Your SlideShare is downloading. ×
Smart Cards
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Smart Cards

2,730
views

Published on

Published in: Technology, Business

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,730
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
232
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Smart Cards & RFID Name: Yousef Yahya Foad ajjawi Dr. Lo’ai Tawalbeh
  • 2. What is the Smart Card?
    • A smart card is a card that is embedded with either a microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation .
    • Smart Cards example For RFID ISO-Standards
  • 3. How Does It Work?
    • Smart Card inserted into Card Acceptor Device (CAD), card reader
    • Communicated with CAD through half duplex serial lines with a data rate of up to 9600 bits per second
    • Commands follow standard ISO 7816 specifications
    • Smart Card can get information from host computer, provide identification, do encryptions/decryption , etc.
  • 4. Where Are They Used?
    • All over the place, more so outside the US
    • Medical applications: In Germany 80 million people can use smart cards when they go to the doctor
    • Voting: In Sweden you can vote with your smart card
    • Entertainment: Most DSS dishes in the U.S. have smart cards
    • Telecommunications: Many cellular phones come with smart cards
  • 5. Smart Card Readers
    • Computer based readers
    • Connect through USB or COM (Serial) ports
    • Dedicated terminals
    • Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.
  • 6. Terminal/PC Card Interaction
    • The terminal/PC sends commands to the card (through the serial line).
    • The card executes the command and sends back the reply.
    • The terminal/PC cannot directly access memory of the card
      • data in the card is protected from unauthorized access. This is what makes the card smart.
  • 7. Fields of Smart Card Usage (1)
    • Health Applications
    • For example in Germany health insurance companies will issue an electronic health card
    • cards for the health professionals
    • electronic passport (ePass, ICAO-specifications)
    • No need to say that BSI is active in this field…
    • eGovernment / eCard
    • Goal: to fit as many applications as possible onto one card in order to avoid multiple cards for every citizen
    • BSI is very active to promote this concept in Germany
    • Social insurance also related to this
  • 8. Fields of Smart Card Usage (2)
    • Digital Signatures
    • As you know CC evaluation is required here by law in Germany and other countries
    • Digital Tachographs
    • Smart cards will be used in trucks in Europe instead of paper disks in order to store driving times and similar data
    • Access Control in companies and organizations
    • Public Transport
  • 9. Some developers
    • Hardware-Vendors : ATMEL, Philips, Renesas (former Hitachi), Infineon (former Siemens), Samsung, ST microelectronics
    • Smart-Card-Vendors : Oberthur, Gemplus, AXALTO (former Schlumberger), IBM, Sony, ORGA Card Systems, T-Systems (Telesec), ASK, Gieseke & Devrient, Austria Card, Siemens
    • Other software/application issuers are mainly related to the banking/payment field: Soc. T.Europienne de Monnaie Electronique (a French electronic purse society), Mondex, other banks and credit card companies
  • 10. Physical Structure & Life Cycle
    • Physical structure specified by ISO Standard 7810, 7816
    • Printed circuit provides five connection points for power and data
    • Capability of Smart Card defined by IC chip
    • – Microprocessor
    • – ROM
    • – RAM
    • – EEPROM
  • 11. Life Cycle
    • OS and security keys inside each smart card which have different visibility rules
    • Hence life cycle as card passes from manufacturer to application provider to user
  • 12. Massachusetts Bay Transit Authority (MBTA) .
    • The MBTA aims to provide a safe, available, and inexpensive service to its customers while respecting its customers' basic rights to privacy.
    • Currently, the MBTA is pursuing a plan of automated fare collection that will entail the use of RFID smartcards.
  • 13. Smart Cards vs. RFID
    • Contactless Smart Cards
    • Identify people
    • Store information
    • RFID
    • Identify or track objects
  • 14. RFID Privacy and Smartcard Privacy RFID = Radio Frequency Identification
    • Transponder (RFID-Tag, RFID-Label)
    • Antenna
    • Integration in Information Systems (i.e. Server, Services, Back Office …Example: inventory control system)
  • 15. RFID and Identity
    • RFID has 3 identity types
    • – ID linked to Person:
    • direct identification: personal data on chip (biometrics)
    • personal data in database (employee badge)
    • – ID linked to Service:
    • In combination with person ID (banking, season cards)
    • Anonymous (one time public transportation paper tickets)
    • – ID linked to Object / Product:
    • product information in database (retail products, library books)
    • direct identification (car keys)
    • Combining Object/Product ID with Individual is additional step, covered by existing privacy principles
  • 16. Privacy-enhancing solutions for RFID (PETs)
    • System-solutions
    • Encryption
    • Tag/Reader Authentication
    • Range reduction
    • Antenna size/design
    • Consumer-in-Control Solutions
    • “ Kill-switch”
    • Removable tags
    • Blocker tags
    • Shielding
    • User interface (NFC-device)
  • 17.
    • Security Evaluation
    • Users (e.g. Banks) want high security assurance
    • for smart cards.
    • Standard security evaluation procedure:
    • – Common Criteria evaluation: EAL 4 or EAL 5
    • – Evaluation is very expensive
  • 18. Determining Privacy Risk
    • When Privacy Risk is:
    • – High: use smart cards + PETs
    • – Medium: use smart cards, smart tag + PETs
    • – Low: use smart tag (PETs optional)
  • 19. Ways of protecting privacy
    • • “ Privacy by Design” (technological)
    • – examples: encryption, kill command, read range
    • – main actors: technology providers, standardization bodies
    • – influencing factors: cost, usability
    • – public policy: R&D-funding, Launching customer
    • • “ Privacy by Design” (organizational)
    • – examples: system design, business model
    • – main actors: system integrators, end-users (business)
    • – influencing factors: business opportunities, customer trust
    • – public policy: privacy principles, guidelines, best-practices
    • • Rule-based protection
    • – examples: self-regulation, law
    • – main actors: government, business, stakeholders
    • – influencing factors: administrative burdens (cost), market development
    • – public policy: compliance verification (“ Trust but Verify”)
  • 20. Contactless Smart Cards and Privacy
    • Data security
    • – Personal data (may be) stored in chip’s memory
    • – Password protection
    • – Mutual authentication chip and reader
    • – Advanced encryption (3DES, AES, PKI)
    • – Extremely short operating range: < 10 cm
    • – Advanced system design and sensor technology to prevent tempering
    • Multi-application smart cards
    • – Several applications on a single card
    • – Exclusivity Clear separation of applications and data (as if different cards were used)
    • Back office and system design
    • – Full application of current privacy and data protection laws
  • 21. Contactless Card
  • 22. RFID/EPC tags and privacy
    • ICC Principles of Fair RFID/EPC use
    • – RFID-use should be legal, honest, decent
    • • No personal data stored in RFID-tag
    • – Consumer information and choice
    • • Labeling
    • • How to remove / disable tags
    • – Privacy statement including RFID/EPC use
    • • What data is collected via RFID
    • • Purposes of collection/use
    • • Data disclosures (if any)
    • – Data security
    • – Individual’s right of access to data in RFID-enabled IT-system
  • 23. Recommendations
    • • Do not legislate RFID-technology, but only its applications and use
    • – Address privacy risks of the entire system
    • – Current OECD Privacy Principles already apply to system design, applications and data collection and –management
    • • Use Privacy-Enhancing Technologies only where relevant
    • – Stimulate R&D, standardization and use/acceptance of PETs
    • RFID is the enabling technology !
  • 24. Sample Applications of RFID Systems
    • Logistics Chains
    • Enterprise Resource Planning Systems
    • Inventory Control
    • Some Benefits
    • reducing the sources of errors(for instance reduction of inventory inaccuracies)
    • minimizing out of stocks
    • reduction of labor costs
    • simplification of business processes
  • 25. RFID -Areas of Applications
    • From a cross-industry viewpoint, the following areas of applications can be distinguished:
    • identification of objects
    • document authentication
    • maintenance and repair, recall campaigns
    • theft-protection and stop-loss strategies
    • access authorization and routing control
    • environmental monitoring and sensor technology
    • supply chain management: automation, process control and optimization
    • Also : Convenience Tools, Magic, New Learning Tools, New Dimension of Gaming
  • 26. RFID –Basic Services
    • Identification
    • Example: Which bag is it?
    • Localization (to a certain extent)
    • Example: Where is the bag? => Hint: Location of the reader (active RFIDs: GPS receiver)
    • Capturing State
    • Example: monitor the temperature of perishable goods
    • Mapping into Information Systems
    • Examples: Automatic Stocktaking, Customer Relationship Management
  • 27. RFID: Technology and Standards
    • (A) Active vs. Passive
    • (B) „Smart“ vs. „Dumb“
    • (C) Near Field vs. Far Field
    • (D) Closed Systems vs. Open Systems
  • 28. Passive
    • no internal power supply
    • antenna induces minute electrical current
    • durable
    • Need an external antenna which is 80 times bigger than the chip in the best version thus far
    • Typical: tags embedded in labels
  • 29. Active
    • Own internal power source
    • Transmit at higher power levels than passive tags (Re-)writable
    • (Larger) memory (for example 1 MB)
    • Communication ranges of 100 meters or more
    • Example: Monitoring the security of ocean containers or trailers stored in a yard or terminal
  • 30. „ Smart“ vs. „Dumb“
    • Smart:
    • Microprocessor and Smart Card OS (up to Dual-Interface-Cards with Crypto Co-Processor)
    • vs.
    • Dumb:
    • Always the same ID number or State Machine
  • 31. Closed Systems vs. Open Systems
    • Closed Systems:
    • One application case
    • Optimized and reduced functionality
    • No need for interoperability and compatibility
    • Example: proprietary RFID enhanced library
    • Open Systems:
    • Each antenna can read each tag
    • Internet of Things/Objects
    • Simple Components and Protocols
    • Interoperability and Compatibility important
    • Example: Electronic Product Code (EPCglobal)
  • 32. RFID: Some Properties
    • Radio: no intervisibility, often contactless
    • => no choice to prevent reading event, no consent
    • Fix Address (EPC: unique worldwide)
    • => Recogmition and intersection attack
    • Embedded pot. Invisible
    • => no choice to decline
    • RFIDs are resource weak (in general)
    • => well known and standard PETsnot applicable

×