This document provides an overview of smart cards, including: - Their architecture which includes a CPU, memory (RAM, ROM, EEPROM), security logic, and interface. - How they work by communicating with card readers using standardized commands and responses. - Security mechanisms like passwords, cryptographic challenges, and biometric storage to authenticate users and the card/terminal. - How data is stored in their EEPROM memory organized in a file structure.

1. Smart Cards

2. Topics Covered
 Defining Smart Cards
 Smart Card Architecture
 Smart Card – Working
 Smart Card – Security
 Data Storage in Smart Card
 Types of Smart Card
 Usage and Application
 Advantages and Disadvantages
 Future Development
12/13/2011 ITECH 7215 Information Security 2

3. DEFINING SMART CARDS
• Known by other names like Chip Cards, Integrated
Circuit Cards (ICC) and Processor Cards.
• Size is same as any other Credit card
With or without contact information.
• Cards have an operating system.
• The OS provides
A standard way of interchanging information.
An interpretation of the commands and data.
• Cards must interface to a computer or terminal
through a standard card reader.
12/13/2011 ITECH 7215 Information Security 3

4. Card and Card Reader
• Computer based readers:
Connect through USB or COM (Serial) ports
• Dedicated terminals:
Usually with a small screen, keypad, printer,
often also have biometric devices such as
thumb print scanner.
12/13/2011 ITECH 7215 Information Security 4

5. SMART CARD ARCHITECTURE
12/13/2011 ITECH 7215 Information Security 5

6. SMART CARD ARCHITECTURE
• 256 bytes to 4KB RAM.
• 8KB to 32KB ROM.
• 1KB to 32KB EEPROM.
• Crypto-coprocessors (implementing 3DES, RSA etc., in hardware) are
optional.
• 8-bit to 16-bit CPU. 8051 based designs are common.
The price of a mid-level chip when produced in bulk is less than US$1.
CLK RST
Vcc
RFU
GND Vpp
RFU I/O
12/13/2011 ITECH 7215 Information Security 6

7. WORKING STRUCTURE
• Central Processing Unit: Heart of the Chip
• All the processing of data preforms in here.
CPU
12/13/2011 ITECH 7215 Information Security 7

8. WORKING STRUCTURE
• security logic: detecting abnormal conditions
e.g. low voltage
CPU
security
logic
12/13/2011 ITECH 7215 Information Security 8

9. WORKING STRUCTURE
• serial i/o interface: contact to the outside world
CPU
security
logic
serial i/o
interface
12/13/2011 ITECH 7215 Information Security 9

10. WORKING STRUCTURE
• test logic: self-test procedures
CPU test logic
security
logic
serial i/o
interface
12/13/2011 ITECH 7215 Information Security 10

11. WORKING STRUCTURE
ROM:
• card operating system
• self-test procedures
• typically 16 kbytes
• future 32/64 kbytes
CPU test logic
security ROM
logic
serial i/o
interface
12/13/2011 ITECH 7215 Information Security 11

12. WORKING STRUCTURE
RAM:
• ‘Buffer memory’ of the processor
• typically 512 bytes
• future 1 kbyte
CPU test logic
security ROM
logic
RAM
serial i/o
interface
12/13/2011 ITECH 7215 Information Security 12

13. WORKING STRUCTURE
EEPROM:
• cryptographic keys
• PIN code CPU test logic
• biometric template security ROM
logic
• balance RAM
serial i/o
• application code interface EEPROM
• typically 8 kbytes
• future 32 kbytes
12/13/2011 ITECH 7215 Information Security 13

14. WORKING STRUCTURE
databus:
• connection between elements of the chip
• 8 or 16 bits wide
Databus
CPU test logic
security ROM
logic
RAM
serial i/o
interface EEPROM
12/13/2011 ITECH 7215 Information Security 14

15. SMART CARD WORKING
12/13/2011 ITECH 7215 Information Security 15

16. TERMINAL/PC CARD
INTERACTION
• The terminal/PC sends commands to the card
(through the serial line).
• The card executes the command and sends
back the reply.
• The terminal/PC cannot directly access memory
of the card
o Data in the card is protected from
unauthorized access. This is what makes the
card smart.
12/13/2011 ITECH 7215 Information Security 16

17. HOW IT WORKS
Card is inserted in the terminal Card gets power. OS boots up. Sends
ATR (Answer to reset)
ATR negotiations take place to set
up data transfer speeds, capability
negotiations etc.
Card responds with an error
Terminal sends first command to
(because MF selection is only on
select MF
password presentation)
Terminal prompts the user to
provide password
Card verifies P2. Stores a status “P2
Terminal sends password for
Verified”. Responds “OK”
verification
Terminal sends command to select Card responds “OK”
MF again
Card supplies personal data and
Terminal sends command to read EF1
responds “OK”
12/13/2011 ITECH 7215 Information Security 17

18. COMMUNICATION
• Communication between smart card and reader
is standardized:
ISO 7816 standard
• Commands are initiated by the terminal
Interpreted by the card OS
Card state is updated
Response is given by the card.
• Commands have the following structure
• Response from the card include 1..Le bytes
followed by Response Code
12/13/2011 ITECH 7215 Information Security 18

19. SMART CARD SECURITY
12/13/2011 ITECH 7215 Information Security 19

20. SECURITY MECHANISM
• Password
Card holder’s protection
• Cryptographic challenge Response
Entity authentication
• Biometric information
Person’s identification
• A combination of one or more
12/13/2011 ITECH 7215 Information Security 20

21. PASSWORD VERIFICATION
1. Terminal asks the user to provide a password.
2. Password is sent to Card for verification.
3. Scheme can be used to permit user
authentication.
Not a person identification scheme
12/13/2011 ITECH 7215 Information Security 21

22. CRYPTOGRAPHIC VERIFICATION
1. Terminal verify card (INTERNAL AUTH)
• Terminal sends a random number to card to
be hashed or encrypted using a key.
• Card provides the hash or cyphertext.
2. Terminal can know that the card is authentic.
3. Card needs to verify (EXTERNAL AUTH)
• Terminal asks for a challenge and sends the
response to card to verify
• Card thus know that terminal is authentic.
4. Primarily for the “Entity Authentication”
12/13/2011 ITECH 7215 Information Security 22

23. BIOMETRIC MECHANISM
• Finger print identification.
Features of finger prints can be kept on the
card (even verified on the card)
• Photograph/IRIS pattern etc.
Such information is to be verified by a person.
The information can be stored in the card
securely.
12/13/2011 ITECH 7215 Information Security 23

24. DATA STORAGE
12/13/2011 ITECH 7215 Information Security 24

25. DATA STORAGE
• Data is stored in smart cards in EEPROM
• Card OS provides a file structure mechanism
• File types:
Binary file (unstructured)
Fixed size record file
Variable size record file MF
DF DF EF EF
DF EF
EF EF
12/13/2011 ITECH 7215 Information Security 25

26. ACCESSING FILES
• Applications may specify the access controls
• A password (PIN) on the MF selection e.g. SIM
password in mobiles
• Multiple passwords can be used and levels of security
access may be given
• Applications may also use cryptographic
authentication
12/13/2011 ITECH 7215 Information Security 26

27. SMART CARD TYPES
12/13/2011 ITECH 7215 Information Security 27

28. MAGNETIC STRIPE CARDS
Standard technology for bank cards, driver’s
licenses, library cards, and so on……
12/13/2011 ITECH 7215 Information Security 28

29. OPTICAL CARDS
• Uses a laser to read and write the card
• US Cards Contains:
• Photo ID
• Fingerprint
12/13/2011 ITECH 7215 Information Security 29

30. MEMORY CARDS
• Can store:
Financial Info
Personal Info
Specialized Info
• Cannot process Info
12/13/2011 ITECH 7215 Information Security 30

31. MICROPROCESSOR CARDS
• Has an integrated circuit chip
• Has the ability to:
• Store information
• Carry out local processing
• Perform Complex Calculations
12/13/2011 ITECH 7215 Information Security 31

32. USAGE/APPLICATIONS
12/13/2011 ITECH 7215 Information Security 32

33. SMART CARD USAGE
Commercial Applications
Banking/payment
Identification
Parking and toll collection
Universities use smart cards for ID purposes and at the
library, vending machines, copy machines, and other services on
campus.
EMV standard
Mobile Telecommunications
SIM cards used on cell phones
All GSM phones with smart cards
Contains mobile phone security, subscription information, phone
number on the network, billing information, and frequently called
numbers
12/13/2011 ITECH 7215 Information Security 33

34. SMART CARD USAGE
• Information Technology
• Secure logon and authentication of users to PCs and networks
• Encryption of sensitive data
• Other Applications
• Over 4 million small dish TV satellite receivers in the US use a
smart card as its removable security element and subscription
information.
• Pre-paid, reloadable telephone cards
• Health Care, stores the history of a patient
• Fast ticketing in public transport, parking, and road tolling in
many countries
• JAVA cards
12/13/2011 ITECH 7215 Information Security 34

35. OTHER SMART CARD
APPLICATIONS
12/13/2011 ITECH 7215 Information Security 35

36. SMART CARD APPLICATIONS
Retail
Sale of goods
Communication
GSM
using Electronic Purses,
Payphones
Credit / Debit
Vending machines
Loyalty programs
Tags & smart labels
Entertainment Transportation
– Pay-TV Public Traffic
– Public event access Parking
control Road Regulation
(ERP)
Car Protection
12/13/2011 ITECH 7215 Information Security 36

37. SMART CARD APPLICATIONS
Healthcare E-commerce
Insurance data sale of information
sale of products
Personal data
sale of tickets, reservations
Personal file
Government
Identification
E-banking
access to accounts
Passport
to do transactions
Driving license shares
12/13/2011 ITECH 7215 Information Security 37

38. SMART CARD APPLICATIONS
Educational facilities Office
Physical access Physical access
Network access Network access
Time registration
Personal data (results)
Secure e-mail & Web
Copiers, vending machines, applications
restaurants, ...
12/13/2011 ITECH 7215 Information Security 38

39. ADVANTAGES/DISADVANTAGES
12/13/2011 ITECH 7215 Information Security 39

40. ADVANTAGES
In comparison to it’s predecessor, the magnetic strip
card, smart cards have many advantages including:
• Life of a smart card is longer
• A single smart card can house multiple applications.
Just one card can be used as your
license, passport, credit card, ATM card, ID Card, etc.
• Smart cards cannot be easily replicated and are, as a
general rule much more secure than magnetic stripe
cards. it has relatively powerful processing capabilities
that allow it to do more than a magnetic stripe card
(e.g., data encryption).
• Data on a smart card can be protected against
unauthorized viewing. As a result of this confidential
data, PINs and passwords can be stored on a smart card.
This means, merchants do not have to go online every
time to authenticate a transaction.
12/13/2011 ITECH 7215 Information Security 40

41. DISADVANTAGES
• NOT tamper proof
• Can be lost/stolen
• Lack of user mobility – only possible if user has smart
card reader every he goes
• Has to use the same reader technology
• Can be expensive
• Working from PC – software based token will be
better
• No benefits to using a token on multiple PCs to using
a smart card
• Still working on bugs
12/13/2011 ITECH 7215 Information Security 41

42. FUTURE DEVELOPMENT
• Microprocessor Cards (Contactless Smart Card)
• Microprocessor Cards (Combi / Hybrid Cards)
Hybrid Card:
Has two chips: contact and contactless interface.
The two chips are not connected.
Combi Card:
Has a single chip with a contact and contactless interface.
Can access the same chip via a contact or contactless interface, with
a very high level of security.
12/13/2011 ITECH 7215 Information Security 42