Smart Cards & RFID Name: Yousef  Yahya Foad ajjawi Dr. Lo’ai Tawalbeh

Smart Cards

Published in: Technology, Business

  1. Smart Cards & RFID Name: Yousef Yahya Foad ajjawi Dr. Lo’ai Tawalbeh
  2. What is the Smart Card?
     • A smart card is a card embedded with either a microprocessor and a memory chip, or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation.
     • Smart Cards example For RFID ISO-Standards
  3. How Does It Work?
     • The smart card is inserted into a Card Acceptor Device (CAD), i.e. a card reader
     • It communicates with the CAD over half-duplex serial lines at a data rate of up to 9600 bits per second
     • Commands follow the ISO 7816 specifications
     • The smart card can get information from the host computer, provide identification, perform encryption/decryption, etc.
  4. Where Are They Used?
     • All over the place, more so outside the US
     • Medical applications: In Germany 80 million people can use smart cards when they go to the doctor
     • Voting: In Sweden you can vote with your smart card
     • Entertainment: Most DSS dishes in the U.S. have smart cards
     • Telecommunications: Many cellular phones come with smart cards
  5. Smart Card Readers
     • Computer based readers
       – Connect through USB or COM (serial) ports
     • Dedicated terminals
       – Usually with a small screen, keypad and printer; often also with biometric devices such as a thumbprint scanner
  6. Terminal/PC Card Interaction
     • The terminal/PC sends commands to the card (through the serial line).
     • The card executes the command and sends back the reply.
     • The terminal/PC cannot directly access the memory of the card
       – Data in the card is protected from unauthorized access. This is what makes the card smart.
  7. Fields of Smart Card Usage (1)
     • Health Applications
       – For example, in Germany health insurance companies will issue an electronic health card
       – Cards for the health professionals
     • Electronic passport (ePass, ICAO specifications)
       – No need to say that BSI is active in this field…
     • eGovernment / eCard
       – Goal: to fit as many applications as possible onto one card in order to avoid multiple cards for every citizen
       – BSI is very active in promoting this concept in Germany
       – Social insurance is also related to this
  8. Fields of Smart Card Usage (2)
     • Digital Signatures
       – As you know, CC evaluation is required here by law in Germany and other countries
     • Digital Tachographs
       – Smart cards will be used in trucks in Europe instead of paper disks in order to store driving times and similar data
     • Access Control in companies and organizations
     • Public Transport
  9. Some developers
     • Hardware vendors: ATMEL, Philips, Renesas (formerly Hitachi), Infineon (formerly Siemens), Samsung, STMicroelectronics
     • Smart card vendors: Oberthur, Gemplus, AXALTO (formerly Schlumberger), IBM, Sony, ORGA Card Systems, T-Systems (Telesec), ASK, Giesecke & Devrient, Austria Card, Siemens
     • Other software/application issuers are mainly related to the banking/payment field: Société Européenne de Monnaie Electronique (a French electronic purse society), Mondex, other banks and credit card companies
  10. Physical Structure & Life Cycle
     • Physical structure specified by ISO Standards 7810 and 7816
     • Printed circuit provides five connection points for power and data
     • Capability of the smart card is defined by its IC chip
       – Microprocessor
       – ROM
       – RAM
       – EEPROM
  11. Life Cycle
     • Each smart card holds an OS and security keys, which have different visibility rules
     • Hence a life cycle, as the card passes from manufacturer to application provider to user
  12. Massachusetts Bay Transit Authority (MBTA)
     • The MBTA aims to provide a safe, available, and inexpensive service to its customers while respecting its customers' basic rights to privacy.
     • Currently, the MBTA is pursuing a plan of automated fare collection that will entail the use of RFID smartcards.
  13. Smart Cards vs. RFID
     • Contactless Smart Cards
       – Identify people
       – Store information
     • RFID
       – Identify or track objects
  14. RFID Privacy and Smartcard Privacy
     RFID = Radio Frequency Identification
     • Transponder (RFID tag, RFID label)
     • Antenna
     • Integration in information systems (i.e. server, services, back office …; example: inventory control system)
  15. RFID and Identity
     • RFID has 3 identity types
       – ID linked to Person:
         • direct identification: personal data on chip (biometrics)
         • personal data in database (employee badge)
       – ID linked to Service:
         • In combination with person ID (banking, season cards)
         • Anonymous (one-time public transportation paper tickets)
       – ID linked to Object / Product:
         • product information in database (retail products, library books)
         • direct identification (car keys)
     • Combining Object/Product ID with Individual is an additional step, covered by existing privacy principles
  16. Privacy-enhancing solutions for RFID (PETs)
     • System solutions
       – Encryption
       – Tag/Reader Authentication
       – Range reduction
       – Antenna size/design
     • Consumer-in-Control Solutions
       – “Kill-switch”
       – Removable tags
       – Blocker tags
       – Shielding
       – User interface (NFC device)
  17. Security Evaluation
     • Users (e.g. banks) want high security assurance for smart cards.
     • Standard security evaluation procedure:
       – Common Criteria evaluation: EAL 4 or EAL 5
       – Evaluation is very expensive
  18. Determining Privacy Risk
     • When Privacy Risk is:
       – High: use smart cards + PETs
       – Medium: use smart cards, smart tag + PETs
       – Low: use smart tag (PETs optional)
  19. Ways of protecting privacy
     • “Privacy by Design” (technological)
       – examples: encryption, kill command, read range
       – main actors: technology providers, standardization bodies
       – influencing factors: cost, usability
       – public policy: R&D funding, launching customer
     • “Privacy by Design” (organizational)
       – examples: system design, business model
       – main actors: system integrators, end-users (business)
       – influencing factors: business opportunities, customer trust
       – public policy: privacy principles, guidelines, best practices
     • Rule-based protection
       – examples: self-regulation, law
       – main actors: government, business, stakeholders
       – influencing factors: administrative burdens (cost), market development
       – public policy: compliance verification (“Trust but Verify”)
  20. Contactless Smart Cards and Privacy
     • Data security
       – Personal data (may be) stored in chip’s memory
       – Password protection
       – Mutual authentication of chip and reader
       – Advanced encryption (3DES, AES, PKI)
       – Extremely short operating range: < 10 cm
       – Advanced system design and sensor technology to prevent tampering
     • Multi-application smart cards
       – Several applications on a single card
       – Exclusivity: clear separation of applications and data (as if different cards were used)
     • Back office and system design
       – Full application of current privacy and data protection laws
  21. Contactless Card
  22. RFID/EPC tags and privacy
     • ICC Principles of Fair RFID/EPC use
       – RFID use should be legal, honest, decent
         • No personal data stored in RFID tag
       – Consumer information and choice
         • Labeling
         • How to remove / disable tags
       – Privacy statement including RFID/EPC use
         • What data is collected via RFID
         • Purposes of collection/use
         • Data disclosures (if any)
       – Data security
       – Individual’s right of access to data in RFID-enabled IT system
  23. Recommendations
     • Do not legislate RFID technology, but only its applications and use
       – Address privacy risks of the entire system
       – Current OECD Privacy Principles already apply to system design, applications, and data collection and management
     • Use Privacy-Enhancing Technologies only where relevant
       – Stimulate R&D, standardization and use/acceptance of PETs
     • RFID is the enabling technology!
  24. Sample Applications of RFID Systems
     • Logistics Chains
     • Enterprise Resource Planning Systems
     • Inventory Control
     • Some Benefits
       – reducing the sources of errors (for instance reduction of inventory inaccuracies)
       – minimizing out of stocks
       – reduction of labor costs
       – simplification of business processes
  25. RFID - Areas of Applications
     • From a cross-industry viewpoint, the following areas of applications can be distinguished:
       – identification of objects
       – document authentication
       – maintenance and repair, recall campaigns
       – theft-protection and stop-loss strategies
       – access authorization and routing control
       – environmental monitoring and sensor technology
       – supply chain management: automation, process control and optimization
     • Also: Convenience Tools, Magic, New Learning Tools, New Dimension of Gaming
  26. RFID – Basic Services
     • Identification
       – Example: Which bag is it?
     • Localization (to a certain extent)
       – Example: Where is the bag? => Hint: Location of the reader (active RFIDs: GPS receiver)
     • Capturing State
       – Example: monitor the temperature of perishable goods
     • Mapping into Information Systems
       – Examples: Automatic Stocktaking, Customer Relationship Management
  27. RFID: Technology and Standards
     • (A) Active vs. Passive
     • (B) „Smart“ vs. „Dumb“
     • (C) Near Field vs. Far Field
     • (D) Closed Systems vs. Open Systems
  28. Passive
     • no internal power supply
     • antenna induces minute electrical current
     • durable
     • Need an external antenna which is 80 times bigger than the chip in the best version thus far
     • Typical: tags embedded in labels
  29. Active
     • Own internal power source
     • Transmit at higher power levels than passive tags
     • (Re-)writable
     • (Larger) memory (for example 1 MB)
     • Communication ranges of 100 meters or more
     • Example: Monitoring the security of ocean containers or trailers stored in a yard or terminal
  30. „Smart“ vs. „Dumb“
     • Smart:
       – Microprocessor and Smart Card OS (up to Dual-Interface-Cards with Crypto Co-Processor)
     • vs.
     • Dumb:
       – Always the same ID number or State Machine
  31. Closed Systems vs. Open Systems
     • Closed Systems:
       – One application case
       – Optimized and reduced functionality
       – No need for interoperability and compatibility
       – Example: proprietary RFID enhanced library
     • Open Systems:
       – Each antenna can read each tag
       – Internet of Things/Objects
       – Simple Components and Protocols
       – Interoperability and Compatibility important
       – Example: Electronic Product Code (EPCglobal)
  32. RFID: Some Properties
     • Radio: no intervisibility (line of sight) needed, often contactless
       => no way to prevent a reading event, no consent
     • Fixed address (EPC: unique worldwide)
       => Recognition and intersection attack
     • Embedded, potentially invisible
       => no choice to decline
     • RFIDs are resource-weak (in general)
       => well-known and standard PETs not applicable
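
Slides 3 and 6 describe the terminal sending ISO 7816 commands and the card replying without ever exposing its memory, and slide 20 lists password protection. The following is an added example, not part of the original slides: a toy Python model of the card side that enforces a PIN check and retry counter before READ BINARY. The `ToyCard` class, PIN and file contents are constructed for illustration; the INS codes and status words are the ISO 7816-4 values, and the transport layer (T=0/T=1) is left out.

```python
# Added example: toy card-side handler for ISO 7816-4 command APDUs.
# PIN, file contents and retry limit are constructed sample values.
import hmac

INS_VERIFY, INS_READ_BINARY = 0x20, 0xB0
SW_OK = b"\x90\x00"
SW_WRONG_LENGTH = b"\x67\x00"
SW_SECURITY_NOT_SATISFIED = b"\x69\x82"
SW_AUTH_BLOCKED = b"\x69\x83"
SW_WRONG_P1P2 = b"\x6b\x00"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"


class ToyCard:
    """Card-side state; the terminal only ever sees what process() returns."""

    def __init__(self, pin: bytes, file_data: bytes, max_tries: int = 3):
        self._pin, self._file = pin, file_data
        self._max_tries = self._tries_left = max_tries
        self._verified = False

    def process(self, apdu: bytes) -> bytes:
        """Handle one command APDU; return response data followed by SW1 SW2."""
        if len(apdu) < 4:  # header is CLA INS P1 P2
            return SW_WRONG_LENGTH
        ins, p1, p2, body = apdu[1], apdu[2], apdu[3], apdu[4:]
        if ins == INS_VERIFY:
            return self._verify(body)
        if ins == INS_READ_BINARY:
            return self._read_binary(p1, p2, body)
        return SW_INS_NOT_SUPPORTED

    def _verify(self, body: bytes) -> bytes:
        if not body or body[0] != len(body) - 1:  # Lc must match PIN length
            return SW_WRONG_LENGTH
        if self._tries_left == 0:  # retry counter exhausted: PIN is blocked
            return SW_AUTH_BLOCKED
        if hmac.compare_digest(body[1:], self._pin):  # constant-time compare
            self._verified, self._tries_left = True, self._max_tries
            return SW_OK
        self._verified = False
        self._tries_left -= 1
        return bytes([0x63, 0xC0 | self._tries_left])  # 63Cx: x tries left

    def _read_binary(self, p1: int, p2: int, body: bytes) -> bytes:
        if not self._verified:  # access condition enforced inside the card
            return SW_SECURITY_NOT_SATISFIED
        if len(body) != 1:  # exactly one Le byte expected
            return SW_WRONG_LENGTH
        offset = (p1 << 8) | p2
        if p1 & 0x80 or offset >= len(self._file):
            return SW_WRONG_P1P2
        length = body[0] or 256  # Le = 00 means "up to 256 bytes"
        return self._file[offset:offset + length] + SW_OK
```

Because the retry counter lives on the card, a terminal that guesses wrong three times gets `6983` from then on, even for the correct PIN.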
