CN113704773A - Relay protection safety chip operating system and communication method thereof - Google Patents


Info

Publication number: CN113704773A
Application number: CN202111071063.2A
Authority: CN (China)
Other versions: CN113704773B (en)
Other languages: Chinese (zh)
Prior art keywords: command message, apdu, safety, unit, relay protection
Legal status: Granted; active. (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Inventors: 李肖博, 习伟, 姚浩, 于杨, 蔡田田, 白晋川, 陈军健, 陶伟
Current assignee: Southern Power Grid Digital Grid Research Institute Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd; priority to CN202111071063.2A; published as CN113704773A; granted as CN113704773B.

Classifications (CPC)

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application relates to a relay protection security chip operating system and a communication method thereof. The communication management module receives an APDU command message sent by the terminal and passes it to the command processing module; the command processing module performs validity checks (CLA instruction class check, CLA hash check and INS check) on the command message, sends it to the security management module once the validity checks pass, and sends it to the file management module when the command message complies with the preset command execution permission; the security management module judges whether the command message complies with the preset command execution permission and feeds the judgment back to the command processing module; the file management module performs the response operation for the command message and feeds the response result back to the command processing module. The relay protection security chip operating system has the advantage of good security.

Description

Relay protection safety chip operating system and communication method thereof
Technical Field
The application relates to the field of relay protection, and in particular to a relay protection security chip operating system and a communication method thereof.
Background
The relay protection device is common equipment in a power system; its working state directly affects the whole power system, and it carries the important mission of protecting the safe and stable operation of the power system. A security chip is generally provided in a relay protection device to ensure the security of the device.
In a conventional relay protection security chip operating system, authentication is performed directly after an Application Protocol Data Unit (APDU) command message is received: the system determines whether the APDU command message complies with the preset command execution permission and, once authentication passes, performs the response operation and feeds back the response result. A conventional relay protection security chip operating system can therefore be attacked with an illegal command message that carries the secret key, and its security is poor.
Disclosure of Invention
It is therefore necessary to provide a relay protection security chip operating system with good operational security, and a communication method thereof.
A relay protection security chip operating system comprises a communication management module, a security management module, a command processing module and a file management module; the command processing module is connected to the communication management module, the security management module and the file management module; the communication management module is also connected to a terminal;
the communication management module is used for receiving the APDU command message sent by the terminal and sending it to the command processing module;
the command processing module is used for performing validity checks on the APDU command message, sending it to the security management module after the validity checks pass, and sending it to the file management module when the APDU command message complies with the preset command execution permission; the validity checks comprise a CLA instruction class check, a CLA hash check and an INS check;
the security management module is used for judging whether the APDU command message complies with the preset command execution permission and feeding the judgment back to the command processing module;
the file management module is used for performing the response operation for the APDU command message and feeding the response result back to the command processing module; the response result reaches the terminal after passing in turn through the command processing module and the communication management module.
In one embodiment, the communication management module comprises an ATR sending unit, a PPS negotiation unit and an APDU management unit;
the ATR sending unit is used for obtaining the communication electrical parameter information of the terminal and of the relay protection security chip and comparing the two;
the PPS negotiation unit is used for determining the communication parameters according to a preset negotiation mode when the communication electrical parameter information of the terminal and of the relay protection security chip is inconsistent;
and the APDU management unit is used for carrying out data transmission between the terminal and the relay protection security chip based on the communication parameters.
In one embodiment, the security management module comprises a security attribute management submodule, a security state management submodule and a security mechanism management submodule;
the security attribute management submodule is used for determining the correspondence between APDU command messages and security states;
the security state management submodule is used for determining the current security state;
and the security mechanism management submodule is used for judging, from the APDU command message and the correspondence between APDU command messages and security states, whether the APDU command message complies with the preset command execution permission, and feeding the judgment back to the command processing module.
In one embodiment, the security attribute management submodule is specifically configured to determine the correspondence between APDU command messages and operation types, and the correspondence between operation types and security states; the security mechanism management submodule comprises a data encryption and decryption unit, an authentication and verification unit and a file access security control unit;
the data encryption and decryption unit is used for decrypting the APDU command message and, after decryption, determining the executable operation type of the APDU command message from the correspondence between APDU command messages and operation types;
the authentication and verification unit is used for configuring the security state according to the operation type, the current security state and the correspondence between operation types and security states;
and the file access security control unit is used for judging, based on the configured security state, whether the APDU command message complies with the preset command execution permission, and feeding the judgment back to the command processing module.
In one embodiment, the file management module comprises a file query unit, an upper-level file management unit, a lower-level file management unit and a peer file management unit;
the file query unit is used for querying the file directory according to the APDU command message to obtain the name and level of the file to be processed;
and the upper-level, lower-level and peer file management units are used for performing the response operation for the file to be processed at the corresponding level, according to its name and level, and feeding the response result back to the command processing module.
In one embodiment, the file management module further includes a wear-leveling management unit for managing the erase counts of the relay protection security chip.
In one embodiment, the file management module further includes a power-down protection unit configured, when a data erase instruction is received, to back up the data to be erased before performing the corresponding erase operation.
In one embodiment, the command processing module comprises a CLA processing unit and an INS processing unit;
the CLA processing unit is used for performing the CLA instruction class check and the CLA hash check in sequence and, after both pass, parsing the APDU command message to obtain the INS instruction code and sending it to the INS processing unit;
and the INS processing unit is used for performing an INS validity check and an INS logic check on the INS instruction code and passing the APDU command message to the security management module after the checks pass.
In one embodiment, the CLA processing unit is further configured to perform a CLA repeat check after the CLA instruction class check and the CLA hash check pass and before the APDU command message is parsed for the INS instruction code and the code is sent to the INS processing unit.
A communication method for a relay protection security chip operating system is implemented on the relay protection security chip operating system above and comprises the following steps:
receiving an APDU command message sent by a terminal;
performing validity checks on the APDU command message, the validity checks comprising a CLA instruction class check, a CLA hash check and an INS check;
when the validity checks pass, judging whether the APDU command message complies with the preset command execution permission;
and if so, performing the response operation for the APDU command message and feeding the response result back to the terminal.
In this relay protection security chip operating system the command processing module is configured to perform validity checks (CLA instruction class check, CLA hash check and INS check) on the APDU command message and the security management module is configured to confirm its execution permission; the response operation is performed only when the validity checks pass and the command execution permission is confirmed, which improves the security of the relay protection security chip operating system.
Drawings
FIG. 1 is a block diagram of a relay protection security chip operating system in an embodiment;
FIG. 2 is a block diagram of a relay protection security chip operating system in another embodiment;
FIG. 3 is a block diagram of the components of the command processing module in an embodiment;
FIG. 4 is a block diagram of the components of the communication management module in an embodiment;
FIG. 5 is a block diagram of the components of the security management module in an embodiment;
FIG. 6 is a block diagram of the components of the security mechanism management submodule in an embodiment;
FIG. 7 is a block diagram of the components of the file management module in an embodiment;
FIG. 8 is a diagram of the logical structure of the file system of a relay protection security chip operating system in an embodiment;
FIG. 9 is a flowchart of a communication method of a relay protection security chip operating system in an embodiment.
Detailed Description
To facilitate an understanding of the present application, the present application will now be described more fully with reference to the accompanying drawings. Embodiments of the present application are set forth in the accompanying drawings. This application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It will be understood that when an element is referred to as being "connected" to another element, it can be directly connected to the other element or be connected to the other element through intervening elements. Further, "connection" in the following embodiments is understood to mean "electrical connection", "communication connection", or the like, if there is a transfer of electrical signals or data between the connected objects.
As used herein, the singular forms "a", "an" and "the" may include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises/comprising," "includes" or "including," etc., specify the presence of stated features, integers, steps, operations, components, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
In a first aspect the application provides a relay protection security chip operating system, applied to the security chip inside a relay protection device; the relay protection device is a relay protection SoC (System on Chip). In one embodiment, as shown in FIG. 1, the relay protection security chip operating system includes a communication management module 100, a command processing module 200, a security management module 300 and a file management module 400. The command processing module 200 is connected to the communication management module 100, the security management module 300 and the file management module 400; the communication management module 100 is also connected to a terminal.
The communication management module 100 is configured to receive an APDU command message sent by the terminal and send it to the command processing module 200. The command processing module 200 is configured to perform validity checks on the APDU command message, send it to the security management module 300 after the validity checks pass, and send it to the file management module 400 when the APDU command message complies with the preset command execution permission; the validity checks comprise the CLA instruction class check, the CLA hash check and the INS check. The security management module 300 is configured to determine whether the APDU command message complies with the preset command execution permission and feed the determination back to the command processing module 200. The file management module 400 is configured to perform the response operation for the APDU command message and feed the response result back to the command processing module 200; the response result reaches the terminal after passing in turn through the command processing module 200 and the communication management module 100.
The chip operating system (COS) of the relay protection security chip is a dedicated system running in the chip that controls the exchange of information between the chip and the outside. Terminals include, but are not limited to, personal computers, laptops, smartphones, tablets and portable wearable devices. Messages exchanged between the terminal and the relay protection security chip use the APDU protocol format. As defined in the ISO 7816 standard, the APDU message used by the terminal is the APDU command message (C-APDU) and the APDU message used by the security chip is the APDU response message (R-APDU).
Specifically, the communication management module 100 receives the APDU command message sent by the terminal and forwards it to the command processing module 200 according to a preset information transmission protocol; it also receives the response result corresponding to the APDU command message and sends it to the terminal in the format of that transmission protocol. For the interchange command specification, the security management specification and the like, reference may be made to the existing ISO 7816-4, -8 and -9 standards, which are not described in detail here.
Further, the APDU command message consists of a command header and a command body, and the command header contains the CLA, INS, P1 and P2 fields: CLA indicates the class of the APDU, INS the instruction to execute, and P1 and P2 are parameters of the instruction. The command processing module 200 receives the APDU command message forwarded by the communication management module 100, parses it and checks its validity: it extracts the CLA and INS field information from the message, performs the CLA instruction class check, the CLA hash check and the INS check in sequence, and sends the APDU command message to the security management module 300 after the validity checks pass.
The security management module 300 implements the permission control and confidentiality mechanisms for access to the internal data of the relay protection security chip; it is configured to determine whether the APDU command message complies with the preset command execution permission and to feed the determination back to the command processing module 200. The file management module 400 is responsible for managing the storage space and is specifically configured to perform the response operation for the APDU command message and feed the response result back to the command processing module 200; the response operation includes file selection, creation, deletion, reading, writing and the like. The response result passes in turn through the command processing module 200 and the communication management module 100 and is received by the terminal in the form of an APDU response message.
It will be understood that the command processing module 200 is further configured to feed corresponding check-failure information back to the terminal or a display device through the communication management module 100 when a validity check fails, and that the security management module 300 is further configured to feed authentication-failure information back to the terminal or the display device through the command processing module 200 and the communication management module 100 when it determines that the APDU command message does not comply with the preset command execution permission.
Further, each module of the relay protection security chip operating system may be implemented wholly or partly in software, in hardware, or in a combination of the two. In hardware form the modules may be embedded in, or independent of, the processor of the relay protection SoC; in software form they may be stored in the memory of the relay protection SoC so that the processor can call and execute the operations of each module.
Further, as shown in FIG. 2, the relay protection security chip operating system also includes a bottom-layer driver module 500 for controlling the lower layer of the relay protection security chip. Specifically, the bottom-layer driver module 500 is connected to the communication management module 100, the command processing module 200, the security management module 300 and the file management module 400 and controls the hardware each functional module relies on: for example, it drives the I/O interface so that the communication management module 100 can establish a communication link with the terminal, and drives the memory so that the file management module 400 can carry out message response operations smoothly. The communication management module 100, command processing module 200, security management module 300 and file management module 400 sit in the functional-module layer of the system; the bottom-layer driver module 500 sits in the system's microkernel.
In this relay protection security chip operating system the command processing module is configured to perform validity checks (CLA instruction class check, CLA hash check and INS check) on the APDU command message and the security management module is configured to confirm its execution permission; the response operation is performed only when the validity checks pass and the command execution permission is confirmed, which improves the security of the relay protection security chip operating system.
In one embodiment, as shown in FIG. 3, the command processing module 200 includes a CLA processing unit 210 and an INS processing unit 220. The CLA processing unit 210 is configured to perform the CLA instruction class check and the CLA hash check in sequence and, after both pass, to parse the APDU command message for the INS instruction code and send it to the INS processing unit 220. The INS processing unit 220 is configured to perform the INS validity check and the INS logic check on the INS instruction code and to send the APDU command message to the security management module 300 after the checks pass.
Specifically, the CLA processing unit 210 extracts the CLA field from the APDU command message and compares it with the executable instruction classes pre-stored in the COS; if the CLA field matches none of them, the CLA instruction class of the APDU command message is judged illegal and command processing ends. If it matches, the unit computes the hash value of the CLA field and compares it with a preset whitelist; if the hash value is in the whitelist, the CLA hash check passes and processing continues, otherwise command processing ends. After both the CLA instruction class check and the CLA hash check pass, the CLA processing unit 210 parses the APDU command message to obtain the INS instruction code and sends it to the INS processing unit 220. Further, the CLA processing unit 210 is also configured to feed corresponding CLA error status information back to the terminal or the display device via the communication management module 100 when a check fails.
The INS processing unit 220 receives the INS instruction code and performs the INS validity check, determining whether the instruction code is one the COS can execute; if not, command processing ends. If so, it performs the INS logic check, testing whether the precondition associated with the instruction code is satisfied; if it is, the APDU command message is sent to the security management module 300, otherwise command processing ends. Likewise, the INS processing unit 220 is also configured to feed corresponding INS error status information back to the terminal or the display device via the communication management module 100 when a check fails.
In the above embodiment, the CLA processing unit 210 and the INS processing unit 220 perform the CLA instruction class check, CLA hash check, INS validity check and INS logic check on the APDU command message in sequence, which further improves the security of the relay protection security chip operating system.
Further, in one embodiment, the CLA processing unit 210 is also configured to perform a CLA repeat check. Specifically, after the CLA instruction class check and the CLA hash check pass, and before parsing the APDU command message for the INS instruction code and sending it to the INS processing unit 220, the CLA processing unit 210 checks whether the CLA field repeats the CLA field of the previously received APDU command message. If it does not, processing continues; if it does, the CLA processing unit abandons execution so that the same command message is not answered twice, which improves working efficiency.
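As a worked illustration of the command processing module described above (an added example; not code from the patent or its assignee), the pipeline below parses a short C-APDU and applies the checks in the order the page gives them: CLA instruction class, CLA hash, CLA repeat, INS validity, INS logic. Every specific is an assumption of this example: the executable class set, the use of 32-bit FNV-1a as the CLA hash and the whitelist it is checked against, the INS codes (taken from ISO 7816-4), the "a file must be selected first" precondition, the ISO 7816-4 status words, and the hypothetical status word 6986 for the repeat check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status words: ISO 7816-4 values; the page does not list the COS's own. */
#define SW_OK                 0x9000u
#define SW_WRONG_LENGTH       0x6700u
#define SW_CLA_NOT_SUPPORTED  0x6E00u
#define SW_INS_NOT_SUPPORTED  0x6D00u
#define SW_CONDITIONS_NOT_MET 0x6985u
#define SW_CLA_REPEATED       0x6986u   /* hypothetical: no status word is given for the repeat check */

/* Instruction codes from ISO 7816-4; which of them this COS executes is assumed. */
enum { INS_VERIFY = 0x20, INS_EXT_AUTH = 0x82, INS_SELECT = 0xA4,
       INS_READ_BINARY = 0xB0, INS_UPDATE_BINARY = 0xD6 };

typedef struct { uint8_t cla, ins, p1, p2, lc; const uint8_t *data; } apdu_t;

/* Per-session state of the command processing module (hypothetical layout). */
typedef struct { bool have_prev_cla; uint8_t prev_cla; bool file_selected; } cmd_ctx_t;

/* Parse a short C-APDU: the 4-byte header CLA INS P1 P2, then case 1 (nothing),
 * case 2 (Le), case 3 (Lc + data) or case 4 (Lc + data + Le). */
bool apdu_parse(const uint8_t *buf, size_t len, apdu_t *out) {
    if (len < 4) return false;
    out->cla = buf[0]; out->ins = buf[1]; out->p1 = buf[2]; out->p2 = buf[3];
    out->lc = 0; out->data = NULL;
    if (len <= 5) return true;                       /* case 1 or case 2 */
    out->lc = buf[4];
    if (len != 5u + out->lc && len != 6u + out->lc) return false;
    out->data = buf + 5;
    return true;
}

/* CLA instruction class check: the CLA must be one of the executable classes
 * stored in the COS. The set {00, 80, 84} is this example's assumption. */
static bool cla_class_ok(uint8_t cla) {
    static const uint8_t classes[] = { 0x00, 0x80, 0x84 };
    for (size_t i = 0; i < sizeof classes; i++) if (classes[i] == cla) return true;
    return false;
}

/* CLA hash check: hash the CLA field and look the digest up in a preset
 * whitelist. The page names neither the hash nor the whitelist; FNV-1a and a
 * whitelist that deliberately omits 0x84 are this example's choices, so a CLA
 * can pass the class check and still be stopped here. */
static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
static bool cla_hash_ok(uint8_t cla) {
    static const uint8_t whitelisted[] = { 0x00, 0x80 };
    uint32_t h = fnv1a32(&cla, 1);
    for (size_t i = 0; i < sizeof whitelisted; i++)
        if (fnv1a32(&whitelisted[i], 1) == h) return true;
    return false;
}

/* INS validity check: is the instruction code one the COS can execute? */
static bool ins_valid(uint8_t ins) {
    switch (ins) {
    case INS_VERIFY: case INS_EXT_AUTH: case INS_SELECT:
    case INS_READ_BINARY: case INS_UPDATE_BINARY: return true;
    default: return false;
    }
}

/* INS logic check: the precondition tied to the instruction. The only one
 * modelled is "a file must be selected before it is read or written"
 * (assumed; the page does not list the COS's conditions). */
static bool ins_logic_ok(const cmd_ctx_t *ctx, uint8_t ins) {
    if (ins == INS_READ_BINARY || ins == INS_UPDATE_BINARY) return ctx->file_selected;
    return true;
}

/* The command processing module's pipeline in the order the page gives:
 * CLA class -> CLA hash -> CLA repeat -> INS validity -> INS logic. Returns
 * SW_OK when the APDU may go on to the security management module, otherwise
 * the status word reported back to the terminal. The repeat check compares
 * only the CLA byte with the previous command's, exactly as the page says. */
uint16_t cmd_process(cmd_ctx_t *ctx, const uint8_t *buf, size_t len) {
    apdu_t a;
    if (!apdu_parse(buf, len, &a)) return SW_WRONG_LENGTH;
    if (!cla_class_ok(a.cla) || !cla_hash_ok(a.cla)) return SW_CLA_NOT_SUPPORTED;
    if (ctx->have_prev_cla && ctx->prev_cla == a.cla) return SW_CLA_REPEATED;
    ctx->have_prev_cla = true; ctx->prev_cla = a.cla;
    if (!ins_valid(a.ins)) return SW_INS_NOT_SUPPORTED;
    if (!ins_logic_ok(ctx, a.ins)) return SW_CONDITIONS_NOT_MET;
    if (a.ins == INS_SELECT) ctx->file_selected = true;   /* normally set by the file module */
    return SW_OK;
}

int main(void) {
    /* Constructed commands: SELECT 3F00, then READ BINARY twice with the same CLA. */
    const uint8_t sel[] = { 0x00, 0xA4, 0x00, 0x00, 0x02, 0x3F, 0x00 };
    const uint8_t rd[]  = { 0x80, 0xB0, 0x00, 0x00, 0x10 };
    cmd_ctx_t ctx = { 0 };
    printf("SELECT       -> %04X\n", (unsigned)cmd_process(&ctx, sel, sizeof sel));
    printf("READ BINARY  -> %04X\n", (unsigned)cmd_process(&ctx, rd, sizeof rd));
    printf("READ (again) -> %04X\n", (unsigned)cmd_process(&ctx, rd, sizeof rd));
    return 0;
}
```

Because the repeat check, as the page states it, looks only at the CLA byte, two consecutive READ BINARY commands with the same class are refused in this model; a COS that wants to suppress duplicate responses to the same command rather than to the same class would have to compare the whole command (or carry a sequence counter), which is the point a reviewer of the design would want clarified.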
In one embodiment, as shown in FIG. 4, the communication management module 100 includes an ATR (Answer To Reset) sending unit 110, a PPS (Protocol and Parameters Selection) negotiation unit 120 and an APDU management unit 130. The ATR sending unit 110 is configured to obtain the communication electrical parameter information of the terminal and of the relay protection security chip and compare the two; the PPS negotiation unit 120 is configured to determine the communication parameters according to a preset negotiation mode when the communication electrical parameter information of the terminal and of the relay protection security chip is inconsistent; the APDU management unit 130 is configured to carry out data transmission between the terminal and the relay protection security chip based on the communication parameters.
The ATR is the first character string in the communication between the security chip and the terminal: the security chip sends it to tell the terminal its own communication electrical parameter information, such as its communication physical parameters and electrical characteristics, and specifically its clock division value, clock frequency, work waiting time and the like. Specifically, the ATR sending unit 110 obtains and compares the communication electrical parameter information of the terminal and of the relay protection security chip. When the two sides' communication electrical information is inconsistent, the PPS negotiation unit 120 determines the communication parameters according to the preset negotiation mode so that subsequent communication between the two sides can proceed. The negotiation mode can follow existing card-reading technology: the terminal modifies parameters in the security chip's ATR so that the communication electrical parameter information of the terminal and of the security chip become consistent, and thereby determines communication parameters such as the communication protocol and the transmission speed. After PPS negotiation is completed, the APDU management unit 130 carries out data transmission between the terminal and the relay protection security chip based on the determined communication parameters: when it receives a message sent by the terminal, it converts it into the message format accepted by the command processing module 200 inside the security chip and sends it to the command processing module 200; when it receives a message sent by the command processing module 200, it converts it into the terminal's message format and sends it to the terminal.
When the communication electrical parameter information of the terminal and of the relay protection security chip is consistent, the communication parameters such as the communication protocol and transmission speed are determined directly from the communication electrical parameters and data transmission proceeds. Further, according to the application scenario requirements of the relay protection security chip, the T=0 character transmission protocol is selected for data transmission.
In the above embodiment, separate units are configured for ATR sending, PPS negotiation and APDU management, which ensures the reliability of communication between the terminal and the security chip and further improves the working efficiency of the relay protection security chip operating system.
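The ATR comparison and PPS exchange described above, as an added example that is not the patent's or its assignee's code: the terminal compares the parameters the ATR announced with the ones it wants and, only when they differ, builds a PPS request laid out as ISO 7816-3 specifies (PPSS 0xFF, PPS0 carrying the protocol type and a flag for PPS1, PPS1 carrying the Fi/Di byte, and PCK, the XOR of all preceding bytes); the card side verifies the PCK, refuses any protocol other than T=0, and either echoes the request or, for an Fi/Di it does not support, answers without PPS1 so the terminal falls back to the default Fi/Di 0x11. Reducing the ATR to a protocol type and one Fi/Di byte (TA1), and the set of Fi/Di values the card accepts, are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two negotiable parameters each side holds: protocol type T and the
 * Fi/Di byte (TA1 in the ATR). A real ATR carries more than this. */
typedef struct { uint8_t t; uint8_t fidi; } link_params_t;

#define PPSS               0xFFu   /* PPS initial character */
#define PPS0_PPS1_PRESENT  0x10u   /* bit 5 of PPS0: PPS1 follows */
#define PPS0_UNSUPPORTED   0xE0u   /* PPS2, PPS3 and the RFU bit: not handled here */
#define DEFAULT_FIDI       0x11u   /* Fi=372, Di=1 */

/* Terminal side: compare what the ATR announced with what the terminal wants.
 * Returns 0 when they already agree (no PPS needed), otherwise 4 and the
 * request PPSS PPS0 PPS1 PCK in req. */
size_t terminal_build_pps(const link_params_t *atr, const link_params_t *want, uint8_t req[4]) {
    if (atr->t == want->t && atr->fidi == want->fidi) return 0;
    req[0] = PPSS;
    req[1] = (uint8_t)(PPS0_PPS1_PRESENT | (want->t & 0x0Fu));
    req[2] = want->fidi;
    req[3] = (uint8_t)(req[0] ^ req[1] ^ req[2]);   /* PCK: XOR over everything before it */
    return 4;
}

/* Card side: validate the request, then accept or reject. This card speaks
 * T=0 only and accepts the Fi/Di values listed (both assumed). Returns the
 * response length, or 0 for a malformed request or an unsupported protocol. */
size_t card_answer_pps(const uint8_t *req, size_t len, uint8_t resp[4]) {
    static const uint8_t supported_fidi[] = { 0x11, 0x18, 0x96 };
    if (len < 3 || len > 4 || req[0] != PPSS) return 0;
    uint8_t x = 0;
    for (size_t i = 0; i < len; i++) x ^= req[i];
    if (x != 0) return 0;                                   /* PCK check failed */
    bool has_pps1 = (req[1] & PPS0_PPS1_PRESENT) != 0;
    if (has_pps1 != (len == 4)) return 0;                   /* PPS0 must match the length */
    if (req[1] & PPS0_UNSUPPORTED) return 0;
    if ((req[1] & 0x0Fu) != 0) return 0;                    /* only T=0 is implemented */
    if (!has_pps1) { memcpy(resp, req, 3); return 3; }      /* protocol only: accept */
    for (size_t i = 0; i < sizeof supported_fidi; i++)
        if (supported_fidi[i] == req[2]) { memcpy(resp, req, 4); return 4; }   /* echo = accepted */
    /* Fi/Di not supported: answer without PPS1 so the terminal uses defaults. */
    resp[0] = PPSS; resp[1] = (uint8_t)(req[1] & 0x0Fu); resp[2] = (uint8_t)(resp[0] ^ resp[1]);
    return 3;
}

/* Terminal side, after the response: check it and derive the parameters both
 * sides will use from now on. */
bool terminal_apply_pps(const uint8_t *req, const uint8_t *resp, size_t rlen, link_params_t *out) {
    if (rlen < 3 || rlen > 4 || resp[0] != PPSS) return false;
    uint8_t x = 0;
    for (size_t i = 0; i < rlen; i++) x ^= resp[i];
    if (x != 0) return false;
    out->t = resp[1] & 0x0Fu;
    if (resp[1] & PPS0_PPS1_PRESENT) {
        if (rlen != 4 || resp[2] != req[2]) return false;  /* PPS1 must echo the request */
        out->fidi = resp[2];
    } else {
        if (rlen != 3) return false;
        out->fidi = DEFAULT_FIDI;
    }
    return true;
}

int main(void) {
    /* Constructed scenario: the card's ATR announces T=0, Fi/Di 0x11; the
     * terminal would like Fi/Di 0x18 for a faster link. */
    link_params_t atr = { 0, DEFAULT_FIDI }, want = { 0, 0x18 }, agreed;
    uint8_t req[4], resp[4];
    size_t n = terminal_build_pps(&atr, &want, req);
    size_t m = card_answer_pps(req, n, resp);
    if (terminal_apply_pps(req, resp, m, &agreed))
        printf("agreed: T=%u Fi/Di=0x%02X\n", agreed.t, agreed.fidi);
    return 0;
}
```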
In one embodiment, as shown in FIG. 5, the security management module 300 includes a security attribute management submodule 310, a security state management submodule 320, and a security mechanism management submodule 330. The security attribute management sub-module 310 is configured to determine a corresponding relationship between the APDU command packet and the security status; the security status management sub-module 320 is used for determining the current security status; the security mechanism management sub-module 330 is configured to determine whether the APDU command message conforms to the rule of the preset command execution permission according to the APDU command message and the corresponding relationship between the APDU command message and the security state, and feed back the determination result to the command processing module 200.
The safety state refers to the safety level of the relay protection safety chip, namely the value of a safety state register; it is the state the safety chip is in after initialization or after processing a certain command. A security attribute defines the conditions required to execute a certain command, i.e. the security state required when performing a certain operation. The security attribute of an APDU command message is defined in the specific CLA-related domain; for example, it indicates which information in the message is encrypted, and the specific action of the command can be executed only after verification is passed. In this embodiment, 16 different security states, 0-F, are defined, which can be changed by executing commands such as PIN verification and external authentication.
Specifically, the security attribute management sub-module 310 is configured to determine a corresponding relationship between an APDU command packet and a security state; the security status management sub-module 320 is used for determining the current security status; the security mechanism management sub-module 330 is configured to determine whether the APDU command message conforms to the rule of the preset command execution permission according to the APDU command message and the corresponding relationship between the APDU command message and the security state, and feed back the determination result to the command processing module 200.
In an embodiment, the security attribute management sub-module 310 is specifically configured to determine a corresponding relationship between an APDU command message and an operation type, and a corresponding relationship between an operation type and a security state. As shown in fig. 6, the security mechanism management sub-module 330 includes a data encryption/decryption unit 331, an authentication verification unit 332, and a file access security control unit 333. The data encryption and decryption unit 331 is configured to decrypt the APDU command packet, and determine an executable operation type of the APDU command packet according to a corresponding relationship between the APDU command packet and the operation type after decryption. The authentication and verification unit 332 is configured to configure the security status according to the operation type and the current security status, and the corresponding relationship between the operation type and the security status. The file access security control unit 333 is configured to determine, based on the configured security state, whether the APDU command packet conforms to the specification of the preset command execution permission, and feed back a determination result to the command processing module 200.
The safety mechanism in the relay protection safety chip COS mainly considers three aspects: data encryption and decryption, authentication and verification, and file access security control. A key file is established under each dedicated file (directory), and the files under that directory can be operated on further only after key verification under the current directory has passed. Specifically, the data encryption and decryption unit 331 performs key verification on the received key verification data based on the key file, decrypts the APDU command packet, and determines the operation type executable by the APDU command packet according to the correspondence between the APDU command packet and the operation type after decryption. The authentication and verification unit 332 is configured to configure the security state according to the operation type, the current security state, and the corresponding relationship between the operation type and the security state, through a mutual authentication process among the terminal, the security chip, and the user, so as to ensure the validity of subsequent operations. Finally, the file access security control unit 333 is configured to determine, using an authentication register mode based on the configured security state, whether the APDU command packet conforms to the rule of the preset command execution permission, and to feed back the determination result to the command processing module 200.
In this embodiment, two 4-bit registers are used to represent the security status: one serves as the security status register of the MF (Main File, the root directory), and the other as the security status register of the currently selected dedicated file (DF). The initial value of each register is 0 and its value range is 0-F, representing different security state levels. For file operations there is a read permission and a write permission, each represented by one byte. When the value of the security state register is larger than the low nibble of the access control permission and smaller than its high nibble, the corresponding read or write permission of the file is satisfied at that security state level, the regulation of the preset command execution permission is met, and the corresponding operation is performed. At this time, the file access security control unit 333 feeds back to the command processing module 200 the determination result that the APDU command packet conforms to the specification of the preset command execution authority.
Further, the data encryption and decryption unit 331 is further configured to feed back a verification-failure result to the command processing module 200 when the key fails verification; the authentication verification unit 332 is further configured to feed back a configuration-failure result to the command processing module 200 when configuration of the security status fails; and the file access security control unit 333 is further configured to feed back to the command processing module 200 a determination result that the APDU command packet does not conform to the command execution permission specification when the value of the security status register is smaller than the low nibble of the access control permission or larger than its high nibble. The above failure results are finally fed back to the terminal or the display device by the communication management module 100.
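The security state mechanism of this embodiment, written out as an added example (not code from the patent): the two 4-bit registers, the APDU-to-operation-type table, the operation-type-to-state transitions, and the nibble-range file access check. The INS codes are the ISO 7816-4 values for VERIFY, EXTERNAL AUTHENTICATE, READ BINARY and UPDATE BINARY; the state levels reached (3 after PIN, 7 after external authentication), the access control bytes, and the `pin_or_auth_ok` flag that stands in for the actual PIN comparison or cryptogram check are all constructed for the example. The page's two formulations of the permission rule leave `state == low nibble` and `state == high nibble` unspecified; the example denies both, so the boundary fails closed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Two 4-bit security status registers (0x0..0xF, initially 0): one governs
 * files directly under the MF, the other files under the selected DF. */
typedef struct {
    uint8_t mf_state;
    uint8_t df_state;
} sec_state_t;

typedef enum { OP_UNKNOWN, OP_PIN_VERIFY, OP_EXT_AUTH, OP_READ, OP_WRITE } op_type_t;

/* Correspondence APDU (CLA, INS) -> operation type. Constructed table. */
typedef struct { uint8_t cla, ins; op_type_t op; } cmd_map_t;
static const cmd_map_t CMD_MAP[] = {
    { 0x00, 0x20, OP_PIN_VERIFY },   /* VERIFY */
    { 0x00, 0x82, OP_EXT_AUTH   },   /* EXTERNAL AUTHENTICATE */
    { 0x00, 0xB0, OP_READ       },   /* READ BINARY */
    { 0x00, 0xD6, OP_WRITE      },   /* UPDATE BINARY */
};

op_type_t lookup_op(uint8_t cla, uint8_t ins) {
    for (size_t i = 0; i < sizeof CMD_MAP / sizeof CMD_MAP[0]; i++)
        if (CMD_MAP[i].cla == cla && CMD_MAP[i].ins == ins) return CMD_MAP[i].op;
    return OP_UNKNOWN;
}

/* Correspondence operation type -> security state reached on success.
 * The levels 3 and 7 are constructed values. */
static uint8_t state_after(op_type_t op, uint8_t current) {
    switch (op) {
    case OP_PIN_VERIFY: return 0x3;
    case OP_EXT_AUTH:   return 0x7;
    default:            return current;
    }
}

/* Per-file access control: one byte per permission, low nibble = lower bound,
 * high nibble = upper bound of the security state that satisfies it. */
typedef struct {
    bool    under_mf;    /* true: checked against the MF register, else the DF register */
    uint8_t read_acl;
    uint8_t write_acl;
} file_acl_t;

/* Literal reading of the text: permitted when lo < state < hi.
 * Equality with either bound is treated as not permitted (fail closed). */
bool access_permitted(uint8_t state, uint8_t acl) {
    uint8_t lo = acl & 0x0F, hi = acl >> 4;
    return state > lo && state < hi;
}

typedef enum { RES_OK, RES_UNKNOWN_CMD, RES_DENIED } result_t;

/* Authentication commands reconfigure the register of the selected DF;
 * file commands are checked against the applicable register. */
result_t process_command(sec_state_t *st, uint8_t cla, uint8_t ins,
                         const file_acl_t *f, bool pin_or_auth_ok) {
    op_type_t op = lookup_op(cla, ins);
    switch (op) {
    case OP_PIN_VERIFY:
    case OP_EXT_AUTH:
        if (!pin_or_auth_ok) return RES_DENIED;       /* configuration of the state failed */
        st->df_state = state_after(op, st->df_state);
        return RES_OK;
    case OP_READ:
    case OP_WRITE: {
        uint8_t state = f->under_mf ? st->mf_state : st->df_state;
        uint8_t acl   = (op == OP_READ) ? f->read_acl : f->write_acl;
        return access_permitted(state, acl) ? RES_OK : RES_DENIED;
    }
    default:
        return RES_UNKNOWN_CMD;
    }
}
```

Keeping the MF and DF registers separate means a PIN verified inside one DF never raises the level at which files under the MF, or under another DF, may be read or written.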
In the above embodiment, the specific configuration of the security management module 300 is provided, which is beneficial to further improving the security of the relay protection security chip operating system.
In one embodiment, as shown in fig. 7, the file management module 400 includes a file querying unit 410, an upper file management unit 420, a lower file management unit 430, and a peer file management unit 440. The file query unit 410 is configured to perform file directory query according to the APDU command packet to obtain a name and a level of a file to be processed; the upper file management unit 420, the lower file management unit 430, and the peer file management unit 440 are configured to perform response operations on the to-be-processed files at corresponding levels according to the to-be-processed file names and the levels thereof, and feed back response results to the command processing module 200.
Specifically, the relay protection security chip adopts a file system with a tree structure, and every file has a unique file identifier, so that the required file can be found directly through its file identifier. For the implementation of file management, a linked-list method may be used to build the link structure between files, as shown in fig. 8: a Parent pointer (corresponding to the upper file management unit 420) is used to find the superior directory file, a Child pointer (corresponding to the lower file management unit 430) links to the subordinate directory file, and a Next pointer (corresponding to the peer file management unit 440) indicates the storage location of the directory file at the same level. The file query unit 410 is configured to perform a file directory query according to the APDU command packet to obtain the name and level of the file to be processed; the upper file management unit 420, the lower file management unit 430, and the peer file management unit 440 are configured to perform response operations such as storing, reading, and deleting on the file to be processed at the corresponding level according to the name and level of the file to be processed, and to feed back the response result to the command processing module 200.
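The Parent/Child/Next link structure and the lookup by unique file identifier, as an added example that is not the patent's code: the query unit's search, the level computation, and the three navigation operations that correspond to the upper, lower and peer file management units. The MF identifier 3F00 is the ISO 7816 value; the other identifiers in the sample tree are constructed. The attach routine refuses a duplicate identifier, since the direct lookup the text relies on only works while identifiers stay unique.

```c
#include <stdint.h>
#include <stddef.h>

typedef enum { FT_MF, FT_DF, FT_EF } file_type_t;

typedef struct cos_file {
    uint16_t fid;                /* unique file identifier */
    file_type_t type;
    struct cos_file *parent;     /* Parent: superior directory file */
    struct cos_file *child;      /* Child: first subordinate file */
    struct cos_file *next;       /* Next: next file at the same level */
} cos_file_t;

/* File query: depth-first search from root. Uniqueness of fid makes the first
 * hit the only one. */
cos_file_t *fs_find(cos_file_t *root, uint16_t fid) {
    if (root == NULL) return NULL;
    if (root->fid == fid) return root;
    for (cos_file_t *c = root->child; c != NULL; c = c->next) {
        cos_file_t *hit = fs_find(c, fid);
        if (hit != NULL) return hit;
    }
    return NULL;
}

/* Attach f under dir as its last peer. Rejects a duplicate fid anywhere in the
 * tree and an EF used as a directory, so a create command cannot break the
 * invariant the lookup depends on. Returns 0 on success, -1 otherwise. */
int fs_attach(cos_file_t *root, cos_file_t *dir, cos_file_t *f) {
    if (dir->type == FT_EF || fs_find(root, f->fid) != NULL) return -1;
    f->parent = dir;
    f->child = NULL;
    f->next = NULL;
    if (dir->child == NULL) { dir->child = f; return 0; }
    cos_file_t *p = dir->child;
    while (p->next != NULL) p = p->next;
    p->next = f;
    return 0;
}

/* Level = number of Parent hops up to the MF (the MF itself is level 0). */
int fs_level(const cos_file_t *f) {
    int n = 0;
    for (; f->parent != NULL; f = f->parent) n++;
    return n;
}

/* The three management units as navigation relative to the current file. */
cos_file_t *fs_select_parent(cos_file_t *cur) { return cur->parent; }

cos_file_t *fs_select_child(cos_file_t *cur, uint16_t fid) {
    for (cos_file_t *c = cur->child; c != NULL; c = c->next)
        if (c->fid == fid) return c;
    return NULL;
}

cos_file_t *fs_select_peer(cos_file_t *cur, uint16_t fid) {
    if (cur->parent == NULL) return NULL;           /* the MF has no peers */
    for (cos_file_t *c = cur->parent->child; c != NULL; c = c->next)
        if (c != cur && c->fid == fid) return c;
    return NULL;
}

/* Constructed sample tree (not from the patent):
 *   MF 3F00 -> EF 2F00
 *           -> DF 7F10 -> EF 6F01, EF 6F02 */
static cos_file_t g_mf, g_ef2f00, g_df7f10, g_ef6f01, g_ef6f02;

cos_file_t *build_sample_tree(void) {
    g_mf     = (cos_file_t){ 0x3F00, FT_MF, NULL, NULL, NULL };
    g_ef2f00 = (cos_file_t){ 0x2F00, FT_EF, NULL, NULL, NULL };
    g_df7f10 = (cos_file_t){ 0x7F10, FT_DF, NULL, NULL, NULL };
    g_ef6f01 = (cos_file_t){ 0x6F01, FT_EF, NULL, NULL, NULL };
    g_ef6f02 = (cos_file_t){ 0x6F02, FT_EF, NULL, NULL, NULL };
    (void)fs_attach(&g_mf, &g_mf, &g_ef2f00);
    (void)fs_attach(&g_mf, &g_mf, &g_df7f10);
    (void)fs_attach(&g_mf, &g_df7f10, &g_ef6f01);
    (void)fs_attach(&g_mf, &g_df7f10, &g_ef6f02);
    return &g_mf;
}
```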
In the above embodiment, different file management units are configured to process the files to be processed at corresponding levels, so that the relay protection chip can work safely and stably for a long time, and the improvement of the working efficiency is facilitated.
In one embodiment, the file management module 400 further includes a wear leveling management unit for managing the erase counts of the relay protection security chip. Specifically, for the Flash memory in a relay protection safety chip, wear leveling control is an effective means of prolonging the service life of the Flash memory. The file data in the security chip can be divided into two categories, cold data and hot data: cold data is data that is updated rarely or never, and hot data is data content that is updated frequently. How to exchange the storage locations of hot and cold data is a problem that cannot be ignored in wear leveling. For example, wear leveling management may be performed by a dynamic wear leveling method or a static wear leveling method. Dynamic wear leveling proceeds as follows: the erase count of each block in the memory is recorded, and when data has to be overwritten, the new data is written to a free page, the old data is marked as invalid, and it waits for garbage collection and erasing. Static wear leveling proceeds as follows: the erase count of each block in the memory is recorded, and when the erase count of one block is detected to exceed the average erase count of all blocks, the data in the block with fewer erasures is exchanged with the data in the block with more erasures.
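Both wear leveling methods, as an added simulation that is not the patent's code: a small Flash model with one page per block keeps an erase count per block; dynamic leveling writes new data to a free block, marks the old copy invalid and erases lazily through garbage collection, while static leveling exchanges the data of a block whose erase count is above the average with that of the least-erased live block, so that cold data migrates into worn blocks. The block count, the one-page-per-block simplification and the `WEAR_GAP` guard (the page's rule is simply "exceeds the average"; the guard is added so two blocks do not swap back and forth on every write) are assumptions of this example.

```c
#include <stdint.h>

#define NBLOCKS  4
#define NLOGICAL 2
#define WEAR_GAP 2      /* added guard: swap only when the gap is at least this */
enum { BLK_FREE, BLK_VALID, BLK_INVALID };

/* Simplified model: one page per block, so a "free page" is a free block and
 * every rewrite of a logical sector consumes one block. */
typedef struct {
    int      state;
    uint32_t erase_count;
    int      logical;   /* logical sector stored here while VALID, else -1 */
    uint8_t  data;
} block_t;

typedef struct {
    block_t blk[NBLOCKS];
    int map[NLOGICAL];  /* logical sector -> block index, -1 if never written */
} flash_t;

void flash_init(flash_t *f) {
    for (int i = 0; i < NBLOCKS; i++) f->blk[i] = (block_t){ BLK_FREE, 0, -1, 0 };
    for (int l = 0; l < NLOGICAL; l++) f->map[l] = -1;
}

/* Garbage collection: erase the INVALID block with the fewest erasures
 * (lowest index on ties). Returns its index, or -1 if nothing is reclaimable. */
static int gc_erase_one(flash_t *f) {
    int best = -1;
    for (int i = 0; i < NBLOCKS; i++)
        if (f->blk[i].state == BLK_INVALID &&
            (best < 0 || f->blk[i].erase_count < f->blk[best].erase_count))
            best = i;
    if (best >= 0) {
        f->blk[best].state = BLK_FREE;
        f->blk[best].logical = -1;
        f->blk[best].erase_count++;
    }
    return best;
}

/* Dynamic wear leveling: the new copy goes to a free block and the old copy
 * is only marked invalid; erasing is deferred to garbage collection. */
int write_dynamic(flash_t *f, int logical, uint8_t data) {
    int target = -1;
    for (int i = 0; i < NBLOCKS && target < 0; i++)
        if (f->blk[i].state == BLK_FREE) target = i;
    if (target < 0) target = gc_erase_one(f);
    if (target < 0) return -1;                        /* every block holds live data */
    f->blk[target].state = BLK_VALID;
    f->blk[target].logical = logical;
    f->blk[target].data = data;
    if (f->map[logical] >= 0) f->blk[f->map[logical]].state = BLK_INVALID;
    f->map[logical] = target;
    return target;
}

/* Static wear leveling, one pass: when the most-erased live block is above the
 * average erase count, exchange its data with the least-erased live block.
 * The cold data then sits in the worn block, which GC stops recycling, and the
 * formerly cold block joins the rotation. Returns 1 if a swap was made. */
int static_level(flash_t *f) {
    uint32_t total = 0;
    int hot = -1, cold = -1;
    for (int i = 0; i < NBLOCKS; i++) {
        total += f->blk[i].erase_count;
        if (f->blk[i].state == BLK_VALID &&
            (hot < 0 || f->blk[i].erase_count > f->blk[hot].erase_count)) hot = i;
    }
    if (hot < 0 || f->blk[hot].erase_count * NBLOCKS <= total) return 0;   /* not above average */
    for (int i = 0; i < NBLOCKS; i++)
        if (i != hot && f->blk[i].state == BLK_VALID &&
            (cold < 0 || f->blk[i].erase_count < f->blk[cold].erase_count)) cold = i;
    if (cold < 0 || f->blk[hot].erase_count - f->blk[cold].erase_count < WEAR_GAP) return 0;
    /* Exchange contents; each block is rewritten, so each takes one more erase. */
    block_t h = f->blk[hot], c = f->blk[cold];
    f->blk[hot].logical = c.logical;   f->blk[hot].data = c.data;
    f->blk[cold].logical = h.logical;  f->blk[cold].data = h.data;
    f->blk[hot].erase_count++;
    f->blk[cold].erase_count++;
    f->map[c.logical] = hot;
    f->map[h.logical] = cold;
    return 1;
}

int read_logical(const flash_t *f, int logical) {
    int b = f->map[logical];
    return b < 0 ? -1 : (int)f->blk[b].data;
}

/* Drive the model: one cold sector written once, then n_hot writes to a hot sector. */
void simulate(flash_t *f, int n_hot, int use_static) {
    flash_init(f);
    write_dynamic(f, 1, 0xC0);
    for (int i = 1; i <= n_hot; i++) {
        write_dynamic(f, 0, (uint8_t)i);
        if (use_static) static_level(f);
    }
}
```

With dynamic leveling alone, a block holding cold data is never erased and the remaining blocks absorb all the wear; with the static pass added, the cold block is drawn into the rotation while every logical sector still reads back its last written value.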
In the above embodiment, the wear leveling management unit is configured to manage the erasing times of the relay protection safety chip, so that the service life of a memory in the relay protection safety chip can be effectively prolonged, and the stability of the system is further improved.
In an embodiment, the file management module 400 further includes a power down protection unit, configured to backup the data to be erased and then perform corresponding erasing operation when receiving the data erasing instruction.
Specifically, a buffer area of fixed size is set aside in the memory as a backup area; before erasing of the data starts, the data to be erased is backed up to this area and the area is set to the "backed-up state". If the write succeeds, the corresponding data in the backup area is marked as "failed data"; if the write does not succeed, the corresponding data in the backup area is marked as "valid data". When the system is powered on again, the state identifier of the data in the backup area is read first; if valid data exists, it is restored to the erased location and the corresponding data in the backup area is marked as "failed data", so that the backup area can be used next time. To further relieve the erase burden on the backup area, the buffer area can be divided into several backup areas that are used cyclically. It is understood that only backup areas that are not in the "backed-up state", or that are in the "backed-up state" but whose data is "failed data", can be used for the current data backup.
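The power-down protection procedure above, as an added example that is not the patent's code: a memory image with several cyclically used backup slots, each carrying the "backed-up" state and the "valid"/"failed" data flag, an erase-then-write update that backs up first, and the power-on recovery that restores any slot still flagged valid. Memory and slot sizes are constructed; `fail_after_erase` is a test hook that models losing power between the erase and the write.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 8
#define NBACKUP  2
#define ERASED   0xFF

enum { SLOT_IDLE, SLOT_BACKED_UP };
enum { DATA_FAILED, DATA_VALID };

typedef struct {
    int     state;   /* SLOT_IDLE or SLOT_BACKED_UP */
    int     flag;    /* DATA_VALID: restore on power-up; DATA_FAILED: stale, reusable */
    int     addr;    /* memory location the backup belongs to */
    uint8_t data;
} backup_slot_t;

typedef struct {
    uint8_t       mem[MEM_SIZE];
    backup_slot_t slot[NBACKUP];
    int           next_slot;          /* cyclic use of the backup areas */
    int           fail_after_erase;   /* test hook: simulate power loss mid-update */
} nvm_t;

void nvm_init(nvm_t *n) {
    memset(n->mem, 0, sizeof n->mem);
    for (int i = 0; i < NBACKUP; i++)
        n->slot[i] = (backup_slot_t){ SLOT_IDLE, DATA_FAILED, -1, 0 };
    n->next_slot = 0;
    n->fail_after_erase = 0;
}

/* A slot may be reused when it is not backed up, or is backed up but its data
 * is already marked failed. A slot whose data is still VALID is a pending
 * recovery and must never be overwritten. */
static int pick_slot(nvm_t *n) {
    for (int k = 0; k < NBACKUP; k++) {
        int i = (n->next_slot + k) % NBACKUP;
        if (n->slot[i].state == SLOT_IDLE || n->slot[i].flag == DATA_FAILED) {
            n->next_slot = (i + 1) % NBACKUP;
            return i;
        }
    }
    return -1;
}

/* Erase-then-write with backup. Returns 0 on success, -1 if no backup slot is
 * available, 1 if the (simulated) power loss interrupted the update. */
int nvm_update(nvm_t *n, int addr, uint8_t value) {
    int s = pick_slot(n);
    if (s < 0) return -1;
    /* 1. back up the data about to be erased; area is now backed up / valid */
    n->slot[s] = (backup_slot_t){ SLOT_BACKED_UP, DATA_VALID, addr, n->mem[addr] };
    /* 2. erase */
    n->mem[addr] = ERASED;
    if (n->fail_after_erase) return 1;       /* power lost here: slot stays VALID */
    /* 3. write the new content */
    n->mem[addr] = value;
    /* 4. write succeeded: the backup is now stale */
    n->slot[s].flag = DATA_FAILED;
    return 0;
}

/* Power-up: any backed-up slot still flagged VALID belongs to an update that
 * never completed. Restore it and release the slot. Returns the number of
 * restored locations. */
int nvm_power_on(nvm_t *n) {
    int restored = 0;
    for (int i = 0; i < NBACKUP; i++) {
        backup_slot_t *b = &n->slot[i];
        if (b->state == SLOT_BACKED_UP && b->flag == DATA_VALID) {
            n->mem[b->addr] = b->data;
            b->flag = DATA_FAILED;
            restored++;
        }
    }
    return restored;
}
```

The order of the flag updates is what makes the scheme safe: the slot is marked valid before the erase begins and marked failed only after the new data is in place, so a power loss anywhere in between leaves a recoverable record, and a slot that still holds one is never handed out for a new backup.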
In the above embodiment, when the configured power down protection unit receives the data erasing instruction, the data to be erased is backed up and then the corresponding erasing operation is performed, so that data loss caused by power down can be avoided.
In a second aspect of the present application, as shown in fig. 9, a communication method for an operation system of a relay protection security chip is provided, which is implemented based on the operation system of the relay protection security chip, and includes steps S200 to S800.
Step S200: receive an APDU command message sent by the terminal.
Step S400: perform a validity check on the APDU command message; the validity check comprises a CLA instruction class check, a CLA hash check and an INS check.
Step S600: when the validity check is passed, judge whether the APDU command message conforms to the regulation of the preset command execution authority.
Step S800: if so, perform a response operation on the APDU command message and feed back the response result to the terminal.
The relay protection safety chip operating system is a special system operated in the relay protection safety chip and used for controlling information exchange between the relay protection safety chip and the outside. Terminals include, but are not limited to, various personal computers, laptops, smartphones, tablets, and portable wearable devices. The interactive message between the terminal and the relay protection safety chip mostly adopts the form of APDU protocol. According to the definition of ISO7816 standard, the APDU message used by the terminal is an APDU command message, namely C-APDU; the APDU message used by the security chip is an APDU response message, namely R-APDU.
Specifically, the communication management module receives an APDU command message sent by the terminal and forwards the APDU command message to the command processing module based on a preset information transmission protocol; and receiving a response result corresponding to the APDU command message, and sending the response result to the terminal according to a format corresponding to the information transmission protocol. For the exchange command specification, security management specification, etc., reference is made to the current ISO7816-4, 8, 9 standard, which will not be described in detail in this application.
Further, the APDU command message includes a command header and a command body, and the command header includes a CLA field, an INS field, a P1 field, and a P2 field. CLA fields are used to indicate the type of APDU, INS indicates the instruction to be executed, and P1 and P2 fields are arguments. The command processing module receives the APDU command message forwarded by the communication management module, analyzes and verifies the validity of the received APDU command message, extracts CLA information and INS information in the message, sequentially performs validity checks such as CLA instruction class check, CLA hash check and INS check, and sends the APDU command message to the safety management module after the validity checks pass.
The safety management module relates to an authority control and confidential information confidentiality related mechanism for accessing internal data of the relay protection safety chip, and is used for judging whether the APDU command message meets the regulation of the execution authority of the preset command or not and feeding back the judgment result to the command processing module. The file management module is responsible for managing the storage space, is used for responding to the APDU command message, and feeds back a response result to the command processing module, and specifically comprises file selection, creation, deletion, reading, writing and the like. And the response result is received by the terminal in the form of an APDU response message after sequentially passing through the command processing module and the communication management module.
It can be understood that the command processing module is further configured to feed back, to the terminal or the display device, corresponding verification failure information through the communication management module when the validity verification fails, and the security management module is further configured to feed back, to the terminal or the display device, verification failure information through the command processing module and the communication management module in sequence when it is determined that the APDU command packet does not meet the provision of the preset command execution permission.
It should be noted that, all or part of each module in the relay protection security chip operating system may be implemented by software, hardware, or a combination thereof. The modules can be embedded in a processor of the relay protection SOC chip or independent of the processor of the relay protection SOC chip in a hardware form, and can also be stored in a memory of the relay protection SOC chip in a software form, so that the processor can call and execute the corresponding operation of each module.
Furthermore, the relay protection safety chip operating system further comprises a bottom layer driving module for controlling the bottom layer of the relay protection safety chip. Specifically, the bottom driver module is used for controlling hardware involved in the working process of each module, for example, driving an I/O interface so that the communication management module can establish a communication link with a terminal; and driving the memory so that the file management module can smoothly perform message response operation.
According to the communication method of the relay protection safety chip operating system, corresponding response operation is carried out only when validity checks such as CLA instruction class check, CLA hash check and INS check are passed and corresponding command execution rights are confirmed, and the safety of the relay protection safety chip operating system is improved.
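The front half of the communication method (receiving the C-APDU, parsing its header, the CLA instruction class check and the INS check) as an added example, not code from the patent. The header layout, the short APDU cases 1 to 4, the rule that INS values '6X' and '9X' are invalid, and the status words 6700, 6E00, 6D00 and 9000 are from ISO/IEC 7816-4; the set of accepted CLA classes and the table of supported INS codes are a constructed policy. The page also names a "CLA hash check" without defining it, so that step is not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Status words (ISO/IEC 7816-4). */
#define SW_OK                 0x9000
#define SW_WRONG_LENGTH       0x6700
#define SW_CLA_NOT_SUPPORTED  0x6E00
#define SW_INS_NOT_SUPPORTED  0x6D00

typedef struct {
    uint8_t cla, ins, p1, p2;   /* command header */
    uint8_t lc;                 /* length of command data, 0 if absent */
    const uint8_t *data;        /* command body, NULL if absent */
    int le;                     /* expected response length, -1 if absent (Le byte 0 means 256) */
} apdu_t;

/* Parse a short C-APDU (cases 1-4). Returns SW_OK or SW_WRONG_LENGTH. */
uint16_t apdu_parse(const uint8_t *buf, size_t len, apdu_t *out) {
    if (len < 4) return SW_WRONG_LENGTH;
    memset(out, 0, sizeof *out);
    out->cla = buf[0]; out->ins = buf[1]; out->p1 = buf[2]; out->p2 = buf[3];
    out->le = -1;
    if (len == 4) return SW_OK;                                   /* case 1 */
    if (len == 5) { out->le = buf[4] ? buf[4] : 256; return SW_OK; }  /* case 2 */
    out->lc = buf[4];
    if (out->lc == 0) return SW_WRONG_LENGTH;                     /* short Lc must be 1..255 */
    out->data = buf + 5;
    if (len == 5u + out->lc) return SW_OK;                        /* case 3 */
    if (len == 6u + out->lc) {                                    /* case 4 */
        uint8_t le = buf[5 + out->lc];
        out->le = le ? le : 256;
        return SW_OK;
    }
    return SW_WRONG_LENGTH;            /* body shorter or longer than Lc announces */
}

/* CLA instruction class check: this constructed COS accepts the first
 * interindustry class (0x0X) and one proprietary class (0x8X). */
int cla_class_supported(uint8_t cla) {
    uint8_t cls = cla & 0xF0;
    return cls == 0x00 || cls == 0x80;
}

/* INS check in two parts: ISO 7816-4 forbids INS '6X' and '9X' (they collide
 * with T=0 procedure bytes), then the INS must be in the supported table
 * (constructed subset of interindustry commands). */
static const uint8_t SUPPORTED_INS[] = {
    0xA4,   /* SELECT */
    0xB0,   /* READ BINARY */
    0xD6,   /* UPDATE BINARY */
    0x20,   /* VERIFY */
    0x82,   /* EXTERNAL AUTHENTICATE */
    0xE0,   /* CREATE FILE */
};

int ins_supported(uint8_t ins) {
    uint8_t hi = ins & 0xF0;
    if (hi == 0x60 || hi == 0x90) return 0;
    for (size_t i = 0; i < sizeof SUPPORTED_INS; i++)
        if (SUPPORTED_INS[i] == ins) return 1;
    return 0;
}

/* Steps S200-S400 up to the hand-off to the security management module:
 * parse, CLA class check, INS check. A failing SW is what the terminal gets
 * back; SW_OK means the APDU proceeds to the permission check of step S600. */
uint16_t apdu_validate(const uint8_t *buf, size_t len, apdu_t *out) {
    uint16_t sw = apdu_parse(buf, len, out);
    if (sw != SW_OK) return sw;
    if (!cla_class_supported(out->cla)) return SW_CLA_NOT_SUPPORTED;
    if (!ins_supported(out->ins)) return SW_INS_NOT_SUPPORTED;
    return SW_OK;
}
```

Checking the announced Lc against the bytes actually received, before any field is dereferenced, is the part of the validity check that protects the command processing module from a malformed frame; the CLA and INS checks then reject commands the chip does not implement before they reach the security and file management modules.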
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A relay protection safety chip operating system is characterized by comprising a communication management module, a safety management module, a command processing module and a file management module; the command processing module is connected with the communication management module, the safety management module and the file management module; the communication management module is also connected with a terminal;
the communication management module is used for receiving the APDU command message sent by the terminal and sending the APDU command message to the command processing module;
the command processing module is used for carrying out validity check on the APDU command message, sending the APDU command message to the safety management module after the validity check is passed, and sending the APDU command message to the file processing module when the APDU command message meets the regulation of a preset command execution authority; the validity check comprises CLA instruction class check, CLA hash check and INS check;
the safety management module is used for judging whether the APDU command message meets the regulation of the preset command execution authority or not and feeding back the judgment result to the command processing module;
the file processing module is used for responding to the APDU command message and feeding back a response result to the command processing module; and the response result is received by the terminal after sequentially passing through the command processing module and the communication management module.
2. The relay protection safety chip operating system according to claim 1, wherein the communication management module includes an ATR sending unit, a PPS negotiation unit, and an APDU management unit;
the ATR sending unit is used for acquiring communication electrical parameter information of the terminal and the relay protection safety chip and comparing the communication electrical parameter information with the communication electrical parameter information;
the PPS negotiation unit is used for determining communication parameters according to a preset negotiation mode when the communication electrical parameter information of the terminal and the relay protection safety chip is inconsistent;
and the APDU management unit is used for carrying out data transmission between the terminal and the relay protection safety chip based on the communication parameters.
3. The relay protection safety chip operating system according to claim 1, wherein the safety management module includes a safety attribute management submodule, a safety state management submodule, and a safety mechanism management submodule;
the safety attribute management submodule is used for determining the corresponding relation between the APDU command message and the safety state;
the safety state management submodule is used for determining the current safety state;
and the safety mechanism management submodule is used for judging whether the APDU command message conforms to the regulation of the execution authority of the preset command or not according to the APDU command message and the corresponding relation between the APDU command message and the safety state, and feeding back the judgment result to the command processing module.
4. The relay protection safety chip operating system according to claim 3, wherein the safety attribute management sub-module is specifically configured to determine a correspondence between an APDU command message and an operation type, and a correspondence between an operation type and a safety state; the safety mechanism management submodule comprises a data encryption and decryption unit, an authentication and verification unit and a file access safety control unit;
the data encryption and decryption unit is used for decrypting the APDU command message and determining the executable operation type of the APDU command message according to the corresponding relation between the APDU command message and the operation type after decryption;
the authentication and verification unit is used for configuring the safety state according to the operation type, the current safety state and the corresponding relation between the operation type and the safety state;
and the file access security control unit is used for judging whether the APDU command message conforms to the regulation of the preset command execution authority or not based on the configured security state, and feeding back the judgment result to the command processing module.
5. The relay protection safety chip operating system according to claim 1, wherein the file management module includes a file query unit, an upper level file management unit, a lower level file management unit, and a peer level file management unit;
the file query unit is used for carrying out file directory query according to the APDU command message to obtain the name and the level of a file to be processed;
the superior file management unit, the subordinate file management unit and the peer file management unit are used for respectively responding to the files to be processed at the corresponding levels according to the names and the levels of the files to be processed and feeding back response results to the command processing module.
6. The relay protection safety chip operating system according to claim 5, wherein the file management module further comprises a wear leveling management unit for managing the erase/write times of the relay protection safety chip.
7. The relay protection safety chip operating system according to claim 5, wherein the file management module further comprises a power-down protection unit, configured to backup data to be erased before performing corresponding erasing operation when receiving a data erasing instruction.
8. The relay protection safety chip operating system according to any one of claims 1 to 7, wherein the command processing module includes a CLA processing unit and an INS processing unit;
the CLA processing unit is used for sequentially carrying out CLA instruction class verification and CLA hash verification, and after the CLA instruction class verification and the CLA hash verification pass, analyzing the APDU command message to obtain an INS instruction code and sending the INS instruction code to the INS processing unit;
and the INS processing unit is used for performing INS validity check and INS logic check on the INS instruction code and transmitting the APDU command message to the safety management module after the INS instruction code passes the check.
9. The relay protection security chip operating system of claim 8, wherein the CLA processing unit is further configured to perform CLA repeated verification before the APDU command message is analyzed to obtain the INS command code and the INS command code is sent to the INS processing unit after the CLA command class verification and the CLA hash verification pass.
10. A communication method for an operation system of a relay protection security chip, which is implemented based on the operation system of the relay protection security chip of any one of claims 1 to 9, and comprises:
receiving an APDU command message sent by a terminal;
carrying out validity check on the APDU command message; the validity check comprises CLA instruction class check, CLA hash check and INS check;
when the validity check is passed, judging whether the APDU command message conforms to the regulation of a preset command execution authority;
and if so, performing response operation on the APDU command message, and feeding back a response result to the terminal.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111071063.2A CN113704773B (en) 2021-09-13 2021-09-13 Relay protection safety chip operating system and communication method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111071063.2A CN113704773B (en) 2021-09-13 2021-09-13 Relay protection safety chip operating system and communication method thereof

Publications (2)

Publication Number Publication Date
CN113704773A true CN113704773A (en) 2021-11-26
CN113704773B CN113704773B (en) 2022-11-25

Family

ID=78660180

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111071063.2A Active CN113704773B (en) 2021-09-13 2021-09-13 Relay protection safety chip operating system and communication method thereof

Country Status (1)

Country Link
CN (1) CN113704773B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115718555A (en) * 2022-11-16 2023-02-28 河南翔宇医疗设备股份有限公司 Control method of man-machine interaction and related assembly

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100115275A1 (en) * 2008-11-03 2010-05-06 Samsung Electronics Co. Ltd. Security system and method for wireless communication system
CN102567009A (en) * 2011-09-27 2012-07-11 广州中大微电子有限公司 Configurable financial smart card operation system architecture
US20130159428A1 (en) * 2011-12-19 2013-06-20 Vmware, Inc. Methods and apparatus for an e-mail-based management interface for virtualized environments
CN105719409A (en) * 2014-12-05 2016-06-29 航天信息股份有限公司 Tax control equipment based on COS system
CN108183903A (en) * 2017-12-29 2018-06-19 靖州鑫兴智能科技有限公司 A kind of intelligent card chip operating system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郭剑岚 et al.: "Analysis and Implementation of Smart Card Chip Operating System Commands", Network Security Technology & Application *

Also Published As

Publication number Publication date
CN113704773B (en) 2022-11-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant