Aim of my ppt is to just give you a brief idea about the smart card technology being one of the best steps towards the advancement of science and technology,making our life faster and obviously easier.
Smart Cards Future Life……… Santosh Khadsare
Aim of my ppt is to just give you a briefidea about the smart card technologybeing one of the best steps towards theadvancement of science and technology ,making our life faster and obviouslyeasier.
Plastic Cards Visual identity application Plain plastic card is enough Magnetic strip (e.g. credit cards) Visual data also available in machine readable form No security of data Electronic memory cards Machine readable data Some security (vendor specific)
What is a Smart Card? A Smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, cash payments , and other applications, and then periodically refreshed for additional use.
History70’sSmart Card First Patent in Germany and later in France and Japan.80’sMass usage in Pay Phones and Debit Cards.90’sSmart Card based Mobiles Chips & Sim Cards.
History2000’sPayment and Ticketing ApplicationsCredit cards, Mass transit (Smartrip)Healthcare and IdentificationInsurance information, Drivers license
Dimensions of smart card.85.6mm x 53.98mm x 0.76mm(defined by ISO 7816)
Why use smart cards? Can store currently up to 7000 times more data than a magnetic stripe card. Information that is stored on the card can be updated. Magnetic stripe cards are vulnerable to many types of fraud. Lost/Stolen Cards Skimming Carding/ Phishing Greatly enhances security by communicating with card readers using PKI algorithms. A single card can be used for multiple applications (cash, identification, building access, etc.) Smart cards provide a 3-fold approach to authentic identification: • Pin • Smartcard • Biometrics
Card ElementsMagnetic Stripe Logo Chip Hologram Embossing (Card Number / Name / Validity, etc.)
What’s in a Card? CL RST K VccRFUGNDRFU Vpp I/O Varun Arora | firstname.lastname@example.org | www.varunarora.in
Electrical signals descriptionVCC : Power supply inputRST : Either used itself (reset signal supplied from theinterface device) or in combination with an internalreset control circuit (optional use by the card) .CLK : Clocking or timing signal (optional use by thecard). Fig : A smart card pin outGND : Ground (reference voltage).VPP : Programming voltage input (deprecated / optional use by the card).I/O : Input or Output for serial data to the integrated circuit inside the card.AUX1(C4): Auxilliary contact; USB devices: D+AUX2(C8) : Auxilliary contact; USB devices: D-
CARD STRUCTURE Out of the eight contacts only six are used. Vcc is the supply voltage, Vss is the ground reference voltage against which the Vcc potential is measured, Vpp connector is used for the high voltage signal,chip receives commands & interchanges data.
Typical Configurations 256 bytes to 4KB RAM. 8KB to 32KB ROM. 1KB to 32KB EEPROM. 8-bit to 16-bit CPU. 8051 based designs are common.
Smart Card Readers Computer based readers Connect through USB or COM (Serial) portsDedicated terminalsUsually with a small screen, keypad, printer,often also have biometric devices such as thumbprint scanner.
Terminal/PC Card Interaction The terminal/PC sends commands to the card (through the serial line). The card executes the command and sends back the reply. The terminal/PC cannot directly access memory of the card so data in the card is protected from unauthorized access. This is what makes the card smart.
Why Smart Cards? Security: Data and codes on the card are encrypted by the chip maker. The Smart Card’s circuit chip almost impossible to forge. Trust: Minimal human interaction. Portability. Less Paper work: Eco-Friendly
Two Types of Chips Memory chip Microprocessor Acts as a small floppy Can add, delete, and disk with optional manipulate its memory. security Acts as a miniature Are inexpensive computer that includes an Offer little security operating system, hard features disk, and input/output ports. Provides more security and memory and can even download applications.
From 1 billion to 4 billion units in 10 years… Worldwide smart card shipments 4500 4285 4000 3580 3500 Microprocessor cards Millions of units Memory cards 3000 2500 3325 2655 2000 1500 1000 500 925 960 925 960 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
Smart Cards in everyday life… Loyalty Transport Ticketing Payment Health cardSmart Poster Communication
Contact Smart Cards Requires insertion into a smart card reader with a direct connection This physical contact allows for transmission of commands, data, and card status to take place
Contactless Smart Cards Require only close proximity to a reader Both the reader and card have antennas through which the two communicate Ideal for applications that require very fast card interfaces
ISO 14443. International standard. Deals – only contactless smart cards. Defines:-a. Interface.b. Radio frequency interface.c. Electrical interface.d. Operating distance.Etc…..
Dual interface smart cards. Also called Combi card. Has a single chip over it. Has both contact as well as contactless interfaces. We can use the same chip using either contact or contactless interface with a high level of security.
Categories of Smart CardsBased on the type of IC chipembedded on the Smart Card.They are categorized into three types :- IC Micro Processor Cards IC Memory Cards Optical Memory Cards
Key AttributesSecurity to make the Digital Life safe and enjoyableEase of Use to enable all of us to access to the Digital WorldPrivacy to respect each individual’s freedom and intimacy E SAF
Biometric techniques Finger print identification. Features of finger prints can be kept on the card (even verified on the card) Photograph/IRIS pattern etc. Such information is to be verified by a person. The information can be stored in the card securely
Smart Card Readers Dedicated terminals Computer based readers Usually with a small Connect through USB or screen, keypad, printer, COM (Serial) ports often also have biometric devices such as thumb print scanner.
Terminal/PC Card Interaction The terminal/PC sends commands to the card (through the serial line). The card executes the command and sends back the reply. The terminal/PC cannot directly access memory of the card data in the card is protected from unauthorized access. This is what makes the card smart.
Communication mechanisms Communication between smart card and reader is standardized ISO 7816 standard Commands are initiated by the terminal Interpreted by the card OS Card state is updated Response is given by the card. Commands have the following structure CLA INS P1 P2 Lc 1..Lc Le Response from the card include 1..Le bytes followed by Response Code
Security Mechanisms Password Card holder’s protection Cryptographic challenge Response Entity authentication Biometric information Person’s identification A combination of one or more
Password Verification Terminal asks the user to provide a password. Password is sent to Card for verification. Scheme can be used to permit user authentication. Not a person identification scheme Varun Arora | email@example.com | www.varunarora.in
Cryptographic verification Terminal verify card (INTERNAL AUTH) Terminal sends a random number to card to be hashed or encrypted using a key. Card provides the hash or cyphertext. Terminal can know that the card is authentic. Card needs to verify (EXTERNAL AUTH) Terminal asks for a challenge and sends the response to card to verify Card thus know that terminal is authentic. Primarily for the “Entity Authentication” Varun Arora | firstname.lastname@example.org | www.varunarora.in
Biometric techniques Finger print identification. Features of finger prints can be kept on the card (even verified on the card) Photograph/IRIS pattern etc. Such information is to be verified by a person. The information can be stored in the card securely.
Data storage Data is stored in smart cards in E2PROM Card OS provides a file structure mechanism MF File types Binary file (unstructured) DF DF EF EF Fixed size record file DF EF Variable size record file EF EF
File Naming and Selection Each files has a 2 byte file ID and an optional 5-bit SFID (both unique within a DF). DFs may optionally have (globally unique) 16 byte name. OS keeps tack of a current DF and a current EF. Current DF or EF can be changed using SELECT FILE command. Target file specified as either: DF name File ID SFID(Short File Identifier, 1 byte) Relative or absolute path (sequence of File IDs). Parent DF
Basic File Related Commands Commands for file creation, deletion etc., File size and security attributes specified at creation time. Commands for reading, writing, appending records, updating etc. Commands work on the current EF. Execution only if security conditions are met. Each file has a life cycle status indicator (LCSI), one of: created, initialized, activated, deactivated, terminated.
Access control on the files Applications may specify the access controls A password (PIN) on the MF selection For example SIM password in mobiles Multiple passwords can be used and levels of security access may be given Applications may also use cryptographic authentication
An example scenario (institute ID card) What happens ifFree user Read: the Select: P2 forgets his upon verification Write: requirements: Security password? verification EF1 (personal data) by K1, K2 or K3 EF1: Solution1: Add supervisor Name: Varun Arora PF/Roll: 13 passwordbe modified only by Should MF Read: Free the DOSA/DOFA/Registrar Solution2: Allow EF2 (Address) Write: Password DOSA/DOFA/Registrar to Readable to all (P1) #320, MSc (off) modifyVerification EF3 475, SICSR (Res) EF2: Solution3: Allow both to Card holder should be able happen to modifyEF3 (password) EF4 (keys)EF3 (password) K1 (DOSA’s key)P1 (User password) Read: NeverP1 (User password) K2 (DOFA’s key)P2 (sys password) Write: Once K3 (Registrar’s key) Read: Never Write: Password Verification (P1)
An example scenario (institute ID card) EF1 (personal data) Library manages its own keys in EF3 EF2 (Address) under DF1 MF EF3 (password) Institute manages its EF4 (keys) keys and data under Modifiable: By admin DF1 (Lib) MF staff. Read: all EF2 (Privilege info) Thus library canEF1 (Issue record) Max Duration: 20 days develop applications Max Books: 10 independent of theBk# dt issue dt retn Reserve Collection: Yes rest. Keys EF3:Bk# dt issue dt retn K1: Issue staff key K2: Admin staff keyBk# dt issue dt retn Modifiable: By issueBk# dt issue dt retn staff. Read all
How does it all work?Card is inserted in the terminal Card gets power. OS boots up. Sends ATR (Answer to reset)ATR negotiations take place toset up data transfer speeds,capability negotiations etc.Terminal sends first command to Card responds with an errorselect MF (because MF selection is only on password presentation)Terminal prompts the user toprovide passwordTerminal sends password for Card verifies P2. Stores a statusverification “P2 Verified”. Responds “OK”Terminal sends command to Card responds “OK”select MF again Card supplies personal data and responds “OK”Terminal sends command to read EF1
So many Smart Cards with us at all times….. In our GSM phone (the SIM card) Inside our Wallets Credit/Debit cards HealthCare cards Loyalty cards Our corporate badge Our Passport Our e-Banking OTP … and the list keeps growing
Our Industries Is rapidly changing Interactive billboards Transports New solutions leveraging on mobile contactless services eTicketing Retail
Banking and financeElectronic purse to replace coins for small purchases in vendingmachines .Credit and debit cardsSecuring payments across the internet
Smart card Pay phones Outside of the United States there is a widespread use of payphones phone company does not have to collect coins the users do not have to have coins or remember long access numbers and PIN codes The risk of vandalism is very low since these payphones are smart card-based. “Generally, a phone is attacked if there is some money inside it, as in the case of coin-based payphone
Transportation Driver’s license Mass transit fare collection system Electronic toll collection system
It’s no longer only «Cards»e-Passport: the first Smart Secure Device 45 Millions e-Passport in 2009
E Governance As the amount of business and holiday travel increases security continues to be a top concern for governments worldwide. When fully implemented smart passport solutions help to reduce fraud and forgery of travel documents. Enhanced security for travellers Philips launched such a project with the US in 2004.
Student id card All-purpose student ID card (a/k/a campus card), containing a variety of applications such as electronic purse (for vending machines, laundry machines, library card, and meal card).
Threats in Using Smart Cardsfailure rateprobability of breaking: keeping in wallets maydamage the chip on the card.malware attacks: active malwares on systemsmay result in modifying the transactions.
OS Based Classification Smart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being: 1. MultOS 2. JavaCard 3. Cyberflex 4. StarCOS 5. MFC Smart Card Operating Systems or SCOS as they are commonly called, are placed on the ROM and usually occupy lesser than 16 KB. SCOS handle: • File Handling and Manipulation. • Memory Management • Data Transmission Protocols.
ADVANTAGES Proven to be more reliable than the magnetic stripe card. Can store up to thousands of times of the information than the magnetic stripe card. Reduces tampering and counterfeiting through high security mechanisms such as advanced encryption and biometrics. Can be disposable or reusable. Performs multiple functions. Has wide range of applications (e.g., banking, transportation, healthcare...) Compatible with portable electronics (e.g., PCs, telephones...) Evolves rapidly applying semi-conductor technology
DisadvantagesSmart cards used for client-side identification andauthentication are the most secure way for eg. internet bankingapplications, but the security is never 100% sure.In the example of internet banking, if the PC is infected withany kind of malware, the security model is broken. Malwarecan override the communication (both input via keyboard andoutput via application screen) between the user and theinternet banking application (eg. browser). This would result inmodifying transactions by the malware and unnoticed by theuser. There is malware in the wild with this capability (eg.Trojan. Silentbanker).
Remedies…Banks like Fortis and Dexia in Belgium combine a Smart card with an unconnected card reader toavoid this problem. The customer enters a challenge received from the banks website, his PIN andthe transaction amount into the card reader, the card reader returns an 8-digit signature. Thissignature is manually copied to the PC and verified by the bank. This method prevents malware fromchanging the transaction amount.
Future Aspects Soon it will be possible to access the data in Smart cards by the use of Biometrics. Smart card Readers can be built into future computers or peripheralswhich will enable the users to pay for goods purchased on the internet. In the near future, the multifunctional smart card will replace thetraditional magnetic swipe card. Smart Card is not only a data store, but also a programmable, portable,tamper resistant memory storage.
By 2020 …20 Billion Smart Secure Devices>4 Billion Mobile Appliances users>4 Billion e-ID documents in use
Conclusion: Conclusion… • Smart Cards will evolve into a broader family of Devices• Smart Cards will evolve into a broaderfamily of Devices • More new shapes for new applications • More new shapes for new applications • Embedded software attributes » • Our virtual « digital personaland ultra-embedded nanotechnologies •• The only mistake andavoid for our Industry is to entertain an endless Embedded software to ultra-embedded nanotechnologies debate about fears. • We will build the best solutions Industry is to entertain an enjoy• The only mistake to avoid for our and the best value for people to endlessdebate many new services about fears. •• Education … moresolutions and the best value for people to enjoy many new We will build the best Education services • Preparing people to use those Smart Secure Devices is as important as • Political ownership how communication will be key to success teaching them and to read and write• Education … more Education • Preparing people to use those Smart Secure Devices is as important as teaching them how to read and write
Conclusion:• Smart Cards will evolve into a broader family of Devices • More new shapes for new applications • Our virtual « digital personal attributes » • Embedded software and ultra-embedded nanotechnologies• The only mistake to avoid for our Industry is to entertain anendless debate about fears. • We will build the best solutions and the best value for people to enjoy many new services • Political ownership and communication will be key to success• Education … more Education • Preparing people to use those Smart Secure Devices is as important as teaching them how to read and write
Security of Smart Cards Public Key Infrastructure (PKI) algorithms such as DES, 3DES, RSA and ECC. Key pair generation. Variable timing/clock fluctuation. 0.6 micron components. Data stored on the card is encrypted. Pin Blocking.
Elliptical Curve Cryptography y²=x³+ax+b Q(x,y) =kP(x,y) Uses point multiplication to compute and ECDLP to crack. Beneficial for portable devices. Cryptographic coprocessors can be added to speed up encryption and decryption.
CAIN Confidentiality is obtained by the encryption of the information on the card. Authenticity is gained by using the PKI algorithm and the two/three factor authentication. Integrity is maintained through error-checking and enhanced firmware. Repudiation is lower because each transaction is authenticated and recorded.
Common and Future Uses of Smart Cards Current uses: Chicago Transit Card Speed Pass Amex Blue Card Phone Cards University ID cards Health-care cards Access to high level government facilities. Future uses: Federally Passed Real-ID act of 2005. ePassports
Data Structure Data on Smart Cards is organized into a tree hierarchy. This has one master file (MF or root) which contains several elementary files (EF) and several dedicated files (DF). DFs and MF correspond to directories and EFs correspond to files, analogous to the hierarchy in any common OS for PCs.
Data Structure However, these two hierarchies differ in that DFs can also contain data. DFs, EFs and MFs header contains security attributes resembling user rights associated with a file/directory in a common OS. Any application can traverse the file tree, but it can only move to a node if it has the appropriate rights. The PIN is also stored in an EF but only the card has access permission to this file.