A Smart Card Document (2)


  • 7/31/2019 A Smart Card Document (2)

    1/22

    A smart card, typically a type of chip card, is a plastic card that contains an embedded computer chip, either a memory or microprocessor type, that stores and transacts data. This data is usually associated with either value, information, or both and is stored and processed within the card's chip. The card data is transacted via a reader that is part of a computing system. Systems that are enhanced with smart cards are in use today throughout several key applications, including healthcare, banking, entertainment, and transportation. All applications can benefit from the added features and security that smart cards provide.

    According to Eurosmart, worldwide smart card shipments will grow 10% in 2010 to 5.455 billion cards. Markets that have been traditionally served by other machine readable card technologies, such as barcode and magnetic stripe, are converting to smart cards as the calculated return on investment is revisited by each card issuer year after year.

    Applications

    First introduced in Europe nearly three decades ago, smart cards debuted as a stored value tool for payphones to reduce theft. As smart cards and other chip-based cards advanced, people found new ways to use them, including charge cards for credit purchases and for record keeping in place of paper.

    In the U.S., consumers have been using chip cards for everything from visiting libraries to buying groceries to attending movies, firmly integrating them into our everyday lives. Several U.S. states have chip card programs in progress for government applications ranging from the Department of Motor Vehicles to Electronic Benefit Transfers (EBTs).

    Many industries have implemented the power of smart cards in their products, such as the GSM digital cellular phones as well as TV-satellite decoders.

    Why Smart Cards

    Smart cards improve the convenience and security of any transaction. They provide tamper-proof storage of user and account identity. Smart card systems have proven to be more reliable than other machine-readable cards, like magnetic stripe and barcode, with many studies showing card read life and reader life improvements demonstrating much lower cost of system maintenance. Smart cards also provide vital components of system security for the exchange of data throughout virtually any type of network. They protect against a full range of security threats, from careless storage of user passwords to sophisticated system hacks. The costs to manage password resets for an organization or enterprise are very high, thus making smart cards a cost-effective solution in these environments. Multifunction cards can also be used to manage network system access and store value and other data. Worldwide, people are now using smart cards for a wide variety of daily tasks, which include:

    SIM Cards and Telecommunication

    The most prominent application of smart card technology is in Subscriber Identity Modules (SIM), required for all phone systems under the Global System for Mobile Communication (GSM) standard. Each phone utilizes the unique identifier, stored in the SIM, to manage the rights and privileges of each subscriber on various networks. This use case represents over half of all smart cards consumed each year. The Universal Subscriber Identification Module (USIM) is also being used to bridge the identity gap as phones transition between GSM, UMTS, and 3G network operators.

    Loyalty and Stored Value

    Another use of smart cards is stored value, particularly loyalty programs, that track and provide incentives to repeat customers. Stored value is more convenient and safer than cash. For issuers, float is realized on unspent balances and residuals on balances that are never used.

    For multi-chain retailers that administer loyalty programs across many different businesses and POS systems, smart cards can centrally locate and track all data. The applications are numerous, such as transportation, parking, laundry, gaming, retail, and entertainment.

    Securing Digital Content and Physical Assets

    In addition to information security, smart cards can ensure greater security of services and equipment by restricting access to only authorized user(s).

    Information and entertainment are being delivered via satellite or cable to the home DVR player or cable box or cable-enabled PC. Home delivery of service is encrypted and decrypted via the smart card per subscriber access. Digital video broadcast systems have already adopted smart cards as electronic keys for protection.

    Smart cards can also act as keys to machine settings for sensitive laboratory equipment and dispensers for drugs, tools, library cards, health club equipment etc. In some environments, smart card enabled SD and microSD cards are protecting digital content as it is being delivered to mobile handsets/phones.

    E-Commerce

    Smart cards make it easy for consumers to securely store information and cash for purchasing. The advantages they offer consumers are:

    The card can carry personal account, credit and buying preference information that can be accessed with a mouse click instead of filling out forms.

    Cards can manage and control expenditures with automatic limits and reporting.

    Internet loyalty programs can be deployed across multiple vendors with disparate POS systems and the card acts as a secure central depository for points or rewards.

    Micro Payments - paying nominal costs without transaction fees associated with credit cards, or for amounts too small for cash, like reprint charges.

    Bank Issued Smart Cards


    Around the globe, bank controlled co-ops (Visa, MasterCard, Discover, and American Express) have rolled out millions of smart cards under the EMV (Europay, MasterCard, VISA) standard. Often referred to as chip and PIN cards, these are the de facto type of card for bank issuance in most countries except the U.S. As Canada has just recently started its regulatory shift to EMV cards, the U.S. will be the sole island in North America that has not yet made the adoption, which is being driven by the increased types of fraud with both credit and debit cards. Smart cards have been proven to secure transactions with regularity, so much so that the EMV standard has become the norm.

    As banks enter competition in newly opened markets such as investment brokerages, they are securing transactions via smart cards at an increased rate. This means:

    Smart cards increase trust through improved security. Two-Factor Authentication ensures protection of data and value across the internet. Threats such as the "Man in the middle" and "Trojan Horses" that replay a user name and password are eliminated.

    This is improving customer service. Customers can use secure smart cards for fast, 24-hour electronic funds transfers over the internet.

    Costs are reduced: transactions that normally would require a bank employee's time and paperwork can be managed electronically by the customer with a smart card.

    Healthcare Informatics

    The explosion of health care data introduces new challenges in maintaining the efficiency of patient care and privacy safeguards. Smart cards address both of these challenges with secure, mobile storage and distribution of patient information, from emergency data to benefits status. Many socialized countries have already adopted smart cards as credentials for their health networks and as a means of carrying an immediately retrievable Electronic Health Record (EHR). Smart card benefits in healthcare include:

    Rapid, accurate identification of patients; improved treatment

    Reducing fraud through authentication of provider/patient visits and insurance eligibility

    A convenient way to carry data between systems or to sites without systems

    Reducing record maintenance costs

    Embedded Medical Device Control

    For years, embedded controllers have been in many types of machines, governing the quality and precision of their function. In Healthcare, embedded smart cards ensure the best and safest delivery of care in devices such as dialysis machines, blood analyzers and laser eye surgery equipment.

    Enterprise and Network Security


    Microsoft Windows, Sun Microsystems (a subsidiary of Oracle Corporation) and all new versions of Linux have built-in software hooks to deploy smart cards as a replacement for user name and passwords. Microsoft has built a complete credential platform around the Scard DLL and Crypto Service Provider (CSP). With enterprises realizing that Public Key Infrastructure (PKI)-enhanced security is what is needed for widely deployed employees, a smart card badge is the new standard. Business-to-business Intranets and Virtual Private Networks (VPNs) are enhanced by the use of smart cards. Users can be authenticated and authorized to have access to specific information based on preset privileges. Additional applications range from secure email to electronic commerce.

    Physical Access

    Businesses and universities of all types need simple identity cards for all employees and students. Most of these individuals are also granted access to certain data, equipment, and departments according to their status. Multifunction, microprocessor-based smart cards incorporate identity with access privileges and can also store value for use in various locations, such as cafeterias and stores. Many hotels have also adopted ISO 7816 type card readers to secure staff-only rooms and facilities.

    All U.S. government and many corporations have now incorporated a contactless reader as an access point to their facilities. Some companies have incorporated a biometric component to this credential as well. The older systems deploy a simple proximity card system as the gate keeper. But as the security requirements have become stronger and the cost of ISO 14443 standard systems has become lower, the world is rapidly adopting this new standard. This market shift is partially driven by the US government's adoption of the mandated Personal Identity Verification (PIV) standard. There is a rich ecosystem of suppliers and integrators for this standard.

    Smart cards are defined according to (1) how the card data is read and written and (2) the type of chip implanted within the card and its capabilities. There is a wide range of options to choose from when designing your system.


    Card Construction

    Almost all chip cards are built from layers of differing materials, or substrates, that when brought together properly give the card a specific life and functionality. The typical card today is made from PVC, Polyester or Polycarbonate. The card layers are printed first and then laminated in a large press. The next step in construction is the blanking or die cutting. This is followed by embedding a chip and then adding data to the card. In all, there may be up to 30 steps in constructing a card. The total components, including software and plastics, may be as many as 12 separate items; all this in a unified package that appears to the user as a simple device.


    Contact Cards

    These are the most common type of smart card. Electrical contacts located on the outside of the card connect to a card reader when the card is inserted. This connector is bonded to the encapsulated chip in the card.


    Increased levels of processing power, flexibility and memory will add cost. Single function cards are usually the most cost-effective solution. Choose the right type of smart card for your application by determining your required level of security and evaluating cost versus functionality in relation to the cost of the other hardware elements found in a typical workflow. All of these variables should be weighed against the expected lifecycle of the card. On average the cards typically comprise only 10 to 15 percent of the total system cost with the infrastructure, issuance, software, readers, training and advertising making up the other 85 percent. The following chart demonstrates some general rules of thumb:

    Card Function Trade-Offs


    Memory Cards

    Memory cards cannot manage files and have no processing power for data management. All memory cards communicate to readers through synchronous protocols. In all memory cards you read and write to a fixed address on the card. There are three primary types of memory cards: Straight, Protected, and Stored Value. Before designing these cards into a proposed system the issuer should check to see if the readers and/or terminals support the communication protocols of the chip. Most contactless cards are variants on the protected memory/segmented memory card idiom.

    Straight Memory Cards

    These cards just store data and have no data processing capabilities. Often made with I2C or serial flash semiconductors, these cards were traditionally the lowest cost per bit for user memory. This has now changed with the larger quantities of processors being built for the GSM market. This has dramatically cut into the advantage of these types of devices. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader. These cards are easily duplicated and cannot be tracked by on-card identifiers.


    Protected / Segmented Memory Cards

    These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards, these devices can be set to write-protect some or the entire memory array. Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality. These cards are not easily duplicated but can possibly be impersonated by hackers. They typically can be tracked by an on-card identifier.

    Stored Value Memory Cards

    These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card, the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable cards.

    CPU/MPU Microprocessor Multifunction Cards

    These cards have on-card dynamic data processing capabilities. Multifunction smart cards allocate card memory into independent sections or files assigned to a specific function or application. Within the card is a microprocessor or microcontroller chip that manages this memory allocation and file access. This type of chip is similar to those found inside all personal computers and when implanted in a smart card, manages data in organized file structures, via a card operating system (COS). Unlike other operating systems, this software controls access to the on-card user memory. This capability permits different and multiple functions and/or different applications to reside on the card, allowing businesses to issue and maintain a diversity of products through the card. One example of this is a debit card that also enables building access on a college campus. Multifunction cards benefit issuers by enabling them to market their products and services via state-of-the-art transaction and encryption technology. Specifically, the technology enables secure identification of users and permits information updates without replacement of the installed base of cards, simplifying program changes and reducing costs. For the card user, multifunction means greater convenience and security, and ultimately, consolidation of multiple cards down to a select few that serve many purposes.

    There are many configurations of chips in this category, including chips that support cryptographic Public Key Infrastructure (PKI) functions with on-board math co-processors or JavaCard with virtual machine hardware blocks. As a rule of thumb - the more functions, the higher the cost.


    Contactless Cards

    These are smart cards that employ a radio frequency (RFID) between card and reader without physical insertion of the card. Instead, the card is passed along the exterior of the reader and read. Types include proximity cards which are implemented as a read-only technology for building access. These cards function with a very limited memory and communicate at 125 MHz. Another type of limited card is the Gen 2 UHF Card that operates at 860 MHz to 960 MHz.

    True read and write contactless cards were first used in transportation applications for quick decrementing and reloading of fare values where their lower security was not an issue. They communicate at 13.56 MHz and conform to the ISO 14443 standard. These cards are often protected memory types. They are also gaining popularity in retail stored value since they can speed up transactions without lowering transaction processing revenues (i.e. Visa and MasterCard), unlike traditional smart cards.

    Variations of the ISO 14443 specification include A, B, and C, which specify chips from either specific or various manufacturers: A = NXP (Philips), B = everybody else, and C = Sony-only chips. Contactless card drawbacks include the limits of cryptographic functions and user memory, versus microprocessor cards, and the limited distance between card and reader required for operation.

    Multi-mode Communication Cards

    These cards have multiple methods of communications, including ISO 7816, ISO 14443 and UHF Gen 2. How the card is made determines if it is a Hybrid or dual interface card. The term can also include cards that have a magnetic stripe and/or bar code as well.

    Hybrid Cards

    Hybrid cards have multiple chips in the same card. These are typically attached to each interface separately, such as a MIFARE chip and antenna with a contact 7816 chip in the same card.

    Dual Interface Card

    These cards have one chip controlling the communication interfaces. The chip may be attached to the embedded antenna through a hard connection, inductive method or with a flexible bump mechanism.

    Multi-component Cards

    These types of cards are for a specific market solution. For example, there are cards where the fingerprint sensor is built on the card. Or one company has built a card that generates a one-time password and displays the data for use with an online banking application. Vault cards have rewriteable magnetic stripes. Each of these technologies is specific to a particular vendor and is typically patented.

    Smart Card Form Factors

    The expected shape for cards is often referred to as CR80. Banking and ID cards are governed by the ISO 7810 specification. But this shape is not the only form factor that cards are deployed in. Specialty shaped cutouts of cards with modules and/or antennas are being used around the world. The most common shapes are SIM. SD and MicroSD cards can now be deployed with the strength of smart card chips. USB flash drive tokens are also available that leverage the same technology of a card in a different form factor.

    Integrated Circuits and Card Operating Systems

    The two primary types of smart card operating systems are (1) fixed file structure and (2) dynamic application system. As with all smart card types, the selection of a card operating system depends on the application that the card is intended for. The other defining difference lies in the encryption capabilities of the operating system and the chip. The types of encryption are Symmetric Key and Asymmetric Key (Public Key).

    The chip selection for these functions is vast and supported by many semiconductor manufacturers. What separates a smart card chip from other microcontrollers is often referred to as trusted silicon. The device itself is designed to securely store data withstanding outside electrical tampering or hacking. These additional security features include a long list of mechanisms such as no test points, special protection metal masks and irregular layouts of the silicon gate structures. The trusted silicon semiconductor vendor list below is current for 2010:

    Atmel

    EM Systems

    Infineon

    Microchip

    NXP

    Renesas Electronics

    Samsung

    Sharp

    Sony

    ST Microelectronics

    Many of the features that users have come to expect, such as specific encryption algorithms, have been incorporated into the hardware and software libraries of the chip architectures. This can often result in a card manufacturer not future-proofing their design by having their card operating systems only ported to a specific device. Care should be taken in choosing the card vendor that can support your project over time as card operating system-only vendors come in and out of the market. The tools and middleware that support card operating systems are as important as the chip itself. The tools to implement your project should be easy to use and give you the power to deploy your project rapidly.

    Please see the security section on this website for more information regarding PKI.

    Fixed File Structure Card Operating System

    This type treats the card as a secure computing and storage device. Files and permissions are set in advance by the issuer. These specific parameters are ideal and economical for a fixed type of card structure and functions that will not change in the near future. Many secure stored value and healthcare applications are utilizing this type of card. An example of this kind of card is a low-cost employee multi-function badge or credential. Contrary to some biased articles, these style cards can be used very effectively with a stored biometric component and reader. Globally, these types of microprocessor cards are the most common.

    Dynamic Application Card Operating System

    This type of operating system, which includes the JavaCard and proprietary MULTOS card varieties, enables developers to build, test, and deploy different on-card applications securely. Because the card operating systems and applications are more separate, updates can be made. An example card is a SIM card for mobile GSM where updates and security are downloaded to the phone and dynamically changed. This type of card deployment assumes that the applications in the field will change in a very short time frame, thus necessitating dynamic expansion of the card as a computing platform. The costs to change applications in the field are high, due to the ecosystem requirements of security for key exchange with each credential. This is a variable that should be scrutinized carefully in the card system design phase.

    Smart Card Readers & Terminals

    Readers and terminals operate with smart cards to obtain card information and perform a

    transaction.

    Generally, a reader interfaces with a PC for the majority of its processing requirements. A

    terminal is a self-contained processing device. Both readers and terminals read and write to

    smart cards.

    Readers


    Contact

    This type of reader requires a physical connection to the cards, made by inserting the card into the reader. This is the most common reader type for applications such as ID and Stored Value. Card-to-reader communication is often ISO 7816 T=0 only. This communication has the advantage of direct coupling to the reader and is considered more secure. The other advantage is speed. The typical PTS (Protocol Type Selection, ISO 7816-3) negotiated speed can be up to 115 kilobaud. This interface enables larger data transport without the overhead of anti-collision and wireless breakdown issues that result from the card moving in and out of the reader antenna range.

    Contactless

    This type of reader works with a radio frequency that communicates when the card comes close to the reader. Many contactless readers are designed specifically for Payment, Physical Access Control and Transportation applications. The dominant protocol under the ISO 14443 is MIFARE, followed by the EMV standards.

    Interface


    A contact reader is primarily defined by the method of its interface to a PC. These methods include RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA ports and keyboards and keyboard wedge readers. Some readers support more than one type of card such as the tri-mode insert readers from MagTek. These readers support magnetic stripe, contact and contactless read operations all in one device.

    Reader & terminal to card communication

    All cards and readers that follow ISO 7816-3 standards have a standardized set of commands that enable communication for CPU cards.

    These commands, called APDUs (Application Protocol Data Units), can be executed at a very low level, or they can be scripted into APIs which enable the user to send commands from an application to a reader.

    The reader communicates with the card where the response to the request takes place.

    From a technical perspective, the key is the APIs that are chosen. These layers of software can enable effective application communication with smart cards and readers from more than one manufacturer. Most terminal SDKs come with a customized API for that platform. They are typically in some form of C, C++ or C# and will have the header files included. Many smart card readers have specific drivers/APIs for memory cards. For ISO 7816 processor cards the PC/SC interface is often employed, but it has limitations. This is especially important if you have both memory and microprocessor cards that are used in the same system. Some APIs give the software designer the ability to select readers from multiple vendors.

    The following are some of the function calls provided for transporting APDUs and their functions:

    Reader Select

    Reader Connect

    Reader Disconnect

    Card Connect

    Card Disconnect

    Proprietary Commands for specific readers and cards

    Allow ISO Commands to be passed to cards using standard ISO format

    Allow ISO Commands to be sent to cards using a simplified or shortcut format (as in the CardLogix Winplex API)

    Applications Development

    The development of PC applications for readers has been simplified by the Personal Computer/Smart Card (PC/SC) standard. This standard is supported by all major operating systems. The problem with the PC/SC method is that it does not support all of the reader functions offered by each manufacturer such as LED control and card latching/locking. When just using the drivers for each reader manufacturer there is no connection to the functions of the card.

    The better choice is Application Programming Interfaces (APIs) that are readily available in Software Design Kits (SDKs) that support specific manufacturers' card families. Check these kits for the variety of reader manufacturers supported. M.O.S.T. and Smart Toolz from CardLogix are a good example of a well rounded Smart Card SDK.

    Terminals

    Unlike readers, terminals are more similar to a self-contained PC, with most featuring operating systems and development tools. Terminals are often specific to the use case such as Security, health informatics or POS (Point of Sale). Connectivity in the terminals is typically via Transmission Control Protocol/Internet Protocol (TCP/IP) or GSM network. Many terminals today feature regular OSs, making deployment easier, such as Datastrip with Windows CE or Exadigm with Linux.

    Smart Card Security

    Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications.

    The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.

    What Is Security?

    Security is basically the protection of something valuable to ensure that it is not stolen, lost, or altered. The term "data security" governs an extremely wide range of applications and touches everyone's daily life. Concerns over data security are at an all-time high, due to the rapid advancement of technology into virtually every transaction, from parking meters to national defense.

    Data is created, updated, exchanged and stored via networks. A network is any computing system where users are highly interactive and interdependent and by definition, not all in the same physical place. In any network, diversity abounds, certainly in terms of types of data, but also types of users. For that reason, a system of security is essential to maintain computing and network functions, keep sensitive data secret, or simply maintain worker safety. Any one company might provide an example of these multiple security concerns: Take, for instance, a pharmaceutical manufacturer:

    Type of Data | Security Concern | Type of Access

    Drug Formula | Basis of business income. Competitor spying | Highly selective list of executives

    Accounting, Regulatory | Required by law | Relevant executives and departments

    Personnel Files | Employee privacy | Relevant executives and departments

    Employee ID | Non-employee access. Inaccurate payroll, benefits assignment | Relevant executives and departments

    Facilities | Access authorization | Individuals per function and clearance such as customers, visitors, or vendors

    Building safety, emergency response | All employees | Outside emergency response

    What Is Information Security?

    Information security is the application of measures to ensure the safety and privacy of data

    by managing its storage and distribution. Information security has both technical and social implications. The first simply deals with the 'how' and 'how much' question of applying

    secure measures at a reasonable cost. The second grapples with issues of individual

    freedom, public concerns, legal standards and how the need for privacy intersects them. This discussion covers a range of options open to business managers, system planners and

    programmers that will contribute to your ultimate security strategy. The eventual choice

    rests with the system designer and issuer.

    The Elements of Data Security

    In implementing a security system, all data networks deal with the following main

    elements:

    - Hardware, including servers, redundant mass storage devices, communication channels and lines, hardware tokens (smart cards) and remotely located devices (e.g., thin clients or Internet appliances) serving as interfaces between users and computers

    - Software, including operating systems, database management systems, communication and security application programs

    - Data, including databases containing customer-related information

    - Personnel, to act as originators and/or users of the data; professional personnel, clerical staff, administrative personnel, and computer staff

    The Mechanisms of Data Security

    Working with the above elements, an effective data security system works with the

    following key mechanisms to answer:

    - Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was not lost or corrupted when it was sent to you

    - Is The Data Correct And Does It Come From The Right Person? (Authentication) This proves user or system identities

    - Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender? (Non-Repudiation)

    - Can I Keep This Data Private? (Confidentiality) Ensures only senders and receivers access the data. This is typically done by employing one or more encryption techniques to secure your data

    - Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can set and manage access privileges for additional users and groups

    - Can I Verify That The System Is Working? (Auditing and Logging) Provides a constant monitor and troubleshooting of security system function

    - Can I Actively Manage The System? (Management) Allows administration of your security

    Smart Card Security, Part 2

    Data Integrity

    This is the function that verifies the characteristics of a document and a transaction.

    Characteristics of both are inspected and confirmed for content and correct authorization. Data Integrity is achieved with electronic cryptography that assigns a unique identity to

    data like a fingerprint. Any attempt to change this identity signals the change and flags any

    tampering.

    Authentication

    This inspects, then confirms, the proper identity of people involved in a transaction of data

    or value. In authentication systems, authentication is measured by assessing the mechanism's strength and how many factors are used to confirm the identity. In a PKI

    system a Digital Signature verifies data at its origination by producing an identity that can

    be mutually verified by all parties involved in the transaction. A cryptographic hash

    algorithm produces a Digital Signature.

    Non-Repudiation

    This eliminates the possibility of a transaction being repudiated, or invalidated, by incorporating a Digital Signature that a third party can verify as correct. Similar in concept to registered mail, the recipient of data re-hashes it, verifies the Digital Signature, and

    compares the two to see that they match.
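    The hash-and-compare check described under Data Integrity and Non-Repudiation above, as an added Python example (not part of the original document). It uses unpadded textbook RSA with a constructed demo key built from two publicly known Mersenne primes, so the key, the sample record and all function names are assumptions for illustration; production signatures use secret random primes and a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Constructed demo key: two Mersenne primes. Publicly known primes make this
# key trivially breakable; it exists only so the example runs with the
# standard library. Unpadded "textbook" RSA is used for clarity only.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (kept by the signer)


def fingerprint(data: bytes) -> int:
    """Data integrity: SHA-256 digest of the data, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Signer: hash the data, then transform the hash with the private key."""
    return pow(fingerprint(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Any party: re-hash the data, recover the signed hash with the public
    key, and compare the two values."""
    return pow(signature, E, N) == fingerprint(data)


# Constructed sample transaction record.
RECORD = b"card=0001;debit=25.00;terminal=T-17"
SIGNATURE = sign(RECORD)
TAMPERED = RECORD.replace(b"25.00", b"95.00")

if __name__ == "__main__":
    print("original verifies:        ", verify(RECORD, SIGNATURE))
    print("tampered record verifies: ", verify(TAMPERED, SIGNATURE))
    print("altered signature verifies:", verify(RECORD, SIGNATURE + 1))
```

    Because only the holder of the private exponent can produce a value that verifies under the public key, a third party running `verify` can confirm both that the record is unchanged and who signed it.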

    Authorization and Delegation

    Authorization is the process of allowing access to specific data within a system.

    Delegation is the utilization of a third party to manage and certify each of the users of your

    system (Certificate Authorities).

    Authorization and Trust Model

    Auditing and Logging

    This is the independent examination and recording of records and activities to ensure

    compliance with established controls, policy, and operational procedures, and to

    recommend any indicated changes in controls, policy, or procedures.

    Management

    This is the oversight and design of the elements and mechanisms discussed above and below.

    Card management also requires the management of card issuance, replacement and retirement as well as policies that govern a system.

    Cryptography / Confidentiality

    Confidentiality is the use of encryption to protect information from unauthorized disclosure. Plain text is turned into cipher text via an algorithm, and then decrypted back

    into plain text using the same method.

    Cryptography is the method of converting data from a human readable form to a modified

    form, and then back to its original readable form, to make unauthorized access difficult.

    Cryptography is used in the following ways:

    - Ensures data privacy, by encrypting data

    - Ensures data integrity, by recognizing if data has been manipulated in an unauthorized way

    - Ensures data uniqueness by checking that data is "original", and not a "copy" of the "original". The sender attaches a unique identifier to the "original" data. This unique identifier is then checked by the receiver of the data.

    The original data may be in a human-readable form, such as a text file, or it may be in a computer-readable form, such as a database, spreadsheet or graphics file. The original data

    is called unencrypted data or plain text. The modified data is called encrypted data or

    cipher text. The process of converting the unencrypted data is called encryption. The

    process of converting encrypted data to unencrypted data is called decryption.

    Data Security Mechanisms and their Respective Algorithms

    In order to convert the data, you need to have an encryption algorithm and a key. If the same key is used for both encryption and decryption that key is called a secret key and the

    algorithm is called a symmetric algorithm. The most well-known symmetric algorithm is

    DES (Data Encryption Standard).

    The Data Encryption Standard (DES) was invented by the IBM Corporation in the 1970's.

    During the process of becoming a standard algorithm, it was modified according to

    recommendations from the National Security Agency (NSA). The algorithm has been studied by cryptographers for over 30 years. During this time, no methods have been

    published that describe a way to break the algorithm, except for brute-force techniques.

    DES has a 56-bit key, which offers 2^56 or 7 x 10^16 possible variations. There are a very small number of weak keys, but it is easy to test for these keys and they are easy to avoid.

    Triple-DES is a method of using DES to provide additional security. Triple-DES can be

    done with two or with three keys. Since the algorithm performs an encrypt-decrypt-encrypt

    sequence, this is sometimes called the EDE mode. This diagram shows Triple-DES three-key mode used for encryption:
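    The encrypt-decrypt-encrypt ordering described above, as an added Python example (not part of the original document). A small Feistel cipher built on SHA-256 stands in for DES so the block runs with the standard library alone; the stand-in cipher, the keys and the sample block are constructed assumptions. It also covers two-key mode (K3 = K1) and shows that EDE with three equal keys reduces to one single encryption.

```python
import hashlib

ROUNDS = 8  # stand-in cipher parameter (assumption); real DES uses 16 rounds


def _round(half: bytes, key: bytes, i: int) -> bytes:
    """Round function of the stand-in cipher: 4 bytes of SHA-256 output."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def _feistel(block: bytes, key: bytes, order) -> bytes:
    """Feistel network on a 64-bit block (the block size DES uses)."""
    left, right = block[:4], block[4:]
    for i in order:
        mixed = bytes(a ^ b for a, b in zip(left, _round(right, key, i)))
        left, right = right, mixed
    return right + left  # final swap: decryption is the same walk, rounds reversed


def encrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, range(ROUNDS))


def decrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, reversed(range(ROUNDS)))


def ede_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Encrypt with K1, decrypt with K2, encrypt with K3."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def ede_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Undo the sequence in reverse: decrypt K3, encrypt K2, decrypt K1."""
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


# Constructed sample block and keys.
BLOCK = b"CARD0001"
K1, K2, K3 = b"key-one!", b"key-two!", b"key-3!!!"

if __name__ == "__main__":
    three_key = ede_encrypt(BLOCK, K1, K2, K3)
    two_key = ede_encrypt(BLOCK, K1, K2, K1)          # two-key mode: K3 = K1
    print("three-key round trip:", ede_decrypt(three_key, K1, K2, K3) == BLOCK)
    print("two-key round trip:  ", ede_decrypt(two_key, K1, K2, K1) == BLOCK)
    # With K1 = K2 = K3 the inner decrypt cancels the first encrypt, so EDE
    # equals one single encryption (compatibility with single-key systems).
    print("equal keys == single:", ede_encrypt(BLOCK, K1, K1, K1) == encrypt(BLOCK, K1))
```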

    The Advanced Encryption Standard (AES) is the newest symmetric-key encryption

    standard adopted by the U.S. government. The standard comprises three block ciphers,

    AES-128, AES-192 and AES-256, adopted from a larger collection originally published as

    Rijndael. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used

    worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

    AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in

    which fifteen competing designs were presented and evaluated before Rijndael was

    selected as the most suitable. It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different

    encryption packages. AES is the first publicly accessible and open cipher approved by the

    NSA for top secret information.

    If different keys are used for encryption and decryption, the algorithm is called an

    asymmetric algorithm. The most well-known asymmetric algorithm is RSA, named after its

    three inventors (Rivest, Shamir, and Adleman). This algorithm uses two keys, called the public key and the private key. These keys are mathematically linked. Here is a diagram that illustrates an

    asymmetric algorithm:

    Asymmetric algorithms involve extremely complex mathematics typically involving the factoring of large prime numbers. Asymmetric algorithms are typically stronger than a

    short key length symmetric algorithm. But because of their complexity they are used in

    signing a message or a certificate. They are not ordinarily used for data transmission

    encryption.

    Conclusions

    Smart cards can add convenience and safety to any transaction of value and data; but the

    choices facing today's managers can be daunting. We hope this site has adequately

    presented the options and given you enough information to make informed evaluations of performance, cost and security that will produce a smart card system that fits today's needs

    and those of tomorrow. It is our sincere belief that informed users make better choices,

    which leads to better business for everybody.

    Terminology

    ATR: Answer to reset

    BCD: Binary-coded decimal

    CHV: Card Holder Verification

    COS: Card operating system

    DF: Dedicated File

    IC: Integrated circuit

    PC/SC: Personal computer / smart card

    MF: Master File

    PPS: Protocol and Parameter Select

    RFU: Reserved for Future Use