SlideShare a Scribd company logo

Gao

Download as PPT, PDF
Md Jasim Uddin
Md Jasim Uddin
1 of 22
Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University
Overview  Introduction  Security Technologies • Physical structure and life cycle • Communication with the outside world • Operating system  Attacks on Smart Card  Conclusion
Introduction  Smart card is a credit card sized plastic card embeds an integrated circuit chip.  Smart card provides memory capacity and computational capabilities.  It is used in the applications that require high security protection and authentication.
Introduction (Cont.)  Main applications of smart card  Credit/debit card  Medical card  Identification card  Entertainment card  Voting card
Security Technologies  Three Points of Views  Physical Structure and Life Cycle  Communication with Outside World  Operating System
Physical Structure Three basic elements A plastic card A printed circuit  An integrated circuit chip
Life Cycle of the Smart Card  Five phases in smart card’s life cycle • Fabrication phase • Pre-personalization phase • Personalization phase • Utilization phase • End-of-lift phase  Every phase has its own limitations on transferring and accessing data
Fabrication Phase  The chip manufacturer makes and tests the integrated circuit chip A unique fabrication key (FK) is added to prevent chip from modifying • FK stays in the chip until it is assembled into the plastic card • FK is derived from a master manufacture key
Pre-personalization Phase  Controlled by the card suppliers  Circuit chip is mounted on the plastic card  A personalization key (PK) replaces the fabrication key  A personalization lock VPER is set to prevent further modification  The card only can accessed by the logical memory addressing
Personalization Phase  Card issuer writes the data files and application data to the card  Stores identity of card holder, PIN, and unblocking PIN  Set a utilization lock VUTIL to indicate the card is in the utilization phase
Utilization Phase  For normal use of the card by the card holder  Application system and logical file access controls are available  There are application security policies to rule the access of the information
End-of-Life Phase  Also called invalidation phase  There are two ways to move the card into this phase • Set an invalidation lock to an individual or master file.  Operating system disables all operations except read for analysis • Block all the PINs to disable all operations  Operating system disables all operations including read
Communication with Outside World  Smart card usually needs external peripherals to cooperate • e.g. needs to connect to card acceptor device to obtain power and input/output information  The untrusted external peripherals reduce the security
Communication with Outside World (Cont.)  To prevent massive data attack • Data exchange limits to 9600 bits/second • Use half duplex mode  Mutual authentication protocol is used between smart card and CAD  Use message authentication code (MAC) to protect integrity
Authentication between Smart Card and CAD Smart Card 1. rs 2. rs encrypted with Ksc 3. Smart card encrypts rs with Ksc and compares it with the data received from CAD 4. rc 5. rc encrypted with Ksc 6. CAD encrypts rc with Ksc and compares it with the data received from smart card Card Acceptor Device (CAD)
Operating System  Logical File Structure  Access Controls
Logical File Structure  Files are in a hierarchal tree form • Master file (MF) • Dedicated file (DF) • Elementary file (EF)  Every file has header and body • Header consists security attributes to indicate user’s rights • Body stores all the headers of its immediate children or data  Application can access files only it has the appropriate right
Access Controls  Depends on the correct presentation of PIN and their management  5 Levels of access conditions • Always (ALW) • Card holder verification 1 (CHV1) • Card holder verification 1 (CHV1) • Administrative (ADM) • Never (NEV)  PIN presentation and management • Counter • Maximum number • Unblocking PIN
Attacks on Smart Card  Logical attacks  Control the voltage or temperate on EEPROM  Physical attacks  Wash away the surface of circuit chip and Examine it  Use UV light Logical and physical attacks are expensive. They are only available in well-funded laboratories. Logical and physical attacks are expensive. They are only available in well-funded laboratories.
Attacks on Smart Cart (Cont.)  Functional attacks • Smart card consists five parties  Cardholder, terminal, data owner, card issuer, card manufacturer, and software manufacturer • There are potential attacks between any two parties • Solutions  Use strong cryptographic protocols to increase tamper resistance  Reduce the party number  Make the system more transparent  Consider the security issue at the beginning of the system design
Conclusion  Smart card uses integrated circuit chip rather than magnetic strip to store data  Smart card can be programmed to compute the cryptographic keys  Smart card is a good device to store important information • Private key • Account numbers • Biometrics information  Smart card has weakness, but it is secure enough for present requirements
Q & A ???

Recommended

Access control basics-2
Access control basics-2Access control basics-2
Access control basics-2grantlerc
 
Physical access control
Physical access controlPhysical access control
Physical access controlAhsin Yousaf
 
Data/File Security & Control
Data/File Security & ControlData/File Security & Control
Data/File Security & ControlAdetula Bunmi
 
Managing your access control systems
Managing your access control systemsManaging your access control systems
Managing your access control systemsWalter Sinchak,
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with FedoraUditha Bandara Wijerathna
 
Arch overview
Arch overviewArch overview
Arch overviewmaojunjie
 
Physical Security
Physical SecurityPhysical Security
Physical Securitykavitha muneeshwaran
 

Recommended

Access control basics-2
Access control basics-2Access control basics-2
Access control basics-2grantlerc
 
Physical access control
Physical access controlPhysical access control
Physical access controlAhsin Yousaf
 
Data/File Security & Control
Data/File Security & ControlData/File Security & Control
Data/File Security & ControlAdetula Bunmi
 
Managing your access control systems
Managing your access control systemsManaging your access control systems
Managing your access control systemsWalter Sinchak,
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with FedoraUditha Bandara Wijerathna
 
Arch overview
Arch overviewArch overview
Arch overviewmaojunjie
 
Physical Security
Physical SecurityPhysical Security
Physical Securitykavitha muneeshwaran
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security PresentationWajahat Rajab
 
Unit 1 embedded systems and applications
Unit 1 embedded systems and applicationsUnit 1 embedded systems and applications
Unit 1 embedded systems and applicationsDr.YNM
 
5 Techniques to Achieve Functional Safety for Embedded Systems
5 Techniques to Achieve Functional Safety for Embedded Systems5 Techniques to Achieve Functional Safety for Embedded Systems
5 Techniques to Achieve Functional Safety for Embedded SystemsAngela Hauber
 
8. operations security
8. operations security8. operations security
8. operations security7wounders
 
Serverless Thin Client
Serverless Thin ClientServerless Thin Client
Serverless Thin Clientguestb980dc366
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Hardware Security Training By TONEX
Hardware Security Training By TONEXHardware Security Training By TONEX
Hardware Security Training By TONEXBryan Len
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyArti Ambokar
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building securityMayank Jain
 
5 Things to Know about Safety and Security of Embedded Systems
5 Things to Know about Safety and Security of Embedded Systems5 Things to Know about Safety and Security of Embedded Systems
5 Things to Know about Safety and Security of Embedded SystemsMEN Mikro Elektronik GmbH
 
Access control Week 1
Access control Week 1Access control Week 1
Access control Week 1jemtallon
 
6 weeks training on Embedded System
6 weeks training on Embedded System6 weeks training on Embedded System
6 weeks training on Embedded SystemAryaBhatt Collage of Eingineering and Technology
 
Ch07 Access Control Fundamentals
Ch07 Access Control FundamentalsCh07 Access Control Fundamentals
Ch07 Access Control FundamentalsInformation Technology
 
Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in industrial networks Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in industrial networks IJECEIAES
 
Introduction to SmartCards - Michael Perlov
Introduction to SmartCards - Michael PerlovIntroduction to SmartCards - Michael Perlov
Introduction to SmartCards - Michael PerlovFilipe Mello
 
The Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationThe Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationHafiza Abas
 
Track 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webTrack 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webST_World
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryNarudom Roongsiriwong, CISSP
 
Smart card system ppt
Smart card system ppt Smart card system ppt
Smart card system ppt Dewanshu Haswani
 
dewanshuppt-130808103546-phpapp02.pdf
dewanshuppt-130808103546-phpapp02.pdfdewanshuppt-130808103546-phpapp02.pdf
dewanshuppt-130808103546-phpapp02.pdfssuser5b47c8
 

More Related Content

What's hot

Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security PresentationWajahat Rajab
 
Unit 1 embedded systems and applications
Unit 1 embedded systems and applicationsUnit 1 embedded systems and applications
Unit 1 embedded systems and applicationsDr.YNM
 
5 Techniques to Achieve Functional Safety for Embedded Systems
5 Techniques to Achieve Functional Safety for Embedded Systems5 Techniques to Achieve Functional Safety for Embedded Systems
5 Techniques to Achieve Functional Safety for Embedded SystemsAngela Hauber
 
8. operations security
8. operations security8. operations security
8. operations security7wounders
 
Serverless Thin Client
Serverless Thin ClientServerless Thin Client
Serverless Thin Clientguestb980dc366
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Hardware Security Training By TONEX
Hardware Security Training By TONEXHardware Security Training By TONEX
Hardware Security Training By TONEXBryan Len
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyArti Ambokar
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building securityMayank Jain
 
5 Things to Know about Safety and Security of Embedded Systems
5 Things to Know about Safety and Security of Embedded Systems5 Things to Know about Safety and Security of Embedded Systems
5 Things to Know about Safety and Security of Embedded SystemsMEN Mikro Elektronik GmbH
 
Access control Week 1
Access control Week 1Access control Week 1
Access control Week 1jemtallon
 
Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in industrial networks Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in industrial networks IJECEIAES
 
Introduction to SmartCards - Michael Perlov
Introduction to SmartCards - Michael PerlovIntroduction to SmartCards - Michael Perlov
Introduction to SmartCards - Michael PerlovFilipe Mello
 
The Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationThe Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationHafiza Abas
 

What's hot (18)

Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security Presentation
 
Unit 1 embedded systems and applications
Unit 1 embedded systems and applicationsUnit 1 embedded systems and applications
Unit 1 embedded systems and applications
 
5 Techniques to Achieve Functional Safety for Embedded Systems
5 Techniques to Achieve Functional Safety for Embedded Systems5 Techniques to Achieve Functional Safety for Embedded Systems
5 Techniques to Achieve Functional Safety for Embedded Systems
 
8. operations security
8. operations security8. operations security
8. operations security
 
Serverless Thin Client
Serverless Thin ClientServerless Thin Client
Serverless Thin Client
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Hardware Security Training By TONEX
Hardware Security Training By TONEXHardware Security Training By TONEX
Hardware Security Training By TONEX
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodology
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building security
 
5 Things to Know about Safety and Security of Embedded Systems
5 Things to Know about Safety and Security of Embedded Systems5 Things to Know about Safety and Security of Embedded Systems
5 Things to Know about Safety and Security of Embedded Systems
 
Access control Week 1
Access control Week 1Access control Week 1
Access control Week 1
 
6 weeks training on Embedded System
6 weeks training on Embedded System6 weeks training on Embedded System
6 weeks training on Embedded System
 
Ch07 Access Control Fundamentals
Ch07 Access Control FundamentalsCh07 Access Control Fundamentals
Ch07 Access Control Fundamentals
 
Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in industrial networks Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in industrial networks
 
Introduction to SmartCards - Michael Perlov
Introduction to SmartCards - Michael PerlovIntroduction to SmartCards - Michael Perlov
Introduction to SmartCards - Michael Perlov
 
The Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationThe Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and Operation
 

Similar to Gao

Track 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webTrack 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webST_World
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryNarudom Roongsiriwong, CISSP
 
dewanshuppt-130808103546-phpapp02.pdf
dewanshuppt-130808103546-phpapp02.pdfdewanshuppt-130808103546-phpapp02.pdf
dewanshuppt-130808103546-phpapp02.pdfssuser5b47c8
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)Zara Nawaz
 
Smartcards and Authentication Tokens
Smartcards and Authentication TokensSmartcards and Authentication Tokens
Smartcards and Authentication Tokenssaniacorreya
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passportsRiscure
 
Vanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmapVanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmapHai Nguyen
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Risk Crew
 
Embedded systems presentation power point.ppt
Embedded systems presentation power point.pptEmbedded systems presentation power point.ppt
Embedded systems presentation power point.pptssuser1b4013
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYMOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYDEEPAK948083
 
Machine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric PassportMachine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric PassportTariq Tauheed
 
Embedded system in Smart Cards
Embedded system in Smart CardsEmbedded system in Smart Cards
Embedded system in Smart CardsRebecca D'souza
 
Eric java card-basics-140314
Eric java card-basics-140314Eric java card-basics-140314
Eric java card-basics-140314Eric Vétillard
 
Understanding the Role of Hardware Data Encryption in EMV and P2PE
Understanding the Role of Hardware Data Encryption in EMV and P2PEUnderstanding the Role of Hardware Data Encryption in EMV and P2PE
Understanding the Role of Hardware Data Encryption in EMV and P2PEGreg Stone
 

Similar to Gao (20)

Track 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webTrack 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for web
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
 
Smart card system ppt
Smart card system ppt Smart card system ppt
Smart card system ppt
 
dewanshuppt-130808103546-phpapp02.pdf
dewanshuppt-130808103546-phpapp02.pdfdewanshuppt-130808103546-phpapp02.pdf
dewanshuppt-130808103546-phpapp02.pdf
 
Smartcard
SmartcardSmartcard
Smartcard
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)
 
Smartcards and Authentication Tokens
Smartcards and Authentication TokensSmartcards and Authentication Tokens
Smartcards and Authentication Tokens
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
 
Vanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmapVanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmap
 
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
 
Smart Card based Robust Security System
Smart Card based Robust Security SystemSmart Card based Robust Security System
Smart Card based Robust Security System
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
 
Embedded systems presentation power point.ppt
Embedded systems presentation power point.pptEmbedded systems presentation power point.ppt
Embedded systems presentation power point.ppt
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYMOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
 
Machine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric PassportMachine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric Passport
 
Embedded system in Smart Cards
Embedded system in Smart CardsEmbedded system in Smart Cards
Embedded system in Smart Cards
 
Smart Cards
Smart CardsSmart Cards
Smart Cards
 
Eric java card-basics-140314
Eric java card-basics-140314Eric java card-basics-140314
Eric java card-basics-140314
 
Understanding the Role of Hardware Data Encryption in EMV and P2PE
Understanding the Role of Hardware Data Encryption in EMV and P2PEUnderstanding the Role of Hardware Data Encryption in EMV and P2PE
Understanding the Role of Hardware Data Encryption in EMV and P2PE
 

Gao

  • 1. Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University
  • 2. Overview  Introduction  Security Technologies • Physical structure and life cycle • Communication with the outside world • Operating system  Attacks on Smart Card  Conclusion
  • 3. Introduction  Smart card is a credit card sized plastic card embeds an integrated circuit chip.  Smart card provides memory capacity and computational capabilities.  It is used in the applications that require high security protection and authentication.
  • 4. Introduction (Cont.)  Main applications of smart card  Credit/debit card  Medical card  Identification card  Entertainment card  Voting card
  • 5. Security Technologies  Three Points of Views  Physical Structure and Life Cycle  Communication with Outside World  Operating System
  • 6. Physical Structure Three basic elements A plastic card A printed circuit  An integrated circuit chip
  • 7. Life Cycle of the Smart Card  Five phases in smart card’s life cycle • Fabrication phase • Pre-personalization phase • Personalization phase • Utilization phase • End-of-lift phase  Every phase has its own limitations on transferring and accessing data
  • 8. Fabrication Phase  The chip manufacturer makes and tests the integrated circuit chip A unique fabrication key (FK) is added to prevent chip from modifying • FK stays in the chip until it is assembled into the plastic card • FK is derived from a master manufacture key
  • 9. Pre-personalization Phase  Controlled by the card suppliers  Circuit chip is mounted on the plastic card  A personalization key (PK) replaces the fabrication key  A personalization lock VPER is set to prevent further modification  The card only can accessed by the logical memory addressing
  • 10. Personalization Phase  Card issuer writes the data files and application data to the card  Stores identity of card holder, PIN, and unblocking PIN  Set a utilization lock VUTIL to indicate the card is in the utilization phase
  • 11. Utilization Phase  For normal use of the card by the card holder  Application system and logical file access controls are available  There are application security policies to rule the access of the information
  • 12. End-of-Life Phase  Also called invalidation phase  There are two ways to move the card into this phase • Set an invalidation lock to an individual or master file.  Operating system disables all operations except read for analysis • Block all the PINs to disable all operations  Operating system disables all operations including read
  • 13. Communication with Outside World  Smart card usually needs external peripherals to cooperate • e.g. needs to connect to card acceptor device to obtain power and input/output information  The untrusted external peripherals reduce the security
  • 14. Communication with Outside World (Cont.)  To prevent massive data attack • Data exchange limits to 9600 bits/second • Use half duplex mode  Mutual authentication protocol is used between smart card and CAD  Use message authentication code (MAC) to protect integrity
  • 15. Authentication between Smart Card and CAD Smart Card 1. rs 2. rs encrypted with Ksc 3. Smart card encrypts rs with Ksc and compares it with the data received from CAD 4. rc 5. rc encrypted with Ksc 6. CAD encrypts rc with Ksc and compares it with the data received from smart card Card Acceptor Device (CAD)
  • 16. Operating System  Logical File Structure  Access Controls
  • 17. Logical File Structure  Files are in a hierarchal tree form • Master file (MF) • Dedicated file (DF) • Elementary file (EF)  Every file has header and body • Header consists security attributes to indicate user’s rights • Body stores all the headers of its immediate children or data  Application can access files only it has the appropriate right
  • 18. Access Controls  Depends on the correct presentation of PIN and their management  5 Levels of access conditions • Always (ALW) • Card holder verification 1 (CHV1) • Card holder verification 1 (CHV1) • Administrative (ADM) • Never (NEV)  PIN presentation and management • Counter • Maximum number • Unblocking PIN
  • 19. Attacks on Smart Card  Logical attacks  Control the voltage or temperate on EEPROM  Physical attacks  Wash away the surface of circuit chip and Examine it  Use UV light Logical and physical attacks are expensive. They are only available in well-funded laboratories. Logical and physical attacks are expensive. They are only available in well-funded laboratories.
  • 20. Attacks on Smart Cart (Cont.)  Functional attacks • Smart card consists five parties  Cardholder, terminal, data owner, card issuer, card manufacturer, and software manufacturer • There are potential attacks between any two parties • Solutions  Use strong cryptographic protocols to increase tamper resistance  Reduce the party number  Make the system more transparent  Consider the security issue at the beginning of the system design
  • 21. Conclusion  Smart card uses integrated circuit chip rather than magnetic strip to store data  Smart card can be programmed to compute the cryptographic keys  Smart card is a good device to store important information • Private key • Account numbers • Biometrics information  Smart card has weakness, but it is secure enough for present requirements

Editor's Notes

  1. 1. Plastic card has a dimension of 85.60mm x 53.98mm x 0.80mm. It must be able to bent in a certain degree without any damages 2. Printed circuit is gold plate that provides the communication between the external power or data and the internal chip. Moreover, it prevents the circuit chip from mechanical stress and static electricity. 3. Integrated circuit chip is The most important component in smart card. It contains microprocessor, read only memory (ROM), non-static random access memory (RAM), and electrically erasable programmable read only memory (EEPROM). The size of the integrated circuit chip is a few millimeters because it is made of silicon, which is easy to break