Summary of the invention
In view of this, one object of the present invention is to provide an intelligent memory card that improves security and flexibility.
Another object of the present invention is to provide a method for the security management of an intelligent memory card that improves security and flexibility.
To achieve the above objects, the technical solution of the present invention is realized as follows:
An intelligent memory card, comprising:
An interface module, which outputs an externally input command to set up file control parameter (FCP) information to the memory controller, and outputs an externally input operational order and Authority Verification instruction to the memory controller; the FCP information includes at least a file name, a security algorithm and a safety condition;
A controlled memory block, for storing directories and the files under those directories;
A memory controller, which outputs the command to set up FCP information to the additional controller; outputs the name of the pending file carried by the operational order, together with the Authority Verification instruction, to the additional controller; and processes, according to the operational order, the security-protected data output by the additional controller;
An additional controller, which, according to the command to set up FCP information, sets up directory FCP information, indexed by name, in one-to-one correspondence with the directories stored in the controlled memory block, and sets up file FCP information, indexed by name, in one-to-one correspondence with the files stored in the controlled memory block; obtains the FCP information of the pending file according to its name, and parses that FCP information to obtain the safety condition and the security algorithm; and judges, according to the Authority Verification instruction, whether the safety condition is met. When the safety condition is met, it uses the security algorithm to protect the data contained in the pending file, obtains the security-protected data, and outputs that data to the memory controller; when the safety condition is not met, it refuses the operation.
Preferably, the FCP information further comprises a life cycle;
The additional controller further parses the FCP information of the pending file to obtain the life cycle and judges whether the life cycle requirement is met; once it is met, the additional controller judges, according to the Authority Verification instruction, whether the safety condition is met; if the life cycle is not met, it refuses the operation.
Preferably, the FCP information further comprises a logical combination of safety conditions;
The additional controller further judges whether the safety condition is met according to the logical combination of safety conditions contained in the FCP information.
In the above memory card, the additional controller comprises:
A microprocessor, which, according to the command to set up FCP information output by the memory controller, stores in the additional storage directory FCP information, indexed by name, in one-to-one correspondence with the directories of the controlled memory block, and stores in the additional storage file FCP information, indexed by name, in one-to-one correspondence with the files of the controlled memory block; reads the FCP information of the pending file from the additional storage according to the name of the pending file carried by the operational order, and parses it to obtain the life cycle, the safety condition and the security algorithm; judges whether the life cycle requirement is met and, once it is met, judges whether the safety condition is met according to the Authority Verification instruction and the logical combination of safety conditions; once the safety condition is met, uses the security algorithm to protect the data contained in the pending file, obtains the security-protected data, and outputs that data to the memory controller; and refuses the operation when the life cycle or the safety condition is not met;
An additional storage, for storing the directory FCP information and the file FCP information.
Preferably, the additional storage is further used to store the key and/or password required by the security algorithm.
An intelligent memory card, comprising:
An interface module, which outputs an externally input command to set up file control parameter (FCP) information, an externally input Authority Verification instruction and an externally input operational order to the memory controller; the FCP information includes at least a file name, a safety condition and a security algorithm;
A memory, for storing directories, the files under the directories, directory FCP information in one-to-one correspondence with the directories, and file FCP information in one-to-one correspondence with the files under the directories;
A memory controller, which, according to the command to set up FCP information, sets up in the memory directory FCP information, indexed by name, in one-to-one correspondence with the stored directories, and sets up in the memory file FCP information, indexed by name, in one-to-one correspondence with the stored files; obtains the FCP information of the pending file according to the name carried by the operational order, and parses that FCP information to obtain the safety condition and the security algorithm; and judges, according to the Authority Verification instruction, whether the safety condition is met. When the safety condition is met, it uses the security algorithm to protect the data contained in the pending file, obtains the security-protected data, and processes that data according to the operational order; when the safety condition is not met, it refuses the operation.
Preferably, the FCP information further comprises a life cycle;
The memory controller further parses the FCP information of the pending file to obtain the life cycle and judges whether the life cycle requirement is met; once it is met, the memory controller judges, according to the Authority Verification instruction, whether the safety condition is met; if the life cycle is not met, it refuses the operation.
Preferably, the FCP information further comprises a logical combination of safety conditions;
The memory controller further judges whether the safety condition is met according to the Authority Verification instruction and the logical combination of safety conditions contained in the FCP information.
In the above memory card, the memory comprises:
A controlled memory block, for storing directories and the files under those directories;
An additional storage, for storing directory FCP information in one-to-one correspondence with the directories of the controlled memory block, and file FCP information in one-to-one correspondence with the files under the directories of the controlled memory block.
Preferably, the memory is further used to store the key and/or password required by the security algorithm.
A method for the security management of an intelligent memory card, comprising:
A. In the additional storage, setting up directory file control parameter (FCP) information, indexed by name, in one-to-one correspondence with the directories stored in the controlled memory block, and file FCP information, indexed by name, in one-to-one correspondence with the files stored in the controlled memory block; the FCP information includes at least a file name, a safety condition and a security algorithm;
B. Obtaining the FCP information of the pending file according to the name of the pending file carried by the externally input operational order, and parsing that FCP information to obtain the safety condition and the security algorithm;
C. Judging, according to the externally input Authority Verification instruction, whether the safety condition is met; when the safety condition is met, using the security algorithm to protect the data contained in the pending file to obtain the security-protected data, and processing the security-protected data according to the operational order; when the safety condition is not met, refusing the operation.
Preferably, the FCP information further comprises a life cycle;
Between step B and step C, the method further comprises: parsing the FCP information of the pending file to obtain the life cycle; if the life cycle is met, executing step C; otherwise, refusing the operation.
Preferably, the FCP information further comprises a logical combination of safety conditions;
Step B further comprises: judging whether the safety condition is met according to the logical combination of safety conditions contained in the FCP information.
In the above method, the one-to-one correspondence in step A between the file FCP information and the files stored in the controlled memory block means that the file structure formed in the additional storage by the file FCP information and the directory FCP information is identical to the file structure formed in the controlled memory block by the files corresponding to the file FCP information and the directories corresponding to the directory FCP information.
In the above method, the security algorithm comprises at least an encryption algorithm and a check, or the security algorithm comprises at least a decryption algorithm and a check;
In step C, using the security algorithm to protect the data of the pending file comprises:
C1. Encrypting the data contained in the pending file with the encryption algorithm, or decrypting the data contained in the pending file with the decryption algorithm;
C2. Performing an integrity check on the data obtained after encryption or on the data obtained after decryption, and taking the encrypted data and the check value as the security-protected data, or taking the decrypted data and the check value as the security-protected data.
Preferably, before the file FCP information indexed by name and in one-to-one correspondence with the files stored in the controlled memory block is set up in the additional storage in step A, the method further comprises: adding a file name to each file stored under the directories in the controlled memory block; the length of the file name is M bytes, where M is a natural number less than 256.
As can be seen from the above technical solution, the present invention provides an intelligent memory card and a method for its security management. According to the command to set up FCP information and the FCP information set in it, the intelligent memory card sets up directory FCP information and file FCP information inside the card. When setting up the FCP information, the intelligent memory card follows the file structure that the directories and files form in the controlled memory block, and sets up directory FCP information and file FCP information with the same file structure in the additional storage. The card obtains the FCP information of the pending file; when the safety condition is determined to be met according to the safety condition and its logical combination, the card uses the security algorithm to protect the pending data, obtains the security-protected data, and processes that data according to the operational order. With the memory card and method of the present invention, operational orders on files in the controlled memory block are subject to security control, and data is protected through the safety condition and its logical combination, which improves security and flexibility.
Embodiment
To make the objects, technical solution and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
The intelligent memory card and the security management method of the present invention no longer perform security management in units of sectors but in units of files, and the memory controller or the additional controller in the intelligent memory card performs security management on the files stored in the controlled memory block, which improves security; the safety condition and the security algorithm contained in a file's FCP information can be set according to the user's specific needs for that file, which improves flexibility.
The FCP information of the present invention is defined with reference to the structure described in the ISO 7816-4 standard, but it also extends that standard: a file name that can be set to any byte length is added to the FCP information, which makes it easier to perform security management in units of files.
Fig. 1 is a structural diagram of the first embodiment of the intelligent memory card of the present invention. The first embodiment is described below with reference to Fig. 1:
The intelligent memory card of the present invention comprises interface module 10, memory controller 11, controlled memory block 12 and additional controller 13. One end of interface module 10 is connected to memory controller 11, and the other end is connected to the external device that accesses the intelligent memory card; memory controller 11 is connected to controlled memory block 12 and additional controller 13.
Interface module 10 provides the communication channel between memory controller 11 and the external device that accesses the intelligent memory card. Interface module 10 outputs the externally input command to set up file control parameter (FCP) information to memory controller 11. The command to set up FCP information carries either the name of the directory for which FCP information is to be set up together with the FCP information that has been set, or the name of the file for which FCP information is to be set up together with the FCP information that has been set. The FCP information that has been set includes at least a file name and a security attribute; the security attribute includes at least a safety condition and a security algorithm; the security attribute can be set in compact format, expanded format, referencing expanded format, or a combination of these formats. To improve security, the security attribute may further comprise a life cycle and/or a logical combination of safety conditions.
Interface module 10 outputs the externally input operational order and Authority Verification instruction to memory controller 11. The operational order comprises a read-data instruction or a write-data instruction, and further carries the name of the pending file; the name of the pending file may be the name of a directory to be processed or the name of the file to which the data to be processed belongs. The Authority Verification instruction also carries the verification parameter for this operation.
Controlled memory block 12 stores a plurality of directories and a plurality of files under each directory. The directories and files stored in controlled memory block 12 are the content that requires security protection. For example, directory 1 contains file 1 and file 2, and directory 2 contains file 3 and file 4.
Memory controller 11 outputs the command to set up FCP information to additional controller 13. Memory controller 11 outputs the name of the pending file carried by the operational order, together with the Authority Verification instruction, to additional controller 13. Memory controller 11 processes, according to the operational order, the security-protected data output by additional controller 13, and feeds back the processing result and the processed data to interface module 10. In this embodiment, memory controller 11 does not perform security management on the files or directories stored in controlled memory block 12; it only performs read or write operations, according to the operational order, on the security-protected data output by additional controller 13.
According to the command to set up FCP information, additional controller 13 sets up directory FCP information, indexed by name, in one-to-one correspondence with the directories stored in controlled memory block 12, and sets up file FCP information, indexed by name, in one-to-one correspondence with the files stored in controlled memory block 12. Specifically, by communicating with memory controller 11, additional controller 13 can obtain, through memory controller 11, the file structure of controlled memory block 12 as well as the directories stored in controlled memory block 12 and the files under those directories. The one-to-one correspondence is reflected in the file structure formed by files and directories: the file structure that the file FCP information and the directory FCP information form in additional controller 13 is identical to the file structure that the files corresponding to the file FCP information and the directories corresponding to the directory FCP information form in controlled memory block 12.
According to the name of the pending file, additional controller 13 looks up the FCP information of the pending file among the FCP information already set up, and parses it to obtain the life cycle, the safety condition, the logical combination of safety conditions and the security algorithm of the pending file. It judges whether the life cycle is met; if so, it judges whether the safety condition is met according to the Authority Verification instruction and the logical combination of safety conditions. When the safety condition is met, it uses the security algorithm to protect the data contained in the pending file, obtains the security-protected data, and outputs that data to memory controller 11; when the life cycle or the safety condition is not met, it refuses this operation. The life cycle is a validity period: judging whether the life cycle is met means judging whether the operation on the pending file falls within the validity period; if it does, the safety condition is judged, and otherwise this operation is refused. Additional controller 13 also stores the key and/or password used to execute the security algorithm. For example, parsing the FCP information of file 1 yields a safety condition of PIN code and a security algorithm of encryption algorithm and check. Additional controller 13 judges whether the verification parameter carried by the Authority Verification instruction is identical to the PIN code. If it is identical, the safety condition is met: the stored key is used to encrypt the pending data, an integrity check is performed on the encrypted data, and the security-protected data or the check value is output to memory controller 11. If the verification parameter carried by the Authority Verification instruction is not identical to the PIN code, the safety condition is not met and this operation is refused.
Additional controller 13 comprises microprocessor 131 and additional storage 132. Microprocessor 131 is connected to memory controller 11 and additional storage 132.
Additional storage 132 stores the directory FCP information and the file FCP information. Additional storage 132 is further used to store the key and/or password required by the security algorithm.
According to the command to set up FCP information output by memory controller 11, microprocessor 131 stores in additional storage 132 directory FCP information, indexed by name, in one-to-one correspondence with the directories of controlled memory block 12, and stores in additional storage 132 file FCP information, indexed by name, in one-to-one correspondence with the files of controlled memory block 12. According to the name of the pending file carried by the operational order, it reads the FCP information of the pending file from additional storage 132 and parses it to obtain the life cycle, the safety condition, the logical combination of safety conditions and the security algorithm of the pending file. It judges whether the life cycle requirement is met; once it is met, it judges whether the safety condition is met according to the Authority Verification instruction and the logical combination of safety conditions; once the safety condition is met, it uses the security algorithm to protect the data contained in the pending file, obtains the security-protected data, and outputs that data to memory controller 11. When the life cycle or the safety condition is not met, it refuses the operation.
Fig. 2 is a structural diagram of the second embodiment of the intelligent memory card of the present invention. The second embodiment is described below with reference to Fig. 2:
Compared with the first embodiment, the second embodiment of the intelligent memory card omits the additional controller used for file security control; in the second embodiment the memory controller implements the functions of the additional controller of the first embodiment. The intelligent memory card of this embodiment reduces hardware cost.
The intelligent memory card of the present invention comprises interface module 20, memory controller 21 and memory 22. One end of interface module 20 is connected to memory controller 21, and the other end is connected to the external device that accesses the intelligent memory card; memory controller 21 is connected to memory 22.
Interface module 20 of this embodiment is identical to interface module 10 of the first embodiment, so interface module 20 is not described again here.
Memory 22 stores directories, the files under the directories, directory FCP information in one-to-one correspondence with the directories, and file FCP information in one-to-one correspondence with the files under the directories. Memory 22 also stores the key and/or password used to execute the security algorithm. The content of the directory FCP information and the file FCP information is the same as in the first embodiment and is not repeated here.
According to the command to set up FCP information, memory controller 21 obtains from memory 22 the directories it stores and the files under those directories and, according to the FCP information that has been set and is carried by the command, sets up directory FCP information, indexed by name, in one-to-one correspondence with the directories stored in the memory, and file FCP information in one-to-one correspondence with the stored files. In other words, the file structure that the file FCP information and the directory FCP information form in memory 22 is identical to the file structure that the files corresponding to the file FCP information and the directories corresponding to the directory FCP information form in memory 22.
According to the name of the pending file carried by the operational order, memory controller 21 looks up the FCP information of the pending file among the FCP information already set up, and parses it to obtain the life cycle, the safety condition, the security algorithm and the logical combination of safety conditions for the pending file. Memory controller 21 judges whether the life cycle is met; once it is met, it judges whether the safety condition is met according to the Authority Verification instruction and the logical combination of safety conditions. When the safety condition is met, it uses the security algorithm to protect the data contained in the pending file, obtains the security-protected data, and processes that data according to the operational order; when the life cycle or the safety condition is not met, it refuses this operation.
Memory controller 21 further feeds back the processing result and the processed data to interface module 20; the processing result is either that the operation was refused or that the operation was completed; the processed data is the security-protected data or the integrity check value.
Memory 22 comprises controlled memory block 221 and additional storage 222.
Controlled memory block 221 stores a plurality of directories and a plurality of files under each directory. The directories and files stored in controlled memory block 221 are the files subject to security protection.
Additional storage 222 stores the directory FCP information and the file FCP information.
The file structure formed by the directory FCP information and the file FCP information stored in additional storage 222 is identical to the file structure formed by the directories stored in controlled memory block 221 and the files under those directories.
Fig. 3 is a flow chart of the method for the security management of an intelligent memory card of the present invention. The method is described below with reference to Fig. 3:
Step 301: set up the FCP information indexed by name;
This step comprises: step 3011, adding a directory name to each directory stored in the controlled memory block, and adding a file name to each file stored in the controlled memory block; step 3012, according to the directory name and the FCP information that has been set, both carried by the command to set up FCP information, setting up in the additional storage directory FCP information, indexed by directory name, in one-to-one correspondence with the directories in the controlled memory block; step 3013, according to the file name and the FCP information that has been set, both carried by the command to set up FCP information, setting up in the additional storage file FCP information, indexed by file name, in one-to-one correspondence with the files in the controlled memory block.
In step 3011, the length and content of the file name added to a file stored in the controlled memory block can be set according to the user's needs and are no longer limited to the fixed-byte-length name specified in ISO 7816-4; the file name can be set to M bytes, where M is a natural number less than 256.
In this step, the file structure formed by the directory FCP information and the file FCP information stored in the additional storage is identical to the file structure formed by the directories and files stored in the controlled memory block; this is not described again here.
Step 302: obtain the FCP information of the pending file;
According to the name of the pending file carried in the operational order, the FCP information of the pending file is looked up among the FCP information stored in the additional storage.
Step 303: parse the FCP information to obtain the safety condition, the logical combination of safety conditions and the security algorithm;
The controller in the intelligent memory card that is responsible for the security management of files, such as the memory controller or the additional controller, parses the FCP information of the pending file and obtains the safety condition, the logical combination of safety conditions and the security algorithm associated with the pending file.
Step 304: judge whether the safety condition is met; if so, execute step 305; otherwise, execute step 307;
In this step, if no logical combination of safety conditions has been set, whether the safety condition is met is judged directly according to the Authority Verification instruction; if a logical combination of safety conditions has been set, whether the safety condition is met is judged according to the Authority Verification instruction and the logical combination of safety conditions.
The safety condition of the present invention further carries a parameter used to determine whether the safety condition is met. For example, the safety condition may be PIN code verification, authentication, external authentication, internal authentication, multiple authentication, and so on. The input PIN code, authentication code, external authentication code, internal authentication code, multiple authentication code or the like is compared with the parameter carried by the safety condition; if they are identical, the safety condition is met; otherwise, the safety condition is not met.
Step 305: use the security algorithm to protect the pending file;
The security algorithm comprises at least an encryption algorithm and a check, or the security algorithm comprises at least a decryption algorithm and a check.
Taking a security algorithm that comprises an encryption algorithm and a check as an example, this step comprises: encrypting the pending file using the encryption algorithm and the stored key; performing a data integrity check on the data obtained after encryption; and taking the encrypted data and the check value as the security-protected data.
Taking a security algorithm that comprises a decryption algorithm and a check as an example, this step comprises: decrypting the pending file using the decryption algorithm and the stored key; performing a data integrity check on the data obtained after decryption; and taking the decrypted data and the check value as the security-protected data.
Step 306: process the security-protected data according to the operational order;
The operational order comprises a read instruction or a write instruction; according to the received operational order, a read or write operation is performed on the security-protected data obtained in step 305.
Step 307: end.
To further improve security, the FCP information further comprises a life cycle; the life cycle is a parameter used to judge whether an operation on a given file is valid.
Between step 303 and step 304, the method further comprises: judging, according to the life cycle contained in the FCP information of the pending file, whether the life cycle is met; if so, executing step 304; otherwise, executing step 307.
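The flow of steps 301 to 307, including the life cycle check between steps 303 and 304, is illustrated by the following added example, which is not part of the original text. The field names, the "AND"/"OR" encoding of the logical combination, the life cycle expressed as an expiry time, the HMAC-SHA256 counter-mode stand-in cipher, the HMAC check value and the sharing of keys with the receiver are all assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


class Refused(Exception):
    """The card refuses the operation (step 307)."""


@dataclass
class FCP:
    name: str                          # index key: file or directory name
    conditions: Dict[str, bytes]       # safety condition -> parameter it carries
    combine: str = "AND"               # logical combination (assumed encoding)
    valid_until: Optional[int] = None  # life cycle as an expiry time (assumed)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the unspecified security algorithm:
    # HMAC-SHA256 in counter mode, XORed over the data.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _check_value(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Integrity check over the data obtained after encryption.
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


class Card:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key  # kept on the card
        self.fcp_store: Dict[str, FCP] = {}    # additional storage
        self.files: Dict[str, bytes] = {}      # controlled memory block

    def create(self, fcp: FCP, content: bytes) -> None:
        # Step 301: FCP information indexed by the same name as the file.
        self.fcp_store[fcp.name] = fcp
        self.files[fcp.name] = content

    def _condition_met(self, fcp: FCP, credentials: Dict[str, bytes]) -> bool:
        # Fail closed on an empty condition set or an unknown combination.
        if not fcp.conditions or fcp.combine not in ("AND", "OR"):
            return False
        results = [
            hmac.compare_digest(credentials.get(cond, b""), expected)
            for cond, expected in fcp.conditions.items()
        ]
        return all(results) if fcp.combine == "AND" else any(results)

    def read(self, name, credentials, now, nonce=None):
        fcp = self.fcp_store.get(name)                      # step 302
        if fcp is None:
            raise Refused("no FCP information for this name")
        if fcp.valid_until is not None and now > fcp.valid_until:
            raise Refused("life cycle not met")             # before step 304
        if not self._condition_met(fcp, credentials):       # step 304
            raise Refused("safety condition not met")
        nonce = nonce or os.urandom(16)                     # step 305
        ciphertext = _keystream_xor(self.enc_key, nonce, self.files[name])
        return nonce, ciphertext, _check_value(self.mac_key, nonce, ciphertext)


def unprotect(enc_key, mac_key, nonce, ciphertext, check):
    # Receiver side: verify the check value before decrypting.
    if not hmac.compare_digest(check, _check_value(mac_key, nonce, ciphertext)):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    # Constructed sample data.
    card = Card(b"E" * 32, b"M" * 32)
    card.create(FCP("file1", {"PIN": b"1234"}), b"payroll records")
    card.create(FCP("file2", {"PIN": b"1234", "EXT": b"a1b2"}, "OR", 1000), b"logs")
    blob = card.read("file1", {"PIN": b"1234"}, now=0)
    print(unprotect(b"E" * 32, b"M" * 32, *blob))
    for creds, now in (({"PIN": b"0000"}, 0), ({"EXT": b"a1b2"}, 2000)):
        try:
            card.read("file2", creds, now)
        except Refused as exc:
            print("refused:", exc)
```

The example refuses a file whose FCP information carries no safety condition at all, so a missing or malformed entry never grants access by default.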
In the above preferred embodiments of the present invention, security management of the data in the intelligent memory card is no longer performed by the external device that accesses the card. Instead, the intelligent memory card itself performs security management on the files stored in the controlled memory block according to the FCP information set in advance, which is not easily cracked by physical or software means and therefore improves security. The intelligent memory card and the security management method of the present invention no longer use the sector as the basic unit of rights management, but take files under different file systems as the basic unit of security management, for example files under the FAT (File Allocation Table) file system, the NTFS (New Technology File System) file system or the EXT (Extended File System) file system, without being limited to files under these three file systems. The intelligent memory card and the security management method of the present invention can set the FCP information according to the user's security requirements for a specific file, which improves flexibility. To make it easier to perform security management with the file as the basic unit, the file structure formed by the directory FCP information and the file FCP information stored in the additional storage of the present invention is identical to the file structure formed by the directories and files stored in the controlled memory block.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.