• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Smart Cards

Smart Cards






Total Views
Views on SlideShare
Embed Views



1 Embed 1

http://www.slideshare.net 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Smart Cards Smart Cards Presentation Transcript

    • Smart Cards & RFID Name: Yousef Yahya Foad ajjawi Dr. Lo’ai Tawalbeh
    • What is the Smart Card?
      • A smart card is a card that is embedded with either a microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation .
      • Smart Cards example For RFID ISO-Standards
    • How Does It Work?
      • Smart Card inserted into Card Acceptor Device (CAD), card reader
      • Communicated with CAD through half duplex serial lines with a data rate of up to 9600 bits per second
      • Commands follow standard ISO 7816 specifications
      • Smart Card can get information from host computer, provide identification, do encryptions/decryption , etc.
    • Where Are They Used?
      • All over the place, more so outside the US
      • Medical applications: In Germany 80 million people can use smart cards when they go to the doctor
      • Voting: In Sweden you can vote with your smart card
      • Entertainment: Most DSS dishes in the U.S. have smart cards
      • Telecommunications: Many cellular phones come with smart cards
    • Smart Card Readers
      • Computer based readers
      • Connect through USB or COM (Serial) ports
      • Dedicated terminals
      • Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.
    • Terminal/PC Card Interaction
      • The terminal/PC sends commands to the card (through the serial line).
      • The card executes the command and sends back the reply.
      • The terminal/PC cannot directly access memory of the card
        • data in the card is protected from unauthorized access. This is what makes the card smart.
    • Fields of Smart Card Usage (1)
      • Health Applications
      • For example in Germany health insurance companies will issue an electronic health card
      • cards for the health professionals
      • electronic passport (ePass, ICAO-specifications)
      • No need to say that BSI is active in this field…
      • eGovernment / eCard
      • Goal: to fit as many applications as possible onto one card in order to avoid multiple cards for every citizen
      • BSI is very active to promote this concept in Germany
      • Social insurance also related to this
    • Fields of Smart Card Usage (2)
      • Digital Signatures
      • As you know CC evaluation is required here by law in Germany and other countries
      • Digital Tachographs
      • Smart cards will be used in trucks in Europe instead of paper disks in order to store driving times and similar data
      • Access Control in companies and organizations
      • Public Transport
    • Some developers
      • Hardware-Vendors : ATMEL, Philips, Renesas (former Hitachi), Infineon (former Siemens), Samsung, ST microelectronics
      • Smart-Card-Vendors : Oberthur, Gemplus, AXALTO (former Schlumberger), IBM, Sony, ORGA Card Systems, T-Systems (Telesec), ASK, Gieseke & Devrient, Austria Card, Siemens
      • Other software/application issuers are mainly related to the banking/payment field: Soc. T.Europienne de Monnaie Electronique (a French electronic purse society), Mondex, other banks and credit card companies
    • Physical Structure & Life Cycle
      • Physical structure specified by ISO Standard 7810, 7816
      • Printed circuit provides five connection points for power and data
      • Capability of Smart Card defined by IC chip
      • – Microprocessor
      • – ROM
      • – RAM
      • – EEPROM
    • Life Cycle
      • OS and security keys inside each smart card which have different visibility rules
      • Hence life cycle as card passes from manufacturer to application provider to user
    • Massachusetts Bay Transit Authority (MBTA) .
      • The MBTA aims to provide a safe, available, and inexpensive service to its customers while respecting its customers' basic rights to privacy.
      • Currently, the MBTA is pursuing a plan of automated fare collection that will entail the use of RFID smartcards.
    • Smart Cards vs. RFID
      • Contactless Smart Cards
      • Identify people
      • Store information
      • RFID
      • Identify or track objects
    • RFID Privacy and Smartcard Privacy RFID = Radio Frequency Identification
      • Transponder (RFID-Tag, RFID-Label)
      • Antenna
      • Integration in Information Systems (i.e. Server, Services, Back Office …Example: inventory control system)
    • RFID and Identity
      • RFID has 3 identity types
      • – ID linked to Person:
      • direct identification: personal data on chip (biometrics)
      • personal data in database (employee badge)
      • – ID linked to Service:
      • In combination with person ID (banking, season cards)
      • Anonymous (one time public transportation paper tickets)
      • – ID linked to Object / Product:
      • product information in database (retail products, library books)
      • direct identification (car keys)
      • Combining Object/Product ID with Individual is additional step, covered by existing privacy principles
    • Privacy-enhancing solutions for RFID (PETs)
      • System-solutions
      • Encryption
      • Tag/Reader Authentication
      • Range reduction
      • Antenna size/design
      • Consumer-in-Control Solutions
      • “ Kill-switch”
      • Removable tags
      • Blocker tags
      • Shielding
      • User interface (NFC-device)
      • Security Evaluation
      • Users (e.g. Banks) want high security assurance
      • for smart cards.
      • Standard security evaluation procedure:
      • – Common Criteria evaluation: EAL 4 or EAL 5
      • – Evaluation is very expensive
    • Determining Privacy Risk
      • When Privacy Risk is:
      • – High: use smart cards + PETs
      • – Medium: use smart cards, smart tag + PETs
      • – Low: use smart tag (PETs optional)
    • Ways of protecting privacy
      • • “ Privacy by Design” (technological)
      • – examples: encryption, kill command, read range
      • – main actors: technology providers, standardization bodies
      • – influencing factors: cost, usability
      • – public policy: R&D-funding, Launching customer
      • • “ Privacy by Design” (organizational)
      • – examples: system design, business model
      • – main actors: system integrators, end-users (business)
      • – influencing factors: business opportunities, customer trust
      • – public policy: privacy principles, guidelines, best-practices
      • • Rule-based protection
      • – examples: self-regulation, law
      • – main actors: government, business, stakeholders
      • – influencing factors: administrative burdens (cost), market development
      • – public policy: compliance verification (“ Trust but Verify”)
    • Contactless Smart Cards and Privacy
      • Data security
      • – Personal data (may be) stored in chip’s memory
      • – Password protection
      • – Mutual authentication chip and reader
      • – Advanced encryption (3DES, AES, PKI)
      • – Extremely short operating range: < 10 cm
      • – Advanced system design and sensor technology to prevent tempering
      • Multi-application smart cards
      • – Several applications on a single card
      • – Exclusivity Clear separation of applications and data (as if different cards were used)
      • Back office and system design
      • – Full application of current privacy and data protection laws
    • Contactless Card
    • RFID/EPC tags and privacy
      • ICC Principles of Fair RFID/EPC use
      • – RFID-use should be legal, honest, decent
      • • No personal data stored in RFID-tag
      • – Consumer information and choice
      • • Labeling
      • • How to remove / disable tags
      • – Privacy statement including RFID/EPC use
      • • What data is collected via RFID
      • • Purposes of collection/use
      • • Data disclosures (if any)
      • – Data security
      • – Individual’s right of access to data in RFID-enabled IT-system
    • Recommendations
      • • Do not legislate RFID-technology, but only its applications and use
      • – Address privacy risks of the entire system
      • – Current OECD Privacy Principles already apply to system design, applications and data collection and –management
      • • Use Privacy-Enhancing Technologies only where relevant
      • – Stimulate R&D, standardization and use/acceptance of PETs
      • RFID is the enabling technology !
    • Sample Applications of RFID Systems
      • Logistics Chains
      • Enterprise Resource Planning Systems
      • Inventory Control
      • Some Benefits
      • reducing the sources of errors(for instance reduction of inventory inaccuracies)
      • minimizing out of stocks
      • reduction of labor costs
      • simplification of business processes
    • RFID -Areas of Applications
      • From a cross-industry viewpoint, the following areas of applications can be distinguished:
      • identification of objects
      • document authentication
      • maintenance and repair, recall campaigns
      • theft-protection and stop-loss strategies
      • access authorization and routing control
      • environmental monitoring and sensor technology
      • supply chain management: automation, process control and optimization
      • Also : Convenience Tools, Magic, New Learning Tools, New Dimension of Gaming
    • RFID –Basic Services
      • Identification
      • Example: Which bag is it?
      • Localization (to a certain extent)
      • Example: Where is the bag? => Hint: Location of the reader (active RFIDs: GPS receiver)
      • Capturing State
      • Example: monitor the temperature of perishable goods
      • Mapping into Information Systems
      • Examples: Automatic Stocktaking, Customer Relationship Management
    • RFID: Technology and Standards
      • (A) Active vs. Passive
      • (B) „Smart“ vs. „Dumb“
      • (C) Near Field vs. Far Field
      • (D) Closed Systems vs. Open Systems
    • Passive
      • no internal power supply
      • antenna induces minute electrical current
      • durable
      • Need an external antenna which is 80 times bigger than the chip in the best version thus far
      • Typical: tags embedded in labels
    • Active
      • Own internal power source
      • Transmit at higher power levels than passive tags (Re-)writable
      • (Larger) memory (for example 1 MB)
      • Communication ranges of 100 meters or more
      • Example: Monitoring the security of ocean containers or trailers stored in a yard or terminal
    • „ Smart“ vs. „Dumb“
      • Smart:
      • Microprocessor and Smart Card OS (up to Dual-Interface-Cards with Crypto Co-Processor)
      • vs.
      • Dumb:
      • Always the same ID number or State Machine
    • Closed Systems vs. Open Systems
      • Closed Systems:
      • One application case
      • Optimized and reduced functionality
      • No need for interoperability and compatibility
      • Example: proprietary RFID enhanced library
      • Open Systems:
      • Each antenna can read each tag
      • Internet of Things/Objects
      • Simple Components and Protocols
      • Interoperability and Compatibility important
      • Example: Electronic Product Code (EPCglobal)
    • RFID: Some Properties
      • Radio: no intervisibility, often contactless
      • => no choice to prevent reading event, no consent
      • Fix Address (EPC: unique worldwide)
      • => Recogmition and intersection attack
      • Embedded pot. Invisible
      • => no choice to decline
      • RFIDs are resource weak (in general)
      • => well known and standard PETsnot applicable