History of Smart Cards - Computer Engineering - Santa Clara ...

bubblesvoltaireInternet και Εφαρμογές Web

10 Νοε 2013 (πριν από 3 χρόνια και 11 μήνες)

100 εμφανίσεις







Smart Cards


Technology and Application







By


Tina Chhabra

&

Piya (Ray) Chindaphorn



COEN 150

Professor JoAnne Holliday


Santa Clara University

Department of Computer Engineering

May 17, 2004


2

Abstract


A smart card looks like a credit card, but

works very differently. Instead of just
having a magnetic stripe, it contains an embedded microprocessor, which makes them
more secure. Although they are more popular in Europe and Asia, their popularity is
growing rapidly in other areas of the world.


In our paper, we will discuss the history, physical structures, security features,
vulnerabilities, and current and future uses. In addition, a brief description on the
workings along with the overview of the need for developing the smart cards will be
in
cluded.

Introduction

In the early 1950’s, Diner’s Club issued the first all
-
plastic card to be used for
purchases. This synthetic PVC
-
based card produced a more durable card than the
previous conventional paper
-
based cards that it replaced. By the end of

the fifties, two
other corporations joined the movement: American Express and Carte Blanche. Bank of
America issued the first credit card, which later on became VISA. MasterCard was
launched by Interbank not long afterwards. Unfortunately, these cards
were only capable
of showing identification items, such as names, numbers, and some codes, which were
embossed onto the cards. There were no security features built into these cards at all.
Credit card fraud was very unsophisticated.

Eventually, the cost

of fraud and tampering pressured the development of a more
secure card. The magnetic stripe was developed by International Air Transportation
Association (IATA) in the 1970’s. The stripes had a capacity of 210 bits per inch, which
translates to about 80
alphanumeric 7
-
bit characters. Even though the magnetic stripe

3

technology made fraud more challenging, it could still be done. With an appropriate
device, anyone can read, re
-
write, or delete the data on the stripes. Therefore, magnetic
stripe cards wer
e not the most suitable medium for storing sensitive information, and
required an extensive online system for verification and processing.

History of Smart Cards


Two main ideas led to the development of smart cards. The first was by Dr.
Kunitaka Arimura
from Japan who came up with the design of integrating data storage
and arithmetic logic onto a single piece of silicon. He filed the patent for the idea in 1970.
The second design was by German inventors named Jurgen Dethloff and Helmut
Grotrupp. They f
iled the patent in 1968 for the idea of incorporating integrated circuits
(IC) into an identification card.


To help fuel the development, the first computer
-
on
-
a
-
chip was fabricated in 1971
by Intel. As a consequence, in 1974, Roland Moreno, a French i
ndependent inventor,
mounted the chip onto a plastic card and filed a patent for the invention and the device
that reads it. It was later dubbed the “Smart Card.” In the process, Moreno founded the
company Innovatron to set out to sell his ideas. Partly

because of this invention, Moreno
is known as the “Father of Microchip.” Moreno’s main selling idea to the bankers was to
load currency onto the cards to allow the user to spend it with merchants who have the
necessary electronic payment systems.


By 197
7, three commercial manufacturers, Bull CP8, SGS Thomson, and
Schlumberger, began developing the smart card products. In 1979, Schlumberger bought
fifteen percent of Innovatron to start the research and development of the smart card.
Later, that share wa
s increased to thirty
-
four percent. However, in March of 1979,

4

Michel Ugon of Bull Corporation was the first to design the operational microprocessor
card, which was known as the Bull CP8. It holds 1KB of programmable memory, and a
6805 microprocessor co
re produced by Motorola. These were considered to be the first
in intelligent cards. Combining the powers of the microprocessor and the memory, it was
capable of making decisions based on the user’s need to modify, append, retrieve, or
delete the data st
ored. The card was a two
-
chip design in which the memory and the
microprocessor were two separate units, which proved to be an insecure solution. But, it
was not until the technological advances in the 1980’s that allowed the integration of all
the circu
its into one chip. Although, the original card was produced in the US by
Motorola, interests in smart cards for the Americans never took off.



As the rate of fraud and vandalism increased for the coin
-
operated public phones
in Europe in 1983, the telecommunications community demanded a better pay phone
system. The smart card pay phone was chosen. Schlumberger began

installing thousands
of smart card pay phones throughout the continent. By the end of the year, they installed
approximately 160,000 phones. Then, in 1984, one of the largest implementations of the
smart card took place in France. The French banking in
dustry decided to make smart
cards the standard for credit and debit cards. As a result, the Carte Bleue was born


16
million smart cards were produced and put to use. By the following year, France
Telecom put into action seven million smart card
-
based
pay phones. While the use of
smart cards in Europe had already exploded, the first widespread use in the US had just

5

begun. In 1986, 14,000 smart cards were issued to clients of the Bank of Virginia and the
Maryland National Bank. In several other US ci
ties smart card trials were deployed.
However, consumer America was accustomed to magnetic striped cards and was not
ready for the transition. The smart card failed to win consumer confidence. Today’s
widest application of smart cards started in 1995


t
he SIM cards for mobile telephones.



Physical Structures

Categories


There are two main architectures of smart cards, which depend on the type of chip
embedded in the card: integrated circuit (IC) microprocessor cards and integrated circuit
(IC) memory
cards.


Typical components in an IC microprocessor card include a Central Processing
Unit (CPU), Random Access Memory (RAM), Read Only Memory (ROM), and
Electronic Erasable Programmable Read Only Memory (EEPROM). The CPU typically
comes in 8, 16, or 32 bi
t architectures, with an RISC processor running at speeds of 25 to

6

32 MHz. ROM is where the instructions are stored and written during the fabrication
process. These instructions are then used by the Chip Operating System (COS). The
typical ROM size is
about 16KB. RAM is used as the temporary volatile working
memory of the CPU, with sizes of about 512 bytes. EEPROM is used to store data since
it is rewritable, erasable, and non
-
volatile. This permanent storage has sizes from 16KB
to 128KB.


IC micropr
ocessor cards with a full
-
fledged embedded microprocessor can
function as a processor that is capable of executing multiple functions. These functions
include encryption, advanced security mechanism, local data processing, complex
calculations, and other
interactive processes. Only these processor cards are smart
enough to offer the high degree of security needed for currency cards, identification cards,
and sensitive information.


IC memory cards can usually hold up to 16KB of data and have no embedded
C
PU, thus requiring the card reader to process the information. For that reason, they are
much less expensive and much less functional than IC microprocessor cards. They
contain EEPROM and ROM, as well as some security logic. The security logic is used t
o
prevent writing and erasing secured data. In a more complex design, the logic could be
used to restrict the read access. Because of their characteristics, they are most suitable
for fixed operations such as pre
-
paid telephone cards and health insurance

cards. They
are a popular alternative to magnetic
-
stripe cards because of their higher security.

Access Mechanism


There are two communication methods between the media and the reader: contact
and contact
-
less.


7

Contact interface:


The chip and the contac
ts are embedded into the card body as shown in the figure
below. The card’s body size, which is the same as a credit card (85.6 x 54 x 0.76 mm), is
defined in International Standards Organization (ISO) 7816
-
2 along with other
specifications such as module

position and pads.



An insertion into the card reader is required in order to transfer information.
When the contacts on the card come into contact with the sensors of the card reader,
commands from the chip are executed, and information processing sta
rts taking place.
This category of card interface is the more common. A diagram and a table describing
each contact are displayed below.





8


Contact

Desig
nation

Use

C1

Vcc

Power connection through which operating power is
supplied to the microprocessor chip in the card

C2

RST

Reset line through which the IFD can signal to the smart
card's microprocessor chip to initiate its reset sequence of
instructions

C3

CLK

Clock signal line through which a clock signal can be
provided to the microprocessor chip. This line controls the
operation speed and provides a common framework for
data communication between the IFD and the ICC

C4

RFU

Reserved for future use

C5

GND

Ground line providing common electrical ground between
the IFD and the ICC

C6

Vpp

Programming power connection used to program
EEPROM of first generation ICCs.

C7

I/O

Input/output line that provides a half
-
duplex
communication channel between the re
ader and the smart
card

C8

RFU

Reserved for future use



Contact
-
less Interface:


Although the reliability of the contacts have improved dramatically over the years,
contacts are one of the biggest failure points for smart cards. They are usually expose
d to
dirt, wear, and moisture. Contact
-
less cards solve this problem, and also provide
engineers with new and interesting possibilities for various applications. Cards are not

9

required to be inserted into the reader, but need to be put in close proximity

(four to six
inches) for the reader to access the data wirelessly through the antenna inside the card.
The increase in convenience would improve the acceptance of the card.


Since the chip contacts are not embedded on the surface of the cards, there is
m
ore design freedom. In spite of everything, contact
-
less cards are unable to capture the
kind of market that it is capable of. This is due to the high cost of cards. Nonetheless,
this elegant wireless solution has potential down the road.


Hybrid Inter
face:


Hybrid interface is a combination of the two interfaces


contact and contact
-
less.
The card has two separate ICs not connected to each other. Each chip has its own
interface, either contact or contact
-
less. Some are also fitted with the conventi
onal
magnetic stripe, which allow the users to use the card as credit or for debit, but also
capable of providing smart card capabilities. Hybrid cards are typically used for
applications that require a lot of computational power. For example, having one


10

processor performing encryption computations, while the other carries out other types of
computations.


Current uses of smart cards

Some of the
main current uses of smart card technology are employee
identification and authentication, physical security, building security, biometric
information storage, secure access to the Internet, and secure transactions over the
Internet. Smart cards are alread
y being used in many common commercial applications,
such as banking, payments, identification, ticketing and parking or toll collection.
Recently, the information age and the increased popularity of the Internet has presented
many security issues that hav
e developed the need for advanced smart card security
applications, such as secure logon/authentication of users to PC, storage of digital
certificates, passwords, encryption of protected data, wireless communication subscriber
authentication.

Although sma
rt cards are more common in Europe and Asia at the moment, their
popularity is growing worldwide. Banks in Europe and selected places in South Africa
are using the smart card, people in Germany can use the card when they visit their doctor,
people in Swede
n can use their smart cards to vote, and most satellite dishes in the United
States use smart cards. In addition, many cellular phones are now using smart card
technology in their SIM cards.


11

Smart cards can be used in a wide variety of fields because they
can be used with
other technologies to provide authenticated and trusted applications. They can be used to
make identification cards, licenses, and passports more reliable. To prevent illegal
duplication of these items, printed information and photographs
can be digitized and
stored on the card. Only authorized personnel can access this information through access
conditions and passwords. To further ensure security, this can be combined with
biometrics technology so that the biometric information of the sma
rt card owner will be
stored on the card. In this way, biometric scanners will be able to verify the authenticity
of the identification with its owner by comparing the desired body part of the person with
the biometric data stored on the card.

Incorporati
ng a biometric sensor into a smart card reader is a useful way to
combine the two applications in one device. Fingerprint sensors in smart card readers
increase security by matching a biologically inherent attribute from the user with one
corresponding on
the smart card. This procedure is called match on card (MOC).








Future uses of smart cards


Smart card technology is growing rapidly and is being used in more applications.
They are increasingly being used in network computing, especially in Inter
net data

12

exchange and transactions. In the near future, smart cards will be replacing all magnetic
stripes on credit cards. They are increasingly being used for money handling, transfer of
funds, and salary crediting. In the future, smart cards will also r
eplace all magnetic swipe
cards for payphones. This way, call charges are deducted from a prepaid balance
contained in the chip. Similarly, applications requiring coins can be replaced with smart
cards prepaid for by the user. The charges will be taken fro
m the balance on the card until
it reaches zero. Medical care organizations will be using smart card technology in health
cards. It will be used to hold the patient’s medical information, which can be accessed by
doctors. For example, it can contain prescr
iption information that can be looked at by
pharmacists.


Future development of smart card technology will be in the area of contact
-
less
smart cards. Smart cards can be used in security tagging for objects and people. For
example, it can be used to tag p
ersonal property such as jewelry with information about
the user. The cards can also be used as electronic purses so that a user can purchase items
without the need to carry money.

Security mechanisms of smart cards


A smart card and a card accepting devic
e (CAD) communicate using small data
packets called Application Protocol Data Units (APDUs). This communication makes it
difficult for outside sources to attack because it uses a small bit rate (9600 bits per second)
using a serial bi
-
directional transmiss
ion line, the flow of data only travels in one
direction at a time, and the interaction follows a highly complicated protocol.

The smart card and the CAD use a complex protocol to be able to communicate
with one another. The card generates a random number
and sends it to the CAD. The

13

CAD then encrypts this number with a shared encryption key and sends it back to the
smart card. Once it receives the encrypted number, it compares it with the result of its
own encryption. The smart card and the CAD can also es
tablish this communication the
other way around. After this communication is established, each message sent is
confirmed by a message authentication code. This number is calculated from the actual
message, the encryption key, and a randomly generated numbe
r. The most frequently
used encryption techniques are symmetric DES (Date Encryption Standard), 3DES (triple
DES), and public key RSA.

The data on smart cards is structured in a tree hierarchy, similar to how data is
structured in MS
-
DOS. There is one mast
er file which has many elementary and
dedicated files. The headers of each of them contain security features. Moreover, any
application can move through the hierarchy if it has the proper authorization.








Smart cards contain five basic levels of acce
ss privileges to the elementary and
dedicated files. These levels are always, card holder verification 1, card holder
verification 2, administrative, and never.
Always

means that there are no restraints on
access to the files.
Card holder verification 1

in
dicates that access is granted if the proper

14

verification 1 value is given. Similarly,
card holder verification 2

indicates that access is
granted if the proper verification 2 value is given. These are distinct values that
correspond to the two security PI
Ns stored in the card. One of the PINs is a user PIN and
the other is an unblocking PIN.
Administrative

means that the administration has the
authority to decide what restraints will be placed on the files.
Never

means there is no
access to the files.

The

PINs mentioned above are stored in different elementary files. The operating
system determines the number of times an incorrect PIN can be entered successively
before it blocks the card. When the card is blocked, it can only be unblocked using the
unblock
ing PIN pre
-
stored in the smart card. The unblocking PIN can also become
blocked in the same way that the user PIN can be blocked.

Known attacks on smart cards

Although smart cards provide a higher level of security and authentication, their
vulnerabilitie
s are known, as are methodologies to attack their security. Attackers target
the cryptographic algorithms and the access control inside the card. All the critical
information of a smart card is stored in the EEPROM (electrically erasable programmable
read
only memory). Data and passwords stored on a smart card can be modified by
drastically changing the voltage supply. Raising the voltage supply to a level unusual to
the microcontroller clears or erases the security bit stored.

Another known attack is on a
security processor. A voltage drop can remove the
security lock without erasing the secret data sometimes. Dropping the voltage can also be
used in other attacks as well. It can affect the generator that creates the cryptographic
keys and will output a key

of almost all 1’s. As a result of these attacks, some processors

15

contain sensors that sense changes in the surroundings. This technique is not commonly
used because there is voltage flux when power is initially given to the card and it is not
easy to find

the right level to sense the voltage change from an undesired source.

Not only can someone undermine the security of smart cards by trying to attack
the cryptographic algorithms, but one can also physically alter the cards. The chip can be
removed from t
he card by cutting it open and removing the plastic surrounding it.
Techniques have been developed to be able to reverse engineer the chip. Also, there are
methods to be able to observe the operation of the chip to obtain the secrets of how it
operates. Ea
sier said than done, this not possible for the average person to be able to do in
their homes.

Conclusion


Using smart cards is a very clever solution to increasing the security of sensitive
information. Their reliability entirely depends on the small bit

rate, half duplex data flow,
and highly complicated protocol used in the communication between the card and the
reader. Although consumers in the US are too accustomed to the old magnetic cards as
well as its well
-
developed infrastructure, the benefits o
f using smart cards will motivate
the transition to utilizing this more secure technology. However, this transition will have
to be gradual. In addition, a reduction in price for the smart cards and equipment will
greatly increase its acceptance and usag
e. Clearly, as we have shown, the implementation
of smart cards is very broad and the possibilities infinite.


16

References

1.

CHAN, Siu
-
cheung Charles:

http://home.hkstar.com/~alanchan/papers/smartCardSecurity/

2.

Cyber Ads Studio:

http://www.cyberadsstudio.com/
download/CyberAds
-
Presentation
-
Smart%20Cards.pdf

3.

DePaul University:

http://condor.depaul.edu/~elliott/shared/projects
-
archive/DS420Fall99/smartcard/project/SChistory.html

4.

Gemplus Corp Website:

http://www.cs.uku.fi/kurssit/ads/ASC_week1.pdf

5.

GIAC Operations:

http://www.giac.org/practical/mark_trudelle_gsec.doc

6.

How Stuff Works Website:

http://electronics.howstuffworks.com/question332.htm

7.

Jacquinot Consulting, Inc.



CardWerk:

http://www.cardwerk.com/

8.

National Institute of Standards and Technology (NIST):

http:
//smartcard.nist.gov/faq.html

9.

Nemotech Corp. Website:

http://www.getoranged.co.za/sc_history.php

10.

Radserv.org
-

Richard Weaver Jr.:

http://www.radserv.org/it/smartcard/s
-
c
-
history.htm


17

11.

Smart Card Basics:

http://www.smartcardbasics.com/

12.

University of Chicago
Computer Science Department:

http://people.cs.uchicago.edu/~dinoj/smartcard/security.html

13.

University of Texas at Austin Center for Research in Electronic Commerce:

http://cism.bus.utexas.edu/works/articles/smartcardswp.html

14.

University of Wolverhampton:

htt
p://www.scit.wlv.ac.uk/~jphb/cp3349/Hall_Of_Fame/smartcards/smart.html

15.

US General Services Administration:

http://www.gsa.gov/Portal/gsa/ep/channelView.do?pageTypeId=8199&channelPa
ge=%2Fep%2Fchannel%2FgsaOverview.jsp&channelId=
-
13480