CN117473529A - Touch IC working mode loading method, PIN input method and input system - Google Patents


Info

Publication number
CN117473529A
Authority
CN
China
Prior art keywords
touch
working mode
cpu
pin
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311478175.9A
Other languages
Chinese (zh)
Inventor
黄建新
潘建源
徐春梅
元光乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Newland Payment Technology Co ltd
Original Assignee
Fujian Newland Payment Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/83 Protecting input, output or interconnection devices; input devices, e.g. keyboards, mice or controllers thereof

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Input From Keyboards Or The Like (AREA)

Abstract

The invention discloses a touch IC working mode loading method, a PIN input method and an input system. They remove the risk inherent in the data path between the touch IC and the secure CPU, in particular the risk that plaintext key-coordinate data related to the PIN is probed and stolen, and so protect the PIN and raise the security of a financial POS. Because the touch coordinate data produced by the touch IC is encrypted at the software layer, the physical protection around PIN input can be simplified: the POS product relies on logical protection (encryption and decryption of the data), its physical design can be simplified accordingly (stronger software-layer protection reduces dependence on the physical layer), and the overall cost of the product's security protection falls. Encrypting at the software layer also makes the POS far less sensitive to electrical interference and improves product reliability.

Description

Touch IC working mode loading method, PIN input method and input system
Technical Field
The invention relates to POS equipment and the acquisition and exchange of financial data, in particular to a touch IC working mode loading method, a PIN input method and an input system.
Background
With the spread of touch technology, many financial POS devices use a touch screen to collect payment-related input such as the PIN (the user's password) and the electronic signature. The PIN is highly critical security information of the user and must be protected with emphasis; the electronic signature is of lower importance and usually does not need emphasized protection.
The conventional security design for PIN information is as follows. When a PIN is required, the LCD displays a numeric keypad, the touch screen senses the touch state and position of the user, and coordinate data is formed and sent to the secure CPU. The secure CPU then maps the coordinates onto the key regions of the keypad to recover the key codes and hence the PIN. Financial POS security requirements demand software and hardware protection together with an intrusion detection and response mechanism, so that physical attacks (drilling, laser, chemical etching, case opening and so on) can be resisted; an attacker typically obtains the PIN by shielding or bypassing such security mechanisms.
Conventional software and hardware protection of the PIN takes one of two forms:
1) Dual protection: the numeric keypad shown on the LCD is laid out in a random (scrambled) order, and the intrusion detection and response mechanism of the secure CPU physically protects both the LCD signals and the touch screen signals. The benefit is that the attack risk is spread over two signal groups: an attacker must capture both the LCD signal and the touch screen signal at the same time to recover the PIN. The drawbacks are that a scrambled keypad is inconvenient to use and prone to input errors; plaintext coordinate data still travels between the touch screen and the secure CPU, so both signal groups remain exposed to probing; and the physical protection is hard to design, is easily triggered into false tamper alarms by electrical interference, and so reduces product reliability;
2) Protection of the touch screen and its signals only: the keypad is shown in normal order, and the intrusion detection and response mechanism of the secure CPU physically protects the touch screen signals. The benefit is convenient PIN entry. The weakness is that plaintext coordinate data travels between the touch screen and the secure CPU and the whole attack risk is concentrated on the touch screen signals: a successful attack at any single point on the signal path (transmission line, connector and so on) between the touch screen and the secure CPU leaks the PIN. In addition the physical protection is difficult and costly to design and is prone to false tamper alarms caused by electrical interference, which affects product reliability.
Among the published prior art, some documents describe a touch screen, a touch encryption keypad and a touch screen information input method that add an encryption module and a shielding housing: the encryption module encrypts the position coordinates obtained from the touch screen controller and then sends the encrypted touch information to an external host, while the shielding housing supplies an intrusion detection signal that protects the touch chip and the encryption module against physical attacks such as drilling. The disadvantages of this solution are: 1) the shielding housing itself needs physical protection, which makes it costly to manufacture and less reliable; 2) if the detection works only while powered, the housing can be opened with the power removed and the detection signal shorted end to end, bypassing the protection mechanism, after which the connection between the touch chip and the encryption module can be tapped and the plaintext coordinates stolen; 3) an additional encryption module is required, which raises the cost and complexity of the system, and the protection of the encryption module itself is not addressed: if an illegal program can be loaded into it, security cannot be guaranteed. Other documents propose a secure password input system and method based on a secure touch screen control chip, which encrypts the password input interface image before sending it to the display, encrypts and stores the touch information generated by the touch screen, and decrypts and transmits the password automatically when the system processor issues a password read command.
The disadvantages of this solution are: 1) the secure touch screen control chip and the system processor communicate in plaintext, so the connection between them still needs additional protection; 2) downloading and updating the user program of the secure touch screen control chip is not subject to any legitimacy check, so an illegal program can be loaded to steal the password; 3) the scheme scrambles and encrypts the password input interface images to defeat screen-capture analysis by malicious programs, which is not needed in financial POS practice. Financial POS security rules require that touch screen password entry must not echo which key was pressed and must not display the entered key code; only a '*' may be displayed in place of each entered digit. This already defeats peeping by an external camera or screen capture by a malicious program, so the secure touch screen control chip need not be coupled to the display at all, which reduces the complexity of the system.
In summary, improving the security of data transmission between the touch IC and the secure CPU of a financial POS, while reducing the dependence of the financial POS on physical hardware protection, is a problem of practical significance.
Disclosure of Invention
Accordingly, the invention aims to provide a touch IC working mode loading method, a PIN input method and an input system that are reliable to implement, flexible to apply, low in cost and secure.
In order to achieve the technical purpose, the invention adopts the following technical scheme:
A method for loading the working mode of a touch IC that has a built-in memory and a serial interface comprises the following steps:
on power-on or reset, the touch IC loads either the normal working mode or the secure working mode according to a preset setting; while in the normal working mode the touch IC can be switched irreversibly into the secure working mode according to the preset setting; once in the secure working mode, the touch IC loads only the secure working mode on every subsequent power-on or reset;
in the normal working mode, the touch IC can update or download the touch application program through the serial interface and/or the debug interface;
in the secure working mode, the insecure download interfaces of the touch IC are closed and the touch IC can update or download the touch application program only through a preset secure boot program.
For loading the touch IC working mode, in one possible implementation the memory comprises ROM, eFuse memory or OTP memory;
the normal working mode is loaded by a normal boot program built into the ROM;
in the normal working mode the touch IC either runs the touch application program from the normal boot program or updates or downloads the touch application program over the serial interface or the debug interface;
in the normal working mode the touch IC loads a preset secure boot program and a public key through the normal boot program, programs the eFuse or OTP memory by instruction so as to close the debug interface and every download interface defined as insecure, and at the same time redirects the CPU boot address used on power-on and reset to the entry of the secure boot program, whereupon the touch IC enters the secure working mode; on every subsequent power-on or reset the touch IC loads only the secure working mode.
In another possible implementation the memory comprises FLASH program memory, eFuse memory or OTP memory;
the normal working mode is loaded by a normal boot program preset in the FLASH program memory;
in the normal working mode the touch IC either runs the touch application program from the normal boot program or updates or downloads the touch application program over the serial interface;
in the normal working mode the touch IC loads a preset agent program through the normal boot program, then through the agent program loads the secure boot program and the public key, overwriting the normal boot program, programs the eFuse or OTP memory by instruction so as to close the debug interface and every download interface defined as insecure, and thereby enters the secure working mode; on every subsequent power-on or reset the touch IC loads only the secure working mode.
Preferably, in the secure working mode the touch IC verifies the integrity and legitimacy of the touch application program that it runs or updates using a digest algorithm, a signature algorithm and the public key; and each time it is powered on into the secure working mode the touch IC also performs a self-check, so that an illegal program cannot be downloaded or updated into the touch IC.
Preferably, the digest algorithm is SHA-2, SHA-3 or SM3, and the signature algorithm is SM2, ECC, ECDSA, RSA or DSA.
Building on the above, the invention further provides a PIN input method for a financial POS that uses the touch IC working mode loading method described above. The financial POS also comprises a secure CPU, which has a built-in random number generator, and a touch screen. The PIN input method comprises the following steps:
In a secure environment, that is, at a security-controlled financial POS production or maintenance site, the secure CPU performs a secure initialization or secure reset, during which:
1) the touch IC is secured (switched from the normal working mode to the secure working mode) and the touch application program is loaded into it;
2) the encryption key is loaded: the random number generator of the secure CPU generates a random number to serve as the encryption and decryption key for the touch coordinate data, called Key_xy, and the key is written into the touch IC over the communication interface between the secure CPU and the touch IC. Inside the touch IC the key is kept in secure storage that cannot be read out and is retained across power loss. Inside the secure CPU the key is encrypted under a root key and stored as ciphertext in non-volatile memory; it is decrypted with the root key only while it is being used and is cleared from memory afterwards.
The encryption and decryption key for the touch coordinate data can therefore be generated and written into the touch IC only in a secure environment: the key is transmitted in the clear during loading, so writing it into the touch IC anywhere else would expose it to eavesdropping. This arrangement also prevents an attacker from stealing the key by replacing the touch IC or the touch module.
During a financial payment transaction, when PIN entry is required:
S01, the secure CPU generates a random number with its random number generator, designates it Rdata_add0 and stores it in its memory;
S02, the secure CPU issues a state switching control instruction so that the coordinate data subsequently transmitted by the touch IC is in ciphertext form, and at the same time sends the random number Rdata_add0 to the touch IC;
S03, the touch IC, in the secure working mode, performs touch detection on the touch screen, obtains the touch state and position of the user and forms touch coordinate data;
S04, the touch IC concatenates the touch coordinate data with the random number Rdata_add0, encrypts the result with the key Key_xy and a symmetric encryption algorithm to form a ciphertext, and sends the ciphertext to the secure CPU;
S05, the secure CPU receives the ciphertext and decrypts it with the key Key_xy corresponding to that touch IC and the matching symmetric decryption algorithm, obtaining a set of touch coordinate data and a random number Rdata_add1;
S06, the secure CPU compares the random number Rdata_add1 obtained in S05 with the random number Rdata_add0 generated in S01; if they are identical, the touch IC is deemed trusted and the method proceeds to S07; if not, the touch IC is deemed untrusted and the financial POS transaction is terminated;
S07, the secure CPU parses the touch coordinate data obtained in S05 into the corresponding input and examines its content: if the input is a cancel command, the method proceeds to S08; if the input is a digit key code, the secure CPU checks the accumulated PIN length, proceeding to S08 when it meets the preset requirement and returning to S03 when it does not;
S08, the secure CPU cancels the input or finalizes the PIN according to the content determined in S07.
Preferably, in S04 the touch IC encrypts and transmits each set of touch coordinate data to the secure CPU in real time as it is acquired.
Preferably, when the PIN length check of S07 finds the PIN shorter than the preset length, the method returns to S03 and the secure CPU retains the digits recovered so far, appends the digits recovered from the touch IC's subsequent ciphertext transmissions, and repeats the length check until the length requirement is met or the secure CPU exits on timeout.
Preferably, when PIN entry ends in S08, the secure CPU issues another state switching control instruction so that the touch coordinate data subsequently transmitted by the touch IC is again in plaintext form.
Preferably, the symmetric encryption algorithm with which the touch IC encrypts the concatenated touch coordinate data and random number Rdata_add0 is AES, DES, 3DES or SM4.
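The S01 to S08 exchange above, together with the key loading of step 2) and the preferred behaviours (per-touch reports, digit accumulation, timeout, switching back to plaintext), modelled end to end in Python. This is an added example and is not code from the patent or from Fujian Newland. Assumptions: the keypad geometry and the touch coordinates are constructed; the standard library has no AES or SM4, so the symmetric cipher is an HMAC-SHA256 keystream with an HMAC tag appended (encrypt-then-MAC), with the two uses of Key_xy domain-separated by a prefix; the names TouchIC, SecureCPU, report, enter_pin and outcome are the example's own.

```python
import hashlib
import hmac
import secrets
import struct

# The standard library has no AES/SM4, so the symmetric cipher is a stand-in:
# an HMAC-SHA256 keystream (CTR style) plus an HMAC tag (encrypt-then-MAC).
# Both uses of Key_xy are domain-separated by the b"enc" / b"mac" prefixes.
def _keystream(key_xy, iv, n):
    blocks = (hmac.new(key_xy, b"enc" + iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def _tag(key_xy, iv, ct):
    return hmac.new(key_xy, b"mac" + iv + ct, hashlib.sha256).digest()[:16]

def encrypt(key_xy, plaintext):
    """Frame layout: 16-byte iv || ciphertext || 16-byte tag."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key_xy, iv, len(plaintext))))
    return iv + ct + _tag(key_xy, iv, ct)

def decrypt(key_xy, frame):
    """Plaintext, or None when the tag does not verify (wrong key or altered frame)."""
    iv, ct, tag = frame[:16], frame[16:-16], frame[-16:]
    if len(frame) < 32 or not hmac.compare_digest(tag, _tag(key_xy, iv, ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key_xy, iv, len(ct))))

class UntrustedTouchIC(Exception):
    pass

class TouchIC:
    def __init__(self, key_xy):
        self.key_xy = key_xy          # written once at a secure site; not readable; kept across power loss
        self.cipher_mode, self.rdata = False, None

    def switch_mode(self, cipher, rdata=None):   # state switching control instruction (S02 / S08)
        self.cipher_mode, self.rdata = cipher, rdata

    def report(self, x, y):                      # S03 / S04: one touch report
        coords = struct.pack(">HH", x, y)
        return encrypt(self.key_xy, coords + self.rdata) if self.cipher_mode else coords

# Constructed 3x4 keypad on a 480x800 screen: label -> (x0, y0, x1, y1).
KEYPAD = {str(i + 1): (160 * (i % 3), 400 + 100 * (i // 3), 160 * (i % 3) + 159, 499 + 100 * (i // 3))
          for i in range(9)}
KEYPAD.update({"CANCEL": (0, 700, 159, 799), "0": (160, 700, 319, 799), "OK": (320, 700, 479, 799)})

def key_at(x, y):
    for label, (x0, y0, x1, y1) in KEYPAD.items():
        if x0 <= x <= x1 and y0 <= y <= y1:
            return label
    return None

class SecureCPU:
    def __init__(self, key_xy):
        self.key_xy = key_xy   # on the device: root-key wrapped, unwrapped only while in use

    def enter_pin(self, ic, inputs, pin_len=4):
        """S01-S08. Each input is an (x, y) touch sensed by the IC, or raw bytes an
        attacker injects on the bus. Returns the PIN, or None on CANCEL."""
        rdata_add0 = secrets.token_bytes(8)                    # S01
        ic.switch_mode(True, rdata_add0)                       # S02
        pin = ""
        try:
            for item in inputs:
                frame = item if isinstance(item, bytes) else ic.report(*item)
                pt = decrypt(self.key_xy, frame)               # S05
                if pt is None:
                    raise UntrustedTouchIC("frame does not decrypt: wrong Key_xy or altered in transit")
                if not hmac.compare_digest(pt[4:], rdata_add0):      # S06
                    raise UntrustedTouchIC("Rdata_add1 != Rdata_add0: replayed frame or substituted IC")
                label = key_at(*struct.unpack(">HH", pt[:4]))  # S07
                if label == "CANCEL":
                    return None
                if label is not None and label.isdigit():
                    pin += label
                    if len(pin) >= pin_len:
                        return pin                             # S08: PIN complete
            raise TimeoutError("inputs ended before the preset PIN length")
        finally:
            ic.switch_mode(False)                              # S08: back to plaintext reports

def outcome(cpu, ic, inputs):
    """PIN string, None on cancel, or the failure class ("untrusted" / "timeout")."""
    try:
        return cpu.enter_pin(ic, inputs)
    except UntrustedTouchIC:
        return "untrusted"
    except TimeoutError:
        return "timeout"
```

The tag is a deliberate addition. The trust decision in S06 rests on Rdata_add1 matching Rdata_add0, which shows that the frame came from a part holding Key_xy and is fresh for this session; with a malleable cipher such as a CTR-mode keystream, however, an attacker on the bus could flip bits in the coordinate field while leaving the random-number field intact, so a practitioner would pair the cipher with an authentication tag or use an AEAD mode, as done here. The outcome helper makes the three failure cases the text names easy to exercise: a frame replayed from an earlier session (decrypts, but Rdata_add1 differs), a substituted touch IC without Key_xy, and a frame altered in transit.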
In the scheme of the invention, the touch IC performs touch detection and generates touch coordinate data. It has a serial communication interface to the secure CPU (I2C, SPI or UART, among others) and contains a CPU core, a storage module and an encryption/decryption module. Functionally, the touch IC supports symmetric encryption and decryption algorithms including but not limited to AES, DES, 3DES and SM4, and encrypts the coordinate data with one of them so that the coordinate data is transmitted as ciphertext; it supports key storage, so that the encryption and decryption key for the touch coordinate data can be written into and stored in the touch IC by control instruction, cannot be read out, and is retained across power loss; and it supports secure boot and secure update, with digest algorithms including but not limited to SHA-2, SHA-3 and SM3 and signature algorithms including but not limited to SM2, ECC, ECDSA, RSA and DSA, using one digest algorithm and one signature algorithm to verify the integrity and legitimacy of the touch application program that it runs or updates.
The secure CPU is the security core of the financial POS and processes sensitive payment information such as the PIN, payment transaction keys and account data. It has a built-in encryption/decryption module supporting at least one symmetric algorithm such as AES, DES, 3DES or SM4, chosen to be compatible with the algorithm supported by the touch IC. It also has a built-in random number generator which, during secure initialization or secure reset, generates the root key and the encryption and decryption key for the touch coordinate data. The root key is held in the secure memory of the secure CPU and is destroyed when the secure CPU responds to an intrusion; the other payment transaction keys and the encryption and decryption keys are encrypted under the root key and stored as ciphertext in the secure CPU's non-volatile memory. The plaintext of the key used to encrypt and decrypt the touch coordinate data exists only while in use: it is decrypted with the root key on demand and cleared afterwards.
Building on the above, the invention also provides a financial POS information input system that implements the PIN input method described above. The system comprises:
a touch IC, which receives working instructions and loads the secure working mode on power-on or reset; in the secure working mode the download interfaces and/or debug interfaces defined or marked as insecure are closed and the touch IC can update or download the touch application program only through the preset secure boot program; the touch IC has a built-in memory (ROM, FLASH program memory, eFuse memory or OTP memory) that stores the secure boot program and the touch application program needed to load the working mode;
a touch screen connected to the touch IC, which collects touch information and passes it to the touch IC for detection;
a secure CPU, which controls the transmission form of the touch IC (plaintext or ciphertext for the detected touch coordinate data) and parses and judges the information containing the touch coordinate data transmitted by the touch IC so as to obtain a PIN that meets the requirements.
Compared with the prior art, the technical scheme has the following beneficial effects. It removes the risk inherent in the data path between the touch IC and the secure CPU, in particular the risk that plaintext key-coordinate data related to the PIN is probed and stolen, and so protects the PIN and raises the security of the financial POS. Because the touch coordinate data produced by the touch IC is encrypted at the software layer, the physical protection around PIN input can be simplified: the product relies on logical protection by encryption and decryption, its physical design can be simplified accordingly (stronger software-layer protection reduces dependence on the physical layer), and the overall cost of security protection falls. Encrypting at the software layer also makes the POS far less sensitive to electrical interference and improves product reliability. In addition, the touch IC supports secure boot and secure program update, and the encryption and decryption key is used during PIN entry to verify that the touch IC is trusted, so an attacker cannot obtain the PIN by exchanging the touch module or altering the control program of the touch IC. The invention therefore systematically removes the risk of attack on the signal path (transmission lines, connectors and so on) between the touch screen and the secure CPU, solves the security problem of touch-screen PIN entry on a financial POS, and improves product security while reducing overall cost and improving reliability.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings needed for the description are introduced briefly below; they show only some embodiments of the invention, and a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the permissions and functions of the touch IC in the normal working mode, in the secure working mode, and when downloading or updating the touch application program in the secure working mode;
FIG. 2 is a schematic diagram of the connection of the touch IC to the touch screen and the secure CPU in this scheme;
FIG. 3 is a schematic flow chart of the PIN input method of this scheme;
FIG. 4 is a schematic diagram of the secure CPU transferring a key to the touch IC in the PIN input method of this embodiment;
FIG. 5 is a schematic diagram of the secure CPU sending a switching command to the touch IC in the PIN input method of this embodiment;
FIG. 6 is a schematic diagram of the touch IC encrypting the touch coordinate data together with a random number into a ciphertext and transmitting it to the secure CPU in the PIN input method of this embodiment;
FIG. 7 is a schematic diagram of the input system of this embodiment.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. The examples serve only to illustrate the invention and do not limit its scope. Likewise, the examples below are only some, not all, of the possible embodiments; all other embodiments that a person of ordinary skill in the art could obtain without inventive effort fall within the scope of the invention.
Referring to fig. 1, in this embodiment, a method for loading a working mode of a touch IC, where a memory and a serial interface are built in the touch IC, includes:
the touch IC is powered on or reset, the touch IC loads a common working mode or a safe working mode according to a preset mode, and when the touch IC is in the common working mode, the touch IC can be irreversibly switched into the safe working mode according to the preset mode; when the touch IC is in a safe working mode, the touch IC only continues to load the safe working mode when the touch IC is restarted to be powered on or reset.
When the touch IC is in a common working mode, the touch IC can update or download the touch application program through the serial interface and/or the debugging interface;
When the touch IC is in a safe working mode, an unsafe downloading interface and/or a debugging interface of the touch IC are closed, and the touch IC can update or download the touch application program only through a preset safe starting program.
For loading the working mode of the touch IC, this embodiment provides two schemes for switching the touch IC from the normal working mode to the secure working mode.
In the first scheme, the memory of the touch IC includes ROM memory, eFuse memory or OTP memory.
The normal working mode is loaded by a normal boot program built into the ROM. In the normal working mode, the touch IC either runs the touch application program through the normal boot program, or updates or downloads the touch application program through the serial interface or the debug interface. That is, the normal boot program can download the user's touch application program through the serial interface or the debug interface, and when a touch application program is already present and no download is needed, it runs that touch application program.
To switch modes, the touch IC, while in the normal working mode, loads a preset secure boot program and a public key through the normal boot program, configures the eFuse memory or OTP memory by instruction so as to close the debug interface and all download interfaces defined as non-secure, and adjusts the CPU start address used at power-on and reset so that it points to the entry of the secure boot program. The touch IC thereby enters the secure working mode, and whenever the financial POS is powered on or reset again, the touch IC continues to load only the secure working mode. Because the eFuse or OTP configuration is irreversible, the touch IC cannot be returned to the normal working mode after the switch.
In the secure working mode, each time the touch IC is powered on or reset it first runs the secure boot program; the normal boot program described above is skipped, and the debug interface and all non-secure download interfaces are unavailable. The touch IC can download or update the touch application program only through the secure boot program.
In the second scheme, the memory of the touch IC includes FLASH program memory, eFuse memory or OTP memory.
As an example, in this scheme a normal boot program is loaded into the FLASH program memory of the touch IC through a manufacturing test interface when the touch IC is manufactured and tested; after manufacturing test is complete, the manufacturing test interface and other debug interfaces are closed by configuring the eFuse memory or OTP memory.
The normal working mode is loaded by the normal boot program preset in the FLASH program memory: each time the touch IC is powered on or reset, it first runs this normal boot program. The normal boot program can download the user's touch application program through the serial interface, and when no download is needed it runs the touch application program. That is, in the normal working mode, the touch IC either runs the touch application program through the normal boot program or updates or downloads it through the serial interface.
To switch modes, the touch IC, while in the normal working mode, loads a preset agent program through the normal boot program (the download agent is loaded through the download interface provided by the normal boot program), then loads a secure boot program and a public key through the agent program, overwrites the normal boot program, configures the eFuse memory or OTP memory by instruction so as to close the debug interface and all serial and download interfaces defined as non-secure, and thereby enters the secure working mode; whenever the touch IC is powered on or reset again, it continues to load only the secure working mode.
After the switch to the secure working mode, each time the touch IC is powered on or reset it first runs the secure boot program (the normal boot program has been overwritten and no longer exists); the debug interface and all non-secure download interfaces are unavailable, and the touch IC can download or update the touch application program only through the secure boot program.
In this scheme, the touch IC verifies the integrity and legitimacy of the touch application program being run or updated in the secure working mode by means of a digest algorithm, a signature algorithm and the public key. When the touch IC is powered on and boots into the secure working mode, it also performs a self-check, so that illegal programs cannot be downloaded or updated into the touch IC and financial transaction security in the secure working mode is ensured.
As a preferred implementation, the digest algorithm in this scheme includes SHA2, SHA3 or SM3, and the signature algorithm includes SM2, ECC, ECSA, RSA or DSA.
With this working mode switching method, data interaction between the touch IC and the secure CPU becomes safer and more reliable. At the same time the touch IC achieves secure boot and secure update: only signed, legitimate programs can be updated through the communication interface between the secure CPU and the touch IC, and remote program updates can be performed through the remote communication interface of the financial POS. An attacker cannot load a Trojan horse or other attack tool to steal security information by downloading an illegal program.
The conventional financial POS uses a general touch IC, which is the same as a touch IC used in a smart phone, a tablet, etc., and forms coordinate data by monitoring a touch state and a position of a user, and transmits the coordinate data to a secure CPU in a plaintext manner.
To achieve ciphertext transmission and meet the PIN input security requirements of the financial POS, the touch IC is provided with a CPU or DSP core, storage, and an encryption/decryption module. Functions such as encryption key storage and encryption operations are implemented by a preset touch application program rather than by dedicated circuitry, which shortens the development cycle and cost of the touch IC, improves application flexibility, and reduces the cost of both the touch IC and the financial POS. When the chip leaves the factory, the touch IC is a general-purpose IC with a CPU or DSP core, storage and an encryption/decryption module, and it provides an interface for downloading and updating touch application programs. In practical use, each application manufacturer can design and load its own touch application program according to its requirements; the working mode of the touch IC in this state may be referred to as the normal working mode. To meet the PIN input security requirements of the financial POS, a mechanism that prevents illegal and malicious programs from being loaded is needed, so the touch IC must support a secure working mode. This scheme switches to the secure working mode through a security process, so that a touch IC application can either keep the normal working mode or switch to the secure working mode according to the actual application scenario.
The security process in this scheme is that the touch IC, while in the normal working mode, loads a secure boot program and a public key through its download interface, closes the debug interface and all non-secure download interfaces, and switches to the secure mode. The touch IC design may use any of several methods for this, such as providing a way to configure eFuse memory, OTP memory or Flash memory, or overwriting the normal boot program with the secure boot program.
Based on the foregoing, this embodiment further provides a PIN input method for a financial POS that includes the touch IC working mode loading method described above. As shown in fig. 2, the financial POS further includes a secure CPU and a touch screen, the secure CPU has a built-in random number generator, and after the financial POS is powered on, the touch IC loads the secure working mode. As shown in fig. 3, the PIN input method includes:
S01, the secure CPU generates a set of random numbers with its random number generator, designates them as Rdata_add0, and stores them in the memory of the secure CPU (see fig. 4); the random number serves both as scrambling data for the touch coordinate ciphertext and as identity verification data for the touch IC in the subsequent steps;
S02, the secure CPU issues a state switching control instruction so that the coordinate data subsequently transmitted by the touch IC is in ciphertext form, and at the same time transmits the random number Rdata_add0 to the touch IC (see fig. 5);
S03, the touch IC, in the secure working mode, performs touch detection on the touch screen to acquire the user's input and obtain touch coordinate data;
S04, the touch IC combines the touch coordinate data with the random number Rdata_add0 and encrypts them with the encryption key Key_xy and a symmetric key encryption algorithm to form a ciphertext, which it then transmits to the secure CPU (see fig. 6);
S05, the secure CPU receives the ciphertext and decrypts it with the decryption key Key_xy corresponding to the touch IC and the corresponding symmetric key decryption algorithm, obtaining a set of touch coordinate data and a set of random numbers Rdata_add1;
S06, the secure CPU checks whether the random number Rdata_add1 obtained in S05 is identical to the random number Rdata_add0 generated in S01. If they are identical, the touch IC is defined as a trusted object and the method proceeds to S07; if they differ, the touch IC is defined as an untrusted object and the financial POS transaction is ended. A touch IC defined as untrusted indicates a potential security hazard: the encryption key is wrong, which may mean that the touch IC has been replaced, putting the device at risk in financial transactions. In actual operation, when the touch IC is defined as untrusted, the financial POS stops performing payment transactions, and the merchant must have the financial POS repaired for security inspection and security reset;
S07, the secure CPU parses the touch coordinate data obtained in S05 into the corresponding input information and judges its content. If the input information points to a cancel instruction, the method proceeds to S08; if it points to a number key code, the secure CPU judges the current PIN length: when the length meets the preset requirement, the method proceeds to S08, and when it does not, the method jumps back to S03;
S08, the secure CPU cancels the input or obtains the PIN according to the digit information judged in S07.
As a preferred implementation, in S04 of this embodiment the touch IC encrypts the acquired touch coordinate data and transmits it to the secure CPU in real time.
In S04 of this scheme, the symmetric key encryption algorithm with which the touch IC combines and encrypts the touch coordinate data and the random number Rdata_add0 is AES, DES, 3DES or SM4.
When the coordinate data and the random number are combined and encrypted with a symmetric key encryption algorithm in S04, an important property of such an algorithm is that, for a given key, identical plaintext always produces identical ciphertext. When the number of possible plaintexts is small, the number of possible ciphertexts is equally small. The capacitive touch screen actually used by a financial POS is divided into a limited number of blocks horizontally and vertically, so the coordinate data generated by touches during PIN input has only a limited number of possible values; by collecting ciphertext data, generally from hundreds to thousands of samples, an attacker could build a lookup table matching touch positions to ciphertexts and mount a table lookup attack. In the invention, the scrambling data Rdata_add0 is added to the coordinate data before the touch IC encrypts it, and Rdata_add0 is regenerated by the secure CPU's random number generator for every PIN entry. If Rdata_add0 is 6 bytes, the number of possible plaintexts, and hence of possible ciphertexts, is multiplied by 2^48, which enlarges the ciphertext space so much that a table lookup attack becomes infeasible.
In addition, as a preferred embodiment, when the PIN length of the input information is judged in S07 of this embodiment and the PIN length corresponding to the input information is less than the preset length, the method jumps back to S03; the secure CPU retains the PIN digits obtained so far, merges them with the digits parsed from the touch IC's subsequent ciphertext transmissions, and judges the PIN length again until the length meets the requirement or the secure CPU exits on timeout.
As a preferred implementation, in S08 of this scheme, when PIN input is exited the secure CPU additionally issues a state switching control instruction so that the touch coordinate data subsequently transmitted by the touch IC is in plaintext form. In other words, when the user does not need to input a PIN, the secure CPU and the touch IC transmit touch coordinate data in plaintext, so that the response speed and performance of touch screen input such as electronic signatures are not affected.
In the PIN input method of the financial POS, the random number generated randomly is added as scrambling data in the touch coordinate encryption and decryption process, so that the quantity scale of ciphertext can be increased. Because the actual touch point number of the touch screen is small in scale, an attacker can perform table lookup attack by collecting ciphertext data and constructing a touch point and ciphertext comparison list. Under the condition that scrambling data is added, the number scale of ciphertext is enlarged, so that table lookup attack becomes impossible. Meanwhile, the security CPU checks the decrypted scrambled data to realize the trusted verification of the security CPU on the touch IC.
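The S01 to S08 exchange and the scrambling argument above, as an added example in Go that is not part of the patent or the applicant's firmware; Key_xy, the 3x4 keypad layout, the one-block report format and the use of AES-128 are assumptions made for the demo.

```go
// Added example, not the patent's code: a model of the S01-S08 PIN-entry
// exchange. Key_xy, the keypad and the report layout are constructed.
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const scrambleLen = 6 // Rdata_add0 is 6 bytes, as in the description's example

// keyXY stands in for Key_xy (constructed; a real device keeps it in the touch
// IC's key store and, wrapped by the root key, in the secure CPU).
var keyXY = []byte("constructed-key!") // 16 bytes -> AES-128

// TouchIC models the touch controller in secure working mode; rdata is the
// Rdata_add0 delivered with the S02 state-switching instruction.
type TouchIC struct{ key, rdata []byte }

// Report is S04: pack x:2|y:2|Rdata_add0:6|zero pad:6 into one AES block and
// encrypt it. Single-block encryption is deterministic, hence the scrambling bytes.
func (t *TouchIC) Report(x, y uint16) ([]byte, error) {
	blk, err := aes.NewCipher(t.key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint16(pt[0:], x)
	binary.BigEndian.PutUint16(pt[2:], y)
	copy(pt[4:], t.rdata)
	ct := make([]byte, aes.BlockSize)
	blk.Encrypt(ct, pt)
	return ct, nil
}

// SecureCPU models the secure core: random generator, Key_xy and PIN buffer.
type SecureCPU struct {
	key, rdata, pin []byte // rdata is Rdata_add0 held in secure-CPU memory (S01)
	pinLen          int
}

// BeginPINEntry is S01+S02: fresh scrambling data for every PIN entry.
func (s *SecureCPU) BeginPINEntry(ic *TouchIC) error {
	s.rdata = make([]byte, scrambleLen)
	if _, err := rand.Read(s.rdata); err != nil {
		return err
	}
	s.pin = s.pin[:0]
	ic.rdata = append([]byte(nil), s.rdata...)
	return nil
}

// keypadLookup maps a coordinate onto a constructed 3x4 keypad of 100x100 cells ('C' = cancel; one cell unused).
func keypadLookup(x, y uint16) (byte, bool) {
	keys := [4][3]byte{{'1', '2', '3'}, {'4', '5', '6'}, {'7', '8', '9'}, {'C', '0', 0}}
	col, row := int(x/100), int(y/100)
	if col >= 3 || row >= 4 || keys[row][col] == 0 {
		return 0, false
	}
	return keys[row][col], true
}

// Handle runs S05-S08 on one report: done=true means S08 was reached (PIN
// complete or cancelled); false means wait for the next touch (back to S03).
func (s *SecureCPU) Handle(ct []byte) (bool, error) {
	blk, err := aes.NewCipher(s.key)
	if err != nil || len(ct) != aes.BlockSize { // a plaintext x:2|y:2 report is refused here
		return false, errors.New("bad key or report is not one ciphertext block")
	}
	pt := make([]byte, aes.BlockSize) // S05: decrypt into coordinates and Rdata_add1
	blk.Decrypt(pt, ct)
	x, y := binary.BigEndian.Uint16(pt), binary.BigEndian.Uint16(pt[2:])
	if subtle.ConstantTimeCompare(pt[4:4+scrambleLen], s.rdata) != 1 { // S06: trust check
		s.pin = s.pin[:0]
		return false, errors.New("Rdata mismatch: touch IC untrusted, transaction ended")
	}
	key, ok := keypadLookup(x, y)
	if !ok {
		return false, nil // touch outside the keypad: keep waiting
	}
	if key == 'C' { // S08: cancel
		s.pin = s.pin[:0]
		return true, nil
	}
	s.pin = append(s.pin, key)         // S07: accumulate digits
	return len(s.pin) >= s.pinLen, nil // enough digits -> S08, else back to S03
}

func main() { // stand-alone smoke run; the assertions live in the test
	ic, cpu := &TouchIC{key: keyXY}, &SecureCPU{key: keyXY, pinLen: 4}
	_ = cpu.BeginPINEntry(ic) // fails only if the system RNG is unavailable
	ct, _ := ic.Report(150, 50) // key '2'
	done, err := cpu.Handle(ct)
	fmt.Printf("ct=%x done=%v err=%v pin=%s\n", ct, done, err, cpu.pin)
}
```

Note that the single-block format carries no MAC, so the S06 comparison of Rdata_add1 is the only integrity check, exactly as in the description.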
As an example, in this embodiment the touch IC implements touch detection and generates touch coordinate data, and includes a serial communication interface to the secure CPU, which may be IIC, SPI, UART or another interface; the touch IC further includes a CPU core, a storage module and an encryption/decryption module. Specifically, the touch IC supports symmetric key encryption and decryption algorithms including but not limited to AES, DES, 3DES and SM4, encrypts the coordinate data with one of them to form ciphertext, and transmits the coordinate data as that ciphertext. The touch IC also supports key storage: the encryption and decryption keys for the touch coordinate data can be written into the touch IC by control instructions, are not allowed to be read out, and are retained across power loss. The touch IC further supports secure boot and secure update, digest algorithms including but not limited to SHA2, SHA3 and SM3, and signature algorithms including but not limited to SM2, ECC, ECSA, RSA and DSA, and verifies the integrity and legitimacy of the touch application program being run or updated with one of these digest algorithms and one of these signature algorithms.
As an example, in this scheme the secure CPU is the security core of the financial POS and processes sensitive information related to secure payment, such as the PIN, payment transaction keys and account data. The secure CPU has a built-in encryption/decryption module that supports at least one symmetric key algorithm such as AES, DES, 3DES or SM4, compatible with an encryption algorithm supported by the touch IC. The secure CPU also has a built-in random number generator; during secure initialization or secure reset, this generator is used to produce a root key and the encryption/decryption key for the touch coordinate data. The root key is stored in the secure memory of the secure CPU and is destroyed by the secure CPU's intrusion response; the other payment transaction keys and the encryption/decryption keys are encrypted with the root key and stored in ciphertext in the nonvolatile memory of the secure CPU. The plaintext of the key used to encrypt and decrypt touch coordinate data is recovered by decrypting with the root key only when it is used, and is cleared afterwards.
As shown in fig. 7, based on the foregoing, the present embodiment further provides a financial POS information input system, which is loaded with the PIN input method of the foregoing financial POS, where the system includes:
the touch IC is used for receiving a working instruction, and loading a safe working mode when the touch IC is powered on or reset, wherein when the touch IC is in the safe working mode, an unsafe downloading interface and/or a debugging interface of the touch IC are closed, and the touch IC can update or download a touch application program only through a preset safe starting program; the touch IC is also internally provided with a memory, wherein the memory comprises a ROM memory, a FLASH program memory, an eFuse memory or an OTP memory and is used for storing a common starting program and/or a safe starting program and a touch application program required by the touch IC loading working mode;
The touch screen is connected with the touch IC and used for collecting touch information, and the collected touch information is transmitted to the touch IC for detection;
the security CPU is used for controlling the data transmission form of the touch IC, transmitting the detected touch coordinate data through a plaintext or ciphertext, and analyzing and judging the information containing the touch coordinate data transmitted by the touch IC so as to obtain the PIN meeting the requirements.
The aforementioned financial POS information input system may further include other components for maintaining operation of other additional functions, such as a button component or other electronic components, etc., when actually applied to a financial POS, which are all prior art and will not be described herein.
As an extension example, in this solution, the system may further include a display screen and an application CPU, where the application CPU may be communicatively connected to the security CPU and the touch IC, and the display screen is communicatively connected to the application CPU.
The foregoing description is only a partial embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent devices or equivalent processes using the descriptions and the drawings of the present invention or directly or indirectly applied to other related technical fields are included in the scope of the present invention.

Claims (10)

1. The method for loading the working mode of the touch IC is characterized by comprising the following steps of:
the touch IC is powered on or reset, the touch IC loads a common working mode or a safe working mode according to a preset mode, and when the touch IC is in the common working mode, the touch IC can be irreversibly switched into the safe working mode according to the preset mode; when the touch IC is in a safe working mode, the touch IC only continues to load the safe working mode when the touch IC is restarted to be powered on or reset;
when the touch IC is in a common working mode, the touch IC can update or download the touch application program through the serial interface and/or the debugging interface;
when the touch IC is in a safe working mode, an unsafe downloading interface and/or a debugging interface of the touch IC are closed, and the touch IC can update or download the touch application program only through a preset safe starting program.
2. The method for loading a touch IC operation mode according to claim 1, wherein the memory comprises: ROM memory, eFuse memory, or OTP memory;
the normal working mode is loaded by a normal starting program built in the ROM;
In a common working mode, the touch IC runs a touch application program through a common starting program or updates or downloads the touch application program by using a serial interface or a debugging interface;
in the normal working mode, the touch IC loads a preset safe starting program and a public key through a normal starting program, utilizes an instruction to configure an eFuse memory or an OTP memory, closes a debugging interface and all the downloading interfaces defined as unsafe, simultaneously adjusts the starting addresses of CPU programs for powering on and resetting of the touch IC to lead the CPU programs to point to an entrance of the safe starting program, and enables the touch IC to enter the safe working mode, and simultaneously, when the touch IC is powered on or reset again, the touch IC only continues to load the safe working mode.
3. The method for loading a touch IC operation mode according to claim 1, wherein the memory comprises: FLASH program memory, eFuse memory, or OTP memory;
the normal working mode is loaded by a normal starting program preset in a FLASH program memory;
in a common working mode, the touch IC runs a touch application program through a common starting program or updates or downloads the touch application program by utilizing a serial interface;
And under the normal working mode, the touch IC loads a preset agent program through a normal starting program, then loads a safe starting program and a public key through the agent program, covers the normal starting program, configures an eFuse memory or an OTP memory by utilizing an instruction, closes a debugging interface and all downloading interfaces defined as unsafe, enables the touch IC to enter a safe working mode, and only continues to load the safe working mode when the touch IC is restarted to be powered on or reset.
4. A method for loading a touch IC operating mode according to any one of claims 1 to 3, wherein the touch IC performs integrity and validity verification on the running or updated touch application by using a digest algorithm, a signature algorithm and a public key in a secure operating mode; and when the touch IC is powered on and started to a safe working mode, the touch IC also performs self-checking so as to ensure that illegal programs cannot be downloaded or updated into the touch IC.
5. The method for loading a touch IC operation mode as claimed in claim 4, wherein the digest algorithm comprises SHA2, SHA3 or SM3; the signature algorithm includes SM2, ECC, ECSA, RSA or DSA.
6. A PIN input method of a financial POS, which is characterized in that the PIN input method includes a touch IC operation mode loading method according to one of claims 1 to 5, the financial POS further includes a secure CPU and a touch screen, the secure CPU is internally provided with a random number generator, wherein after the financial POS is powered on and started, the touch IC loads the secure operation mode, the PIN input method includes:
S01, the secure CPU generates a set of random numbers with its random number generator, designates them as Rdata_add0, and stores them in the memory of the secure CPU;
S02, the secure CPU issues a state switching control instruction so that the coordinate data subsequently transmitted by the touch IC is in ciphertext form, and at the same time transmits the random number Rdata_add0 to the touch IC;
S03, the touch IC, in the secure working mode, performs touch detection on the touch screen to acquire the user's touch state and position and obtain touch coordinate data;
S04, the touch IC combines the touch coordinate data with the random number Rdata_add0 and encrypts them with the encryption key Key_xy and a symmetric key encryption algorithm to form a ciphertext, which it then transmits to the secure CPU;
S05, the secure CPU receives the ciphertext and decrypts it with the decryption key Key_xy corresponding to the touch IC and the corresponding symmetric key decryption algorithm, obtaining a set of touch coordinate data and a set of random numbers Rdata_add1;
S06, the secure CPU checks whether the random number Rdata_add1 obtained in S05 is identical to the random number Rdata_add0 generated in S01; if they are identical, the touch IC is defined as a trusted object and the method proceeds to S07, and if they differ, the touch IC is defined as an untrusted object and the financial POS transaction is ended;
S07, the secure CPU parses the touch coordinate data obtained in S05 into the corresponding input information and judges its content; when the input information points to a cancel instruction, the method proceeds to S08; when it points to a number key code, the secure CPU judges the current PIN length, and when the length meets the preset requirement the method proceeds to S08, otherwise it jumps back to S03;
S08, the secure CPU cancels the input or obtains the PIN according to the digit information judged in S07.
7. The PIN input method of a financial POS according to claim 6, wherein in S04 the touch IC encrypts the acquired touch coordinate data and transmits it to the secure CPU in real time; and in S07, when the PIN length of the input information is judged and the PIN length corresponding to the input information is less than the preset length, the method jumps back to S03, the secure CPU retains the PIN digits corresponding to the input information, merges them with the PIN digits parsed from the touch IC's subsequent ciphertext transmissions, and judges the PIN length again until the length meets the requirement or the secure CPU exits on timeout.
8. The method of claim 6, wherein in S08, when the PIN input is exited, the secure CPU further generates a state switching control command to enable the touch coordinate data transmitted by the touch IC subsequently to be in a plaintext form.
9. The method of claim 6, wherein the symmetric key encryption algorithm used by the touch IC to combine and encrypt the touch coordinate data and the random number rdata_add0 is AES, DES, 3DES or SM4.
10. A financial POS information input system loaded with the PIN input method of a financial POS as defined in any one of claims 6 to 9, said system comprising:
the touch IC is used for receiving a working instruction, and loading a safe working mode when the touch IC is powered on or reset, wherein when the touch IC is in the safe working mode, the unsafe downloading interface and/or the debugging interface are closed, and the touch IC can update or download a touch application program only through a preset safe starting program; the touch IC is also internally provided with a memory, and the memory comprises a ROM memory, a FLASH program memory, an eFuse memory or an OTP memory, which is used for storing a safe starting program and a touch application program required by the touch IC loading working mode;
the touch screen is connected with the touch IC and used for collecting touch information, and the collected touch information is transmitted to the touch IC for detection;
the security CPU is used for controlling the data transmission form of the touch IC, transmitting the detected touch coordinate data through a plaintext or ciphertext, and analyzing and judging the information containing the touch coordinate data transmitted by the touch IC so as to obtain the PIN meeting the requirements.
CN202311478175.9A 2023-11-07 2023-11-07 Touch IC working mode loading method, PIN input method and input system Pending CN117473529A (en)

Publications (1)

Publication Number Publication Date
CN117473529A true CN117473529A (en) 2024-01-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination