Smart Card
Content
Smart card technology INTRODUCTION
Smart cards are similar in size and shape to the familiar magnetic stripe cards used for credit and debit transactions, but smart cards contain an embedded integrated circuit(chip) that interfaces with terminals (which activate the chip’s power).The chip contains microprocessor and storage or memory. The memory contains a chip operating system (COS) for the microprocessor, communications software, and can contain encryption algorithms, applications software and data. When used with the appropriate applications, smart cards can provide enhanced security and the ability to record, store and update data. When implemented properly they can provide interoperability across services, and allow multiple application or uses, via one card Applications can access data directly form the chip, and smart cards can contain Portable, personal and secure databases. Applications using smart cards as a data Storage medium can save time and expense since access to a central database each time a transaction occurs is not necessary. Smart cards can not replace central records storage, such as a medical records file or bank account. Rather, they can be viewed as” keys” to different databases and can contain an extract of critical data contained in those databases. Unlike magnetic stripe cards – which carry limited information, can be easily duplicated, and are limited to use as a key to on-line functions – smart cards can provide diverse off-line and on-line functionality and read-write capability.
DEPT OF E&C NHCE
1
Smart card technology HISTORY 1968
German inventor Jorgen Dethloff along with Helmet Grotrupp filed a patent for using plastic as a carrier for microchips.
1970
Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card concept
1974
Roland Moreno of France files the original patent for the IC card, later dubbed the “smart card.”
1977
Three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger began developing the IC card product.
1979
Motorola developed first single chip Microcontroller for French Banking
1982
World's first major IC card testing
1992
Nationwide prepaid card project started in Denmark
1999
Federal Government began Federal employee smart card identification
DEPT OF E&C NHCE
2
Smart card technology
INSIGHT Types of Chip Cards
Smart cards are defined according to the type of chip implanted in the card and its capabilities. There is a wide range of options to choose from when designing your system
DEPT OF E&C NHCE
3
Smart card technology
Increased levels of processing power, flexibility and memory add cost. Single function cards are often the most cost-effective solution. Choose the right type of smart card for your application by evaluating cost versus functionality and determine your required level of security. The following chart demonstrates the general rules of thumb.
Memory Cards
Memory cards have no sophisticated processing power and cannot manage files dynamically. All memories communicate to readers through synchronous protocols. There are three primary types’ memory cards:
DEPT OF E&C NHCE
4
Smart card technology
Straight Memory Cards
These cards just store data and have no data processing capabilities. These cards are the lowest cost per bit for user memory. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader.
Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards these devices can be set to write protect some or the entire memory array. Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality
Stored Value Memory Cards
These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set-up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable cards.
DEPT OF E&C NHCE
5
Smart card technology
CPU/MPU Microprocessor Multifunction Cards
These cards have on-card dynamic data processing capabilities.
Multifunction smart cards allocate card memory into independent sections assigned to a specific function or application. Within the card is a microprocessor or microcontroller chip that manages this memory allocation and file access. This type of chip is similar to those found inside all personal computers and when implanted in a smart card, manages data in organized file structures, via a card operating system (COS). Unlike other operating systems, this software controls access to the on-card user memory. This capability permits different and multiple functions and/or different applications to reside on the card, allowing businesses to issue and maintain a diversity of ‘products’ through the card. One example of this is a debit card that also enables building access on a college campus. Multifunction cards benefit issuers by enabling them to market their products and services via state-of-the-art transaction technology.
DEPT OF E&C NHCE
6
Smart card technology THE MICROPROCESSOR CHIP
A microprocessor chip has: • An 8K to 64K byte (or more) CPU, Read Only Memory (ROM) that contains the Chip’s operating system; • Random Access Memory (RAM) that serves as a temporary register for data; and • Electrically Erasable Programmable Read Only Memory (EEPROM) that is used for the storage of user data. EEPROM can contain between 1K byte and 64K bytes or more of memory. To highlight the functions of a smart card it is helpful to divide (conceptually) the chip’s memory functions into three areas
• ROM. Read-Only Memory containing the chip’s operating system. The operating System or command set controls all communication between the chip and the outside World. The ROM is masked or written during production by the semiconductor manufacturer and once written, cannot be altered.
• EEPROM. Electronically Erasable Programmable Read-Only Memory is the Read/write memory for the storage of data.6 Access to the EEPROM memory is Controlled by the chip’s operating system, and may contain data such as a PIN that can only be accessed by the operating system. Other data, for example, a card’s Serial number can be written to EEPROM during card manufacture. Most of the EEPROM memory is used to store user data such as a biometric, purse balance, Demographic information, and transaction records and can be rewritten to Approximately 10,000 times.
DEPT OF E&C NHCE
7
Smart card technology
RAM. Random Access Memory, which is volatile, is used as a temporary storage Register by the chip’s microprocessor. For example, when a PIN is being verified, the PIN sent by the terminal/PIN pad is temporarily stored in RAM. The following example will further explain the functions of the memory areas listed above. A commonly used microprocessor chip card would have its operating system Stored in ROM. The operating system or command set would respond to commands, such as “read a record,” “write a record,” and “verifies PIN,” sent to the card by a terminal. Information such as fund balances, card serial number, and demographic information Are stored in EEPROM. The CPU performs all processing functions, such as encryption, while RAM serves as a temporary register for information. During PIN verification, the PIN is temporarily stored in RAM. Since RAM memory is volatile, as soon as a card is powered off, all information stored in RAM is lost. When evaluating card types for a particular application, the amount of memory in various components is important. The EEPROM capacity of a card is Critical because a larger capacity EEPROM can store a greater number of Application records and transaction files. The amount of ROM is also important because a larger capacity ROM contains amore sophisticated operating system, which facilitates complex card and system operations. There is also a relationship Between ROM and EEPROM in some cards because several vendors allow custom code extending the ROM’s operating system to be written in EEPROM. While this technique increases the card's functionality, it decreases the amount of EEPROM available for application and transaction storage.
DEPT OF E&C NHCE
8
Smart card technology
CONTACTLESS MEMORY CARDS
A contact less smart card includes an embedded smart card secure microcontroller or equivalent intelligence, internal memory and a small antenna and communicates with a reader through a contact less radio frequency (RF) interface. Contact less smart card technology is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate Identification cards, documents such as electronic passports and visas, and financial payment cards. Contact less smart card have the ability to securely manage, store and provide access to data on the card, perform oncard functions (e.g., encryption) and interact intelligently with a contact less smart card reader. While offering similar capabilities to contact less smart card, contact smart cards require physical contact with the reading mechanism rather than using a contact less interface. The contact less interface provides users with the convenience of allowing the contact less card to be read at short distances with Fast transfer of data. DEPT OF E&C NHCE 9
Smart card technology
Contact less Smart card technology is available in a variety of forms – in plastic cards, watches, key fobs, documents and other handheld devices (e.g., built into mobile phones). For the purpose of this document, “card” is as the used generic term to describe any device in which smart card is used.
Contact less smart card systems are closely related to contact smart card systems. Like contact smart card a system, information is stored on a chip embedded within the contact less smart card. However, unlike the contact smart card, the power supplied to the card as well as the data exchanged between the card and the reader are achieved without the use of contacts, using Magnetic or electromagnetic fields to both powers the card as well as to exchange data with the reader. The contact less smart card contains an antenna embedded within the plastic body of the card (or within a key fob, watch or other document). When the card is brought into the electromagnetic field of the reader, the chip in the card is powered on. Once the chip is powered on, a wireless communication protocol is initiated and established between the card and the reader for data Transfer. The following four functions describe at a high level the sequence of events that happen when a contact less smart card is brought near a card reader:
Energy transfer to the card for powering the integrated circuit (chip) Clock signal transfer Data transfer to the contact less smart card Data transfer from the contact less smart card
DEPT OF E&C NHCE
10
Smart card technology Hence, once the card is brought within range of an electromagnetic field of the required frequency, the card will be powered up, ready to communicate with the reader. Since the contact less smart cards described in this FAQ are based on the ISO/IEC 14443 standard, this frequency is 13.56 MHz and a reader that complies with the standard would have an activation field (range) of about 4 inches (approximately 10 centimeters). In other words the card needs to be within 10 centimeters of a reader for it to be effectively powered; however, the effective range for communications for the card to be read will depend on a number of factors like the power of the reader, the antenna of the reader and the antenna of the card.
Applications that need strong information and communications security use contact less smartcard technology based on an international standard (ISO/IEC 14443) that limits the ability to read the contact less device to approximately 4 inches (10 centimeters). The contact less smart card must be positioned in a target area extremely close to the reader to function, thus reducing any Chance for it to be “read” without the user’s knowledge. Additionally, the information stored on the card is typically protected against theft with secure encryption and communication between the card and the reader is secure and authenticated. Applications using contact less smart cards can protect stored data in a number of ways. First, in order to access the data from a contact less smart card, the application may require knowledge of specific secret keys. In general, without knowledge of these secret keys, the card’s microcontroller and circuitry will block any attempts to access the data on the chip. Second, information stored on cards or documents using contact less smart card technology can be encrypted. In addition, communications between the contact less DEPT OF E&C NHCE 11
Smart card technology smart card and the reader can be encrypted to prevent
eavesdropping. Secure applications also typically require “mutual authentication,” where the contact less smart card first verifies that the reader is authentic and then proves its own authenticity to the reader before starting any further communications. The Ability of a contact less smart card application to verify the authority of the information requestor and provide strong chip and data security make it an excellent guardian of personal information And individual privacy.
Today’s
contact
less
smart
cards
use
advanced
chips
that
incorporate a microcontroller or Equivalent intelligence, as well as internal memory, and have the primary goal of securing data on The chip. Typically, a contact less smart card that targets banking, transport, and ID applications will operate at short range (less than 4 inches or 10 centimeters). This short distance ensures that the user performs a conscious action to transact, avoiding accidental or fraudulent transactions.
Contact less smart cards may also support separate keys for reading and for writing. Thus, being able to read data from a smart card does not enable you to write or update the data, unless the application provider planned it to be so. Contact less smart cards can also support a variety of encryption algorithms for increased security. This is essential for highly demanding applications such as banking, transport, and secure ID because it provides the highest security level possible. RFID tags do not support encryption. Contact less smart card by their nature protects the information that resides in their memory.Contactless smart card chips have built-in tamper-resistance, with both hardware and software capabilities
DEPT OF E&C NHCE
12
Smart card technology that detect and react to tampering attempts. Information stored on cards or documents using contact less smart card technology can be encrypted and communication between the contact less smart card and the reader can also be encrypted to prevent eavesdropping. Plus, a contact less smart card application can verify that the reader is authentic and can prove its own authenticity to the reader before starting a secure transaction. It is important to note, however, that information privacy and security must be designed into an application at the system level by the organization issuing the contact less device, card or Document. Card issuers will usually have a stated privacy policy that describes to cardholder show personal information is used and protected. Card issuers will also typically implement information security requirements throughout a system that will disallow the use of data fraudulently obtained. Given sufficient technology, time, resources and expertise any technology may be compromised. However contact less smart cards is significantly more costly and Complex to compromise than other solutions. Furthermore, in general, the security inherent to contact less smart card-enabled applications and systems are such that system-level application countermeasures may be deployed faster than attackers can use the vulnerability created on any Individual card.
Information (data) can only be written into the contact less smart card memory if authority to do so is provided. Authority is given by the card issuer or application provider who is the only entity that knows the secret keys and that knows how to write data to the card. Plus, the card would need to be within close proximity (4 inches or 10 centimeters for ISO/IEC 14443-compliant cards) of a specific contact less reader. It is important to note that the write protection of the data on the new U.S. electronic passport is very strong and no
DEPT OF E&C NHCE
13
Smart card technology data can be added, deleted or modified in the passport’s contact less smartcard chip once it has been issued to the citizen. Contacts less smart card are passive cards (they do not carry any source of energy) and they do not have any radiation of any kind. Only the RF reader emits energy in the reading process, but it is a tiny fraction of what a cellular phone emits and poses no health risk. No. Contact less smart card has no capabilities to provide physical location information. They have an extremely limited range of response and do not support any capabilities to identify Physical location (unlike the cellular phone system and global positioning system (GPS) technology). Contact less smart card is a secure means of storing and carrying information. In general, contacts less smart cards are more secure and more reliable, have higher data storage capacity, and have a longer expected life than most of the other available options (e.g., magnetic stripe cards or tickets, paper documents). For example, because of the high security, reliability and Convenience of fast transactions, all smart card applications in mass transportation are implemented using contact less smart card technology.
Contact less smart card technology only works when a low power radio frequency signal of 13.56 MHz is applied within a few inches (centimeters) of the passport. The passport chip, having no batteries or power source of its own, relies on getting its power from the reader’s RF signal to operate. Contact less smartcard technology uses very complex microcontroller-based technology that has a sophisticated operating system and many security techniques at its disposal for ensuring the integrity, confidentiality and privacy of information stored and transmitted. The contact less smart card technology in the new passport uses ISO/IEC standards (ISO/IEC 7816-1,-2,-3,-4 and ISO/IEC14443) to securely communicate
DEPT OF E&C NHCE
14
Smart card technology information in a random access manner, using defined protocols, to external authenticated reading equipment. Contact less smart card technology is capable of ensuring reading equipment is authenticated as well as proving its own authenticity to the readers. Communication between the contact less smart card chip and the external personal reading equipment can be encrypted password to or counter biometric eavesdropping. Access to any information can also be protected by identification number (PIN), authentication to Counter skimming effect. The minimum level of protection, as specified by International Civil Aviation Organization (ICAO), would allow the electronic data to be read from the passport providing the reading device can get within a few inches or centimeters (within about 4 inches or 10 centimeters) of the document and is able to maintain this position for several seconds. Beyond this range, the ISO/IEC 14443compliant reader’s RF field is significantly reduced, making it unable to power and communicate with the passport. To power the device from a greater distance requires a very high power RF signal from a non-compliant reader; the very large RF signal required for the reader to power the device from a greater distance effectively disables the reader from “hearing” the weak signal that is produced by the card and that is required to establish normal communication between the card and the reader.ICAO has specified additional optional levels of security that could be implemented
MICROPROCESSOR CARD AND COMBI /HYBRID CARD
DEPT OF E&C NHCE
15
Smart card technology
Cards that contain two distinct places for data storage (with at least one of these a chip) and each storage area with its own type of interface access are called Hybrid cards.
Thus hybrid cards can contain both a magnetic stripe and a chip. These Cards are likely to continue using the magnetic stripe for routine banking and POS Transactions while also is having the capability of introducing chip applications such as stored
DEPT OF E&C NHCE
16
Smart card technology
value, secure database access or information storage. Other applications can be added as they become available. In the transportation industry, the term “hybrid card” has a different meaning than in the Payment sector. A transportation hybrid card contains both contact and contact less Capability. They have two independent chips and systems on one card. The contact and contact less chips cannot communicate with in the card. Finally, a hybrid card can contain a contact chip and a laser strip. Laser strips use the same technology as a CD-ROM and have a high memory capacity at a reasonable cost. However, the read/write devices that support laser strip technology are expensive and cards have a limited use, primarily for storage of personal medical records.
Cards can be multi-technology—combining various different technologies that are used for different purposes. For example, in the figure below, the chip can be used for data storage, the magnetic stripe can be used for physical access control, and the bar code can be used for property asset management.
A combi-card (sometimes known as a dual-interface card), on the other hand, Incorporates contact and contact less capability into a single chip. Contact and
DEPT OF E&C NHCE
17
Smart card technology
Contact less communications can interface with the same memory within the card; hence a single processor supports multiple interfaces. The combi-card chip is conceptualized in the following figure:
MULTI FUNCTION CARD
DEPT OF E&C NHCE
18
Smart card technology
A card that contains several applications (or uses) is referred to as a multiapplication card. For example, a multi-application card may serve as a debit and credit card and may also contain a file on the chip that allows the cardholder to complete health insurance forms automatically, contain basic medical information for use in emergency situations, serve as a means to track frequent flyer miles and allow the cardholder access to a secure parking facility. It may perform these functions through one type of interface (such as only through direct contact) or may be a combi-card. In this example, it is evident that the card would have to ultimately work within the parameters of an open system so that the card could be used at many, unrelated commercial endpoints. Another example of a multi-application card is the campus card. A student uses the card as a basic ID, to check out books from the library, and to decrement value for the meal plan and campus vending machines. The student might also use it for secure access certain buildings and to the university’s computer system. While this is also a multiplication card, it is equally evident that the card need not operate in an open system, because this is a closed system environment with primarily closed applications.
The figure below provides an overview of potential uses for multi application cards
STANDARDS
DEPT OF E&C NHCE 19
Smart card technology
ISO - International Standards Organization ISO 7816-1 to ISO 7816-11
FIPS (Federal Information Processing Standards) FIPS 140 (1-3) FIPS 201
CEN (Committee' Europe'en de Normalization)
DEPT OF E&C NHCE
20
Smart card technology
SECURITY
Data security mechanism and their respective algorithms
• • • • •
The system generates the symmetric session key to encrypt the file. The system sends the session key and file. The smart card first encrypts the data using key. The recipient decrypts the session key and file using same key. Here we used the shared key for both encryption and decryption
DEPT OF E&C NHCE
21
Smart card technology
• • • • •
The system generates the symmetric session key to encrypt the file Then system sends the session key and file Here we use the double encryption method In encryption method we first encrypt the file then we decrypt the file again we encrypt the file In decryption method we first decrypt the file then we encrypt the file again we decrypt the file
DEPT OF E&C NHCE
22
Smart card technology
• • •
Here the smart card locks the box with public key Recipient unlocks the box using private key It is widely used in e-commerce applications
DEPT OF E&C NHCE
23
Smart card technology
Smart card uses
Commercial Applications • Financial Applications • Employee Identification • Ticketing • Parking and toll collection • Universities use smart cards for ID purposes and at the library, vending machines, copy machines, and other services on campus. Mobile Telecommunications • SIM cards used on cell phones • Over 300,000,000 GSM phones with smart cards • Contains mobile phone security, subscription information, and phone number on the network, billing information, and frequently called numbers. Information Technology • Secure logon and authentication of users to PCs and networks • Encryption of sensitive data Other Applications • Over 4 million small dish TV satellite receivers in the US use a smart card as its removable security element and subscription information. • Pre-paid, reload able telephone cards • Health Care, stores the history of a patient
DEPT OF E&C NHCE
24
Smart card technology • Fast ticketing in public transport, parking, and road tolling in many countries • e-log software with smart card technology uses to store the information related to employ clock in and clock out
Manufacturers of smart cards
Advanced Card Systems Ltd (ACS) Axalto CardLogix Gem plus IBM ID TECH I'M Technologies Sharp Siemens Telesec PRISM TechCard
DEPT OF E&C NHCE
25
Smart card technology
Smart about smart cards
In comparison to its predecessor, the magnetic strip card, smart cards have many advantages including: • Life of a smart card is longer • A single smart card can house multiple applications. Just one card can be used as your license, passport, credit card, ATM card, ID card, etc. • Smart cards cannot be easily replicated and are, as a general rule much more secure than magnetic stripe cards • Data on a smart card can be protected against unauthorized viewing. As a result of this confidential data, Pins and passwords can be stored on a smart card. This means, merchants do not have to go online every time to authenticate a transaction • chip is tamper-resistant - information stored on the card can be PIN code and/or readwrite protected - capable of performing encryption - each smart card has its own, unique serial number • capable of processing, not just storing information - Smart cards can communicate with computing devices DEPT OF E&C NHCE 26
Smart card technology through a smart card reader - information and applications on a card can be updated without having to issue new cards • A smart card carries more information than can be accommodated on a magnetic stripe card. It can make a decision, as it has relatively powerful processing capabilities that allow it to do more than a magnetic stripe card (e.g., data encryption )
Disadvantages
+ NOT tamper proof + Can be lost/stolen + Lack of user mobility – only possible if user has smart card reader everywhere he goes + Has to use the same reader technology + Can be expensive + Working from PC – software based token will be better + No benefits to using a token on multiple PCs to using a smart card + Still working on bugs
DEPT OF E&C NHCE
27
Smart card technology
Conclusion
INFORMAON Access ASSURANCE
Comfort Convenience Customization Independence Privacy
confidentiality Integrity Accountability Availability Restoration
DEPT OF E&C NHCE
28
Smart card technology
References
International Standards Organization, http://www.iso.org CardLogix Corporation - Smart Tools Development Kit Handbook http://www.cardlogix.com National Institute of Standards and Technology http://www.nist.gov Trends-Loyalty Programs 12/03 CIO Insight by Margaret L Young And Marcia Stepanek http://www.cioinsight.com Smart card From Wikipedia, the free encyclopedia http://www.wikipedia.com
DEPT OF E&C NHCE
29
Smart cards are similar in size and shape to the familiar magnetic stripe cards used for credit and debit transactions, but smart cards contain an embedded integrated circuit(chip) that interfaces with terminals (which activate the chip’s power).The chip contains microprocessor and storage or memory. The memory contains a chip operating system (COS) for the microprocessor, communications software, and can contain encryption algorithms, applications software and data. When used with the appropriate applications, smart cards can provide enhanced security and the ability to record, store and update data. When implemented properly they can provide interoperability across services, and allow multiple application or uses, via one card Applications can access data directly form the chip, and smart cards can contain Portable, personal and secure databases. Applications using smart cards as a data Storage medium can save time and expense since access to a central database each time a transaction occurs is not necessary. Smart cards can not replace central records storage, such as a medical records file or bank account. Rather, they can be viewed as” keys” to different databases and can contain an extract of critical data contained in those databases. Unlike magnetic stripe cards – which carry limited information, can be easily duplicated, and are limited to use as a key to on-line functions – smart cards can provide diverse off-line and on-line functionality and read-write capability.
DEPT OF E&C NHCE
1
Smart card technology HISTORY 1968
German inventor Jorgen Dethloff along with Helmet Grotrupp filed a patent for using plastic as a carrier for microchips.
1970
Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card concept
1974
Roland Moreno of France files the original patent for the IC card, later dubbed the “smart card.”
1977
Three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger began developing the IC card product.
1979
Motorola developed first single chip Microcontroller for French Banking
1982
World's first major IC card testing
1992
Nationwide prepaid card project started in Denmark
1999
Federal Government began Federal employee smart card identification
DEPT OF E&C NHCE
2
Smart card technology
INSIGHT Types of Chip Cards
Smart cards are defined according to the type of chip implanted in the card and its capabilities. There is a wide range of options to choose from when designing your system
DEPT OF E&C NHCE
3
Smart card technology
Increased levels of processing power, flexibility and memory add cost. Single function cards are often the most cost-effective solution. Choose the right type of smart card for your application by evaluating cost versus functionality and determine your required level of security. The following chart demonstrates the general rules of thumb.
Memory Cards
Memory cards have no sophisticated processing power and cannot manage files dynamically. All memories communicate to readers through synchronous protocols. There are three primary types’ memory cards:
DEPT OF E&C NHCE
4
Smart card technology
Straight Memory Cards
These cards just store data and have no data processing capabilities. These cards are the lowest cost per bit for user memory. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader.
Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards these devices can be set to write protect some or the entire memory array. Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality
Stored Value Memory Cards
These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set-up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable cards.
DEPT OF E&C NHCE
5
Smart card technology
CPU/MPU Microprocessor Multifunction Cards
These cards have on-card dynamic data processing capabilities.
Multifunction smart cards allocate card memory into independent sections assigned to a specific function or application. Within the card is a microprocessor or microcontroller chip that manages this memory allocation and file access. This type of chip is similar to those found inside all personal computers and when implanted in a smart card, manages data in organized file structures, via a card operating system (COS). Unlike other operating systems, this software controls access to the on-card user memory. This capability permits different and multiple functions and/or different applications to reside on the card, allowing businesses to issue and maintain a diversity of ‘products’ through the card. One example of this is a debit card that also enables building access on a college campus. Multifunction cards benefit issuers by enabling them to market their products and services via state-of-the-art transaction technology.
DEPT OF E&C NHCE
6
Smart card technology THE MICROPROCESSOR CHIP
A microprocessor chip has: • An 8K to 64K byte (or more) CPU, Read Only Memory (ROM) that contains the Chip’s operating system; • Random Access Memory (RAM) that serves as a temporary register for data; and • Electrically Erasable Programmable Read Only Memory (EEPROM) that is used for the storage of user data. EEPROM can contain between 1K byte and 64K bytes or more of memory. To highlight the functions of a smart card it is helpful to divide (conceptually) the chip’s memory functions into three areas
• ROM. Read-Only Memory containing the chip’s operating system. The operating System or command set controls all communication between the chip and the outside World. The ROM is masked or written during production by the semiconductor manufacturer and once written, cannot be altered.
• EEPROM. Electronically Erasable Programmable Read-Only Memory is the Read/write memory for the storage of data.6 Access to the EEPROM memory is Controlled by the chip’s operating system, and may contain data such as a PIN that can only be accessed by the operating system. Other data, for example, a card’s Serial number can be written to EEPROM during card manufacture. Most of the EEPROM memory is used to store user data such as a biometric, purse balance, Demographic information, and transaction records and can be rewritten to Approximately 10,000 times.
DEPT OF E&C NHCE
7
Smart card technology
RAM. Random Access Memory, which is volatile, is used as a temporary storage Register by the chip’s microprocessor. For example, when a PIN is being verified, the PIN sent by the terminal/PIN pad is temporarily stored in RAM. The following example will further explain the functions of the memory areas listed above. A commonly used microprocessor chip card would have its operating system Stored in ROM. The operating system or command set would respond to commands, such as “read a record,” “write a record,” and “verifies PIN,” sent to the card by a terminal. Information such as fund balances, card serial number, and demographic information Are stored in EEPROM. The CPU performs all processing functions, such as encryption, while RAM serves as a temporary register for information. During PIN verification, the PIN is temporarily stored in RAM. Since RAM memory is volatile, as soon as a card is powered off, all information stored in RAM is lost. When evaluating card types for a particular application, the amount of memory in various components is important. The EEPROM capacity of a card is Critical because a larger capacity EEPROM can store a greater number of Application records and transaction files. The amount of ROM is also important because a larger capacity ROM contains amore sophisticated operating system, which facilitates complex card and system operations. There is also a relationship Between ROM and EEPROM in some cards because several vendors allow custom code extending the ROM’s operating system to be written in EEPROM. While this technique increases the card's functionality, it decreases the amount of EEPROM available for application and transaction storage.
DEPT OF E&C NHCE
8
Smart card technology
CONTACTLESS MEMORY CARDS
A contact less smart card includes an embedded smart card secure microcontroller or equivalent intelligence, internal memory and a small antenna and communicates with a reader through a contact less radio frequency (RF) interface. Contact less smart card technology is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate Identification cards, documents such as electronic passports and visas, and financial payment cards. Contact less smart card have the ability to securely manage, store and provide access to data on the card, perform oncard functions (e.g., encryption) and interact intelligently with a contact less smart card reader. While offering similar capabilities to contact less smart card, contact smart cards require physical contact with the reading mechanism rather than using a contact less interface. The contact less interface provides users with the convenience of allowing the contact less card to be read at short distances with Fast transfer of data. DEPT OF E&C NHCE 9
Smart card technology
Contact less Smart card technology is available in a variety of forms – in plastic cards, watches, key fobs, documents and other handheld devices (e.g., built into mobile phones). For the purpose of this document, “card” is as the used generic term to describe any device in which smart card is used.
Contact less smart card systems are closely related to contact smart card systems. Like contact smart card a system, information is stored on a chip embedded within the contact less smart card. However, unlike the contact smart card, the power supplied to the card as well as the data exchanged between the card and the reader are achieved without the use of contacts, using Magnetic or electromagnetic fields to both powers the card as well as to exchange data with the reader. The contact less smart card contains an antenna embedded within the plastic body of the card (or within a key fob, watch or other document). When the card is brought into the electromagnetic field of the reader, the chip in the card is powered on. Once the chip is powered on, a wireless communication protocol is initiated and established between the card and the reader for data Transfer. The following four functions describe at a high level the sequence of events that happen when a contact less smart card is brought near a card reader:
Energy transfer to the card for powering the integrated circuit (chip) Clock signal transfer Data transfer to the contact less smart card Data transfer from the contact less smart card
DEPT OF E&C NHCE
10
Smart card technology Hence, once the card is brought within range of an electromagnetic field of the required frequency, the card will be powered up, ready to communicate with the reader. Since the contact less smart cards described in this FAQ are based on the ISO/IEC 14443 standard, this frequency is 13.56 MHz and a reader that complies with the standard would have an activation field (range) of about 4 inches (approximately 10 centimeters). In other words the card needs to be within 10 centimeters of a reader for it to be effectively powered; however, the effective range for communications for the card to be read will depend on a number of factors like the power of the reader, the antenna of the reader and the antenna of the card.
Applications that need strong information and communications security use contact less smartcard technology based on an international standard (ISO/IEC 14443) that limits the ability to read the contact less device to approximately 4 inches (10 centimeters). The contact less smart card must be positioned in a target area extremely close to the reader to function, thus reducing any Chance for it to be “read” without the user’s knowledge. Additionally, the information stored on the card is typically protected against theft with secure encryption and communication between the card and the reader is secure and authenticated. Applications using contact less smart cards can protect stored data in a number of ways. First, in order to access the data from a contact less smart card, the application may require knowledge of specific secret keys. In general, without knowledge of these secret keys, the card’s microcontroller and circuitry will block any attempts to access the data on the chip. Second, information stored on cards or documents using contact less smart card technology can be encrypted. In addition, communications between the contact less DEPT OF E&C NHCE 11
Smart card technology smart card and the reader can be encrypted to prevent
eavesdropping. Secure applications also typically require “mutual authentication,” where the contact less smart card first verifies that the reader is authentic and then proves its own authenticity to the reader before starting any further communications. The Ability of a contact less smart card application to verify the authority of the information requestor and provide strong chip and data security make it an excellent guardian of personal information And individual privacy.
Today’s
contact
less
smart
cards
use
advanced
chips
that
incorporate a microcontroller or Equivalent intelligence, as well as internal memory, and have the primary goal of securing data on The chip. Typically, a contact less smart card that targets banking, transport, and ID applications will operate at short range (less than 4 inches or 10 centimeters). This short distance ensures that the user performs a conscious action to transact, avoiding accidental or fraudulent transactions.
Contact less smart cards may also support separate keys for reading and for writing. Thus, being able to read data from a smart card does not enable you to write or update the data, unless the application provider planned it to be so. Contact less smart cards can also support a variety of encryption algorithms for increased security. This is essential for highly demanding applications such as banking, transport, and secure ID because it provides the highest security level possible. RFID tags do not support encryption. Contact less smart card by their nature protects the information that resides in their memory.Contactless smart card chips have built-in tamper-resistance, with both hardware and software capabilities
DEPT OF E&C NHCE
12
Smart card technology that detect and react to tampering attempts. Information stored on cards or documents using contact less smart card technology can be encrypted and communication between the contact less smart card and the reader can also be encrypted to prevent eavesdropping. Plus, a contact less smart card application can verify that the reader is authentic and can prove its own authenticity to the reader before starting a secure transaction. It is important to note, however, that information privacy and security must be designed into an application at the system level by the organization issuing the contact less device, card or Document. Card issuers will usually have a stated privacy policy that describes to cardholder show personal information is used and protected. Card issuers will also typically implement information security requirements throughout a system that will disallow the use of data fraudulently obtained. Given sufficient technology, time, resources and expertise any technology may be compromised. However contact less smart cards is significantly more costly and Complex to compromise than other solutions. Furthermore, in general, the security inherent to contact less smart card-enabled applications and systems are such that system-level application countermeasures may be deployed faster than attackers can use the vulnerability created on any Individual card.
Information (data) can only be written into the contact less smart card memory if authority to do so is provided. Authority is given by the card issuer or application provider who is the only entity that knows the secret keys and that knows how to write data to the card. Plus, the card would need to be within close proximity (4 inches or 10 centimeters for ISO/IEC 14443-compliant cards) of a specific contact less reader. It is important to note that the write protection of the data on the new U.S. electronic passport is very strong and no
DEPT OF E&C NHCE
13
Smart card technology data can be added, deleted or modified in the passport’s contact less smartcard chip once it has been issued to the citizen. Contacts less smart card are passive cards (they do not carry any source of energy) and they do not have any radiation of any kind. Only the RF reader emits energy in the reading process, but it is a tiny fraction of what a cellular phone emits and poses no health risk. No. Contact less smart card has no capabilities to provide physical location information. They have an extremely limited range of response and do not support any capabilities to identify Physical location (unlike the cellular phone system and global positioning system (GPS) technology). Contact less smart card is a secure means of storing and carrying information. In general, contacts less smart cards are more secure and more reliable, have higher data storage capacity, and have a longer expected life than most of the other available options (e.g., magnetic stripe cards or tickets, paper documents). For example, because of the high security, reliability and Convenience of fast transactions, all smart card applications in mass transportation are implemented using contact less smart card technology.
Contact less smart card technology only works when a low power radio frequency signal of 13.56 MHz is applied within a few inches (centimeters) of the passport. The passport chip, having no batteries or power source of its own, relies on getting its power from the reader’s RF signal to operate. Contact less smartcard technology uses very complex microcontroller-based technology that has a sophisticated operating system and many security techniques at its disposal for ensuring the integrity, confidentiality and privacy of information stored and transmitted. The contact less smart card technology in the new passport uses ISO/IEC standards (ISO/IEC 7816-1,-2,-3,-4 and ISO/IEC14443) to securely communicate
DEPT OF E&C NHCE
14
Smart card technology information in a random access manner, using defined protocols, to external authenticated reading equipment. Contact less smart card technology is capable of ensuring reading equipment is authenticated as well as proving its own authenticity to the readers. Communication between the contact less smart card chip and the external personal reading equipment can be encrypted password to or counter biometric eavesdropping. Access to any information can also be protected by identification number (PIN), authentication to Counter skimming effect. The minimum level of protection, as specified by International Civil Aviation Organization (ICAO), would allow the electronic data to be read from the passport providing the reading device can get within a few inches or centimeters (within about 4 inches or 10 centimeters) of the document and is able to maintain this position for several seconds. Beyond this range, the ISO/IEC 14443compliant reader’s RF field is significantly reduced, making it unable to power and communicate with the passport. To power the device from a greater distance requires a very high power RF signal from a non-compliant reader; the very large RF signal required for the reader to power the device from a greater distance effectively disables the reader from “hearing” the weak signal that is produced by the card and that is required to establish normal communication between the card and the reader.ICAO has specified additional optional levels of security that could be implemented
MICROPROCESSOR CARD AND COMBI /HYBRID CARD
DEPT OF E&C NHCE
15
Smart card technology
Cards that contain two distinct places for data storage (with at least one of these a chip) and each storage area with its own type of interface access are called Hybrid cards.
Thus hybrid cards can contain both a magnetic stripe and a chip. These Cards are likely to continue using the magnetic stripe for routine banking and POS Transactions while also is having the capability of introducing chip applications such as stored
DEPT OF E&C NHCE
16
Smart card technology
value, secure database access or information storage. Other applications can be added as they become available. In the transportation industry, the term “hybrid card” has a different meaning than in the Payment sector. A transportation hybrid card contains both contact and contact less Capability. They have two independent chips and systems on one card. The contact and contact less chips cannot communicate with in the card. Finally, a hybrid card can contain a contact chip and a laser strip. Laser strips use the same technology as a CD-ROM and have a high memory capacity at a reasonable cost. However, the read/write devices that support laser strip technology are expensive and cards have a limited use, primarily for storage of personal medical records.
Cards can be multi-technology—combining various different technologies that are used for different purposes. For example, in the figure below, the chip can be used for data storage, the magnetic stripe can be used for physical access control, and the bar code can be used for property asset management.
A combi-card (sometimes known as a dual-interface card), on the other hand, Incorporates contact and contact less capability into a single chip. Contact and
DEPT OF E&C NHCE
17
Smart card technology
Contact less communications can interface with the same memory within the card; hence a single processor supports multiple interfaces. The combi-card chip is conceptualized in the following figure:
MULTI FUNCTION CARD
DEPT OF E&C NHCE
18
Smart card technology
A card that contains several applications (or uses) is referred to as a multiapplication card. For example, a multi-application card may serve as a debit and credit card and may also contain a file on the chip that allows the cardholder to complete health insurance forms automatically, contain basic medical information for use in emergency situations, serve as a means to track frequent flyer miles and allow the cardholder access to a secure parking facility. It may perform these functions through one type of interface (such as only through direct contact) or may be a combi-card. In this example, it is evident that the card would have to ultimately work within the parameters of an open system so that the card could be used at many, unrelated commercial endpoints. Another example of a multi-application card is the campus card. A student uses the card as a basic ID, to check out books from the library, and to decrement value for the meal plan and campus vending machines. The student might also use it for secure access certain buildings and to the university’s computer system. While this is also a multiplication card, it is equally evident that the card need not operate in an open system, because this is a closed system environment with primarily closed applications.
The figure below provides an overview of potential uses for multi application cards
STANDARDS
DEPT OF E&C NHCE 19
Smart card technology
ISO - International Standards Organization ISO 7816-1 to ISO 7816-11
FIPS (Federal Information Processing Standards) FIPS 140 (1-3) FIPS 201
CEN (Committee' Europe'en de Normalization)
DEPT OF E&C NHCE
20
Smart card technology
SECURITY
Data security mechanism and their respective algorithms
• • • • •
The system generates the symmetric session key to encrypt the file. The system sends the session key and file. The smart card first encrypts the data using key. The recipient decrypts the session key and file using same key. Here we used the shared key for both encryption and decryption
DEPT OF E&C NHCE
21
Smart card technology
• • • • •
The system generates the symmetric session key to encrypt the file Then system sends the session key and file Here we use the double encryption method In encryption method we first encrypt the file then we decrypt the file again we encrypt the file In decryption method we first decrypt the file then we encrypt the file again we decrypt the file
DEPT OF E&C NHCE
22
Smart card technology
• • •
Here the smart card locks the box with public key Recipient unlocks the box using private key It is widely used in e-commerce applications
DEPT OF E&C NHCE
23
Smart card technology
Smart card uses
Commercial Applications • Financial Applications • Employee Identification • Ticketing • Parking and toll collection • Universities use smart cards for ID purposes and at the library, vending machines, copy machines, and other services on campus. Mobile Telecommunications • SIM cards used on cell phones • Over 300,000,000 GSM phones with smart cards • Contains mobile phone security, subscription information, and phone number on the network, billing information, and frequently called numbers. Information Technology • Secure logon and authentication of users to PCs and networks • Encryption of sensitive data Other Applications • Over 4 million small dish TV satellite receivers in the US use a smart card as its removable security element and subscription information. • Pre-paid, reload able telephone cards • Health Care, stores the history of a patient
DEPT OF E&C NHCE
24
Smart card technology • Fast ticketing in public transport, parking, and road tolling in many countries • e-log software with smart card technology uses to store the information related to employ clock in and clock out
Manufacturers of smart cards
Advanced Card Systems Ltd (ACS) Axalto CardLogix Gem plus IBM ID TECH I'M Technologies Sharp Siemens Telesec PRISM TechCard
DEPT OF E&C NHCE
25
Smart card technology
Smart about smart cards
In comparison to its predecessor, the magnetic strip card, smart cards have many advantages including: • Life of a smart card is longer • A single smart card can house multiple applications. Just one card can be used as your license, passport, credit card, ATM card, ID card, etc. • Smart cards cannot be easily replicated and are, as a general rule much more secure than magnetic stripe cards • Data on a smart card can be protected against unauthorized viewing. As a result of this confidential data, Pins and passwords can be stored on a smart card. This means, merchants do not have to go online every time to authenticate a transaction • chip is tamper-resistant - information stored on the card can be PIN code and/or readwrite protected - capable of performing encryption - each smart card has its own, unique serial number • capable of processing, not just storing information - Smart cards can communicate with computing devices DEPT OF E&C NHCE 26
Smart card technology through a smart card reader - information and applications on a card can be updated without having to issue new cards • A smart card carries more information than can be accommodated on a magnetic stripe card. It can make a decision, as it has relatively powerful processing capabilities that allow it to do more than a magnetic stripe card (e.g., data encryption )
Disadvantages
+ NOT tamper proof + Can be lost/stolen + Lack of user mobility – only possible if user has smart card reader everywhere he goes + Has to use the same reader technology + Can be expensive + Working from PC – software based token will be better + No benefits to using a token on multiple PCs to using a smart card + Still working on bugs
DEPT OF E&C NHCE
27
Smart card technology
Conclusion
INFORMAON Access ASSURANCE
Comfort Convenience Customization Independence Privacy
confidentiality Integrity Accountability Availability Restoration
DEPT OF E&C NHCE
28
Smart card technology
References
International Standards Organization, http://www.iso.org CardLogix Corporation - Smart Tools Development Kit Handbook http://www.cardlogix.com National Institute of Standards and Technology http://www.nist.gov Trends-Loyalty Programs 12/03 CIO Insight by Margaret L Young And Marcia Stepanek http://www.cioinsight.com Smart card From Wikipedia, the free encyclopedia http://www.wikipedia.com
DEPT OF E&C NHCE
29
