2. Aim of my ppt is to just give you a brief
idea about the smart card technology
being one of the best steps towards the
advancement of science and technology ,
making our life faster and obviously
easier.
3. Plastic Cards
Visual identity application
Plain plastic card is enough
Magnetic strip (e.g. credit cards)
Visual data also available in machine readable form
No security of data
Electronic memory cards
Machine readable data
Some security (vendor specific)
4. What is a Smart Card?
A Smart card is a plastic card about
the size of a credit card, with an
embedded microchip that can be
loaded with data, used for telephone
calling, cash payments , and other
applications, and then periodically
refreshed for additional use.
6. History
70’s
Smart Card First Patent in Germany and later in
France and Japan.
80’s
Mass usage in Pay Phones and Debit Cards.
90’s
Smart Card based Mobiles Chips & Sim Cards.
7. History
2000’s
Payment and Ticketing Applications
Credit cards, Mass transit (Smartrip)
Healthcare and Identification
Insurance information, Drivers license
9. Why use smart cards?
Can store currently up to 7000 times more data than a magnetic stripe card.
Information that is stored on the card can be updated.
Magnetic stripe cards are vulnerable to many types of fraud.
Lost/Stolen Cards
Skimming
Carding/ Phishing
Greatly enhances security by communicating with card readers using PKI
algorithms.
A single card can be used for multiple applications (cash, identification,
building access, etc.)
Smart cards provide a 3-fold approach to authentic identification:
• Pin
• Smartcard
• Biometrics
12. What’s in a Card?
CL RST
K Vcc
RFU
GND
RFU
Vpp
I/O
Varun Arora |
varun@varunarora.in |
www.varunarora.in
13. Electrical signals description
VCC : Power supply input
RST : Either used itself (reset signal supplied from the
interface device) or in combination with an internal
reset control circuit (optional use by the card) .
CLK
: Clocking or timing signal (optional use by the
card).
Fig : A smart card pin out
GND : Ground (reference voltage).
VPP : Programming voltage input (deprecated / optional use by the card).
I/O : Input or Output for serial data to the integrated circuit inside the card.
AUX1(C4): Auxilliary contact; USB devices: D+
AUX2(C8) : Auxilliary contact; USB devices: D-
14. CARD STRUCTURE
Out of the eight contacts only six are used. Vcc is
the supply voltage, Vss is the ground reference
voltage against which the Vcc potential is
measured, Vpp connector is used for the high
voltage signal,chip receives commands &
interchanges data.
15. Typical Configurations
256 bytes to 4KB RAM.
8KB to 32KB ROM.
1KB to 32KB EEPROM.
8-bit to 16-bit CPU. 8051 based designs
are common.
16. Smart Card Readers
Computer based readers
Connect through USB or COM (Serial) ports
Dedicated terminals
Usually with a small screen, keypad, printer,
often also have biometric devices such as thumb
print scanner.
17. Terminal/PC Card Interaction
The terminal/PC sends commands to the card
(through the serial line).
The card executes the command and sends back
the reply.
The terminal/PC cannot directly access memory
of the card so
data in the card is protected from
unauthorized access. This is what makes the
card smart.
18. Why Smart Cards?
Security: Data and codes on the card are encrypted by the
chip maker. The Smart Card’s circuit chip almost impossible
to forge.
Trust: Minimal human interaction.
Portability.
Less Paper work: Eco-Friendly
19. Two Types of Chips
Memory chip Microprocessor
Acts as a small floppy Can add, delete, and
disk with optional manipulate its memory.
security Acts as a miniature
Are inexpensive computer that includes an
Offer little security operating system, hard
features disk, and input/output
ports.
Provides more security and
memory and can even
download applications.
20. From 1 billion to 4 billion units in 10
years…
Worldwide smart card shipments
4500 4285
4000
3580
3500 Microprocessor cards
Millions of units
Memory cards
3000
2500 3325
2655
2000
1500
1000
500 925 960
925 960
0
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
21. Smart Cards in
everyday life…
Loyalty
Transport
Ticketing
Payment
Health card
Smart Poster
Communication
22. Contact Smart Cards
Requires insertion into a
smart card reader with a
direct connection
This physical contact
allows for transmission of
commands, data, and card
status to take place
24. Contactless Smart Cards
Require only close proximity to a
reader
Both the reader and card have
antennas through which the two
communicate
Ideal for applications that require
very fast card interfaces
25. ISO 14443.
International standard.
Deals – only contactless smart cards.
Defines:-
a. Interface.
b. Radio frequency interface.
c. Electrical interface.
d. Operating distance.
Etc…..
26. Dual interface smart cards.
Also called Combi card.
Has a single chip over it.
Has both contact as well as contactless
interfaces.
We can use the same chip using either contact or
contactless interface with a high level of security.
30. Categories of Smart Cards
Based on the type of IC chip
embedded on the Smart Card.
They are categorized into
three types :-
IC Micro Processor Cards
IC Memory Cards
Optical Memory Cards
31. Key Attributes
Security
to make the Digital Life safe and enjoyable
Ease of Use
to enable all of us to access to the Digital World
Privacy
to respect each individual’s freedom and intimacy
E
SAF
32. Biometric techniques
Finger print identification.
Features of finger prints can be kept on the card
(even verified on the card)
Photograph/IRIS pattern etc.
Such information is to be verified by a person. The
information can be stored in the card securely
33. Smart Card Readers
Dedicated terminals
Computer based readers
Usually with a small
Connect through USB or
screen, keypad, printer, COM (Serial) ports
often also
have biometric devices
such as thumb print
scanner.
34. Terminal/PC Card Interaction
The terminal/PC sends commands to the card
(through the serial line).
The card executes the command and sends back
the reply.
The terminal/PC cannot directly access memory
of the card
data in the card is protected from unauthorized
access. This is what makes the card smart.
35. Communication mechanisms
Communication between smart card and reader is
standardized
ISO 7816 standard
Commands are initiated by the terminal
Interpreted by the card OS
Card state is updated
Response is given by the card.
Commands have the following structure
CLA INS P1 P2 Lc 1..Lc Le
Response from the card include 1..Le bytes followed by
Response Code
36. Security Mechanisms
Password
Card holder’s protection
Cryptographic challenge Response
Entity authentication
Biometric information
Person’s identification
A combination of one or more
37. Password Verification
Terminal asks the user to provide a password.
Password is sent to Card for verification.
Scheme can be used to permit user
authentication.
Not a person identification scheme
Varun Arora |
varun@varunarora.in |
www.varunarora.in
38. Cryptographic verification
Terminal verify card (INTERNAL AUTH)
Terminal sends a random number to card to be hashed
or encrypted using a key.
Card provides the hash or cyphertext.
Terminal can know that the card is authentic.
Card needs to verify (EXTERNAL AUTH)
Terminal asks for a challenge and sends the response to
card to verify
Card thus know that terminal is authentic.
Primarily for the “Entity Authentication”
Varun Arora |
varun@varunarora.in |
www.varunarora.in
39. Biometric techniques
Finger print identification.
Features of finger prints can be kept on the card
(even verified on the card)
Photograph/IRIS pattern etc.
Such information is to be verified by a person. The
information can be stored in the card securely.
40. Data storage
Data is stored in smart cards in E2PROM
Card OS provides a file structure mechanism
MF File types
Binary file (unstructured)
DF DF EF EF
Fixed size record file
DF EF Variable size record file
EF EF
41. File Naming and Selection
Each files has a 2 byte file ID and an optional 5-bit
SFID (both unique within a DF). DFs may
optionally have (globally unique) 16 byte name.
OS keeps tack of a current DF and a current EF.
Current DF or EF can be changed using SELECT
FILE command. Target file specified as either:
DF name
File ID
SFID(Short File Identifier, 1 byte)
Relative or absolute path (sequence of File IDs).
Parent DF
42. Basic File Related Commands
Commands for file creation, deletion etc., File size
and security attributes specified at creation time.
Commands for reading, writing, appending records,
updating etc.
Commands work on the current EF.
Execution only if security conditions are met.
Each file has a life cycle status indicator (LCSI),
one of: created, initialized, activated, deactivated,
terminated.
43. Access control on the files
Applications may specify the access controls
A password (PIN) on the MF selection
For example SIM password in mobiles
Multiple passwords can be used and levels of
security access may be given
Applications may also use cryptographic
authentication
44. An example scenario (institute ID
card) What happens ifFree user
Read: the
Select: P2 forgets his upon verification
Write: requirements:
Security password?
verification EF1 (personal data) by K1, K2 or K3
EF1:
Solution1: Add supervisor
Name: Varun Arora
PF/Roll: 13 passwordbe modified only by
Should
MF Read: Free
the DOSA/DOFA/Registrar
Solution2: Allow
EF2 (Address) Write: Password
DOSA/DOFA/Registrar to
Readable to all (P1)
#320, MSc (off) modifyVerification
EF3
475, SICSR (Res) EF2:
Solution3: Allow both to
Card holder should be able
happen
to modify
EF3 (password) EF4 (keys)
EF3 (password) K1 (DOSA’s key)
P1 (User password) Read: Never
P1 (User password) K2 (DOFA’s key)
P2 (sys password) Write: Once
K3 (Registrar’s key)
Read: Never
Write: Password
Verification (P1)
45. An example scenario (institute ID
card)
EF1 (personal data) Library manages its
own keys in EF3
EF2 (Address)
under DF1
MF
EF3 (password)
Institute manages its
EF4 (keys) keys and data under
Modifiable: By admin
DF1 (Lib) MF staff. Read: all
EF2 (Privilege info) Thus library can
EF1 (Issue record)
Max Duration: 20 days develop applications
Max Books: 10 independent of the
Bk# dt issue dt retn Reserve Collection: Yes rest. Keys
EF3:
Bk# dt issue dt retn
K1: Issue staff key
K2: Admin staff key
Bk# dt issue dt retn Modifiable: By issue
Bk# dt issue dt retn staff. Read all
46. How does it all work?
Card is inserted in the terminal
Card gets power. OS boots up.
Sends ATR (Answer to reset)
ATR negotiations take place to
set up data transfer speeds,
capability negotiations etc.
Terminal sends first command to Card responds with an error
select MF (because MF selection is only on
password presentation)
Terminal prompts the user to
provide password
Terminal sends password for Card verifies P2. Stores a status
verification “P2 Verified”. Responds “OK”
Terminal sends command to Card responds “OK”
select MF again Card supplies personal data and
responds “OK”
Terminal sends command to read EF1
47. So many Smart Cards with us at all
times…..
In our GSM phone (the SIM card)
Inside our Wallets
Credit/Debit cards
HealthCare cards
Loyalty cards
Our corporate badge
Our Passport
Our e-Banking OTP
… and the list keeps growing
48. Our Industries Is rapidly changing
Interactive billboards Transports
New solutions leveraging
on mobile contactless
services
eTicketing Retail
49. Smart Card Applications
Government programs
Banking & Finance
Mobile Communication
Pay Phone Cards
Transportation
Electronic Tolls
Passports
Electronic Cash
Retailer Loyalty Programs
Information security
50. Banking and finance
Electronic purse to replace coins for small purchases in vending
machines .
Credit and debit cards
Securing payments across the internet
51. Smart card Pay phones
Outside of the United States there is a widespread use of
payphones
phone company does not have to collect coins
the users do not have to have coins or remember long
access numbers and PIN codes
The risk of vandalism is very low since these payphones are
smart card-based. “Generally, a phone is attacked if there is
some money inside it, as in the case of coin-based payphone
52. Transportation
Driver’s license
Mass transit fare collection system
Electronic toll collection system
53. It’s no longer only «Cards»
e-Passport: the first Smart Secure Device
45 Millions e-Passport in 2009
54. E Governance
As the amount of business and holiday travel
increases security continues to be a top concern for
governments worldwide.
When fully implemented smart passport solutions
help to reduce fraud and forgery of travel
documents.
Enhanced security for travellers
Philips launched such a project
with the US in 2004.
55. Student id card
All-purpose student ID card (a/k/a campus
card), containing a variety of applications
such as electronic purse (for vending
machines, laundry machines, library card, and
meal card).
56.
57. Threats in Using Smart
Cards
failure rate
probability of breaking: keeping in wallets may
damage the chip on the card.
malware attacks: active malwares on systems
may result in modifying the transactions.
58. OS Based Classification
Smart cards are also classified on the basis of their Operating System. There
are many Smart Card Operating Systems available in the market, the main
ones being:
1. MultOS
2. JavaCard
3. Cyberflex
4. StarCOS
5. MFC
Smart Card Operating Systems or SCOS as they are commonly called, are
placed on the ROM and usually occupy lesser than 16 KB. SCOS handle:
• File Handling and Manipulation.
• Memory Management
• Data Transmission Protocols.
59. ADVANTAGES
Proven to be more reliable than the magnetic stripe card.
Can store up to thousands of times of the information than the magnetic stripe card.
Reduces tampering and counterfeiting through high security mechanisms such as
advanced encryption and biometrics.
Can be disposable or reusable.
Performs multiple functions.
Has wide range of applications (e.g., banking, transportation, healthcare...)
Compatible with portable electronics (e.g., PCs, telephones...)
Evolves rapidly applying semi-conductor technology
60. Disadvantages
Smart cards used for client-side identification and
authentication are the most secure way for eg. internet banking
applications, but the security is never 100% sure.
In the example of internet banking, if the PC is infected with
any kind of malware, the security model is broken. Malware
can override the communication (both input via keyboard and
output via application screen) between the user and the
internet banking application (eg. browser). This would result in
modifying transactions by the malware and unnoticed by the
user. There is malware in the wild with this capability (eg.
Trojan. Silentbanker).
61. Remedies…
Banks like Fortis and Dexia in Belgium combine a Smart card with an unconnected card reader to
avoid this problem. The customer enters a challenge received from the bank's website, his PIN and
the transaction amount into the card reader, the card reader returns an 8-digit signature. This
signature is manually copied to the PC and verified by the bank. This method prevents malware from
changing the transaction amount.
62. Future Aspects
Soon it will be possible to access the data in Smart cards by the use of Biometrics.
Smart card Readers can be built into future computers or peripherals
which will enable the users to pay for goods purchased on the internet.
In the near future, the multifunctional smart card will replace the
traditional magnetic swipe card.
Smart Card is not only a data store, but also a programmable, portable,
tamper resistant memory storage.
63. The Smart card success story
Microprocessor Smart Cards Shipments ( Millions of units )
4000 295
+31%
3500
+10%
225 580
+16%
Telecom (SIM)
3000
205 +22%
500
2500 Banking - Retail
410
2000 Identity & others
+15%
1500 3000
+27% 2600
1000 2040
500
0
2007 2008 2009
64. By 2020 …
20 Billion Smart Secure Devices
>4 Billion Mobile Appliances users
>4 Billion e-ID documents in use
65. Conclusion:
Conclusion…
• Smart Cards will evolve into a broader family of Devices
• Smart Cards will evolve into a broaderfamily of Devices
• More new shapes for new applications
• More new shapes for new applications
• Embedded software attributes »
• Our virtual « digital personaland ultra-embedded nanotechnologies
•• The only mistake andavoid for our Industry is to entertain an endless
Embedded software to ultra-embedded nanotechnologies
debate about fears.
• We will build the best solutions Industry is to entertain an enjoy
• The only mistake to avoid for our and the best value for people to endless
debate many new services
about fears.
•• Education … moresolutions and the best value for people to enjoy many new
We will build the best Education
services
• Preparing people to use those Smart Secure Devices is as important as
• Political ownership how communication will be key to success
teaching them and to read and write
• Education … more Education
• Preparing people to use those Smart Secure Devices is as important as teaching them
how to read and write
66. Conclusion:
• Smart Cards will evolve into a broader family of Devices
• More new shapes for new applications
• Our virtual « digital personal attributes »
• Embedded software and ultra-embedded nanotechnologies
• The only mistake to avoid for our Industry is to entertain an
endless debate about fears.
• We will build the best solutions and the best value for people to enjoy many new
services
• Political ownership and communication will be key to success
• Education … more Education
• Preparing people to use those Smart Secure Devices is as important as teaching
them how to read and write
67.
68. Security of Smart Cards
Public Key Infrastructure (PKI) algorithms such
as DES, 3DES, RSA and ECC.
Key pair generation.
Variable timing/clock fluctuation.
0.6 micron components.
Data stored on the card is encrypted.
Pin Blocking.
69. Elliptical Curve Cryptography
y²=x³+ax+b
Q(x,y) =kP(x,y)
Uses point multiplication to
compute and ECDLP to
crack.
Beneficial for portable
devices.
Cryptographic coprocessors
can be added to speed up
encryption and decryption.
70. CAIN
Confidentiality is obtained by the encryption of
the information on the card.
Authenticity is gained by using the PKI
algorithm and the two/three factor
authentication.
Integrity is maintained through error-checking
and enhanced firmware.
Repudiation is lower because each transaction is
authenticated and recorded.
71. Common and Future Uses of Smart
Cards
Current uses:
Chicago Transit Card
Speed Pass
Amex Blue Card
Phone Cards
University ID cards
Health-care cards
Access to high level
government facilities.
Future uses:
Federally Passed Real-ID
act of 2005.
ePassports
72. Data Structure
Data on Smart Cards is organized into a tree
hierarchy. This has one master file (MF or root)
which contains several elementary files (EF) and
several dedicated files (DF).
DFs and MF correspond to directories and EFs
correspond to files, analogous to the hierarchy in
any common OS for PCs.
73. Data Structure
However, these two hierarchies differ in that
DFs can also contain data. DF's, EF's and MF's
header contains security attributes resembling
user rights associated with a file/directory in a
common OS.
Any application can traverse the file tree, but it
can only move to a node if it has the appropriate
rights.
The PIN is also stored in an EF but only the
card has access permission to this file.
Notes de l'éditeur
Aim of my ppt is to just give you a brief idea about the smart card technology being one of the best steps towards the advancement of science and technology,making our life faster and obviously easier.