Intelligent card secure communication method

US 9,253,162 B2
Filed: 01/07/2014
Issued: 02/02/2016
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method for safe communication of a smart card comprising:

S1 comprising powering up the smart card;

S2 comprising setting a security identifier and a security variate;

S3 comprising waiting for receiving a command and determining a type of a received command;

setting an authentication method identifier as an external authentication identifier or a mutual authentication identifier, setting an authentication identifier of a certificate, obtaining an RSA public key reference and an RSA private key reference, setting a security environment management identifier, going back to step S3 if the received command is a first command;

determining whether both the security environment management identifier and the authentication identifier of the certificate are set if the received command is a second command, authenticating the certificate, setting the authentication identifier and going back to S3 if both the security environment management identifier and the authentication identifier of the certificate are set;

reporting an error and going back to S2 if the security environment management identifier and the authentication identifier of the certificate are not both set;

determining whether the authentication identifier of the certificate is set if the received command is a third command, sending the certificate to an external device of the smart card and going back to S3 if the authentication identifier of the certificate is set;

reporting an error and returning to S2 if the authentication identifier of the certificate is not set;

if the received command is a fourth command, going to S4;

if the received command is a fifth command, going to S5;

if the received command is a sixth command, going to S6;

if the received command is a seventh command, going to S7;

determining whether the command meets a preset condition if the command is one of other commands, authenticating the command according to a safe level and a session key if the command meets the preset condition;

performing corresponding operation after a successful authentication, going back to S3;

otherwise, reporting an error if the command does not meet the preset condition;

S4 comprising determining whether a condition that the security environment management identifier is not set and the authentication identifier of the certificate is set is met;

reporting an error and going back to S2 if the condition is met;

decrypting the fourth command via a public key referenced by the RSA public key reference to obtain a decryption result;

obtaining a TLV structure with a safe level from the decryption result, storing the safe level, establishing a session key, storing the session key, setting signature information and setting a session key establishing identifier, going back to S3;

S5 comprising determining whether the session key establishment identifier is set, generating a first random number, storing the first random number and sending the first random number to the external device of the smart card and setting an obtaining random number identifier if the session key establishment identifier is set;

going back to S3;

reporting an error and going back to S2 if the session key establishment identifier is not set;

S6 comprising determining whether the obtaining random number identifier is set, reporting an error and going back to step S2 if the obtaining random number identifier is not set;

constructing a first data block containing the TLV structure with safe level, the session key, the first random number, performing an operation on the first data block with a first algorithm to obtain a first calculation result, constructing a second block data containing the first calculation result and the first algorithm, reading a signature result of the external device of the smart card in the sixth command, authenticating the signature result via a public key referenced by the RSA public key reference and the second data block;

setting an external authentication identifier if the authentication is successful, determining whether an authentication method identifier is the external authentication identifier, setting the mutual authentication identifier if the authentication method identifier is the external authentication identifier, going back to S3;

going back to S3 if the authentication method identifier is not the external authentication identifier;

reporting error and going back to S2 if the authentication is not successful;

S7 comprising obtaining a second random number from the seventh command, storing the second random number, determining whether a condition that the authentication method identifier is the external authentication identifier and the external authentication identifier is set is met, constructing a third data block containing the session key and the second random number if the condition that the authentication method identifier is the external authentication identifier and the external authentication identifier is set is met, performing an operation on the third data block via the first algorithm to obtain a second calculation result;

constructing a fourth data block containing the second calculation result and the first algorithm;

encrypting the fourth data block via a private key referenced by the RSA private key reference to obtain an encryption result, wherein the obtained encryption result is a first signature result, sending the first signature result to the external device of the smart card, setting the mutual authentication identifier, clearing the first random number and the second random number, going back to S3;

going back to S2 if the condition that the authentication method identifier is the external authentication identifier and the external authentication identifier is set is not met.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the field of information security. Disclosed is an intelligent card secure communication method, capable of preventing the communication data from being monitored or intercepted. The method of the present invention provides a card with a definitely secure communication mechanism, initiates a session for the two communication parties to authenticate each other, and to check the identification legitimacy of the other party and the integrity of communication data, and provides a security constraint for subsequent communication, thus improving communication security.

Citations

11 Claims

1. A method for safe communication of a smart card comprising:
- S1 comprising powering up the smart card;
  
  S2 comprising setting a security identifier and a security variate;
  
  S3 comprising waiting for receiving a command and determining a type of a received command;
  
  setting an authentication method identifier as an external authentication identifier or a mutual authentication identifier, setting an authentication identifier of a certificate, obtaining an RSA public key reference and an RSA private key reference, setting a security environment management identifier, going back to step S3 if the received command is a first command;
  
  determining whether both the security environment management identifier and the authentication identifier of the certificate are set if the received command is a second command, authenticating the certificate, setting the authentication identifier and going back to S3 if both the security environment management identifier and the authentication identifier of the certificate are set;
  
  reporting an error and going back to S2 if the security environment management identifier and the authentication identifier of the certificate are not both set;
  
  determining whether the authentication identifier of the certificate is set if the received command is a third command, sending the certificate to an external device of the smart card and going back to S3 if the authentication identifier of the certificate is set;
  
  reporting an error and returning to S2 if the authentication identifier of the certificate is not set;
  
  if the received command is a fourth command, going to S4;
  
  if the received command is a fifth command, going to S5;
  
  if the received command is a sixth command, going to S6;
  
  if the received command is a seventh command, going to S7;
  
  determining whether the command meets a preset condition if the command is one of other commands, authenticating the command according to a safe level and a session key if the command meets the preset condition;
  
  performing corresponding operation after a successful authentication, going back to S3;
  
  otherwise, reporting an error if the command does not meet the preset condition;
  
  S4 comprising determining whether a condition that the security environment management identifier is not set and the authentication identifier of the certificate is set is met;
  
  reporting an error and going back to S2 if the condition is met;
  
  decrypting the fourth command via a public key referenced by the RSA public key reference to obtain a decryption result;
  
  obtaining a TLV structure with a safe level from the decryption result, storing the safe level, establishing a session key, storing the session key, setting signature information and setting a session key establishing identifier, going back to S3;
  
  S5 comprising determining whether the session key establishment identifier is set, generating a first random number, storing the first random number and sending the first random number to the external device of the smart card and setting an obtaining random number identifier if the session key establishment identifier is set;
  
  going back to S3;
  
  reporting an error and going back to S2 if the session key establishment identifier is not set;
  
  S6 comprising determining whether the obtaining random number identifier is set, reporting an error and going back to step S2 if the obtaining random number identifier is not set;
  
  constructing a first data block containing the TLV structure with safe level, the session key, the first random number, performing an operation on the first data block with a first algorithm to obtain a first calculation result, constructing a second block data containing the first calculation result and the first algorithm, reading a signature result of the external device of the smart card in the sixth command, authenticating the signature result via a public key referenced by the RSA public key reference and the second data block;
  
  setting an external authentication identifier if the authentication is successful, determining whether an authentication method identifier is the external authentication identifier, setting the mutual authentication identifier if the authentication method identifier is the external authentication identifier, going back to S3;
  
  going back to S3 if the authentication method identifier is not the external authentication identifier;
  
  reporting error and going back to S2 if the authentication is not successful;
  
  S7 comprising obtaining a second random number from the seventh command, storing the second random number, determining whether a condition that the authentication method identifier is the external authentication identifier and the external authentication identifier is set is met, constructing a third data block containing the session key and the second random number if the condition that the authentication method identifier is the external authentication identifier and the external authentication identifier is set is met, performing an operation on the third data block via the first algorithm to obtain a second calculation result;
  
  constructing a fourth data block containing the second calculation result and the first algorithm;
  
  encrypting the fourth data block via a private key referenced by the RSA private key reference to obtain an encryption result, wherein the obtained encryption result is a first signature result, sending the first signature result to the external device of the smart card, setting the mutual authentication identifier, clearing the first random number and the second random number, going back to S3;
  
  going back to S2 if the condition that the authentication method identifier is the external authentication identifier and the external authentication identifier is set is not met.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, whereinsetting the security identifier comprises:
    - resetting the security environment management identifier, setting the session security identifier being without a safe level, resetting the authentication identifier of the certificate, resetting the obtaining random number identifier, resetting the session key establishment identifier, resetting the external authentication identifier and resetting the mutual authentication identifier,setting the security variate comprises;
      
      setting the RSA public key reference as a default RSA public key reference;
      
      setting the RSA private key reference as a default RSA private key reference;
      
      setting the first session key, the second session key, the third session key, the fourth session key and the fifth session key as a default value respectively.
  - 3. The method of claim 1, whereinsetting an authentication method identifier as an external authentication identifier or a mutual authentication identifier comprises:
    - setting the authentication method identifier as an external authentication identifier if a value of a first preset byte of the first command is a first preset value;
      
      setting the authentication method identifier as a mutual authentication identifier if the value of the first preset byte of the first command is a second preset value;
      
      setting an authentication identifier of a certificate comprises;
      
      resetting the authentication identifier of the certificate if a value of a third preset byte of the first command is a third preset value;
      
      setting authentication identifier of the certificate if the value of the third preset byte of the first command is a fourth preset value;
      
      obtaining an RSA public key reference and an RSA private key reference comprises;
      
      step a1 comprising determining whether a first TLV structure in a data field of the first command is a first preset structure;
      
      going to step a2 if the first TLV structure in the data field of the first command is the first preset structure;
      
      otherwise, reporting an error and going back to S2;
      
      step a2 comprising determining whether there is a TLV structure being a second preset structure in the data field;
      
      obtaining and storing the RSA public key reference if there is a TLV structure being a second preset structure in the data field;
      
      reporting an error and going back S2 if there is not a TLV structure being a second preset structure in the data field;
      
      step a3 comprising determining whether there is a TLV structure being a third preset structure in the data field;
      
      obtaining and storing RSA private key reference if there is a TLV structure being a third preset structure in the data field;
      
      reporting an error and going back to S2 if there is not a TLV structure being a third preset structure in the data field.
  - 4. The method of claim 3, wherein,obtaining and storing the RSA public key reference comprises:
    - obtaining the last two bytes of a first structure value and storing the last two bytes as the RSA public key reference if a value of the second preset structure is the first structure value;
      
      using the default RSA public key reference by the card if the value of the second preset structure is a second structure value;
      
      obtaining and storing the RSA private key reference comprises;
      
      obtaining the last two bytes of a third structure value and storing the last two bytes as the RSA private key reference if a value of a third preset structure is the third structure;
      
      using the default RSA private key reference by the card if the value of the third preset structure is a fourth structure.
  - 5. The method of claim 1, whereinafter determining whether both the security environment management identifier and the authentication identifier of the certificate are set, the method further comprises:
    - determining whether the second command meets a first condition, using a public key authentication certificate referenced by the RSA public key reference to determine whether there is a certificate required to be authenticated if the second command meets the first condition, going back to S2 if there is a certificate required to be authenticated or setting the authentication identifier of the certificate if there is not a certificate required to be authenticated and going back to S3;
      
      reporting an error and going back to S2 if the second command does not meet the first condition.
  - 6. The method of claim 5, whereinthat the second command meets the first condition comprises:
    - a value of a specified part of the second command equals to a fifth preset value;
      
      determining whether there is a certificate required to be authenticated comprises;
      
      there is not a certification required to be authenticated if a value of a fifth bit of a first byte of the second command is a ninth preset value;
      
      there is a certificate required to be authenticated if the value of the fifth bit of the first byte of the second command is not the ninth preset value.
  - 7. The method of claim 1, whereinbefore decrypting the fourth command via the public key referenced by the RSA public key reference, the method further comprises:
    - determining whether a length of a data field of the fourth command equals to a modular length of the public key referenced by the RSA public key reference, decrypting the fourth command with the public key referenced by the RSA public key reference if the length of the data field of the fourth command equals to the modular length of the public key referenced by the RSA public key reference;
      
      otherwise, reporting an error and going back to S3;
      
      after storing the safe level and before establishing the session key, the method further comprises;
      
      determining whether the session key can be established, establishing session key if the session key can be established;
      
      otherwise, reporting an error and going back to S3.
  - 8. The method of claim 7, wherein determining whether the session key can be established comprises:
    - determining whether a condition that a value of a general tag of a control reference template equals to a seventh preset value, and there is a first TLV structure and a second TLV structure, the length of which equals to a first preset length, in the control reference template is met, the session key can be established if the condition is met;
      
      the session key cannot be established if the condition is not met;
      
      wherein the seventh preset value is a first tag or a second tag;
      
      establishing the session key comprises;
      
      in the case that the value of the general tag of the control reference template is a first tag,if a Value in the TLV structure with a TAG being 95 is a first value, establishing a first session key;
      
      if the Value in the TLV structure with the TAG being 95 is a second value, establishing a second session key; and
      
      if the Value in the TLV structure with the TAG being 95 is a third value, establishing the first session key and the second session key;
      
      in the case that the value of the general tag of the control reference template is a second tag,if the Value in the TLV structure with the TAG being 95 is a first value, establishing a third session key;
      
      if the Value in the TLV structure with the TAG being 95 is a second value, establishing a fourth session key;
      
      if the Value in the TLV structure with the TAG being 95 is a third value, establishing the third session key and the fourth session key; and
      
      if the Value in the TLV structure with the TAG being 95 is a fourth value, establishing a fifth session key;
      
      after storing the session key and before setting signature information, the method further comprises;
      
      determining whether the signature information is required to be set, setting signature if the signature information is required to be set;
      
      reporting an error and going back to S2 if the signature information is not required to be set.
  - 9. The method of claim 8, whereindetermining whether the session key can be established comprises:
    - determining whether the condition that the value of the general tag of the control reference template equals to the seventh preset value and there is the first TLV structure and the second TLV structure, the length of which equals to the first preset length, in the control reference template is met, the session key can be established if the condition is met;
      
      otherwise, the session key can not be established;
      
      determining whether the signature information is required to be set comprises;
      
      determining whether there is a third TLV structure in the control reference template, wherein a value of TAG of third TLV structure equals to an eighth preset value and a length of TAG of third TLV structure equals to an second preset length;
      
      the signature information being required to be set if there is a third TLV structure in the control reference template;
      
      otherwise, the signature information not being required to be set.
  - 10. The method of claim 1, wherein S4-S7 are replaced by S4′
    - -S7′
      
      ,S4′
      
      , reporting an error and going back to S2;
      
      S5′
      
      , determining whether a condition that the security environment management identifier is not set and the authentication identifier of the certificate is set is met, reporting an error if the condition is met, going back to S2;
      
      otherwise, generating a first random number, storing the first random number and sending the first random number to an external device of the smart card and setting an obtaining random number identifier, going back to S3;
      
      S6′
      
      , determining whether a condition that the obtaining random number identifier is set, and a decryption result obtained by decrypting the data field of the sixth command with the public key referenced by the RSA public key reference is successfully authenticated is met, reporting an error and going back to S2 if the condition is not met;
      
      if the condition is met, obtaining a safe level from the decryption result and generating card confidential data, determining whether a control reference template of the decryption result meets a preset requirement, obtaining and storing confidential data of the external device of the smart card if the control reference template meets the preset requirement, generating a session key according to the card confidential data and the confidential data of the external device, generating signature information according to a specified byte of the confidential data of the external device and a specified byte of the card confidential data, setting a session key establishment identifier and setting an obtaining random number identifier;
      
      reporting an error and going back to S2 if the control reference template does not meet the preset requirement; and
      
      S7′
      
      , obtaining the second random number from the seventh command, storing the second random number and determining whether a condition that the session key establishment identifier is set and the obtaining random number identifier is set is met, going back to S2 if the condition is not met;
      
      if the condition is met, obtaining a data field of the seventh command from the seventh command, constructing a third data block containing the card confidential data and the data field of the seventh command, performing operation on the third data block via the first algorithm to obtain an operation result, wherein the operation result is a second calculation result;
      
      constructing a fourth data block containing the card confidential data and the second calculation result;
      
      encrypting the fourth block via the private key referenced by the RSA private key reference to obtain an encryption result, wherein the encryption result is a first signature result;
      
      sending the first signature result to the external device of the smart card, setting the mutual authentication identifier, clearing the first random number and the second random number, going back to S3.
  - 11. The method of claim 10, whereingenerating a session key according to the card confidential data and the confidential data of the external device comprisesperforming an exclusive OR operation on the confidential data of the external device and the card confidential data to obtain an exclusive OR operation result;
    - setting a corresponding counting number according to a type of the session key required to be generated, splicing the exclusive operation result and the counting number orderly, performing an operation on an splicing result via a first algorithm to obtain a third calculation result, obtaining a preset byte data from the third calculation result and storing the preset byte data as the session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Feitian Technologies Company Limited
Original Assignee
Feitian Technologies Company Limited
Inventors
Lu, Zhou, Yu, Huazhang
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US14/436,256
Publication Number

US 20150350164A1
Time in Patent Office

756 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 9/0869   involving random numbers or...

H04L 9/3263   involving certificates, e.g...

Intelligent card secure communication method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent card secure communication method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links