A smart card is a card with an embedded integrated circuit chip whose contents can be altered by a microcontroller or a third-party device that can access the internal memory. The card connects to a card reader through physical contact or a wireless radio-frequency interface. The microchip in a smart card can store large amounts of data and carry out its own functions, such as encryption or mutual authentication. Smart card technology conforms to the international standards ISO/IEC 7816 and ISO/IEC 14443. It also comes in various forms, such as plastic cards, fobs, SIMs for GSM phones and USB dongles, in both contact and contactless variants.
History of Smart Cards
The proliferation of smart cards started in the USA in the early 1950s, when cheap plastic PVC material proved much more suitable for everyday use than the paper and cardboard cards previously used, which could not adequately withstand mechanical stresses and climatic effects.
One of the first all-plastic smart cards on the market was issued by Diners Club in 1950. It allowed an exclusive class of individuals to pay for goods with their 'good name' instead of cash. The entry of Visa and MasterCard led to a very rapid proliferation of credit cards in the market, starting in the USA, with European countries following in the next few years. In today's world, shoppers can shop without cash everywhere around the world without the hassle of currency exchange, and because these cards are so widely used, their holders are never at a loss for a means of payment.
The development of the smart card was made possible by the enormous progress in microelectronics in the 1970s, which made it possible to integrate data storage and processing logic on a single integrated circuit chip the size of a small finger. The idea of integrating a processing chip into an identification card was proposed and patented by the German inventors Jürgen Dethloff and Helmut Gröttrup as early as 1968. This was followed in 1970 by a similar patent by the Japanese inventor Kunitaka Arimura. However, the first real breakthrough in the technology was made by Roland Moreno of France in 1974. It was only then that the semiconductor industry was able to supply the necessary integrated circuits at acceptable prices. Even though the patents were all well protected, development was very difficult, and many technical problems had to be solved before the first prototypes, some of which required several integrated chips, could be transformed into reliable products that could be manufactured for the public in large quantities at reasonable cost. Since the basic inventions behind the smart card originated in France and Germany, it is not surprising that these countries played leading roles in developing and marketing the smart card.
The major breakthrough of the technology was achieved in 1984, when a French company called PTT (postal and telecommunications services agency) successfully carried out a field trial with telephone cards. In this field trial, smart cards immediately proved to meet all expectations with regard to high reliability and protection against manipulation. Significantly, this breakthrough for smart cards did not come in an area where traditional cards were already used, but in a new application. Introducing new technology in a new application has the great advantage that compatibility with existing systems does not have to be taken into account, so the capabilities of the new technology can be fully exploited.
In 1984, engineers in Germany conducted comparative tests of different card technologies: magnetic-stripe cards, optical-storage cards and smart cards. Smart cards proved to be the winners in this pilot study. Their advantages included a high degree of reliability, security against manipulation and the greatest degree of flexibility for future applications.
Further developments followed the successful trials of telephone cards, first in France and then in Germany, with breathtaking speed. By 1986, several million telephone smart cards were in circulation in France alone; the number rose to nearly 60 million in 1990 and to more than 300 million worldwide in 1997. Germany experienced similar progress, with a technology lag of 3 years behind France. Telephone cards with integrated chips are currently used in more than 50 countries.
The microprocessor card using EEPROM was first introduced in 1988 by the German Post Office as an authorization card for the analog mobile telephone network. The reason for introducing such cards was an increasing incidence of fraud with the magnetic-stripe cards used up to that time. This provided the foundation for the introduction of smart cards into the digital GSM network, which was put into service in 1991 in Europe.
The smart card proved to be an ideal medium, as it could safely store secret keys and execute cryptographic algorithms. In addition, smart cards are so small and easy to handle that everybody, everywhere, can use them in everyday life. It is thus natural for people to try to crack smart cards, and the security of a bank card must be at a much higher level than that of a normal smart card that carries no monetary value.
French banks were among the first to introduce bank cards in 1984, following a trial run of 60,000 cards from 1982. However, it took another 10 years before they integrated them with chips. German banks stepped in in 1985 with a multifunctional payment card with a chip; however, they did not manage to issue a specification for the integration of chips and thus failed to win consumers' trust. In 1996, multifunctional smart cards with POS (point-of-sale) functions, an electronic purse and optional value-added services were issued in all of Austria. This made Austria the first country to have a nationwide e-purse system.
In the USA, where the smart card has had a hard time picking up, it is beginning to establish itself. Visa experimented with a smart card purse payment system at the 1996 Olympic Summer Games in Atlanta. However, the problem of making secure but anonymous payments via the Internet has still not been solved in a satisfactory manner. Owing to this issue, several European countries have initiated the introduction of electronic signature systems after a legal basis for the use of electronic signatures was provided in 1999.
Besides being used for payment, telephone or healthcare purposes, smart cards have a high degree of functional flexibility, and they are particularly convenient and user-friendly.
Uses of Memory cards
The first smart cards in mass public use were memory cards for telephone applications. These prepaid cards store their balance in the chip inside the card, and the balance is reduced with each use.
However, this type of card is easily manipulated when it is a magnetic-stripe card: all a user has to do is record the data stored at the time of purchase and rewrite it to the magnetic stripe after using the card. This type of manipulation is known as 'buffering'. It can be prevented by using smart telephone cards with chips secured by security logic; the logic makes manipulation impossible and the reduction in value irreversible.
This type of smart card applies not only to telephone cards, but also wherever goods or products are purchased through 'cashless' means. Examples of possible uses include mass public transport, vending machines, cafeterias and car parks. The advantage of this type of card lies in the simplicity of its technology (the area of the chip is less than a few millimeters) and in its low cost. However, the disadvantage is that the card cannot be reused once the value is used up and must be discarded.
Another common application of the smart card is the German health insurance card, which has been issued since 1994 to every citizen enrolled in the plan. The patient's information is stored in the chip and laser-engraved onto the card. Using a data-storage chip makes the card machine-readable for authentication.
In short, these types of smart card have limited functionality, and their security logic makes it possible to protect privacy and guard against manipulation. They are usually used as prepaid cards or identification cards in low-cost environments.
Microprocessor cards were first used in the form of bank cards in France. Their ability to store private keys and execute modern cryptographic algorithms made it possible to implement highly secure offline payment systems.
Since the microprocessor has a limited capacity, its functionality is constrained by the memory available in the processor. However, it can be freely programmed as needed, and what is implemented in it is limited only by the designer's imagination.
Following a drastic reduction in the cost of smart cards in the early 1990s due to mass production, new applications have opened up every year. The use of smart cards with mobile telephones has been especially important for their international proliferation. After being successfully tested in Germany on the analog telephone system, smart cards were prescribed as the access medium for the European digital telephone system (GSM). Since this type of card is separate from the telephone, it opens new possibilities in marketing strategy: mobile operators or telephone sellers are still able to sell the telephone separately, without the smart card.
Possible applications for microprocessor cards include identification, access control systems for restricted areas, secure data storage, electronic signatures and electronic purses, as well as multifunctional cards with several applications in a single card. Most modern smart card systems also allow new applications to be installed on a card even after it has been issued to the user, without compromising its security. This new flexibility opens up completely new application areas. For example, personal security modules are indispensable if Internet commerce and payments are to be made trustworthy. Such security modules could securely store personal keys and execute high-performance cryptographic algorithms. These tasks can be performed in an elegant manner by a microprocessor with a cryptographic coprocessor. Specifications for secure Internet applications using smart cards are currently being developed throughout the world. Within a few years, we can expect to see every PC equipped with a smart-card interface.
In short, the main advantages of microprocessor smart cards are their large storage capacity, their ability to store confidential data under high security and their ability to execute cryptographic algorithms. This opens the door to a wide range of applications beyond the current ones. The potential of this card is by no means exhausted, and it keeps expanding with the present semiconductor industry.
Contactless cards are memory cards or microprocessor cards that transfer data without any electrical contact with the terminal. This type of card has achieved the status of a commercial product in the last few years and will keep it in the coming decades. Although a contactless card usually works within 1 centimeter of the terminal, it does not necessarily have to be held in the user's hand during use; it can remain in the user's purse.
Contactless cards are particularly suitable for a wide range of public applications and are very easy to deploy. Sample applications and uses include:
- Access control in private areas, be it company or apartment
- Public transportation
- Airline staff check-in/check-out
- Baggage identification
- Immigration identification
Despite its high-security preventive measures, this card could cause problems when used over a long distance, and such use should therefore be prevented. A typical example is the electronic purse, where a declaration of intent on the part of the cardholder is normally required to complete the transaction. This declaration confirms the amount of the payment and the customer's agreement to pay. It provides an opportunity for a con artist to remove money from the electronic purse without the knowledge of the cardholder after the user has confirmed the indicated amount using the keypad.
The best remedy is to offer a dual-interface card, which has both contact and contactless functionality in a single card. Such a card can communicate with the terminal via its contact or contactless interface, according to the user's preference.
Contactless smart cards are particularly common in public transportation, where the frequency and speed of passengers boarding and alighting from the bus determine the revenue of the transportation company.
Smart cards are covered by international ISO/IEC standards, which define the basic properties of smart cards. ISO stands for the International Organization for Standardization, while IEC stands for the International Electrotechnical Commission.
These 2 organizations cooperate where there would otherwise be duplication of effort: IEC covers the fields of electrical technology and electronics, while ISO covers all other fields. Combined working groups are formed to deal with themes of common interest, and these groups produce combined ISO/IEC standards. Smart cards belong to this category.
As seen in the table, there are 2 technical committees concerned with the standardization of smart cards: ISO TC68/SC6 is responsible for the standardization of cards used in the financial area, while ISO/IEC JTC1/SC17 is responsible for general applications.
After more than 20 years of standardization effort, the most important ISO standards for smart cards are now complete. These standards are based on prior ISO standards in the 7810, 7811, 7812 and 7813 families, which define the properties of identification cards in the ID-1 format. These standards include embossed and magnetic-stripe cards.
In the past few years, an increasing number of specifications have been put forward and published by industrial organizations, with no attempt being made to incorporate them into the standardization activities of ISO. This practice is due to the fact that the manner in which ISO operates is too slow to keep up with the fast-paced, short innovation cycles of the informatics and telecommunication industries. It is a major challenge for the future of ISO to devise a working practice that can safeguard the general interest without hampering the pace of innovation.
Types of Cards
Embossing is the oldest technique for adding machine-readable features to identification cards. It still exists in some third-world countries. The embossed characters, like the numbers embossed on present-day credit cards, can easily be read visually. The nature and location of the embossing are specified in the ISO 7811 standard ('Identification Cards - Recording Technique'). Some magnetic-stripe cards also carry embossed characters.
At first glance, transferring information by printing from embossed characters may appear quite simple; however, this simple technique has made the worldwide proliferation of credit cards possible. Exploiting this technology requires neither electrical energy nor a connection to a telephone network.
Magnetic-stripe cards are read by pulling them across a read head, either manually or automatically, with the data being read and stored electronically. No paper is required.
The magnetic stripe may contain up to 3 tracks. Tracks 1 and 2 are specified as read-only tracks, while track 3 may also be written to.
Although the storage capacity is only about 1000 bits, which is not very much, it is enough to store the information contained in the embossing. Any additional data, such as the most recent transaction data of a credit card, can be read from or written to track 3.
However, the main drawback of the technology is that the stored data can be altered very easily. Manipulating the characters on the card requires a certain amount of manual dexterity, and it can easily be detected by a trained eye. The data recorded on the stripe, by contrast, can easily be altered using a standard read/write device, and it is difficult to prove afterwards that the data has been altered. Adding to this vulnerability, magnetic-stripe cards are often used in automated terminals where visual inspection is not possible. A potential criminal who has retrieved valid card data can easily use duplicated cards in such unattended machines without having to forge the visual security features of the cards.
Manufacturers have developed various techniques to protect the data recorded on the stripes. German Eurocheque cards contain an invisible, unalterable code in the body of the card, which makes it impossible to alter or manipulate the data. However, this technology requires a special device in the terminal, which increases the cost.
The smart card is the newest and cleverest member of the identification card family. It features an integrated circuit embedded in the card, which allows it to perform multiple tasks such as transmitting, storing and processing data. The data can be transmitted either through contacts or contactlessly, taking advantage of electromagnetic fields.
Compared to magnetic-stripe cards, smart cards offer many times greater storage capacity. With more than 256kB of memory available, many more applications can be placed on a smart card than on a magnetic-stripe card. Besides being large, the stored data is also protected against unauthorized access and manipulation. Since the data can only be accessed through a serial interface that is controlled by the operating system and security logic, confidential data can be written to the card and stored in a manner that prevents it from ever being read from outside the card. Such confidential data can only be processed internally by the chip's processing unit.
This makes it possible to construct a variety of security mechanisms, which can also be adapted to the specific requirements of a particular application. Combined with the ability to compute cryptographic algorithms, this allows smart cards to be used to implement convenient security modules that users can carry at all times. Additional advantages of smart cards are their high level of reliability and their long life compared with magnetic-stripe cards, whose lifetime is limited to 1 or 2 years at most.
Smart cards can be divided into 2 groups, which differ in both functionality and price: memory cards and microprocessor cards.
Memory Smart Cards
The data needed by the application is stored in the EEPROM memory. Access to the memory is controlled by the security logic, which in the simplest case consists only of write protection or erase protection for the memory or certain memory regions. Data is transferred to and from the card via the I/O port, and some smart cards use the I2C bus, which is commonly used for serial-access memory.
The functions of a memory card are usually optimized for a specific application. Although this severely restricts the flexibility of the cards, it makes them quite inexpensive. Memory cards are typically used for prepaid telephone cards and health cards.
Data is transferred through this method:
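The following added example (not part of the original essay) models the two storage types discussed above: a rewritable magnetic stripe, and a memory card whose security logic write-protects one region and erase-protects the units region, so that replaying a recorded card image ('buffering') cannot restore spent value. The class names, region layout and card identifier are hypothetical and constructed for illustration; they do not describe any real chip.

```python
"""Constructed model: rewritable magnetic stripe vs. memory card security logic."""


class MagneticStripe:
    """Stored value with no access control: any read/write device can rewrite it."""

    def __init__(self, units: int):
        self.units = units

    def read(self) -> int:
        return self.units

    def write(self, units: int) -> None:
        self.units = units  # nothing checks the direction of the change


class ProtectedMemoryCard:
    """EEPROM behind security logic (hypothetical layout).

    id region    : write-protected after issuance, read-only.
    units region : one bit per unit of credit. A bit may be cleared (1 -> 0)
                   but never set again, i.e. the region is erase-protected.
    """

    def __init__(self, card_id: bytes, units: int):
        self._id = bytes(card_id)
        self._units = [1] * units  # 1 = unit still available

    def read_id(self) -> bytes:
        return self._id

    def write_id(self, data: bytes) -> None:
        raise PermissionError("id region is write-protected")

    def read_units(self) -> list:
        return list(self._units)

    def balance(self) -> int:
        return sum(self._units)

    def write_units(self, bits: list) -> None:
        """Every write to the units region passes through the security logic."""
        if len(bits) != len(self._units):
            raise ValueError("write must cover the whole units region")
        # Bitwise AND: a requested 1 over a stored 0 has no effect, so a
        # spent unit can never be restored from outside the card.
        self._units = [old & new for old, new in zip(self._units, bits)]

    def debit(self, n: int) -> None:
        if n > self.balance():
            raise ValueError("insufficient units")
        bits = self.read_units()
        cleared = 0
        for i, bit in enumerate(bits):
            if bit and cleared < n:
                bits[i] = 0
                cleared += 1
        self.write_units(bits)


def replay_on_stripe(initial: int, spend: int) -> int:
    """Record the stripe at purchase, spend, write the recording back."""
    card = MagneticStripe(initial)
    recorded = card.read()
    card.write(card.read() - spend)  # terminal debits the card
    card.write(recorded)             # recorded image is rewritten
    return card.read()


def replay_on_memory_card(initial: int, spend: int) -> int:
    """Same sequence against the erase-protected units region."""
    card = ProtectedMemoryCard(b"CONSTRUCTED-0001", initial)
    recorded = card.read_units()
    card.debit(spend)
    card.write_units(recorded)       # security logic ignores the 0 -> 1 requests
    return card.balance()


if __name__ == "__main__":
    print("stripe balance after replay:     ", replay_on_stripe(10, 4))
    print("memory card balance after replay:", replay_on_memory_card(10, 4))
```

The stripe returns to its full value after the replay, while the memory card keeps the reduced balance, which is why such cards are discarded rather than reloaded once empty.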
Microprocessor Smart Card
A microprocessor smart card acts like a normal home PC, with a CPU, memories such as ROM, EEPROM and RAM, and an I/O port.
In the microprocessor unit, the ROM stores the chip's operating system, which is 'burned in' when the chip is manufactured. The contents of the ROM cannot be changed once it has been produced. The EEPROM is the chip's non-volatile memory, to which data and program code are written and from which they are read under the control of the operating system. The RAM is the working memory for the processor and is volatile, so all the data stored in it is lost when the chip's power is switched off.
Microprocessor cards are very flexible in use. In the simplest case, they contain a program optimized for a single application, so they can only be used for that particular application. Modern operating systems, however, allow multiple applications to run at the same time. Recent technology breakthroughs even allow application programs to be loaded into a card after it has already been personalized and issued to the cardholder.
Contactless Smart Cards
Despite the success of the contact smart card on the market, it is still prone to some failures. Examples are wear and tear of the cards, contamination and, in mobile equipment, vibrations that can cause brief intermittent contacts. These affect the integrated circuit chip embedded in the card, and there is a risk that the chip may be damaged or destroyed by electrostatic discharge.
These technical problems are elegantly avoided by contactless smart cards. Without compromising on the technology of contact smart cards, contactless smart cards offer a range of new and attractive potential applications. For example, contactless cards do not have to be inserted into a card reader, which avoids friction on the card. This is a great advantage in access-control systems where a door has to be opened, since the access authorization of a person can be checked without requiring the card to be removed from a purse and inserted into a reader. Another example is public transport, where people can be identified in the shortest possible time.
The memory chip embedded in the card body uses inductive coupling, with a single coil for power and data transfer. With this technology, the terminal can both read and write data at a distance of up to 1m. The typical transaction time between the terminal and the card in this system is around 100ms, at a clock frequency of 13.56MHz.
Smart Cards in Singapore
Singapore recently introduced the NETS flashpay card, whose primary application is the NETS application. This card can be used to pay for goods with the convenience of contactless technology. It can be used for public transportation as well as for payment at participating outlets.
Another smart card is the magnetic stripe credit card that can be used for taking public transportation. It is a contactless magnetic stripe credit card with multiple functions, whether crediting your account or paying for mass transport, all with the convenience of a single card.
Case Study of the Smart Card and Its Security Measure
2009 NETS flashpay (Singapore)
The NETS flashpay is a new-generation contactless, multipurpose stored-value CashCard that can be used for daily purchases of products or goods. On top of its main application, which is NETS, it is also a card that you can use for taking public transport. That said, contactless cards have some security weaknesses that make them prone to attacks.
Most known successful attacks on smart cards have been at the logical level. These attacks arise from pure mental reflection or computation. This category includes classical cryptanalysis, as well as attacks that exploit known faults in smart card operating systems.
Attacks can be divided into passive and active types. In a passive attack, the attacker analyzes the ciphertext or cryptographic protocol without modifying it, and may, for example, make measurements on the semiconductor device. In an active attack, by contrast, the attacker manipulates the data transmission process or the microcontroller.
Modern smart cards are attacked at the physical level, which normally takes a large amount of technical effort. Depending on the attack scenario, the equipment required may include a microscope, a laser cutter, micromanipulators, focused ion beams, chemical etching equipment and very fast computers for analyzing, logging and evaluating the electrical processes in the chip. This equipment and the knowledge of how to use it are available to only a few specialists and organizations, which strongly reduces the probability of an attack at the physical level.
Nevertheless, a card or semiconductor manufacturer must assume that a potential attacker could employ the devices and equipment necessary for such an attack, which means that suitable protection must be built into the hardware. In order to conduct an attack at the physical level, a few preliminary steps are necessary. The first thing that has to be done is to remove the module from the card, which can easily be done using a sharp knife. After this, the epoxy resin must be removed from the chip.
Anderson and Kuhn used fuming nitric acid for this with an infrared lamp as a heat source, followed by an acetone rinse to clean the chip. After this, the semiconductor chip is free and still fully operational. Many people think that the chip now lies unprotected before them and only has to be 'read out', but this is by no means so. An attacker still has to work through a multitude of security measures before he can gain access to the secrets. The protective measures in the hardware can be divided into passive and active components. The passive components are based directly on the techniques used in semiconductor manufacturing. They include all processes and options that can be used to protect the memory region and the other functional parts of the microcontroller against various types of analysis. There is a full spectrum of active components available on a silicon chip to complement the passive possibilities offered by the semiconductor technology.
Active protection means the integration of various types of sensors into the silicon crystal. These sensors are queried and evaluated by the smart card software as needed. This is naturally only possible when the chip is fully powered and operational. A chip without electrical power cannot measure any sensor signals, let alone evaluate them. Sometimes the boundary between useful protective components and technical gadgetry is particularly narrow where sensors are concerned.
A light-sensitive sensor that is supposed to prevent optical analysis of the memory will not respond if the chip is located on the object carrier of an optical microscope without power or a clock signal. In addition, it is very easy to visually identify such a sensor on the chip surface and cover it with a drop of black ink, so its protective function can easily be neutralized even when the chip is operating. However, this can be countered by distributing a large number of light sensors over the entire chip. Long-term functional security is also an important consideration.
A response to a brief but non-damaging overheating of the chip makes absolutely no contribution to increased functional security or security against an attack. Consequently, most smart card microcontrollers employ only a few sensors. In the following descriptions, we explain the protective mechanisms of smart card microcontrollers that are the most important and the most often used in practice.
By now, we understand how secure the smart card system is, and we can look forward to it over the next few decades. Whether for biometrics or for taking transport, we should expect our lives to be much easier and our wallets lighter. We should expect a single all-in-1 card that contains your private information, from your credit balance to access to your company compound. Frequent travelers would no longer need to go through the hassle of checking in and out in long queues, and the SIM card will automatically retrieve your personal information and enter it into your hand phone. Everything will be seamless and contactless, and as the semiconductor industry grows, we will be able to install more and more applications on our smart cards.