Smart Card

Published on June 2016
Smart Cards
Future Life………
Lt Col Santosh Khadsare FCT&S

The aim of my presentation is to give you a brief idea of smart card technology, one of the best steps in the advancement of science and technology, making our lives faster and easier.

Plastic Cards
• Visual identity application
  - Plain plastic card is enough
• Magnetic strip (e.g. credit cards)
  - Visual data also available in machine readable form
  - No security of data
• Electronic memory cards
  - Machine readable data
  - Some security (vendor specific)


What is a Smart Card?
A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, cash payments, and other applications, and then periodically refreshed for additional use.

What is a smart card?
The standard definition of a smart card, or integrated circuit card (ICC), is any pocket-sized card with embedded integrated circuits.

OR

A smart card is a plastic card with a small, built-in microcomputer chip and integrated circuit that can store and process a lot of data.

History
• 70's: Smart Card first patent in Germany and later in France and Japan.
• 80's: Mass usage in pay phones and debit cards.
• 90's: Smart Card based mobile chips and SIM cards.
• 2000's: Payment and ticketing applications (credit cards, mass transit (Smartrip)); healthcare and identification (insurance information, driver's license).

Dimensions of smart card
85.6 mm x 53.98 mm x 0.76 mm (defined by ISO 7816)

Why use smart cards?
• Can currently store up to 7000 times more data than a magnetic stripe card.
• Information that is stored on the card can be updated.
• Magnetic stripe cards are vulnerable to many types of fraud:
  - Lost/Stolen Cards
  - Skimming
  - Carding/Phishing
• Greatly enhances security by communicating with card readers using PKI algorithms.
• A single card can be used for multiple applications (cash, identification, building access, etc.)
• Smart cards provide a 3-fold approach to authentic identification:
  - PIN
  - Smartcard
  - Biometrics

Card Elements
[Figure: card face with labelled elements: Magnetic Stripe, Logo, Chip, Hologram, Embossing (Card Number / Name / Validity, etc.)]

Smart Cards devices
[Figure: smart card contacts labelled GND, VCC, VPP, Reset, I/O, Clock, Reserved]
Varun Arora | [email protected] | www.varunarora.in

What’s in a Card?
[Figure: contact pad with labels CLK, RST, Vcc, RFU, GND, RFU, Vpp, I/O]

Electrical signals description
VCC : Power supply input.
RST : Either used itself (reset signal supplied from the interface device) or in combination with an internal reset control circuit (optional use by the card).
CLK : Clocking or timing signal (optional use by the card).
GND : Ground (reference voltage).
VPP : Programming voltage input (deprecated / optional use by the card).
I/O : Input or output for serial data to the integrated circuit inside the card.
AUX1 (C4) : Auxiliary contact; USB devices: D+
AUX2 (C8) : Auxiliary contact; USB devices: D-
Fig : A smart card pin out

CARD STRUCTURE
Out of the eight contacts only six are used. Vcc is the supply voltage, Vss is the ground reference voltage against which the Vcc potential is measured, the Vpp connector is used for the high voltage signal, and the chip receives commands and interchanges data.

Typical Configurations
• 256 bytes to 4KB RAM.
• 8KB to 32KB ROM.
• 1KB to 32KB EEPROM.
• 8-bit to 16-bit CPU. 8051 based designs are common.

Smart Card Readers
• Computer based readers: connect through USB or COM (serial) ports.
• Dedicated terminals: usually with a small screen, keypad and printer; often also have biometric devices such as a thumb print scanner.

Terminal/PC Card Interaction
• The terminal/PC sends commands to the card (through the serial line).
• The card executes the command and sends back the reply.
• The terminal/PC cannot directly access the memory of the card, so data in the card is protected from unauthorized access. This is what makes the card smart.


Why Smart Cards?
• Security: Data and codes on the card are encrypted by the chip maker. The Smart Card's circuit chip is almost impossible to forge.
• Trust: Minimal human interaction.
• Portability.
• Less paperwork: eco-friendly.

Two Types of Chips
Memory chip
• Acts as a small floppy disk with optional security
• Are inexpensive
• Offer little security features

Microprocessor
• Can add, delete, and manipulate its memory.
• Acts as a miniature computer that includes an operating system, hard disk, and input/output ports.
• Provides more security and memory and can even download applications.

From 1 billion to 4 billion units in 10 years…
[Chart: Worldwide smart card shipments, in millions of units, 1999 to 2009, split into microprocessor cards and memory cards]

Smart Cards in everyday life…
[Figure labels: Loyalty, Transport, Ticketing, Payment, Health card, Smart Poster, Communication]

Contact Smart Cards
• Require insertion into a smart card reader with a direct connection
• This physical contact allows for transmission of commands, data, and card status to take place

Contactless Smart Cards
• Require only close proximity to a reader
• Both the reader and card have antennas through which the two communicate
• Ideal for applications that require very fast card interfaces

ISO 14443
• International standard.
• Deals only with contactless smart cards.
• Defines:
  a. Interface.
  b. Radio frequency interface.
  c. Electrical interface.
  d. Operating distance, etc.


Dual interface smart cards
• Also called Combi card.
• Has a single chip over it.
• Has both contact as well as contactless interfaces.
• We can use the same chip using either contact or contactless interface with a high level of security.

Hybrid smart card
• Two chips.
• One with contact interface.
• Other with contactless interface.
• No connection between the two chips.

Categories of Smart Cards
Based on the type of IC chip embedded on the Smart Card, they are categorized into three types:
• IC Micro Processor Cards
• IC Memory Cards
• Optical Memory Cards

Key Attributes
Security
to make the Digital Life safe and enjoyable

Ease of Use
to enable all of us to access to the Digital World

Privacy
to respect each individual’s freedom and intimacy

Biometric techniques
• Finger print identification.
  - Features of finger prints can be kept on the card (even verified on the card)
• Photograph/IRIS pattern etc.
  - Such information is to be verified by a person. The information can be stored in the card securely.


Communication mechanisms
• Communication between smart card and reader is standardized
  - ISO 7816 standard
• Commands are initiated by the terminal
  - Interpreted by the card OS
  - Card state is updated
  - Response is given by the card.
• Commands have the following structure
  CLA INS P1 P2 Lc 1..Lc Le
• Response from the card includes 1..Le bytes followed by Response Code

Security Mechanisms
• Password
  - Card holder's protection
• Cryptographic challenge Response
  - Entity authentication
• Biometric information
  - Person's identification
• A combination of one or more

Password Verification
• Terminal asks the user to provide a password.
• Password is sent to Card for verification.
• Scheme can be used to permit user authentication.
  - Not a person identification scheme

Cryptographic verification
• Terminal verifies card (INTERNAL AUTH)
  - Terminal sends a random number to card to be hashed or encrypted using a key.
  - Card provides the hash or ciphertext.
  - Terminal can know that the card is authentic.
• Card needs to verify (EXTERNAL AUTH)
  - Terminal asks for a challenge and sends the response to card to verify.
  - Card thus knows that terminal is authentic.
• Primarily for the “Entity Authentication”
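
The two challenge-response directions above, as an added example (not part of the original slides). It assumes a shared symmetric key and uses HMAC-SHA256 as a stand-in for whatever hash or cipher a real card applies; the `Card` and `Terminal` classes and all keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for the card's keyed hash or cipher (assumption: HMAC-SHA256).
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Card:
    def __init__(self, key: bytes):
        self._key = key
        self._challenge = None           # outstanding challenge, if any
        self.terminal_authenticated = False

    def internal_authenticate(self, challenge: bytes) -> bytes:
        """INTERNAL AUTH: the card answers the terminal's random number."""
        return mac(self._key, challenge)

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def external_authenticate(self, response: bytes) -> bool:
        """EXTERNAL AUTH: verify the terminal; a challenge is valid once."""
        challenge, self._challenge = self._challenge, None
        ok = challenge is not None and hmac.compare_digest(
            response, mac(self._key, challenge))
        self.terminal_authenticated = ok
        return ok


class Terminal:
    def __init__(self, key: bytes):
        self._key = key

    def verify_card(self, card: Card) -> bool:
        challenge = secrets.token_bytes(8)       # fresh random number per run
        return hmac.compare_digest(
            card.internal_authenticate(challenge), mac(self._key, challenge))

    def answer(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)


def demo() -> dict:
    key = secrets.token_bytes(16)                # constructed shared key
    card, terminal = Card(key), Terminal(key)
    rogue = Terminal(secrets.token_bytes(16))    # terminal without the key
    first = terminal.answer(card.get_challenge())
    return {
        "card_genuine": terminal.verify_card(card),
        "clone_rejected": not terminal.verify_card(Card(b"\x00" * 16)),
        "terminal_accepted": card.external_authenticate(first),
        "replay_rejected": not card.external_authenticate(first),
        "rogue_rejected": not card.external_authenticate(
            rogue.answer(card.get_challenge())),
    }


if __name__ == "__main__":
    print(demo())
```

The replay case fails because the card discards its challenge after one verification attempt; a fixed or reusable challenge would let a recorded response authenticate again.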


Data storage
• Data is stored in smart cards in E2PROM
• Card OS provides a file structure mechanism
[Figure: file tree with the MF at the root, containing DFs and EFs; DFs contain further DFs and EFs]

File types
• Binary file (unstructured)
• Fixed size record file
• Variable size record file

File Naming and Selection
• Each file has a 2 byte file ID and an optional 5-bit SFID (both unique within a DF). DFs may optionally have a (globally unique) 16 byte name.
• OS keeps track of a current DF and a current EF.
• Current DF or EF can be changed using the SELECT FILE command. Target file specified as either:
  - DF name
  - File ID
  - SFID (Short File Identifier, 1 byte)
  - Relative or absolute path (sequence of File IDs).
  - Parent DF

Basic File Related Commands
• Commands for file creation, deletion etc. File size and security attributes specified at creation time.
• Commands for reading, writing, appending records, updating etc.
  - Commands work on the current EF.
  - Execution only if security conditions are met.
• Each file has a life cycle status indicator (LCSI), one of: created, initialized, activated, deactivated, terminated.

Access control on the files
• Applications may specify the access controls
  - A password (PIN) on the MF selection
  - For example SIM password in mobiles
• Multiple passwords can be used and levels of security access may be given
• Applications may also use cryptographic authentication

How does it all work?
1. Card is inserted in the terminal.
2. Card gets power. OS boots up. Sends ATR (Answer to reset).
3. ATR negotiations take place to set up data transfer speeds, capability negotiations etc.
4. Terminal sends first command to select MF.
5. Card responds with an error (because MF selection is only on password presentation).
6. Terminal prompts the user to provide password.
7. Terminal sends password for verification.
8. Card verifies P2. Stores a status “P2 Verified”. Responds “OK”.
9. Terminal sends command to select MF again.
10. Card responds “OK”.
11. Terminal sends command to read EF1.
12. Card supplies personal data and responds “OK”.
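
The exchange above as an added example (not part of the original slides): a toy card whose OS keeps the "verified" status internally, refuses MF selection and EF reads until the password has been presented, and blocks the PIN after repeated wrong guesses. Response codes 0x9000 (OK), 0x6982 (security status not satisfied), 0x63Cx (x tries left) and 0x6983 (blocked) follow ISO 7816-4; the `ToyCard` class, PIN, retry limit and file contents are constructed.

```python
import hmac

OK, DENIED, BLOCKED = 0x9000, 0x6982, 0x6983    # ISO 7816-4 response codes


class ToyCard:
    """Card OS model: the terminal sees only response codes and returned data."""

    def __init__(self, pin: bytes, ef1: bytes, max_tries: int = 3):
        self._pin, self._ef1 = pin, ef1      # held inside the card only
        self._max_tries = self._tries_left = max_tries
        self._verified = False               # the slide's "P2 Verified" status
        self._mf_selected = False

    def select_mf(self) -> int:
        # MF selection succeeds only after password presentation.
        self._mf_selected = self._verified
        return OK if self._verified else DENIED

    def verify(self, pin: bytes) -> int:
        if self._tries_left == 0:
            return BLOCKED                   # PIN blocking: no more guesses
        if hmac.compare_digest(pin, self._pin):
            self._verified, self._tries_left = True, self._max_tries
            return OK
        self._tries_left -= 1
        self._verified = self._mf_selected = False
        return 0x63C0 | self._tries_left     # wrong PIN, low nibble = tries left

    def read_ef1(self):
        if not (self._verified and self._mf_selected):
            return b"", DENIED
        return self._ef1, OK


def run_session(card: ToyCard, pin: bytes):
    """Replay the terminal's steps; return (list of response codes, data read)."""
    statuses = [card.select_mf(), card.verify(pin), card.select_mf()]
    data, sw = card.read_ef1()
    return statuses + [sw], data


if __name__ == "__main__":
    good = ToyCard(b"1234", b"constructed personal data")   # constructed values
    print([hex(sw) for sw in run_session(good, b"1234")[0]])
    print([hex(sw) for sw in run_session(ToyCard(b"1234", b"x"), b"0000")[0]])
```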

So many Smart Cards with us at all times…..
• In our GSM phone (the SIM card)
• Inside our Wallets
  - Credit/Debit cards
  - HealthCare cards
  - Loyalty cards
• Our corporate badge
• Our Passport
• Our e-Banking OTP
• … and the list keeps growing

Our Industry Is Rapidly Changing
New solutions leveraging on mobile contactless services
[Figure labels: Interactive billboards, Transports, eTicketing, Retail]

Smart Card Applications
• Government programs
• Banking & Finance
• Mobile Communication
• Pay Phone Cards
• Transportation
• Electronic Tolls
• Passports
• Electronic Cash
• Retailer Loyalty Programs
• Information security

Banking and finance
• Electronic purse to replace coins for small purchases in vending machines.
• Credit and debit cards
• Securing payments across the internet

Smart card Pay phones
• Outside of the United States there is a widespread use of payphones
• The phone company does not have to collect coins
• The users do not have to have coins or remember long access numbers and PIN codes
• The risk of vandalism is very low since these payphones are smart card-based. “Generally, a phone is attacked if there is some money inside it, as in the case of coin-based payphone.”

Transportation
• Driver’s license
• Mass transit fare collection system
• Electronic toll collection system

It’s no longer only «Cards»
e-Passport: the first Smart Secure Device
45 million e-Passports in 2009

E Governance
• As the amount of business and holiday travel increases, security continues to be a top concern for governments worldwide.
• When fully implemented, smart passport solutions help to reduce fraud and forgery of travel documents.
• Enhanced security for travellers
• Philips launched such a project with the US in 2004.

Student id card


All-purpose student ID card (a/k/a campus card), containing a variety of applications such as electronic purse (for vending machines, laundry machines, library card, and meal card).

Threats in Using Smart Cards
• Failure rate
• Probability of breaking: keeping in wallets may damage the chip on the card.
• Malware attacks: active malware on systems may result in modifying the transactions.

OS Based Classification
Smart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being:
1. MultOS
2. JavaCard
3. Cyberflex
4. StarCOS
5. MFC
Smart Card Operating Systems, or SCOS as they are commonly called, are placed on the ROM and usually occupy less than 16 KB. SCOS handle:
• File Handling and Manipulation.
• Memory Management
• Data Transmission Protocols.

ADVANTAGES
• Proven to be more reliable than the magnetic stripe card.
• Can store up to thousands of times more information than the magnetic stripe card.
• Reduces tampering and counterfeiting through high security mechanisms such as advanced encryption and biometrics.
• Can be disposable or reusable.
• Performs multiple functions.
• Has wide range of applications (e.g., banking, transportation, healthcare...)
• Compatible with portable electronics (e.g., PCs, telephones...)
• Evolves rapidly applying semi-conductor technology

Disadvantages
Smart cards used for client-side identification and authentication are the most secure way for e.g. internet banking applications, but the security is never 100% sure. In the example of internet banking, if the PC is infected with any kind of malware, the security model is broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the internet banking application (e.g. browser). This would result in transactions being modified by the malware, unnoticed by the user. There is malware in the wild with this capability (e.g. Trojan.Silentbanker).

Remedies…
Banks like Fortis and Dexia in Belgium combine a smart card with an unconnected card reader to avoid this problem. The customer enters a challenge received from the bank's website, his PIN and the transaction amount into the card reader, and the card reader returns an 8-digit signature. This signature is manually copied to the PC and verified by the bank. This method prevents malware from changing the transaction amount.
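
The remedy above as an added example (not the banks' actual algorithm, which the page does not specify): the card key signs the challenge together with the amount typed on the reader's own keypad, so a signature made for one amount fails at the bank for any other. The construction (HMAC-SHA256 cut to 8 decimal digits), the `OfflineReader` and `Bank` classes, the key, PIN and amounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sign(card_key: bytes, challenge: str, amount_cents: int) -> str:
    # Assumed construction: HMAC over challenge and amount, cut to 8 digits.
    msg = f"{challenge}|{amount_cents}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


class OfflineReader:
    """Unconnected reader: its only input is what the user types on its keypad."""

    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin = card_key, pin

    def respond(self, challenge: str, pin: str, amount_cents: int):
        if not hmac.compare_digest(pin, self._pin):
            return None                          # card stays locked
        return sign(self._key, challenge, amount_cents)


class Bank:
    def __init__(self, card_key: bytes):
        self._key, self._pending = card_key, None

    def issue_challenge(self) -> str:
        self._pending = f"{secrets.randbelow(10**8):08d}"
        return self._pending

    def submit(self, amount_cents: int, signature: str) -> bool:
        challenge, self._pending = self._pending, None    # single use
        return challenge is not None and hmac.compare_digest(
            sign(self._key, challenge, amount_cents), signature)


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    reader, bank = OfflineReader(key, "4821"), Bank(key)
    sig = reader.respond(bank.issue_challenge(), "4821", 5_000)
    honest = bank.submit(5_000, sig)
    # Malware on the PC rewrites the amount but cannot recompute the signature.
    sig2 = reader.respond(bank.issue_challenge(), "4821", 5_000)
    tampered = bank.submit(950_000, sig2)
    replayed = bank.submit(5_000, sig2)          # challenge already consumed
    wrong_pin = reader.respond("12345678", "0000", 5_000)
    return {"honest": honest, "tampered": tampered,
            "replayed": replayed, "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())
```

The protection holds only for the fields the user types into the reader; anything the signature does not cover can still be altered on the infected PC.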

Future Aspects
• Soon it will be possible to access the data in Smart cards by the use of Biometrics.
• Smart card Readers can be built into future computers or peripherals which will enable the users to pay for goods purchased on the internet.
• In the near future, the multifunctional smart card will replace the traditional magnetic swipe card.
• Smart Card is not only a data store, but also a programmable, portable, tamper resistant memory storage.

The Smart card success story
[Chart: Microprocessor Smart Cards Shipments (millions of units), 2007 to 2009, by segment: Telecom (SIM), Banking - Retail, Identity & others]

By 2020 …
• 20 Billion Smart Secure Devices
• >4 Billion Mobile Appliances users
• >4 Billion e-ID documents in use

Conclusion:
• Smart Cards will evolve into a broader family of Devices
• More new shapes for new applications
• Our virtual « digital personal attributes »
• Embedded software and ultra-embedded nanotechnologies
• The only mistake to avoid for our Industry is to entertain an endless debate about fears.
• We will build the best solutions and the best value for people to enjoy many new services
• Political ownership and communication will be key to success
• Education … more Education
• Preparing people to use those Smart Secure Devices is as important as teaching them how to read and write

Security of Smart Cards
• Public Key Infrastructure (PKI) algorithms such as DES, 3DES, RSA and ECC.
• Key pair generation.
• Variable timing/clock fluctuation.
• 0.6 micron components.
• Data stored on the card is encrypted.
• PIN blocking.

Elliptic Curve Cryptography
• y² = x³ + ax + b
• Q(x,y) = kP(x,y)
• Uses point multiplication to compute and ECDLP to crack.
• Beneficial for portable devices.
• Cryptographic coprocessors can be added to speed up encryption and decryption.

CAIN
• Confidentiality is obtained by the encryption of the information on the card.
• Authenticity is gained by using the PKI algorithm and the two/three factor authentication.
• Integrity is maintained through error-checking and enhanced firmware.
• Repudiation is lower because each transaction is authenticated and recorded.

Common and Future Uses of Smart Cards
Current uses:
• Chicago Transit Card
• Speed Pass
• Amex Blue Card
• Phone Cards
• University ID cards
• Health-care cards
• Access to high level government facilities.
Future uses:
• Federally passed Real-ID Act of 2005.
• ePassports

Data Structure
• Data on Smart Cards is organized into a tree hierarchy.
• This has one master file (MF or root) which contains several elementary files (EF) and several dedicated files (DF).
• DFs and MF correspond to directories and EFs correspond to files, analogous to the hierarchy in any common OS for PCs.
• However, these two hierarchies differ in that DFs can also contain data.
• The headers of DFs, EFs and the MF contain security attributes resembling user rights associated with a file/directory in a common OS.
• Any application can traverse the file tree, but it can only move to a node if it has the appropriate rights.
• The PIN is also stored in an EF but only the card has access permission to this file.
