Advantages of the contactless CPU card and an introduction to CPU card technology

Early contactless IC card deployments mostly used logic encryption cards, the best known being the Mifare 1 card from Philips (now NXP). Contactless logic encryption card technology quickly won users over with its low cost, concise transaction flow and simple system architecture, and was rapidly adopted and developed. According to incomplete statistics, by the end of last year the number of contactless logic encryption cards deployed across various fields in China had reached hundreds of millions.

As contactless logic encryption cards continued to be deployed, the shortcomings of the technology became increasingly exposed, and it struggles to meet the requirements of higher security and more complex multi-application use. In particular, in October 2008 a method for cracking the key of the MIFARE CLASSIC IC chip (hereinafter the M1 chip) was published on the Internet. Using this method, criminals can at low cost illegally recharge or copy all kinds of "one card" and access-control cards built on this chip, which brings serious public security risks. The contactless CPU card smart card has therefore become the technically updated option.

The Key Management System (KMS) is the core of IC card project security; how keys are managed securely runs through the entire life cycle of the IC card application.

1. The secure authentication of a contactless logic encryption card relies on verifying the independent KEYA and KEYB of each sector. The sector control word uses different security combinations of KEYA and KEYB to control read/write access to the sector data. Personalization of a contactless logic encryption card is also relatively simple, consisting mainly of updating the data and the KEYA and KEYB of each sector, during which all sensitive data, KEYA and KEYB included, are written directly in clear text.

Because of the KEYA/KEYB verification mechanism, only card-to-terminal authentication can be solved; terminal-to-card authentication cannot, which is the risk commonly known as the "pseudo-card" (counterfeit card).

The key of a contactless logic encryption card is a preset, fixed password. Whatever method is used to derive the key, the value presented must match the fixed password written earlier before the protected data can be read or written. Therefore, whether the system uses one key per card ("one-card-one-key") or a single unified password, once the card is cracked the contactless logic encryption card can be decrypted. Many people believe that a one-card-one-key scheme, a real-time online system, or the ID number of the contactless logic encryption card protects the key from being decrypted. In fact, decrypting a contactless logic encryption card means the M1 card can be copied. An online system can prevent illegal recharging, but it cannot prevent illegal consumption: by copying an M1 card with the same ID number, one can consume illegally. With today's technology such a card can be fully replicated using an FPGA.

On the same principle, M1 access-control cards are also unsafe. At present, 80% of access-control products in China use the UID of the original IC card or the ID number of an ID card as the access credential, with no encryption key and no dedicated key developed. The security risk is far greater than the Mifare card crack, and more dangerous: whoever cracks them illegally only needs professional technical means to complete the cracking. The reason most domestic access-control products lack security is that the design theory of early access-control products was introduced from abroad; most domestic manufacturers have long followed foreign practice, using the read-only features of ID and IC cards for identity recognition, rarely paying attention to encryption authentication between card and device, and lacking key-system design. Since the ID card is a very easy-to-replicate carrier, all such access control can be cracked and copied in an instant; this is the biggest disaster in our domestic security market.

2. Compared with the contactless logic encryption card, the contactless CPU card smart card has an independent CPU processor and a chip operating system, so it supports a variety of different application needs more flexibly and allows a more secure transaction-flow design. At the same time, compared with a contactless logic encryption card system, a contactless CPU card smart card system is more complex and requires more system changes, such as key management, transaction flow, PSAM cards and card personalization. The keys are usually divided into a recharge key (ISAM card), a deduction key (PSAM card) and an authentication key (SAM card).

Through internal and external authentication mechanisms, the contactless CPU card smart card can meet, with high reliability, the security and key management requirements of different business processes, such as the electronic wallet transaction flow defined by the Ministry of Construction. The electronic wallet uses a load (storage) key for loading, a consumption key for consumption, a TAC key for clearing, and a card application maintenance key for updating data; during card personalization the card transport key, card master control key, application master key and so on are used, truly achieving one key per purpose.

The contactless CPU card's encryption algorithm and random number generator, together with the key authentication card (SAM card) installed in the reader, exchange random numbers for mutual authentication, which makes the following functions possible:

(1) The SAM card in the terminal device authenticates the card.

(2) Mutual authentication between the contactless CPU card and the SAM card in the terminal device, so that the card also authenticates the terminal.

(3) The contactless CPU card is recharged through the ISAM card to achieve secure stored value.

(4) The contactless CPU card is debited through the PSAM card to achieve secure deduction.

(5) Data transmitted between the terminal device and the contactless CPU card is encrypted.

(6) Verification of transmitted data is achieved through the random-number-based MAC1 sent by the contactless CPU card to the SAM card, the MAC2 sent by the SAM card back to the contactless CPU card, and the TAC returned by the contactless CPU card. For the same contactless CPU card, MAC1, MAC2 and TAC are different in every transmission, so the key of the contactless CPU card cannot be cracked by sniffing the air interface.
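The random-number exchange in points (1), (2) and (6) above, as an added simulation that is not part of the original article and not the code of any card product: a card object and a SAM object share a constructed demo key, the SAM issues a fresh random number, the card answers with its own random number and MAC1, the SAM checks MAC1 and replies with MAC2, and the card checks MAC2. HMAC-SHA256 truncated to 8 bytes stands in for the card's MAC algorithm (an assumption). The last function shows the defensive property the article relies on: a previously recorded (random, MAC1) pair is rejected in a new session because the SAM's random number has changed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed demo key. In a deployed system the KMS would derive a per-card
# key and the SAM would hold the master it is derived from; here both sides
# simply share this value. HMAC-SHA256 stands in for the card's MAC algorithm
# (an assumption, not the algorithm of any real card product).
DEMO_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_LEN = 8


def mac(key: bytes, *parts: bytes) -> bytes:
    """Authentication code over the concatenated parts, truncated to MAC_LEN."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class CpuCard:
    card_id: bytes
    key: bytes

    def respond(self, r_sam: bytes) -> tuple[bytes, bytes]:
        """Step 2: draw a fresh card random number and answer with MAC1."""
        r_card = os.urandom(8)
        mac1 = mac(self.key, b"MAC1", self.card_id, r_sam, r_card)
        self._session = (r_sam, r_card)
        return r_card, mac1

    def verify_terminal(self, mac2: bytes) -> bool:
        """Step 4: the card checks MAC2, so the terminal is authenticated too."""
        r_sam, r_card = self._session
        expected = mac(self.key, b"MAC2", self.card_id, r_card, r_sam)
        return hmac.compare_digest(expected, mac2)


@dataclass
class SamCard:
    key: bytes

    def challenge(self) -> bytes:
        """Step 1: the SAM's random number for this session."""
        self._r_sam = os.urandom(8)
        return self._r_sam

    def verify_card(self, card_id: bytes, r_card: bytes, mac1: bytes) -> bytes | None:
        """Step 3: check MAC1 (card authenticated) and, if it matches, issue MAC2."""
        expected = mac(self.key, b"MAC1", card_id, self._r_sam, r_card)
        if not hmac.compare_digest(expected, mac1):
            return None
        return mac(self.key, b"MAC2", card_id, r_card, self._r_sam)


def mutual_auth(card: CpuCard, sam: SamCard) -> dict:
    """Run one full session and report what each side concluded."""
    r_sam = sam.challenge()
    r_card, mac1 = card.respond(r_sam)
    mac2 = sam.verify_card(card.card_id, r_card, mac1)
    card_ok = mac2 is not None
    terminal_ok = card_ok and card.verify_terminal(mac2)
    return {
        "card_authenticated": card_ok,
        "terminal_authenticated": terminal_ok,
        "transcript": (r_sam, r_card, mac1, mac2),
    }


def recorded_response_accepted(sam: SamCard, card_id: bytes, transcript: tuple) -> bool:
    """Present a previously captured (r_card, MAC1) pair to a new session.

    Because the SAM draws a new random number, the old MAC1 no longer matches:
    this is why recording the air interface does not yield a usable credential.
    """
    _, r_card, mac1, _ = transcript
    sam.challenge()
    return sam.verify_card(card_id, r_card, mac1) is not None


if __name__ == "__main__":
    card = CpuCard(card_id=b"\x01\x02\x03\x04", key=DEMO_CARD_KEY)
    sam = SamCard(key=DEMO_CARD_KEY)
    first = mutual_auth(card, sam)
    second = mutual_auth(card, sam)
    print("card / terminal authenticated:", first["card_authenticated"], first["terminal_authenticated"])
    print("MAC1 differs between sessions:", first["transcript"][2] != second["transcript"][2])
    print("recorded transcript accepted:", recorded_response_accepted(sam, card.card_id, first["transcript"]))
```

Both random numbers enter both MACs, and the MAC1/MAC2 labels keep the two directions from being confused with each other; a card personalized with a different key fails at step 3 and never receives MAC2, which is the "pseudo-card" check the logic encryption card cannot perform.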

3. The contactless CPU card smart card can use a key versioning mechanism: different batches of user cards use different key versions that coexist in the system, so that expired keys are phased out in a natural transition and the keys used in the system are replaced gradually, preventing the security risk that comes from using the same keys for a long time.

The contactless CPU card smart card can also use a key indexing mechanism: an issued user card can support multiple indexed key sets at the same time. If the key currently in use is leaked or at risk, the system can urgently activate another indexed key set instead of recalling and replacing the cards in users' hands.
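The versioning and indexing mechanisms just described, as an added example that is not part of the original article and not any vendor's KMS code: a SAM-side key store is keyed by (key version, key index), each issued card carries its key version and one key per index written at personalization, and authentication is a random-number MAC check using the key the store selects. Retiring a version stops an old batch from authenticating; activating another index switches every card that already carries that index without reissuing it. All keys and card IDs are constructed, and HMAC-SHA256 stands in for the card's MAC algorithm (an assumption).

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

MAC_LEN = 8


def mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stands in for the card's MAC algorithm (assumption).
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class IssuedCard:
    """A user card carries its key version and one key per index it supports."""
    card_id: bytes
    key_version: int
    keys: dict[int, bytes]  # key index -> key written at personalization

    def answer(self, index: int, r_sam: bytes) -> bytes | None:
        key = self.keys.get(index)
        if key is None:
            return None
        return mac(key, self.card_id, bytes([index]), r_sam)


class SamKeyStore:
    """Assumed SAM/KMS-side key store indexed by (version, index)."""

    def __init__(self) -> None:
        self._keys: dict[tuple[int, int], bytes] = {}
        self._retired: set[int] = set()
        self.active_index = 1

    def add_key(self, version: int, index: int, key: bytes) -> None:
        self._keys[(version, index)] = key

    def retire_version(self, version: int) -> None:
        """Natural phase-out: cards of an old batch stop authenticating."""
        self._retired.add(version)

    def activate_index(self, index: int) -> None:
        """Emergency switch: cards already carrying this index keep working."""
        self.active_index = index

    def lookup(self, version: int) -> bytes | None:
        if version in self._retired:
            return None
        return self._keys.get((version, self.active_index))


def authenticate(card: IssuedCard, store: SamKeyStore) -> tuple[bool, str]:
    """Return (accepted, reason) for one authentication attempt."""
    key = store.lookup(card.key_version)
    if key is None:
        return False, "key version retired or no key for active index"
    r_sam = os.urandom(8)
    response = card.answer(store.active_index, r_sam)
    if response is None:
        return False, "card does not carry the active key index"
    expected = mac(key, card.card_id, bytes([store.active_index]), r_sam)
    if not hmac.compare_digest(expected, response):
        return False, "MAC mismatch"
    return True, f"accepted with key version {card.key_version}, index {store.active_index}"


def build_demo() -> tuple[SamKeyStore, IssuedCard, IssuedCard]:
    """Constructed keys: batch 1 cards hold version 1, batch 2 cards version 2 with two indexes."""
    k11, k21, k22 = (hashlib.sha256(b"demo-key-%d" % i).digest()[:16] for i in (11, 21, 22))
    store = SamKeyStore()
    store.add_key(1, 1, k11)
    store.add_key(2, 1, k21)
    store.add_key(2, 2, k22)
    batch1 = IssuedCard(card_id=b"\x00\x01", key_version=1, keys={1: k11})
    batch2 = IssuedCard(card_id=b"\x00\x02", key_version=2, keys={1: k21, 2: k22})
    return store, batch1, batch2


if __name__ == "__main__":
    store, batch1, batch2 = build_demo()
    print("both versions live:", authenticate(batch1, store), authenticate(batch2, store))
    store.retire_version(1)
    print("version 1 retired:", authenticate(batch1, store), authenticate(batch2, store))
    store.activate_index(2)  # the index-1 key is suspected leaked
    print("index 2 activated:", authenticate(batch2, store))
```

The key index is mixed into the MAC so that a response made with one index cannot be presented as a response for another, and the store consults the retired set before the active index so that a batch which still physically carries a valid key is refused once its version is phased out.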

In a contactless CPU card smart card system, the PSAM card is usually used to compute and verify the MAC codes that appear during a consumption transaction. Transaction information such as the transaction time, amount and type also enters the calculation, making the transaction safer and more reliable. In some cases the PSAM card can also be used to compute the MAC for secure-messaging updates and to verify the transaction TAC. The PSAM card in a contactless CPU card smart card system therefore supports a wider range of functions than in a contactless logic encryption card system, and is also more flexible, secure and complex. The PSAM card of a contactless CPU card smart card system also supports different key versions.

For the contactless CPU card smart card, personalization can usually be divided into two separate processes: card washing (initialization) and card personalization. The former creates the card's file structure; the latter updates the personalized data and injects the corresponding keys. During data updates and key injection, secure messaging is usually used to ensure the correctness and security of the data and key updates. Moreover, the order of key injection and the way keys protect one another embody the security design of the key system: for example, the card master key is usually used to protect the import of the application master key, and the application master key is usually used to protect the import of the other application keys, such as the consumption key.

4. Key implementation for the contactless CPU card terminal:

(1) Hard key: a SAM card holder is installed in the terminal, and all authentication is performed by the SAM card in the holder. When the terminal is sent for repair, the SAM card is simply removed from the holder and the terminal is then empty. For this reason, all bank devices use the SAM card authentication mode.

(2) Soft key: the terminal has no SAM card holder; the key operations are actually performed by the terminal itself, so the customer's key effectively lives in the terminal. When the manufacturer takes the terminal back for maintenance, this very easily leads to key loss.

In summary, the M1 card, i.e. the logic encryption card, uses a fixed password, whereas the contactless CPU card uses a dynamic, single-use password: for the same contactless CPU card smart card, the authentication password is different every time the card is swiped. This intelligent authentication method improves the security of the system. In particular, when the two parties complete a transaction, the acquirer might modify or falsify the transaction records for profit; to prevent the terminal from forging transaction records, the system requires the card to generate a transaction verification code from the transaction elements, which is used to verify the validity of the transaction during back-end clearing.

The contactless CPU card can generate a transaction verification code (TAC) at the end of the transaction to prevent counterfeit transactions. Since the logic encryption card has no computing capability, it cannot generate a verification code for the transaction. Therefore, from a security standpoint, upgrading from an IC logic encryption card to a CPU card is an inevitable choice.
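The transaction verification code described in the two paragraphs above, and the transaction elements (time, amount, type) that the PSAM section says enter the MAC calculation, as an added example that is not part of the original article and not the algorithm of any card standard: the card computes a TAC over a fixed-order serialization of the transaction elements, the terminal forwards the record together with the TAC, and the back end, which holds the TAC key through the KMS, recomputes it at clearing time. A record whose amount was altered after the card produced the TAC fails the check, and the card's transaction counter stops the same record being cleared twice. The key, the transaction record and the 4-byte HMAC-SHA256 TAC are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed TAC key shared by the card and the issuer's back end (via the KMS).
# HMAC-SHA256 truncated to 4 bytes stands in for the card's TAC algorithm (assumption).
DEMO_TAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAC_LEN = 4

# Transaction elements that enter the calculation, in a fixed order so that the
# card and the back end serialize the record identically.
FIELDS = ("card_id", "txn_counter", "amount_cents", "txn_type", "txn_time", "terminal_id")


def serialize(record: dict) -> bytes:
    return "|".join(f"{name}={record[name]}" for name in FIELDS).encode()


def card_generate_tac(tac_key: bytes, record: dict) -> bytes:
    """Computed inside the card at the end of the transaction."""
    return hmac.new(tac_key, serialize(record), hashlib.sha256).digest()[:TAC_LEN]


def backend_verify(tac_key: bytes, record: dict, tac: bytes, seen: set) -> tuple[bool, str]:
    """Clearing-time check: recompute the TAC from the record the acquirer submitted.

    Any change to a covered element (amount, type, time, ...) after the card
    produced the TAC makes the recomputation differ. The card's transaction
    counter additionally stops the same record from being cleared twice.
    """
    expected = hmac.new(tac_key, serialize(record), hashlib.sha256).digest()[:TAC_LEN]
    if not hmac.compare_digest(expected, tac):
        return False, "TAC mismatch: record altered after the card signed it"
    counter_id = (record["card_id"], record["txn_counter"])
    if counter_id in seen:
        return False, "duplicate transaction counter"
    seen.add(counter_id)
    return True, "accepted"


def demo() -> dict:
    """Constructed transaction: the genuine record, the same record with the amount
    raised tenfold, and the genuine record submitted a second time."""
    record = {
        "card_id": "3100000001",
        "txn_counter": 42,
        "amount_cents": 350,
        "txn_type": "CONSUME",
        "txn_time": "20240101T120000",
        "terminal_id": "T0001",
    }
    tac = card_generate_tac(DEMO_TAC_KEY, record)  # produced by the card
    seen: set = set()                              # back-end clearing state
    altered = dict(record, amount_cents=3500)       # changed by the terminal side
    return {
        "genuine": backend_verify(DEMO_TAC_KEY, record, tac, seen),
        "altered_amount": backend_verify(DEMO_TAC_KEY, altered, tac, seen),
        "resubmitted": backend_verify(DEMO_TAC_KEY, record, tac, seen),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The TAC is checked before the counter so that an altered record is reported as tampering rather than as a duplicate; a logic encryption card, having no computing capability, could produce neither the TAC nor the per-transaction counter, which is the point the article makes.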
