CN107798256B - Smart card based on cryptographic algorithm separation storage and design method - Google Patents

Publication number
CN107798256B
Authority
CN
China
Prior art keywords
cryptographic algorithm
command
processing
application
cos
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711162447.9A
Other languages
Chinese (zh)
Other versions
CN107798256A (en)
Inventor
曾雪琴
周道双
周留洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHENGDU SANLINGJIA MICROELECTRONIC Co Ltd
Original Assignee
CHENGDU SANLINGJIA MICROELECTRONIC Co Ltd
Application filed by CHENGDU SANLINGJIA MICROELECTRONIC Co Ltd
Priority to CN201711162447.9A
Publication of CN107798256A
Application granted
Publication of CN107798256B


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of embedded SoC (System on Chip) and, in view of the problems in the prior art, provides a smart card based on separated storage of the cryptographic algorithm, together with a design method for it. The smart card comprises a chip COS system, a customized application module and a cryptographic algorithm module. The invention gathers the parts of the traditional smart card's COS system and customized application that relate to the cryptographic algorithm into the cryptographic algorithm module. A COS system and a customized application designed according to the invention do not involve a cryptographic algorithm. This structure makes it convenient to develop and manage cryptographic resources independently, prevents leakage of the cryptographic resources, can markedly increase the confidentiality of the cryptographic algorithm, and so improves the security and reliability of the smart card. The COS system supports filling or updating of the cryptographic algorithm: the main control module of the COS system detects whether the cryptographic algorithm is registered; if it is registered, the cryptographic algorithm is called to perform security processing; if registration of the cryptographic algorithm is not detected, security processing at a reduced security level is executed, filling or updating of the cryptographic algorithm is performed, a command from the terminal read-write device is awaited, and the data communication between the smart card and the terminal read-write device is completed.

Description

Smart card based on cryptographic algorithm separation storage and design method
Technical Field
The invention relates to the field of embedded SoC (System on Chip), and in particular to a smart card based on separated storage of the cryptographic algorithm and a design method for it.
Background
Smart card is the general name for a plastic card with an embedded integrated circuit chip that can perform data storage, data encryption and decryption, data transmission and similar functions. A smart card chip generally comprises a smart card interface, a CPU (central processing unit), a reconfigurable cryptographic coprocessor, a random number generator, a small-capacity RAM (random-access memory), a non-volatile memory, and the software fixed in it, which includes the smart card operating system COS (Card Operating System) and user-customized applications, as shown in Fig. 1.
Divided by function, the traditional smart card COS architecture mainly includes a system main control module, a hardware resource management module, a communication management module, a security management module, a file system management module, an application management module, a customized application interface module and a customized application management module, as shown in Fig. 2. The system main control module is the core of the COS: it faces the hardware resources directly, provides the upper-layer applications with an interface for calling hardware resources, and coordinates the operation of all modules. The hardware resource management module manages and calls the hardware resources of the smart card to complete the various basic functions. The communication management module executes the smart card transmission protocol and manages the data exchange between the smart card and the terminal read-write device. The security management module performs encryption, decryption and authority authentication on transmitted and stored data to ensure the security of the smart card. The file system management module manages data stored as files, carries out operations such as searching, reading and writing files, and manages the storage space. The application management module judges, parses and processes the instructions sent from outside, schedules internal resources to complete the corresponding operations, and returns the corresponding responses. The customized application interface provides application interfaces through which the customized application can conveniently call the internal resources of the smart card. Customized application management configures the software and hardware environment for the customized application and completes the transfer of customized application data.
To ensure the communication security of the smart card, the integrity, authenticity, validity and confidentiality of the information exchange between the smart card and the external read-write device must be guaranteed. The key to satisfying these four properties is ciphertext transmission: during transmission the information is converted by a certain rule into a ciphertext form that is difficult to recognize, and after reception it is restored by the same rule into recognizable plaintext. That rule is the cryptographic algorithm. Cryptographic algorithms are used in both the smart card COS system and the customized application shown in Fig. 2. The two have different requirements, so they use different cryptographic algorithms. In the military field in particular, the cryptographic algorithm is a confidential matter, is generally developed by specially assigned personnel, and knowledge of it is limited to personnel involved in confidential work. The smart card software architecture described in Fig. 2 does not support developing cryptographic algorithms in this mode.
In recent years the smart card, being easy to carry, low in power consumption, low in cost, secure and reliable, has been widely applied in fields from civilian to military use and in security solutions from single machines to large complex systems. However, as the range of use of the smart card grows, more and more attack methods are directed at it, and the life cycle of a cryptographic algorithm becomes shorter and shorter, which means that the cryptographic algorithm needs to be replaced periodically.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the problems in the prior art, a smart card based on separated storage of the cryptographic algorithm and a design method for it are provided. The smart card software system is divided by function and then designed as structurally separate parts: a COS system with the cryptographic algorithm stripped out (COS system for short), a customized application system with the cryptographic algorithm stripped out (customized application for short), and a cryptographic algorithm system (cryptographic algorithm for short). In this structure the cryptographic algorithm is stripped from the COS system and from the customized application, and the COS system, the customized application and the cryptographic algorithm each occupy an independent storage space. The COS system accesses the cryptographic algorithm by accessing an address pointer, and the customized application system calls cryptographic resources in the same way; the calling relationship among the COS system, the customized application system and the cryptographic algorithm is shown in Fig. 3. This structure makes it convenient to develop and manage cryptographic resources independently, prevents leakage of the cryptographic resources, can markedly improve the confidentiality of the cryptographic algorithm, and so improves the security and reliability of the smart card.
The technical scheme adopted by the invention is as follows:
A smart card design method based on separated storage of the cryptographic algorithm comprises the following steps:
Step 1: the COS system reads the command of the card reading device; when the command is a security processing command, the COS system judges whether the cryptographic algorithm of the cryptographic algorithm software system is registered (the COS system reads the algorithm registration flag bit stored at the start address of the algorithm mapping area; if the flag bit is valid, the cryptographic algorithm is registered, and the COS system reads the cryptographic algorithm mapping table to complete registration of the cryptographic algorithm); if the cryptographic algorithm is registered, step 2 is executed; otherwise, step 3 is executed;
Step 2: the COS system hands control of the CPU pointer to the cryptographic algorithm system, and the cryptographic algorithm system directs the CPU pointer to read instructions from the code area of the cryptographic algorithm system and to access data in the global variable area and stack area of the cryptographic algorithm system, so as to complete the security processing of the cryptographic data; the processing result is fed back to the COS system through the shared variable area, and the cryptographic algorithm system returns control of the CPU pointer to the COS system;
Step 3: filling of the cryptographic algorithm of the cryptographic algorithm system is carried out.
Further, after step 2, when the command is judged to be a basic command, that is, a non-application processing command, the COS system holds control of the CPU pointer, reads instructions from the code area of the COS system, accesses data in the global variable area and stack area of the COS system, completes the command processing, feeds the processing result back to the COS system through the shared variable area, and returns control of the CPU pointer.
Further, after step 2, when the command is judged to be an application processing command and is an application processing command related to encryption, the customized application system hands control of the CPU pointer to the cryptographic algorithm system; after the cryptographic algorithm system completes the cryptographic processing of the data corresponding to the application processing command, it returns control of the CPU pointer to the customized application system, which completes processing of the application processing command, feeds the processing result back to the COS system through the shared variable area, and returns control of the CPU pointer.
Further, after step 2, when the command is judged to be an application processing command and is a non-encrypted application processing command, the COS system hands control of the CPU pointer to the customized application system; the customized application system directs the CPU pointer to read instructions from the code area of the customized application system, accesses data in the global variable area of the customized application system, completes processing of the application processing command, feeds the processing result back to the COS system through the shared variable area, and returns control of the CPU pointer.
Furthermore, the smart card design method based on separated storage of the cryptographic algorithm also comprises updating the cryptographic algorithm of the cryptographic algorithm system.
Furthermore, the COS system comprises a main control module, a hardware resource management module, a communication management module, a security management module and a file system management module; the security management module comprises a security application module, a cryptographic resource library interface module and a cryptographic management module; the customized application system comprises a non-cryptographic application function module and an application cryptographic management module; the cryptographic algorithm software system mainly comprises a cryptographic processing module, a cryptographic algorithm code module and a cryptographic algorithm output library module.
Further, before step 1, the COS system also goes through an application and parameter injection stage and a cryptographic algorithm and key data injection stage.
A smart card based on the above smart card design method with separated storage of the cryptographic algorithm comprises:
COS system: used for reading the command of the card reading device and, when the command is a security processing command, judging whether the cryptographic algorithm of the cryptographic algorithm software system is registered; if the cryptographic algorithm is registered, control of the CPU pointer is handed to the cryptographic algorithm system; otherwise, filling of the cryptographic algorithm of the cryptographic algorithm system is carried out.
Cryptographic algorithm system: used for directing the CPU pointer to read instructions from the code area of the cryptographic algorithm system and to access data in the global variable area and stack area of the cryptographic algorithm system, completing the processing of the cryptographic data; the cryptographic algorithm then returns control of the CPU pointer to the COS system.
Further, when the command is judged to be a basic command, that is, a non-application processing command, the COS system holds control of the CPU pointer, reads instructions from the code area of the COS system, and accesses data in the global variable area and stack area of the COS system to complete the command processing and obtain the processing result.
When the command is judged to be an application processing command and is an application processing command related to encryption, the customized application system hands control of the CPU pointer to the cryptographic algorithm system; after the cryptographic algorithm system completes the cryptographic processing of the data corresponding to the application processing command, it returns control of the CPU pointer to the customized application system, which completes processing of the application processing command, feeds the processing result back to the COS system through the shared variable area, and returns control of the CPU pointer.
Further, when the command is judged to be an application processing command and is a non-encrypted application processing command, the COS system hands control of the CPU pointer to the customized application system, and the customized application system directs the CPU pointer to read instructions from the code area of the customized application system and to access data in the global variable area of the customized application system to complete the processing of the application function; the customized application then returns control of the CPU pointer to the COS system.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
With the smart card software system structure based on separated storage of the cryptographic algorithm, the smart card software system is divided by function and then designed as structurally separate parts: the cryptographic algorithm is separated from the COS system and the customized application, giving a COS system, a customized application system and a cryptographic algorithm system. This structure makes it convenient to develop and manage cryptographic resources independently, can support periodic online updating of the cryptographic algorithm, can markedly increase the confidentiality of the cryptographic algorithm, and so improves the attack resistance, security and reliability of the smart card.
The invention relates to the field of embedded SoC (System on Chip), and in particular to a smart card software system structure with separated storage of the cryptographic algorithm.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a smart card software system structure according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of the calling relationships of a smart card software system according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of the working states of a smart card software system according to an embodiment of the present invention.
Fig. 4 is a flowchart of the operations of cryptographic algorithm filling and updating according to an embodiment of the present invention.
Fig. 5 is a flowchart of an embodiment of the present invention.
Reference numerals:
1-main control module; 2-hardware resource management module; 3-communication management module;
4-security management module; 5-file system management module; 6-application cryptographic management module;
7-non-cryptographic application function module; 8-cryptographic processing module; 9-cryptographic algorithm code module;
10-cryptographic algorithm output library module; 11-terminal read-write device; 12-smart card
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
Firstly, the structure of the invention is described:
the smart card 12 includes a COS system 21, a customized application system 22, and a customized application system 23. As shown in fig. 1, the COS system includes a main control module 1, a hardware resource management module 2, a communication management module 3, a security management module 4, and a file system management module 5; the customized application system comprises an application password management module 6 and a non-password application function module 7; the cipher algorithm software system mainly comprises a cipher processing module 8, a cipher algorithm code module 9 and a cipher algorithm output library module 10;
1. COS system:
the main control module is the core of the COS, is directly oriented to hardware resources, provides an interface for calling the hardware resources for upper-layer application, and coordinates the operation of each module in a unified way; the hardware resource management module manages and calls the hardware resources of the intelligent card so as to complete various basic functions; the communication management module executes a smart card transmission protocol and manages the interaction of the smart card and the data of the terminal read-write equipment; the security management module performs encryption, decryption and authority authentication on the transmitted and stored data to ensure the security of the intelligent card; the file system management module manages data stored in a file form, is responsible for completing operations such as searching, reading and writing of files and the like, and manages storage space; the application management module judges, analyzes and processes various instructions sent from the outside, schedules internal resources to complete corresponding operations, and returns corresponding responses; the security management module of the COS system provides a password resource library interface for a user, the user does not need to care about design principles, operation steps and other bottom-layer driving details of the reconfigurable password coprocessor of the intelligent card chip, and only needs to call physical resources of the password coprocessor on the intelligent card through the password resource library interface module to complete development of corresponding password algorithm functions. The safety management module comprises a safety application module, a password resource library interface module and a password management module; wherein the content of the first and second substances,
1.1 the password resource library of the password resource library interface module mainly has the following functional functions:
the register function of the password coprocessor realizes the enabling and interrupting register functions of the password coprocessor and configures the interrupt priority; the password coprocessor logout function realizes the functions of closing the password coprocessor and interrupting logout; the main cipher algorithm loading function loads the cipher algorithm binary code, and copies the cipher algorithm binary code from the physical memory area of cipher resource to the memory area in the cipher coprocessor; the working key loading function copies the working key from the physical storage area of the password resource to a working key storage area inside the password coprocessor; the work key expansion function carries out expansion operation of the internal work key and completes corresponding work key expansion according to the algorithm number of the input parameter and the work key number; the structure key loading function copies the structure key from the physical storage area of the password resource to the structure key storage area in the password coprocessor; and the key destroying function erases the cryptographic algorithm, the key and the sensitive data stored in the cryptographic coprocessor.
1.2 the password management module of the COS system security management module has the following functions:
filling and updating channels are provided for the cryptographic algorithm, integrity and legality detection after the cryptographic algorithm is downloaded is carried out, and writing of an illegal cryptographic algorithm is prevented; carrying out cipher algorithm registration management, detecting whether the cipher algorithm is registered or not, if the cipher algorithm is detected, executing the registration of the cipher algorithm, carrying out entry address assignment on cipher resource function interfaces provided by the cipher algorithm, such as identity authentication, integrity verification, data encryption and decryption and the like, and configuring an application environment for a security processing module to call the cipher algorithm resource function interfaces; and password resource destruction in emergency is supported.
1.3 the security application module function of the COS system security management module is:
completing the safety application processing function of the intelligent card, namely completing power-on self-check when the intelligent card is powered on; after the cryptographic algorithm is registered, various cryptographic algorithms are called to complete the security processing functions of the COS system, including integrity verification of transmission data, bidirectional identity authentication, sensitive data destruction and the like.
2. A cryptographic algorithm system:
the cryptographic algorithm system mainly comprises a cryptographic algorithm code module, a cryptographic processing module and a cryptographic algorithm output library module, wherein the cryptographic algorithm code module integrates binary codes and sensitive data of the cryptographic algorithm and generally stores the binary codes and the sensitive data in an array form, and the binary codes of the cryptographic algorithm code module are executable codes which are formed by coding the cryptographic algorithm written by C language through a compiler of a cryptographic coprocessor; the password processing module configures the password resources of the smart card by calling a password resource library interface of the COS system to complete encryption or decryption of data; the cipher algorithm output library module is a set of cipher processing function interfaces, defines interface parameters and access entry addresses of various cipher processing functions, maps various cipher processing function logics to a memory area algorithm mapping area, provides a cipher algorithm access interface for the COS system and the customized application, and the COS system and the customized application can set parameters and acquire encryption and decryption data through the interfaces.
In the invention, the COS system, the customized application system and the cryptographic algorithm system are separately stored in a storage space, information interaction is carried out through a shared variable area, a system configuration area and an algorithm mapping area, and parameter values, local variables and the like of a storage function of a shared stack area are commonly used. The smart card storage space is divided into a code area and a variable area, and the code area is divided into a COS system code area, an algorithm mapping area, a system configuration area, an application code area, a password algorithm code area and a file system area. The variable area is divided into a shared variable area, a COS global variable area, an application global variable area, a cryptographic algorithm global variable area and a shared stack area. The COS system and the customized application cannot be directly accessed, namely the code area of the cryptographic algorithm is invisible to a user, and the user can only call the cryptographic processing function through the algorithm mapping area. The working principle is that the entry addresses of the cryptographic processing interface functions required to be output by the cryptographic algorithm system are sequentially linked into a continuous storage space at the beginning of the initial address of the algorithm mapping area according to a storage specified format specified by a card manufacturer, each cryptographic processing interface function corresponds to a fixed entry address, and the access of the cryptographic processing functions can be realized by accessing the entry addresses for indirect addressing.
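The registration check and the indirect call through the algorithm mapping area, described here and in steps 1 to 3 of the method, can be sketched as follows. This is an added example, not code from the patent; the flag value, the slot order, the entry signature and the two stand-in processing functions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout of the algorithm mapping area: the registration flag at the
 * start address, then one fixed entry slot per cryptographic processing
 * function. Flag value, slot order and signature are constructed here. */
#define ALG_REGISTERED 0xA55A5AA5u
enum alg_slot { ALG_AUTH, ALG_INTEGRITY, ALG_ENCRYPT, ALG_SLOT_COUNT };

typedef int (*crypto_entry_t)(const uint8_t *in, size_t len, uint8_t *out);

struct alg_mapping_area {
    uint32_t       registered;              /* flag at the start address */
    crypto_entry_t entry[ALG_SLOT_COUNT];   /* fixed entry addresses */
};

enum cos_status { COS_OK, COS_REDUCED_SECURITY, COS_BAD_SLOT, COS_ALG_ERROR };

/* Cryptographic algorithm system side: stand-ins, not real algorithms. */
static int demo_encrypt(const uint8_t *in, size_t len, uint8_t *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(in[i] ^ 0x5A);   /* placeholder transform */
    return 0;
}

static int demo_integrity(const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + in[i]);
    out[0] = sum;                           /* placeholder check value */
    return 0;
}

/* Link the entry addresses first and set the flag last, so the COS never
 * sees a valid flag in front of a half-written table. */
void alg_register(struct alg_mapping_area *map)
{
    map->entry[ALG_AUTH]      = NULL;   /* this constructed package exports none */
    map->entry[ALG_INTEGRITY] = demo_integrity;
    map->entry[ALG_ENCRYPT]   = demo_encrypt;
    map->registered = ALG_REGISTERED;
}

/* Key destruction: invalidate the flag first, then clear the entries. */
void alg_destroy(struct alg_mapping_area *map)
{
    map->registered = 0;
    for (unsigned i = 0; i < ALG_SLOT_COUNT; i++)
        map->entry[i] = NULL;
}

/* COS side: check registration, validate the slot, then call indirectly. */
enum cos_status cos_secure_process(const struct alg_mapping_area *map, unsigned slot,
                                   const uint8_t *in, size_t len, uint8_t *out)
{
    if (map->registered != ALG_REGISTERED)
        return COS_REDUCED_SECURITY;    /* not registered: out is left untouched */
    if (slot >= ALG_SLOT_COUNT || map->entry[slot] == NULL)
        return COS_BAD_SLOT;            /* never jump through a missing entry */
    /* Indirect call: control passes to the algorithm system and comes back. */
    return map->entry[slot](in, len, out) == 0 ? COS_OK : COS_ALG_ERROR;
}

int main(void)
{
    struct alg_mapping_area map = { 0 };
    uint8_t in[4] = { 1, 2, 3, 4 }, out[4] = { 0 };

    printf("before registration: %d\n", (int)cos_secure_process(&map, ALG_ENCRYPT, in, 4, out));
    alg_register(&map);
    printf("after registration:  %d\n", (int)cos_secure_process(&map, ALG_ENCRYPT, in, 4, out));
    printf("missing entry:       %d\n", (int)cos_secure_process(&map, ALG_AUTH, in, 4, out));
    return 0;
}
```

The caller has to treat `COS_REDUCED_SECURITY` as a distinct outcome: no protected output was produced, so nothing in `out` may be sent as if it were.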
3. The software system of the invention clearly defines the working state of the smart card to be divided into four stages: a factory leaving stage, an application and parameter injection stage, a cryptographic algorithm and key data injection stage, and a business working stage, as shown in fig. 3. The intelligent card is required to complete intelligent card COS software injection and card information compiling (card number, production date, packaging form, manufacturer and the like) before leaving a factory; completing the injection of the application software and related parameters of the smart card and the establishment of a file system in an application and parameter injection stage; the method comprises the following steps that (1) injection of smart card cryptographic algorithm software, binary codes of various cryptographic algorithms and key parameters is completed in a cryptographic algorithm and key data injection stage, and the injection is completed by a development subject unit or a trusted use subject in a safe and guaranteed environment; in the service working stage, after the card issuing company finishes the personalization of the intelligent card, the personalized intelligent card is distributed to the user, and the user enters the user using stage, so that the service function scheduling of the intelligent card can be supported, and the service instruction is executed. In the service stage, the card can be destroyed, namely user application software and parameters, a cryptographic algorithm and key parameters are permanently erased, and the state of the intelligent card returns to the factory state; the service stage can perform key destruction, namely permanently erasing the cryptographic algorithm and the key parameters, and the state of the smart card returns to the application and parameter injection stage. 
The four-stage working state of the intelligent card is clearly defined and is respectively dominated by different main bodies, and each main body is defined, developed or used according to the interface specification.
When the smart card is powered on, the COS system checks whether a cryptographic algorithm program is registered. If a registered cryptographic algorithm is detected, it is called to perform security processing; if not, security processing at a reduced security level is executed. When the terminal read-write device needs to add or update a cryptographic algorithm, bidirectional authentication is required: the host sends a specific command, the smart card parses the command to perform identity authentication and calculates an authentication parameter according to the authentication algorithm, and the host reads this authentication parameter and compares it with the authentication parameter it calculated itself. If the two are consistent, the identity is legitimate and the cryptographic algorithm is updated; otherwise the cryptographic algorithm update is terminated. Once the smart card's identity authentication has passed, the physical environment configuration is completed, the processing state is returned, and the host is informed that the smart card is ready to receive the cryptographic algorithm.
The smart card software system of the present invention supports online filling and updating of cryptographic algorithms, as shown in fig. 4. The specific steps are as follows. The COS system is programmed into the COS code area of the non-volatile storage area, and the smart card works normally. The smart card detects whether the cryptographic device is registered; if so, cryptographic algorithm registration is completed, and if not, the smart card continues to wait for a command from the terminal read-write device. The smart card receives a command from the terminal read-write device to add or update a cryptographic algorithm, and bidirectional authentication between the terminal read-write device and the smart card is performed: the smart card calculates an authentication parameter with the authentication algorithm from the data received from the terminal read-write device, and the terminal read-write device reads this authentication parameter and compares it with the one it calculated itself. If the authentication parameters are consistent, identity authentication has passed and the terminal read-write device starts to send the cryptographic algorithm filling or update data. The smart card receives the cryptographic algorithm data, stores it in a temporary storage area and, when the transmission is finished, performs an integrity check; if the check passes, it writes the data to the cryptographic algorithm code area, completing the filling or update of the cryptographic algorithm. Otherwise it informs the terminal read-write device that the cryptographic algorithm data was transmitted incorrectly and prepares for it to be re-sent.
(The specific filling or updating process is as follows: the terminal read-write device sends a filling command; the COS system parses the command and an authentication parameter is calculated according to the authentication algorithm; the COS system reads the authentication parameter and compares it with the authentication parameter it calculated itself. If the two are consistent, the identity is legitimate, the terminal read-write device sends the cryptographic algorithm, and the smart card receives it through the COS system and updates the cryptographic algorithm; otherwise the smart card terminates the cryptographic algorithm update.)
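The card-side half of the update flow described above (receive into the temporary storage area, check integrity, then write to the code area) is sketched below as an added example that is not part of the patent. The patent names neither the authentication algorithm nor the integrity check, so authentication is reduced to a flag and CRC-32 stands in for the check; all function and field names and the 256-byte area size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ALG_MAX 256  /* assumed size of the temporary and code areas */

enum upd_status { UPD_OK, UPD_NOT_AUTHENTICATED, UPD_TOO_LARGE, UPD_INTEGRITY_ERROR };

struct upd_card {
    int authenticated;          /* set once bidirectional authentication has passed */
    int alg_registered;         /* the flag the COS checks at power-on */
    uint8_t staging[ALG_MAX];   /* temporary storage area */
    size_t staged;
    uint8_t alg_code[ALG_MAX];  /* cryptographic algorithm code area */
    size_t alg_len;
};

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320): stand-in integrity check. */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Start a transfer: refused unless authentication has already succeeded. */
enum upd_status upd_begin(struct upd_card *c)
{
    if (!c->authenticated) return UPD_NOT_AUTHENTICATED;
    c->staged = 0;
    return UPD_OK;
}

/* Append one chunk to the temporary area; never write past its end. */
enum upd_status upd_chunk(struct upd_card *c, const uint8_t *d, size_t n)
{
    if (!c->authenticated) return UPD_NOT_AUTHENTICATED;
    if (n > ALG_MAX - c->staged)
        return UPD_TOO_LARGE;
    memcpy(c->staging + c->staged, d, n);
    c->staged += n;
    return UPD_OK;
}

/* End of transfer: verify, then copy into the code area. On a mismatch the staged
 * data is dropped and the installed algorithm stays as it was, ready for a re-send. */
enum upd_status upd_commit(struct upd_card *c, uint32_t expected_crc)
{
    if (!c->authenticated) return UPD_NOT_AUTHENTICATED;
    if (c->staged == 0 || crc32_buf(c->staging, c->staged) != expected_crc) {
        c->staged = 0;
        return UPD_INTEGRITY_ERROR;
    }
    memcpy(c->alg_code, c->staging, c->staged);
    c->alg_len = c->staged;
    c->alg_registered = 1;
    c->staged = 0;
    return UPD_OK;
}
```

CRC-32 only catches transmission errors; a card that must also reject a tampered image would verify a MAC or signature over the staged data before the commit.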
Secondly, the working flow of the invention is shown in fig. 5.
The smart card is powered on; the COS system waits for a reset signal from the read-write device and, on detecting a valid reset signal, sends a reset response, completing the power-on reset of the smart card. The COS system then checks whether a customized application is registered and, if so, configures an operating environment for the application. The COS system checks whether a fixed cryptographic algorithm is registered and, if so, registers the cryptographic algorithm and configures an access address for the cryptographic algorithm's output library interface. The COS system then stands by, waiting for a command from the card reading device; commands are divided into basic instruction processing, security processing and application processing. When the command is a basic command, the COS system holds control of the CPU pointer, reads instructions from the code area of the COS system, accesses data in the global variable area and stack area of the COS system, and completes the command processing to obtain a processing result. When the command is a security processing command and the cryptographic algorithm is registered, the COS system hands control of the CPU pointer to the cryptographic algorithm system, which uses the CPU pointer to read instructions from the cryptographic algorithm code area and access data in the global variable area and stack area of the cryptographic algorithm system; when the cryptographic data processing is complete, the cryptographic algorithm system returns control of the CPU pointer to the COS system, and the COS system goes on to complete the security processing function.
When the command is application processing, the COS system hands control of the CPU pointer to the customized application system, which uses the CPU pointer to read instructions from the application code area and access data in the application's global variable area. When an application processing command related to encryption is processed, the customized application system hands control of the CPU pointer to the cryptographic algorithm system; after the cryptographic algorithm system has completed the cryptographic processing of the data corresponding to the application processing command, it returns control of the CPU pointer to the customized application system, which completes the processing of the application processing command, feeds the processing result back to the COS system through the shared variable area, and returns control of the CPU pointer.
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed.

Claims (8)

1. A smart card design method based on cryptographic algorithm separation storage is characterized by comprising the following steps:
step 1: the COS system reads the command from the card reading device; if the command is a security processing command and the cryptographic algorithm is registered, step 2 is executed; otherwise, step 3 is executed;
step 2: the COS system hands control of the CPU pointer to the cryptographic algorithm system, and the cryptographic algorithm system uses the CPU pointer to read instructions from a code area of the cryptographic algorithm system and access data from a global variable area and a stack area of the cryptographic algorithm system, so as to complete the security processing of the cryptographic data; the processing result is fed back to the COS system through the shared variable region, and the cryptographic algorithm system returns control of the CPU pointer to the COS system;
step 3: filling the cryptographic algorithm of the cryptographic algorithm system;
after step 2, when the command is judged to be an application processing command and is an application processing command related to encryption, the customized application system hands control of the CPU pointer to the cryptographic algorithm system, and after the cryptographic algorithm system finishes the cryptographic processing of the data corresponding to the application processing command, the cryptographic algorithm system returns control of the CPU pointer to the customized application system, which finishes the processing of the application processing command, feeds back the processing result to the COS system through the shared variable region, and returns control of the CPU pointer.
2. The smart card design method based on the separation storage of the cryptographic algorithm as claimed in claim 1, wherein after said step 2, when it is determined that the command is a basic command, i.e. a non-application processing command, the COS system holds control of the CPU pointer, reads instructions from the code area of the COS system, accesses data from the global variable area and the stack area of the COS system, completes the command processing, feeds back the processing result to the COS system through the shared variable region, and returns control of the CPU pointer.
3. The smart card design method based on the separate storage of cryptographic algorithm as claimed in claim 1, wherein after said step 2, when said command is determined to be an application processing command and is an application processing command not related to encryption, the COS system hands control of the CPU pointer to the customized application system, and the customized application system uses the CPU pointer to read instructions from the code region of the customized application system and access data from the global variable region of the customized application system, completes the processing of the application processing command, feeds back the processing result to the COS system through the shared variable region, and returns control of the CPU pointer.
4. The smart card design method based on the separated storage of the cryptographic algorithm as claimed in claim 1, 2 or 3, further comprising updating the cryptographic algorithm of the cryptographic algorithm system.
5. The smart card design method based on the separation and storage of the cryptographic algorithm as recited in claim 4, wherein the COS system comprises a main control module, a hardware resource management module, a communication management module, a security management module, a file system management module;
the security management module comprises a security application module, a cryptographic resource library interface module and a cryptographic management module;
the customized application system comprises a non-cryptographic application function module and an application cryptographic management module;
the cryptographic algorithm software system mainly comprises a cryptographic processing module, a cryptographic algorithm code module and a cryptographic algorithm output library module.
6. A method for designing a smart card based on a separate storage of cryptographic algorithms according to claim 1, 2, 3 or 5, wherein, before said step 1, the COS system also includes an application and parameter injection stage and a cryptographic algorithm and key data injection stage.
7. A smart card based on cryptographic algorithm separation storage, using the smart card design method based on cryptographic algorithm separation storage of claim 1, 2, 3 or 5, characterized by comprising:
COS system: used for reading a command from the card reading device, judging, when the command is a security processing command, whether a cryptographic algorithm of the cryptographic algorithm software system is registered, and handing control of the CPU pointer to the cryptographic algorithm system if the cryptographic algorithm is registered; otherwise, filling of the cryptographic algorithm of the cryptographic algorithm system is performed;
a cryptographic algorithm system: used for controlling the CPU pointer to read instructions from a code area of the cryptographic algorithm system, access data from a global variable area and a stack area of the cryptographic algorithm system and finish the processing of cryptographic data; the cryptographic algorithm system then returns control of the CPU pointer to the COS system;
when the command is judged to be a basic command, namely a non-application processing command, the COS system holds control of the CPU pointer, reads instructions from a code area of the COS system, and accesses data from a global variable area and a stack area of the COS system to complete command processing and obtain a processing result;
and when the command is judged to be an application processing command and is an application processing command related to encryption, the customized application system hands control of the CPU pointer to the cryptographic algorithm system, and after the cryptographic algorithm system finishes cryptographic processing of the data corresponding to the application processing command, the cryptographic algorithm system returns control of the CPU pointer to the customized application system, which finishes processing of the application processing command, feeds back the processing result to the COS system through the shared variable region, and returns control of the CPU pointer.
8. The smart card based on the separate storage of the cryptographic algorithm of claim 7, wherein when the command is determined to be an application processing command and is a non-encrypted application processing command, the COS system passes control of the CPU pointer to the customized application system, the customized application system controls the CPU pointer to read an instruction from a code region of the customized application system and access data from a global variable region of the customized application system, thereby completing processing of an application function; the custom application then returns control of the CPU pointer to the COS system.
CN201711162447.9A 2017-11-21 2017-11-21 Smart card based on cryptographic algorithm separation storage and design method Active CN107798256B (en)


Publications (2)

Publication Number Publication Date
CN107798256A CN107798256A (en) 2018-03-13
CN107798256B CN107798256B (en) 2020-02-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant