Smart Cards

Future Life
Lt Col Santosh Khadsare FCT&S

Aim of my ppt is to just give you a brief idea about the smart card technology being one of the best steps towards the advancement of science and technology , making our life faster and obviously easier.

Plastic Cards

Visual identity application

Plain plastic card is enough

Magnetic strip (e.g. credit cards)

Visual data also available in machine readable form No security of data

Electronic memory cards

Machine readable data Some security (vendor specific)

What is a Smart Card?

A Smart card is a plastic card about
the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, cash payments , and other applications, and then periodically refreshed for additional use.

What is a smart card?

The standard definition of a a smart card, or integrated circuit card (ICC), is any pocket sized card with embedded integrated circuits.

OR A smart card is a plastic card with a small, built in microcomputer chip and integrated circuit that can store and process a lot of data

History
70s Smart Card First Patent in Germany and later in France and Japan. 80s Mass usage in Pay Phones and Debit Cards. 90s Smart Card based Mobiles Chips & Sim Cards.

History
2000s Payment and Ticketing Applications Credit cards, Mass transit (Smartrip) Healthcare and Identification Insurance information, Drivers license

Dimensions of smart card.

85.6mm x 53.98mm x 0.76mm(defined by ISO 7816)

Why use smart cards?

Can store currently up to 7000 times more data than a magnetic stripe card. Information that is stored on the card can be updated. Magnetic stripe cards are vulnerable to many types of fraud.

Lost/Stolen Cards Skimming Carding/ Phishing

Greatly enhances security by communicating with card readers using PKI algorithms. A single card can be used for multiple applications (cash, identification, building access, etc.) Smart cards provide a 3-fold approach to authentic identification:

Pin Smartcard Biometrics

Card Elements
Magnetic Stripe Logo

Chip
Hologram

Embossing (Card Number / Name / Validity,

etc.)

Smart Cards devices

GND VCC VPP Reset I/O Clock

Varun Arora | varun@varunarora.in | www.varunarora.in

Reserved

Whats in a Card?

CLK

RST Vcc

RFU
GND RFU

Vpp
I/O
Varun Arora | varun@varunarora.in | www.varunarora.in

Electrical signals description

VCC : Power supply input
RST : Either used itself (reset signal supplied from the

interface device) or in combination with an internal reset control circuit (optional use by the card) .
CLK

: Clocking or timing signal (optional use by the Fig : A smart card pin out

card).
GND : Ground (reference voltage).

VPP : Programming voltage input (deprecated / optional use by the card). I/O : Input or Output for serial data to the integrated circuit inside the card.

AUX1(C4): Auxilliary contact; USB devices: D+ AUX2(C8) : Auxilliary contact; USB devices: D-

CARD STRUCTURE
Out of the eight contacts only six are used. Vcc
is the supply voltage, Vss is the ground reference voltage against which the Vcc potential is measured, Vpp connector is used for the high voltage signal,chip receives commands & interchanges data.

Typical Configurations

256 bytes to 4KB RAM. 8KB to 32KB ROM. 1KB to 32KB EEPROM. 8-bit to 16-bit CPU. 8051 based designs are common.

Smart Card Readers

Computer based readers Connect through USB or COM (Serial) ports

Dedicated terminals Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.

Terminal/PC Card Interaction

The terminal/PC sends commands to the card (through the serial line). The card executes the command and sends back the reply. The terminal/PC cannot directly access memory of the card so data in the card is protected from unauthorized access. This is what makes the card smart.

Why Smart Cards?

Security: Data and codes on the card are encrypted by the chip maker. The Smart Cards circuit chip almost impossible to forge. Trust: Minimal human interaction. Portability. Less Paper work: Eco-Friendly

Two Types of Chips

Memory chip

Microprocessor

Acts as a small floppy disk with optional security Are inexpensive Offer little security features

Can add, delete, and manipulate its memory. Acts as a miniature computer that includes an operating system, hard disk, and input/output ports. Provides more security and memory and can even download applications.

From 1 billion to 4 billion units in 10 years

Worldwide smart card shipments
4500 4000 Millions of units 3500 3000 2500 2000 1500 1000 Microprocessor cards Memory cards

4285 3580

3325

2655

500
0

925 960 925 960

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009

Smart Cards in everyday life

Loyalty

Transport

Ticketing

Payment

Health card Smart Poster Communication

Contact Smart Cards

Requires insertion into a smart card reader with a direct connection This physical contact allows for transmission of commands, data, and card status to take place

Contactless smart card:-

Contactless Smart Cards

Require only close proximity to a reader Both the reader and card have antennas through which the two communicate Ideal for applications that require very fast card interfaces

ISO 14443.
International standard. Deals only contactless smart cards. Defines:a. Interface. b. Radio frequency interface. c. Electrical interface. d. Operating distance. Etc..

Dual interface smart cards.

Also called Combi card. Has a single chip over it.

Has both contact as well as contactless interfaces. We can use the same chip using either contact or contactless interface with a high level of security.

Dual interface smart card.

Hybrid smart card.

Two chips. One with contact interface. Other with contactless interface. No connection between the two chips.

Hybrid smart cards.

Categories of Smart Cards

Based on the type of IC chip embedded on the Smart Card. They are categorized into three types : IC Micro Processor Cards IC Memory Cards Optical Memory Cards

Key Attributes
Security
to make the Digital Life safe and enjoyable

Ease of Use
to enable all of us to access to the Digital World

Privacy
to respect each individuals freedom and intimacy

Biometric techniques

Finger print identification.

Features of finger prints can be kept on the card (even verified on the card)
Such information is to be verified by a person. The information can be stored in the card securely

Photograph/IRIS pattern etc.

Smart Card Readers

Dedicated terminals Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.

Computer based readers Connect through USB or COM (Serial) ports

Terminal/PC Card Interaction

The terminal/PC sends commands to the card (through the serial line). The card executes the command and sends back the reply. The terminal/PC cannot directly access memory of the card

data in the card is protected from unauthorized access. This is what makes the card smart.

Communication mechanisms

Communication between smart card and reader is standardized

ISO 7816 standard Interpreted by the card OS Card state is updated Response is given by the card.

Commands are initiated by the terminal

Commands have the following structure

CLA INS P1 P2 Lc 1..Lc Le

Response from the card include 1..Le bytes followed by Response Code

Security Mechanisms

Password

Card holders protection

Entity authentication Persons identification

Cryptographic challenge Response

Biometric information

A combination of one or more

Password Verification

Terminal asks the user to provide a password. Password is sent to Card for verification. Scheme can be used to permit user authentication.

Not a person identification scheme

Varun Arora | varun@varunarora.in | www.varunarora.in

Cryptographic verification

Terminal verify card (INTERNAL AUTH)

Terminal sends a random number to card to be hashed or encrypted using a key. Card provides the hash or cyphertext.

Terminal can know that the card is authentic. Card needs to verify (EXTERNAL AUTH)

Terminal asks for a challenge and sends the response to card to verify Card thus know that terminal is authentic.
Varun Arora | varun@varunarora.in | www.varunarora.in

Primarily for the Entity Authentication

Biometric techniques

Finger print identification.

Features of finger prints can be kept on the card (even verified on the card)
Such information is to be verified by a person. The information can be stored in the card securely.

Photograph/IRIS pattern etc.

Data storage

Data is stored in smart cards in E2PROM

Card OS provides a file structure mechanism

MF

File types
EF EF

DF
DF EF EF

DF
EF

Binary file (unstructured)

Fixed size record file

Variable size record file

File Naming and Selection

Each files has a 2 byte file ID and an optional 5-bit SFID (both unique within a DF). DFs may optionally have (globally unique) 16 byte name. OS keeps tack of a current DF and a current EF. Current DF or EF can be changed using SELECT FILE command. Target file specified as either:

DF name File ID SFID(Short File Identifier, 1 byte) Relative or absolute path (sequence of File IDs). Parent DF

Basic File Related Commands

Commands for file creation, deletion etc., File size and security attributes specified at creation time. Commands for reading, writing, appending records, updating etc.

Commands work on the current EF. Execution only if security conditions are met.

Each file has a life cycle status indicator (LCSI), one of: created, initialized, activated, deactivated, terminated.

Access control on the files

Applications may specify the access controls

A password (PIN) on the MF selection

For example SIM password in mobiles

Multiple passwords can be used and levels of security access may be given

Applications may also use cryptographic authentication

How does it all work?

Card is inserted in the terminal ATR negotiations take place to set up data transfer speeds, capability negotiations etc. Card gets power. OS boots up. Sends ATR (Answer to reset)

Terminal sends first command to select MF

Terminal prompts the user to provide password Terminal sends password for verification Terminal sends command to select MF again Terminal sends command to read EF1

Card responds with an error (because MF selection is only on password presentation)

Card verifies P2. Stores a status P2 Verified. Responds OK Card responds OK Card supplies personal data and responds OK

So many Smart Cards with us at all times..

In our GSM phone (the SIM card) Inside our Wallets Credit/Debit cards HealthCare cards Loyalty cards Our corporate badge Our Passport Our e-Banking OTP

and the list keeps growing

Our Industries Is rapidly changing

Interactive billboards

Transports

New solutions leveraging on mobile contactless services

eTicketing

Retail

Smart Card Applications

Government programs

Banking & Finance Mobile Communication Pay Phone Cards Transportation Electronic Tolls Passports Electronic Cash Retailer Loyalty Programs Information security

Banking and finance

Electronic purse to replace coins for small purchases in vending machines .

Credit and debit cards

Securing payments across the internet

Smart card Pay phones

Outside of the United States there is a widespread use of

payphones phone company does not have to collect coins the users do not have to have coins or remember long access numbers and PIN codes The risk of vandalism is very low since these payphones are smart card-based. Generally, a phone is attacked if there is some money inside it, as in the case of coin-based payphone

Transportation
Drivers license Mass transit fare collection system

Electronic toll collection system

Its no longer only Cards e-Passport: the first Smart Secure Device

45 Millions e-Passport in 2009

E Governance

As the amount of business and holiday travel increases security continues to be a top concern for governments worldwide. When fully implemented smart passport solutions help to reduce fraud and forgery of travel documents. Enhanced security for travellers Philips launched such a project with the US in 2004.

Student id card

All-purpose student ID card (a/k/a campus card), containing a variety of applications such as electronic purse (for vending machines, laundry machines, library card, and meal card).

Threats in Using Smart Cards

failure rate

probability of breaking: keeping in wallets may

damage the chip on the card.

malware attacks: active malwares on systems

may result in modifying the transactions.

OS Based Classification

Smart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being: 1. MultOS 2. JavaCard 3. Cyberflex 4. StarCOS 5. MFC Smart Card Operating Systems or SCOS as they are commonly called, are placed on the ROM and usually occupy lesser than 16 KB. SCOS handle: File Handling and Manipulation. Memory Management Data Transmission Protocols.

ADVANTAGES

Proven to be more reliable than the magnetic stripe card. Can store up to thousands of times of the information than the magnetic stripe card. Reduces tampering and counterfeiting through high security mechanisms such as advanced encryption and biometrics. Can be disposable or reusable. Performs multiple functions. Has wide range of applications (e.g., banking, transportation, healthcare...) Compatible with portable electronics (e.g., PCs, telephones...) Evolves rapidly applying semi-conductor technology

Disadvantages
Smart cards used for client-side identification and authentication are the most secure way for eg. internet banking applications, but the security is never 100% sure. In the example of internet banking, if the PC is infected with any kind of malware, the security model is broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the internet banking application (eg. browser). This would result in modifying transactions by the malware and unnoticed by the user. There is malware in the wild with this capability (eg. Trojan. Silentbanker).

Remedies
Banks like Fortis and Dexia in Belgium combine a Smart card with an unconnected card reader to avoid this problem. The customer enters a challenge received from the bank's website, his PIN and the transaction amount into the card reader, the card reader returns an 8-digit signature. This signature is manually copied to the PC and verified by the bank. This method prevents malware from

changing the transaction amount.

Future Aspects
Soon it will be possible to access the data in Smart cards by the use of Biometrics.
Smart card Readers can be built into future computers or peripherals which will enable the users to pay for goods purchased on the internet. In the near future, the multifunctional smart card will replace the traditional magnetic swipe card. Smart Card is not only a data store, but also a programmable, portable, tamper resistant memory storage.

The Smart card success story

Microprocessor Smart Cards Shipments ( Millions of units )
4000 3500 +10% 3000 2500 2000 1500 +27% 1000 500 0 +15%

295
+31%

225 500

+16%

580
Telecom (SIM) Banking - Retail Identity & others

205 410

+22%

2040

2600

3000

2007

2008

2009

By 2020

20 Billion Smart Secure Devices >4 Billion Mobile Appliances users >4 Billion e-ID documents in use

Conclusion Conclusion:
Smart Cards will evolve into a broader family of Devices Smart Cards will evolve into a broaderfamily of Devices More new shapes for new applications More new shapes for new applications
Our Embedded software and ultra-embedded nanotechnologies virtual digital personal attributes Embedded software to ultra-embedded nanotechnologies The only mistake andavoid for our Industry is to entertain an endless

debate about fears.

We will build the best solutions Industry is to entertain an enjoy The only mistake to avoid for our and the best value for people to endless debate many new services about fears.
We will build the best Education Education moresolutions and the best value for people to enjoy many new services

Political ownership and communication will be key to success

Preparing people to use those Smart Secure Devices is as important as teaching them how to read and write

Education more Education

Preparing people to use those Smart Secure Devices is as important as teaching them how to read and write

Conclusion:
Smart Cards will evolve into a broader family of Devices
More new shapes for new applications Our virtual digital personal attributes Embedded software and ultra-embedded nanotechnologies

The only mistake to avoid for our Industry is to entertain an

endless debate about fears.

We will build the best solutions and the best value for people to enjoy many new services Political ownership and communication will be key to success

Education more Education

Preparing people to use those Smart Secure Devices is as important as teaching them how to read and write

Security of Smart Cards

Public Key Infrastructure (PKI) algorithms such as DES, 3DES, RSA and ECC. Key pair generation. Variable timing/clock fluctuation. 0.6 micron components. Data stored on the card is encrypted. Pin Blocking.

Elliptical Curve Cryptography

y=x+ax+b Q(x,y) =kP(x,y) Uses point multiplication to compute and ECDLP to crack. Beneficial for portable devices. Cryptographic coprocessors can be added to speed up encryption and decryption.

CAIN

Confidentiality is obtained by the encryption of the information on the card. Authenticity is gained by using the PKI algorithm and the two/three factor authentication. Integrity is maintained through error-checking and enhanced firmware. Repudiation is lower because each transaction is authenticated and recorded.

Common and Future Uses of Smart Cards

Current uses:

Chicago Transit Card Speed Pass Amex Blue Card Phone Cards University ID cards Health-care cards Access to high level government facilities.
Federally Passed Real-ID act of 2005. ePassports

Future uses:

Data Structure

Data on Smart Cards is organized into a tree hierarchy. This has one master file (MF or root) which contains several elementary files (EF) and several dedicated files (DF). DFs and MF correspond to directories and EFs correspond to files, analogous to the hierarchy in any common OS for PCs.

Data Structure

However, these two hierarchies differ in that DFs can also contain data. DF's, EF's and MF's header contains security attributes resembling user rights associated with a file/directory in a common OS. Any application can traverse the file tree, but it can only move to a node if it has the appropriate rights. The PIN is also stored in an EF but only the card has access permission to this file.