It has been said that smartcards will one day be as important as computers are today. This statement contains a bit of an error because it implies that smartcards are not computers, when in fact they are.Smartcard’s have proven to be quite useful as a transaction/authorization/identification medium in European countries. As their capabilities grow, they could become the ultimate thin client, eventually replacing all of the things we carry around in our wallets, including credit cards, licenses, cash, and even family photographs.
A smart card – a type of chip card – is a plastic card embedded with a computer chip that stores and transacts data between users. This data is associated with either value or information or both and is stored and processed within the card’s chip, either a memory or microprocessor. The card data is transacted via a reader that is part of a computing system. Infact any plastic card is made “smart” by including an I-chip.
Smart card resembles a credit card in size and shape, but inside it is completely different. First of all, it has an inside -- a normal credit card is a simple piece of plastic. The inside of a smart card usually contains an embedded 8-bit microprocessor. The microprocessor is under a gold contact pad on one side of the card. Think of the microprocessor as replacing the usual magnetic stripe on a credit card or debit card.
Smart cards are much more popular in
Magnetic stripe technology remains in wide use in the
The microprocessor on the smart card is there for security. The host computer and card reader actually "talk" to the microprocessor. The microprocessor enforces access to the data on the card. If the host computer read and wrote the smart card's random access memory (RAM), it would be no different than a diskette.
Smarts cards may have up to 1 kilobyte of RAM, 24 kilobytes of ROM, 16 kilobytes of programmable ROM, and an 8-bit microprocessor running at 5 MHz. The smart card uses a serial interface and receives its power from external sources like a card reader. The processor uses a limited instruction set for applications such as cryptography.
The most common smart card applications are:
- Credit cards
- Electronic cash
- Computer security systems
- Wireless communication
- Loyalty systems (like frequent flyer points)
- Banking
- Satellite TV
- Government identification
Smart Card Specifications:
The smart card is one of the latest additions to the world of information technology. ISO uses the term, Integrated Circuit Card (ICC) to encompass all those devices where an integrated circuit is contained within an ISO ID1 identification card piece of plastic. The card is 85.6mm x 53.98mm x 0.76mm and is the same as the ubiquitous bank card with its magnetic stripe that is used as the payment instrument for numerous financial schemes.
Integrated Circuit Cards come in two forms, contact and contact less. The former is easy to identify because of its gold connector plate. Although the ISO Standard (7816-2) defined eight contacts, only 6 are actually used to communicate with the outside world.
->The contact less card may contain its own battery, particularly in the case of a "Super Smart Card" which has an integrated keyboard and LCD display. In general however the operating power is supplied to the contact less card electronics by an inductive loop using low frequency electronic magnetic radiation. The communications signal may be transmitted in a similar way or can use capacitive coupling or even an optical connection. The Contact Card is the most commonly seen ICC to date. Most contact cards contain a simple 6 integrated circuit although various experiments have taken place using two chips. The chip itself varies considerably between different manufacturers and for a whole gambit of application.
Vcc - is the supply voltage that drives the chips and is generally 5 volts. It should be noted however that in the future we are likely to see a move towards 3 volts taking advantage of advanced semiconductor technology and allowing much lower current levels to be consumed by the integrated circuit.
Vss - is the substrate or ground reference voltage against which the Vcc potential is measured.
Reset - is the signal line that is used to initiate the state of the integrated circuit after power on and is used to start up the program contained in the IC ROM.
Clock signal - is used to drive the logic of the IC and is also used as the reference for the serial communications link. There are two commonly used clock speeds, 3.5795 MHz and 4.9152 MHz.
Vpp - connector is used for the high voltage signal that is necessary to program the EPROM memory.
Serial I/O (SIO) – connector is the signal line by which the chip receives commands and interchanges data with the outside world.
What does the chip contain?
Well, the primary use of the IC card is for the portable storage and retrieval of data. Hence the fundamental component of the IC is a memory module. The following list represents the more commonly used memory types:
Ø ROM Read only memory (mask ROM)
Ø PROM Programmable read only memory
Ø EPROM Erasable programmable ROM
Ø EEPROM Electrically erasable PROM
Ø RAM Random access memory
How the IC card is made
The manufacture of a Smart Card involves a large number of processes of which the embedding of the chip into the plastic card is key in achieving an overall quality product, which is referred to as card fabrication. The whole operation starts with the application requirements specification. From the requirements individual specifications can be prepared for the chip, card, mask ROM software and the application software. The ROM software is provided to the semiconductor supplier who manufactures the chips. The card fabricator embeds the chip in the plastic card. It is also quite normal for the fabricator to load the application software and personalization data. Security is a fundamental aspect in the manufacture of a Smart Card and is intrinsic to the total process.
Advantages of smart card over credit cards:
Well, a smart card:
- is more reliable than a magnetic stripe card
- currently can store a hundred times more information than a magnetic stripe card
- is more difficult to tamper with than magnetic stripes
- can be disposable or reusable
- can perform multiple functions in a wide range of industries
- is compatible with portable electronic devices such as phones, personal digital assistants (PDA s), and PCs is constantly evolving(after all, it incorporates a computer chip)
Three significant interfaces have occurred recently in the smart card industry are:-
PC/SC Microsoft and several other companies introduced PC/SC, a smart card application interface for communicating with smart cards from Win32-based platforms for personal computers. PC/SC does not currently support non-Win32-based systems and may never do so.
OpenCardFramework:
Open Card is an open standard that provides interoperability of smart card applications across NCs, POS, desktops, laptops, set tops, and so on. Open Card promises to provide 100% pure Java smart card applications. Smart card applications often are not pure because they communicate with an external device and/or use libraries on the client. Open Card also provides developers with an interface to PC/SC for use of existing devices on Win32 platforms.
JavaCard:
Java Card was introduced by Schlumberger and submitted as a standard by Java Soft recently. Schlumberger has the only Java card on the market currently, and the company is the first Java Card licensee. Java Card is comprised of standard classes and APIs that let Java applets run directly on a standard ISO 7816 compliant card. Java Cards enable secure and chip-independent execution of different applications.
ISO and ICC
The International Organization for Standardization (ISO) standard 7810 “Identification Cards – Physical Characteristics” defines physical properties such as flexibility, temperature resistance, and dimensions for three different card formats (ID-1, ID-2, and ID-3). The Smart Card standard, ISO 7816, is based on the ID-1 format. In order to give perspective, several different types of ID-1 cards will be described in this section. One type in particular, namely cryptographic coprocessor cards, are becoming very important to current computer and network security systems.
Embossed
Embossing allows for textual information or designs on the card to be transferred to paper by using a simple and inexpensive device. ISO 7811 specifies the embossed marks, covering their form, size, embossing height, and positioning. Transfer of information via embossing may seem primitive, but the simplicity of the system has made worldwide proliferation possible.
Magnetic Stripe
The primary advantage that magnetic stripe technology offers over embossing is a reduction in the flood of paper documents. Parts 2, 4, and 5 of ISO 7811 specify the properties of the magnetic stripe, coding techniques, and positioning. The stripe’s storage capacity is about 1000 bits and anyone with the appropriate read/write device can view or alter the data.
Smartcards
The following Integrated Circuit Cards have conventionally come to be known as “Smartcards”. These are the newest and most clever additions to the ID-1 family, and they also follow the details laid down in the ISO 7816 series. These types of cards allow far greater orders of magnitude in terms of data storage cards with over 20 Kbytes of memory are currently available. Also, and perhaps most important, the stored data can be protected against unauthorized access and tampering. Memory functions such as reading, writing, and erasing can be linked to specific conditions, controlled by both hardware and software. Another advantage of smartcards over magnetic stripe cards is that they are more reliable and have longer expected lifetimes.
Types of smart cards:
There are basically five types of smart cards.
Here will focus on two types of smart cards -- memory and process. - memory cards
- processor cards
- electronic purse cards
- security cards
- JavaCard
Memory Cards
Though referred to as smartcards, memory cards are typically much less expensive and much less functional than microprocessor cards. They contain EEPROM and ROM memory, as well as some address and security logic. In the simplest designs, logic exists to prevent writing and erasing of the data. More complex designs allow for memory read access to be restricted. Typical memory card applications are pre-paid telephone cards and health insurance cards.
Microprocessor Cards
Components of this type of architecture include a CPU, RAM, ROM, and EEPROM. The operating system is typically stored in ROM, the CPU uses RAM as its working memory, and most of the data is stored in EEPROM. A rule of thumb for smartcard silicon is that RAM requires four times as much space as EEPROM, which in turn requires four times as much space as ROM.
Contactless Smartcards
These cards need no longer be inserted into a reader, which could improve end user acceptance. No chip contacts are visible on the surface of the card so that card graphics can express more freedom. The cost is higher as compared to others.
Smart Card Applications
The practical applications of a smart card can be broadly classified into 3 main categories as shown in Figure.
- Data carrier: The card is used as a convenient, portable and secure means of storing information (e.g. medical record).
- Identification: The card provides a secure means of identifying the holder so as to allow access (e.g. PC access authorization).
- Financial: The card can be used for transactions as a replacement for cheques.
Some of the application will be discussed as followed.
Transportation
With billions of transport transactions occurring each day, smart cards have easily found a place in this rapidly growing market. A few of the numerous examples of smart cards in transportation are:
(1) Public Transport
Using contact less smart cards allows a passenger to ride several buses and trains during his daily commute to work while not having to worry about complex fare structures or carrying change.
In London
(2) Electronic Toll Collection
In Singapore
The ERP system consists of three main components: the In-vehicle unit (IU), the gantry, and the central computer system. The IU is an electronic device installed in the vehicle that accepts a stored value Cash Card (smart card). The IU deducts the appropriate ERP charges from the Cash Card each time the vehicle passes through an ERP gantry. Registration plates of vehicles making illegal entries, such as those without an In-vehicle unit, without a Cash Card, or with an insufficient balance on the Cash Card will be photographed by the gantry cameras, for subsequent enforcement action.
(1) Prepaid Telephone Cards
Public telephone using cash are expensive to build as they must be very robust to protect the cash from theft, expensive to operate as there is a need for cash collection and unreliable as cash mechanism become full, jammed.
With smart card, overhead on the line can be minimized as smart card phone can operate offline during a call and only exchange control information with a host computer on a periodic basis. In addition, due to its computational power, smart card open the possibility of the card being used across borders; each operator can make available its public key to the others, thus allowing them to authenticate all cards.
Currently about 80 countries throughout the world use smart cards in payphones. Smart cards are already being used at:
- Toll booths.
- Parking lots.
- Gas stations.
- Vending machines.
- Arcade games.
(2) Securing Mobile Phones
The GSM radio telephone system (Global System for Mobile Communications), which originated in Europe not only allows each national operator to keep control of the security and payment aspects, but at the same time facilitates cross border use of the mobile phones (known as roaming).
The GSM uses a smart card which stores all the personal information of the subscriber. The smart card is inserted into any GSM phone for proper operation. Calls to the subscriber mobile number will be directed accordingly and bills will be charged to the subscriber's personal account. Secure data concerning the GSM subscription is held in the smart card, not in the telephone. A secret code, known as PIN (Personal Identification Number), is also incorporated to protect the subscriber form misuse and fraud.
Utilities
Electric utility companies in the United Kingdom France
Customers can also use card to access information about their account such as amount remaining, amount consumed yesterday or last month, and amount of last credit. An emergency threshold is built in to allow customers to use electricity and pay at a later time. Once the emergency threshold is consumed, electricity is shut off.
Computer Security
(1) Boot Integrity Token System (BITS)
The Boot Integrity Token System (BITS) was developed to protect computer systems from a large number of viruses that affect the booting system, and enforce control of access. BITS is designed so that the computer boots from a boot sector stored on the smart card, bypassing the boot sector on the computer which can easily be infected by a virus.
(2) Authentication in Kerberos
In an open distributed computing environment (DCE), a workstation cannot be trusted to identify its users because the workstation may not be located in a well controlled environment and may be far away from the central server. In order to protect a system from being attacked by remote network hosts, a certain kind of authentication must be taken into account.
Kerberos is one of the systems which provides trusted third-party authentication services to authenticate users on a distributed network environment. Basically, when a user or client requests an access to a particular service from the server, he/she has to obtain a ticket or credential from the Kerberos authentication server (AS). The user then presents that credential to the ticket granting server (TGS) and obtains a service ticket. Hence, the user can request for service by submitting the service ticket to the desired server. Figure shows this authentication protocol.
But an attacker can obtain the credential of another user, and perform off-line attack by using a password guessing approach as the ticket is sealed by password only. This security weakness of Kerberos is pointed out by Mark and Gary (1995) in one of their papers "Integrating Smart Card into Authentication Systems".
In their report, they proposed to integrate smart card into the Kerberos system to overcome this problem. Six different schemes are proposed. The whole idea is to enhance the security of Kerberos authentication by authenticating the user directly at the beginning and before the granting of the initial ticket, so that one user cannot have the ticket of another. And, "the use of smart card requires user logging into the system not only recall a password, but also to be in possession of a token"
Medical / Health
Smart cards can also carry medical information such as details of medical insurance coverage, drug sensitivities, medical records, name and phone number of doctors, and other information vital in an emergency.
In the United States Oklahoma City
Several countries including Spain South Korea Spain
Multi-Applications Smart Card
Most of the smart card systems in use today serve one purpose and are related to just one process which require users to carry multiple cards for multiple applications.
In fact, smart card has the capability to integrate those applications together to form a multiple application card by utilizing its embedded microprocessor and memory storage spaces. However, this kind of integration is always limited by some of the external logical elements rather than technical issues.
At the card level we do not have a fully specified operating system interface, we do not have a properly specified directory structure, application naming standards are incomplete and card level data structures are not fully specified.
Generic Smart Card Operating System
In order to integrate all the applications into a single multi-application card, chip manufacturers, like GemPlus, is now looking forward to develop a generic smart card operating system using Java™, despite the lack of standardization. In fact, GemPlus has started using its first Java Card 2.0 base smart card (GEMENOS, France).
Generic smart cards are smart cards that look like PCs. They do not have any application-oriented functions in their basic functionalities. Consequently, the smart card program is a real operating system which role is to manage the smart card hardware resources for smart card applications. Applications are not pre-defined, they can be dynamically downloaded. The smart card operating system allocates memory for storing application data and activates application functions on reception of commands. For security reasons inherent to smart card micro-controllers, application functions are run on
ISO/IEC standards 11693 and 11694 define standards for optical memory cards. These cards can carry many megabytes of data, but the cards can only be written once and never erased with today’s technology. Though the read and write devices for optical cards are still very expensive, they may find use in applications such as health care where large amounts of data must be stored.
Data Transmissions in smart cards
All communications to and from the smartcard are carried out over the C7 contact. Thus, only one party can communicate at a time, whether it is the card or the terminal. This is termed “half-duplex”. Communication is always initiated by the terminal, which implies a type of client/server relationship between card and terminal.
After a card is inserted into a terminal, it is powered up by the terminal, executes a power-on-reset, and sends an Answer to Reset (ATR) to the terminal. The ATR is parsed, various parameters are extracted, and the terminal then submits the initial instruction to the card. The card generates a reply and sends it back to the terminal. The client/server relationship continues in this manner until processing is completed and the card is removed from the terminal. The physical transmission layer is defined in ISO/IEC 7816-3. It defines the voltage level specifics which end up translating into the “0” and “1” bits.
Logically, there are several different protocols for exchanging information in the client/server relationship. They are designated
“T=” plus a number. The two protocols most commonly seen are T=0 and T=1, T=0 being the most popular.
A brief overview of the T=0 protocol is given below. The references contain more detailed information and descriptions of all the protocols.
In the T=0 protocol, the terminal initiates communications by sending a 5 byte instruction header which includes a class byte (CLA), an instruction byte (INS), and three parameter bytes (P1, P2, and P3). This is followed optionally by a data section. Most commands are either incoming or outgoing from the card’s perspective and the P3 byte specifies the length of the data that will be incoming or outgoing. Error checking is handled exclusively by a parity bit appended to each transmitted byte. If the card correctly receives the 5 bytes, it will return a one-byte acknowledgment equivalent to the received INS byte.
If the terminal is sending more data (incoming command) it will send the number of bytes it specified in P3. Now the card has received the complete instruction and can process it and generate a response. All commands have a two-byte response code, SW1 and SW2, which reports success or an error condition. If a successful command must return additional bytes, the number of bytes is specified in the SW2 byte. In this case, the GET RESPONSE command is used, which is itself a 5-byte instruction conforming to the protocol. In the GET RESPONSE instruction, P3 will be equal to the number of bytes specified in the previous SW2 byte. GET RESPONSE is an outgoing command from the card’s point of view. The terminal and card communicate in this manner, using incoming or outgoing commands, until processing is complete.
Creating environment for building smart card apps
In order to develop smart card applications, you need a few things, namely: a smart card reader; software to communicate with the reader as well as some software to communicate with the card that has been plugged into the reader; and, of course, smart cards and smart-card hardware.
In order to develop smart card applications, you need a few things, namely: a smart card reader; software to communicate with the reader as well as some software to communicate with the card that has been plugged into the reader; and, of course, smart cards and smart-card hardware.
To communicate with a smart card or develop an application that is smart-card capable, you must have a reader. The reader provides a path for your application to send and receive commands from the card. There are many types of readers on the market, the most prevalent being the serial, PC Card, and keyboard models.
This article uses serial readers to support the devices. A serial reader connects to a computer's serial port. Note that the code provided also supports a PC Card reader; most laptops come with PC Card slots built in.
Each manufacturer provides a different protocol for speaking to a reader. Once you can communicate with the reader, there is one protocol for communicating with a smart card: Communication with a smart card is based on the APDU format.
Software for communicating with the reader:
A number of object-oriented classes are needed for the smart card example included in this article. These are:
- ISO command classes for communicating with 7816 protocol
- Classes for communicating with the reader
- Classes for converting data to a manufacturer-specific format
- An application for testing and using the cards for the purpose for which the application was designed
Security Related Standards
Many of the standards thus far mentioned focus on the details of the smartcard, read/write terminal, and low-level software layers. Another important class of standards focuses on how smartcards are integrated into applications that provide computer and network security. This section discusses the principles of these standards, prominent standards, and the players that define and utilize them.
Principles of Smartcard Security Standards
Any standard designed to facilitate the integration of smartcards into computer security systems should follow certain principles in order to be useful and gain acceptance.
Prominent Smartcard Specifications and Standards
The following are emerging as important standards with respect to the integration of smartcards into computer and network
Security applications:
Common Data Security Architecture
Developed by Intel, the Common Data Security Architecture (CDSA) provides an open, interoperable, extensible, and cross-platform software framework that makes computer platforms more secure for all applications including electronic commerce, communications, and digital content. The CDSA 2.0 specifications were adopted by The Open Group in December 1997.
· The card can carry personal account, credit and buying preference information that can be accessed with a mouse click instead of filling out forms.
· Cards can manage and control expenditures with automatic limits and reporting.
· Internet loyalty programs can be deployed across multiple vendors with disparate POS systems and the card acts as a secure central depository for points or rewards.
· ”Micro Payments” - paying nominal costs without transaction fees associated with credit cards or for amounts too small for cash ,like reprint charges.
is dis an ieee paper??
ReplyDelete