Smart cards are being used extensively


I. Abstract

Smart cards are used extensively these days, and their importance is increasing. Cards are getting smarter by the day: one card can do it all, paying bank bills, serving as an access card at work, hosting mobile applications, and so on. Applications on smart cards range from banking to mobile and other personal applications, and they can contain very sensitive information. Though these cards have small memories, they are a prime target for attackers because the memories contain important cryptographic information such as keys and PINs. These memories are therefore subject to many attacks, and their protection is very important.

The use of memories in smart cards has introduced several security problems. Memories have been attacked in several ways, including fault insertion and power profile analysis. It is a proven fact that the contents of the ROM can be deduced using a microscope. Light and eddy currents on silicon can introduce faults that reveal important information.

This survey paper is a one-stop shop that introduces the published attacks targeting the memories of smart cards and the various countermeasures that deal with them. Such a survey is needed because attackers will go to any length to reveal information that is valuable; we must therefore be aware of all the possible attacks in order to improve the security of smart cards.

II. Introduction to Smart cards

The history of smart cards goes back to 1970, when they were first introduced in Japan. The idea was then patented in Europe in 1974; to date several billion smart cards have been sold around the world []. Smart cards are also often called chip cards or integrated circuit (IC) cards. The first smart cards were microprocessor based: the main component was a microprocessor. As technology developed, smart cards grew smarter, and new components were added to the existing architecture, such as EEPROM, additional RAM for better performance, and cryptographic modules to perform encryption and decryption. Over the years, the structure of a smart card came to include more and more components aimed at better capabilities and capacity. The number and variety of its applications increased at the same time.

A. Architecture of Smart Cards

Today the architecture of smart cards is as shown in figure 1. They have several modules: a 32-bit CPU core, 8K EEPROM, a co-processor for cryptographic calculations (such as a 1088-bit modular arithmetic processor), hardware Data Encryption Standard and Advanced Encryption Standard engines, a random number generator, and sensors to prevent intrusion attacks by fault injection.

B. Security criteria of Smart Cards

Smart cards need to satisfy the following criteria to meet the minimum security requirements: privacy, i.e. only authorized users can view data; integrity, i.e. data stored on the card is protected against alteration; and authenticity, i.e. the individual is who they claim to be.

Basic properties of smart cards:

A smart card must provide confidentiality, user identification, secure software execution, secure storage, secure external access, secure content and secure data communication, and must be tamper resistant.

The above are the basic and essential properties that a smart card must provide in order to be considered secure.

C. Metrics for classification of attacks

In this paper we classify the attacks on memories of smart cards based on a few defined metrics. The smart card standard ISO 7816 classifies attacks on smart cards. In [1], the following taxonomy of attackers is introduced:

Class I (clever outsiders): They are often very intelligent but may have insufficient knowledge of the system. They may have access to only moderately sophisticated equipment. They often try and take advantage of an existing weakness in the system, rather than try and create one.

Class II (knowledgeable insiders): They have substantial specialized technical education and experience. They have varying degrees of understanding of parts of the system but potential access to most of it. They often have highly sophisticated tools and instruments for analysis.

Class III (funded organizations): They are able to assemble teams of specialists with related and complementary skills backed by great funding resources. They are capable of in-depth analysis of the system, designing sophisticated attacks, and using the most advanced analysis tools. They may use Class II adversaries as part of the attack team.

Other metrics for classifying attacks are the estimated cost and the severity of the attack.

III. Existing Memory Technologies

There are several existing memory technologies; each varies with the requirements and the application. Some of their characteristics are memory size, access time, access technology and replacement policy. It is necessary to understand the memory technologies in order to find the loopholes and see things from the attacker's perspective.

Most LSI (large-scale integrated circuit) devices and memories use the MOSFET (metal oxide semiconductor field-effect transistor). There are two types of MOSFET: n-channel and p-channel. In the first type, the current flow is dominated by electrons while holes dominate in p-channel type. In most common circuits, they are usually combined in order to take advantage of their different characteristics in the form of complementary MOS (CMOS) [1].

N-channel MOSFET: Current flow is dominated by electrons. Fig 2 represents an n-channel MOSFET, where G is the gate, D the drain and S the source.

P-channel MOSFET: Current flow is dominated by holes. Fig 3 represents a p-channel MOSFET.

Memories can be classified in three main classes:

  • Read Write Memories (RWM).
  • Non Volatile Read Write Memories (NVRWM).
  • Read Only Memory (ROM).


A. ROM

ROMs are mass-produced, as they are the simplest of the existing semiconductor memories. The smart card operating system uses them to store constants and instructions. In a classical ROM only one word line can be high at a time. For instance, in figure 3 [1], if R1 goes high, the columns C1, C3 and C5 are pulled low. The transistors in the upper part of figure 2 are long-L pull-ups. Column lines C2 and C4 are pulled high through the long-L MOSFETs. The information stored in memory is usually unknown at production time. Each memory array is built with n-channel MOSFETs at every intersection of a row and a column. We can program the memory by cutting the connection between the drain of the FET and the column line.

B. DRAM [1][]

Dynamic random access memory (DRAM) is a type of random access memory that stores each bit of data in a separate capacitor within an integrated circuit. Since real capacitors leak charge, the information eventually fades unless the capacitor charge is refreshed periodically. Because of this refresh requirement, it is a dynamic memory as opposed to SRAM and other static memory. The three-transistor cell shown in Fig. 5 is enabled by the write-word line and the read-word line. The cell is written to by placing the appropriate data value on BL1 and raising the WWL. When reading, BL2 is pre-charged to a load device to VDD or VDD - VT. The series connection of M2 and M3 pulls BL2 low when a 1 is stored on the capacitance; BL2 remains high in the opposite case.

The advantage of DRAM is its structural simplicity: only one transistor and a capacitor are required per bit, compared to four transistors in SRAM. This allows DRAM to reach very high density, but it is more sensitive to noise. Unlike flash memory, it is volatile, since it loses its data when the power supply is removed. DRAM is presently not used in smart cards. Static RAM is used instead, mainly because it allows a power-saving mode when the CPU goes to sleep; this is not possible with DRAM because of the constant need to refresh.

C. SRAM [][]

Static Random Access Memory (SRAM) is a type of semiconductor memory where the word static indicates that, unlike dynamic RAM (DRAM), it does not need to be periodically refreshed, as SRAM uses bi-stable latching circuitry to store each bit. SRAM exhibits data remanence, but is still volatile in the conventional sense that data is eventually lost when the memory is not powered.

The static RAM (SRAM) cell is shown in Fig. 9. It requires six transistors. The word line enables access to the cell by controlling the two pass-transistors M5 and M6. In contrast to the ROM cells, two bit lines transferring the stored signal and its inverse are required. Although providing both polarities is not a necessity, doing so improves the noise margins during read and write operations. During read accesses, the bit lines are actively driven high and low by the inverters in the SRAM cell.

One of the issues faced by the SRAM cell is data remanence, which is discussed later in this paper. Another is the larger area due to its six transistors.

D. EPROM [][]

EPROMs make programming the ROM much easier. An EPROM, or erasable programmable read only memory, is a type of memory chip that retains its data when its power supply is switched off. In other words, it is non-volatile. It is an array of floating-gate transistors individually programmed by an electronic device that supplies higher voltages than those normally used in digital circuits. Once programmed, an EPROM can be erased only by exposing it to strong ultraviolet light. That UV light usually has a wavelength of 253.7 nm (for optimum erasure time) and belongs to the UVC range of UV light. EPROMs are easily recognizable by the transparent fused quartz window in the top of the package, through which the silicon chip is visible, and which permits exposure to UV light during erasing.

E. EEPROM and FLASH [][]

With an on-chip voltage generator it is possible to create the large voltage needed to program the EEPROM memory cell. The gate oxide of an EEPROM is thinner than the one used in an EPROM. The result is a tunnel effect (Fowler-Nordheim tunneling) between the substrate and the polysilicon. This mechanism permits driving current in both directions. FLASH memory is based on the two technologies. FLASH memory is programmed as EEPROM. Electrons are used to accumulate charge on the polysilicon. The structures of FLASH and EEPROM are very close except for the oxide thickness. The main difference is that FLASH memory is programmed using hot electrons and erased using Fowler-Nordheim tunneling. All data and passwords on a card are stored in the EEPROM and can be erased or modified by an unusual voltage supply. Some security processors therefore implement sensors for environmental changes. Other successful attack methods include heating the controller to a high temperature or focusing UV light on the EEPROM, thus removing the security lock. Invasive physical attacks, in which the card is cut and the processor removed, are the most destructive. The layout of the chip can then be reverse engineered [].

IV. Possible attacks on smart card memories along with countermeasures.

Smart card memories are small, both in capacity as well as in physical size; they are subject to many disruptions from attackers or from an inattentive user. We need to be aware of all the possible disruptions and attacks as well as the countermeasures to be able to stop such attacks. Before declaring a card as valid, we need to subject the card to a variety of tests. These tests range from deliberately trying to inject a fault into smart memory, to application of high intensity of static electricity to try and damage the memory. We need to ensure that smart cards are resistant to such attacks. Present smart cards are well equipped to counter these types of attacks.

A. Previous attacks

Bellcore attack: In September 1996, Boneh, DeMillo and Lipton from Bellcore (presently Telcordia) announced a new type of cryptanalytic attack against RSA-like public key cryptosystems on tamperproof devices such as smart cards []. Bellcore proposed various threat models for breaking cryptographic schemes through hardware fault insertion. The attack was a Class III attack. In [] we learn that a fault attack is basically used to change the value of a variable in a smart card algorithm.

The most common enhancement of RSA signing is the use of the Chinese remainder theorem (CRT). Most smart cards employ CRT-RSA rather than plain RSA, as CRT-RSA provides a speed-up of 4. CRT-RSA, however, is particularly susceptible to fault attacks. In the Bellcore attack [], the attacker reveals the secret factorization of the RSA modulus N by introducing a single fault, resulting in a signature that is correct modulo one of the secret prime factors of N but faulty modulo the other []. This attack is particularly devastating because the type of fault induced is irrelevant.


In [] the authors present a mathematical model as a countermeasure to Bellcore attacks on RSA. Several other countermeasures have been proposed, such as:

  • Compute the signature twice and compare the two results. This was proposed by Shamir and can detect a fault during computation.
  • Verify the result with the public key before it is output.
  • Both these schemes add computation overhead.
  • Shamir (in []) proposes a software countermeasure that checks intermediate results modulo a small integer.
  • Smart card certification authorities, however, require that a smart card implement a pure RSA signature algorithm rather than variants like CRT-RSA, which is vulnerable to fault attacks.
  • In [] we see a new CRT-RSA algorithm that is secure against Bellcore attacks. This algorithm can be adopted as a countermeasure to such attacks.

Dallas Attack []:

In [] Anderson and Kuhn present a protocol attack on a Dallas Semiconductor microcontroller (8051 compatible) that was used in numerous transaction terminals and pay-TV access control systems. This system has a unique key for each device along with a self-destruct alarm. The bus structure can be represented as below, i.e. a pseudo-random instruction is under execution when the CPU is idle. This concept is known as bus encryption.

Two block ciphers are used for bus encryption:

  • Encryption of 16-bit address blocks.
  • Encryption of 8-bit data blocks; the key for this encryption is salted with the address of the byte being encrypted.

Anderson and Kuhn proposed a simple Class I attack on this Dallas Semiconductor device. All that is needed to perform this attack is a logic analyzer, a computer and a special read-out circuit. Figure 10 shows the step-by-step analysis of this attack. Step 1 is to feed the CPU with an instruction chosen by the attacker, whose output the attacker knows. The second step is to use the special read-out circuit to replace with 2^16 combinations of cipher text before a CPU fetch operation is performed. This process reveals the cipher text, thus revealing the data bus decryption function at the address. Following steps 3 and 4 as shown in figure 10, we can reveal the data decryption function for one address and the data encryption function for a list of addresses. Finally, we can send machine instructions directly to the CPU and gain access to any memory location we wish by dumping it at port 90h, a parallel port that is read by the special read-out hardware. This was a fairly simple attack, and it is proof that even bus-encryption-based systems can be broken. There is an endless competition between security architects and attackers. Only by performing the attacks can we come up with countermeasures and hence produce more secure systems.

B. Fault insertion attack

In [] fault attacks have been classified into 5 different fault models; each has been represented mathematically.

Preventing Fault-Based Cryptanalysis

Fault-based cryptanalysis can exploit inherent faults, created faults (for example, faults created by a subtle, non-invasive influence on chip-level calculations), or faults planted at the chip level during design and/or manufacturing.

The designers of security systems and components can defend those systems and components against fault-based cryptanalysis by taking certain steps. Among these are the following:

  1. Protect authentication schemes. In "On the Importance of Checking Computations," one of the attacks on authentication schemes relies on a fault in the internal memory of the device. The device should be able to detect and correct its own fault.
  2. Protect signature schemes. RSA algorithms are used to make sure that the sender of a digital message is who he or she claims to be. The algorithm uses the sender's private key to compute a short file, which then becomes the digital signature for the transmission. The attack under discussion here exploits a fault that might occur while the signature is being computed. Signature verification -- checking the signature before the message is sent -- can overcome this attack.
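
The CRT-RSA fault described under the Bellcore attack in section A, together with the signature check in item 2 above, as an added example that is not part of the original essay. The primes, exponent and message are constructed toy values, the fault is modelled as a single flipped bit in one CRT half, and the names sign_crt, exposed_factor and sign_checked are hypothetical.

```python
"""CRT-RSA with and without an output check (added example, toy key)."""
from math import gcd

# Constructed toy key built from two Mersenne primes; far too small for real use.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
Q_INV = pow(Q, -1, P)               # Garner coefficient


def sign_crt(m, fault_in_q_half=False):
    """Unprotected CRT-RSA signature; optionally model one flipped bit."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q_half:
        sq ^= 1                      # modelled fault: any wrong value acts the same
    h = (Q_INV * (sp - sq)) % P      # Garner recombination
    return sq + Q * h


def exposed_factor(m, s):
    """What a released signature s on m gives away: gcd(s^E - m, N).

    Returns N (nothing useful) for a correct signature, and a prime factor
    when s is correct modulo one prime only.
    """
    return gcd((pow(s, E, N) - m) % N, N)


def sign_checked(m, fault_in_q_half=False):
    """Verify with the public key before output; release nothing on mismatch."""
    s = sign_crt(m, fault_in_q_half)
    if pow(s, E, N) != m % N:
        return None                  # a real card would also count or lock here
    return s


if __name__ == "__main__":
    m = 0x1234567                    # constructed message representative
    good, bad = sign_crt(m), sign_crt(m, fault_in_q_half=True)
    print("good signature verifies:", pow(good, E, N) == m)
    print("faulty signature exposes P:", exposed_factor(m, bad) == P)
    print("checked signer output on fault:", sign_checked(m, True))
```

The check costs one public-key exponentiation per signature, which is the overhead the countermeasure list in section A refers to.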

C. Simple power analysis (SPA)[]

Simple power analysis is a technique that involves directly interpreting power consumption measurements collected during cryptographic operations []. SPA can yield information about a device's operation as well as key material. SPA requires very simple circuitry. We can classify these attacks as Class II attacks, as in-depth knowledge of cryptographic operations is required. Figure 11 shows the simple circuitry required for SPA attacks. To measure the circuit's power consumption, a small resistor is connected in series with the power input. The current consumption is given by Ohm's law. A high-speed sampler with sampling rates as high as 1 GHz is enough to perform such an attack. The total cost of the required equipment is less than $1000.

SPA attacks are performed by collecting traces. A trace refers to a set of power consumption measurements taken across a cryptographic operation. E.g., a 1 ms operation sampled at 5 MHz yields a trace of 5000 points. Figure 12 shows the SPA traces of the entire DES operation; we can clearly see all the 16 rounds of DES operation.

Figure 13 expands the SPA traces to show DES rounds 2 and 3 only. The first arrow marks the start of DES round 2, where the SPA trace indicates that the 28-bit key registers C and D are rotated just once; the 2nd and 3rd arrows indicate that in round 3 the 28-bit key registers C and D are rotated twice. Even the small differences between rounds 2 and 3 can be perceived using this technique.

Figure 14 shows an expanded, higher-resolution view of the power trace through 2 regions, each of 7 clock cycles at 3.5714 MHz. The difference between the upper trace and the lower trace is clearly visible. This difference is noticeable at and after clock 6: the upper half of figure 14 represents the execution path where a jump instruction is performed, and the lower half represents the execution path where a jump instruction is not performed. Hence conditional branch instructions are easily noted in SPA traces. Attackers can thus work out the sequence of instructions being executed.

Thus the severity of SPA attacks is high, as it can reveal information about the DES key schedule, DES permutations, comparison instructions, Multiplication operation etc.

DES key schedule: This involves the rotation of the 28-bit key registers. Implementations use conditional branch instructions to check whether the bit shifted off the end is a '0' bit or a '1' bit; each of these has a different SPA trace.

DES permutations: During DES permutations a variety of bit permutations are performed, and these require branching instructions, which can cause different power traces for '0' and '1'. Similar conditions apply to comparison operations.

Multipliers: Modular multiplication circuits leak a lot of data. The leakage function is strongly correlated to the operand values and Hamming weights.

Countermeasures to SPA attacks:

  • Avoid procedures that use secret intermediates/keys for conditional branching.
  • Creative coding is necessary to avoid the above criteria.
  • The best option is to use hard-wired hardware implementations of symmetric cryptographic algorithms rather than a software implementation.
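
One way to picture the first countermeasure, as an added example (not code from the essay or from any card vendor): the 28-bit key-register rotate from the DES key schedule written with a branch on the bit shifted off the end, and again with a fixed operation sequence. The function names, and the per-rotate operation count standing in for the shape of a power trace, are assumptions of this model.

```python
"""Operation sequence of a 28-bit key-register rotate: branching vs. branch-free."""

MASK28 = (1 << 28) - 1


def rotl28_branching(reg, ops):
    """Rotate left by one, testing the bit shifted off the end (the leaky form)."""
    carry = (reg >> 27) & 1
    reg = (reg << 1) & MASK28
    ops.append("shift")
    if carry:                      # secret-dependent branch
        reg |= 1
        ops.append("or")
    return reg


def rotl28_branchfree(reg, ops):
    """Same rotate with one fixed operation sequence for every register value."""
    reg = ((reg << 1) | (reg >> 27)) & MASK28
    ops.extend(("shift", "or"))
    return reg


def op_counts(rotate, reg, rotations=28):
    """Operations executed per rotate, plus the register after all rotations."""
    counts = []
    for _ in range(rotations):
        ops = []
        reg = rotate(reg, ops)
        counts.append(len(ops))
    return counts, reg


if __name__ == "__main__":
    c_reg = 0x0F0F0F3              # constructed 28-bit register contents
    leaky, _ = op_counts(rotl28_branching, c_reg)
    fixed, _ = op_counts(rotl28_branchfree, c_reg)
    # In the branching form the count minus one is the register, MSB first.
    print("branching  :", "".join(str(n - 1) for n in leaky))
    print("register   :", format(c_reg, "028b"))
    print("branch-free:", "".join(str(n) for n in fixed))
```

Python integers are not a model of card timing; the point is only the instruction sequence, which on a card would be fixed the same way in assembly or C.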

Note: Experimentation on SPA:

Due to the non-availability of a smart card reader for this project, it was not possible to obtain SPA traces on a smart card. However, for proof of concept of SPA, I conducted SPA traces on other devices available, like the Telos wireless sensor from EB 205.

Devices required: Telos wireless sensor board, this sensor is used to listen and transmit messages, National Instruments DAQ at sampling frequency of 1 MHz, 50 ohm resistor. We rig up the circuit as shown in Figure 11.

The power traces obtained are as below:

We can clearly see when the sensor is listening for data, when it remains idle, and when it starts transmitting data. The same approach can be applied to smart cards to obtain power traces, provided we have a smart card reader.

D. Differential Power Analysis (DPA) []

Another commonly known power attack is the differential power analysis attack. Differential power analysis can be applied to several cryptographic algorithms, such as DES and CRT-RSA. This technique is more powerful than SPA.

Let us examine DPA for the DES algorithm. Each of the 16 rounds of the DES encryption algorithm performs 8 S-box lookups.

The steps involved in the DES algorithm during each of the round operation are as follows []:

  • Each of the 8 S-boxes takes as input six key bits EX-ORed with six bits of the R register and produces a 4-bit output.
  • The 32 S (4 * 8) output bits are reordered and EX-ORed onto L register.
  • L and R are exchanged or swapped.

In [] we have the following. Let us define a DPA selection function D(C, b, Ks) that computes the value of bit 0 ≤ b < 32 of the DES intermediate L at the beginning of the 16th round for cipher text C, where the 6 key bits entering the S-box corresponding to bit b are represented by 0 ≤ Ks < 2^6. If Ks is incorrect, evaluating the selection function D(C, b, Ks) will yield the correct value for bit b.

To implement a DPA attack we need to observe m encryption operations and capture the power traces T1..m[1..k], containing k samples each. In addition the attacker records the cipher texts C1..m. DPA uses the power consumption traces to determine whether the key block guess Ks is correct.

The correct value of Ks can be identified from the spikes in the differential trace. Four values of b correspond to each S-box; after finding all 8 Ks we have the 48-bit round sub-key. The remaining 8 key bits can be found easily using exhaustive search or by analysis of one additional round key.

Figure 15 shows four traces prepared using known plain text entering a DES encryption function on a Smart Card. On top is the reference trace showing the average power consumption during DES. Below three are the differential traces, where the first was produced with correct guess of Ks. The lower two are produced for wrong guesses of Ks. These were prepared using 1000 samples (m = 1000).

Countermeasures for DPA:

  • Reduce the signal sizes by choosing operations that leak less information in their power consumption, by balancing Hamming weights, and by physically shielding the device. (Shielding can increase device cost and size.)
  • Use power scramblers: introduce random noise into the power consumption measurements to confuse attackers.
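
The difference-of-means test described above, run on simulated traces at two noise levels, as an added example that is not from the original essay. It narrows the selection function to a single S-box: the six ciphertext-derived bits are modelled as a recorded input c, the leak is one output bit at an assumed sample index, and TRUE_KS, the noise levels and the seed are constructed values.

```python
"""Difference-of-means DPA on simulated traces (added example, constructed data)."""
import random
from statistics import pstdev

# DES S-box 1: row = outer two input bits, column = middle four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

K = 20              # samples per trace (k in the text)
LEAK_AT = 12        # assumed sample index where the S-box output is handled
BIT = 0             # S-box output bit predicted by the selection function
TRUE_KS = 0b101101  # constructed 6-bit subkey block held by the simulated card


def sbox1(x):
    row = ((x >> 4) & 0b10) | (x & 1)
    return S1[row][(x >> 1) & 0xF]


def select(c, ks, b=BIT):
    """D(C, b, Ks) reduced to one S-box: predicted output bit b for guess ks."""
    return (sbox1(c ^ ks) >> b) & 1


def capture(m, sigma, seed):
    """Simulate m traces: Gaussian noise plus one key-dependent bit at LEAK_AT."""
    rng = random.Random(seed)
    inputs, traces = [], []
    for _ in range(m):
        c = rng.randrange(64)
        t = [rng.gauss(0.0, sigma) for _ in range(K)]
        t[LEAK_AT] += select(c, TRUE_KS)
        inputs.append(c)
        traces.append(t)
    return inputs, traces


def differential(inputs, traces, ks):
    """Mean of traces with D = 1 minus mean of traces with D = 0, per sample."""
    ones = [t for c, t in zip(inputs, traces) if select(c, ks)]
    zeros = [t for c, t in zip(inputs, traces) if not select(c, ks)]
    if not ones or not zeros:       # degenerate split: no differential signal
        return [0.0] * K
    return [sum(a) / len(ones) - sum(z) / len(zeros)
            for a, z in zip(zip(*ones), zip(*zeros))]


def rank_guesses(inputs, traces):
    """Largest absolute spike in the differential trace for each of the 64 guesses."""
    peaks = {ks: max(abs(v) for v in differential(inputs, traces, ks))
             for ks in range(64)}
    return max(peaks, key=peaks.get), peaks


def peak_to_floor(inputs, traces, ks=TRUE_KS):
    """Spike height at LEAK_AT relative to the spread of the other samples."""
    d = differential(inputs, traces, ks)
    return abs(d[LEAK_AT]) / pstdev(d[:LEAK_AT] + d[LEAK_AT + 1:])


if __name__ == "__main__":
    for sigma in (0.5, 8.0):        # quiet card vs. card with added noise
        data = capture(1000, sigma, seed=1)
        guess, _ = rank_guesses(*data)
        print(f"sigma={sigma}: top guess {guess:06b}, "
              f"peak/floor {peak_to_floor(*data):.1f}")
```

With m = 1000 the spike for the correct Ks stands far above the floor at the low noise level and sinks towards it at the high one, which is the effect the noise countermeasure relies on; more traces are then needed to bring the spike back out.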

E. Local modification of memory []

External stimuli such as eddy currents and light have been shown to change semiconductor behavior and to alter the values stored in semiconductor memories. An attacker can take advantage of these physical properties to locally modify a memory location. To show how this attack is performed, let us consider a six-transistor SRAM memory cell; the attack is applicable to all semiconductor memories. In figure 16, transistors M1 and M2 form the inverter; together with transistors M3 and M4 they form a flip-flop controlled by M5 and M6. If M1 is somehow opened for some time using an external stimulus such as eddy current or light, the flip-flop can be made to change its state. Further, M3 can be controlled to change the state to the opposite value. This shows how bits in memory can be modified. Each bit in memory is stored by one SRAM cell, so bits can be flipped as desired.

When a RAM is switched on, the stored values are random. On a faulty static RAM, the great majority of the RAM reads 1, so these values are not random anymore. The faults in the RAM are highly are shown in the above figure. When the external stimulus is relatively intense and brutal, the processor subjected to this field can be put in a disrupted mode for several hours and may never return to normal operation. Hence such attacks are quite harmful.

F. Data Remanence [][]

Data remanence is the residual representation of data that has been in some way nominally erased or removed. This residue may be due to data being left intact by a nominal delete operation, or through physical properties of the storage medium. Data remanence may make inadvertent disclosure of sensitive information possible, should the storage media be released into an uncontrolled environment. Such attacks are very dangerous: even if only part of the key is retrieved, it becomes very easy to find the whole key, since fewer combinations are now required to break it.

To avoid the data remanence problem, secure erasing techniques must be employed. It is a known fact that data remanence attacks sometimes employ inspection under the microscope. To limit this weakness, silicon memory manufacturers have decided to scramble the memory locations so that no two contiguous addresses are placed together, or to use a simple scrambling function; this function must be non-trivial.

Countermeasures to prevent such attacks are []:

  • Crypto variables should not be stored in the same memory location
  • Crypto variable should not be stored in the plain-text form in non-volatile memory
  • Cycle EEPROM/flash cells, at least 10-100 times before using them.
  • Do not assume that a key held in RAM has been destroyed when the RAM is cleared.
  • Avoid repeatedly running the same signals over dedicated data lines; this makes the attacker's work easier.
  • Beware of some of the very-intelligent non-volatile memory devices that could leave copies of sensitive information in mapped-out memory blocks after the active copy has been erased.

V. Ideal chips for the development of secure smart cards.

Leading manufacturers of security microcontrollers for smart cards include companies like ATMEL and INFINEON. Let us see the features of these products and how they provide security against the existing attacks.

VI. Conclusion

  • Technology barrier. Advanced 0.6 micron technology greatly reduces the size and power consumption of cards as well as the relative variations in their operating parameters. This makes it very hard for external SPA/DPA methods to distinguish between normal card fluctuations and data-related fluctuations.
  • Clock fluctuation. A special Clock Software Management facility, when properly used, results in highly variable software timing when the embedded application program is executing.
  • Unpredictable behavior. A built-in timer with Interrupt capability and an Unpredictable Number Generator is used to impose unpredictable variations on software execution behavior, with consequent changes in the pattern of power consumption.
  • Robust design. A modular design allows new hardware variations, including custom variations, to be produced quickly and efficiently, thereby allowing fast response to new attack scenarios.
  • Memory control for multi-applications. An enhanced Memory Access Control system provides secure operating system support for multi-application cards.
  • Security mechanisms and firmware functions. An enhanced set of security mechanisms and firmware functions allow the application to detect and respond appropriately to the occurrence of conditions that might indicate an attack. These conditions include invalid operating conditions, bad opcodes, bad addresses and violations of chip integrity; the possible responses include interrupts, program reset, immediate erasure of all RAM data and flash programming of the entire EEPROM array.


  • Johannes Blömer, Martin Otto, Jean-Pierre Seifert. A new CRT-RSA algorithm secure against Bellcore attacks. CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003.