Smart Cards
04/13/2023 ITECH 7215 Information Security 2
Topics Covered Defining Smart Cards Smart Card Architecture Smart Card – Working Smart Card – Security Data Storage in Smart Card Types of Smart Card Usage and Application Advantages and Disadvantages Future Development
DEFINING SMART CARDS
• Known by other names like Chip Cards, Integrated Circuit Cards (ICC) and Processor Cards.
• Size is same as any other Credit card With or without contact information.
• Cards have an operating system.• The OS provides
A standard way of interchanging information.An interpretation of the commands and data.
• Cards must interface to a computer or terminal through a standard card reader.
04/13/2023 ITECH 7215 Information Security 3
Card and Card Reader• Computer based readers:
Connect through USB or COM (Serial) ports• Dedicated terminals:
Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.
04/13/2023 ITECH 7215 Information Security 4
SMART CARD ARCHITECTURE
04/13/2023 ITECH 7215 Information Security 5
SMART CARD ARCHITECTURE• 256 bytes to 4KB RAM.
• 8KB to 32KB ROM.• 1KB to 32KB EEPROM.• Crypto-coprocessors (implementing 3DES, RSA etc., in hardware) are
optional.• 8-bit to 16-bit CPU. 8051 based designs are common.The price of a mid-level chip when produced in bulk is less than US$1.
CLK
RSTVcc
Vpp
I/ORFU
GNDRFU
04/13/2023 ITECH 7215 Information Security 6
WORKING STRUCTURE
• Central Processing Unit: Heart of the Chip• All the processing of data preforms in here.
CPU
04/13/2023 ITECH 7215 Information Security 7
WORKING STRUCTURE
• security logic: detecting abnormal conditionse.g. low voltage
CPU
security logic
04/13/2023 ITECH 7215 Information Security 8
WORKING STRUCTURE
• serial i/o interface: contact to the outside world
CPU
security logic
serial i/ointerface
04/13/2023 ITECH 7215 Information Security 9
WORKING STRUCTURE
• test logic: self-test procedures
CPU
security logic
serial i/ointerface
test logic
04/13/2023 ITECH 7215 Information Security 10
WORKING STRUCTUREROM:• card operating system• self-test procedures• typically 16 kbytes• future 32/64 kbytes
CPU
security logic
serial i/ointerface
test logic
ROM
04/13/2023 ITECH 7215 Information Security 11
WORKING STRUCTURE
RAM:• ‘Buffer memory’ of the processor• typically 512 bytes• future 1 kbyte
CPU
security logic
serial i/ointerface
test logic
ROM
RAM
04/13/2023 ITECH 7215 Information Security 12
WORKING STRUCTURE
EEPROM:• cryptographic keys• PIN code• biometric template• balance• application code• typically 8 kbytes• future 32 kbytes
CPU
security logic
serial i/ointerface
test logic
ROM
RAM
EEPROM
04/13/2023 ITECH 7215 Information Security 13
WORKING STRUCTUREdatabus:• connection between elements of the chip• 8 or 16 bits wide
CPU
security logic
serial i/ointerface
test logic
ROM
RAM
EEPROM
Databus
04/13/2023 ITECH 7215 Information Security 14
SMART CARD WORKING
04/13/2023 ITECH 7215 Information Security 15
TERMINAL/PC CARD INTERACTION
• The terminal/PC sends commands to the card (through the serial line).
• The card executes the command and sends back the reply.
• The terminal/PC cannot directly access memory of the card o Data in the card is protected from
unauthorized access. This is what makes the card smart.
04/13/2023 ITECH 7215 Information Security 16
HOW IT WORKS
04/13/2023 ITECH 7215 Information Security 17
Card is inserted in the terminal Card gets power. OS boots up. Sends ATR (Answer to reset)
ATR negotiations take place to set up data transfer speeds, capability negotiations etc.
Terminal sends first command to select MF
Card responds with an error (because MF selection is only on password presentation)
Terminal prompts the user to provide password
Terminal sends password for verification
Card verifies P2. Stores a status “P2 Verified”. Responds “OK”
Terminal sends command to select MF again
Card responds “OK”
Terminal sends command to read EF1 Card supplies personal data and responds “OK”
COMMUNICATION• Communication between smart card and reader is
standardized: ISO 7816 standard
• Commands are initiated by the terminal Interpreted by the card OSCard state is updatedResponse is given by the card.
• Commands have the following structure
• Response from the card include 1..Le bytes followed by Response Code
04/13/2023 ITECH 7215 Information Security 18
SMART CARD SECURITY
04/13/2023 ITECH 7215 Information Security 19
SECURITY MECHANISM
• PasswordCard holder’s protection
• Cryptographic challenge ResponseEntity authentication
• Biometric informationPerson’s identification
• A combination of one or more
04/13/2023 ITECH 7215 Information Security 20
PASSWORD VERIFICATION
1. Terminal asks the user to provide a password.2. Password is sent to Card for verification.3. Scheme can be used to permit user
authentication.Not a person identification scheme
04/13/2023 ITECH 7215 Information Security 21
CRYPTOGRAPHIC VERIFICATION
1. Terminal verify card (INTERNAL AUTH)• Terminal sends a random number to card to
be hashed or encrypted using a key.• Card provides the hash or cyphertext.
2. Terminal can know that the card is authentic.3. Card needs to verify (EXTERNAL AUTH)
• Terminal asks for a challenge and sends the response to card to verify
• Card thus know that terminal is authentic.4. Primarily for the “Entity Authentication”
04/13/2023 ITECH 7215 Information Security 22
BIOMETRIC MECHANISM
• Finger print identification.Features of finger prints can be kept on the card (even verified on the card)
• Photograph/IRIS pattern etc.Such information is to be verified by a
person. The information can be stored in the card securely.
04/13/2023 ITECH 7215 Information Security 23
DATA STORAGE
04/13/2023 ITECH 7215 Information Security 24
DATA STORAGE
• Data is stored in smart cards in EEPROM• Card OS provides a file structure mechanism• File types:
Binary file (unstructured)Fixed size record fileVariable size record file
04/13/2023 ITECH 7215 Information Security 25
MF
DF DF
DF
EF EF
EF
EF EF
ACCESSING FILES
• Applications may specify the access controls• A password (PIN) on the MF selection e.g. SIM
password in mobiles• Multiple passwords can be used and levels of security
access may be given
• Applications may also use cryptographic authentication
04/13/2023 ITECH 7215 Information Security 26
SMART CARD TYPES
04/13/2023 ITECH 7215 Information Security 27
MAGNETIC STRIPE CARDS
Standard technology for bank cards, driver’s licenses, library cards, and so on……
04/13/2023 ITECH 7215 Information Security 28
OPTICAL CARDS
• Uses a laser to read and write the card• US Cards Contains:• Photo ID• Fingerprint
04/13/2023 ITECH 7215 Information Security 29
MEMORY CARDS
• Can store:Financial InfoPersonal InfoSpecialized Info
• Cannot process Info
04/13/2023 ITECH 7215 Information Security 30
MICROPROCESSOR CARDS
• Has an integrated circuit chip• Has the ability to:• Store information• Carry out local processing• Perform Complex Calculations
04/13/2023 ITECH 7215 Information Security 31
USAGE/APPLICATIONS
04/13/2023 ITECH 7215 Information Security 32
SMART CARD USAGE
Commercial ApplicationsBanking/payment Identification Parking and toll collection Universities use smart cards for ID purposes and at the library, vending machines, copy machines, and other services on campus. EMV standard
Mobile TelecommunicationsSIM cards used on cell phonesAll GSM phones with smart cards Contains mobile phone security, subscription information, phone number on the network, billing information, and frequently called numbers
04/13/2023 ITECH 7215 Information Security 33
SMART CARD USAGE
• Information Technology• Secure logon and authentication of users to PCs and networks • Encryption of sensitive data
• Other Applications• Over 4 million small dish TV satellite receivers in the US use a
smart card as its removable security element and subscription information.
• Pre-paid, reloadable telephone cards• Health Care, stores the history of a patient• Fast ticketing in public transport, parking, and road tolling in
many countries• JAVA cards
04/13/2023 ITECH 7215 Information Security 34
OTHER SMART CARD APPLICATIONS
04/13/2023 ITECH 7215 Information Security 35
SMART CARD APPLICATIONSRetail
Sale of goodsusing Electronic Purses, Credit / DebitVending machinesLoyalty programsTags & smart labels
04/13/2023 ITECH 7215 Information Security 36
CommunicationGSMPayphones
TransportationPublic TrafficParkingRoad Regulation (ERP)Car Protection
Entertainment– Pay-TV– Public event access
control
SMART CARD APPLICATIONS
HealthcareInsurance dataPersonal dataPersonal file
GovernmentIdentificationPassportDriving license
04/13/2023 ITECH 7215 Information Security 37
E-commercesale of informationsale of productssale of tickets, reservations
E-bankingaccess to accountsto do transactionsshares
SMART CARD APPLICATIONS
Educational facilitiesPhysical accessNetwork accessPersonal data (results)Copiers, vending machines, restaurants, ...
04/13/2023 ITECH 7215 Information Security 38
OfficePhysical accessNetwork accessTime registrationSecure e-mail & Web applications
ADVANTAGES/DISADVANTAGES
04/13/2023 ITECH 7215 Information Security 39
ADVANTAGESIn comparison to it’s predecessor, the magnetic strip card, smart cards have many advantages including:
• Life of a smart card is longer• A single smart card can house multiple applications.
Just one card can be used as your license, passport, credit card, ATM card, ID Card, etc.
• Smart cards cannot be easily replicated and are, as a general rule much more secure than magnetic stripe cards. it has relatively powerful processing capabilities that allow it to do more than a magnetic stripe card (e.g., data encryption).
• Data on a smart card can be protected against unauthorized viewing. As a result of this confidential data, PINs and passwords can be stored on a smart card. This means, merchants do not have to go online every time to authenticate a transaction.
04/13/2023 ITECH 7215 Information Security 40
DISADVANTAGES
• NOT tamper proof • Can be lost/stolen• Lack of user mobility – only possible if user has
smart card reader every he goes• Has to use the same reader technology• Can be expensive• Working from PC – software based token will be
better• No benefits to using a token on multiple PCs to using
a smart card• Still working on bugs
04/13/2023 ITECH 7215 Information Security 41
FUTURE DEVELOPMENT
• Microprocessor Cards (Contactless Smart Card)
• Microprocessor Cards (Combi / Hybrid Cards)Hybrid Card:
Has two chips: contact and contactless interface. The two chips are not connected.
Combi Card:Has a single chip with a contact and contactless interface. Can access the same chip via a contact or contactless interface, with a very high level of security.
04/13/2023 ITECH 7215 Information Security 42