Figure Index
Figure 1: Examples of smart card
Figure 2: Smart card physical dimension
Figure 3: Inside a smart card
Figure 4: Connection diagram of smart card
Figure 5: architecture of smart card
Table Index
Table 1: Functional description
Table 2: sample Instruction Types
Table 3: Parts of various readers
Table 4: Some special features
History
The smart card is one of the latest additions to the world of information technology. Similar in
size to today’s plastic payment card, the smart card has a microprocessor or memory chip
embedded in it that, when coupled with a reader, has the processing power to serve many
different applications. As an access-control device, smart cards make personal and business
data available only to the appropriate users. Another application provides users with the ability
to make a purchase or exchange value. Smart cards provide data portability, security and
convenience.
In 1968, German inventor Jürgen Dethloff, along with Helmut Gröttrup, filed a patent
for using plastic as a carrier for microchips.
In 1970, Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card
concept.
In 1974, Roland Moreno of France filed the original patent for the IC card, later dubbed the
“smart card.”
In 1977, three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger, began
developing the IC card product.
In 1979, Motorola developed the first single-chip microcontroller for French banking.
In 1982, the world's first major IC card testing was done.
In 1992, a nationwide prepaid card project started in Denmark.
In 1999, the Federal Government began a Federal employee smart card identification
SMART CARD TECHNOLOGY
1. Introduction
Plastic ID cards are used extensively for identification and authentication purposes in various
applications such as driving licenses, bank ATM cards, credit cards and club membership cards, and
in various academic and commercial organizations as well. Some of these cards contain a
magnetic strip to make them machine readable. However, these cards are not secure enough and,
given the right kind of equipment, the information on these cards can be modified easily.
The smart card is the youngest and cleverest member of the family of identification cards. Its
characteristic feature is an integrated circuit embedded in the card, which has components for
the transmission, storage and processing of data. Smart cards offer many advantages compared
to magnetic-strip cards. One of the important advantages is that stored data can be protected
against unauthorized access and modification. Smart cards can be divided into two groups
according to the underlying technology. Cards in the first group use memory-based technology
and provide secure storage of data. Cards in the second group are microprocessor cards and
provide a standardized exchange of information to implement authentication, verification,
secure storage, encryption, decryption, etc. Cards in this category use an Operating System
interface.
Fig 1: Example of smart card
1.1 What is Smart Card?
A smart card is a device that includes an embedded secure integrated circuit, which can be either
a secure microcontroller or equivalent intelligence with internal memory, or a secure memory chip
alone. The card connects to a reader through physical contact or through a remote contactless radio
frequency interface. With an embedded microcontroller, smart cards have the unique ability to
secure large amounts of data, carry out their own on-card functions and interact intelligently
with a smart card reader. Smart cards conform to international standards (ISO/IEC 7810
and ISO/IEC 14443) and are available in a variety of form factors, including plastic cards, SIMs
used in GSM mobile phones, and USB-based tokens.
1.1.1 Memory vs. microprocessor
Smart cards come in two varieties: memory and microprocessor. Memory cards simply store
data and can be viewed as a small floppy disk with optional security. A microprocessor card, on
the other hand, can add, delete and manipulate information in its memory on the card. Similar
to a miniature computer, a microprocessor card has an input/output port, operating system and
hard disk with built-in security features.
1.1.2 Contact vs. contactless
Smart cards have two different types of interfaces: contact and contactless. Contact smart cards
are inserted into a smart card reader, making physical contact with the reader. However,
contactless smart cards have an antenna embedded inside the card that enables communication
with the reader without physical contact. A combi card combines the two features with a very
high level of security.
1.2 Why Smart Cards?
• High physical protection of the stored data, especially the private key.
• Flexible configuration of access conditions to use the private key for signature operations.
• Duplication of private keys can be prevented (this is not so with a soft PSE).
• Security evaluation according to ITSEC E4 high or CC EAL 4+ or even higher.
• Use of already available smart card infrastructures, e.g. future ECC (European Citizen Cards) or
eHealth cards.
1.3 Classification Of Cards
Embossed: Textual information or designs on the card can be transferred to paper.
Magnetic-Stripe: The advantage over embossing is a reduction in the flood of paper documents.
Smart Cards: Greater storage capability.
• Stored data can be protected against unauthorized access and tampering.
• Memory functions such as reading, writing, and erasing can be done.
• More reliable, with longer expected lifetimes.
Memory Cards: Less expensive and much less functional than microprocessor cards. They contain
EEPROM and ROM memory, as well as some address and security logic. Applications are prepaid
telephone cards and health insurance cards.
Microprocessor Cards: Components of this type of architecture include a CPU, RAM, ROM,
and EEPROM.
Cryptographic Coprocessor Cards: A cryptographic coprocessor reduces the time required
for various operations. The coprocessors include additional arithmetic units developed
specifically for large integer math and fast exponentiation.
• The drawback is the cost.
• Beneficial for security.
Contactless Smart Cards: Contacts are one of the most frequent failure points of any
electromechanical system due to dirt, wear, etc.
• Cards no longer need to be inserted into a reader, which could improve end user acceptance.
• No chip contacts are visible on the surface of the card.
Optical Memory Cards: These cards can carry many megabytes of data, but the cards can
only be written once and never erased with today’s technology.
1.4 OS Based Classification
Smart cards are also classified on the basis of their Operating System. There are many Smart
Card Operating Systems available in the market, the main ones being:
1. MultOS
2. JavaCard
3. Cyberflex
4. StarCOS
5. MFC
Smart Card Operating Systems, or SCOS as they are commonly called, are placed in the ROM
and usually occupy less than 16 KB. SCOS handle:
• File Handling and Manipulation.
• Memory Management
• Data Transmission Protocols.
1.5 Physical and Electrical Properties of a Smart Card
1.5.1 Physical Dimensions
The physical size of a smartcard is designated as ID-1.
The dimensions are 85.6 mm by 54 mm, with a corner radius of 3.18 mm and a thickness of
0.76 mm. Specifications address such things as UV radiation, X-ray radiation, the card’s surface
profile, mechanical robustness of card and contacts, electromagnetic susceptibility,
electromagnetic discharges, and temperature resistance.
Fig 2: Smartcard physical dimensions
1.5.2 Electrical Properties
The electrical specifications for smart cards are defined
in ISO/IEC 7816 and GSM 11.11. Most smart cards have eight contact fields on the front
face; however, two of these are reserved for future use.
ISO 7816 Design and use of identification cards having integrated circuits with contacts (1987)
This standard in its many parts is probably the most important specification for the lower layers of the
IC card. The first 3 parts in particular are well established and allow total physical and electrical
interoperability as well as defining the communication protocol between the IC card and the CAD (Card
Acceptor Device).
[Figure: smart card contact pads, labelled CLK, RFU, RST, Vcc, GND, RFU, Vpp, I/O]
Fig 3: Inside a Smart Card
Fig 4: Connection Diagram of Smart Card
Table 1: Functional description
Position   Technical Abbreviation   Function
C1         Vcc                      Supply Voltage
C2         RST                      Reset
C3         CLK                      Clock Frequency
C4         RFU                      Reserved for future use
C5         GND                      Ground
C6         RFU                      Reserved for future use
C7         I/O                      Serial input/output communications
C8         RFU                      Reserved for future use
The Vcc supply voltage is specified at 5 volts ± 10%. There is an industry push for smartcard standards to
support 3-volt technology because all mobile phone components are available in a 3-volt configuration, and
smartcards are the only remaining component that requires a mobile phone to have a charge converter.
2. Smart card CPU Architecture
A smart card is a plastic card that contains an embedded integrated circuit (IC). Examples: our
very own T-Card!, credit cards, cell phone SIM cards. They store and process information.
Smart cards can be used to add authentication and secure access to information systems that
require a high level of security.
The different elements of the smart card are:
CPU (Central Processing Unit): The heart of the chip.
Security logic: Detects abnormal conditions, e.g. low voltage.
Serial I/O interface: Used for contact with the outside world.
Test logic: Self-test procedures.
ROM: Holds the card operating system and self-test procedures; typically 16 kbytes, in future
32/64 kbytes.
RAM: The ‘scratch pad’ of the processor; typically 512 bytes, in future 1 kbyte.
EEPROM: Stores cryptographic keys, PIN code, biometric template, balance and application
code; typically 8 kbytes, in future 32 kbytes.
[Figure: block diagram with CPU, ROM, RAM, EEPROM, security logic, test logic and serial i/o
interface connected by the databus]
Fig 5: Architecture of smart card
2.1 Cryptographic Capabilities
Smart cards have sufficient cryptographic capabilities to support popular security applications
and protocols.
RSA signatures and verifications are supported with a choice of 512, 768, or 1024 bit key
lengths.
The Digital Signature Algorithm (DSA) is less widely implemented than RSA.
Smart cards support the ability to configure multiple PINs that can have different purposes.
Random number generation (RNG) varies among card vendors. Some implement a pseudo
RNG where each card has a unique seed. Some cards have a true, hardware based RNG using
some physical aspect of the silicon.
2.2 Data Transmissions
All communications to and from the smartcard are carried out over the C7 contact.
1. A card is inserted into a terminal; it is powered up by the terminal, executes a power-on-reset,
and sends an Answer to Reset (ATR) to the terminal.
2. The ATR is parsed, various parameters are extracted, and the terminal then submits the initial
instruction to the card.
3. The card generates a reply and sends it back to the terminal.
The client/server relationship continues in this manner until processing is completed and the
card is removed from the terminal.
There are several different protocols for exchanging information in the client/server
relationship. They are designated "T=" plus a number.
The two protocols most commonly seen are T=0 and T=1, T=0 being the most popular.
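The ATR handling of step 2, as an added example that is not part of the original report: a Python parser for the ATR byte layout of ISO/IEC 7816-3 that extracts the interface bytes, the offered T= protocols and the historical bytes, and verifies the TCK checksum when one is required. The three sample ATRs are constructed for illustration, not captured from real cards.

```python
"""Added example: ATR parser following the ISO/IEC 7816-3 byte layout."""

CONVENTIONS = {0x3B: "direct", 0x3F: "inverse"}

# Constructed sample ATRs (not captured from real cards).
SAMPLE_T0 = bytes.fromhex("3B12954142")        # TA1 only, no TD1: T=0 implied
SAMPLE_T1 = bytes.fromhex("3B8201414280")      # TD1 offers T=1, so TCK follows
SAMPLE_T0_T1 = bytes.fromhex("3B8180014848")   # TD1 offers T=0, TD2 offers T=1


class ATRError(ValueError):
    """The ATR is truncated, malformed, or fails its checksum."""


def parse_atr(atr: bytes) -> dict:
    if len(atr) < 2:
        raise ATRError("ATR needs at least TS and T0")
    ts, t0 = atr[0], atr[1]
    if ts not in CONVENTIONS:
        raise ATRError(f"unknown TS byte 0x{ts:02X}")

    hist_len = t0 & 0x0F      # K: number of historical bytes
    y = t0 >> 4               # Y1: which of TA1, TB1, TC1, TD1 follow
    pos, index = 2, 1
    interface, t_values = {}, []

    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ATRError(f"truncated before {name}{index}")
                interface[f"{name}{index}"] = atr[pos]
                if name == "TD":
                    td = atr[pos]
                pos += 1
        if td is None:
            break
        t_values.append(td & 0x0F)   # low nibble: protocol number T
        y = td >> 4                  # high nibble: next group of bytes
        index += 1

    # T=15 only introduces global interface bytes; no TD1 at all means T=0.
    protocols = sorted({t for t in t_values if t != 15}) or [0]

    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ATRError("truncated historical bytes")
    pos += hist_len

    # TCK exists only when something other than T=0 was indicated; it makes
    # the XOR of every byte from T0 through TCK equal to zero.
    has_tck = any(t != 0 for t in t_values)
    if has_tck:
        if pos >= len(atr):
            raise ATRError("TCK missing")
        check = 0
        for byte in atr[1:pos + 1]:
            check ^= byte
        if check:
            raise ATRError("TCK checksum mismatch")
        pos += 1
    if pos != len(atr):
        raise ATRError("trailing bytes after ATR")

    return {
        "convention": CONVENTIONS[ts],
        "protocols": protocols,
        "interface": interface,
        "historical": historical,
        "tck_checked": has_tck,
    }
```

A terminal that rejects an ATR with a bad TCK or trailing bytes, rather than guessing, avoids negotiating a protocol from corrupted parameters.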
2.3 Instruction Sets
More than 50 instructions and their corresponding execution parameters are defined. Typically, a smartcard
will implement only a subset of the possible instructions, specific to its application. This is due to memory or
cost limitations.
Instructions can be classified by function as follows:
Table 2: Sample instruction types
File selection
File reading and writing
File searching
File operations
Identification
Authentication
Cryptographic functions
File management
Instructions for electronic purses or credit cards
Operating system completion
Hardware testing
Special instructions for specific applications
Transmission protocol support
2.4 Data Storage
Data is stored in smart cards in E2PROM. Card OS provides a file structure mechanism.
File types may be in the form of Binary file (unstructured), Fixed size record file, Variable size
File structure
There are three categories of files,
Master file (MF)
Dedicated file (DF)
Elementary file (EF)
The Master file (MF) is a mandatory file for conformance with the standard and represents the root of
the file structure. It contains the file control information and allocable memory. Depending on the
particular implementation it may have dedicated files and/or elementary files as descendants.
[Figure: file structure tree with MF, DF and EF nodes]
A dedicated file (DF) has similar properties to the master file and may also have other dedicated files
and/or elementary files as descendants.
An elementary file (EF) is the bottom of any chain from the root MF file and may contain data as well as
file control information. An elementary file has no descendants. A number of elementary file types are
defined as follows:
• Working file
• Public file
• Application control file
2.5 Smart Card Readers Ports
All smartcard-enabled terminals, by definition, have the ability to read and write as long as the
smartcard supports it and the proper access conditions have been fulfilled.
Mechanically, readers have various options including: whether the user must insert/remove the
card versus automated insertion/ejection mechanism, sliding contacts versus landing contacts,
and provisions for displays and keystroke entry.
Table 3: Ports for various readers
Serial Port
  Advantages: Very common; robust, inexpensive. Cross platform support for
  Disadvantages: Many desktop computers have no free serial ports. Requires external power.
PCMCIA
  Advantages: Excellent for traveling users with laptop computers.
  Disadvantages: Can be slightly more expensive. Many desktop systems don't have PCMCIA.
PS/2 Keyboard
  Advantages: Easy to install with a wedge adapter. Supports protected PIN
  Disadvantages: Slower communication speeds.
Floppy
  Advantages: Very easy to install.
  Disadvantages: Requires a battery. Communications speed can be an issue.
USB
  Advantages: Very high data transfer speeds.
  Disadvantages: Not yet widely available. Shared bus could pose a security issue.
Built-in
  Advantages: No need for hardware or software installation.
  Disadvantages: Not yet widely available.
2.6 Overview current Smart Card Interfaces
3.1 Password Verification
Terminal asks the user to provide a password. The password is sent to the card for verification.
This scheme can be used to permit user authentication. It is not a person identification scheme.
3.2 Cryptographic verification
Terminal verifies card (INTERNAL AUTH)
Terminal sends a random number to the card to be hashed or encrypted using a key. The card provides
the hash or ciphertext. The terminal can then know that the card is authentic.
Card verifies terminal (EXTERNAL AUTH)
Terminal asks for a challenge and sends the response to the card to verify. The card thus knows that
the terminal is authentic. Primarily for “Entity Authentication”.
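The two exchanges of section 3.2, as an added example that is not part of the original report: a Python model of a card and a terminal that share a key and authenticate each other by challenge-response. HMAC-SHA-256 is an assumption standing in for the card's keyed hash or cipher, and the class names, direction labels and demo key are hypothetical.

```python
"""Added example: INTERNAL / EXTERNAL AUTH as a challenge-response exchange."""
import hashlib
import hmac
import secrets


def keyed_response(key: bytes, direction: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA-256 is an assumption standing in for the card's keyed hash or
    # cipher. The direction label keeps an answer produced for one command
    # from being accepted as the answer to the other.
    return hmac.new(key, direction + challenge, hashlib.sha256).digest()


class Card:
    def __init__(self, key: bytes):
        self._key = key
        self._challenge = None
        self.terminal_authenticated = False

    def internal_authenticate(self, challenge: bytes) -> bytes:
        """Card proves itself: answer the terminal's random number."""
        return keyed_response(self._key, b"INT", challenge)

    def get_challenge(self) -> bytes:
        """Card issues a fresh random number for EXTERNAL AUTH."""
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def external_authenticate(self, response: bytes) -> bool:
        """Card checks the terminal's answer; each challenge is single-use."""
        challenge, self._challenge = self._challenge, None
        self.terminal_authenticated = False
        if challenge is None:
            return False
        expected = keyed_response(self._key, b"EXT", challenge)
        self.terminal_authenticated = hmac.compare_digest(response, expected)
        return self.terminal_authenticated


class Terminal:
    def __init__(self, key: bytes):
        self._key = key

    def verify_card(self, card: Card) -> bool:
        challenge = secrets.token_bytes(8)
        answer = card.internal_authenticate(challenge)
        expected = keyed_response(self._key, b"INT", challenge)
        return hmac.compare_digest(answer, expected)

    def authenticate_to(self, card: Card) -> bool:
        challenge = card.get_challenge()
        response = keyed_response(self._key, b"EXT", challenge)
        return card.external_authenticate(response)


def mutual_authentication(terminal: Terminal, card: Card) -> bool:
    """Both directions must succeed before the session is trusted."""
    return terminal.verify_card(card) and terminal.authenticate_to(card)


DEMO_KEY = bytes(range(16))   # constructed shared key, for illustration only
```

Because the card clears its challenge after one use, a recorded response is rejected when presented a second time.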
3.3 Biometric Technique
Fingerprint identification: Features of fingerprints can be kept on the card (even verified on
the card). Photograph, iris pattern, etc.: such information is to be verified by a person. The
information can be stored in the card securely.
3.4 Working of Smart Card
1. Card is inserted in the terminal.
2. Card gets power. OS boots up. Card sends ATR (Answer to Reset).
3. ATR negotiations take place to set up data transfer speeds, capability negotiations etc.
4. Terminal sends first command to select MF.
5. Card responds with an error (because MF selection is only on password presentation).
6. Terminal prompts the user to provide password.
7. Terminal sends password for verification.
8. Card verifies P2. Stores a status “P2 Verified”. Responds “OK”.
9. Terminal sends command to select MF again.
10. Card responds “OK”.
11. Terminal sends command to read EF1.
3.5 Smart Cards For Data Security
There are two methods of using cards for data system security, host-based and card-based. The
safest systems employ both methodologies.
3.5.1 Host Based System Security
It treats a card as a simple data carrier. All protection of the data is done from the host
computer. The card data may be encrypted but the transmission to the host can be vulnerable to
attack. A common method of increasing the security is to write in the clear (not encrypted) a
key that usually contains a date and/or time along with a secret reference to a set of keys on the
host. Each time the card is re-written the host can write a reference to the keys. This way each
transmission is different.
3.5.2 Card Based System Security
These systems are typically microprocessor card-based. A card, or token-based system treats a
card as an active computing device. The Interaction between the host and the card can be a
series of steps to determine if the card is authorized to be used in the system. The access to
specific information in the card is controlled by A) the card’s internal Operating System and B)
the preset permissions set by the card issuer regarding the file conditions. There are
predominantly two types of card operating systems. The first type of card OS is the Classic
approach. The second is the Disk Drive approach.
3.6 The Smart Card Security Advantage
Some reasons why smartcards can enhance the security of modern day systems are:
• PKI is better than passwords
• Portability of keys and certificates
• Auto-disabling PINs versus dictionary attacks
• Counting the number of private key usages
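The command sequence of section 3.4 and the auto-disabling PIN listed above, as an added example that is not part of the original report: a Python model of the card side that refuses file selection until the password is verified and blocks the PIN after three wrong attempts. Instruction bytes and status words follow ISO/IEC 7816-4; the EF1 identifier, the three-try limit, the separate selection of EF1 before reading and the file contents are assumptions.

```python
"""Added example: card-side handling of the section 3.4 command sequence."""
import hmac

# Instruction bytes and status words as defined in ISO/IEC 7816-4.
INS_VERIFY, INS_SELECT, INS_READ_BINARY = 0x20, 0xA4, 0xB0
SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_SECURITY_NOT_SATISFIED = 0x6982
SW_AUTH_BLOCKED = 0x6983
SW_NO_CURRENT_EF = 0x6986
SW_FILE_NOT_FOUND = 0x6A82
SW_INS_NOT_SUPPORTED = 0x6D00

MF = 0x3F00    # master file identifier
EF1 = 0x0001   # hypothetical identifier for the page's "EF1"
DEMO_FILES = {EF1: b"balance=42"}   # constructed file contents


class SimCard:
    def __init__(self, pin: bytes, files: dict, max_tries: int = 3):
        self._pin, self._files = pin, files
        self._max_tries = self._tries_left = max_tries
        self._verified = False   # the "P2 Verified" status of the flow
        self._current = None     # currently selected file

    def transmit(self, command: bytes):
        """Handle one command APDU; return (response data, status word)."""
        if len(command) < 4:
            return b"", SW_WRONG_LENGTH
        ins = command[1]
        data = command[5:5 + command[4]] if len(command) > 5 else b""
        if ins == INS_VERIFY:
            return b"", self._verify(data)
        if ins == INS_SELECT:
            return b"", self._select(int.from_bytes(data, "big"))
        if ins == INS_READ_BINARY:
            return self._read()
        return b"", SW_INS_NOT_SUPPORTED

    def _verify(self, candidate: bytes) -> int:
        if self._tries_left == 0:
            return SW_AUTH_BLOCKED            # PIN disabled: no more guesses
        if hmac.compare_digest(candidate, self._pin):
            self._tries_left, self._verified = self._max_tries, True
            return SW_OK
        self._tries_left -= 1
        self._verified = False
        return 0x63C0 | self._tries_left      # 63Cx: x tries remain

    def _select(self, fid: int) -> int:
        if not self._verified:
            return SW_SECURITY_NOT_SATISFIED  # error before password is given
        if fid != MF and fid not in self._files:
            return SW_FILE_NOT_FOUND
        self._current = fid
        return SW_OK

    def _read(self):
        if not self._verified:
            return b"", SW_SECURITY_NOT_SATISFIED
        if self._current not in self._files:
            return b"", SW_NO_CURRENT_EF
        return self._files[self._current], SW_OK


def build_apdu(ins: int, data: bytes = b"") -> bytes:
    """Build CLA=00 INS P1=00 P2=00 Lc data."""
    return bytes([0x00, ins, 0x00, 0x00, len(data)]) + data


def run_session(card: SimCard, pin: bytes) -> list:
    """Terminal side of section 3.4; selecting EF1 before reading is assumed."""
    mf, ef1 = MF.to_bytes(2, "big"), EF1.to_bytes(2, "big")
    commands = [build_apdu(INS_SELECT, mf), build_apdu(INS_VERIFY, pin),
                build_apdu(INS_SELECT, mf), build_apdu(INS_SELECT, ef1),
                build_apdu(INS_READ_BINARY)]
    return [card.transmit(command) for command in commands]
```

The retry counter lives on the card, so a terminal cannot reset it by reconnecting; only a correct PIN presented before the counter reaches zero restores it.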
4. The Future : Internet Smart Card
The Internet smart card is one of the latest additions to the world of information technology.
Similar in size to today’s plastic payment card, the smart card has a microprocessor or memory
chip embedded in it that, when coupled with a reader, has the processing power to serve many
different applications. This card communicates using Internet protocols and has an IP
address. It is connected in the same way as a GSM SIM card.
4.1 What IP Connectivity Means
Future smart cards will act as network devices (server or client):
i. Implementation of a TCP/IP stack on the smart card.
ii. Support of network management/configuration.
iii. Availability of on-card services via application-level protocols (at least HTTP).
iv. Triggering of different applications via communication channels, allowing concurrent
program execution.
4.2 Security Challenges with IP Connectivity
i. A simple port scan cannot be misused to analyze the smart card and gain information about
active services and servers on the smart card.
ii. Typical attacks which use buffer overflows in a server to execute malicious code will be
impossible on smart cards.
iii. Unauthorized commands which manipulate input in HTML forms processed by a Common
Gateway Interface (CGI) on the smart card will be impossible.
iv. The network management necessary for organizing the IP connectivity of the smart cards
cannot be used for attacks, as is the case in other IT systems.
v. Authentication and encryption are mandatory for safe connections which are resistant against
known attacks (e.g., Man-In-The-Middle prevented from sniffing and spoofing).
vi. Standard security protocols such as SSL/TLS are used in a high-performance
implementation to ensure interoperability with other network devices.
vii. Vendors of smart card operating systems will assure that the wide variety of network attacks
(e.g., spoofing, sniffing, fragmentation attacks, session hijacking, D/DoS, etc.) cannot be
transferred to the future TCP/IP based smart card world.
5. Features of Smart Card
5.1 Advantages
In comparison to its predecessor, the magnetic strip card, smart cards have many advantages
including:
i. Life of a smart card is longer.
ii. A single smart card can house multiple applications. Just one card can be used as your
license, passport, credit card, ATM card, ID card, etc.
iii. Smart cards cannot be easily replicated and are, as a general rule, much more secure than
magnetic stripe cards.
iv. Data on a smart card can be protected against unauthorized viewing. As a result,
confidential data, PINs and passwords can be stored on a smart card. This means
merchants do not have to go online every time to authenticate a transaction.
v. Chip is tamper-resistant
- information stored on the card can be PIN code and/or read-write protected
- capable of performing encryption
- each smart card has its own, unique serial number
vi. Capable of processing, not just storing information
- smart cards can communicate with computing devices through a smart card reader
- information and applications on a card can be updated without having to issue new
cards
vii. A smart card carries more information than can be accommodated on a magnetic stripe
card. It can make a decision, as it has relatively powerful processing capabilities that
allow it to do more than a magnetic stripe card (e.g., data encryption).
5.2 Disadvantages
i. Can be lost/stolen
ii. Lack of user mobility – only possible if user has smart card reader everywhere he goes
iii. Working from PC – software based token will be better
iv. No benefits to using a token on multiple PCs to using a smart card
v. Still working on bugs
5.3 Special Features:
Table 4: Some special features
Hardware                                           Software
Closed package                                     decoupling applications and operating system
memory encapsulation                               application separation (Java card)
Fuses                                              restricted file access
Security logic (sensors)                           life cycle control
cryptographic coprocessors and random generator    various cryptographic algorithms and protocols
5.4 Applications
People worldwide are now using smart cards for a wide variety of daily tasks. These include:
1. Loyalty And Stored Value: Stored value is more convenient and safer than cash.
2. Security Information And Physical Assets: Smart cards achieve great physical security,
because the card restricts access to all but the authorized user(s).
E-mail and PCs are being locked down with smart cards.
3. E-Commerce: Smart cards make it easy for consumers to securely store information and
cash for purchasing.
4. Personal Finance: This will improve customer service by making 24-hour electronic funds
transfers available over the Internet.
Costs are reduced as transactions can be managed electronically, saving time and paperwork.
5. Health Care: Smart cards provide secure storage and distribution of everything from
emergency data to benefits status.
6. Telecommuting And Corporate Network Security: Users can be authenticated and
authorized to have access to specific information based on preset privileges.
7. Campus Badging And Access: Identity cards of employees and students can be enhanced to
incorporate identity with access privileges and store value for cafeterias and stores.
8. Retail: Sale of goods using Electronic Purses, Credit / Debit,
Vending machines, Loyalty programs, Tags & smart labels
9. Entertainment: Pay-TV & Public event access control & Car Protection
10. Government: Identification, Passport & Driving license & Copiers
5.6 Smart Card Examples
5.6.1 Travel Card Example
An example of the services that might be included on a multi-function travel card:
Services that are permanently installed in the card by the card issuer might include:
Electronic ticketing, Air miles, Cash replacement
Services that might be added for a particular trip include: Hotel coupons & Car vouchers
5.6.2 Student Card Example
An example of the services that might be included on a Student card:
Services that are permanently installed in the card by the card issuer might include:
School computer access, Vending machines, Phone, & Library
Services that might be added on later include: E-mail security & Carpool roster.
Conclusion
Smart cards have proven to be useful for transaction, authorization, and identification media.
They will soon replace all of the things we carry around in our wallets, including credit cards,
licenses, cash, and even family photographs.
Smart cards could be used to voluntarily identify attributes of ourselves no matter where we are
or to which computer network we are attached.
Smart card technology is emerging, applications are everywhere.
Smart cards enhance service and security.
Perfect security does not exist, not even for smart cards.
Risk analysis is essential.