2. Topics Covered
Defining Smart Cards
Smart Card Architecture
Smart Card – Working
Smart Card – Security
Data Storage in Smart Card
Types of Smart Card
Usage and Application
Advantages and Disadvantages
Future Development
12/13/2011 ITECH 7215 Information Security 2
3. DEFINING SMART CARDS
• Known by other names like Chip Cards, Integrated
Circuit Cards (ICC) and Processor Cards.
• Size is the same as any other credit card
With or without contact information.
• Cards have an operating system.
• The OS provides
A standard way of interchanging information.
An interpretation of the commands and data.
• Cards must interface to a computer or terminal
through a standard card reader.
4. Card and Card Reader
• Computer based readers:
Connect through USB or COM (Serial) ports
• Dedicated terminals:
Usually with a small screen, keypad, printer,
often also have biometric devices such as
thumb print scanner.
6. SMART CARD ARCHITECTURE
• 256 bytes to 4KB RAM.
• 8KB to 32KB ROM.
• 1KB to 32KB EEPROM.
• Crypto-coprocessors (implementing 3DES, RSA etc., in hardware) are
optional.
• 8-bit to 16-bit CPU. 8051 based designs are common.
The price of a mid-level chip when produced in bulk is less than US$1.
[Figure: chip contact pads, labelled Vcc, RST, CLK, RFU, GND, Vpp, I/O and RFU]
7. WORKING STRUCTURE
• Central Processing Unit: Heart of the Chip
• All processing of data is performed here.
8. WORKING STRUCTURE
• security logic: detecting abnormal conditions
e.g. low voltage
9. WORKING STRUCTURE
• serial i/o interface: contact to the outside world
10. WORKING STRUCTURE
• test logic: self-test procedures
11. WORKING STRUCTURE
ROM:
• card operating system
• self-test procedures
• typically 16 kbytes
• future 32/64 kbytes
12. WORKING STRUCTURE
RAM:
• ‘Buffer memory’ of the processor
• typically 512 bytes
• future 1 kbyte
13. WORKING STRUCTURE
EEPROM:
• cryptographic keys
• PIN code
• biometric template
• balance
• application code
• typically 8 kbytes
• future 32 kbytes
14. WORKING STRUCTURE
databus:
• connection between elements of the chip
• 8 or 16 bits wide
[Figure: chip block diagram with CPU, test logic, security logic, ROM, RAM, EEPROM and serial i/o interface connected by the databus]
16. TERMINAL/PC CARD INTERACTION
• The terminal/PC sends commands to the card
(through the serial line).
• The card executes the command and sends
back the reply.
• The terminal/PC cannot directly access memory
of the card
o Data in the card is protected from
unauthorized access. This is what makes the
card smart.
17. HOW IT WORKS
1. Terminal: Card is inserted in the terminal.
   Card: Card gets power. OS boots up. Sends ATR (Answer to Reset).
2. ATR negotiations take place to set up data transfer speeds, capability negotiations etc.
3. Terminal: Terminal sends first command to select MF.
   Card: Card responds with an error (because MF selection is only on password presentation).
4. Terminal: Terminal prompts the user to provide password.
5. Terminal: Terminal sends password for verification.
   Card: Card verifies P2. Stores a status “P2 Verified”. Responds “OK”.
6. Terminal: Terminal sends command to select MF again.
   Card: Card responds “OK”.
7. Terminal: Terminal sends command to read EF1.
   Card: Card supplies personal data and responds “OK”.
18. COMMUNICATION
• Communication between smart card and reader
is standardized:
ISO 7816 standard
• Commands are initiated by the terminal
Interpreted by the card OS
Card state is updated
Response is given by the card.
• Commands have the following structure
• Response from the card includes 1..Le bytes
followed by Response Code
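The exchange from the "How it works" and "Communication" slides, written out as a simulated card (an added example, not part of the original deck). The instruction bytes and status words are the ISO 7816-4 values; the EF1 file ID, the ATR bytes, the password reference 0x02 and the three-try retry counter are assumptions for illustration, and the retry counter goes beyond what the slides describe.

```python
# Added example: a simulated card OS, not a real card stack or the deck's code.
import hmac

SW_OK, SW_DENIED, SW_BLOCKED = 0x9000, 0x6982, 0x6983
SW_NO_EF, SW_NOT_FOUND, SW_BAD_INS = 0x6986, 0x6A82, 0x6D00
INS_VERIFY, INS_SELECT, INS_READ_BINARY = 0x20, 0xA4, 0xB0
MF, EF1 = b"\x3f\x00", b"\x00\x01"   # EF1's file ID is constructed

class SimulatedCard:
    def __init__(self, pin: bytes, ef1: bytes):
        # PIN, files and retry counter persist across resets ("EEPROM").
        self._pin, self._files, self._tries = pin, {EF1: ef1}, 3
        self.reset()

    def reset(self) -> bytes:
        self._verified, self._current = False, None   # volatile state
        return bytes.fromhex("3b00")                  # constructed ATR

    def transmit(self, apdu: bytes) -> tuple[bytes, int]:
        """Interpret CLA INS P1 P2 [Lc data | Le]; return (data, SW1SW2)."""
        ins, body = apdu[1], apdu[5:5 + apdu[4]]
        if ins == INS_VERIFY:
            if self._tries == 0:
                return b"", SW_BLOCKED
            self._verified = hmac.compare_digest(body, self._pin)
            self._tries = 3 if self._verified else self._tries - 1
            return b"", SW_OK if self._verified else 0x63C0 | self._tries
        if not self._verified:            # every file access needs the PIN
            return b"", SW_DENIED
        if ins == INS_SELECT:
            if body != MF and body not in self._files:
                return b"", SW_NOT_FOUND
            self._current = body
            return b"", SW_OK
        if ins == INS_READ_BINARY:
            if self._current not in self._files:
                return b"", SW_NO_EF
            return self._files[self._current][:apdu[4] or 256], SW_OK
        return b"", SW_BAD_INS

def command(ins: int, p2: int = 0, data: bytes = b"") -> bytes:
    return bytes([0x00, ins, 0x00, p2, len(data)]) + data   # CLA = P1 = 0

def run_session(card: SimulatedCard, pin: bytes) -> list[tuple[bytes, int]]:
    """Replay the slide's sequence, plus an explicit SELECT of EF1."""
    card.reset()
    steps = [(INS_SELECT, 0, MF), (INS_VERIFY, 0x02, pin), (INS_SELECT, 0, MF),
             (INS_SELECT, 0, EF1), (INS_READ_BINARY, 0, b"")]
    return [card.transmit(command(*step)) for step in steps]
```

The terminal only ever sees the returned data and status word; the PIN comparison and the file contents stay inside `SimulatedCard`, which is the property the interaction slide describes.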
20. SECURITY MECHANISM
• Password
Card holder’s protection
• Cryptographic challenge-response
Entity authentication
• Biometric information
Person’s identification
• A combination of one or more
21. PASSWORD VERIFICATION
1. Terminal asks the user to provide a password.
2. Password is sent to Card for verification.
3. Scheme can be used to permit user
authentication.
Not a person identification scheme
22. CRYPTOGRAPHIC VERIFICATION
1. Terminal verifies card (INTERNAL AUTH)
• Terminal sends a random number to card to
be hashed or encrypted using a key.
• Card provides the hash or ciphertext.
2. Terminal can know that the card is authentic.
3. Card needs to verify (EXTERNAL AUTH)
• Terminal asks for a challenge and sends the
response to card to verify
• Card thus knows that terminal is authentic.
4. Primarily for the “Entity Authentication”
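The INTERNAL AUTH and EXTERNAL AUTH exchanges above, with both sides' messages, as an added example that is not from the original deck. HMAC-SHA256 stands in for the card's keyed hash or cipher, and the class names, role labels and shared key are assumptions.

```python
# Added example; HMAC-SHA256, the role labels and the key are assumptions.
import hashlib
import hmac
import secrets

SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def keyed_response(key: bytes, role: bytes, challenge: bytes) -> bytes:
    # The role label keeps a card's answer from being accepted as a terminal's.
    return hmac.new(key, role + challenge, hashlib.sha256).digest()

class Card:
    def __init__(self, key: bytes):
        self._key, self._pending = key, None

    def internal_authenticate(self, challenge: bytes) -> bytes:
        """Prove to the terminal that the card holds the key."""
        return keyed_response(self._key, b"card", challenge)

    def get_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(8)
        return self._pending

    def external_authenticate(self, response: bytes) -> bool:
        """Check the terminal's answer; each challenge is usable once."""
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        expected = keyed_response(self._key, b"terminal", challenge)
        return hmac.compare_digest(response, expected)

class Terminal:
    def __init__(self, key: bytes):
        self._key = key

    def verify_card(self, card: Card) -> bool:
        challenge = secrets.token_bytes(8)      # fresh random number
        expected = keyed_response(self._key, b"card", challenge)
        return hmac.compare_digest(card.internal_authenticate(challenge), expected)

    def answer(self, challenge: bytes) -> bytes:
        return keyed_response(self._key, b"terminal", challenge)

def mutual_authenticate(terminal: Terminal, card: Card) -> tuple[bool, bool]:
    """Return (card is authentic, terminal is authentic)."""
    card_ok = terminal.verify_card(card)
    terminal_ok = card.external_authenticate(terminal.answer(card.get_challenge()))
    return card_ok, terminal_ok
```

Because each challenge is random and consumed on first use, a response recorded from an earlier session does not verify against a later challenge.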
23. BIOMETRIC MECHANISM
• Fingerprint identification.
Features of fingerprints can be kept on the
card (even verified on the card)
• Photograph/iris pattern etc.
Such information is to be verified by a person.
The information can be stored in the card
securely.
25. DATA STORAGE
• Data is stored in smart cards in EEPROM
• Card OS provides a file structure mechanism
• File types:
Binary file (unstructured)
Fixed size record file
Variable size record file
[Figure: file tree rooted at the MF, with DFs and EFs on the levels below]
26. ACCESSING FILES
• Applications may specify the access controls
• A password (PIN) on the MF selection e.g. SIM
password in mobiles
• Multiple passwords can be used and levels of security
access may be given
• Applications may also use cryptographic
authentication
28. MAGNETIC STRIPE CARDS
Standard technology for bank cards, driver’s
licenses, library cards, and so on.
29. OPTICAL CARDS
• Uses a laser to read and write the card
• US cards contain:
• Photo ID
• Fingerprint
30. MEMORY CARDS
• Can store:
Financial Info
Personal Info
Specialized Info
• Cannot process Info
31. MICROPROCESSOR CARDS
• Has an integrated circuit chip
• Has the ability to:
• Store information
• Carry out local processing
• Perform Complex Calculations
33. SMART CARD USAGE
Commercial Applications
Banking/payment
Identification
Parking and toll collection
Universities use smart cards for ID purposes and at the
library, vending machines, copy machines, and other services on
campus.
EMV standard
Mobile Telecommunications
SIM cards used on cell phones
All GSM phones with smart cards
Contains mobile phone security, subscription information, phone
number on the network, billing information, and frequently called
numbers
34. SMART CARD USAGE
• Information Technology
• Secure logon and authentication of users to PCs and networks
• Encryption of sensitive data
• Other Applications
• Over 4 million small dish TV satellite receivers in the US use a
smart card as their removable security element and to hold subscription
information.
• Pre-paid, reloadable telephone cards
• Health Care, stores the history of a patient
• Fast ticketing in public transport, parking, and road tolling in
many countries
• JAVA cards
35. OTHER SMART CARD APPLICATIONS
36. SMART CARD APPLICATIONS
Retail
• Sale of goods using Electronic Purses, Credit / Debit
• Vending machines
• Loyalty programs
• Tags & smart labels
Communication
• GSM
• Payphones
Entertainment
• Pay-TV
• Public event access control
Transportation
• Public Traffic
• Parking
• Road Regulation (ERP)
• Car Protection
37. SMART CARD APPLICATIONS
Healthcare
• Insurance data
• Personal data
• Personal file
E-commerce
• sale of information
• sale of products
• sale of tickets, reservations
Government
• Identification
• Passport
• Driving license
E-banking
• access to accounts
• to do transactions
• shares
38. SMART CARD APPLICATIONS
Educational facilities
• Physical access
• Network access
• Personal data (results)
• Copiers, vending machines, restaurants, ...
Office
• Physical access
• Network access
• Time registration
• Secure e-mail & Web applications
40. ADVANTAGES
In comparison to its predecessor, the magnetic stripe
card, smart cards have many advantages including:
• Life of a smart card is longer
• A single smart card can house multiple applications.
Just one card can be used as your
license, passport, credit card, ATM card, ID Card, etc.
• Smart cards cannot be easily replicated and are, as a
general rule, much more secure than magnetic stripe
cards. A smart card has relatively powerful processing capabilities
that allow it to do more than a magnetic stripe card
(e.g., data encryption).
• Data on a smart card can be protected against
unauthorized viewing. As a result, confidential
data, PINs and passwords can be stored on a smart card.
This means merchants do not have to go online every
time to authenticate a transaction.
41. DISADVANTAGES
• NOT tamper proof
• Can be lost/stolen
• Lack of user mobility – only possible if user has smart
card reader everywhere he goes
• Has to use the same reader technology
• Can be expensive
• Working from PC – software based token will be
better
• No benefits to using a token on multiple PCs to using
a smart card
• Still working on bugs
42. FUTURE DEVELOPMENT
• Microprocessor Cards (Contactless Smart Card)
• Microprocessor Cards (Combi / Hybrid Cards)
Hybrid Card:
Has two chips: contact and contactless interface.
The two chips are not connected.
Combi Card:
Has a single chip with a contact and contactless interface.
Can access the same chip via a contact or contactless interface, with
a very high level of security.
Editor's notes
Various International Standards for Smart Communication are:
Mobile Telecom Standards
• ETSI: GSM 03.48, TS 23.048
• ETSI & 3G Smart Card Platform (SCP): TS 102.225, 102.226
Government Standards
• US Federal Government: GSC-IS
• Under review (US): FIPS 201, PIV
ISO: new part 13 of 7816 series
• New Work Item from Japan: approved by ISO SC17
• Work assigned to ISO SC17/WG4, editor: Japan
• Scope: commands for application management in multi application environment
• Contribution: a subset of Global Platform Card Specification, endorsed by ANSI
• US official contribution to ISO
MF: Master File: A Root or Master File (MF) is the peak of the hierarchy. It contains information and locations of files contained within it.
DF: Dedicated File: Dedicated Files (DF) contain the actual data files. Dedicated files are like directories on smart cards. They subdivide the cards to hold files called Elementary Files (EF).
EF: Elementary File: The elementary file is where the actual data is stored. It can be of four different types:
• Transparent File
• Linear, Variable Length Record File
• Linear, Fixed Length Record File
• Cyclic, Fixed Length Record File
File Naming and Selection in Data Storage:
• Each file has a 2 byte file ID and an optional 5-bit SFID (both unique within a DF). DFs may optionally have a (globally unique) 16 byte name.
• OS keeps track of a current DF and a current EF.
• Target file specified as either:
DF name
File ID
SFID
Relative or absolute path (sequence of File IDs)
Parent DF