Smart Cards & RFID Name: Yousef  Yahya Foad ajjawi Dr. Lo’ai Tawalbeh
Published in: Technology, Business
Smart Cards

  1. Smart Cards & RFID. Name: Yousef Yahya Foad ajjawi. Dr. Lo’ai Tawalbeh
  2. What is the Smart Card?
     - A smart card is a card that is embedded with either a microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation.
     - Smart Cards example For RFID ISO-Standards
  3. How Does It Work?
     - The smart card is inserted into a Card Acceptor Device (CAD), i.e. a card reader
     - It communicates with the CAD over half-duplex serial lines at a data rate of up to 9600 bits per second
     - Commands follow the standard ISO 7816 specifications
     - The smart card can get information from the host computer, provide identification, do encryption/decryption, etc.
  4. Where Are They Used?
     - All over the place, more so outside the US
     - Medical applications: In Germany 80 million people can use smart cards when they go to the doctor
     - Voting: In Sweden you can vote with your smart card
     - Entertainment: Most DSS dishes in the U.S. have smart cards
     - Telecommunications: Many cellular phones come with smart cards
  5. Smart Card Readers
     - Computer-based readers
     - Connect through USB or COM (serial) ports
     - Dedicated terminals
     - Usually with a small screen, keypad and printer; often also have biometric devices such as a thumbprint scanner
  6. Terminal/PC Card Interaction
     - The terminal/PC sends commands to the card (through the serial line).
     - The card executes the command and sends back the reply.
     - The terminal/PC cannot directly access the memory of the card
         - Data in the card is protected from unauthorized access. This is what makes the card smart.
  7. Fields of Smart Card Usage (1)
     - Health Applications
     - For example, in Germany health insurance companies will issue an electronic health card
     - cards for the health professionals
     - electronic passport (ePass, ICAO specifications)
     - No need to say that BSI is active in this field…
     - eGovernment / eCard
     - Goal: to fit as many applications as possible onto one card in order to avoid multiple cards for every citizen
     - BSI is very active in promoting this concept in Germany
     - Social insurance is also related to this
  8. Fields of Smart Card Usage (2)
     - Digital Signatures
     - As you know, CC evaluation is required here by law in Germany and other countries
     - Digital Tachographs
     - Smart cards will be used in trucks in Europe instead of paper disks in order to store driving times and similar data
     - Access Control in companies and organizations
     - Public Transport
  9. Some developers
     - Hardware vendors: ATMEL, Philips, Renesas (former Hitachi), Infineon (former Siemens), Samsung, ST microelectronics
     - Smart card vendors: Oberthur, Gemplus, AXALTO (former Schlumberger), IBM, Sony, ORGA Card Systems, T-Systems (Telesec), ASK, Giesecke & Devrient, Austria Card, Siemens
     - Other software/application issuers are mainly related to the banking/payment field: Soc. T.Europienne de Monnaie Electronique (a French electronic purse society), Mondex, other banks and credit card companies
  10. Physical Structure & Life Cycle
     - Physical structure specified by ISO Standards 7810 and 7816
     - Printed circuit provides five connection points for power and data
     - Capability of the smart card is defined by its IC chip
         - Microprocessor
         - ROM
         - RAM
         - EEPROM
  11. Life Cycle
     - The OS and the security keys inside each smart card have different visibility rules
     - Hence the life cycle, as the card passes from manufacturer to application provider to user
  12. Massachusetts Bay Transit Authority (MBTA)
     - The MBTA aims to provide a safe, available, and inexpensive service to its customers while respecting its customers' basic rights to privacy.
     - Currently, the MBTA is pursuing a plan of automated fare collection that will entail the use of RFID smartcards.
  13. Smart Cards vs. RFID
     - Contactless Smart Cards
         - Identify people
         - Store information
     - RFID
         - Identify or track objects
  14. RFID Privacy and Smartcard Privacy. RFID = Radio Frequency Identification
     - Transponder (RFID tag, RFID label)
     - Antenna
     - Integration in information systems (i.e. server, services, back office… Example: inventory control system)
  15. RFID and Identity
     - RFID has 3 identity types
     - ID linked to Person:
         - direct identification: personal data on chip (biometrics)
         - personal data in database (employee badge)
     - ID linked to Service:
         - In combination with person ID (banking, season cards)
         - Anonymous (one-time public transportation paper tickets)
     - ID linked to Object / Product:
         - product information in database (retail products, library books)
         - direct identification (car keys)
     - Combining Object/Product ID with an individual is an additional step, covered by existing privacy principles
  16. Privacy-enhancing solutions for RFID (PETs)
     - System solutions
         - Encryption
         - Tag/Reader Authentication
         - Range reduction
         - Antenna size/design
     - Consumer-in-Control Solutions
         - “Kill-switch”
         - Removable tags
         - Blocker tags
         - Shielding
         - User interface (NFC device)
  17. Security Evaluation
     - Users (e.g. banks) want high security assurance for smart cards.
     - Standard security evaluation procedure:
         - Common Criteria evaluation: EAL 4 or EAL 5
         - Evaluation is very expensive
  18. Determining Privacy Risk
     - When Privacy Risk is:
         - High: use smart cards + PETs
         - Medium: use smart cards, smart tag + PETs
         - Low: use smart tag (PETs optional)
  19. Ways of protecting privacy
     - “Privacy by Design” (technological)
         - examples: encryption, kill command, read range
         - main actors: technology providers, standardization bodies
         - influencing factors: cost, usability
         - public policy: R&D funding, launching customer
     - “Privacy by Design” (organizational)
         - examples: system design, business model
         - main actors: system integrators, end-users (business)
         - influencing factors: business opportunities, customer trust
         - public policy: privacy principles, guidelines, best practices
     - Rule-based protection
         - examples: self-regulation, law
         - main actors: government, business, stakeholders
         - influencing factors: administrative burdens (cost), market development
         - public policy: compliance verification (“Trust but Verify”)
  20. Contactless Smart Cards and Privacy
     - Data security
         - Personal data (may be) stored in chip’s memory
         - Password protection
         - Mutual authentication of chip and reader
         - Advanced encryption (3DES, AES, PKI)
         - Extremely short operating range: < 10 cm
         - Advanced system design and sensor technology to prevent tampering
     - Multi-application smart cards
         - Several applications on a single card
         - Exclusivity: clear separation of applications and data (as if different cards were used)
     - Back office and system design
         - Full application of current privacy and data protection laws
  21. Contactless Card
  22. RFID/EPC tags and privacy
     - ICC Principles of Fair RFID/EPC use
         - RFID use should be legal, honest, decent
             - No personal data stored in RFID tag
         - Consumer information and choice
             - Labeling
             - How to remove / disable tags
         - Privacy statement including RFID/EPC use
             - What data is collected via RFID
             - Purposes of collection/use
             - Data disclosures (if any)
         - Data security
         - Individual’s right of access to data in RFID-enabled IT system
  23. Recommendations
     - Do not legislate RFID technology, but only its applications and use
         - Address privacy risks of the entire system
         - Current OECD Privacy Principles already apply to system design, applications, and data collection and management
     - Use Privacy-Enhancing Technologies only where relevant
         - Stimulate R&D, standardization and use/acceptance of PETs
     - RFID is the enabling technology!
  24. Sample Applications of RFID Systems
     - Logistics Chains
     - Enterprise Resource Planning Systems
     - Inventory Control
     - Some Benefits
         - reducing the sources of errors (for instance, reduction of inventory inaccuracies)
         - minimizing out-of-stocks
         - reduction of labor costs
         - simplification of business processes
  25. RFID: Areas of Applications
     - From a cross-industry viewpoint, the following areas of applications can be distinguished:
         - identification of objects
         - document authentication
         - maintenance and repair, recall campaigns
         - theft protection and stop-loss strategies
         - access authorization and routing control
         - environmental monitoring and sensor technology
         - supply chain management: automation, process control and optimization
     - Also: Convenience Tools, Magic, New Learning Tools, New Dimension of Gaming
  26. RFID: Basic Services
     - Identification
         - Example: Which bag is it?
     - Localization (to a certain extent)
         - Example: Where is the bag? => Hint: Location of the reader (active RFIDs: GPS receiver)
     - Capturing State
         - Example: monitor the temperature of perishable goods
     - Mapping into Information Systems
         - Examples: Automatic Stocktaking, Customer Relationship Management
  27. RFID: Technology and Standards
     - (A) Active vs. Passive
     - (B) “Smart” vs. “Dumb”
     - (C) Near Field vs. Far Field
     - (D) Closed Systems vs. Open Systems
  28. Passive
     - no internal power supply
     - antenna induces minute electrical current
     - durable
     - Need an external antenna which is 80 times bigger than the chip in the best version thus far
     - Typical: tags embedded in labels
  29. Active
     - Own internal power source
     - Transmit at higher power levels than passive tags
     - (Re-)writable
     - (Larger) memory (for example 1 MB)
     - Communication ranges of 100 meters or more
     - Example: Monitoring the security of ocean containers or trailers stored in a yard or terminal
  30. “Smart” vs. “Dumb”
     - Smart:
         - Microprocessor and Smart Card OS (up to Dual-Interface Cards with Crypto Co-Processor)
     - vs.
     - Dumb:
         - Always the same ID number or State Machine
  31. Closed Systems vs. Open Systems
     - Closed Systems:
         - One application case
         - Optimized and reduced functionality
         - No need for interoperability and compatibility
         - Example: proprietary RFID-enhanced library
     - Open Systems:
         - Each antenna can read each tag
         - Internet of Things/Objects
         - Simple Components and Protocols
         - Interoperability and Compatibility important
         - Example: Electronic Product Code (EPCglobal)
  32. RFID: Some Properties
     - Radio: no intervisibility, often contactless
         - => no choice to prevent reading event, no consent
     - Fixed address (EPC: unique worldwide)
         - => Recognition and intersection attack
     - Embedded, potentially invisible
         - => no choice to decline
     - RFIDs are resource-weak (in general)
         - => well-known and standard PETs not applicable
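
The command/reply exchange from slides 3 and 6, as an added example that is not part of the original slides: a simulated card parses ISO 7816-4 style command APDUs and enforces its own access rule, so the terminal gets file data only after a successful VERIFY. The PIN, file contents, retry limit and the names `SimulatedCard` and `parse_command` are constructed for illustration; the instruction bytes and status words are those of ISO/IEC 7816-4.

```python
import hmac

# Status words and instruction bytes as defined in ISO/IEC 7816-4.
SW_OK, SW_WRONG_LENGTH = 0x9000, 0x6700
SW_SECURITY_NOT_SATISFIED, SW_AUTH_BLOCKED = 0x6982, 0x6983
SW_INS_NOT_SUPPORTED = 0x6D00
INS_VERIFY, INS_READ_BINARY = 0x20, 0xB0


def parse_command(apdu: bytes):
    """Split a short command APDU into (ins, p1, p2, data, le)."""
    if len(apdu) < 4:
        raise ValueError("need at least CLA INS P1 P2")
    _cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if len(body) <= 1:                       # case 1 (header) or case 2 (+Le)
        return ins, p1, p2, b"", (body[0] or 256) if body else None
    lc = body[0]
    if len(body) == 1 + lc:                  # case 3: Lc + data
        return ins, p1, p2, body[1:], None
    if len(body) == 2 + lc:                  # case 4: Lc + data + Le
        return ins, p1, p2, body[1:1 + lc], body[-1] or 256
    raise ValueError("Lc does not match body length")


class SimulatedCard:
    """Card-side state; the terminal only sees what transmit() returns."""

    def __init__(self, pin: bytes, file_data: bytes, max_tries: int = 3):
        self._pin, self._file, self._max = pin, file_data, max_tries
        self._tries_left, self._verified = max_tries, False

    def transmit(self, apdu: bytes) -> bytes:
        try:
            ins, p1, p2, data, le = parse_command(apdu)
        except ValueError:
            return SW_WRONG_LENGTH.to_bytes(2, "big")
        if ins == INS_VERIFY:
            return self._verify(data).to_bytes(2, "big")
        if ins == INS_READ_BINARY:
            if not self._verified:           # access rule enforced on the card
                return SW_SECURITY_NOT_SATISFIED.to_bytes(2, "big")
            offset = (p1 << 8) | p2          # assumes P1 bit 8 is 0 (plain offset)
            chunk = self._file[offset:offset + (le or 256)]
            return chunk + SW_OK.to_bytes(2, "big")
        return SW_INS_NOT_SUPPORTED.to_bytes(2, "big")

    def _verify(self, candidate: bytes) -> int:
        if self._tries_left == 0:            # retry counter exhausted
            return SW_AUTH_BLOCKED
        if hmac.compare_digest(candidate, self._pin):
            self._tries_left, self._verified = self._max, True
            return SW_OK
        self._tries_left -= 1
        self._verified = False
        return 0x63C0 | self._tries_left     # 63Cx: x tries remaining
```

The retry counter lives on the card, so a terminal cannot reset it by reconnecting; after the last failed attempt every further VERIFY is answered with 6983.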