[0060] The present invention will be further explained below in conjunction with the drawings and embodiments:
[0061] Such as image 3 As shown, this trusted computing platform chip that can be applied to mobile communication devices combines the high security of TPM with short-distance transmission technology, and the addition of fingerprint technology enables the binding of devices and people, which greatly strengthens the SIM card safety. The focus of the present invention is to add a fingerprint processing engine module, a SCSI interface module supporting SIM card operation, and a short-distance transmission module on the common TPM chip. The fingerprint processing engine module, the SCSI interface module and the short-distance transmission module are all connected to the communication bus, and the chip is packaged in the form of a SIM card or TPM, and supports both contact and non-contact operations. The common short-distance transmission modules are RF, DI and NFC.
[0062] When used as a SIM card, the PIN package is like Figure 4 Shown: According to the ISO/IEC7816 standard, the SIM card usually has 8 contacts C1~C8, and the ordinary SIM card usually only uses 5 contacts of C1, C2, C3, C5, C7, which increases the short distance The card of the transmission module also needs to use the two contacts C4 and C8 as the antenna.
[0063] The pin definition is as follows:
[0064] Table 1 Mobile payment SIM card pin definition
[0065] Pin
[0066] Due to the addition of fingerprint operations, the requirements for memory and speed are higher, so this chip needs to run at a higher frequency, and there is a special fingerprint processing engine, and the RAM area is also enlarged to handle fingerprints.
[0067] According to unused applications, when the chip is used in electronic wallets or other small payments, it does not need to be authenticated; but when large payments such as transfers or remote payments are used, identity verification is required.
[0068] The method for authenticating a trusted computing platform chip applicable to mobile communication equipment according to the present invention has the following specific steps:
[0069] (1) Before making a mobile payment, the mobile phone generates a pair of public and private keys and the corresponding certificate issued by the CA. After the user has his own certificate, the subsequent mobile payment operation is performed. Every time the user logs in to the mobile payment service system Before, the user’s identity authentication is required;
[0070] (2) After the identity authentication is passed, the user uses the payment system to make mobile payments. Since it is a small payment, there is no need to verify fingerprints; when paying near the scene, it is the same as the existing mobile payment method. For remote payment, identity authentication is required; existing mobile payments do not support online banking operations. Based on the high security of TPM, this chip can be used for online banking operations on the Internet. Most of the current mobile phones support WAP2.0. Compared with WAP1.x, WAP2.0 enhances the end-to-end security and uses TLS (Transport Layer Security Protocol) for communication. TLS uses the PKI system for handshake and verification, so the requirements for security chips are higher. Must support RSA and HASH algorithms. The traditional SIM chip only supports symmetric algorithms and does not require high speed, which is completely consistent with the TPM chip.
[0071] (3). In the above PKI-based operations, fingerprints are required before each request. The fingerprint processing engine module realizes fingerprint feature entry and fingerprint comparison (the fingerprint entry process is as follows: Figure 5 As shown, the fingerprint matching process is as follows Image 6 (Shown), in the SCSI protocol, the operation instructions for fingerprints are added, and the password-based security system is upgraded to a security system that supports fingerprints. This SCSI command is independent of the existing SCSI command set, but adds support for fingerprint commands to the existing command set. Because the chip interface packaged into the SIM card is limited, fingerprints cannot be collected, so the fingerprint collection is in the main control chip After the acquisition is completed, the image is imported into the chip for comparison. Therefore, it is necessary to add two commands: import picture and search. The fingerprint-based verification method is as follows: the main control chip collects the fingerprint image and imports it into the SIM card chip to extract features and Search for comparison, follow up operations only after the comparison is passed (such as Figure 7 Shown).
[0072] With the addition of the PKI system, mobile payment providers need to support the CA certificate system. Before making a mobile payment, the mobile terminal needs to generate a pair of public and private keys and the corresponding certificate issued by the CA in order to perform subsequent mobile payment operations. The process of generating public and private keys and certificates on the mobile phone is as follows (e.g. Figure 8 Shown):
[0073] (1) The user sends an authentication request, and the request carries user information;
[0074] (2) The CA server authenticates the user's identity through the operator's BOSS system;
[0075] (3) After passing the authentication, return confirmation to the mobile phone;
[0076] (4) The key generation module on the mobile phone generates a pair of public and private key pairs (SK, PK);
[0077] (5) The mobile phone encrypts the generated public key PK and user information with the public key of the CA, and sends it to the CA server to request a certificate;
[0078] (6) After the CA server receives the request, it generates a user certificate and sends the generated certificate to the mobile phone. The certificate contains the signature of the CA server;
[0079] (7) After the mobile phone receives the certificate, it uses the public key of the CA server to verify the signature. If the verification passes, it means that the certificate has been successfully generated and save it.
[0080] After the user has his own certificate, he can make mobile payment. Before the user logs into the mobile payment service system each time, the user's identity authentication is required. The identity authentication process is as follows (such as Picture 9 Shown):
[0081] (1) The mobile phone sends an access request, and the request contains user information;
[0082] (2) The payment system generates a random number R, encrypts it with the user's public key ER=Enc(R, PK), and sends ER to the mobile phone;
[0083] (3) The mobile phone receives the encrypted random number ER, uses its private key SK to decrypt ER to obtain R, and encrypts the decrypted random number with the public key of the payment system DER=Enc(R, PK), Return to the payment system;
[0084] (4) After receiving the DER, the payment system decrypts it with its own private key, and verifies whether the random number R'is equal to R. If it is, the user's identity authentication is passed.
[0085] After passing the identity authentication, users can use the payment system to make mobile payments. The digital signature payment process is as follows (such as Picture 10 Shown):
[0086] (1) The user signs the purchase information instruction TxT with his own private key SK SignedTXT=Sign(TxT, SK), and sends it to the payment system, along with basic user information; such as user ID and mobile phone number Wait.
[0087] (2) The payment system finds the user's certificate based on the user's information, and verifies the validity period information of the certificate;
[0088] (3) The payment system then uses the public key PK in the user certificate to decrypt SignedTXT to verify whether the user's signature is correct;
[0089] (4) After the verification is passed, follow-up payment operations are performed.
[0090] In the mobile payment process, a secure channel needs to be established before the conversation. The establishment of a secure channel involves the encryption and decryption process in the public key system. The process is as follows (such as Picture 11 Shown):
[0091] (1) The server generates a random number R as the session key between the mobile phone and the server, and encrypts R with the user's public key PK ER=Enc(R, PK);
[0092] (2) The server uses R to encrypt the session content TXT that needs to be encrypted, CyberTXT=Enc(TXT, R);
[0093] (3) The server sends ER and CyberTXT to the mobile phone.
[0094] (4) After receiving the mobile phone, use the private key to decrypt the ER to obtain the session key R;
[0095] (5) The mobile phone uses R to decrypt CyberTXT to obtain TXT.
[0096] The above solution combines the PKI technology in TPM with SIM card technology and near-field communication technology to achieve the purpose of on-site mobile payment and remote mobile payment. At the same time, the addition of fingerprint technology enables the authentication-based method to achieve the goal of people and things. Unification has achieved real safety based on people.
[0097] Term explanation:
[0098] TPM: Trusted Platform Module (trusted platform module);
[0099] TCM: Trusted Cryptography Module (trusted cryptography module);
[0100] TCG: Trusted Computing Group (Trusted Computing Group);
[0101] DI: Double Interface (dual interface);
[0102] NFC: Near Field Communication (near field communication);
[0103] RF: Radio Frequency (radio frequency);
[0104] PKI: Public Key Infrastructure (public key infrastructure).
[0105] In addition to the above-mentioned embodiments, the present invention can also have other embodiments. All technical solutions formed by equivalent replacements or equivalent transformations fall within the protection scope of the present invention.
