
BIRLA INSTITUTE OF TECHNOLOGY

MESRA, RANCHI

JAIPUR

REPORT ON

“SMART CARDS”

PROJECT GUIDE: VIVEK GAUR

SUBMITTED BY: AASTHA MAHESHWARI
4BE/4055/07
BE(VIII)-CSE

CONTENTS

• INTRODUCTION
• WHAT IS A SMART CARD?
• WHY USE A SMART CARD?
• COMPONENTS OF A SMART CARD
• DATA STORAGE
• HOW A SMART CARD WORKS?
• TYPES OF A SMART CARD
• CONTACT SMART CARDS
• MEMORY CARDS
• CPU/MPU MICROPROCESSOR MULTIFUNCTION UNITS
• CONTACTLESS SMART CARDS
• DUAL INTERFACE CARDS
• SMART CARD READERS
• COMMUNICATION MECHANISM
• SMART CARD OPERATING SYSTEMS
• SMART CARD SECURITY
• APPLICATIONS
• CONCLUSION
• REFERENCES

INTRODUCTION
The Internet's impact upon society, everyday life, and work is often compared to
that of the telephone at the beginning of the 20th century. In much the same way
that business people and their customers started using the telephone to conduct business
and deal with day-to-day issues back then, we are now switching from the telephone to
the Internet. The more we rely on Internet technology - such as World Wide Web
(WWW), electronic mail, and Internet telephony - the more dependent we are on having
some means of making our communications secure and authenticated. At the same time,
mobility is gaining in importance. General network-centric applications - where resources
are located throughout the Internet and access to them is possible from any location -
require authenticated access and secured transactions. We hence need technology that
will provide security without limiting mobility.

Smart cards represent an ideal solution: They are small and easy to carry around,
yet have enough processing power and data storage to store user profiles, encrypt and
decrypt data, and support electronic commerce applications.

The machine intelligence, i.e. the 'smarts', of a smart card gives users the power to
encrypt sensitive information and conduct transactions securely and privately. Unlike a
credit card, where having the number is important, if you don't have a user's physical
smart card, you don't have his data. In short, the smart card is not only an electronic
record, it is a private and personal computer.

WHAT IS A SMART CARD?


A Smart Card is a plastic card the size of a credit card with an integrated circuit built
into it. This integrated circuit may consist only of EEPROM in the case of a memory
card, or it may also contain ROM, RAM and even a CPU.

Most smart cards have been designed with the look and feel of a credit or debit card,
but can function on at least three levels (credit - debit - personal information). Smart
cards include a microchip as the central processing unit, random access memory (RAM)
and data storage of around 10MB. Smart cards contain an operating system just like
personal computers. Smart cards can store and process information and are fully
interactive. Advanced smart cards also contain a file structure with secret keys and
encryption algorithms. Because the file system is encrypted, data can be stored in separate
files with full security.

A "smart card" is also characterized as follows:


• Dimensions are normally credit card size. The ID-1 format of the ISO 7810 standard defines
them as 85.60 × 53.98 mm. Another popular size is ID-000, which is 25 × 15 mm.
Both are 0.76 mm thick.

• Contains a security system - tamper-resistant properties (e.g. a secure crypto-
processor, secure file system, human-readable features) and is capable of
providing security services (e.g. confidentiality of information in the memory).
• Is an asset managed by way of a central administration system which interchanges
information and configuration settings with the card through the security system.
The latter includes card hotlisting and updates for application data.
• Card data is transferred to the central administration system through card reading
devices, such as ticket readers, ATMs etc.

Smart cards are secure, compact and intelligent data carriers. Smart cards should
be regarded as specialized computers capable of processing, storing and safeguarding
thousands of bytes of data. Smart cards have electrical contacts and a thin metallic plate
just above center line on one side of the card. Beneath this dime-sized plate is an
integrated circuit (IC) chip containing a central processing unit (CPU), random access
memory (RAM) and non-volatile data storage. Data stored in the smart card's microchip
can be accessed only through the chip operating system (COS), providing a high level of
data security. This security takes the form of passwords allowing a user to access parts of
the IC chip's memory or encryption/decryption measures which translate the bytes stored
in memory into useful information.

CAPACITY

Smart cards typically hold 2,000 to 8,000 electronic bytes of data (the equivalent of
several pages of data). Because those bytes can be electronically coded, the effective
storage capacity of each card is significantly increased. Magnetic-stripe cards, such as
those issued by banks and credit card companies, lack the security of microchips but
remain inexpensive due to their status as a single-purpose card. Smart cards can be a
carrier of multiple records for multiple purposes. Once those purposes are maximized, the
smart card is often viewed as superior and, ultimately, less expensive. The distributed
processing possible with smart cards reduces the need for ever-larger mainframe
computers and the expense of local and long-distance phone circuits required to maintain
an on-line connection to a central computer.

WHY USE A SMART CARD?
Smart cards
• Greatly improve convenience and security of transactions.
• Provide tamper-proof storage of user data and account identity.
• Are more reliable than a magnetic stripe card.
• Currently can store a hundred times more information than a magnetic stripe card.
• Are more difficult to tamper with than mag stripes.
• Provide vital components of system security for the exchange of data
through any type of network.
• Can be disposable or reusable.
• Can perform multiple functions in a wide range of industries.
• Are compatible with portable electronic devices such as phones, personal digital
assistants (PDAs), and PCs.
• Are constantly evolving (after all, they incorporate a computer chip).

COMPONENTS OF A SMART CARD

Vcc is the supply voltage that drives the chip and is generally 5 volts. Vss is the substrate
or ground reference voltage against which the Vcc potential is measured.

Reset is the signal line that is used to initiate the state of the integrated circuit after power
on.

The clock signal is used to drive the logic of the IC and is also used as the reference for
the serial communications link.

Typical configurations of smart cards are

• 256 bytes to 4 KB RAM.
• 8 KB to 32 KB ROM.
• 1 KB to 32 KB EEPROM.
• Crypto-coprocessors (implementing 3DES, RSA, etc., in hardware) are optional.
• 8-bit to 16-bit CPU. 8051-based designs are common.

The data stored in the smart card can be accessed only through the chip operating system (COS),
providing a high level of security.

DATA STORAGE
Data is stored in the EEPROM of the smart card. It is organized into a tree structure
in the OS of the card. The tree has one MF (master file or root file), which contains several
dedicated files (DF) and several elementary files (EF). MFs and DFs correspond to
directories and EFs to files, analogous to the hierarchy in any common PC OS.
However, the two hierarchies differ in that DFs can also contain data. The headers of MFs,
DFs and EFs contain security attributes resembling the user rights associated with a
file/directory in a common OS. Any application can traverse the file tree, but it can only
move to a node if it has the appropriate access right.

File naming and selection:


Each file has a 2-byte file ID and an optional 5-bit SFID (both unique within a DF).
DFs may optionally have a (globally unique) 16-byte name. The OS keeps track of a current DF,
which can be changed using a select file command. The target file is specified as one of: DF
name, file ID, SFID, relative or absolute path (sequence of file IDs), or parent DF.

File related commands:


There are commands for file creation and deletion; a file's size and security
attributes are specified at the time of its creation. There are also commands for reading,
writing, updating, appending records, etc. Commands work on the current EF. However,
a command is executed only if the security conditions are met. Each file has a
life cycle status indicator (LCSI), one of: created, initialized, activated, deactivated and
terminated.

Access control on the file:


Applications may specify access controls, for example the SIM password in
mobile phones. Multiple passwords can be used and levels of security access may be given.
Cryptographic authentication may also be used for specific high-security applications.
PINs are allotted for access control. The OS blocks the card after a wrong PIN is entered
several consecutive times. Once blocked, the card can be unblocked only with the unblocking PIN.
If the PIN is blocked, the attribute of every file related to the PIN is changed. After the
unblocking PIN is keyed in, all the attributes are restored.
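The file tree, security attributes and PIN blocking described in this section can be modelled in a few lines. The sketch below is an added example, not code from the report or from any card OS; the class names, the retry limit of 3, the file IDs and the PIN values are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

ALWAYS, PIN, NEVER = "ALWAYS", "PIN", "NEVER"   # simplified access conditions


@dataclass
class EF:                       # elementary file: data plus header attributes
    data: bytes
    read: str = PIN
    update: str = NEVER


@dataclass
class DF:                       # dedicated file: directory of file ID -> DF/EF
    children: dict = field(default_factory=dict)


class CardOS:
    MAX_TRIES = 3               # assumption: the text only says "several"

    def __init__(self, mf: DF, pin: bytes, unblock_pin: bytes):
        self.mf, self.current = mf, mf
        self._pin, self._unblock_pin = pin, unblock_pin
        self.tries_left = self.MAX_TRIES
        self.verified = False

    def select(self, path):
        """Select by absolute path: a sequence of 2-byte file IDs below the MF."""
        node = self.mf
        for fid in path:
            if not isinstance(node, DF) or fid not in node.children:
                raise FileNotFoundError(f"{fid:04X}")
            node = node.children[fid]
        self.current = node

    def verify(self, pin: bytes) -> bool:
        if self.tries_left == 0:                    # blocked: do not even compare
            return False
        self.verified = hmac.compare_digest(pin, self._pin)
        self.tries_left = self.MAX_TRIES if self.verified else self.tries_left - 1
        return self.verified

    def unblock(self, unblock_pin: bytes, new_pin: bytes) -> bool:
        # A production design would also limit attempts on the unblocking PIN.
        if not hmac.compare_digest(unblock_pin, self._unblock_pin):
            return False
        self._pin, self.tries_left, self.verified = new_pin, self.MAX_TRIES, False
        return True

    def _allowed(self, condition: str) -> bool:
        if condition == PIN:                        # PIN-bound files lock with the PIN
            return self.verified and self.tries_left > 0
        return condition == ALWAYS

    def read(self) -> bytes:
        if not isinstance(self.current, EF):
            raise IsADirectoryError("current file is not an EF")
        if not self._allowed(self.current.read):
            raise PermissionError("security condition not satisfied")
        return self.current.data


def demo_card() -> CardOS:
    # Constructed sample tree: MF -> DF 7F10 -> EF 6F3A (PIN), MF -> EF 2F00 (free).
    mf = DF({0x7F10: DF({0x6F3A: EF(b"contacts")}),
             0x2F00: EF(b"card-id", read=ALWAYS)})
    return CardOS(mf, pin=b"1234", unblock_pin=b"87654321")
```

Once the retry counter reaches zero, even the correct PIN is refused until `unblock` succeeds, which is the behaviour the paragraph above attributes to the card OS.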

HOW A SMART CARD WORKS?

Block diagram showing working of a Smart Card

TYPES OF SMART CARDS
Smart cards are defined according to

1). How the card data is read and written,

2). The type of chip implanted within the card and its capabilities.

CONTACT SMART CARDS

Contact smart cards are the size of a conventional credit or debit card. They contain
a single, embedded, integrated circuit chip that contains either just memory or memory
plus a microprocessor. Memory-only chips are functionally similar to a small floppy disk.
They are less expensive than microprocessor chips, but they also offer less security. They
should not be used to store sensitive or valuable information.

Contact smart cards must be inserted into a card acceptor device. Pins attached to
this reader make "contact" with pads on the surface of the card to read and store the
information contained in the card's chip. This type of e-card is used to assist with network
security, vending, meal plans, loyalty programs, electronic cash transfers, government
IDs, campus IDs, e-commerce, health cards, and many more applications.

MEMORY CARDS
Memory Cards are electronic data storage devices, but have no processor on the card with
which to manipulate that data. Memory cards are popular as high-security alternatives to
magnetic stripe cards.

Memory cards have no sophisticated processing power and cannot manage files
dynamically. All memory cards communicate to readers through synchronous protocols. In all
memory cards you read and write to a fixed address on the card. There are three primary types of
memory cards: 1). Straight, 2). Protected, and 3). Stored Value.

1. Straight Memory Cards

These cards just store data and have no data processing capabilities. They have the lowest
cost per bit for user memory. They should be regarded as floppy disks of varying sizes without
the lock mechanism. These cards cannot identify themselves to the reader, so the host system has
to know what type of card is being inserted into a reader. These cards are easily duplicated and
cannot be tracked by on-card identifiers.

2. Protected / Segmented Memory Cards

These cards have built-in logic to control the access to the memory of the card. Sometimes
referred to as Intelligent Memory cards, these devices can be set to write protect some or all of
the memory array. Some of these cards can be configured to restrict access to both reading and
writing. This is usually done through a password or system key. Segmented memory cards can
be divided into logical sections for planned multi-functionality. These cards are not easily
duplicated but can possibly be impersonated by hackers. They typically can be tracked by an on-
card identifier.

3. Stored Value Memory Cards

These cards are designed for the specific purpose of storing value or tokens. The cards are
either disposable or rechargeable. Most cards of this type incorporate permanent security
measures at the point of manufacture. These measures can include password keys and logic that
are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set-up
as decrements or counters. There is little or no memory left for any other function. For simple
applications such as a telephone card the chip has 60 or 12 memory cells, one for each telephone
unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are
used, the card becomes useless and is thrown away. This process can be reversed in the case of
rechargeable cards.

CPU/MPU MICROPROCESSOR MULTIFUNCTION CARDS

These cards have on-card dynamic data processing capabilities. Multifunction smart cards
allocate card memory into independent sections or files assigned to a specific function or
application. Within the card is a microprocessor or microcontroller chip that manages this
memory allocation and file access. This type of chip is similar to those found inside all personal
computers and when implanted in a smart card, manages data in organized file structures, via a
card operating system (COS). Specifically, the technology enables secure identification of users
and permits information updates without replacement of the installed base of cards, simplifying
program changes and reducing costs. For the card user, multifunction means greater convenience
and security, and ultimately, consolidation of multiple cards down to a select few that serve
many purposes. There are many configurations of chips in this category including chips that
support cryptographic PKI functions with on board math co-processors or Java virtual machine
hardware blocks.

CONTACTLESS SMART CARD

A contactless smart card includes an embedded smart card secure microcontroller or
equivalent intelligence, internal memory and a small antenna to communicate with a reader
through a contactless radio frequency (RF) interface. Contactless smart card technology is used
in applications that need to protect personal information and/or deliver fast, secure transactions,
such as transit fare payment cards, government and corporate identification cards, documents
such as electronic passports and visas, and financial payment cards. A contactless card requires
only close proximity to a reader. Both the reader and the card have antennae, and the two
communicate using Radio Frequencies (RF) over this contactless link. The range is typically
one-half to three inches for non-battery-powered cards, as used in Delhi Metro for a recent
application. These cards function with a limited memory and communicate at 125 MHz.

Drawbacks: Contactless card drawbacks include the limits of cryptographic functions and
user memory versus microprocessor cards and the limited distance between card and reader
required for operation.

DUAL INTERFACE CARDS

A dual-interface card provides both the contact and the contactless interface on one single
card. It has one smart IC chip embedded in the card that can be accessed through either
contact pads or an embedded antenna.

A popular use of the dual-interface card is the mass transit application, where a contact-type
acceptor is used to place a cash value in the chip's memory and the contactless interface is
used to deduct a fare from the card.

SMART CARD READERS
Smart cards are portable data cards that must communicate with another device to gain
access to a display device or a network. Cards can be plugged into a reader, commonly referred
to as a card terminal, or they can operate using radio frequencies (RF). Smart card readers are a
fundamental part of the smart card technology jigsaw. They are essentially the ‘front end’ of
every smart card transaction that takes place. Smart card readers are also known as card
programmers (because they can write to a card), card terminals, card acceptance devices (CAD)
or interface devices (IFD).

Card contact type refers to how the contact between a card reader
and a smart card is physically made. There are two primary types of contact: landing contact and
friction contact (also known as sliding or wiping). For card readers featuring friction contact, the
contact part is fixed. The contact wipes on the card surface and the chip when a card is inserted.
For card readers featuring the landing type, the contact part is movable. The contact "lands" on
the chip after a card is wholly inserted. In general, card readers of the landing type provide better
protection to the card than the friction type.

To process a smart card the computer has to be equipped with a smart card reader
possessing the following mandatory features:

• Smart Card Interface Standard - ISO 7816 is an international standard that describes the
interface requirements for contact-type smart cards. These standards have multiple parts.
• Driver

COMMUNICATION MECHANISM

The mechanisms of communication between smart card and reader are standardized by the ISO
7816 standard. Commands are initiated by the terminal or PC. They are interpreted by the OS of
the card, which updates the card state and responds accordingly. A smart card and a card accepting
device (CAD) communicate by means of small data packets called APDUs (Application
Protocol Data Units). The following command structure is followed by all smart cards:

CLA | INS | P1 | P2 | Lc | data bytes 1 … Lc | Le

Where,

CLA → class of command
INS → instruction of command
P1 → P1 parameter
P2 → P2 parameter
Lc → number of data bytes that follow (the actual bytes 1 … Lc)
Le → expected reply bytes

SMART CARD OPERATING SYSTEMS
The two primary types of smart card operating systems are:

1). Fixed File Structure

2). Dynamic Application System.

As with card types, selection of a card OS depends on the application the card is
developed for. The other defining difference is in the Encryption Capabilities of the OS and the
Chip.

1). Fixed File Structure

This type treats the card as a secure computing and storage device. Files and permissions are
set in advance by the issuer. These specific parameters are ideal and economical for a fixed type
of card structure and functions that will not change in the near future. An example of this kind of
card is a low-cost employee multi-function badge.

2). Dynamic Application System

This type of operating system, which includes the MULTOS and JAVA card varieties,
enables developers to build, test, and deploy different applications securely. Because the OS and
applications are more separate, updates can easily and repeatedly be made. An example card is a
SIM card for mobile GSM where updates and security are downloaded to the phone and
dynamically changed.

JAVA CARD
JavaCard is a multi-application smart card operating system which provides an API with
a set of standard classes through which common java applets can be loaded and executed on the
smart card. Java's portability allows smart cards to become a general-purpose computing
platform while creating a potentially huge market for application software and development.

SMART CARD SECURITY
The self-containment of smart cards makes them resistant to hacker attacks, as they do not
need to depend on potentially vulnerable external resources. The password provides protection to
the card holder. Entity authentication is ensured through cryptography, and personal
identification through biometric information. A combination of these can be used to increase the level
of security.

Technology and security are strongly related. Hackers find sophisticated ways to get at
secure data on cards. Manufacturers counter the hacker attempts with more secure locks and keys
on the cards. This forms an endless improvement loop, with both sides driving each other to
invent better technology.

Security of the following four different aspects needs to be taken care of:
communication, hardware, operating system and software.

COMMUNICATION SECURITY:
The card accepting device (CAD) and the smart card communicate with each other through
small data packets. The low bit rate (9600 bits per second), half-duplex mode and use of a properly
designed protocol make the communication channel difficult to attack. Cryptographic
verification is used by each side to identify the other. The CAD sends a random number to the card to be
hashed or encrypted using a key. The card returns the encrypted number to the CAD, which compares it
with its own encryption to know that the card is authentic. The card also needs to verify the CAD, and this
process is performed in reverse, primarily for entity authentication. The most common
encryption methods used for secure communication between card and CAD are symmetric DES
(Data Encryption Standard), 3DES (triple DES) and public-key RSA (the Rivest-Shamir-Adleman
algorithm). Biometric techniques are also used for identification of the card holder. Features of
fingerprints can be kept on the card and verified to further enhance the security mechanism.
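The random-number exchange described above, run in both directions, looks like this in code. This is an added example, not code from the report: it uses HMAC-SHA-256 as the keyed hash in place of the DES/3DES encryption the text names, and the `Party` class, role labels and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def response(key: bytes, role: bytes, challenge: bytes) -> bytes:
    # Keyed hash of the challenge. The responder's role is mixed in so that an
    # answer produced by one side is never valid as the other side's answer.
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class Party:
    def __init__(self, role: bytes, key: bytes):
        self.role, self.key = role, key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)     # fresh random number per run
        return self._pending

    def answer(self, challenge: bytes) -> bytes:
        return response(self.key, self.role, challenge)

    def check(self, peer_role: bytes, answer: bytes) -> bool:
        pending, self._pending = self._pending, None    # a challenge is single-use
        if pending is None:
            return False
        expected = response(self.key, peer_role, pending)
        return hmac.compare_digest(answer, expected)    # constant-time comparison


def mutual_authenticate(cad: Party, card: Party) -> bool:
    c1 = cad.new_challenge()                 # CAD -> card: random number
    if not cad.check(card.role, card.answer(c1)):
        return False                         # card did not prove knowledge of the key
    c2 = card.new_challenge()                # the same exchange in reverse
    return card.check(cad.role, cad.answer(c2))


if __name__ == "__main__":
    shared = secrets.token_bytes(32)         # constructed key, for the demo only
    print(mutual_authenticate(Party(b"CAD", shared), Party(b"CARD", shared)))
```

Because each challenge is random and consumed on first use, a recorded answer from an earlier session does not verify against a later challenge.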

HARDWARE SECURITY:
All data and passwords are stored in the EEPROM and can be erased or modified by
an unusual supply voltage. The lock on the EEPROM can also be removed by heating or exposure
to ultraviolet light. Various technologies make the cards safer, but attackers
then develop other methods to defeat them. Possible responses to an attack include interrupts and
program resets.

OS SECURITY:
It is ensured through access control with password and encryption.

SOFTWARE SECURITY:
Software security is provided by the software producers with properly encrypted data and
transfers. For this purpose, hardware and OS based instructions and libraries supporting
advanced cryptographic algorithms have been developed.

SECURITY MECHANISM
PASSWORD VERIFICATION:
In this scheme, the terminal asks the user to provide a password. The password is sent to the card for
verification. The drawback is that this scheme can be used for user authentication, but not
for person identification.

CRYPTOGRAPHIC VERIFICATION:
Primarily used for Entity Authentication.

BIOMETRIC TECHNIQUES:
In an ID system that combines smart card and biometric technologies to verify the identity of
individuals, a “live” biometric image (e.g. a scan of a fingerprint or hand geometry) is
captured at the point of interaction and compared to a stored biometric image that was captured
when the individual enrolled in the ID system. Smart cards provide the secure, convenient and
cost-effective ID technology that stores the enrolled biometric template and compares it to the
“live” biometric template.

APPLICATIONS

FINANCE
Smart cards are used for electronic purse payment applications. In this application, the
smart card carries a stored monetary value. Cardholders generally use these cards to replace cash
in making frequent, low-value transactions.

Contactless Payment
Introduction of contactless credit and debit cards has focused on markets that have lower
value transactions, where consumers use cash for payment, and where transaction speed and
consumer convenience are critical. Some contactless payment issuers are: American Express,
Atmel, IBM, Infineon Technologies, MasterCard Worldwide, Sun Microsystems, Texas
Instruments, Visa USA.

GOVERNMENT:
• Electronic Benefits Transfer using smart cards to carry Food Stamp and WIC food
benefits in lieu of paper coupons and vouchers.
• Agricultural producer smart marketing card to track quotas.

TRANSPORTATION

Driver's License
A driving license in the form of a smart card containing a memory chip prevents vehicle owners
from giving false addresses and resorting to forgery of documents. It contains the details of
fitness, pollution and insurance documents besides the personal details of the owner. Gujarat was the
first state in India to implement the smart card license system, in 1999.

Mass Transit Fare Collection System


Transit agencies have made significant investments in contactless smart card based
Automatic Fare Collection (AFC) systems. These new systems, which incorporate the latest
developments in Information Technology (IT), use the contactless smart card as the primary fare
medium. The fare collection system currently operational in Delhi Metro is a perfect example of
this.

E-Passport
E-passport is another major application area. It contains an embedded contactless smart
card chip. The chip is used to store biographic data on the passport; once unlocked the data can
be displayed on a screen at passport control. The new technology enhances the security of the
passport and facilitates the movements of travelers at ports of entry.

HEALTHCARE
Imagine this: every patient comes to the doctor with a relatively complete medical
profile and insurance information. The physician would immediately be able to see what
diseases, allergies and drug sensitivities had been diagnosed and what drugs the patient had been
taking.

IDENTITY
An all-purpose student ID card can contain a variety of applications such as an electronic purse
(for vending machines and laundry machines), library card, and meal card. In addition, public
corporations (including Microsoft and Sun Microsystems) use smart employee ID cards to secure
access to physical facilities and computer systems and networks.

TELECOMMUNICATION
Smart cards are used extensively in the telecommunications industry worldwide.

GSM PHONES
According to the GSM Association, there were over 2.27 billion GSM subscribers
worldwide as of the first quarter of 2007. GSM mobile phones include a smart card, the SIM, which
is configured with information essential to authenticating mobile phones, thus allowing a phone
to receive service whenever the phone is within coverage of a suitable network. The smart card is
used to secure initiation of calls and identification of caller (for billing purposes) on any Global
System for Mobile Communications (GSM) phone.

MOBILE PAYMENT
Mobile phone users are already familiar with using their phones to pay for products such
as games, ring tones and other digital contents.

CONCLUSION
From a technological perspective, trends include improved memory, more sophisticated
applications, and integration with traditional information systems. Network Programs anticipates
a significant enhancement in the technology leading to more diverse and robust solutions, plus
higher volumes which can reduce the cost of deploying these systems.

Usage of 20 billion Smart Secure devices has been forecasted by 2020. People worldwide
can use smart cards for a variety of daily applications such as access to a place like libraries and
buying groceries. A typical day in 2020 will see smart objects being used by consumers and
citizens to access and enjoy personalized educational and entertainment experiences, for civil
and online identification purposes, to protect and monitor their health against unexpected threats,
for access, for transit, for payments, for faster and more convenient shopping experiences and
much more.


