Smart Card

  • 8/9/2019 Smart Card

    INTRODUCTION

    The smart card is one of the latest additions to the world of information technology and perhaps one of the most widely used, but underestimated, electronic devices in use today. In many cases these devices are in the front line, defending citizens and systems alike against attacks on information security. Because they have tended to be small and often concealed, smart cards have carried on their important work largely unnoticed, but this is changing with the high-profile use of smart cards for IDs, passports, credit cards and e-tickets. The smart card has a microprocessor or memory chip embedded in it that, when coupled with a reader, has the processing power to serve many different applications. As an access-control device, smart cards make personal and business data available only to the appropriate users. Another application provides users with the ability to make a purchase or exchange value. Smart cards provide data portability, security and convenience.

    Smart cards come in two varieties: memory and microprocessor. Memory cards simply store data and can be viewed as a small floppy disk with optional security. A microprocessor card, on the other hand, can add, delete and manipulate information in its memory on the card. Similar to a miniature computer, a microprocessor card has an input/output port, operating system and hard disk with built-in security features. On a fundamental level, microprocessor cards are similar to desktop computers. They have operating systems, they store data and applications, they compute and process information and they can be protected with sophisticated security tools. The self-containment of the smart card makes it resistant to attack, as it does not need to depend upon potentially vulnerable external resources. Because of this characteristic, smart cards are often used in applications which require strong security protection and authentication. For example, a smart card can act as an identification card, which is used to prove the identity of the card holder. It can also be a medical card, which stores the medical history of a person. Furthermore, the smart card can be used as a credit/debit bank card which allows off-line transactions. All of these applications require sensitive data to be stored in the card, such as biometric information of the card owner, personal medical history, and cryptographic keys for authentication.

    In the near future, the traditional magnetic strip cards will be replaced and integrated together into a single card by using the multi-application smart card, which is known as an electronic purse or wallet in the smart card industry. The smart card is becoming more and more significant and will play an important role in our daily life. It will be used to carry a lot of sensitive and critical data about consumers, more than ever before.

    Now we can say that

    A SMART CARD:-

    1-Can participate in an automated electronic transaction
    2-Is used primarily to add security and
    3-Is not easily forged or copied
    4-Can store data securely
    5-Can host/run a range of security algorithms and functions

    This definition will now be applied to a few well-known card types to see if they are truly SMART.

    HISTORICAL MILESTONE

    Although considered a leading-edge technology, IC contact cards, an original French invention, have been with us for over 20 years. Since the 1970s, the history of smart cards has reflected steady advances in chip capabilities and capacity, as well as increases in the number and variety of applications.

    1970  Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card concept.

    1974  Roland Moreno of France filed the original patent for the IC card, later dubbed the "smart card".

    1977  Three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger, began developing the IC card product.

    1979  Motorola developed the first secure single-chip microcontroller for use in French banking.

    1982  Field testing of serial memory phone cards took place in France--the world's first major IC card test.

    1984  Field trials of ATM bank cards with chips were successfully conducted.

    1986  In March, 14,000 cards equipped with the Bull CP8 were distributed to clients of the Bank of Virginia and the Maryland National Bank. Also, 50,000 Casio cards were distributed to clients of the First National Palm Beach Bank and the Mall Bank.

    1987  First large-scale smart card application implemented in the United States with the U.S. Department of Agriculture's nationwide Peanut Marketing Card.

    1991  First Electronic Benefits Transfer (EBT) smart card project launched for the Wyoming Special Supplemental Nutrition Program for Women, Infants, and Children (WIC).

    1992  A nationwide prepaid (electronic purse) card project (DANMONT) was started in Denmark.

    1993  Field test of multi-function smart card applications in Rennes, France, where the Telecarte function (for public phones) was enabled in a Smart Bank Card.

    1994  Europay, MasterCard, and Visa (EMV) published joint specifications for global microchip-based bank cards (smart cards). Germany began issuance of 80 million serial memory chip cards as citizen health cards.

    1995  Over 3 million digital mobile phone subscribers worldwide begin initiating and billing calls with smart cards.
          First of 40,000 multi-functional, multi-technology MARC cards with chips were issued to U.S. Marines in Hawaii.

    1996  Over 1.5 million VISA Cash stored value cards were issued at the Atlanta Olympics.
          MasterCard and Visa began sponsorship of competing consortia to work on solving the problems of smart card interoperability; two different card solutions were developed: the Java Card backed by Visa, and the Multi-application Operating System (MULTOS) backed by MasterCard.

    1998  In September 1998, the U.S. Government's General Services Administration and the United States Navy joined forces and implemented a nine-application smart card system and card management solution at the Smart Card Technology Center in Washington, DC. The Technology Center's primary purpose is to demonstrate and evaluate the integration of multi-application smart cards with other types of technology, showcasing systems available for use in the Federal Government.
          Microsoft announced its new Windows smart card operating system.
          France began piloting a smart health card for its 50 million citizens.

    1999  The U.S. Government's General Services Administration has been involved in the Smart Access Common ID Project for the past year. The Smart Access Common ID Card program will establish a contract vehicle for use by all Federal agencies to acquire a standard, interoperable employee identification card, from one or more vendors, capable of providing both physical and logical (system/network) access to all Federal employees.

    PHYSICAL STRUCTURE

    This section discusses the physical structure of a smart card and examines its components. It also discusses all the phases of a card's life cycle and explores how the microcontroller handles and transfers data securely from the card manufacturer to the application supplier and then to the bearer. As a result, we can determine how the data or information stored on the card can be protected.

    There are two main ways to distinguish card types: by the related application or issuer type, and by technical features and/or physical characteristics. The two are closely related, e.g. an ID card for government use bears security features in the card body.

    In banking there are the standard debit/credit cards in ID-1 format, both with similar characteristics: a multi-layer card body with printed design, some optional printed security features, a magnetic strip, a signature panel, a hologram and more, with a chip. The optical personalization of the card is done either by embossing or by laser engraving.

    New variations include non-standard ISO/IEC 7810 cards in smaller sizes (e.g. VISA mini) or different shapes. With the evolving trend to contactless payment, even other form factors have shown up, like key fobs or modules embedded in the shell of a mobile phone. For a card body which has no security element, optical personalization is done either by inkjet and thermal transfer printing or by laser engraving. Mobile phones which take a complete ID-1 card are long gone, but even the ISO/IEC 7810 ID-000 plug-in size already has a smaller successor: the Mini-UICC or 3rd Form Factor (3FF).

    Card Type  | Explanation      | Size
    ID-1       | Usual smart card | 54,0 x 85,6 mm
    Plug-In    | For GSM          | 15,0 x 25,0 mm
    Mini-UICC  | For GSM (3FF)    | 12,0 x 15,0 mm
    Visa Mini  | For Credit/Debit | 40,0 x 65,6 mm

    The physical structure of a smart card is specified by the International Standards Organization (ISO) 7810, 7816/1 and 7816/2. Generally it is made up of three elements. The plastic card is the most basic one and has the dimensions of 85.60mm x 53.98mm x 0.80mm. A printed circuit and an integrated circuit chip are embedded on the card. The figure shows an overview of the physical structure of a smart card.

    Fig:- Physical structure of smart card

    The printed circuit conforms to ISO standard 7816/3, which provides five connection points for power and data. It is hermetically fixed in the recess provided on the card and is burned onto the circuit chip, filled with a conductive material, and sealed with contacts protruding. The printed circuit protects the circuit chip from mechanical stress and static electricity. Communication with the chip is accomplished through contacts that overlay the printed circuit.

    The capability of a smart card is defined by its integrated circuit chip. Typically, an integrated circuit chip consists of a microprocessor, read only memory (ROM), non-static random access memory (RAM) and electrically erasable programmable read only memory (EEPROM), which will retain its state when the power is removed. The current circuit chip is made from silicon, which is not flexible and particularly easy to break. Therefore, in order to avoid breakage when the card is bent, the chip is restricted to only a few millimeters in size.

    Furthermore, the physical interface which allows data exchange between the integrated circuit chip and the card acceptor device (CAD) is limited to 9600 bits per second. The communication line is a bi-directional serial transmission line which conforms to ISO standard 7816/3. All the data exchanges are under the control of the central processing unit in the integrated circuit chip. Card commands and input data are sent to the chip, which responds with status words and output data upon the receipt of these commands and data. Information is sent in half duplex mode, which means transmission of data is in one direction at a time. This protocol, together with the restriction of the bit rate, prevents massive data attacks on the card.

    In general, the size, the thickness and the bend requirements for the smart card are designed to protect the card from being spoiled physically. However, this also limits the memory and processing resources that may be placed on the card. As a result, the smart card always has to work together with other external peripherals to operate. For example, it may require a device to provide and supply user input and output, time and date information, power and so on. These limitations may degrade the security of the smart card in some circumstances, as the external elements are untrusted and precarious.

    PRODUCTION AND LIFE CYCLE

    MATERIALS

    The basic material used for cards is supplied either as foil for laminating or as granulate in the case of injection moulding. The classical material used is PVC, but due to environmental discussion and higher lifetime requirements as well, other materials are gaining importance.

    Material: Advantages (+) / Disadvantages (-)

    PVC (Polyvinyl chloride)
        (+) Low price, many years of experience, recycling possible
        (-) Environmental compatibility, limited thermal stability

    PC (Polycarbonate)
        (+) High temperature stability and mechanical strength, recycling possible
        (-) High price, low scratch resistance

    ABS (Acrylonitrile butadiene styrene)
        (+) Injection moulding suitable, temperature stability, recycling possible
        (-) Does not comply with ISO standard, not classified as environmentally friendly

    PETG (Polyethylene terephthalates)
        (+) Best material regarding environmental compatibility, middle price, recycling possible
        (-) Process not as easy and well known as for PVC

    LIFE CYCLE OF SMART CARD

    There is an operating system inside each smart card, which may contain a manufacturer identification number (ID), type of component, serial number, profile information, and so on. More important, the system area may contain different security keys, such as the manufacturer key or fabrication key (KF), and the personalization key (KP). All of this information should be kept secret and not be revealed to others.

    Hence, from the manufacturer to the application provider, then the card holder, the production of a smart card is divided into different phases. Limits on the transfer of and access to data are tightened incrementally from phase to phase in order to protect different areas in the smart card. There are five main phases for a typical smart card life cycle. We will discuss each of them below.

    FABRICATION PHASE

    This phase is carried out by the chip manufacturers. The silicon integrated circuit chip is created and tested in this phase. A fabrication key (KF) is added to protect the chip from fraudulent modification until it is assembled into the plastic card support. The KF of each chip is unique and is derived from a master manufacturer key. Other fabrication data will be written to the circuit chip at the end of this phase. Then the chip is ready to be delivered to the card manufacturer with the protection of the key KF.

    Fig:- Cutting

    PRE-PERSONALISATION PHASE

    This phase is carried out by the card suppliers. In this phase, the chip will be mounted on the plastic card, which may have the logo of the application provider printed on it. The connection between the chip and the printed circuit will be made, and the whole unit can be tested. For added security and to allow secure delivery of the card to the card issuer, the fabrication key will be replaced by a personalisation key (KP). After that, a personalisation lock VPER will be written to prevent further modification of the KP. In addition, physical memory access instructions will be disabled. Access to the card can be done only by using logical memory addressing. This keeps the system and fabrication areas from being accessed or modified.

    Fig:- Gluing

    PERSONALISATION PHASE

    This phase is conducted by the card issuers. It completes the creation of logical data structures. Data file contents and application data are written to the card. Information on the card holder's identity, the PIN, and the unblocking PIN will be stored as well. At the end, a utilization lock VUTIL will be written to indicate that the card is in the utilization phase.

    Fig:- Finished modules

    UTILIZATION PHASE

    This is the phase for the normal use of the card by the cardholder. The application system, logical file access controls, and others are activated. Access to information on the card will be limited by the security policies set by the application. This will be discussed in detail in the next section.

    Fig:- Module on body

    END-OF-LIFE PHASE

    This phase is also known as the INVALIDATION PHASE. There are two ways to move the card into this phase. One is initiated by the application, which writes the invalidation lock to an individual file or the master file. All operations, including writing and updating, will be disabled by the operating system. Only read instructions may remain active for analysis purposes. The other way to put the card into this phase is when the control system irreversibly blocks access because both the PIN and the unblocking PIN are blocked; then all operations will be blocked, including reads.

    Fig:- Our card is ready to use

    Finally, the table below summarizes the conditions and memory accesses of a smart card during the various phases mentioned above.

    Areas/Phases        | Fabrication | Pre-personalization | Personalization | Utilization | End-of-Life
    Access mode         | Physical addressing | Logical addressing
    System              | Not accessible
    Fabrication (keys)  | Write KF | Write KP | Not accessible
    Fabrication (data)  | Read, write, erase | Read | Read
    Directory           | Read, write, erase | According to logical file access conditions
    Data                | Read, write, erase | According to logical file access conditions
    Optional            | Read, write, erase | Not accessible

    Table :- Phases and access rights of smart card's life cycle
    (Source: Philips DX smart card reference manual, 1995)
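
    The locks described in the phases above (VPER, VUTIL, the invalidation lock, and the blocking of the PIN and unblocking PIN), modelled as a small C state machine. This is an added example, not code from the original document or from any card operating system; the function names, the retry limit of 3, the PUK format and the rule that file access in the utilization phase needs a verified PIN are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Added model: names, MAX_TRIES and the PIN-gated file rule are assumptions. */
enum phase { FABRICATION, PRE_PERSO, PERSO, UTILIZATION, END_OF_LIFE };
enum op { OP_READ, OP_WRITE };
#define MAX_TRIES 3

struct card {
    enum phase phase;
    bool has_kf, has_kp;           /* key slots, modelled as flags only */
    bool vper, vutil, invalidated; /* write-once locks */
    char pin[9], puk[9];           /* zero-padded, at most 8 digits */
    int pin_tries, puk_tries;
    bool verified;                 /* PIN accepted in this session */
};

/* The page gives 3 to 8 digits for a PIN; the same format is assumed for the PUK. */
static bool valid_pin(const char *s) {
    size_t n = strlen(s);
    if (n < 3 || n > 8) return false;
    for (size_t i = 0; i < n; i++) if (s[i] < '0' || s[i] > '9') return false;
    return true;
}

/* Compare all 8 bytes without an early exit, so timing does not leak a prefix. */
static bool same_secret(const char stored[9], const char *candidate) {
    char buf[9] = {0};
    unsigned char diff = 0;
    if (!valid_pin(candidate)) return false;
    memcpy(buf, candidate, strlen(candidate));
    for (int i = 0; i < 8; i++) diff |= (unsigned char)(stored[i] ^ buf[i]);
    return diff == 0;
}

static void check_blocked(struct card *c) {     /* both blocked: irreversible */
    if (c->pin_tries == 0 && c->puk_tries == 0) c->phase = END_OF_LIFE;
}

/* Fabrication: the chip leaves the chip manufacturer protected by KF. */
void card_fabricate(struct card *c) { memset(c, 0, sizeof *c); c->has_kf = true; }

bool card_write_kp(struct card *c) {            /* pre-personalisation: KF -> KP */
    if (c->phase > PRE_PERSO || c->vper || !c->has_kf) return false;
    c->has_kf = false; c->has_kp = true; c->phase = PRE_PERSO;
    return true;
}

bool card_write_vper(struct card *c) {          /* freezes KP, enters personalisation */
    if (c->phase != PRE_PERSO || !c->has_kp) return false;
    c->vper = true; c->phase = PERSO;
    return true;
}

bool card_personalise(struct card *c, const char *pin, const char *puk) {
    if (c->phase != PERSO || !valid_pin(pin) || !valid_pin(puk)) return false;
    memset(c->pin, 0, sizeof c->pin); memcpy(c->pin, pin, strlen(pin));
    memset(c->puk, 0, sizeof c->puk); memcpy(c->puk, puk, strlen(puk));
    c->pin_tries = c->puk_tries = MAX_TRIES;
    return true;
}

bool card_write_vutil(struct card *c) {         /* enters the utilization phase */
    if (c->phase != PERSO || c->pin_tries == 0) return false;
    c->vutil = true; c->phase = UTILIZATION;
    return true;
}

bool card_verify_pin(struct card *c, const char *pin) {
    if (c->phase != UTILIZATION || c->pin_tries == 0) return false;
    c->pin_tries--;                /* spend the try before comparing */
    c->verified = same_secret(c->pin, pin);
    if (c->verified) c->pin_tries = MAX_TRIES; else check_blocked(c);
    return c->verified;
}

bool card_unblock(struct card *c, const char *puk, const char *new_pin) {
    if (c->phase != UTILIZATION || c->puk_tries == 0 || !valid_pin(new_pin)) return false;
    c->puk_tries--;
    if (!same_secret(c->puk, puk)) { check_blocked(c); return false; }
    memset(c->pin, 0, sizeof c->pin); memcpy(c->pin, new_pin, strlen(new_pin));
    c->pin_tries = c->puk_tries = MAX_TRIES;
    return true;
}

bool card_invalidate(struct card *c) {          /* invalidation lock on the master file */
    if (c->phase != UTILIZATION) return false;
    c->invalidated = true; c->phase = END_OF_LIFE;
    return true;
}

/* Access to a PIN-protected data file (the access condition is an assumption). */
bool card_file_access(const struct card *c, enum op op) {
    switch (c->phase) {
    case UTILIZATION: return c->verified;
    case END_OF_LIFE: return c->invalidated && op == OP_READ;
    default:          return true; /* issuer-side phases: no cardholder condition */
    }
}
```

    The two end-of-life paths differ only in the invalidated flag: a card ended by the invalidation lock still answers reads, while a card ended by blocking both the PIN and the unblocking PIN answers nothing.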

    TYPES OF SMART CARDS

    In this section we report on the types of smart card.

    (a) Magnetic strip cards
    (b) Chip cards
    (c) Microprocessor chip cards
    (d) Contactless smart cards

    MAGNETIC STRIP CARDS

    Magnetic strip cards are widely used in a range of applications. They are low cost and easy to use (read/write). This type of card is used for credit/debit and financial applications (ATMs).

    CHIP CARDS

    As the name suggests, a chip card is basically a plastic card that, rather like the magnetic strip card, has an electronic chip embedded in it. Historically these cards were easy to identify by virtue of the contacts, which were usually gold/silver in colour. A chip card is accessed by placing it within a card reader, which simply makes physical contact with the gold pads, allowing the chip to be powered and clocked and communication to take place.

    Fig:- CONTACTS OF CHIP CARD

    MICROPROCESSOR CHIP CARDS

    A smart card contains a tamper-resistant microprocessor chip (incorporating countermeasures against known attacks) that is difficult to forge or copy. It can participate in automated electronic transactions, can store data securely and can run/host a range of security protocols and algorithms.

    The considerations so far have focused on conventional smart cards, i.e. those that make use of electrical contact to the chip. However, there is growing interest in and usage of cards that do not have physical contact but exploit radio techniques instead.

    The most common and least expensive smart cards are memory cards. This type of smart card contains EEPROM (Electrically Erasable Programmable Read-Only Memory), a non-volatile memory. Because it is non-volatile, the card keeps its data when you remove it from the reader and power is cut off. You can think of the EEPROM inside as a normal data storage device which has a file system and is managed via a microcontroller (mostly 8 bit). This microcontroller is responsible for accessing the files and accepting the communication. The data can be locked with a PIN (Personal Identification Number), your password. PINs are normally 3 to 8 digit numbers that are written to a special file on the card. Because this type is not capable of cryptography, memory cards are used for storing telephone credits, transportation tickets or electronic cash.

    Fig:- Microprocessor Card

    ROM/RAM contains the card operating system and working storage. EEPROM is used for data storage.

    Typical specifications
    - 8-bit CPU
        Advertised as 16-bit by combining 8-bit register pairs
    - 16K-32K ROM
    - 256-512 bytes RAM
    - 4K-16K EEPROM
        Advertised in bits to make it sound bigger

    Size ratio of memory cells:
    RAM = 4 x EEPROM size = 16 x ROM size

    Everything has to be fabbed on the same die.

    CONTACT-LESS SMART CARD:-

    The contactless smart card is one in which the chip communicates with the card reader through RFID (Radio frequency ID) induction technology (at data rates of 106 to 848 kbit/s). These cards require only close proximity to an antenna to complete a transaction. They are often used when transactions must be processed quickly or hands-free, such as on mass transit systems, where smart cards can be used without even removing them from a wallet.

    The standard for contactless smart card communications is ISO/IEC 14443. It defines two types of contactless cards ("A" and "B") and allows for communications at distances up to 10 cm. There had been proposals for ISO/IEC 14443 types C, D, E, F and G that have been rejected by the International Organization for Standardization. An alternative standard for contactless smart cards is ISO/IEC 15693, which allows communications at distances up to 50 cm. The transportation service BEST uses smart cards for bus passes, which predate the ISO/IEC 14443 standard. All of them are primarily designed for public transportation payment and other electronic purse applications.

    A related contactless technology is RFID (Radio Frequency IDentification). In certain cases, it can be used for applications similar to those of contactless smart cards, such as for electronic toll collection. RFID devices usually do not include writeable memory or microcontroller processing capability as contactless smart cards often do.

    There are dual-interface cards that implement contactless and contact interfaces on a single card with some shared storage and processing. An example is Porto's multi-application transport card, called Andante, that uses a chip in contact and contactless (ISO/IEC 14443 Type B).

    Like smart cards with contacts, contactless cards do not have a battery. Instead, they use a built-in inductor to capture some of the incident radio-frequency interrogation signal, rectify it, and use it to power the card's electronics.

    Contactless smart cards offer advantages to both the organization issuing the card and the cardholder. The issuing organization can support multiple applications on a single card, consolidating an appropriate mix of technologies and supporting a variety of security policies for different situations. Applications such as logical access to computer networks, electronic payment, electronic ticketing and transit can be combined with physical access to offer a multi-application and multi-technology ID credential. The issuer can also record and update appropriate privileges from a single central location. The organization as a whole incurs lower maintenance costs over the system life, due to the elimination of mechanical components and reader resistance to vandalism and harsh environmental conditions. With hybrid and dual-interface cards, issuers can also implement systems that benefit from multiple card technologies.

    CONTACTLESS TECHNOLOGY SUPPORT PHYSICAL ACCESS CONTROL APPLICATION

    There are three primary contactless technologies considered for physical access control applications: 125 kHz, ISO/IEC 14443, and ISO/IEC 15693 technologies. 125 kHz read-only technology is used by the majority of today's RFID access control systems and is based on de facto industry standards rather than international standards. 125 kHz technology allows for a secure, uniquely coded number to be transmitted and processed by a back-end system. The back-end system then determines the rights and privileges associated with that card. Cards that comply with the ISO/IEC 14443 and ISO/IEC 15693 standards are intelligent, read/write devices capable of storing different kinds of data and operating at different ranges. Standards-based contactless smart cards can authenticate a person's identity, determine the appropriate level of access, and admit the cardholder to a facility, all from data stored on the card. These cards can include additional authentication factors (such as biometric templates or PINs) and other card technologies, including a contact smart card chip, to satisfy the requirements of legacy applications or applications for which a different technology is more appropriate.

    Contactless smart card technologies offer security professionals features that can enhance systems designed to control physical or logical access (i.e., access to networks or other online resources). Contactless cards differ from traditional contact smart cards by not requiring physical connectivity to the card reader. The card is simply presented in close enough proximity to the reader and uses radio frequencies (RF) to exchange information. The use of contactless technologies is particularly attractive for secure physical access, where the ID credential and reader must work in harsh operating conditions, with a high volume of use or with a high degree of user convenience. For example, consider the use of a contactless card to control access to public transportation. The card can be presented to the reader without having to be removed from a wallet or purse. The fare is automatically deducted from the card and access is granted. Adding funds through appropriate machines at transit centers or banks then refreshes the card. The process is simple, safe, and accurate.

    TYPE OF CONTACTLESS CARD

    There are three types of contactless credentials (cards or token)

    1 .Memory

    2. Wired Logic

    3. Microcontroller

    Memory cards use a chip or other electronic device to store authentication information. In their

    most secure form, memory cards store a unique serial number and include the ability to

    permanently lock sections of memory or allow write access only through password-protected

    mechanisms. Other than these basic mechanisms, memory cards employ no additional security to

    protect their contents. System-level methods can be used to encrypt and decrypt the information

    stored on the card.Wired logic cards have a special purpose electronic circuit designed on the chip and use a fixed

    method to authenticate themselves to readers, verify that readers are trusted, and encrypt

    communications.Wired logic cards lack the ability to be modified after manufacturing or

    programming.

    MCU cards implement authentication/encryption methods in software or firmware. Contactless

    smart cards with an embedded MCU have more sophisticated security capabilities, such as the

    ability to perform their own on-card security functions (e.g., encryption, hardware and software-

    based tamper resistance features to protect card contents, biometric verification and digital

    signatures) and interact intelligently with the card reader. Contactless MCU cards also have

    greater memory capability and run card operating systems (for example,JavaCard or MULTOS).

    Both hybrid and dual-interface contactless cards are becoming available. On a hybrid card,

    multiple independent technologies share the common plastic card body but do not communicate

    or interact with each other. For example, one card could carry a magnetic stripe, bar code, 125

    kHz technology, picture ID, contact smart card module and either ISO/IEC 14443 or ISO/IEC

    15693 contactless smart card technology. The advantage of a hybrid card is that existing installed

    systems can be supported, while new features and functionality can also be offered through smart

    card technologies. A dual-interface card includes a single chip with both contact and contactless

    capabilities. Contact and contactless technologies can therefore be implemented on one card,

    each addressing the application requirements most suited to its capabilities and sharing the same

    data.

    Hybrid and dual-interface technologies are complementary and, with thoughtful implementation,

    transparent to the end user. With current technologies, security system designers can implementan architecture that includes multiple ID credential technologies. This creates a significant

    opportunity for more efficient credential management, improved user convenience, and easier

    administration of multiple security policies and procedures. Through the use of the appropriatecard technology, cryptography, and digital signatures, logical access control can be incorporated

    into networks and databases. And because the credential is a plastic card, it also supports theuseof pictures, logos, visual inspection information, holograms, digital watermarks, microprinting,

    and other security markings to deter counterfeiting and impersonation. A single card is also more

    efficient for the user, simplifying coordination for changes, reducing memorization for

    complicated passwords or personal identification numbers (PINs), and decreasing the time for

    authentication.

    BENEFITS OF CONTACTLESS SMART CARD TECHNOLOGY

    Contactless smart card technology is ideal for physical access control applications. Because ID

    credentials and readers are typically exposed to the elements and have high usage, sealed

    contactless technology prevents damage when cards and readers are exposed to dirt, water, cold,

    and other harsh environmental conditions. With no mechanical reader heads or moving parts,

    maintenance costs are minimized. Finally, with read ranges that can extend to many inches,

    contactless technology offers the user the convenience of hands-free access. The key benefits

    of using contactless smart card technology for physical access are summarized below.

    High speed of access and high throughput

    Useable in harsh or dirty environments

    User Friendly

    Less intrusive

    Does not require insertion of the card into the reader

    No issues with orientation of the card

    May be kept in wallet or purse for personal security during use

    Same high level of security as contact smart cards (e.g., digital signatures)

    Protected storage of data on the card

    Flexibility to incorporate multiple applications with different modes

    Contactless only card

    Dual interface contact/contactless card

    Hybrid card that includes 125 kHz technology, 13.56 MHz technology, magnetic stripe,

    barcode, hologram, photo, and other card security features.

    Dual interface contact/contactless card that includes 13.56 MHz technology, magnetic stripe,

    barcode, hologram, photo, and other card security features.

    Reduced maintenance costs for card readers (as compared to magnetic stripe and contact card

    readers)

    Reduced vandalism of readers

    More durable and reliable cards (no external parts that can wear out or be contaminated)

    Well-suited to accommodate local security staffing, training and implementation

    Established international standards (ISO/IEC)

    HOW DOES A SMART CARD WORK

    After a smart card is issued to the consumer by the application provider, the protection of the

    card is controlled mainly by the application operating system. The physical addressing mode of

    accessing data is no longer available. Access to data has to go through the logical file

    structure on the card. This section will discuss how the operating system accomplishes the

    security protection of the data stored on the card by examining the logical file structure and the

    corresponding access controls of a smart card.

    APPLICATION OF SMART CARD

    Main Application

    Public phone card (Pre-Paid)

    Cellular Phone GSM card

    Banking Card (Debit/Credit Card)

    Health card

    New Application

    Electronic Purse

    Transportation

    Security Of Information

    Identity

    Retail & Loyalty

    Physical Access Control

    Satellite TV

    IT Access Control

    University Identification

    Government Identification

    Fig-Applications of smart card, sector wise (bar chart; sectors: Telecom, Mobile Com., Identity, Finance, Transport, Other; vertical axis 0 to 40)

    Most of the smart card systems in use today serve one purpose and are related to just one

    process. For example, the smart telephone card which makes public telephones convenient,

    electronic money which replaces coins and bank notes, the medical card which stores medical

    history and insurance information, and the electronic identification card which controls access to

    data and facilities, etc. All of these applications are stored in different smart card systems

    separately, and lead to the same situation and problem as with the traditional magnetic stripe card

    system, which requires users to carry multiple cards for multiple applications.

    In fact, as mentioned above, the smart card has the capability to integrate those applications

    together to form a multiple application card by utilising its embedded microprocessor and

    memory storage spaces. However, this kind of integration is always limited by some of the

    external logical elements rather than technical issues. For instance, in a single application card

    system, data stored in the card or even the card itself always belongs to the card issuer. In the

    case of more than one application residing in a single card, this becomes impractical.

    Moreover, we also have to consider how to partition the memory spaces for different

    applications, and manage the rights and privileges of data access. This also relates to data

    directory configuration and security between each of them. Furthermore, the ability for

    applications to communicate or share data between each other is another important concern

    which may affect the whole design of the system and its operability.

    Therefore, based on the nature and purposes of different applications, we discuss three different

    kinds of infrastructure of multiple application smart card systems. The first one is minor

    applications which co-operate with a dominant application. The second one will be the

    integration of multiple applications under a single specification. Finally, multiple independent

    applications installed on a single card will be taken into account.

    Minor Applications Co-operate With Dominant Application.

    While most of the existing smart card applications do not fully utilise both the memory

    storage and processing power of the card, it is feasible to integrate other minor applications

    which make use of the existing resources and functionalities of the dominant system together.

    This kind of system always requires co-operation between application providers. The figure shows

    an overview of this system.

    Fig-Minor applications co-operate with dominant application

    Data Directory Configuration and Partitioning

    As the minor applications reside under the existing dominant application and co-operate with it,

    they should logically act as a subset of the dominant application. The figure below shows

    the logical view and relationship between applications.

    Fig-Logical view of applications in this model

    Technically, this can be done by placing minor applications under different sub-directories or

    functional groups which are below the dominant application directory. Dedicated files (DFs) can

    be used to separate and organize applications. The figure displays the structure and organization of

    memory spaces inside the smart card.

    Fig-Structure and organisation inside the smart card.
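    The logical file structure mentioned in the section on how the smart card works, and the DF partitioning described above, can be modelled compactly. This is an added Python example, not code from the original report or from any card operating system; the class names, condition names (PIN, ISSUER, MERCHANT), file names and secrets are hypothetical, and clearing proven rights on every DF selection is a simplifying assumption of this model.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class EF:                        # elementary file: data plus a condition per operation
    data: bytes
    read: str = "ALWAYS"
    update: str = "NEVER"        # no secret is ever stored under this name

@dataclass
class DF:                        # dedicated file: one application's directory
    secrets: dict = field(default_factory=dict)    # condition name -> secret bytes
    children: dict = field(default_factory=dict)   # file name -> DF or EF

class Card:
    def __init__(self, mf: DF):
        self.mf, self.df, self.proven = mf, mf, {"ALWAYS"}

    def select_df(self, *path):  # files are reached by logical name, never by address
        node = self.mf
        for name in path:
            node = node.children.get(name)
            if not isinstance(node, DF):
                raise PermissionError("no such DF")
        self.df, self.proven = node, {"ALWAYS"}   # proven rights never carry over

    def verify(self, condition, secret: bytes):
        expected = self.df.secrets.get(condition)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError(condition)
        self.proven.add(condition)

    def _file(self, name, op):   # enforce the EF's condition for this operation
        ef = self.df.children.get(name)
        if not isinstance(ef, EF) or getattr(ef, op) not in self.proven:
            raise PermissionError(f"{op} {name}")
        return ef

    def read(self, name):
        return self._file(name, "read").data

    def update(self, name, data: bytes):
        self._file(name, "update").data = data

def build_card():   # constructed layout: dominant bank DF with a minor loyalty DF below it
    loyalty = DF({"MERCHANT": b"m-key"}, {"points": EF(b"\x00\x10", update="MERCHANT")})
    balance = EF(b"\x01\xf4", read="PIN", update="ISSUER")
    bank = DF({"PIN": b"1234", "ISSUER": b"i-key"}, {"balance": balance, "loyalty": loyalty})
    return Card(DF(children={"bank": bank}))
```

    The merchant who holds the loyalty key can update the points file but can neither read nor update the balance, because each secret is only valid inside the DF that stores it.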

    Multiple Applications Under Single Specification

    At present, many card applications serve similar purposes or make use of similar

    resources to perform their services, such as different kinds of identification cards or licenses,

    different sorts of merchant incentive cards which store "points" for frequent purchaser programs,

    and credit/debit cards from different financial institutes, etc. These applications are suitable and

    feasible to integrate together in order to increase functionality of the card and decrease the

    resources spent by sharing commonly required information such as the card holder's information.

    One of the conditions for applications to be united in this system is that they have to be governed

    by a single specification or standard under a certain authority.

    Fig-Multiple applications under single specification

    MORE APPLICATIONS

    All the different identification cards and licenses issued by the government, such as citizen

    identification card, driving license, fishing or hunting license, passport, council's library card,

    etc., can be integrated together under the system discussed here, because they all conform to

    a single specification from the government and serve identification purposes. Another example

    is the multiple merchant incentives which allow card holders to store "points" for frequent

    purchaser programs across multiple merchants. This is workable as most of those programs

    require only basic information about the card holder and a lower level of security, therefore that

    information can be shared in order to verify the owner. In summary, applications

    integrated together under this scheme can reduce the duplication of resources and facilitate the

    management of different applications.

    ADVANTAGES:

    One card can be used for several purposes

    Easy to carry because of small size

    Easy to operate

    Less probability of loss of data

    Less probability of being stolen

    More secure

    Globally used

    Tamper resistance

    Low cost

    Easy to replace

    Economic benefits

    DISADVANTAGES:

    Today's world is full of techies, so perfect security cannot be offered for any technology. The

    smart card also suffers from these techies: fraud and hacking are found with smart cards too. In

    magnetic stripe cards, fraud has become common nowadays.

    Skimming: In this, the information from a valid card's magnetic stripe is copied to another card for

    use in fraudulent automated transactions.

    Counterfeiting: Here the plastic carrier/card is very carefully copied, but the magnetic stripe may

    be blank or valid.

    ATTACK ON SMART CARD

    As discussed above, the smart card seems to be a superior tool for enhancing system

    security and provides a place for secure storage. One of the security features provided by most

    smart card operating systems is the cryptographic facilities. They provide encryption and

    decryption of data for the card; some of them can even be used to generate cryptographic keys.

    The secret of the cryptographic algorithm, the keys stored, and the access control inside the

    smart card become the targets of attackers. Nowadays many companies and cryptographers

    claim to be able to break the smart card and its microcontroller. Some of them perform logical

    non-invasive attacks, some of them attack the card physically while others just prove their

    success by mathematical theorems. The first two are discussed briefly below, examining how the attacks are

    achieved. The third is not discussed here, since those attacks are theoretical and involve a lot of complicated

    mathematical calculations and formulas.

    LOGICAL ATTACK:

    As all the key material of a smart card is stored in the electrically erasable programmable read

    only memory (EEPROM), and due to the fact that EEPROM write operations can be affected by

    unusual voltages and temperatures, information can be trapped by raising or dropping the

    supplied voltage to the microcontroller. Several examples of attacking the smart card

    microcontroller by adjusting the voltage are given here.

    For example, a widely known attack on the PIC16C84 microcontroller is that the security bit of the

    controller can be cleared without erasing the memory by raising the voltage VCC to VPP - 0.5V. An

    attack on the DS5000 security processor is another example. A short voltage drop can sometimes release the

    security lock without erasing the secret data. Low voltage can facilitate other attacks

    as well: for example, an analogue random generator used to create cryptographic keys will produce an

    output of almost all 1s when the supply voltage is lowered slightly.

    For these reasons, some security processors implement sensors which raise an alarm

    when there are any environmental changes. However, these kinds of sensors always cause

    false alarms due to the fluctuations that occur when the card is powered up and the

    circuit is stabilising. Therefore this scheme is not commonly used.
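    The biased random generator mentioned above (output of almost all 1s at reduced supply voltage) is a failure that card software can test for before it trusts the generator with key material. The following Python sketch is an added example, not code from the original report or from any card operating system; the sample size, both thresholds, the function names and the simulated low_voltage_source are assumptions made for illustration.

```python
import math

SAMPLE_BYTES = 2500    # 20,000 bits per check; size chosen for this example

class RngFailure(Exception):
    pass

def monobit_p_value(sample: bytes) -> float:
    """Frequency (monobit) test: p-value for the balance of 1s and 0s."""
    n = len(sample) * 8
    ones = sum(bin(b).count("1") for b in sample)
    return math.erfc(abs(2 * ones - n) / math.sqrt(2 * n))

def longest_run(sample: bytes) -> int:
    """Length of the longest run of identical bits in the sample."""
    bits = "".join(f"{b:08b}" for b in sample)
    best = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def check_rng(sample: bytes, alpha: float = 1e-4, max_run: int = 25) -> None:
    """Raise RngFailure if the sample looks biased or stuck (thresholds are assumptions)."""
    if len(sample) < SAMPLE_BYTES:
        raise RngFailure("short read from generator")
    p = monobit_p_value(sample)
    if p < alpha:
        raise RngFailure(f"bit bias, p={p:.3g}")
    if longest_run(sample) > max_run:
        raise RngFailure("run of identical bits too long")

def generate_key(source, nbytes: int = 16) -> bytes:
    """Draw a key only if the generator is healthy before and after the draw."""
    check_rng(source(SAMPLE_BYTES))
    key = source(nbytes)
    check_rng(source(SAMPLE_BYTES))   # the supply may have been disturbed mid-draw
    return key

def low_voltage_source(n: int) -> bytes:
    """Constructed stand-in for the degraded generator: almost all 1s."""
    return bytes(0xFE if i % 16 == 0 else 0xFF for i in range(n))
```

    Passing these checks does not show that the output is unpredictable; they only catch gross failures such as the stuck-at-1 behaviour. Tighter thresholds raise the false-alarm rate, the same trade-off noted above for environmental sensors.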

    PHYSICAL ATTACK:

    Invasive physical attacks are typical. Before this kind of attack can be performed, the circuit chip

    has to be removed from the plastic card. This can be done by simply using a sharp knife to cut

    away the plastic behind the chip module until the epoxy resin becomes visible. And then the

    resin can be dissolved by adding a few drops of fuming nitric acid (>98% HNO3). The acid and

    resin can be washed away by shaking the card in acetone until the silicon surface is fully

    exposed. Ultimately the chip can be examined and attacked directly.

    There are many different ways to perform physical attacks. For instance, erasing the security

    lock bit by focusing UV light on the EPROM, probing the operation of the circuit by using

    microprobing needles, or using laser cutter microscopes to explore the chip, and so on.

    However, these kinds of attacks are only available for well funded laboratories as the costs

    associated are considerably high. As the technology advances quickly, manufacturers update and

    enhance their products constantly. Therefore, as soon as the hackers find ways of hacking the

    system, the problems could be solved by the new generation of technology.

    THE FUTURE
