Smart Cards

Future Life………

Santosh Khadsare
Aim of my ppt is to just give you a brief
idea about the smart card technology
being one of the best steps towards the
advancement of science and technology ,
making our life faster and obviously
easier.
 Plastic Cards
 Visual identity application
 Plain plastic card is enough
 Magnetic strip (e.g. credit cards)
 Visual data also available in machine readable form
 No security of data

 Electronic memory cards

 Machine readable data
 Some security (vendor specific)
What is a Smart Card?
A Smart card is a plastic card about
the size of a credit card, with an
embedded microchip that can be
loaded with data, used for telephone
calling, cash payments , and other
applications, and then periodically
refreshed for additional use.
What is a smart card?
 History

70’s
Smart Card First Patent in Germany and later in
France and Japan.
80’s
Mass usage in Pay Phones and Debit Cards.
90’s
Smart Card based Mobiles Chips & Sim Cards.
 History
2000’s

Payment and Ticketing Applications

Credit cards, Mass transit (Smartrip)

Healthcare and Identification

Insurance information, Drivers license
 Dimensions of smart card.
85.6mm x 53.98mm x 0.76mm(defined by ISO 7816)
 Why use smart cards?
 Can store currently up to 7000 times more data than a magnetic stripe card.
 Information that is stored on the card can be updated.
 Magnetic stripe cards are vulnerable to many types of fraud.
 Lost/Stolen Cards
 Skimming
 Carding/ Phishing
 Greatly enhances security by communicating with card readers using PKI
algorithms.
 A single card can be used for multiple applications (cash, identification,
building access, etc.)
 Smart cards provide a 3-fold approach to authentic identification:
• Pin
• Smartcard
• Biometrics
 Card Elements
Magnetic Stripe

Logo

Chip

Hologram

Embossing
(Card Number / Name / Validity, etc.)
Smart Cards devices

GND
VCC
VPP
Reset
I/O
Clock Varun Arora |
[email protected] |
Reserved www.varunarora.in
 What’s in a Card?

CL RST
K Vcc
RFU

GND

RFU
Vpp
I/O

Varun Arora |
[email protected] |
www.varunarora.in
 Electrical signals description
VCC : Power supply input
RST : Either used itself (reset signal supplied from the

interface device) or in combination with an internal

reset control circuit (optional use by the card) .
CLK
: Clocking or timing signal (optional use by the
card).
Fig : A smart card pin out
GND : Ground (reference voltage).

VPP : Programming voltage input (deprecated / optional use by the card).

I/O : Input or Output for serial data to the integrated circuit inside the card.
AUX1(C4): Auxilliary contact; USB devices: D+
AUX2(C8) : Auxilliary contact; USB devices: D-
CARD STRUCTURE

Out of the eight contacts only six are used. Vcc is

the supply voltage, Vss is the ground reference

voltage against which the Vcc potential is
measured, Vpp connector is used for the high
voltage signal,chip receives commands &
interchanges data.
 Typical Configurations
 256 bytes to 4KB RAM.
 8KB to 32KB ROM.
 1KB to 32KB EEPROM.
 8-bit to 16-bit CPU. 8051 based designs
are common.
 Smart Card Readers
Computer based readers
Connect through USB or COM (Serial) ports

Dedicated terminals
Usually with a small screen, keypad, printer,
often also have biometric devices such as thumb
print scanner.
 Terminal/PC Card Interaction
 The terminal/PC sends commands to the card
(through the serial line).
 The card executes the command and sends back
the reply.
 The terminal/PC cannot directly access memory
of the card so
data in the card is protected from
unauthorized access. This is what makes the
card smart.
Why Smart Cards?

Security: Data and codes on the card are encrypted by the

chip maker. The Smart Card’s circuit chip almost impossible
to forge.
Trust: Minimal human interaction.
Portability.
Less Paper work: Eco-Friendly
 Two Types of Chips
Memory chip Microprocessor
 Acts as a small floppy  Can add, delete, and
disk with optional manipulate its memory.
security  Acts as a miniature
 Are inexpensive computer that includes an
 Offer little security operating system, hard
features disk, and input/output
ports.
 Provides more security and
memory and can even
download applications.
From 1 billion to 4 billion units in 10
years…
Worldwide smart card shipments
4500 4285
4000
3580
3500 Microprocessor cards
Millions of units

Memory cards
3000
2500 3325
2655
2000
1500
1000
500 925 960
925 960
0
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
 Smart Cards in
everyday life…

Loyalty

Transport

Ticketing

Payment

Health card

Smart Poster

Communication
 Contact Smart Cards
 Requires insertion into a
smart card reader with a
direct connection
 This physical contact
allows for transmission of
commands, data, and card
status to take place
Contactless smart card:-
 Contactless Smart Cards

 Require only close proximity to a

reader
 Both the reader and card have
antennas through which the two
communicate
 Ideal for applications that require
very fast card interfaces
 ISO 14443.
 International standard.
 Deals – only contactless smart cards.

 Defines:-

a. Interface.

b. Radio frequency interface.

c. Electrical interface.

d. Operating distance.

Etc…..
 Dual interface smart cards.
 Also called Combi card.

 Has a single chip over it.

 Has both contact as well as contactless

interfaces.

 We can use the same chip using either contact or

contactless interface with a high level of security.
Dual interface smart card.
 Hybrid smart card.

 Two chips.
 One with contact interface.

 Other with contactless interface.

 No connection between the two chips.

Hybrid smart cards.
 Categories of Smart Cards

Based on the type of IC chip

embedded on the Smart Card.
They are categorized into
three types :-
 IC Micro Processor Cards
 IC Memory Cards
 Optical Memory Cards
 Key Attributes

Security
to make the Digital Life safe and enjoyable
Ease of Use
to enable all of us to access to the Digital World
Privacy
to respect each individual’s freedom and intimacy

E
SAF
 Biometric techniques
 Finger print identification.
 Features of finger prints can be kept on the card
(even verified on the card)
 Photograph/IRIS pattern etc.
 Such information is to be verified by a person. The
information can be stored in the card securely
 Smart Card Readers
 Dedicated terminals
 Computer based readers
 Usually with a small
Connect through USB or
screen, keypad, printer, COM (Serial) ports
often also
have biometric devices
such as thumb print
scanner.
 Terminal/PC Card Interaction
 The terminal/PC sends commands to the card
(through the serial line).
 The card executes the command and sends back
the reply.
 The terminal/PC cannot directly access memory
of the card
 data in the card is protected from unauthorized
access. This is what makes the card smart.
 Communication mechanisms
 Communication between smart card and reader is
standardized
 ISO 7816 standard
 Commands are initiated by the terminal
 Interpreted by the card OS
 Card state is updated
 Response is given by the card.
 Commands have the following structure

CLA INS P1 P2 Lc 1..Lc Le

 Response from the card include 1..Le bytes followed by
Response Code
 Security Mechanisms
 Password
 Card holder’s protection
 Cryptographic challenge Response
 Entity authentication
 Biometric information
 Person’s identification
 A combination of one or more
 Password Verification
 Terminal asks the user to provide a password.
 Password is sent to Card for verification.
 Scheme can be used to permit user
authentication.
 Not a person identification scheme

Varun Arora |
[email protected] |
www.varunarora.in
 Cryptographic verification
 Terminal verify card (INTERNAL AUTH)
 Terminal sends a random number to card to be hashed
or encrypted using a key.
 Card provides the hash or cyphertext.
 Terminal can know that the card is authentic.
 Card needs to verify (EXTERNAL AUTH)
 Terminal asks for a challenge and sends the response to
card to verify
 Card thus know that terminal is authentic.
 Primarily for the “Entity Authentication”
Varun Arora |
[email protected] |
www.varunarora.in
 Biometric techniques
 Finger print identification.
 Features of finger prints can be kept on the card
(even verified on the card)
 Photograph/IRIS pattern etc.
 Such information is to be verified by a person. The
information can be stored in the card securely.
 Data storage
 Data is stored in smart cards in E2PROM
 Card OS provides a file structure mechanism

MF File types
Binary file (unstructured)
DF DF EF EF
Fixed size record file
DF EF Variable size record file

EF EF
 File Naming and Selection
 Each files has a 2 byte file ID and an optional 5-bit
SFID (both unique within a DF). DFs may
optionally have (globally unique) 16 byte name.
 OS keeps tack of a current DF and a current EF.
 Current DF or EF can be changed using SELECT
FILE command. Target file specified as either:
 DF name
 File ID
 SFID(Short File Identifier, 1 byte)
 Relative or absolute path (sequence of File IDs).
 Parent DF
 Basic File Related Commands
 Commands for file creation, deletion etc., File size
and security attributes specified at creation time.
 Commands for reading, writing, appending records,
updating etc.
 Commands work on the current EF.
 Execution only if security conditions are met.
 Each file has a life cycle status indicator (LCSI),
one of: created, initialized, activated, deactivated,
terminated.
 Access control on the files
 Applications may specify the access controls
 A password (PIN) on the MF selection
 For example SIM password in mobiles
 Multiple passwords can be used and levels of
security access may be given
 Applications may also use cryptographic
authentication
An example scenario (institute ID
card) What happens
Read: ifFree
the user
Select: P2 Write:
forgets his upon
Security verification
requirements:
password?
verification EF1 (personal data) by K1, K2 or K3
EF1:
Solution1: Add supervisor
Name: Varun Arora
PF/Roll: 13 password
Should be modified only by
MF Read: Free
the DOSA/DOFA/Registrar
Solution2: Allow
EF2 (Address) Write: Password to
DOSA/DOFA/Registrar
Readable to all (P1)
Verification
#320, MSc (off) modify EF3
475, SICSR (Res) EF2:
Solution3: Allow both to
Card holder should be able
happen
to modify
EF3 (password) EF4 (keys)
EF3 (password) K1 (DOSA’s key)
P1 (User password) Read: Never
P1 (User password) K2 (DOFA’s key)
P2 (sys password) Write: Once
K3 (Registrar’s key)

Read: Never
Write: Password
Verification (P1)
An example scenario (institute ID
card)
EF1 (personal data) Library manages its
own keys in EF3
EF2 (Address)
under DF1
MF
EF3 (password)
Institute manages its
EF4 (keys) keys and data under
Modifiable: By admin
DF1 (Lib) MF staff. Read: all
EF2 (Privilege info) Thus library can
EF1 (Issue record)
Max Duration: 20 days develop applications
Max Books: 10 independent of the
Bk# dt issue dt retn Reserve Collection: Yes rest.
EF3: Keys
Bk# dt issue dt retn
K1: Issue staff key
K2: Admin staff key
Bk# dt issue dt retn Modifiable: By issue
Bk# dt issue dt retn staff. Read all
 How does it all work?
Card is inserted in the terminal
Card gets power. OS boots up.
Sends ATR (Answer to reset)
ATR negotiations take place to
set up data transfer speeds,
capability negotiations etc.

Terminal sends first command to Card responds with an error

select MF
Terminal prompts the user to
provide password
Terminal sends password for
verification
Terminal sends command to
select MF again
Terminal sends command to read EF1
(because MF selection is only on
password presentation)
Card verifies P2. Stores a status
“P2 Verified”. Responds “OK”
Card responds “OK”
Card supplies personal data and
responds “OK”
 So many Smart Cards with us at all
times…..
 In our GSM phone (the SIM card)
 Inside our Wallets
 Credit/Debit cards

 HealthCare cards

 Loyalty cards

 Our corporate badge

 Our Passport
 Our e-Banking OTP

 … and the list keeps growing

Our Industries Is rapidly changing

Interactive billboards Transports

New solutions leveraging

on mobile contactless
services

eTicketing Retail
 Smart Card Applications

Government programs
 Banking & Finance
 Mobile Communication
 Pay Phone Cards
 Transportation
 Electronic Tolls
 Passports
 Electronic Cash
 Retailer Loyalty Programs
 Information security
 Banking and finance

Electronic purse to replace coins for small purchases in vending

machines .

Credit and debit cards

Securing payments across the internet

 Smart card Pay phones

 Outside of the United States there is a widespread use of

payphones
 phone company does not have to collect coins
 the users do not have to have coins or remember long
access numbers and PIN codes
 The risk of vandalism is very low since these payphones are
smart card-based. “Generally, a phone is attacked if there is
some money inside it, as in the case of coin-based payphone
 Transportation

 Driver’s license

 Mass transit fare collection system

 Electronic toll collection system

 It’s no longer only «Cards»
e-Passport: the first Smart Secure Device

45 Millions e-Passport in 2009

 E Governance
 As the amount of business and holiday travel
increases security continues to be a top concern for
governments worldwide.
 When fully implemented smart passport solutions
help to reduce fraud and forgery of travel
documents.
 Enhanced security for travellers
 Philips launched such a project
with the US in 2004.
 Student id card
 All-purpose student ID card (a/k/a campus
card), containing a variety of applications
such as electronic purse (for vending
machines, laundry machines, library card, and
meal card).
 Threats in Using Smart
Cards

failure rate
probability of breaking: keeping in wallets may
damage the chip on the card.
malware attacks: active malwares on systems
may result in modifying the transactions.
 OS Based Classification
 Smart cards are also classified on the basis of their Operating System. There
are many Smart Card Operating Systems available in the market, the main
ones being:
1. MultOS
2. JavaCard
3. Cyberflex
4. StarCOS
5. MFC
Smart Card Operating Systems or SCOS as they are commonly called, are
placed on the ROM and usually occupy lesser than 16 KB. SCOS handle:
• File Handling and Manipulation.
• Memory Management
• Data Transmission Protocols.
 ADVANTAGES
 Proven to be more reliable than the magnetic stripe card.
 Can store up to thousands of times of the information than the magnetic stripe card.
 Reduces tampering and counterfeiting through high security mechanisms such as
advanced encryption and biometrics.
 Can be disposable or reusable.
 Performs multiple functions.
 Has wide range of applications (e.g., banking, transportation, healthcare...)
 Compatible with portable electronics (e.g., PCs, telephones...)
 Evolves rapidly applying semi-conductor technology
 Disadvantages
Smart cards used for client-side identification and
authentication are the most secure way for eg. internet banking
applications, but the security is never 100% sure.
In the example of internet banking, if the PC is infected with
any kind of malware, the security model is broken. Malware
can override the communication (both input via keyboard and
output via application screen) between the user and the
internet banking application (eg. browser). This would result in
modifying transactions by the malware and unnoticed by the
user. There is malware in the wild with this capability (eg.
Trojan. Silentbanker).
 Remedies…
Banks like Fortis and Dexia in Belgium combine a Smart card with an unconnected card reader to
avoid this problem. The customer enters a challenge received from the bank's website, his PIN and
the transaction amount into the card reader, the card reader returns an 8-digit signature. This
signature is manually copied to the PC and verified by the bank. This method prevents malware from
changing the transaction amount.
 Future Aspects
 Soon it will be possible to access the data in Smart cards by the use of Biometrics.
 Smart card Readers can be built into future computers or peripherals
which will enable the users to pay for goods purchased on the internet.
 In the near future, the multifunctional smart card will replace the
traditional magnetic swipe card.
 Smart Card is not only a data store, but also a programmable, portable,
tamper resistant memory storage.
 The Smart card success story
Microprocessor Smart Cards Shipments ( Millions of units )

4000 295
+31%
3500
+10%
225 580
+16%
Telecom (SIM)
3000
205 +22%
500
2500 Banking - Retail
410
2000 Identity & others
+15%
1500 3000
+27% 2600
1000 2040
500

0
2007 2008 2009
 By 2020 …

20 Billion Smart Secure Devices

>4 Billion Mobile Appliances users

>4 Billion e-ID documents in use

 Conclusion:
Conclusion…
• Smart
• Smart Cards
Cards will
will evolveinto
evolve into aa broader
broader family
familyofofDevices
Devices
• More
• More new shapes
new shapes for newfor new applications
applications
• Our• virtual
Embedded software
« digital personaland ultra-embedded
attributes » nanotechnologies
•• The
Embedded software and
only mistake ultra-embedded
to avoid nanotechnologies
for our Industry is to entertain an endless
debate about fears.
• Wemistake
• The only will build to
theavoid
best solutions
for our and the best
Industry isvalue for peoplean
to entertain to endless
enjoy
debate many
aboutnew services
fears.
•• Education
We will build…
themore Education
best solutions and the best value for people to enjoy many new
services
• Preparing people to use those Smart Secure Devices is as important as
• Political
teachingownership and communication
them how will be key to success
to read and write

• Education … more Education

• Preparing people to use those Smart Secure Devices is as important as teaching them
how to read and write
 Conclusion:
• Smart Cards will evolve into a broader family of Devices
• More new shapes for new applications
• Our virtual « digital personal attributes »
• Embedded software and ultra-embedded nanotechnologies

• The only mistake to avoid for our Industry is to entertain an

endless debate about fears.
• We will build the best solutions and the best value for people to enjoy many new
services
• Political ownership and communication will be key to success

• Education … more Education

• Preparing people to use those Smart Secure Devices is as important as teaching
them how to read and write
 Security of Smart Cards
 Public Key Infrastructure (PKI) algorithms such
as DES, 3DES, RSA and ECC.
 Key pair generation.
 Variable timing/clock fluctuation.
 0.6 micron components.
 Data stored on the card is encrypted.
 Pin Blocking.
 Elliptical Curve Cryptography
 y²=x³+ax+b
 Q(x,y) =kP(x,y)
 Uses point multiplication to
compute and ECDLP to
crack.
 Beneficial for portable
devices.
 Cryptographic coprocessors
can be added to speed up
encryption and decryption.
 CAIN
 Confidentiality is obtained by the encryption of
the information on the card.
 Authenticity is gained by using the PKI
algorithm and the two/three factor
authentication.
 Integrity is maintained through error-checking
and enhanced firmware.
 Repudiation is lower because each transaction is
authenticated and recorded.
 Common and Future Uses of Smart
Cards
 Current uses:
 Chicago Transit Card
 Speed Pass
 Amex Blue Card
 Phone Cards
 University ID cards
 Health-care cards
 Access to high level
government facilities.
 Future uses:
 Federally Passed Real-ID
act of 2005.
 ePassports
 Data Structure
 Data on Smart Cards is organized into a tree
hierarchy. This has one master file (MF or root)
which contains several elementary files (EF) and
several dedicated files (DF).
 DFs and MF correspond to directories and EFs
correspond to files, analogous to the hierarchy in
any common OS for PCs.
 Data Structure
 However, these two hierarchies differ in that
DFs can also contain data. DF's, EF's and MF's
header contains security attributes resembling
user rights associated with a file/directory in a
common OS.
 Any application can traverse the file tree, but it
can only move to a node if it has the appropriate
rights.
 The PIN is also stored in an EF but only the
card has access permission to this file.