Combining Encryption Methods in Multipurpose Smart Card

Maryam Savari
Faculty of Computing and Informatics Multimedia University, (MMU) Cyberjaya, Selangor, Malaysia marirooz@yahoo.com

Mohammad Montazerolzohour
Faculty of Computing and Informatics Multimedia University, (MMU) Cyberjaya, Selangor, Malaysia mason.montazer@gmail.com

Yeoh Eng Thiam

Faculty of Computing and Informatics Multimedia University, (MMU) Cyberjaya, Selangor, Malaysia etyeoh@mmu.edu.my

Abstract Smart cards have many applications such as health, ID verification and access control, electronic purse card, banking card, payphone card, passport card and license card. Since, there are many kinds of smart cards, it is difficult to carry and protect them. Losing one card means losing a lot of important information. So in this paper proposes to combine some important cards such as: health, passport and credit system in one multipurpose smart card and find an encryption method to make it enough secure. It should also be efficient in transferring information. It means, we develop an effective encryption system for these three applications in a multipurpose smart card and we propose an optimized encryption system for the applications. Keywords; RSA; ECC; DES; AES; Encryption; Decryption

released together with recommendation for future work and the conclusion of the paper. II. BACKGROUND A. Overview of Encryption Methods for Smart cards The algorithm used in smart cards is block-oriented which means ciphertex and plaintext can only be processed in packets with fixed lengths (such as 8 bytes with DES) [2]. The old principle known as principle of security by concealment is to prevent attackers from finding out how the system works. This system is used today but the modern cryptography is biased on Kerckhoffs principle. This principle known as Auguste Kerckhoff (18351903), is based on secrecy of key. It means secrecy of key is important not secrecy of algorithm. It is recommended that we dont use one principle only because it is easily to broken in a short time [2, 4]. Cryptographic functions in smart cards consist of huge number of algorithms. It means there are a lot of algorithms to be implemented in smart cards. Algorithms in smart cards are not accessible from outside. On the other hand, card reader or any other device cannot have access to the algorithms inside the smart card and they can communicate with smart cards through interface only. Smart cards used public key, private key and hash function. All types of algorithms used in smart cards are shown in Table 1 [2].
TABLE I. ALGORITHMS IN SMART CARD.

I.

INTRODUCTION

Smart card is also called a cheap card or integrated circuit card. Smart cards are used for data storage, transaction and processing with strong security authentication. Smart cards do not have component such as power resource, display area or keyboard [2]. As mentioned above, smart cards are very useful these days, but there are problems with them. Since, there are many kinds of smart cards, it is difficult to carry many cards and protect them. You may lose, leave or forget one of them and it means that you lose important personal information [18]. Another problem with smart cards is limitation of storage in smart cards. Smart cards need to transfer data in a short time and encrypt them very fast. So, having an efficient encryption system is very important [5, 6]. Therefore, we have decided to design a cryptosystem for multipurpose smart cards. Multipurpose smart card is a smart card with many different applications in one smart card [18]. As everyone knows, carrying and protecting one smart card is easier and more comfortable than carrying two or more smart cards. We choose three most important cards such as health card, credit cards and passport cards to be combined in one smart card. So, in this paper we are going to design an efficient encryption system for a multipurpose smart card. In the first section we explain about the encryption methods in smart cards and an overview on combination algorithm. In the second section current algorithms and methods in the health, passport and credit system are considered. In the third section we explained our methodology and the reason why we have chosen this method. Finally in the last section encryption method which we used in our multipurpose smart card is

Type of algorithm Symmetric cryptography algorithm

Asymmetric cryptography algorithm

Algorithm AES (128 bit, 196 bits, 256 bits) DES (56 bit) T-DES (112 bit) IDEA (128bit) DSA ECDSA (160-256 bit) RSA (1024-2048 bit) HMAC MD5 RIPEMD-160 SHA-1 and SHA-256

Hash function

43

978-1-4673-1677-4

There is a list of standard algorithms which are currently used in smart card: For Private Key (symmetric key) the algorithms are DES (Data Encryption Standard), 3DES, and AES (Advanced Encryption Standard), for Public Key (asymmetric key) the algorithms are RSA (Rivest-ShamirAdleman) and ECC (Elliptic Curve Cryptography), and for hash function the algorithms is SHA (Secure Hash Algorithm). Smart cards also offer a full range of signature functions, which are based on asymmetric cryptographic algorithms. B. Combination Algorithm Method The process for this method is as follows: Encryption process: 1- Data are encrypted with a symmetric algorithm. The result of data encryption is cipher text and a key. 2Key is encrypted with the asymmetric algorithm. 3- Encrypted key and cipher text will be sent for receiver. The exact process is shown in the Figure 1.

In a real transaction between a smart card and terminal, since in the terminals there is not any security module so it is impossible to use symmetric cryptographic algorithms because key cannot keep secret without security modules. Using security modules in terminals have some disadvantages like: Using Security modules in the terminals increase the cost of terminals so it is not cost effective to use them in the terminals. Also, in international transaction it will be very complicated and expensive to manage the key when it operates offline [2]. There are two conditions to catch smart card authentication by the terminal 1used An asymmetric cryptographic algorithms must be

2- EMV uses static unilateral authentication with cardspecific keys [2]. Smart card cannot check authentication of terminal when it is using static unilateral authentication, but it is not essential in the EMV application to check authentication of terminal. In fact, the card only proves a transaction certificate for the terminal. Terminal authenticates transaction only by connecting to the relevant card issuer and finding information of cardholder from there. Finally every transaction will be submitted to the relevant card issuer by an authorized merchant. This way reduces huge amount of fraud because allowed transaction will only be those which are authorized by related card issuer. In the following section, I describe payment process with smart card. The customer submits his card to cashier and cashier inserts it to the card reader. If terminal is available the identity of the cardholder must be verified by a signature. In this case, the associated transaction receipt has a marker that indicates that the card user has been identified in this manner [2]. Apart from signature there is another way to verify user which is by entering four-digit PIN. PIN can be checked online or offline. In online it will be checked by the background system and in offline by smart card. If a PIN is used for identification, the transaction certificate indicates which type of PIN check was performed. The payment process is shown graphically in Figure 3 [2].

Figure 1. Encryption process for combination algorithm.

Decryption process: 1- Decrypt symmetric key with private key of asymmetric algorithm. (for example: decrypt DESs key with ECC private key ) 2- Decrypt the cipher text with symmetric key [20]. The exact process is shown in the Figure 2.

Figure 2. Decryption process for combination algorithm.

III. SMART CARD APPLICATIONS In this section we explain the process of each application in a real smart card. A. Health System In most of health card RSA is used because it is standard but in this paper ECC algorithm is used because it is safer and faster than RSA [6, 9]. All the process in real health system is similar to our system except kind of algorithms. So for prevent of redundancy we explain all the process in the section V. B. Credit System The cryptographic mechanisms used in an application are naturally highly dependent on the associated general requirements. This can be seen especially well in the EMV (Europay, MasterCard, and Visa) application [1, 2].

Figure 3. Payment process of transaction in a smart card in an EMV. [2].

In EMV all processes are in encrypted form. Mother Key and ID will be checked by card issuer for authentication of card and user. In online EMV all transaction will be done only with catching authentication of card issuer. In Figure 4 the summary of encryption and decryption Process is shown.

978-1-4673-1677-4

44

Figure 4. Payment process of transaction in an EMV.

We should mention that there are many types of algorithms and methods for these three applications but we tried to analyse which algorithm is more suitable and efficient for a system which consists of more than one application. In our multipurpose smart card there are four main sections. First section is common information and another three sections are health, credit and passport application. Common information consists of common data among three applications and important information in health system which doctor must access in emergency situation such as blood type, age, emergency contacts and etc. Data in this section are encrypted with ECC algorithm. Based on three applications which exist in this multipurpose smart card (passport system credit system and health system) there are three different levels of security in this smart card. It means we use different types of encryption methods in each system. These depended on level of security needed and amount of data needed to transfer between database and smart card [17]. An arrangement of the algorithm needed in each system is shown in Table 2.
TABLE II. ALGORITHMS USED IN THE MULTIPURPOSE SMART CARD.

C. Passport System International Civil Aviation Organization (ICAO) defined standards for passport in the International Organization for Standardization (ISO). E-passport is smart card with integrated circuit which stores similar information in the paper passport. E-passport is used for authentication of card holder. It includes a digital photograph which is used for biometric comparison. In the international border person authentication is with facial recognition technology from digital photography. This interface is one of the advantages of passport card but passport cards have a problem in reliability and security. There is not any encryption between card reader and e-passport. A. Baith Mohamed, Ayman Abdel-Hamid and Kareem Youssri Mohamed used EPC RFID Tags method to solve this problem and in a few systems TDES is used to solve this problem [10]. Since, there are many threats to catch information and every system will face the risk of threats, system should be protected against attacks. Passport cards have been facing these threats as like as other system. Some threats in passport cards are between smart card and card reader and some of them are between card reader and card issuer or server which will authenticate the information of the card holder. Advanced Encryption Standard (AES) is used to prevent attack in transaction between card reader and server also Chip Authentication and Terminal Authentication are implemented to avoid threats between reader and e-passport. There is no encryption algorithm between passport card and card reader [10, 16]. In Figure 5 the process is demonstrated in a simple way.

Applications Health Credit Passport

Asymmetric Algorithms ECC ECC ECC

Semantic Algorithms DES AES -

Method Combination Combination Point Doubling

For asymmetric algorithms, ECC and RSA algorithms are two possible algorithms. In this project ECC algorithm is chosen because ECC with 160 bit key size Provide equivalent security level with 1024 bit key size in RSA. Therefore ECC uses smaller length key size so ECC algorithm has faster computation than RSA algorithm. Also, ECC algorithm is based on difficult mathematics so it has more complexity and ECC need smaller bandwidth and used lower power. On the other hand, the ECC algorithm is suitable for a device with limited storage such as: PDA (Personal Digital Assistant), pagers, cell phones, and smart cards [3, 8, 11, 13, 22, 23]. Possible symmetric algorithms for smart card are DES, TDES and AES algorithm [2]. For health system and credit system we used a combination algorithm method. The amount of data in health system is huge so using only one asymmetric algorithm takes a lot of time for encryption and decryption. On the other hand, using only one symmetric algorithm is not safe enough since the best method for health system is by using combination algorithm. All data are encrypted with symmetric algorithm at first and the key of symmetric algorithm is encrypted with asymmetric algorithm to make the system faster and safer than using only one algorithm. In this multipurpose smart card DES algorithm is chosen for health system because the amount of data to transfer from smart card to database is huge. TDES and AES are not suitable because they take more time for encryption and decryption process. Since there are high levels of data to transfer between database and smart card DES is the best, because DES is much faster than TDES and

Figure 5. Passport Card system.

IV. METHODOLOGY For safety of data transfer with smart card two features are very important: 1- Safeguarding the data and information. 2- Handling of large amount of data.

978-1-4673-1677-4

45

AES algorithm. Also, the level of security in DES algorithm is enough for a system like health system [19, 20]. In credit system the most important requirement is level of security and algorithm with high level of security is the first priority in credit system. The amount of data which transfer between smart card and database is not high and choosing an algorithm with high level of security is more important than speed. Thus, we can choose a slow algorithm with high level of security. Since, combination algorithm is safer than using only one algorithm and the amount of data in credit system is not huge like health system the best method for credit system is combination of AES (symmetric) and ECC (asymmetric) algorithm. AES algorithm is slower than DES and TDES but it is more complicated and safe. In addition, the amount of data in credit system is not large so using AES algorithm does not reduce efficiency of the system. Information is encrypted with AES algorithm at first and the key of AES algorithm will be encrypted with ECC algorithm [2, 19]. The only algorithm used in passport system is ECC algorithm. In the current passport system there is no security algorithm between smart card and card reader. Since, in this project providing an efficient system is one of the most important requirements we used ECC algorithm between smart card and card reader. ECC algorithm has high level of security and it is faster than RSA algorithm. Since, in the passport card biometric verification is used for authentication of the person and it is contact less card, speed is very important [10, 16]. So, ECC algorithm is the best algorithm for passport system. Table 3 demonstrates requirement in security, speed and level of data in every application. According to this table the reason for using every algorithm is clear.
TABLE III. Requirement Application Health System Credit system Passport System IMPORTANT REQUIREMENT IN IN EACH APPLICATION. Level of speed requirement high middle high Level of speed data huge low middle Level of security middle high middle

Figure 6. Multipurpose smart card system with

Figure 7. Multipurpose smart card with its own applications.

Base on Figure 6 at first user must login or register to the system. After login Common Info page will appear and users can choose applications on this page (it also shown on Figure 7). Each application has its own algorithm for encryption and decryption. Data for each application is shown in Figure 6. For better safety all the data must be saved to database in encrypted form only. So when data arrived from database it must decrypt in the smart card at first then demonstrate for end user. Also, when user completes an application data must encrypt again to be sent to the database. Transferred data in encrypted form reduce risk of hacking of data by middleman. V. PROPOSED ENCRYPTION FOR MULTIPURPOSE SMART CARD In this project three applications are combined namely health, credit and passport system. Encryption method in every system is explained here. We implemented this multipurpose smart card in C# language. A. Health System During transfer of data or information a non-authorized person can read or wiretap information of patients. Use of security algorithms is a safe way to prevent access by unauthorized person. There are many kinds of power algorithms for catching high security, but we used DES (Data Encryption Standard) and ECC. In the health application at

In this smart card there is only one PIN number in the system which is taken in the login. After login common information appears and user can choose one of the applications. User cannot run two applications at the same time. Access to each application is possible only after exiting other applications. It means it is not possible to run more than one application at the same time. This make the system more secure. The system process is shown in the Figure 6 and 7.

978-1-4673-1677-4

46

first, mother key exchange for authentication of health and card reader. It is demonstrated in Figure 8.

Figure 11. Process of alternative in the system by doctor.

Figure 8. Encryption Process between Health Card and Card Reader

The process of transaction will be done in this stage. Finally there is a mention, in principle, any desired cryptographic algorithm can be used, since both the associated data elements and the algorithm itself are unambiguously identified by TLV-coded data structures [2] but it is the proficiency of designer to choose the best algorithms for the system according to requirement of the system. B. Credit System In our system in the first stage public information of card holder and account will be demonstrate but information in this section is not changeable by user. Information release from the database in encrypted form and system decrypt and show them. As we explained before information encrypt with AES algorithm at first and the key of AES algorithm encrypt with ECC algorithm (combination algorithm). The only writable section of credit system is transaction section. When a card holder punches goods the amount of balance will be changed so, new balance must be save in the database. In addition, general information should keep in encrypted form in the database. Therefore, credit system need encryption process for finish its job. The process of encryption is shown in the Figure 12. Rest process is exactly same as real credit system which explained before.

Both patient and doctor must be verified by card. This verification is inside the health card. After verification related session of database is opened according to ID entrance. This stage has high level of integrity.

Figure 9. Verification Process of Patient and Doctor in Health System

In the health system, amount of information is large so it takes a lot of time to encrypt data with asymmetric algorithms. Thus, data will be encrypted with a symmetric algorithm like DES and since, symmetric algorithm are not safe enough we encrypt DES key with an asymmetric algorithm like ECC.
Figure 12. Encryption process in credit system

C. Passport System Passport system use only ECC algorithm for Encryption data. Data are not changeable by user. The process of encryption is shown in the Figure 13. Rest process is exactly same as real passport system which explained before.
Figure 10. Health Card communicates with database.

Doctors can write new prescription for patient. This alteration will be saved in health card or database only with doctor digital signature.
Figure 13. Encryption process in passport card.

978-1-4673-1677-4

47

VI. CONCLUSION Combination algorithms are one of the useful and efficient methods which are suitable for applications with high level of data to transfer. Using multipurpose smart card is much better than carrying different cards. Also, using encryption algorithms in passport card make them more secure. Since, data in health system is huge the best algorithm for health system is combination algorithms of DES and ECC. Finally the best algorithm for a credit card is combination of ECC and AES because it is secure enough for credit system. REFERENCES
D. R. Hankerson, S. A. Vanstone, A. J. Menezes, Guide to Elliptic Curve Cryptography, 2003. [2] W. Rankl, W. Effing, Smart card handbook, 3rd ed., John Wiley and Sons Ltd., Baffins Lane, England: Spring Verlag. [3] W. Rankl, W. Efng, Smart Card Applications, Design Models for using and programming smart cards, 2007. Giesecke & GmbH.Devrient, Munich. x Germany, Translated by Kenneth Cox. [4] J. A .Menezes, C.Paul, V.Oorschot, S. A. Vanstone Handbook of Applied Cryptography, 5the ed., 2001. [5] T. Abdurahmonov, M. H. Helmi, Y. E. Thiam, The Implementation of Elliptic Curve Binary Finite Field for the Global Smart Card, Proceedings of 2010 IEEE Student Conference on Research and Development (SCOReD 2010), 13 - 14 Dec 2010, Putrajaya, Malaysia. 978-1-4244-8648-9/10/ 2010 IEEE, 2010, pp. 169-173. [6] T. Abdurahmonov, Y. E. Thiam, M. H. Helmi, Improving Smart Card Security Using Elliptic Curve Cryptography over Prime Field, 2010. [7] T. Abdurahmonov, M. H. Helmi, Y. E. Thiam, Personal Information Requirements of Global Information System, International Conference on Science and Social Research (CSSR 2010), Kuala Lumpur, Malaysia, 2010, pp. 1197-1202. [8] T. Abdurahmonov, Y. E. Thiam, M. H. Helmi, A Proposed Implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) in Global Smart Cards, ITC 2010 Digital library, 2010. [9] T. Abdurahmonov, Y. E. Thiam, M. H. Helmi, Improving Smart Card Security Using Elliptic Curve Cryptography over Prime Field, IEEE Xplore. January 28, 2011, Pp. 169 173. [10] MSc S.Arora, Information Security-Siddhartha Arora Final, 2007, [Online].Available: http://www.porvoo12.net/MSc_Information_Security.pdf. [1]

[11] C. Sanchez-Avilaf, R. Sanchez-Reillo, The Rijndael Block Cipher (AES Proposal): A Comparison with DES, 0-7803-6636-0/01/ 02001 IEEE, 2001, pp. 229-234. [12] M. S. Anoop, Elliptic Curve Cryptography, [Online]. Available:http://scholar.google.com.my/scholar_url?hl=en&q=http://w ww.infosecwriters.com/text_resources/pdf/Elliptic_Curve_AnnopMS.p df&sa=X&scisig=AAGBfm2g4sjHrmiybRY69w8lIxzfFKRFIA&oi=sc holar. [13] A. Nadeem, Dr M. Younus Javed, A Performance Comparison of Data Encryption Algorithms, 0-7803-9421-6/05/ 2005 IEEE, 2005, pp. 84-89. [14] J. H Han, Y. J. Kim, S. I. Jun, K. I. Chung, H. Chang Seo, Implementation of ECC/ECDSA Cryptography Algorithms Based on Java Card, IC Card OS Research Team, ETRI. 22nd International Conference on Distributed Computing Systems Workshops (ICDCSW02) 0-7695-1588-6/02 .2002 IEEE. [15] A. Kleijhorst, van der Velde.E T, Baljon.M H, Gerritsen.M J G M, Oon.H, Secure and Cost-Effective Exchange of Cardiac Images over the Electronic Highway in the Netherlands, 0276-6547/97 1997 IEEE, 1997, pp. 191-194. [16] A. B. Mohamed, A. A. Hamid, K. Y, Mohamed, Implementation of an Improved Secure System Detection for E-passport by using EPCRFIDTags, 2009 [17] Nyamasvisva, E. Tadiwa, H. Halabi, Multi-level security algorithm for randon ZigBee Wireless Sensor Network, In: 4th International Symposium on Information Technology 2010 (ITSim'10), 15-17 June 2010, KLCC, Kuala Lumpur, 2010, pp. 612-617. [18] S. Omar, H. Djuhari, Multi-purpose student card system using smart card technology. Information technology based higher education and training, ITHET 2004. Proceedings of the Fifth International conference on, 2004, pp. 527-532. . [19] C. Sanchez-Avilaf, R. Sanchez-Reillo, The Rijndael Block Cipher (AES Proposal): A Comparison with DES 0-7803-6636-0/01/ 02001 IEEE, 2011, pp. 229-234. [20] S. Ricardo, M. E. Correia, A. Lus, Securing a health information system with a government issued digital identification card, 978-14244-1817-6/082008 IEEE, 2008, pp. 135-142. [21] O. P. Verma, R. Agarwal, D. Dhiraj, T. Shobha, Performance Analysis of Data Encryption Algorithms, 978-1-4244-8679-3/11/ 2011 IEEE, 2011, pp. 399-403. [22] Y. Wang, L. Douglas Maskell, L. Jussipekka, T. Srikanthan, Unied Signed-Digit Number Adder for RSA and ECC Public-key Cryptosystems, 1-4244-0387-1/06/ 2006 IEEE, 2006, pp. 1655-1658. [23] Z. Peng, J. J. Fang, Comparing and Implementation of Public Key Cryptography Algorithms on Smart Card, C 978-1-4244-7237-6/ 2010 IEEE. V12-508-V12-510.

978-1-4673-1677-4

48