INDEX

Certificate

Acknowledgement

History

Contents Page No.1. Introduction 6-11

1.1 What is smart card? 6

1.1.1 Memory vs. Microprocessor

1.1.2 Contact vs. Contactless

1.2 Why Smart Card? 7

1.3 Classification of cards 8

1.4 OS based classification 8

1.5 Physical & Electrical Properties of Smart Card 9

1.5.1 Physical Dimension

1.5.2 Electrical properties

2. Smart Card CPU Architecture 12-17 2.1 Cryptographic capabilities 13

2.2 Data Transmission 13

2.3 Instruction Sets 13

2.4 Data Storage 14

2.5 Smart Card Readers Ports 15

2.6 Overview Current Smart Card Interfaces 16

3. Security Mechanisms 18-20 3.1 Password Verification 18

3.2 Cryptographic Verification 18

3.3 Biometric Technique 18

3.4 Working of Smart Card 19

3.5 Smart cards for Data Security 19

3.5.1 Host based system security 19

3.5.2 Card based system security 20

3.6 The Smart Card Security Advantage 20

4. The Future : Internet Smart Card 21 4.1 What IP connectivity means 21

4.2 Security challenges with IP connectivity 21

5. Features of Smart Card 22-25 5.1 Advantages 22

5.2 Disadvantages 22

5.3 Special Features 23

5.4 Applications 23

5.6 Smart Card Examples 24

ConclusionBibliography

Figure Index

Figure 1: Examples of smart card 6Figure 2: Smart card physical dimension 9Figure 3: Inside a smart card 10Figure 4: Connection diagram of smart card 10Figure 5: architecture of smart card 12

Table Index

Table 1: Functional description 11Table 2: sample Instruction Types 14Table 3: Parts of various readers 15Table 4: Some special features 23

History

The smart card is one of the latest additions to the world of information technology. Similar in

size to today’s plastic payment card, the smart card has a microprocessor or memory chip

embedded in it that, when coupled with a reader, has the processing power to serve many

different applications. As an access-control device, smart cards make personal and business

data available only to the appropriate users. Another application provides users with the ability

to make a purchase or exchange value. Smart cards provide data portability, security and

convenience.

In 1968, German inventor Jurgen Dethloff along with Helmet Grotrupp filed a patent

for using plastic as a carrier for microchips.

In 1970, Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card

concept

In 1974, Roland Moreno of France files the original patent for the IC card, later dubbed the

“smart card.”

In 1977, three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger began

developing the IC card product.

In1979, Motorola developed first single chip Microcontroller for French Banking

In 1982,World's first major IC card testing is done.

In 1992,Nationwide prepaid card project started in Denmark

In 1999 ,Federal Government began a Federal employee smart card identification

SMART CARD TECHNOLOGY

1. Introduction

Plastic ID cards are used extensively for identification and authentication purposes in various

applications such as driving licenses, Bank ATM card, Credit card, Club membership card, and

in various Academic and commercial organizations as well. Some of these cards contain a

magnetic-strip to make it machine readable. However these cards are not secure enough and

given the right kind of equipment, the information on these cards can be modified easily.

Smart card is the youngest and cleverest one in the family of identification card. Its

characteristic feature is in an integrated circuit embedded in the card, which has components for

the transmission, storage and processing of data. Smart card offers many advantages compared

to magnetic-strip card. One of the important advantages is that stored data can be protected

against unauthorized access and modification. Smart cards can be divided into two groups

according to the underlying technology. Cards in the first group use memory based technology

and provides a secure storage of data. Cards in the second group use microprocessor cards and

provide a standardized exchange of information to implement authentication, verification,

secure storage, encryption and decryption etc. Cards in this category use an Operating System

interface.

Fig 1: Example of smart card

1.1 What is Smart Card?A device that includes an embedded secure integrated circuit that can be either a secure

microcontroller or equivalent intelligence with internal memory or secure memory chip alone.

The card connects to a reader with a physical contact or with a remote contactless radio

frequency interface. With an embedded microcontrollers, smart cards have the unique ability to

secure the large amount of data, carry out their own on-card function & interact intelligently

with a smart card reader. Smart card confirms to international standards(ISO/IEC 7810

andISO/IEC 14443) and is available in variety of form factors,including plastic cards,SIM used

in GSM mobile phones and USB-based tokens.

1.1.1 Memory vs. microprocessorSmart cards come in two varieties: memory and microprocessor. Memory cards simply store

data and can be viewed as a small floppy disk with optional security. A microprocessor card, on

the other hand, can add, delete and manipulate information in its memory on the card. Similar

to a miniature computer, a microprocessor card has an input/output port operating system and

hard disk with built-in security features.

1.1.2 Contact vs. contactlessSmart cards have two different types of interfaces: contact and contactless. Contact smart cards

are inserted into a smart card reader, making physical contact with the reader. However,

contactless smart cards have an antenna embedded inside the card that enables communication

with the reader without physical contact. A combi card combines the two features with a very

high level of security.

1.2 Why Smart Cards ?High physical protection of the stored data, especially the private key.

Flexible configuration of access conditions to use the private key for signature operations.

Duplication of private keys can be prevented (this is not so with a soft PSE).

Security evaluation according ITSEC E4 high or CC EAL 4+ or even higher

Use of already available smart card infrastructures e.g. future ECC (European Citicen Cards) or eHealth cards.

1.3 Classification Of Cards

Embossed : Textual information or designs on the card can be transferred to paper.

Magnetic-Stripe: Advantage over embossing is a reduction in the flood of paper documents.

Smart Cards: Greater capability to store.

Stored data can be protected against unauthorized access and tampering.

Memory functions such as reading, writing, and erasing can be done.

More reliable and have longer expected lifetimes.

Memory-Cards: Less expensive and much less functional than microprocessor cards. Contain

EEPROM and ROM memory, as well as some address and security logic. Applications are pre-

paid telephone cards and health insurance cards.

Microprocessor-Cards:Components of this type of architecture include a CPU, RAM, ROM,

and EEPROM.

Cryptographic-Coprocessor-Cards:A cryptographic coprocessor reduces the time required

for various operations. The coprocessors include additional arithmetic units developed

specifically for large integer math and fast exponentiation.

Drawback is the cost.

Beneficial for security.

Contactless-Smart Cards : Contacts are one of the most frequent failure points any electromechanical system due to dirt, wear, etc.

Cards need no longer be inserted into a reader, which could improve end user acceptance.

No chip contacts are visible on the surface of the card.

Optical-Memory-Cards: These cards can carry many megabytes of data, but the cards can only be written once and never erased with today’s technology.

1.4 OS Based ClassificationSmart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being:1. MultOS 2. JavaCard3. Cyberflex4. StarCOS5. MFCSmart Card Operating Systems or SCOS as they are commonly called, are placed on the ROM and usually occupy lesser than 16 KB. SCOS handle:• File Handling and Manipulation.• Memory Management• Data Transmission Protocols.

1.5 Physical and Electrical Properties of a Smart Card 1.5.1 Physical Dimensions The physical size of a smartcard is designated as ID-1.

The dimensions are 85.6 mm by 54 mm, with a corner radius of 3.18 mm and a thickness of

0.76mm. Specifications address such things as UV radiation, X-ray radiation, the card’s surface

profile, mechanical robustness of card and contacts, electromagnetic susceptibility,

electromagnetic discharges, and temperature resistance.

Fig2. Smartcard physical dimensions.

1.5.2 Electrical Properties The electrical specifications for smart cards are defined

in ISO/IEC 7816 and GSM 11.11. Most smart cards have eight contact fields on the front

face; however, two of these are reserved for future use.

ISO 7816 Design and use of identification cards having integrated circuits with contacts (1987)

This standard in its many parts is probably the most important specification for the lower layers of the

IC card. The first 3 parts in particular are well established and allow total physical and electrical

interoperability as well as defining the communication protocol between the IC card and the CAD (Card

Acceptor Device).

Fig 3: Inside a Smart Card

Fig 4: Connection Diagram of Smart Card

Table1: Functional description

Position Technical Abbreviation Function

C1 Vcc Supply Voltage

VccRSTCL

KRFU

VppI/O

GND

RFU

C2 RST Reset

C3 CLK Clock Frequency

C4 RFU Reserved for future use

C5 GRD Ground

C6 RFU Reserved for future use

C7 I/O Serial input/output communications

C8 RFU Reserved for future use

The Vcc supply voltage is specified at 5 volts ± 10%. There is an industry push for smartcard standards to

support 3-volt technology because all mobile phone components are available in a 3-volt configuration, and

smartcards are the only remaining component, which require a mobile phone to have a charge converter.

2. Smart card CPU Architecture A smart card is a plastic card that contains an embedded integrated circuit (IC).Examples: Our

very Own T-Card!,Credit Cards,Cell Phone SIM Cards.They store and process Information.

Smart Cards Can be used to add authentication and secure access to information systems that

require a high level of security.

The different elements of the smart card are:

CPU( Central Processing Unit ): It is the heart of the chip.

Security logic: It detects abnormal conditions,e.g. low voltage.

Serial i/o interface: Used for contact to the outside world.

Test logic: self-test procedures.

ROM: Rom is card operating system, self-test procedures and have typically 16 kbytes, future

32/64 kbytes.

RAM:‘scratch pad’ of the processor, typically 512 bytes, in future 1 kbyte.

EEPROM: It is used as cryptographic keys,PIN code,biometric template,balance,application

code. It is typically 8 kbytes & in future 32 kbytes.

Fig 5: Architecture of smart card

2.1 Cryptographic Capabilities Smart cards have sufficient cryptographic capabilities to support popular security applications

and protocols.

RSA signatures and verifications are supported with a choice of 512, 768, or 1024 bit key

lengths.

CPU

RAM

test logic

ROM

EEPROM

serial i/ointerface

security logic

databuss

The Digital Signature Algorithm (DSA) is less widely implemented than RSA.

Smart cards support the ability to configure multiple PINs that can have different purposes.

Random number generation (RNG) varies among card vendors. Some implement a pseudo

RNG where each card has a unique seed. Some cards have a true, hardware based RNG using

some physical aspect of the silicon.

2.2 Data TransmissionsAll communications to and from the smartcard are carried out over the C7 contact.

1.A card is inserted into a terminal; it is powered up by the terminal, executes a power-on-reset,

and sends an Answer to Reset (ATR) to the terminal.

2.The ATR is passed, various parameters are extracted, and the terminal then submits the initial

instruction to the card.

3.The card generates a reply and sends it back to the terminal.

The client/server relationship continues in this manner until processing is completed and the

card is removed from the terminal.

There are several different protocols for exchanging information in the client/server

relationship. They are designated "T=" plus a number.

The two protocols most commonly seen are T=0 and T=1, T=0 being the most popular.

2.3 Instruction Sets

More than 50 instructions and their corresponding execution parameters are defined. . Typically, a smartcard

will implement only a subset of the possible instructions, specific to its application. This is due to memory or

cost limitations.

Instructions can be classified by function as follows:

Table 2: Sample instruction types

File selection

File reading and writing

File searching

File operations

Identification

Authentication

Cryptographic functions

File management

Instructions for electronic purses or credit cards

Operating system completion

Hardware testing

Special instructions for specific applications

Transmission protocol support

2.4 Data StorageData is stored in smart cards in E2PROM. Card OS provides a file structure mechanism.

File types may be in the form of Binary file (unstructured), Fixed size record file, Variable size

File structure

There are three categories of files,

Master file (MF)

Dedicated file (DF)

Elementary file (EF)

The Master file(MF) is a mandatory file for conformance with the standard and represents the root of

the file structure. It contains the file control information and allocable memory. Depending on the

particular implementation it may have dedicated files and /or elementary files as descendants .

A dedicated file(DF) has similar properties to the master file and may also have other dedicated files

and/orelementary files as descendants.

An elementary file(EF) is the bottom of any chain from the root MF file and may contain data as well as

file control information. An elementary file has no descendants. A number of elementary file types are

defined as follows,

. Working file

. Public file

. Application control file

2.5 Smart Card Readers PortsAll smartcard-enabled terminals, by definition, have the ability to read and write as long as the smartcard supports it and the proper access conditions have been fulfilled.

Mechanically, readers have various options including: whether the user must insert/remove the

card versus automated insertion/ejection mechanism, sliding contacts versus landing contacts,

and provisions for displays and keystroke entry. Table 3: Ports for various readers

Serial Port Very common; robust,

inexpensive. Cross platform

Many desktop computers have no free

serial ports. Requires external power

PCMCIA Excellent for traveling users with

laptop computers

Can be slightly more expensive. Many

desktop systems don't have PCMCIA

MF

DF DF

DF

EF EF

EF

EF EF

PS/2

Keyboard

Easy to install with a wedge

adapter. Supports protected PIN

Slower communication speeds.

Floppy Very easy to install Requires a battery. Communications

speed can be an issue.USB Very high data transfer speeds. Not yet widely available. Shared bus

could pose a security issue.Built-in No need for hardware or software

installation.

Not yet widely available.

2.6 Overview current Smart Card Interfaces Interface Available

Smartcard

Functionality

Supported

PC

Operating

Systems

Availability Integration

Efforts

Timing

CT-API Whole smartcard

functionality

Always

Win32

and on

several

Unix

systems

Available for

all

smartcards

and

terminals

Strongly

dependent on

the

desired

functionality

Fast smartcard

access, but no

resource

management

PC/SC Dependence on

the

ServiceProviders

functions

Mostly

Win32

Available for

most

terminals and

smartcards

Different

smartcards

can

be supported

Strongly

dependent on

the

implementation

PKCS#11 Interface only

for PKI

applications

Win32,

Linux,

Solaris

Only

available for

some

combinations

Easy to use

in

combination

with PKI

Strongly

dependent on

the

implementation

of smartcards

and

terminals

applications

OCF Strongly

dependent on the

different Card

Services

All systems

with a

Java runtime

environment

Available for

a few

terminals, all

CardServices

are seldom

implemented

Easy

integration

in Java

applications

and

Applets

Not very fast,

because of

Java-

Interpreter

3. Security Mechanisms

Password:For Card holder’s protection

Cryptographic challenge Response: Entity authentication

Biometric information: Person’s identification.

3.1 Password Verification

Terminal asks the user to provide a password. Password is sent to Card for verification.

Scheme can be used to permit user authentication. Not a person identification scheme.

3.2Cryptographic verificationTerminal verify card (INTERNAL AUTH)

Terminal sends a random number to card to be hashed or encrypted using a key. Card provides

the hash or cyphertext. Terminal can know that the card is authentic.

Card needs to verify (EXTERNAL AUTH)

Terminal asks for a challenge and sends the response to card to verify Card thus know that

terminal is authentic.Primarily for the “Entity Authentication”.

3.3 Biometric TechniqueFinger print identification: Features of finger prints can be kept on the card (even verified on

the card). Photograph/IRIS pattern etc.such information is to be verified by a person. The

information can be stored in the card securely.

3.4 Working of Smart Card

3.5 Smart Cards For Data SecurityThere are two methods of using cards for data system security, host-based and card-based. The

safest systems employ both methodologies.

3.5.1Host Based System SecurityIt treats a card as a simple data carrier. All protection of the data is done from the host

computer. The card data may be encrypted but the transmission to the host can be vulnerable to

attack. A common method of increasing the security is to write in the clear (not encrypted) a

key that usually contains a date and/or time along with a secret reference to a set of keys on the

host. Each time the card is re-written the host can write a reference to the keys. This way each

transmission is different.

3.5.2 Card Based System SecurityThese systems are typically microprocessor card-based. A card, or token-based system treats a

card as an active computing device. The Interaction between the host and the card can be a

series of steps to determine if the card is authorized to be used in the system. The access to

Card is inserted in the terminal Card gets power. OS boots

up. Sends ATR (Answer to reset)ATR negotiations take place

to set up data transfer speeds, capability negotiations etc.Terminal sends first command to select MF

Card responds with an error (because MF selection is only on password presentation)Terminal prompts the user to

provide passwordTerminal sends password for verification

Card verifies P2. Stores a status “P2 Verified”. Responds “OK”Terminal sends command to

select MF again

Terminal sends command to read EF1

Card responds “OK”

specific information in the card is controlled by A) the card’s internal Operating System and

B) The preset permissions set by the card issuer regarding the files conditions. There are

predominately two types of card operating systems. First type of card OS is Classic approach .

The second methodology is the Disk Drive approach

3.6 The Smart Card Security AdvantageSome reasons why smartcards can enhance the security of modern day systems are:

PKI is better than passwords ,

Portability of Keys and Certificates,

Auto-disabling PINs Versus Dictionary Attacks,

Counting the Number of Private Key Usages.

4. The Future : Internet Smart Card Internet smart cards is one of the latest additions to the world of information technology.

Similar in size to today’s plastic payment card, the smart card has a microprocessor or memory

chip embedded in it that, when coupled with a reader, has the processing power to serve many

different applications. This card is connected with Internet protocols & having some IP

Address. It is connected as like a GSM –SIM cards.

4.1 What IP Connectivity MeansFuture smart cards will act as network devices (server or client):

i. Implementation of a TCP/IP stack on the smart card.

ii. Support of network management/configuration

iii. Availability of on-card services via application-level

iv. protocols (at least HTTP)

v. Triggering of different applications via communication channels, allowing concurrent

program execution

4.2 Security Challenges with IP Connectivity i. A simple port scan cannot be misused to analyze the smart card and gain information about

active services and servers on the smart card.

ii. Typical attacks which use buffer overflows in a server to execute malicious code will be

impossible on smart cards.

iii. Unauthorized commands which manipulate input in HTML forms processed by a Common

Gateway Interface (CGI) on the smart card will be impossible.

iv. The network management necessary for organizing the IP connectivity of the smart cards

cannot be used for attacks, as the case in other IT systems.

v. Authentication and encryption is mandatory for safe connections which are resistant against

known attacks (e.g., Man-In-The-Middle prevented from sniffing and spoofing).

vi. Standard security protocols such as SSL/TLS are used in a high-performance

implementation to ensure interoperability to other network devices.

vii. Vendors of smart card operating systems will assure that the wide variety of network

attacks (e.g., spoofing, sniffing, fragmentation attacks, session hijacking, D/DoS, etc.)

cannot be transferred to the future TCP/IP based smart card world.

5. Features of Smart Card

5.1 Advantages

In comparison to it’s predecessor, the magnetic strip card, smart cards have many advantages

including:

i. Life of a smart card is longer

ii. A single smart card can house multiple applications. Just one card can be used as your

license, passport, credit card, ATM card, ID Card, etc.

iii. Smart cards cannot be easily replicated and are, as a general rule much more secure than

magnetic stripe cards

iv. Data on a smart card can be protected against unauthorized viewing. As a result of this

confidential data, PINs and passwords can be stored on a smart card. This means,

merchants do not have to go online every time to authenticate a transaction

v. Chip is tamper-resistant

- information stored on the card can be PIN code and/or read-write protected

- capable of performing encryption

- each smart card has its own, unique serial number

vi. Capable of processing, not just storing information

- Smart cards can communicate with computing devices through a smart card reader

- information and applications on a card can be updated without having to issue new

cards

vii. A smart card carries more information than can be accommodated on a magnetic stripe

card. It can make a decision, as it has relatively powerful processing capabilities that

allow it to do more than a magnetic stripe card (e.g., data encryption).

5.2 Disadvantages

i. Can be lost/stolen

ii. Lack of user mobility – only possible if user has smart card reader every he goes

iii. Working from PC – software based token will be better

iv. No benefits to using a token on multiple PCs to using a smart card

v. Still working on bugs

5.3 Special Features:

Table 4: Some special features

Hardware Software

Closed package decoupling applications and operating system

memory encapsulation application separation (Java card)

Fuses restricted file access

Curity logic (sensors) life cycle control

cryptographic coprocessors and random

generator

various cryptographic algorithms and

protocols

5.4 Applications

People worldwide are now using smart cards for a wide variety of daily tasks, these include:

1. Loyalty And Stored Value: Stored value is more convenient and safer than cash.

2. Security Information And Physical Assets: Smart cards achieve great physical security,

because the card restricts access to all but the authorized user(s).

E-mail and PCs are being locked-down with smart cards.

3. E-Commerce: Smart cards make it easy for consumers to securely store information and

cash for purchasing.

4. Personal Finance: This will improve customer service by availing 24-hour electronic funds

transfers over the Internet. 

Reduction in cost as transaction can be managed electronically saving time and paperwork.

5. Health Care: Smart cards provide secure storage and distribution of everything from

emergency data to benefits status.

6. Telecommuting And Corporate Network Security: Users can be authenticated and

authorized to have access to specific information based on preset privileges.

7. Campus Badging And Access: Identity cards of employees and students can be enhanced to

incorporate identity with access privileges and store value for cafeterias and stores.

8. Retail: Sale of goods using Electronic Purses, Credit / Debit

Vending machines, Loyalty programs, Tags & smart labels

9.Entertainment: Pay-TV & Public event access control & Car Protection

10. Government: Identification ,Passport & Driving license & Copiers

5.6 Smart Card Examples

5.6.1 Travel Card Example

An example of the services that might be included on a multi-function travel card:

Services that are permanently installed in the card by the card issuer might include: Electronic ticketing ,Air miles ,Cash replacement

Services that might be added for a particular trip include: Hotel coupons & Car vouchers

5.6.2 Student Card Example

An example of the services that might be included on a Student card:

Services that are permanently installed in the card by the card issuer might include: School computer access ,Vending machines ,Phone, & Library

Services that might be added on later include: E-mail security & Carpool roster .

Conclusion

Smart cards have proven to be useful for transaction, authorization, and identification media.

They will soon replace all of the things we carry around in our wallets, including credit cards, licenses, cash, and even family photographs.

Smart cards could be used to voluntarily identify attributes of ourselves no matter where we are or to which computer network we are attached.

Smart card technology is emerging, applications are everywhere.

Smart cards enhance service and security.

Perfect security does not exist, even not for smart cards.

Risk analysis is essential.