode is recorded by a flag in the card; for example, 0 denotes the normal mode and 1 denotes the custom mode.
The network authentication method of the smart card realized by the present invention is described below:
The authentication algorithm logic of an ordinary smart card is preset on the smart card. In the card issuing stage, the ordinary smart card's personalized authorization data is written. In addition, the smart card can support an authentication algorithm customized for the dedicated communication network. This authentication algorithm can be designed and developed by the user's security department and is transparent to the card provider. After card issuance, the customized authentication algorithm can be downloaded to the card by the user.
The smart card receives the operating mode selected by the user. If the user selected the normal mode, the card operates in the normal mode: on receiving the authentication instruction sent by the terminal, the card operating system executes the authentication procedure of the current conventional mobile communication network. Otherwise, the card operates in the custom mode: on receiving the authentication instruction sent by the terminal, the card operating system executes the customized authentication procedure, which includes processing with the customized network authentication algorithm.
In the present invention, the customized authentication algorithm is developed using JavaCard technology. The user's security department defines the input/output interface, the personalization input interface and the algorithm implementation of the authentication algorithm, and releases the authentication algorithm in the form of a Java applet, which is downloaded to the card by the standard GlobalPlatform procedure.
The user authentication method of the smart card realized by the present invention is described below:
The user authentication logic of an ordinary smart card is preset on the smart card. In the card issuing stage, the ordinary smart card's personal authentication data, such as the PIN code, is written. The smart card can support a user authentication algorithm customized for the dedicated communication network. This user authentication algorithm can be designed and developed by the user's security department and is transparent to the card provider. After card issuance, the customized user authentication algorithm can be downloaded to the card by the user.
The smart card receives the operating mode selected by the user. If the user selected the normal mode, the card operates in the normal mode: on receiving the password verification instruction sent by the terminal, the card operating system executes the user authentication procedure of the current conventional mobile communication network. Otherwise, the card operates in the custom mode: on receiving the authentication instruction sent by the terminal, the card operating system executes the customized user authentication procedure.
In the present invention, the customized user authentication algorithm is developed using JavaCard technology. The user's security department defines the input/output interface, the personalization input interface and the algorithm implementation of the user authentication algorithm, and releases the customized user authentication algorithm in the form of a Java applet, which is downloaded to the card by the standard GlobalPlatform procedure.
Preferably, the download module is also for downloading user-defined security algorithm applications from outside;
the smart card also comprises:
a security service module, for providing the information security service externally, using the security algorithm application in the smart card, when an information security service request is received.
The information security service provided by the security service module comprises at least one of encryption, decryption, signing and signature verification.
Specifically, the smart card realized by the present invention also supports a class of dedicated security applications that provide security services externally and are developed using JavaCard technology. In this class of application, the security algorithms in the card, such as DES, 3DES, AES, RSA and RCC, are called to provide security services such as encryption, decryption, signing and signature verification externally. The external security service interface is provided in the form of APDU instructions, and the definition of the security service interface can be custom-modified according to the requirements of the terminal.
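The following added example, which is not the patent's applet, models how such an APDU-based security service interface can dispatch the four services and refuse them outside the custom mode. The class byte, the INS codes and the status words other than 9000 are assumptions (the page only says the interface is APDU-based and terminal-customizable), and the card's DES/3DES/AES/RSA/RCC routines are replaced by stdlib HMAC-SHA256 constructions so the model runs offline.

```python
"""Constructed model of the APDU security-service interface (added example, not the patent's code).

CLA, INS codes and the stand-in primitives are assumptions; the card's own cipher and
signature algorithms are replaced by HMAC-SHA256 so the example runs with the stdlib only.
"""
import hashlib
import hmac
import os
from typing import Tuple

NORMAL_MODE, CUSTOM_MODE = 0, 1

CLA_SECURITY = 0x80                                                      # assumed
INS_ENCRYPT, INS_DECRYPT, INS_SIGN, INS_VERIFY = 0x10, 0x11, 0x12, 0x13  # assumed

SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_DATA_INVALID = 0x6A80
SW_CONDITIONS_NOT_SATISFIED = 0x6985
SW_INS_NOT_SUPPORTED = 0x6D00
SW_CLA_NOT_SUPPORTED = 0x6E00

NONCE_LEN = 8
TAG_LEN = 32


def build_apdu(ins: int, data: bytes, cla: int = CLA_SECURITY) -> bytes:
    """Short APDU: CLA INS P1 P2 Lc Data (one-byte Lc, so data <= 255)."""
    if len(data) > 255:
        raise ValueError("data too long for a short APDU")
    return bytes([cla, ins, 0x00, 0x00, len(data)]) + data


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in, not a card cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class SecurityServiceApplet:
    """Dispatches security-service APDUs; refuses them unless the card is in custom mode."""

    def __init__(self, key: bytes, mode: int = CUSTOM_MODE) -> None:
        self.key = key      # service key written during personalization (constructed)
        self.mode = mode    # the mode flag recorded by the mode-configuration application

    def process(self, apdu: bytes) -> Tuple[bytes, int]:
        """Return (response data, status word) for one command APDU."""
        if len(apdu) < 5 or len(apdu) != 5 + apdu[4]:
            return b"", SW_WRONG_LENGTH
        cla, ins = apdu[0], apdu[1]
        data = apdu[5:]
        if cla != CLA_SECURITY:
            return b"", SW_CLA_NOT_SUPPORTED
        if self.mode != CUSTOM_MODE:        # services are offered only in custom mode
            return b"", SW_CONDITIONS_NOT_SATISFIED
        if ins == INS_ENCRYPT:
            nonce = os.urandom(NONCE_LEN)
            return nonce + _xor(data, _keystream(self.key, nonce, len(data))), SW_OK
        if ins == INS_DECRYPT:
            if len(data) < NONCE_LEN:
                return b"", SW_DATA_INVALID
            nonce, ct = data[:NONCE_LEN], data[NONCE_LEN:]
            return _xor(ct, _keystream(self.key, nonce, len(ct))), SW_OK
        if ins == INS_SIGN:
            return hmac.new(self.key, data, hashlib.sha256).digest(), SW_OK
        if ins == INS_VERIFY:
            if len(data) < TAG_LEN:
                return b"", SW_DATA_INVALID
            msg, tag = data[:-TAG_LEN], data[-TAG_LEN:]
            expected = hmac.new(self.key, msg, hashlib.sha256).digest()
            return b"", SW_OK if hmac.compare_digest(expected, tag) else SW_DATA_INVALID
        return b"", SW_INS_NOT_SUPPORTED


if __name__ == "__main__":
    applet = SecurityServiceApplet(b"\x02" * 16)             # constructed key
    ct, sw = applet.process(build_apdu(INS_ENCRYPT, b"hello card"))
    print(hex(sw), applet.process(build_apdu(INS_DECRYPT, ct)))
```

Length checking before any dispatch, the mode gate before any key use, and a constant-time comparison in the verify path are the three details worth keeping when the INS table is later customized for a particular terminal.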
In summary, compared with the prior art, the smart card and its control method provided by the embodiments of the present invention not only carry newly customized network authentication algorithms and user identification algorithms but also retain the legacy network authentication algorithm and user identification algorithm of an ordinary smart card, and can be flexibly configured by the user.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Changes or substitutions that can easily be conceived by anyone skilled in the art within the technical scope disclosed by the present invention should all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope described in the claims.