Summary of the invention
The technical problem to be solved by this invention is to provide an intelligent memory card and a data security control system and method that enable safe and effective data communication between the intelligent memory card and a card access device.
To solve the above technical problem, the present invention first provides an intelligent memory card comprising a storage medium and a USB interface module, wherein the storage space of the storage medium is divided into different spaces comprising at least a confidential data area and a mass storage area; the mass storage area uses a file system of a standard format, and the file system of the confidential data area holds smart-card-related files. The disk size parameter configured in the USB interface module matches the access boundary of the mass storage area, and the USB interface module has a sector mapping unit for uniformly mapping the different sectors covered by the confidential data area and the mass storage area to the storage sectors of the card access device.
The present invention further provides an intelligent memory card data security access system comprising an intelligent memory card and a card access device. The intelligent memory card comprises a storage medium and a USB interface module and is connected to the card access device through a USB adapter, wherein the storage space of the storage medium is divided into different spaces comprising at least a confidential data area and a mass storage area; the mass storage area uses a file system of a standard format, and the file system of the confidential data area holds smart-card-related files. The disk size parameter set in the USB interface module matches the access boundary of the mass storage area, and the USB interface module has a sector mapping unit for uniformly mapping the different sectors covered by the confidential data area and the mass storage area to the storage sectors of the card access device.
The card access device further comprises a confidential data operation module, which operates on storage sectors of the card access device, uses a file system of the same format as the confidential data area of the intelligent memory card, and establishes a mapping relationship with the storage sectors of the confidential data area of the intelligent memory card through the sector mapping unit of the USB interface module.
The file system of the standard format is a FAT, NTFS or EXT file system.
The smart-card-related files are files conforming to the ISO/IEC 7816 standard, comprising a master file MF, dedicated files DF and elementary files EF.
The intelligent memory card further comprises a secure access control module for monitoring access to the files in the confidential data area and judging, from the access conditions of a file, whether an access to that file has the corresponding authority.
The present invention also provides an intelligent memory card data security control method, in which the intelligent memory card comprises a storage medium and a USB interface module and is connected to a card access device through a USB adapter. The method comprises the following steps:
(1) dividing the storage space of the intelligent memory card into different spaces comprising at least a confidential data area and a mass storage area, the mass storage area using a file system of a standard format, and creating smart-card-related files in the file system of the confidential data area;
(2) setting the disk size parameter in the USB interface module according to the access boundary of the mass storage area, so that the disk size parameter matches the access boundary of the mass storage area;
(3) establishing a sector mapping unit in the USB interface module, which uniformly maps the different sectors covered by the confidential data area and the mass storage area to the storage sectors of the card access device.
The method may further include the step of establishing a confidential data operation module in the card access device; the confidential data operation module operates on storage sectors of the card access device, uses a file system of the same format as the confidential data area of the intelligent memory card, and establishes a mapping relationship with the storage sectors of the confidential data area of the intelligent memory card through the sector mapping unit of the USB interface module.
The method may further include the step of establishing a secure access control module in the intelligent memory card, which monitors access to the files in the confidential data area and judges, from the access conditions of a file, whether an access to that file has the corresponding authority.
Through the mapping relationship, the confidential data operation module edits, adds, deletes or backs up the data in the confidential data area of the intelligent memory card.
When the confidential data operation module exports a file from the confidential data area of the intelligent memory card through the mapping relationship, the file name and path name used inside the smart card are masked.
After the confidential data operation module has confirmed through initialization that the intelligent memory card is connected, the method further comprises the step of calling, on the card access device, the file system dynamic library whose file format is the same as that of the confidential data area of the intelligent memory card, and operating on the files in the confidential data area through the USB interface module of the intelligent memory card.
Alternatively, after the confidential data operation module has confirmed through initialization that the intelligent memory card is connected, the method further comprises the steps of:
A) the secure access control module in the intelligent memory card judges whether the confidential data operation module's access to a file in the confidential data area satisfies the access conditions of that file, and thereby determines whether it has the corresponding access rights;
B) if the confidential data operation module has the corresponding access rights, it calls, on the card access device, the file system dynamic library whose file format is the same as that of the confidential data area of the intelligent memory card, and operates on the files in the confidential data area through the USB interface module of the intelligent memory card; if the confidential data operation module does not have the corresponding access rights, it cannot operate on the files in the confidential data area of the intelligent memory card.
The invention solves the data security problem that arises when smart card data and mass storage data share one storage medium and data is exchanged with a card access device over a USB/SD/MMC interface. It provides a solution that allows access to the mass storage data while protecting the smart card data, and that also allows the smart card data to be backed up and edited, thereby offering the end user a valuable and competitive new type of secure intelligent memory card.
Embodiment
The running environment of the intelligent memory card of the present invention is a multitasking, multi-application platform based on an RTOS (real-time operating system); the card also contains a file system module and the corresponding flash sector operation interface. The environment is shown in Figure 1, in which the USB interface calls the USB driver through task scheduling to read and write the underlying flash.
To make the data stored on the intelligent memory card general-purpose and easy to use, the intelligent memory card provided by the embodiments of the invention comprises a storage medium and a USB interface module. The storage space of the storage medium is divided into different spaces comprising at least a confidential data area and a mass storage area; the mass storage area uses a file system of a standard format, and the file system of the confidential data area holds smart-card-related files. The disk size parameter set in the USB interface module matches the access boundary of the mass storage area, and the USB interface module has a sector mapping unit for uniformly mapping the different sectors covered by the confidential data area and the mass storage area to the storage sectors of the access terminal. The intelligent memory card can thus be used as a general-purpose storage device while also offering the user a certain non-visible space (outside the mass storage space) in which to keep important data.
Preferably, the file system of the standard format is, for example, a FAT (File Allocation Table), NTFS (New Technology File System) or EXT (Extended File System) file system. The smart-card-related files are files conforming to the ISO/IEC standard, comprising a master file MF, dedicated files DF and elementary files EF.
Preferably, the intelligent memory card may further include a secure access control module for monitoring access to the files in the confidential data area and judging, from the access conditions of a file, whether an access to that file has the corresponding authority.
Figure 2 shows the application system formed by the intelligent memory card of the present invention and a personal computer (PC). The embodiment comprises an intelligent memory card 10 and a personal computer 20. The intelligent memory card comprises a storage medium and a USB interface module and is connected to the personal computer through a USB adapter; the storage space of the storage medium is divided into a system file area, a mass storage area, a user confidential data area, and so on. The disk size parameter set in the USB interface module matches the access boundary of the mass storage area, and the USB interface module has a sector mapping unit for uniformly mapping the different sectors covered by the confidential data area and the mass storage area to the storage sectors of the personal computer.
Preferably, the personal computer 20 further comprises a confidential data operation module 201, which operates on storage sectors of the personal computer, uses a file system of the same format as the confidential data area of the intelligent memory card, and establishes a mapping relationship with the storage sectors of the confidential data area of the intelligent memory card through the sector mapping unit of the USB interface module.
Preferably, the mass storage area of the intelligent memory card uses a file system of the same standard format as the personal computer, including a FAT, NTFS or EXT file system; the smart-card-related files are files conforming to the ISO/IEC standard, comprising a master file MF, dedicated files DF and elementary files EF.
Preferably, the intelligent memory card further comprises a secure access control module for monitoring access to the files in the confidential data area and judging, from the access conditions of a file, whether an access to that file has the corresponding authority.
Figure 3 is a schematic flow chart of the intelligent memory card data security access method of the present invention. The intelligent memory card comprises a storage medium and a USB interface module and is connected to a personal computer through a USB adapter. The method comprises the following steps:
(301) dividing the storage space of the memory device into different spaces comprising at least a confidential data area and a mass storage area, the mass storage area using a file system of a standard format, and creating smart-card-related files in the file system of the confidential data area;
(302) setting the disk size parameter in the USB interface module according to the access boundary of the mass storage area, so that the disk size parameter matches the access boundary of the mass storage area;
(303) establishing a sector mapping unit in the USB interface module, which uniformly maps the different storage sectors covered by the confidential data area and the mass storage area to the storage sectors of the personal computer.
Preferably, the method may further include the step of establishing a confidential data operation module in the personal computer; the confidential data operation module operates on storage sectors of the personal computer, uses a file system of the same format as the confidential data area of the intelligent memory card, and establishes a mapping relationship with the storage sectors of the confidential data area of the intelligent memory card through the sector mapping unit of the USB interface module.
Preferably, the mass storage area of the intelligent memory card uses a file system of the same standard format as the personal computer, for example a FAT, NTFS or EXT file system, and the smart-card-related files are files conforming to the ISO/IEC 7816 standard, comprising a master file MF, dedicated files DF and elementary files EF.
Preferably, the method may further include the step of establishing a secure access control module in the intelligent memory card, which monitors access to the files in the confidential data area and judges, from the access conditions of a file, whether an access to that file has the corresponding authority.
Preferably, through the mapping relationship, the confidential data operation module edits, adds, deletes or backs up the data in the confidential data area of the intelligent memory card.
Preferably, when the confidential data operation module exports a file from the confidential data area of the intelligent memory card through the mapping relationship, the corresponding file name and path name inside the intelligent memory card are masked.
In a concrete application, the confidential data operation module 201 of the embodiment may be a PC backup software tool. The modular structure of the application system, shown in Figure 4, comprises a data I/O API layer, a dedicated file system layer and a bottom-level sector operation interface (this embodiment uses the USB interface). Through the bottom-level sector operation interface, files on the smart card are read sector by sector, and a dedicated file system is built on the Windows platform to create files, read and write them, and operate on their attributes. On top of these basic file operations provided by the file system, specific applications can be developed quickly and easily, giving the user input and output of various smart card data or USB device files, together with flexible processing of and interaction with PC data.
The design of the USB interface module is described below.
The access endpoints of the standard USB Mass Storage protocol comprise at least endpoint 0 (the standard control endpoint), a Bulk Out endpoint and a Bulk In endpoint. Data transfer mainly uses the Bulk Out and Bulk In endpoints: Bulk In means that the host requests data from the peripheral and the peripheral sends data to the host; Bulk Out is the opposite direction, with the host sending data to the peripheral. After the standard enumeration process completes, the embodiment uses the SCSI protocol for transfers.
The mass storage area of the intelligent memory card (for example the USB flash disk in Fig. 2) and the smart card data storage area that needs to be accessed (the confidential data area, for example the USB multi-application area in Fig. 2) are physically located in the same NAND flash. The disk size parameter in the configuration descriptor is set to match the access boundary of the USB flash disk, that is, it is set to the size of the USB flash disk storage area.
After obtaining the disk size parameter, the PC reads and writes the USB flash disk in integer multiples of the standard sector size. That is, a read or write command from the PC carries, over the SCSI protocol, a sector number and the number of sectors in the transfer. The low-level PC driver only wraps the command in a CBW (Command Block Wrapper); the command is processed and parsed by the USB device, in the corresponding interrupt handler of the USB interface module.
Because the PC itself does not perform bounds checking on the command body of a SCSI command, the SCSI command body can be used to carry other special multi-application commands and data. The following describes how the SCSI commands of the USB Bulk-Only transport protocol are used for hidden data transfer in the intelligent memory card. The procedure is as follows:
(1) The PC initializes and enumerates the USB flash disk (using the standard control endpoint) and obtains the device configuration, endpoint types, protocol support and other information, determining that the device is a USB flash disk device that uses the SCSI protocol for data transfer.
(2) Using the information in the device configuration descriptor, the host and the device transfer data with the SCSI protocol over the Bulk Out and Bulk In endpoints. The information about the flash disk is obtained through Inquiry, Read_Capacity, Read_Format_Capacity and Mode_Sense.
Handling of hidden data at the Bulk Out endpoint:
The Bulk Out endpoint receives the data sent by the PC and writes it to the physical medium. Hidden data can therefore be handled by the sector mapping unit in the USB interface module, which applies a unified mapping to the sector numbers of the C area and the D area. The mapping relationship is shown in Figure 5.
The removable disk portion in Fig. 5 is the USB flash disk area that is visible to the PC. The USB interface module maps different sectors to different areas of the flash, and the C area inside the card is accessed by building, on the PC side, a file system of the same format as the one on the smart card. Through the mapping, the PC can reach the C area by sector operations. At the same time, because the disk size parameter is set to match the size of the D area, the sector numbers used to access the C area exceed the disk size parameter, so the C area is invisible to the PC. From the PC's point of view the storage sectors covered by the C area are hidden, which hides the C area data on the PC side, while a specially designed software module, for example the PC backup tool, can still access the C area.
The Bulk In endpoint handles hidden data in the same way as the Bulk Out endpoint.
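The sector mapping described above can be sketched as device-side code. This is an added example, not code from the patent: the area sizes, the flash layout, the names `map_sectors` and `reported_last_lba`, and the `c_authorized` flag (standing in for the decision of the secure access control module) are all assumptions. It shows that the reported capacity only hides the C area, so the mapping unit itself has to reject unauthorized, straddling and out-of-range transfers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (assumption): sizes in 512-byte sectors. */
#define D_SECTORS   2048u                      /* mass storage area, reported to the host */
#define C_SECTORS    256u                      /* confidential area, never reported       */
#define C_PHYS_BASE    0u                      /* C area placed first in flash            */
#define D_PHYS_BASE (C_PHYS_BASE + C_SECTORS)  /* D area follows it                       */

typedef enum { MAP_OK = 0, MAP_DENIED, MAP_OUT_OF_RANGE } map_status;
typedef enum { AREA_D, AREA_C } area_id;

typedef struct {
    area_id  area;         /* region the transfer lands in       */
    uint32_t phys_sector;  /* first physical flash sector to use */
} map_result;

/* Last LBA reported to the host: the disk size parameter covers D only. */
uint32_t reported_last_lba(void)
{
    return D_SECTORS - 1u;
}

/*
 * Map a host transfer (first sector, sector count) to a flash area.
 * Host LBAs [0, D_SECTORS) go to D; LBAs just past the reported
 * capacity go to C, but only when the session has been authorized.
 */
map_status map_sectors(uint32_t lba, uint32_t count, bool c_authorized,
                       map_result *out)
{
    /* 64-bit end address so that lba + count cannot wrap around. */
    uint64_t end = (uint64_t)lba + count;

    if (count == 0u)
        return MAP_OUT_OF_RANGE;

    if (end <= D_SECTORS) {                     /* entirely inside D */
        out->area = AREA_D;
        out->phys_sector = D_PHYS_BASE + lba;
        return MAP_OK;
    }
    if (lba >= D_SECTORS && end <= (uint64_t)D_SECTORS + C_SECTORS) {
        if (!c_authorized)                      /* hidden is not protected */
            return MAP_DENIED;
        out->area = AREA_C;
        out->phys_sector = C_PHYS_BASE + (lba - D_SECTORS);
        return MAP_OK;
    }
    /* Straddles the D/C boundary or lies beyond both areas. */
    return MAP_OUT_OF_RANGE;
}

int main(void)
{
    map_result r;
    printf("reported last LBA: %u\n", (unsigned)reported_last_lba());
    printf("D read:            %d\n", map_sectors(0, 8, false, &r));
    printf("C read, no auth:   %d\n", map_sectors(D_SECTORS, 4, false, &r));
    printf("C read, auth:      %d\n", map_sectors(D_SECTORS, 4, true, &r));
    printf("straddling read:   %d\n", map_sectors(D_SECTORS - 8u, 16, true, &r));
    return 0;
}
```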
Handling of received data by the PC backup tool:
As described above, for a smart card such as a SIM card, access to the data area (the C area) is achieved through sector mapping. The PC side therefore has to apply the inverse sector mapping in order to access the smart card data area normally.
The organization of the C area file system in the intelligent memory card may or may not be the same as the structure of the PC's FAT file system. When the file systems differ, a file system of the same format as the one on the smart card has to be set up on the PC side so that data and files can be accessed correctly.
Fig. 6 shows the correspondence between the file systems on the PC side and those on the intelligent memory card. In Fig. 6, the FAT file system is the standard Windows file system, and the dedicated file system (BackupFAT) is the file system that corresponds to the C area of the intelligent memory card file system. The file system of the D area in the intelligent memory card is the same as the standard file system of the PC. The following points should be noted:
(1) The interface FlashDiskCommand() between the intelligent memory card file system and the underlying flash should be changed, as required, to the USB interface with sector mapping.
(2) If more areas need to be mapped and backed up, the other areas (such as A:, B:) need a similar mapping, with matching sector sizes.
Handling of data transfer by the PC backup tool:
(1) USB sector access procedure
USB sector access mainly comprises:
1) opening the USB device;
2) opening the USB endpoints;
3) reading a USB sector, which includes converting the file system sector number to the USB access sector number;
4) writing a USB sector, which includes converting the file system sector number to the USB access sector number.
(2) Matching the PC-side dedicated file system to the intelligent memory card file system.
(3) The interface between the PC backup software and the file system.
To prevent misoperation by upper-layer applications, the upper layer can be offered operations such as initialization of the USB device and import/export of specific files to and from the data in the intelligent memory card. These mainly comprise:
(1) Detecting whether the USB device has been removed. The presence of the intelligent memory card must be checked before every read or write.
(2) Exporting a file from the intelligent memory card to a specified file under a specified path on the PC; if the file does not exist it is created, and if it exists it is overwritten.
(3) Importing a specified file under a specified path on the PC into a specified file under a specified path in the intelligent memory card; if the file does not exist it is created, and if it exists it is overwritten.
To further secure the files stored on the intelligent memory card, the present invention also provides a secure access control module, which realizes a channel for access to web page data content under the supervision of security management. It is implemented as follows:
When data is stored, it is divided logically or physically according to its purpose, and different data is given different access conditions. The PC can thus freely access data that has no permission requirement and can also access restricted data through special software, which achieves secure data synchronization between the intelligent memory card and the PC over a high-speed interface.
When the PC backup tool reads and writes data in the card, the different files in the smart card have different access conditions, in accordance with the ISO/IEC 7816 protocol.
Permission control for SIM card data mainly covers the following aspects.
First, according to the ISO/IEC 7816 protocol, every file has specific access conditions for each command. The access conditions of the most recently selected file should be satisfied before the requested action begins.
For each file:
- the access conditions for the READ and SEEK (search) commands are identical;
- the access condition for the SELECT and STATUS commands is unconditional (ALW);
- the access conditions for the MF (master file) and the DFs (dedicated files) are not currently standardized.
According to GSM 11.11, the access condition levels are as shown in the following table:
Level | Access condition
0 | ALW
1 | CHV1
2 | CHV2
3 | Reserved
4-14 | ADM
15 | NEV
Here, ALW: the action can be performed unconditionally;
CHV1 (card holder verification 1): the action can be performed if one of the following three conditions is satisfied:
A) a correct CHV1 value has been presented to the SIM card during the current session;
B) the CHV1 enabled/disabled indicator is in the "disabled" state;
C) UNBLOCK CHV1 has been successfully executed during the current session.
CHV2 (card holder verification 2): the action can be performed if one of the following two conditions is satisfied:
A) a correct CHV2 value has been presented to the SIM card during the current session;
B) UNBLOCK CHV2 has been successfully executed during the current session.
ADM: this is used for the cryptographic algorithm employed by the SIM card administrator;
NEV: the action cannot be performed over the SIM/ME (mobile terminal) interface. The SIM card may perform the action internally.
The condition levels are independent of each other. For example, even if a correct CHV2 has been presented, an action that requires CHV1 is still not allowed. A condition level that has been satisfied remains valid until the end of the GSM session. A satisfied CHV condition level applies to both DF_GSM and DF_TELECOM files.
From the response to the STATUS command, the ME determines whether CHV2 is available; if CHV2 has not been initialized, commands relating to CHV2 (for example VERIFY CHV2) cannot be used.
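The access-condition rules listed above can be expressed as a small decision function. This is an added example, not code from the patent or from GSM 11.11: the `session_state` and `file_conditions` structures, the function names, the per-level ADM bitmask and the inclusion of an UPDATE command are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access condition levels from the table above. */
enum {
    LVL_ALW = 0, LVL_CHV1 = 1, LVL_CHV2 = 2, LVL_RESERVED = 3,
    LVL_ADM_MIN = 4, LVL_ADM_MAX = 14, LVL_NEV = 15
};

/* What has happened so far in the current session (assumed structure). */
typedef struct {
    bool     chv1_presented;  /* correct CHV1 value presented             */
    bool     chv1_disabled;   /* CHV1 enabled/disabled indicator disabled */
    bool     chv1_unblocked;  /* UNBLOCK CHV1 executed successfully       */
    bool     chv2_presented;  /* correct CHV2 value presented             */
    bool     chv2_unblocked;  /* UNBLOCK CHV2 executed successfully       */
    uint16_t adm_fulfilled;   /* bit n set: ADM level n fulfilled         */
} session_state;

typedef enum { CMD_SELECT, CMD_STATUS, CMD_READ, CMD_SEEK, CMD_UPDATE } command;

/* Per-file access conditions; READ and SEEK share one level. */
typedef struct {
    uint8_t read_seek;
    uint8_t update;
} file_conditions;

/* Each level is judged on its own: CHV2 never satisfies CHV1. */
bool level_fulfilled(uint8_t level, const session_state *s)
{
    if (level == LVL_ALW)
        return true;
    if (level == LVL_CHV1)
        return s->chv1_presented || s->chv1_disabled || s->chv1_unblocked;
    if (level == LVL_CHV2)
        return s->chv2_presented || s->chv2_unblocked;
    if (level >= LVL_ADM_MIN && level <= LVL_ADM_MAX)
        return ((s->adm_fulfilled >> level) & 1u) != 0u;
    /* Level 3 is reserved and NEV is never allowed over the interface. */
    return false;
}

bool command_allowed(command cmd, const file_conditions *fc,
                     const session_state *s)
{
    switch (cmd) {
    case CMD_SELECT:
    case CMD_STATUS:
        return true;                         /* always ALW */
    case CMD_READ:
    case CMD_SEEK:
        return level_fulfilled(fc->read_seek, s);
    case CMD_UPDATE:
        return level_fulfilled(fc->update, s);
    }
    return false;                            /* unknown command: deny */
}

int main(void)
{
    /* Constructed file: readable after CHV1, writable only at ADM level 4. */
    file_conditions phonebook = { LVL_CHV1, LVL_ADM_MIN };
    session_state s = { 0 };

    s.chv2_presented = true;                 /* CHV2 alone is not enough */
    printf("READ with CHV2 only: %d\n", command_allowed(CMD_READ, &phonebook, &s));
    s.chv1_presented = true;
    printf("READ with CHV1:      %d\n", command_allowed(CMD_READ, &phonebook, &s));
    printf("UPDATE without ADM:  %d\n", command_allowed(CMD_UPDATE, &phonebook, &s));
    return 0;
}
```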
Taking CHV1 verification as an example, the flow of secure access control and verification over the USB interface is described below.
CHV1 is the PIN1 code (PIN, Personal Identification Number) of the mobile phone. The PC backup software reads the PIN code state and verifies the PIN code by sending specific SCSI read and write commands. Reading the PIN code state is shown in Figure 7; checking the PIN code is shown in Figure 8.
In summary, the present invention operates on the SIM content by setting up, in the confidential data operation module on the PC side, a dedicated file system with the same structure as the confidential data area of the intelligent memory card, and masks the internal SIM paths and original file names when files are backed up and exported.
By constructing on the PC side the file formats that correspond to the file formats of each logical area on the smart card, the invention achieves accurate and complete reading and writing of the files on the smart card, controls the output file path on the PC side, and masks the file and path names inside the smart card.
For file hiding and data backup through the file system, a particular path (such as " C: 3F00 ") is specified and fixed inside the interface, so that the user has no right to modify it; the mapping table of file names is handled similarly and is fixed inside the interface.
Two application examples are given below as further illustration.
Application example 1: backing up and updating the short messages and phone book of a smart card
(1) The smart card is connected to the PC through the USB adapter.
(2) The PC-side backup tool is started; during initialization it confirms that the smart card is connected.
(3) The backup tool calls the PC-side backupFS file system dynamic library (same file system format as the USB multi-application area of the intelligent memory card) and exchanges data through the USB interface module.
(4) Because this file system dynamic library uses the same format as the data stored in the intelligent memory card, the short message or phone book files can be accessed normally, and the short messages or phone book can be backed up to the PC in a given format. In the same way, a short message file or phone book file in the intelligent memory card can be read to the PC, edited, and written back to the intelligent memory card, which completes the update of the short message or phone book file in the card.
Application example 2: user identity authentication
(1) The intelligent memory card is connected to the PC through the USB adapter.
(2) The PC-side backup tool is started; during initialization it confirms that the smart card is connected.
(3) During initialization the backup tool calls the authorization interface agreed between the PC side and the intelligent memory card side; other accesses to the intelligent memory card are carried out only after the user's rights have been confirmed.
(4) After authentication is confirmed, the intelligent memory card enables the other critical data interfaces. Critical data operations, such as changing the PIN code, can then be performed through the PC backup tool.
The present invention implements file hiding and data backup for the intelligent memory card through a novel file system. The intelligent memory card can be used as an independent storage device or card (USB flash disk, SD card, MMC card) that shares and exchanges data with mainstream digital equipment such as PCs, digital cameras and MP3/MP4 players, and it can also serve as a data exchange platform, a tool for secure data interaction between mobile phone terminals, PCs and other card-reading access terminals. The user can conveniently edit, add, delete and back up data in the card (such as personal information, the phone book, short messages and phone settings) or sensitive USB data, without affecting the operation of other data in the smart card.