Research and implementation of dynamic password terminal based on ARM7 smart card

Publisher: 电子设计探索者; Latest update time: 2012-11-30; Source: 维库开发网; Keywords: ARM7

1 Introduction

At present, there are three main ways to implement dynamic passwords: event-based, time-based, and challenge-code-based [1]. Existing dynamic password terminals mainly include scratch cards, tokens, smart cards combined with card readers, and SIM cards. A scratch card is a plastic or paper card. In addition to the card number, each card is printed with 30 to 45 one-time passwords. Each password carries a serial number so that the user can easily look up which one to use, and each is covered with a scratch-off film; the printed values are the dynamic passwords calculated by a virtual dynamic password device in the back end. Each time the user authenticates, he or she scratches off a new password as prompted by the system. A token is likewise a device that can generate and display dynamic passwords. Although these two methods are more secure than static passwords, they incur terminal costs, which vary with the terminal, and the number of uses is limited [2]. With a smart card combined with a card reader, the user must insert the smart card into the card reader at login so that a live fingerprint can be collected; if the fingerprint matches, the operation is allowed. This method is inflexible, because the user must carry a card reader for every login [3]. A SIM-card-based dynamic password is a password generated by a mobile terminal with the help of a telecommunications smart card (a USIM or PIM card) and calculated from an encryption algorithm and a dynamic parameter (such as time or an event) [4]. This solution can integrate the dynamic password into the SIM card. Although it overcomes the shortcomings of the first three terminals, it requires users to replace their original SIM cards. The hundreds of millions of SIM cards currently in use would have to be replaced with a new generation of STK cards carrying the dynamic password function, and promoting a large number of new application services requires heavy investment; users are also unwilling to pay extra to replace their cards with USIM or PIM cards whose dynamic password function is a single STK application or is not urgently needed, so this card-replacement model is difficult to promote [5].

In view of the defects of the above terminals, this paper uses the standard SIM card interface found on every mobile phone to extend the phone's STK function: it designs an ultra-thin ARM7 smart card chip that is attached to the phone's SIM card and uses the STK menu to carry out the dynamic password terminal operations. This solution provides a safe, convenient, unified and compatible hardware platform for mobile phone application software and allows the STK dynamic password function to be added to different mobile phones without obstacles. Users do not need to change their mobile phones or SIM cards, and they remain free to change phones and numbers at will. Once the smart card is attached directly to the SIM card and inserted into the phone's card slot, the dynamic password function in the STK menu can be used without affecting the phone's original services and functions. In addition, the PIN code protecting the dynamic password in the smart card can be replaced through over-the-air (OTA) download, and an open dynamic password application platform is built on the user's mobile phone. Hardware encryption inside the smart card addresses the security of user data in transit and meets the security requirements of dynamic password applications. This terminal implementation has a friendly human-machine interface, low investment cost, is easy to promote, and has broad application prospects.

2 ARM7 Smart Card Hardware Platform Design

The dynamic password hardware platform uses ARM's 32-bit ARM7 contact smart IC chip, which is mainly used for high-end GSM telecom cards, 3G SIM cards and JAVA cards. It has 256K bytes of built-in programmable ROM, 64K bytes of data ROM, and 8K bytes of static RAM. It integrates modules such as a timer, an interrupt controller, system control, a DES and RSA hardware encryption coprocessor, security detection control, and a hardware 7816 interface, which makes it suitable for extending the STK functions of a SIM card. The smart card hardware platform is connected electrically between the SIM card and the internal circuit of the mobile phone and has an overall thickness of less than 0.7 mm. Its length and width match those of the original SIM card, and it follows all SIM card interface standards. The original interaction between the mobile phone and the SIM card remains unchanged, and the smart card interacts with the mobile phone through the phone's SIM card slot, so that the phone's display and keypad become the human-machine interface for the smart card user. A card operating system (COS) is installed in the smart card. The COS supports three modules: general functions, extended functions, and over-the-air (OTA) download for SIM cards. The general functions implement the communication layer and command protocol stack of the ISO 7816 hardware interface and of GSM 11.11, which is the basis for communication among the smart card, the SIM card and the mobile phone; the extended functions implement the GSM 11.14 protocol stack, which is the basis for STK applications. OTA menu download relies on the STK function and the data short message channel, and a COS that supports OTA download gives users a workable human-machine interface for initiating a download request. In response to the user's request, the OTA application download server sends the corresponding service content to the user's mobile phone as data short messages, and the downloaded data is passed transparently to the ARM smart card chip. After two-way authentication, the COS parses the downloaded short message content, reassembles and stores the bytecode data stream of the STK menu, and carries out the corresponding STK menu management. To the mobile phone, the ARM7 smart card is equivalent to the SIM card and hides the software and hardware characteristics of its own microprocessor and related circuits; to the SIM card, the ARM7 smart card is equivalent to the mobile phone and likewise hides those characteristics. On this basis, the ARM7 smart card extends the STK function of the SIM card, and SIM cards of different specifications are integrated into one open STK application platform. The logical block diagram of the overall hardware structure and the ARM7 smart card hardware interface are shown in Figure (1) and Figure (2) respectively:


In the ARM7 smart card hardware interface, VDD, GND, RST, and CLK are connected to the corresponding interfaces of the mobile phone and SIM card respectively to keep the lines inside the mobile phone and SIM card connected. IO1 is connected to the IO port of the mobile phone, and IO2 is connected to the IO port of the SIM card. Through these two interfaces, the ARM7 smart card, mobile phone, and SIM card can communicate with each other.

3 Dynamic Password Implementation

3.1 Dynamic Password Implementation Process

The dynamic password authentication terminal based on the ARM7 smart card uses two-factor authentication. First, the dynamic password is protected by a PIN code: the user must enter the correct PIN code before a dynamic password is generated. The numeric PIN code is entered through the mobile phone's STK menu using the Get Input command. In addition to entering the correct PIN code, the card must also be synchronized with the counter of the authentication server for the user to obtain a valid password.

The dynamic password implementation process consists of service activation, data synchronization and password acquisition. Service activation has two main parts: key dispersion (key diversification) and data encryption. The smart card and the authentication server both store the same 10 groups of master keys in advance. When the service is activated, the smart card uses a randomly generated key index (KID) to select one of the groups (16 bytes) and applies the PBOC key dispersion algorithm to it to obtain the session key KC used for data encryption. The card number and a randomly generated password encryption key (deskey) are then encrypted under KC with the triple data encryption standard algorithm (3DES), and the result is sent to the authentication server together with the key index as a data short message. After receiving the data, the authentication server uses the key index to select the same master key, performs the same PBOC key dispersion on it to obtain the decryption key KC, uses KC to decrypt the smart card's ICCID and deskey, and at the same time clears the synchronization counter so that it is synchronized with the card. Data synchronization is mainly a safeguard: it is the operation of re-acquiring synchronization information when the smart card counter and the authentication server counter become abnormal.

The password acquisition process has three main parts. First, the card serial number (ICCID) and the counter (Counter) are encrypted with the deskey, which was randomly generated at activation and is held by both the smart card and the authentication server. Then the encrypted result is processed with SHA-1 to obtain a 20-byte hash value. Finally, the hash result is digitized. The implementation process is shown in Figure (3):


Digitization dynamically extracts 4 bytes from the 20 bytes (160 bits) of the hash result and converts those 4 bytes into an 8-digit decimal number.
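As an added example (not code from the original article), the following Python carries out the last two steps of password acquisition, SHA-1 followed by digitization, and the matching server-side comparison. The article does not say how the 4 bytes are chosen, so the offset rule here is an assumption borrowed from RFC 4226 dynamic truncation; the 3DES ciphertext is taken as an input, and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac

DIGITS = 8  # the article specifies an 8-digit decimal password


def digitize(digest: bytes, digits: int = DIGITS) -> str:
    """Reduce a 20-byte SHA-1 result to a fixed-width decimal code.

    ASSUMPTION: the offset rule is RFC 4226 dynamic truncation; the article
    only says that 4 bytes are extracted "dynamically".
    """
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    offset = digest[-1] & 0x0F            # low nibble of last byte: 0..15
    word = int.from_bytes(digest[offset:offset + 4], "big")
    word &= 0x7FFFFFFF                    # clear the top bit: no signed/unsigned ambiguity
    return str(word % 10 ** digits).zfill(digits)  # keep leading zeros


def dynamic_password(ciphertext: bytes) -> str:
    """SHA-1 then digitization.

    `ciphertext` is the 3DES encryption of ICCID and Counter under deskey,
    produced elsewhere (card coprocessor or server crypto library).
    """
    return digitize(hashlib.sha1(ciphertext).digest())


def verify(submitted: str, expected_ciphertext: bytes) -> bool:
    """Server-side check; compare_digest avoids leaking a timing signal."""
    expected = dynamic_password(expected_ciphertext)
    return hmac.compare_digest(submitted.encode(), expected.encode())


# Constructed sample: 16 bytes standing in for a real 3DES ciphertext.
SAMPLE_CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    code = dynamic_password(SAMPLE_CIPHERTEXT)
    print(code, verify(code, SAMPLE_CIPHERTEXT))
```

Because both sides must derive the same digits from the same 20 bytes, the zero-padding and the cleared top bit matter: without them a card and a server on different platforms could disagree on a valid password.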

3.2 Dynamic password STK menu implementation

The SIM Tool Kit (STK), a development tool for subscriber identity applications, is an interactive SIM card operating system derived from the original passive SIM card operating system. Its principle is to supply the mobile phone user interface (UI), through the phone's SIM card interface, with a byte stream that complies with the GSM 11.14 specification. The phone UI parses this byte stream into recognizable menu elements and builds an application menu consistent with the phone's own menu system. This application menu differs from the phone menu: after the user selects an item, the phone passes the selection directly to the ARM7 smart card rather than to the phone's operating system. The dynamic password is output to the phone screen through the STK menu. To implement the STK operation flow, the dynamic password encryption algorithm has to be packaged as byte code so that the calculation runs inside the smart card operating system, and the STK display command is then used to show the result on the mobile phone. During the STK menu design, the self-designed "Mobile STK Function Simulator" tool was used to simulate the dynamic password STK menu. The appearance of the dynamic password STK menu on the mobile phone is shown in Figure (4):


The dynamic password token function is implemented in the ARM7 smart card through the STK menu. The password is generated by the smart card and displayed on the mobile phone screen as an STK menu. The password is generated dynamically and changes with time or with the number of uses, which makes it unpredictable. Its life cycle is short and it is valid only once. This overcomes the weakness of static passwords, which are easily leaked when reused, effectively resists password theft and replay attacks, and offers a friendly menu interface. Since the user password update stage is completed on the mobile terminal, it can also prevent denial of service attacks and password guessing attacks.

4 Conclusion

This paper uses mobile terminal STK function extension technology and the ARM7 smart card hardware platform to implement the STK menu design of a dynamic password client. This removes the need to replace the user's SIM card, as dynamic password terminals based on USIM or PIM cards require, and avoids the high terminal cost of scratch cards and tokens. The hardware encryption algorithm inside the smart card and the friendly interface provided by the STK menu address the security and data encryption problems of dynamic password information exchange. The dynamic password terminal system designed and implemented in this paper will be applied and promoted on various network platforms and will be used in more and more commercial settings. It is estimated that within 5 years, the number of ARM7 smart cards with dynamic password functions used by mobile phone users of the entire project will reach more than 1 million, and the economic benefits will reach more than 15 million yuan.
