To make cryptographic services easier to provide on Windows, Microsoft proposed the CSP/CryptoAPI development model, which offers a set of programming interfaces for encryption, decryption, and signature verification. By calling these interfaces, an application can provide users with strong encryption and decryption services implemented in software or in hardware (a smart card). In recent years the smart card has become a mainstream security medium because of its compact size, ease of use, and high security. A smart card-based CSP can take full advantage of the smart card's plug-and-play and bus-powered features, making the security device portable and flexible, so that signing, encryption, and authentication can easily be performed in many settings. However, every smart card manufacturer needs to develop a CSP for its own smart card. A convenient CSP solution that integrates smart cards from multiple vendors would greatly improve development efficiency, save development costs, and have high application value and very good market prospects.
1 Introduction to CSP
1.1 About Microsoft CryptoAPI and CSP
To provide basic information security services such as encryption/decryption, signature/authentication, and random number generation, several standardization organizations and large vendors in the industry have each proposed their own set of APIs. Currently, the international standards and specifications for encryption APIs are Intel CDSA, RSA PKCS#11, and Microsoft CryptoAPI. Among them, Microsoft CryptoAPI is the encryption API recommended by PKI [1]. It provides developers with a complete set of encryption, decryption, and signature verification interfaces in the Win32 environment, and the CSP (Cryptographic Service Provider) is the basic module that actually implements these encryption, decryption, and signature verification operations.
As shown in Figure 1, the application uses the security services by calling the interface provided by CryptoAPI. The operating system selects the appropriate SPI according to the upper-layer API call, and the corresponding CSP receives the upper-layer call through the unified interface (SPI). The specific parameters of the API function are provided by the corresponding CSP. Physically, a CSP is a DLL and a signature file. The DLL includes 24 basic functions, in four groups: encryption device provider functions, key generation and exchange functions, data encryption/decryption functions, and hash and digital signature functions. These functions can be implemented in software or in hardware, using a smart card with a USB or SD interface. This paper proposes a CSP design based on USB and SD interface smart cards. Through the CSP, the application can create public/private key files and symmetric key files in the card, and can perform encryption, decryption, and signature/authentication. Because the smart card can assign different keys to control the access rights to different files, secure storage of the key files is ensured at the hardware level.
1.2 About smart cards
The smart card used here is also called a CPU card. It contains a central processing unit (CPU), EEPROM, RAM, and ROM, with a COS (Chip Operating System) burned into the ROM. The most common interfaces for external communication are the USB interface, used with PCs, and the SD interface, used with handheld devices. At present, the most widely used smart card standard in the industry is ISO7816, and the major smart card manufacturers produce their smart cards and COS according to this standard. The smart card communicates with the outside world by executing each incoming command internally and returning the result. The smart card we use can internally generate and store an RSA public/private key pair and perform RSA encryption and decryption operations.
The smart card contains a file system. According to ISO7816-4, two types of files are supported in the smart card: the DF (Dedicated File) and the EF (Elementary File). A DF is similar to a directory in DOS and can contain DFs and EFs. An EF is similar to a data file in DOS: it is the file that actually stores data, and the public/private key files and symmetric key files are all EFs. Every smart card file system has a root file, the MF (Master File), and all DFs and EFs are stored under it. There are two types of EF: binary EFs and record EFs. A binary EF is an unstructured file, while a record EF is accessed record by record; the length of each record can be specified when the file is created. The COS written by each smart card manufacturer supports ISO7816 differently. For example, some vendors do not support record files, and the implementations of file access rights differ widely. This forces each manufacturer to develop a CSP for its own smart cards, which neither saves development cost nor improves development efficiency. The CSP architecture proposed in this paper can easily integrate smart cards with different COS versions from different vendors, which solves this problem.
1.3 CSP based on USB and SD interface smart cards
At present, smart cards mainly use a USB interface or an SD interface. The former is mainly used on PCs, and the supported operating systems are mostly the various PC versions of Windows (Windows 98/2000/XP). The latter is mainly used on handheld devices such as smartphones and PDAs, which can run the Windows CE operating system. The CSPs described in this article are developed primarily on these two operating systems. A USB interface smart card can be operated directly by the CSP on the PC (based on Windows 98/2000/XP). For an SD interface smart card there are two modes of operation. One is to develop the CSP on the handheld device (based on Windows CE). The other is for the CSP on the PC to communicate at a low level with the handheld device connected to the PC: the CSP sends commands through the PC to the smart card in the handheld device, and in this case the handheld device acts as a card reader.
2 Architecture and module design based on USB and SD interface smart cards
2.1 The logical structure of the CSP
Our CSP design consists mainly of three parts: the logical structure of the CSP, the file organization structure in the smart card, and the basic command flow module of the CSP. The basic operations of a CSP are key operations, where the keys are primarily session keys for symmetric encryption and public/private keys for exchange and signature. The key operations mainly include generating a key, destroying a key, importing and exporting a key, encrypting and decrypting with a symmetric key, and verifying a signature with a public/private key pair.
The logical structure of the CSP is shown in Figure 2. Keys are supplied by a key provider (Key Provider), of which there are two kinds: the session key provider (Session Key Provider) and the public/private key provider (RSA Key Provider). A key provider is responsible for generating specific keys, setting key parameters, and implementing key operations. The RSA key provider drives the smart card to generate the RSA public/private key pair and saves it in the corresponding key file (EF) in the card. The smart card also provides operations such as signature, verification, and random number generation. The provider builds the corresponding command in memory according to the ISO7816-4 protocol and sends it to the smart card for execution. For the session key, the CSP provides a software implementation that operates in memory.
The Key Container controls the key providers, and each key container serves one particular application. For a new application, the CSP creates a new key container, sets the required parameters, generates the specific keys by controlling the key provider, and then operates on them. To the user, the key containers are transparent; they are independent and do not interfere with one another, and they are all used through the same CSP. Creating a key container involves creating a directory file (DF) on the smart card, in which the key files (EFs) for that container are placed. The CSP Manager acts as the global administrator; it is globally unique and is responsible for establishing and managing the various CSP contexts. The CSP administrator is also responsible for initializing the CSP management environment, including initializing the smart card and setting up the smart card administrator key file. Each user has a specific CSP application environment, and the CSP Context represents that environment: all of a user's applications run within a CSP context. The CSP application environment mainly includes the type of key container established by the user, the type of key provider, and the specific location of the key container. The CSP context creates the CSP application home directory file for each user in the smart card, saves the user key file, and creates and manages a key container for each application.
2.2 File System Structure in Smart Card
The smart card must hold a file system structure that supports the CSP logical structure proposed above. The operations of the CSP administrator, CSP context, key container, and key provider all involve corresponding file operations on the smart card, so a specific file structure is established in the card for key management and operation. The CSP smart card file system structure we designed is shown in Figure 3. The CSP administrator initializes the card, establishes the root directory (MF), and creates an administrator key file in the root directory; only users with a legitimate key can have administrator rights. The administrator then establishes a CSP context for each user, that is, creates a directory file (DF) for each CSP context under the root directory, with different directory files corresponding to different CSP contexts. Finally, it creates a record-type EF file in the root directory. Each record corresponds to one context and records the directory ID and the CSP context name. Within its own directory file, the CSP context creates a user key file, the key container directory files, and a record EF file that records key container information. Each key container corresponds to one directory file. In its directory file, the key container establishes its own key files, including the session key file and the public/private key files. The key container directories are independent and do not affect one another.
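The index lookup this layout implies, as an added example in C (not code from the original article): a context name is resolved to its DF in the root record EF, then a container name to its DF in the context's record EF. The record layout (2-byte DF identifier followed by a 14-byte NUL-padded name), the FFFF erased-slot marker, and the sample identifiers and names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_LEN  16                /* assumed record: 2-byte DF identifier + name */
#define NAME_LEN (REC_LEN - 2)     /* name is NUL-padded to 14 bytes (assumed) */

/* Look a name up in a record EF image; returns the DF identifier, or 0. */
uint16_t index_lookup(const uint8_t *ef, size_t ef_len, const char *name) {
    size_t want = strlen(name);
    if (want == 0 || want > NAME_LEN) return 0;
    for (size_t off = 0; off + REC_LEN <= ef_len; off += REC_LEN) {
        const uint8_t *rec = ef + off;           /* a short tail is never read */
        uint16_t fid = (uint16_t)((rec[0] << 8) | rec[1]);
        if (fid == 0xFFFF || fid == 0x3F00) continue; /* erased slot / points at MF */
        /* The field is padded, not terminated: bounded compare, then padding. */
        if (memcmp(rec + 2, name, want) != 0) continue;
        if (want < NAME_LEN && rec[2 + want] != 0) continue; /* prefix match only */
        return fid;
    }
    return 0;
}

/* MF -> context DF -> key container DF: the identifiers to SELECT, in order. */
int resolve_container(const uint8_t *root_idx, size_t root_len,
                      const uint8_t *ctx_idx, size_t ctx_len,
                      const char *context, const char *container, uint16_t path[3]) {
    path[0] = 0x3F00;
    path[1] = index_lookup(root_idx, root_len, context);
    path[2] = path[1] ? index_lookup(ctx_idx, ctx_len, container) : 0;
    return path[2] ? 0 : -1;
}

/* Constructed images of the root index EF and one context's container index EF. */
const uint8_t ROOT_INDEX[2 * REC_LEN] = {
    0x50, 0x01, 'a','l','i','c','e', 0,0,0,0,0,0,0,0,0,
    0x50, 0x02, 'a','l','i','c','e','2', 0,0,0,0,0,0,0,0 };
const uint8_t ALICE_INDEX[2 * REC_LEN] = {
    0xFF, 0xFF, 'm','a','i','l', 0,0,0,0,0,0,0,0,0,0,
    0x60, 0x02, 'm','a','i','l', 0,0,0,0,0,0,0,0,0,0 };

int main(void) {
    uint16_t p[3];
    int rc = resolve_container(ROOT_INDEX, sizeof ROOT_INDEX, ALICE_INDEX,
                               sizeof ALICE_INDEX, "alice", "mail", p);
    printf("rc=%d path=%04X/%04X/%04X\n", rc, (unsigned)p[0], (unsigned)p[1], (unsigned)p[2]);
    return 0;
}
```

Record contents come from the card, so the lookup never trusts a terminator inside the name field and never reads past the last complete record.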
2.3 Command Flow in CSP
The two major parts of the CSP design are the CSP logical structure and the CSP command stream. The CSP command stream is how the CSP logic modules (CSP Manager, CSP Context, CSP Container, Key Provider) operate the card: a command is built in memory according to the command format in ISO7816-4 and sent to the smart card, which executes the command and returns the result. The modules that operate the smart card in the CSP are a command building module, a command transmission module, and a command parsing module. When an upper-layer CSP logic module operates on the smart card, the command building module constructs the command to be executed, the command transmission module calls the card's driver to send the command to the smart card for execution, the result is returned through the command transmission module after execution, and the command parsing module then parses the result.
The biggest benefit of this design is the separation of decision making from execution. The logic module decides which commands to execute, and the command stream module constructs and transmits them. The command stream module can be designed and implemented separately for smart cards from different vendors. For example, depending on how each smart card manufacturer's COS supports ISO7816-4, different command building modules and command parsing modules are integrated into one CSP. The logic module is only responsible for deciding which commands to execute; the construction, transmission, and parsing of specific commands are transparent to it. In this way, a manufacturer's smart card device can be integrated easily by adding a command stream module, without changing the upper-layer logic modules. At the same time, because the command transmission module is separated from the smart card driver, the command transmission module can call different drivers to send commands to smart cards with different interfaces, so the CSP can support USB and SD interface smart cards on different platforms, on different terminals, and from different vendors.
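The split described above, sketched in C as an added example (not code from the original article): the logic module calls csp_select_file, a per-vendor profile builds and parses the ISO7816-4 command, and a transmit function stands in for the USB or SD driver. All type and function names and the mock card are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { CARD_OK = 0, CARD_NOT_FOUND = -1, CARD_DENIED = -2, CARD_ERROR = -3 };

/* Vendor-specific half of the command stream: command building and parsing. */
typedef struct {
    size_t (*build_select)(uint16_t fid, uint8_t *out, size_t cap);
    int    (*parse)(const uint8_t *rsp, size_t len, size_t *data_len);
} card_profile;
/* Command transmission module: hides the USB or SD driver behind one call. */
typedef size_t (*transmit_fn)(const uint8_t *cmd, size_t n, uint8_t *rsp, size_t cap);

/* ISO 7816-4 SELECT by file identifier: 00 A4 00 00 02 <FID hi> <FID lo>. */
static size_t iso_build_select(uint16_t fid, uint8_t *out, size_t cap) {
    const uint8_t apdu[7] = { 0x00, 0xA4, 0x00, 0x00, 0x02, (uint8_t)(fid >> 8), (uint8_t)fid };
    if (cap < sizeof apdu) return 0;
    memcpy(out, apdu, sizeof apdu);
    return sizeof apdu;
}
/* A response is data followed by SW1 SW2; map the status word to a result. */
static int iso_parse(const uint8_t *rsp, size_t len, size_t *data_len) {
    if (len < 2) return CARD_ERROR;             /* truncated: no status word */
    *data_len = len - 2;
    unsigned sw = ((unsigned)rsp[len - 2] << 8) | rsp[len - 1];
    if (sw == 0x9000) return CARD_OK;
    if (sw == 0x6A82) return CARD_NOT_FOUND;    /* file not found */
    if (sw == 0x6982) return CARD_DENIED;       /* security status not satisfied */
    return CARD_ERROR;
}
static const card_profile ISO_PROFILE = { iso_build_select, iso_parse };

/* Logic-module entry point: decides what to do, never how it is encoded. */
int csp_select_file(const card_profile *p, transmit_fn tx, uint16_t fid) {
    uint8_t cmd[16], rsp[258];
    size_t data_len = 0, n = p->build_select(fid, cmd, sizeof cmd);
    size_t r = n ? tx(cmd, n, rsp, sizeof rsp) : 0;   /* nothing built: send nothing */
    return r > sizeof rsp ? CARD_ERROR : p->parse(rsp, r, &data_len);
}
/* Constructed stand-in for a card that contains only the MF (3F00). */
size_t mock_transmit(const uint8_t *cmd, size_t n, uint8_t *rsp, size_t cap) {
    int is_mf = n == 7 && cmd[1] == 0xA4 && cmd[5] == 0x3F && cmd[6] == 0x00;
    if (cap < 2) return 0;
    rsp[0] = is_mf ? 0x90 : 0x6A; rsp[1] = is_mf ? 0x00 : 0x82;
    return 2;
}
int main(void) {
    printf("MF: %d, 5001: %d\n", csp_select_file(&ISO_PROFILE, mock_transmit, 0x3F00),
           csp_select_file(&ISO_PROFILE, mock_transmit, 0x5001));
    return 0;
}
```

Supporting another vendor's COS means supplying another card_profile, and supporting another interface means supplying another transmit_fn; csp_select_file does not change.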
3 Conclusion
Developing a CSP that can integrate smart cards from different vendors not only saves development costs and improves development efficiency, but also supports SD-based smart cards, which can be used in handheld devices such as mobile phones and Pocket PCs. This enables powerful and flexible applications in industries and sectors such as personal finance, securities, and insurance, with broad application prospects.