CN111310243A - Operating system in an intelligent IC card with multiple master security domains - Google Patents

Info

Publication number
CN111310243A
Authority
CN
China
Prior art keywords
layer
security
application
card
security domain
Prior art date
Legal status
Pending
Application number
CN202010188006.1A
Other languages
Chinese (zh)
Inventor
沈鑫
赵文莉
牛余晓
朱启超
孙翠丽
Current Assignee
BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD
Nanjing Zhongfu Information Technology Co Ltd
Zhongfu Information Co Ltd
Zhongfu Safety Technology Co Ltd
Original Assignee
BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD
Nanjing Zhongfu Information Technology Co Ltd
Zhongfu Information Co Ltd
Zhongfu Safety Technology Co Ltd
Priority date
2020-03-17
Filing date
2020-03-17
Publication date
2020-06-19

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F 21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an operating system for an intelligent IC card with a plurality of master security domains. A hardware driver layer in the main control chip of the IC card is communicatively connected to both an application layer and a security protocol layer. The security protocol layer is configured with a plurality of master security domains; each master security domain is independent of the others, holds its own security domain registration information, and is communicatively connected to the hardware driver layer. The application layer is configured with a plurality of application instances, each of which is associated with exactly one master security domain. The application layer provides an access port through which the application instances in the IC card can be reached from outside the card; each master security domain manages only its associated application instances, the application instances are isolated from one another, and data cannot be accessed or deleted by another master security domain without authorization. This also avoids the problem that the information security of the IC card is threatened and account security cannot be guaranteed.

Description

Operating system in an intelligent IC card with multiple master security domains
Technical Field
The invention relates to the technical field of IC cards, and in particular to an operating system in an intelligent IC card with multiple master security domains.
Background
An IC card (Integrated Circuit Card), also called a smart card, intelligent card, microcircuit card or microchip card, is made by embedding a microelectronic chip into a card body conforming to the ISO 7816 standard. Communication between the IC card and the reader/writer may be contact or contactless. Because an IC card is small, easy to carry, has a large storage capacity, high reliability, a long service life, strong confidentiality and high security, it is used in finance, transport, healthcare, identity authentication and other industries; by combining microelectronics with computer technology it has raised the degree of modernization of people's work and daily life.
With social development and progress in IC card chip technology, more and more industries are converging, and a single bank card can carry several industry applications, for example the various co-branded cards issued by a bank jointly with social security, industry and commerce, transport and other departments. In this case the bank, as issuer of the co-branded card, holds the authority of the master security domain, which makes it convenient to manage all resources in the card but also gives the bank the ability to delete the application data of the other industries. The other industries therefore feel constrained and exposed to a certain risk; many of them want card management authority equal to the bank's, as joint issuers, so that each industry manages its own loaded applications and data. Otherwise information security is threatened and account security cannot be guaranteed.
Disclosure of Invention
To overcome the above deficiencies of the prior art, the present invention provides an operating system in an intelligent IC card with multiple master security domains, comprising an application layer, a security protocol layer and a hardware driver layer;
the hardware driver layer is communicatively connected to both the application layer and the security protocol layer;
the security protocol layer is configured with a plurality of master security domains; each master security domain is independent of the others, holds its own security domain registration information, and is communicatively connected to the hardware driver layer;
the application layer is configured with a plurality of application instances; each application instance is associated with one corresponding master security domain; each application instance is configured with registration information;
the hardware driver layer configures, for each master security domain, its operation authority over the application instances in the IC card;
and each master security domain operates on the IC card information according to its operation authority over the application instances in the IC card, and stores the operation process information.
It should further be noted that the master security domain receives an application instance resource request sent by the application layer;
reads the resource configuration request and allocates the hardware resources corresponding to the application instance;
judges whether the application instance satisfies the association authority of the master security domain;
and, if the association authority is satisfied, associates the application instance with the master security domain.
It should further be noted that the hardware driver layer comprises a processor, a memory, an operation port and a communication module;
the processor acquires the data input by the user and the configuration information of the application layer and the security protocol layer through the operation port;
the memory stores the configuration information of the hardware driver layer and the configuration information of the application layer and the security protocol layer;
the processor is connected to the application layer and the security protocol layer respectively through the communication module.
It should further be noted that the hardware driver layer configures the key and the access authentication information of each master security domain separately;
and the user performs access operation verification through the master security domain associated with the application instance.
It should further be noted that the master security domains configured in the security domain layer are independent of each other.
It should further be noted that the hardware driver layer configures the resources of each master security domain and of its associated application.
The hardware driver layer configures the same or different security control protocols for each master security domain; the application layer acquires the security control protocol information of a master security domain in the security protocol layer and performs operations such as authority verification and secure access according to that security control protocol information.
The technical scheme of the invention has the following advantages:
the application layer of the operating system in the intelligent IC card with multiple master security domains can provide an access port through which an application in the IC card obtains the authority to access its application data in the intelligent IC card, and the application data associated with each master security domain is stored independently, so the data cannot be accessed without authorization. This also avoids the problem that the information security of the IC card is threatened and account security cannot be guaranteed.
The number of master security domains in the security protocol layer can be configured flexibly, which gives good application scalability. When an application is operated on and a user accesses it, identity authentication must be performed according to the security control protocol set by the master security domain associated with that application, which ensures data security.
The operating system in the intelligent IC card with multiple master security domains has a wide range of application scenarios and is suitable for industries such as finance, transport, healthcare and identity authentication.
Drawings
In order to illustrate the technical solution of the present invention more clearly, the drawings used in the description are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an operating system in an intelligent IC card with multiple master security domains.
Detailed Description
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described above in general functional terms in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present invention.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities; these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The invention provides an operating system in an intelligent IC card with a plurality of master security domains, as shown in Fig. 1, comprising an application layer, a security protocol layer and a hardware driver layer;
the hardware driver layer is communicatively connected to both the application layer and the security protocol layer; the security protocol layer is configured with a plurality of master security domains; each master security domain is independent of the others, holds its own security domain registration information, and is communicatively connected to the hardware driver layer;
the application layer is configured with a plurality of application instances; each application instance is associated with one corresponding master security domain; each application instance is configured with an access port;
the hardware driver layer configures, for each master security domain, its operation authority over the application instances in the IC card;
and each master security domain operates on the IC card information according to its operation authority over the application instances in the IC card, and stores the operation process information.
In the invention, a corresponding number of master security domains is created in the security protocol layer according to the number of application layers, and the AIDs of all master security domains are unique. Preferably, the security state and configuration parameters of each master security domain are stored independently, and at run time each master security domain can manage only the applications and data associated with itself; it cannot access or manage the application data associated with other security domains. If the authority of the security domain associated with an application has not been obtained, an attempt to update or delete that application program or its data returns an error.
The application layer can serve finance, industry and commerce, social security and so on. When an application client is loaded and installed, it must be associated with the corresponding master security domain in the card; once the association succeeds, the master security domains of other industries cannot update or delete that application program. The data of each industry's applications is stored independently and other applications cannot access it; otherwise an error code is returned indicating that the permission is not satisfied.
The chip information of the intelligent IC card is redesigned and defined through the security protocol layer, so that a plurality of master security domains can be created and coexist in the intelligent IC card; the master security domains have the same rank, and the applications they manage share the resources in the card. Each master security domain can update or delete only its own associated industry applications and data.
The programming standards implemented by the invention include, but are not limited to, Native Card, Java Card and the like, and the form of the intelligent IC card includes, but is not limited to, dual-interface, contact and contactless intelligent IC cards.
The hardware driver layer of the invention comprises a processor, a memory, an operation port and a communication module; the processor acquires the data input by the user and the configuration information of the application layer and the security protocol layer through the operation port; the memory stores the configuration information of the hardware driver layer and the configuration information of the application layer and the security protocol layer; the processor is connected to the application layer and the security protocol layer respectively through the communication module.
The hardware driver layer supports configuration management of a plurality of master security domains and dynamic allocation of DTR, RTR and NVM storage space.
To further increase the security of each application instance's data, the hardware driver layer configures the application instance resources associated with each master security domain separately, sets the same or different access control protocol information for each master security domain, and sets different key values.
A card operator acquires the authority of a master security domain in the security protocol layer and operates on the application associated with that master security domain according to the registration information.
In the above embodiment, at least two master security domains are configured as a security domain group within the card; the master security domains configured in the security domain group are independent of each other.
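The association flow (resource request, allocation, authority check, association) and the per-domain operation check described above, together with the "error code when the permission is not satisfied" behaviour, modelled as an added example that is not the patent's or any project's code; the class names, the NVM budget, the sample AIDs and keys, and the ISO 7816-style status words are assumptions.

```python
# Constructed example, not the patent's own code: class names, the NVM budget and
# the status words are assumptions (the SW values are borrowed from ISO 7816-4).
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982   # wrong domain or not authenticated
SW_NOT_ENOUGH_MEMORY = 0x6A84               # driver layer refused the NVM allocation
SW_REFERENCED_DATA_NOT_FOUND = 0x6A88       # unknown domain AID or data key

@dataclass
class MasterSecurityDomain:
    aid: bytes                   # unique across the card
    key: bytes                   # per-domain key configured by the hardware driver layer
    authenticated: bool = False  # security state is held independently per domain
    apps: Dict[bytes, Dict[str, bytes]] = field(default_factory=dict)  # AID -> private records
    log: List[str] = field(default_factory=list)   # "operation process information"

    def authenticate(self, presented_key: bytes) -> bool:
        self.authenticated = hmac.compare_digest(presented_key, self.key)
        self.log.append(f"AUTH {'ok' if self.authenticated else 'fail'}")
        return self.authenticated

class CardOS:
    def __init__(self, nvm_bytes: int):
        self.domains: Dict[bytes, MasterSecurityDomain] = {}
        self.nvm_free = nvm_bytes   # NVM pool the driver layer hands out dynamically

    def create_domain(self, aid: bytes, key: bytes) -> None:
        if aid in self.domains:
            raise ValueError("master security domain AIDs must be unique")
        self.domains[aid] = MasterSecurityDomain(aid, key)

    def install(self, domain_aid: bytes, app_aid: bytes, nvm_needed: int) -> int:
        """Claim 2: resource request -> allocate -> check association authority -> associate."""
        dom = self.domains.get(domain_aid)
        if dom is None:
            return SW_REFERENCED_DATA_NOT_FOUND
        owned = any(app_aid in d.apps for d in self.domains.values())
        if not dom.authenticated or owned:   # an instance has exactly one owner domain
            dom.log.append(f"INSTALL {app_aid.hex()} refused")
            return SW_SECURITY_STATUS_NOT_SATISFIED
        if nvm_needed > self.nvm_free:
            return SW_NOT_ENOUGH_MEMORY
        self.nvm_free -= nvm_needed
        dom.apps[app_aid] = {}
        dom.log.append(f"INSTALL {app_aid.hex()} ok")
        return SW_OK

    def operate(self, domain_aid: bytes, app_aid: bytes, op: str, key: str,
                value: bytes = b"") -> Tuple[int, Optional[bytes]]:
        """Claim 3: add/delete/modify/query is judged by the associated domain only."""
        if op not in ("add", "modify", "delete", "query"):
            raise ValueError(f"unknown operation {op!r}")
        dom = self.domains.get(domain_aid)
        if dom is None:
            return SW_REFERENCED_DATA_NOT_FOUND, None
        app = dom.apps.get(app_aid)   # only this domain's own registry is consulted,
        if app is None or not dom.authenticated:   # so other domains' apps are invisible
            dom.log.append(f"{op.upper()} {app_aid.hex()} refused")
            return SW_SECURITY_STATUS_NOT_SATISFIED, None
        if op == "query" and key in app:
            dom.log.append(f"QUERY {app_aid.hex()} ok")
            return SW_OK, app[key]
        if op == "query" or (op == "delete" and app.pop(key, None) is None):
            return SW_REFERENCED_DATA_NOT_FOUND, None
        if op in ("add", "modify"):
            app[key] = value
        dom.log.append(f"{op.upper()} {app_aid.hex()} ok")
        return SW_OK, None

def demo() -> Tuple[int, int, int]:
    card, bank, transit = CardOS(4096), b"\xA0\x00\x00\x00\x01", b"\xA0\x00\x00\x00\x02"
    for aid, k in ((bank, b"bank-key-16bytes"), (transit, b"transit-key-16by")):
        card.create_domain(aid, k)
        card.domains[aid].authenticate(k)
    app = b"\xD1\x56\x00\x01"
    card.install(transit, app, nvm_needed=512)
    card.operate(transit, app, "add", "balance", b"\x00\x10")
    sw_owner, _ = card.operate(transit, app, "query", "balance")
    sw_bank_read, _ = card.operate(bank, app, "query", "balance")     # cross-domain read
    sw_bank_delete, _ = card.operate(bank, app, "delete", "balance")  # cross-domain delete
    return sw_owner, sw_bank_read, sw_bank_delete
```

`demo()` returns success for the owning transit domain and the security-status error for both of the bank domain's attempts; the refused attempts are recorded in the bank domain's own log.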
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. An operating system in a smart IC card having multiple master security domains, comprising an application layer, a security protocol layer and a hardware driver layer;
the hardware driver layer is communicatively connected to both the application layer and the security protocol layer;
the security protocol layer is configured with a plurality of master security domains; each master security domain is independent of the others, holds its own security domain registration information, and is communicatively connected to the hardware driver layer;
the application layer is configured with a plurality of application instances; each application instance is associated with one corresponding master security domain; each application instance is configured with registration information;
the hardware driver layer configures, for each master security domain, its operation authority over the application instances in the IC card;
each master security domain can operate on the application instance according to the registration information and the operation authority, and stores the operation process information.
2. The operating system in a smart IC card with multiple master security domains according to claim 1, wherein
the master security domain receives an application instance resource request sent by the application layer;
reads the resource configuration request and allocates the hardware resources corresponding to the application instance;
judges whether the application instance satisfies the association authority of the master security domain;
and, if the association authority is satisfied, associates the application instance with the master security domain.
3. The operating system in a smart IC card with multiple master security domains according to claim 2, wherein
the application layer sends an operation request to the application instance;
the master security domain associated with the application instance receives the request and judges whether the operation authority is currently satisfied;
and, if the associated operation authority is satisfied, allows the application instances associated with the current master security domain to be added, deleted, modified and queried.
4. The operating system in a smart IC card with multiple master security domains according to claim 1, wherein
the hardware driver layer comprises a processor, a memory, an operation port and a communication module;
the processor acquires the data input by the user and the configuration information of the application layer and the security protocol layer through the operation port;
the memory stores the configuration information of the hardware driver layer and the configuration information of the application layer and the security protocol layer;
the processor is connected to the application layer and the security protocol layer respectively through the communication module.
5. The operating system in a smart IC card with multiple master security domains according to claim 1, wherein
the hardware driver layer is configured with a key and access verification information for each master security domain separately;
and the user performs access operation verification through the master security domain associated with the application instance.
6. The operating system in a smart IC card with multiple master security domains according to claim 1, wherein
the master security domains configured in the security domain layer are independent of each other.
7. The operating system in a smart IC card with multiple master security domains according to claim 6, wherein
the hardware driver layer configures the resources of each master security domain and of its associated application.
8. The operating system in a smart IC card with multiple master security domains according to claim 5, wherein
the hardware driver layer configures each master security domain with the same or different security control protocols.
9. The operating system in a smart IC card with multiple master security domains according to claim 1, wherein
the application layer acquires the security control protocol information of a master security domain in the security protocol layer;
and performs operations such as authority verification and secure access according to that security control protocol information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010188006.1A CN111310243A (en) 2020-03-17 2020-03-17 Operating system in an intelligent IC card with multiple master security domains


Publications (1)

Publication Number Publication Date
CN111310243A true CN111310243A (en) 2020-06-19

Family

ID=71160560


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113805943A (en) * 2021-09-18 2021-12-17 上海中通吉网络技术有限公司 Protocol system of integrated intelligent device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105809064A (en) * 2014-12-31 2016-07-27 北京华大智宝电子系统有限公司 Smart card safety control method and smart card
CN106228090A (en) * 2016-07-28 2016-12-14 飞天诚信科技股份有限公司 Multi-master-security-domain Java smart card and implementation method thereof
CN108304716A (en) * 2017-01-13 2018-07-20 国民技术股份有限公司 Multi-application smart card and its application management method, communication system and communication means



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-06-19