This seminar introduces some basic concepts of smart cards. The physical and logical
structure of the smart card and the corresponding security access control are discussed.
It is believed that smart cards offer more security and confidentiality than other kinds
of information or transaction storage. Moreover, applications built on smart card
technologies are illustrated, which demonstrate that the smart card is one of the best
solutions for providing and enhancing the security and integrity of a system. The seminar
also covers the contactless type of smart card briefly. Different kinds of schemes for
organising and accessing multiple-application smart cards are discussed. The first and
second schemes are practical and workable today, and there are real applications developed
using those models. For the third one, multiple independent applications on a single card,
there is still a long way to go before it becomes feasible, for several reasons.
At the end of the paper, an overview of attack techniques against the smart card is
discussed as well. The existence of those attacks does not mean that the smart card is
insecure. It is important to realise that attacks against any secure system are nothing
new or unique. Any system or technology claiming to be 100% secure is irresponsible. The
main consideration in determining whether a system is secure or not is whether its level
of security meets the requirements of the system.
Table of contents
Sl No Contents
1 Introduction
2 Physical Structure and Life Cycle
3
4
5
6
7
8
9
10
1. Introduction
The smart card is one of the latest additions to the world of information technology. Similar in
size to today's plastic payment card, the smart card has a microprocessor or memory chip
embedded in it that, when coupled with a reader, has the processing power to serve many
different applications. As an access-control device, a smart card makes personal and business
data available only to the appropriate users. Another application gives users the ability to
make a purchase or exchange value. Smart cards provide data portability, security and
convenience. Smart cards come in two varieties: memory and microprocessor. Memory cards
simply store data and can be viewed as a small floppy disk with optional security. A
microprocessor card, on the other hand, can add, delete and manipulate information in its
on-card memory. Like a miniature computer, a microprocessor card has an input/output
port, an operating system and storage (its equivalent of a hard disk) with built-in security
features. On a fundamental level, microprocessor cards are similar to desktop computers. They
have operating systems, they store data and applications, they compute and process information
and they can be protected with sophisticated security tools. The self-containment of the smart
card makes it resistant to attack, as it does not need to depend on potentially vulnerable
external resources. Because of this characteristic, smart cards are often used in applications
that require strong security protection and authentication.
For example, a smart card can act as an identification card, which is used to prove the identity
of the card holder. It can also be a medical card, which stores the medical history of a person.
Furthermore, the smart card can be used as a credit/debit bank card which allows off-line
transactions. All of these applications require sensitive data to be stored on the card, such as
biometric information about the card owner, personal medical history, and cryptographic keys for
authentication.
In the near future, the traditional magnetic stripe card will be replaced, with its functions
integrated into a single card, by the multi-application smart card, which is known as an
electronic purse or wallet in the smart card industry. The smart card is becoming more and more
significant and will play an important role in our daily life. It will be used to carry more
sensitive and critical data about consumers than ever before.
5. Procedural Protection
After an overview of the physical and logical protection provided by the smart card, it is time
to look at how the smart card can be used to protect and secure systems in real life.
Because of the on-board computing power of the smart card, off-line transactions and
verifications are possible. For instance, a smart card and a card acceptor device (CAD) can
identify each other by using mutual active authentication. Moreover, data and code stored on
the card are encrypted by the chip manufacturer using computational scrambling encryption,
which makes the circuit chip almost impossible to forge. All of these features, together with
the protected access control, were discussed in the previous section.
Today, smart cards are used in many different areas because they can be combined with other
technologies, such as asymmetric cryptographic algorithms and biometric identification, to
provide highly assured and trusted applications. This section discusses three particular areas
that demonstrate how different systems can make use of the smart card to enhance their
security.
5.1 Identification of Documents
Traditional document-based identification, such as identification cards, licences,
passports/visas and so on, is generally considered unreliable. All of them are easy to forge and
copy. Particularly with today's technologies, high-quality colour photocopiers, printers and
scanners are easily accessed and owned; as a result, high-quality fraudulent documents can be
produced easily. This makes the inspection of documents more and more difficult.
The smart card is probably the best solution to this problem. Printed information and
photographs can be digitised and stored on the card. By setting access conditions and a
password on files, only authorised persons or authorities, such as government departments, are
allowed to access the information. Moreover, together with biometric technology, biometric
information about the card holder can be placed on the card, so that the smart card can
cooperate with a biometric scanner to identify or verify whether the card is owned by the card
holder. This significantly improves the reliability of the document the smart card carries.
The operating procedures could be similar to those of the traditional paper-based
identification system. However, instead of the documents being verified by observation by an
inspection officer, a card acceptor device is used. The device, which contains the authorised
code and PIN, can unlock the file and retrieve the owner's information for verification. When
biometrics is used, the user can be authenticated by placing the required part of his/her body
on a biometric reader; the data collected by the reader is then compared with the data on the
card.
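The file access conditions, PIN check and on-card biometric comparison described above, as an added simulation that is not code from the seminar and does not model any particular card operating system. The file names, the PIN, the retry limit, the salted PBKDF2 storage of the PIN, the template bytes and the Hamming-distance threshold are all constructed assumptions for the demo; the point shown is that the holder record opens only after a correct PIN, the PIN blocks after repeated failures, and the biometric template is compared on the card and never read out.

```python
"""Simulated identity smart card: file access conditions, PIN retry counter and
on-card biometric match. Added example, not code from the seminar; file names,
PIN, template bytes and the match threshold are constructed."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac


class Access(Enum):
    ALWAYS = "always"  # readable by any card acceptor device
    PIN = "pin"        # readable only after a successful PIN verification
    NEVER = "never"    # never readable over the interface (keys, templates)


@dataclass
class CardFile:
    data: bytes
    read_access: Access


class AccessDenied(Exception):
    """Raised when an access condition is not satisfied."""


@dataclass
class IdentityCard:
    pin_hash: bytes
    salt: bytes
    files: dict = field(default_factory=dict)
    max_tries: int = 3      # the card blocks the PIN after this many wrong guesses
    tries_left: int = 3
    pin_verified: bool = False

    @staticmethod
    def hash_pin(pin: str, salt: bytes) -> bytes:
        # Assumption: the PIN is kept as a salted PBKDF2 hash rather than in clear.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            raise AccessDenied("PIN blocked: retry counter exhausted")
        ok = hmac.compare_digest(self.hash_pin(pin, self.salt), self.pin_hash)
        self.pin_verified = ok
        self.tries_left = self.max_tries if ok else self.tries_left - 1
        return ok

    def read(self, name: str) -> bytes:
        f = self.files[name]
        if f.read_access is Access.ALWAYS:
            return f.data
        if f.read_access is Access.PIN and self.pin_verified:
            return f.data
        raise AccessDenied(f"read of {name!r} not permitted")

    def biometric_match(self, sample: bytes, threshold: int = 4) -> bool:
        """Compare a reader sample with the stored template on the card itself,
        so the template is never exported (its file is Access.NEVER)."""
        template = self.files["biometric_template"].data
        if len(sample) != len(template):
            return False
        distance = sum(bin(a ^ b).count("1") for a, b in zip(template, sample))
        return distance <= threshold


def make_demo_card() -> IdentityCard:
    """Constructed sample card: photo public, holder record PIN-protected."""
    salt = b"demo-salt"
    card = IdentityCard(pin_hash=IdentityCard.hash_pin("1234", salt), salt=salt)
    card.files = {
        "photo": CardFile(b"JPEG...", Access.ALWAYS),
        "holder_record": CardFile(b"name=A. Holder;licence=B", Access.PIN),
        "biometric_template": CardFile(bytes(range(16)), Access.NEVER),
    }
    return card


def inspect(card: IdentityCard, pin: str, sample: bytes) -> dict:
    """What a card acceptor device would do at an inspection point."""
    result = {"pin_ok": card.verify_pin(pin), "record": None}
    if result["pin_ok"]:
        result["record"] = card.read("holder_record")
    result["biometric_ok"] = card.biometric_match(sample)
    return result
```

A wrong-length or badly mismatched sample fails the match, and a blocked card refuses even the correct PIN, which is why real deployments pair the retry counter with an unblock procedure held by the issuer rather than the inspection device.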
Nowadays, many organisations and governments in different countries are already researching
this issue. For example, many airlines intend to develop electronic tickets using smart cards
that co-operate with the baggage handling systems of some airports. The smart card typically
stores the passenger's flight details such as name, seat number, flight number, baggage details
and so on. This helps to verify that the correct passenger has checked in and to identify the
owner of lost or unclaimed baggage. More importantly, the system may help to identify criminals
and terrorists.
In summary, it is anticipated that using the smart card as an identification document will be
the future trend, replacing traditional paper-based certificates. The information stored on the
card about the owner will increase and become more and more sensitive. Therefore, the current
access control system based on PIN presentation may not be secure enough. It is suggested that
the card operating system may have to co-operate with some kind of authentication algorithm to
protect all the files or even the whole system.
5.2 Authentication in Kerberos
In an open distributed computing environment (DCE), a workstation cannot be trusted to identify
its users, because the workstation may not be located in a well-controlled environment and may
be far away from the central server. A user may be an intruder who tries to attack the system
or pretends to be someone else in order to extract information from the system that he/she is
not entitled to. To protect a system from attack by remote network hosts, some kind of
authentication must be taken into account.
Kerberos is one of the systems that provides trusted third-party authentication services to
authenticate users in a distributed network environment. Basically, when a user or client
requests access to a particular service from a server, he/she first has to obtain a ticket, or
credential, from the Kerberos authentication server (AS). The user then presents that credential
to the ticket granting server (TGS) and obtains a service ticket. Finally, the user requests the
service by submitting the service ticket to the desired server. Figure 3 shows this
authentication protocol.
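The three exchanges just described (AS, TGS, and the final service request), as an added runnable walk-through that is not code from the seminar or from any Kerberos implementation. The `seal`/`open_` pair is a toy encrypt-then-MAC construction standing in for a Kerberos encryption type, `user_key` stands in for string2key, and the realm name, principals (`alice`, `krbtgt`, `fileserver`), passwords and key table are constructed for the demo. The client-side key derivation is the step at which a card could hold the user's long-term secret; here it is password-derived so the example runs offline.

```python
"""Toy Kerberos AS / TGS / AP exchanges. Added example, not from the seminar;
seal/open_ is a toy encrypt-then-MAC stand-in for a Kerberos encryption type
and all principals, passwords and keys are constructed."""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumption)
CLOCK_SKEW = 300      # authenticator freshness window in seconds


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a JSON message: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key or a tampered ticket fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: bytes) -> bytes:
    # Stand-in for Kerberos string2key; the password itself never crosses the network.
    return hashlib.pbkdf2_hmac("sha256", password, b"REALM.EXAMPLE", 10_000)


KDC_KEYS = {  # constructed key database shared by the AS and the TGS
    "alice": user_key(b"correct horse"),
    "krbtgt": hashlib.sha256(b"demo-tgs-key").digest(),
    "fileserver": hashlib.sha256(b"demo-fileserver-key").digest(),
}


def authenticator(session_key: bytes, client: str) -> bytes:
    """Proves the sender holds the session key inside the ticket it presents."""
    return seal(session_key, {"client": client, "ts": time.time()})


def check_ticket(key: bytes, ticket: bytes, auth: bytes) -> dict:
    """Shared by the TGS and the application server: open the ticket with the
    server's own key, then verify the authenticator under the enclosed session key."""
    t = open_(key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = open_(bytes.fromhex(t["sk"]), auth)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected")
    return t


def as_exchange(client: str):
    """AS reply: session key sealed under the user's key, plus the TGT sealed
    under the TGS key (the client cannot read or alter the TGT)."""
    sk = os.urandom(32).hex()
    tgt = seal(KDC_KEYS["krbtgt"], {"client": client, "sk": sk,
                                     "expires": time.time() + LIFETIME})
    return seal(KDC_KEYS[client], {"sk": sk}), tgt


def tgs_exchange(tgt: bytes, auth: bytes, service: str):
    """TGS reply: service session key sealed under the TGT session key, plus
    the service ticket sealed under the service's key."""
    t = check_ticket(KDC_KEYS["krbtgt"], tgt, auth)
    sk2 = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[service], {"client": t["client"], "sk": sk2,
                                       "expires": time.time() + LIFETIME})
    return seal(bytes.fromhex(t["sk"]), {"sk": sk2, "service": service}), ticket


def ap_exchange(service: str, ticket: bytes, auth: bytes) -> str:
    """Application server: returns the authenticated client principal."""
    return check_ticket(KDC_KEYS[service], ticket, auth)["client"]


def run_protocol(client="alice", password=b"correct horse", service="fileserver") -> str:
    """Client side of all three exchanges; raises ValueError on a wrong password."""
    enc, tgt = as_exchange(client)
    sk = bytes.fromhex(open_(user_key(password), enc)["sk"])   # only the real user can open this
    enc2, ticket = tgs_exchange(tgt, authenticator(sk, client), service)
    sk2 = bytes.fromhex(open_(sk, enc2)["sk"])
    return ap_exchange(service, ticket, authenticator(sk2, client))
```

Two properties worth noticing when running it: a wrong password fails at the very first `open_` on the client, so the AS never learns whether the password was right, and a ticket captured on the wire is useless on its own because the authenticator must be sealed under the session key that only the legitimate client could extract.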
Smart cards have two different types of interface: contact and contactless. Contact smart cards
are inserted into a smart card reader, making physical contact with the reader. Contactless
smart cards, by contrast, have an antenna embedded inside the card that enables communication
with the reader without physical contact. Recently, card manufacturers have developed "combi"
cards, which offer the functionality of both contact and contactless technology. A combi card
combines the two features with a very high level of security.
Contactless smart cards offer advantages to both the organization issuing the card and the
cardholder. The issuing organization can support multiple applications on a single card,
consolidating an appropriate mix of technologies and supporting a variety of security policies for
different situations. Applications such as logical access to computer networks, electronic
payment, electronic ticketing and transit can be combined with physical access to offer a multi-
application and multi-technology ID credential. The issuer can also record and update
appropriate privileges from a single central location. The organization as a whole incurs lower
maintenance costs over the system life, due to the elimination of mechanical components and
reader resistance to vandalism and harsh environmental conditions. With hybrid and dual-
interface cards, issuers can also implement systems that benefit from multiple card technologies.
6.1 Contactless Technologies Support Physical Access Control Applications
There are three primary contactless technologies considered for physical access control
applications: 125 kHz, ISO/IEC 14443, and ISO/IEC 15693. 125 kHz read-only technology is used by
the majority of today's RFID access control systems and is based on de facto industry standards
rather than international standards. 125 kHz technology allows a secure, uniquely coded number
to be transmitted and processed by a back-end system. The back-end system then determines the
rights and privileges associated with that card. Cards that comply with the ISO/IEC 14443 and
ISO/IEC 15693 standards are intelligent read/write devices capable of storing different kinds of
data and operating at different ranges. Standards-based contactless smart cards can authenticate
a person's identity, determine the appropriate level of access, and admit the cardholder to a
facility, all from data stored on the card. These cards can include additional authentication
factors (such as biometric templates or PINs) and other card technologies, including a contact
smart card chip, to satisfy the requirements of legacy applications or applications for which a
different technology is more appropriate.
Contactless smart card technologies offer security professionals features that can enhance
systems designed to control physical or logical access (i.e., access to networks or other online
resources). Contactless cards differ from traditional contact smart cards by not requiring physical
connectivity to the card reader. The card is simply presented in close enough proximity to the
reader and uses radio frequencies (RF) to exchange information. The use of contactless
technologies is particularly attractive for secure physical access, where the ID credential and
reader must work in harsh operating conditions, with a high volume of use or with a high degree
of user convenience. For example, consider the use of a contactless card to control access to
public transportation. The card can be presented to the reader without having to be removed from
a wallet or purse. The fare is automatically deducted from the card and access is granted. Adding
funds through appropriate machines at transit centers or banks then refreshes the card. The
process is simple, safe, and accurate.
6.2 Types of Contactless Cards
There are three types of contactless credentials (cards or tokens):
• Memory
• Wired logic
• Microcontroller (MCU)
Memory cards use a chip or other electronic device to store authentication information. In their
most secure form, memory cards store a unique serial number and include the ability to
permanently lock sections of memory or allow write access only through password-protected
mechanisms. Other than these basic mechanisms, memory cards employ no additional security to
protect their contents. System-level methods can be used to encrypt and decrypt the information
stored on the card.
Wired logic cards have a special purpose electronic circuit designed on the chip and use a fixed
method to authenticate themselves to readers, verify that readers are trusted, and encrypt
communications. Wired logic cards lack the ability to be modified after manufacturing or
programming.
MCU cards implement authentication/encryption methods in software or firmware. Contactless
smart cards with an embedded MCU have more sophisticated security capabilities, such as the
ability to perform their own on-card security functions (e.g., encryption, hardware and software-
based tamper resistance features to protect card contents, biometric verification and digital
signatures) and interact intelligently with the card reader. Contactless MCU cards also have
greater memory capability and run card operating systems (for example, JavaCard or MULTOS).
Both hybrid and dual-interface contactless cards are becoming available. On a hybrid card,
multiple independent technologies share the common plastic card body but do not communicate
or interact with each other. For example, one card could carry a magnetic stripe, bar code, 125
kHz technology, picture ID, contact smart card module and either ISO/IEC 14443 or ISO/IEC
15693 contactless smart card technology. The advantage of a hybrid card is that existing installed
systems can be supported, while new features and functionality can also be offered through smart
card technologies. A dual-interface card includes a single chip with both contact and contactless
capabilities. Contact and contactless technologies can therefore be implemented on one card,
each addressing the application requirements most suited to its capabilities and sharing the same
data.
Hybrid and dual-interface technologies are complementary and, with thoughtful implementation,
transparent to the end user. With current technologies, security system designers can implement
an architecture that includes multiple ID credential technologies. This creates a significant
opportunity for more efficient credential management, improved user convenience, and easier
administration of multiple security policies and procedures. Through the use of the appropriate
card technology, cryptography, and digital signatures, logical access control can be incorporated
into networks and databases. And because the credential is a plastic card, it also supports the use
of pictures, logos, visual inspection information, holograms, digital watermarks, microprinting,
and other security markings to deter counterfeiting and impersonation. A single card is also more
efficient for the user, simplifying coordination for changes, reducing memorization for
complicated passwords or personal identification numbers (PINs), and decreasing the time for
authentication.
6.3 Benefits of Contactless Smart Card Technology
Contactless smart card technology is ideal for physical access control applications. Because ID
credentials and readers are typically exposed to the elements and have high usage, sealed
contactless technology prevents damage when cards and readers are exposed to dirt, water, cold,
and other harsh environmental conditions. With no mechanical reader heads or moving parts,
maintenance costs are minimized. Finally, with read ranges that can extend to many inches,
contactless technology offers the user the convenience of “hands free” access. The key benefits
of using contactless smart card technology for physical access are summarized below.
• High speed of access and high throughput
• Useable in harsh or dirty environments
• User friendly
– Less intrusive
– Does not require insertion of the card into the reader
– No issues with orientation of the card
– May be kept in wallet or purse for personal security during use
• Same high level of security as contact smart cards (e.g., digital signatures)
• Protected storage of data on the card
• Flexibility to incorporate multiple applications with different modes
– Contactless only card
– Dual interface contact/contactless card
– Hybrid card that includes 125 kHz technology, 13.56 MHz technology, magnetic stripe,
barcode, hologram, photo, and other card security features.
– Dual interface contact/contactless card that includes 13.56 MHz technology, magnetic stripe,
barcode, hologram, photo, and other card security features
• Reduced maintenance costs for card readers (as compared to magnetic stripe and contact card
readers)
• Reduced vandalism of readers
• More durable and reliable cards (no external parts that can wear out or be contaminated)
• Well-suited to accommodate local security staffing, training and implementation
• Established international standards (ISO/IEC)
10. Conclusion
It is believed that smart cards offer more security and confidentiality than other kinds of
information or transaction storage. Moreover, the applications built on smart card technologies
illustrated here demonstrate that the smart card is one of the best solutions for providing and
enhancing the security and integrity of a system.
Finally, it is concluded that the smart card is an intrinsically secure device. It is a safe place
to store valuable information such as private keys, account numbers, and valuable personal data
such as biometric information. The smart card is also a secure place to perform off-line
processes such as public or private key encryption and decryption. The smart card can be an
element of the solution to a security problem in the modern world.