HTML Injection Attacks: Impact and Mitigation Strategies
Introduction to SmartCards - Michael Perlov
1. Security & Cryptography in Distributed Systems, Fall 1998
SSmmaarrtt CCaarrddss
By Michael Perlov
(perl7849@cs.nyu.edu)
2. Outline of the Presentation
• What is a Smart Card? Examples
• Case Study: IBM MultiFunction Card
• Smart Card Standards
• Additional Resources
08/26/14 Smart Cards 2
3. What is a Smart Card?
• Technical definition:
A card formed of plastic body with an
embedded integrated circuit.
• The devices come in several varieties, from
simple memory cards to those carrying their
own microprocessors.
• There are four major categories
08/26/14 Smart Cards 3
4. Unprotected memory cards
• Act as a storage medium for tokens
• Carry an application code and a simple
mechanism to specify the issuer of the card
• Can’t perform off-line processing
• Used as prepaid phone cards in France,
Holland and Germany
08/26/14 Smart Cards 4
5. Wired logic memory cards
• Have built-in EPROM or EEPROM
• Can be reloaded with data (like monetary
value)
• Contain hard-wired data protection
• Examples are electronic hotel keys and
new-generation phone cards used in the
Benelux countries
08/26/14 Smart Cards 5
6. Microprocessor cards
• Typically have
– an 8-bit microprocessor with an OS in ROM
– 96 to 512 KB of RAM
– 3 to 16 KB of ROM
– Use EEPROM for non-volatile memory, with
capacities ranging from 1 to 16 KB
• Some have an additional cryptography
coprocessor eith extra RAM to perform
private-key (DES) and/or public-key (RSA)
cryptography
08/26/14 Smart Cards 6
7. • Many cards of this type are multi-functional,
providing the option of hosting
several applications from various industry
domains on a single card, key domains
being:
– Banking & Payment Systems
• debit/credit
• electronic purse
– Health Care
• health records
• health insurance
08/26/14 Smart Cards 7
8. – Travel & Transportation
• ticketless air travel
• car rental
– Electronic commerce
• cyber shopping
• secure access/payment via the Internet
• We will look at an example of this kind of
card in the case-study later on in the talk
08/26/14 Smart Cards 8
9. Contactless cards
• Antenna is embedded in the plastic
• How it works:
– The antenna picks up an electromagnetic signal
that emanates from the reader
– The signal powers the card and transmits the
data
– The card updates its internal state and transmits
a signal back
• Useful when applications require high
throughput, for ex. in mass transit
08/26/14 Smart Cards 9
10. Case Study - IBM Multifunction
Card
Overview
• A sophisticated smart card solution, built on
top of the IBM MFC (Multifunction Card)
OS
• The chip can be fed with data and a variety
of application programs that can be updated
whenever necessary
• Supports private-key (DES) and public-key
(RSA) cryptography
08/26/14 Smart Cards 10
12. File system
• Has a tree structure and can be compared
with the file structure of a PC’s harddisk
• Has the following file hierarchy:
– Master Files (MF) - root directory
– Dedicated Files (DF) - application directories
– Elementary Files (EF) - application data files
08/26/14 Smart Cards 12
13. Access conditions
• Each file contained in the directory tree of a
MultiFunction Card contains predefined
access conditions assigned for each of the
following access methods:
– Read: read, seek, etc
– Update: update, decrease, etc.
– Administer: create/delete, invalidate, restore,
etc.
08/26/14 Smart Cards 13
14. • The following access conditions can be
specified:
– Always (ALW) - access without restriction
– Card Holder verification (CHV) - card holder
must present his secret CHV
– External Authentication (AUT) - external world
must authenticate itself
– Protected (ENC) - either the command or the
response is shielded with a cryptogram
– Never (NEV) - the data cannot be accessed
under any circumstances
08/26/14 Smart Cards 14
15. Commands supported by MFC OS
– Application data commands
• Read - reads data from a selected file
• Select - selects a file
• Update - updates a record in a data file
• Append - appends a record to a file
– Security commands
• Get challenge - generate an 8-byte random number
• Verify CHV
• External authentication - authentication of the
external world based on a previously generated
random number and a secret key
• Load key file - loads or updates cryptographic keys
08/26/14 Smart Cards 15
16. – Additional/modified commands available with
public-key cryptography cards
• Calculate hash
• External authenticate - extension to the standard
external authentication function using public-key
cryptography
• Generate signature - generates a digital signature
based on a a card’s secret key (using RSA)
• Verify signature - verifies a digital signature using
a public key
– Card management commands
• Create file
• Delete file
08/26/14 Smart Cards 16
18. Standards
Standardization plays a key role in the
acceptance and growth of the smart card
industry. Only the appropriate international
standards can assure that a smart card fits
into different card readers and terminals at
different locations in the world
08/26/14 Smart Cards 18
19. Smart card standardization is driven from two
sides:
• The international standards organizations
(ISO, ANSI, etc)
– ISO began working on standards for chip cards
as early as 1983
– The foundation of virtually all existing smart
card standards is ISO 7816, which specifies
• physical & electrical characteristics
• formats and protocols for information exchange
• functions provided by smart cards
08/26/14 Smart Cards 19
20. • The industry. Key players include
Mastercard, Visa, Europay, IBM, Sun and
others
– EMV
• Specification for the application of smart cards to
the payment industry
• Created by Europay, Mastercard and Visa
– OpenCard Framework
• A set of guidelines announced by IBM, Netscape
and Sun
• Provides an architecture and a set of APIs for
building smart card-aware solutions on OpenCard-compliant
network computers
08/26/14 Smart Cards 20
21. • Consists of four major components:
– CardTerminal - encapsulates all card terminal related
classes
– CardAgent - provides a common interface for a multitude
of card operating sysetms
– CardIO - provides access to the file system of a smart card
– CardAgentExtension - provides non-file related smart card
functionality
08/26/14 Smart Cards 21
22. – JavaCard
• Is a standard set of APIs and classes that allows
Java applets to run directly on a standard ISO 7816
compliant card
• The specifications are announced by Sun and Visa,
with the support of leading smart card suppliers
• Provides all the benefits of Java - portability,
security, etc.
– Smart Card SDK
• Developed by Microsoft
• Provides a set of APIs for developers to write smart
card-aware Windows applications to operate with
smart card readers that conform to the specification
• The first integrated smart card PCs were to begin
shipping this year
08/26/14 Smart Cards 22