This seminar gives some basic concepts about smart cards. The physical and logical
structure of the smart card and the corresponding security access controls are discussed.
It is believed that smart cards offer more security and confidentiality than other
kinds of information or transaction storage. Moreover, applications built with smart card
technology are illustrated, which demonstrate that the smart card is one of the best solutions for providing
and enhancing a system's security and integrity. The seminar also covers the contactless
type of smart card briefly. Different schemes for organising and accessing multiple-application
smart cards are discussed. The first and second schemes are practical and workable today,
and there are real applications developed using those models. For the third one, multiple
independent applications in a single card, there is still a long way to go before it becomes
feasible, for several reasons.

At the end of the paper, an overview of attack techniques on the smart card is discussed as
well. Having those attacks does not mean that the smart card is insecure. It is important to realise
that attacks against any secure system are nothing new or unique. Any system or technology
claiming to be 100% secure is irresponsible. The main consideration in determining whether a
system is secure or not depends on whether the level of security can meet the requirement of the
Table of contents
1 Introduction
2 Physical Structure and Life Cycle
1. Introduction

The smart card is one of the latest additions to the world of information technology. Similar in
size to today's plastic payment card, the smart card has a microprocessor or memory chip
embedded in it that, when coupled with a reader, has the processing power to serve many
different applications. As an access-control device, smart cards make personal and business data
available only to the appropriate users. Another application provides users with the ability to
make a purchase or exchange value. Smart cards provide data portability, security and
convenience. Smart cards come in two varieties: memory and microprocessor. Memory cards
simply store data and can be viewed as a small floppy disk with optional security. A
microprocessor card, on the other hand, can add, delete and manipulate information in its
memory on the card. Similar to a miniature computer, a microprocessor card has an input/output
port, operating system and hard disk with built-in security features. On a fundamental level,
microprocessor cards are similar to desktop computers. They have operating systems, they store
data and applications, they compute and process information and they can be protected with
sophisticated security tools. The self-containment of the smart card makes it resistant to attack, as it
does not need to depend upon potentially vulnerable external resources. Because of this
characteristic, smart cards are often used in applications which require strong security
protection and authentication.

For example, a smart card can act as an identification card, used to prove the identity of
the card holder. It can also be a medical card, which stores the medical history of a person.
Furthermore, the smart card can be used as a credit/debit bank card which allows off-line
transactions. All of these applications require sensitive data to be stored in the card, such as
biometric information of the card owner, personal medical history, and cryptographic keys for
authentication.

In the near future, the traditional magnetic stripe card will be replaced and its functions integrated into
a single card by using the multi-application smart card, which is known as an electronic purse or
wallet in the smart card industry. The smart card is becoming more and more significant and will
play an important role in our daily life. It will be used to carry more sensitive and critical data
about consumers than ever before.

2. Physical Structure and Life Cycle

This section discusses the physical structure of a smart card and examines the components of a
smart card. It will also discuss all the phases of a card's life cycle, and explore how the
microcontroller handles and transfers data securely from the card manufacturer to the application
supplier and then to the bearer. As a result, we can determine how the data or information stored
on the card can be protected.
2.1 Physical Structure
The physical structure of a smart card is specified by the International Standards Organization
(ISO) 7810, 7816/1 and 7816/2. Generally it is made up of three elements. The plastic card is the
most basic one and has the dimensions of 85.60mm x 53.98mm x 0.80mm. A printed circuit and
an integrated circuit chip are embedded on the card. Figure 1 shows an overview of the physical
structure of a smart card.

Figure 1: Physical structure of a smart card

The printed circuit conforms to ISO standard 7816/3 which provides five connection points for
power and data. It is hermetically fixed in the recess provided on the card and is burned onto the
circuit chip, filled with a conductive material, and sealed with contacts protruding. The printed
circuit protects the circuit chip from mechanical stress and static electricity. Communication with
the chip is accomplished through contacts that overlay the printed circuit.
The capability of a smart card is defined by its integrated circuit chip. Typically, an integrated
circuit chip consists of a microprocessor, read only memory (ROM), non-static random access
memory (RAM) and electrically erasable programmable read only memory (EEPROM), which
will retain its state when the power is removed. The current circuit chip is made from silicon
which is not flexible and particularly easy to break. Therefore, in order to avoid breakage when
the card is bent, the chip is restricted to only a few millimeters in size.
Furthermore, the physical interface which allows data exchange between the integrated circuit
chip and the card acceptor device (CAD) is limited to 9600 bits per second. The communication
line is a bi-directional serial transmission line which conforms to ISO standard 7816/3. All the
data exchanges are under the control of the central processing unit in the integrated circuit chip.
Card commands and input data are sent to the chip, which responds with status words and output
data upon receipt of these commands and data. Information is sent in half duplex mode,
which means that data is transmitted in one direction at a time. This protocol, together with the
restriction on the bit rate, prevents massive data attacks on the card.
In general, the size, thickness and bend requirements for the smart card are designed to
protect the card from physical damage. However, this also limits the memory and
processing resources that may be placed on the card. As a result, the smart card always has to
cooperate with other external peripherals to operate. For example, it may require a device to
provide user input and output, time and date information, power and so on. These
limitations may degrade the security of the smart card in some circumstances, as the external
elements are untrusted and precarious.
3. Life Cycle of a Smart Card
There is an operating system inside each smart card which may contain a manufacturer
identification number (ID), type of component, serial number, profile information, and so on.
More importantly, the system area may contain different security keys, such as the manufacturer key
or fabrication key (KF), and the personalisation key (KP). All of this information should be kept
secret and not be revealed to others.
Hence, from the manufacturer to the application provider, then the card holder, the production of
a smart card is divided into different phases. Limitation on transfer and access of data is
incremental at different phases in order to protect different areas in the smart card. There are five
main phases for a typical smart card life cycle. We will discuss each of them below.
3.1 Fabrication Phase
This phase is carried out by the chip manufacturers. The silicon integrated circuit chip is created
and tested in this phase. A fabrication key (KF) is added to protect the chip from fraudulent
modification until it is assembled into the plastic card support. The KF of each chip is unique and
is derived from a master manufacturer key. Other fabrication data will be written to the circuit
chip at the end of this phase. Then the chip is ready to deliver to the card manufacturer with the
protection of the key KF.
3.2 Pre-personalisation Phase
This phase is carried out by the card suppliers. In this phase, the chip will be mounted on the
plastic card which may have the logo of the application provider printed on it. The connection
between the chip and the printed circuit will be made, and the whole unit can be tested. For
added security and to allow secure delivery of the card to the card issuer, the fabrication key will
be replaced by a personalisation key (KP). After that, a personalisation lock VPER will be written
to prevent further modification of the KP. In addition, physical memory access instructions will
be disabled, so that the card can be accessed only by logical memory addressing. This
prevents the system and fabrication areas from being accessed or modified.
3.3 Personalisation Phase
This phase is conducted by the card issuers. It completes the creation of logical data structures.
Data files contents and application data are written to the card. Information of card holder
identity, PIN, and unblocking PIN will be stored as well. At the end, a utilization lock VUTIL will
be written to indicate the card is in the utilization phase.
3.4 Utilization Phase
This is the phase for the normal use of the card by the cardholder. The application system,
logical file access controls, and others are activated. Access of information on the card will be
limited by the security policies set by the application. This will be discussed in detail in the next
3.5 End-of-Life Phase (Invalidation Phase)
There are two ways to move the card into this phase. One is initiated by the application which
writes the invalidation lock to an individual file or the master file. All the operations including
writing and updating will be disabled by the operating system. Only read instructions may
remain active for analysis purposes. The other way to put the card into this phase is when
the control system irreversibly blocks access because both the PIN and the unblocking PIN are
blocked; then all operations, including reads, are blocked.
Finally, Table 1 summarises the conditions and memory accesses of a smart card during the
various phases mentioned above.

Areas/Phases        | Fabrication        | Pre-personalisation | Personalisation         | Utilisation             | End-of-life
--------------------+--------------------+---------------------+-------------------------+-------------------------+-------------------------
Access mode         | Physical addressing| Physical addressing | Logical addressing      | Logical addressing      | Logical addressing
System              | Not accessible     | Not accessible      | Not accessible          | Not accessible          | Not accessible
Fabrication (key)   | Write KF           | Write KP            | Not accessible          | Not accessible          | Not accessible
Fabrication (data)  | Read, write, erase | Read                | Read                    | Read                    | Read
Directory           | Read, write, erase | Read, write, erase  | Per logical file access | Per logical file access | Per logical file access
Data                | Read, write, erase | Read, write, erase  | Per logical file access | Per logical file access | Per logical file access
Optional            | Read, write, erase | Read, write, erase  | Not accessible          | Not accessible          | Not accessible

Table 1: Phases and access rights of the smart card's life cycle

(Source: Philips DX smart card reference manual, 1995)

4. Logical Structure and Access Controls

After a smart card is issued to the consumer by the application provider, the protection of the
card will be controlled by the application operating system mainly. Physical addressing mode of
accessing data is no longer available. Access of data has to be done through the logical file
structure on the card. This section will discuss how the operating system accomplishes the
security protection of the data stored on the card by examining the logical file structure and the
corresponding access controls of a smart card.
4.1 Logical File Structure
In general, in terms of data storage, a smart card can be viewed as a disk drive where files are
organised in a hierarchical form through directories. Similar to MS-DOS, there is one master file
(MF) which is like the root directory. Under the root, we can have different files which are called
elementary files (EFs). We can also have various subdirectories called dedicated files (DFs).
Under each subdirectory there will again be elementary files. The main difference between a smart card file
structure and an MS-DOS file structure is that dedicated files can also contain data. Figure 2
shows a logical view of a smart card file structure.

Figure 2: Logical file structure of smart card

In smart card terminology, the root or master file (MF) consists of a header part describing the MF
itself and a body part containing the headers of all the dedicated files and elementary files which
have the MF in their parental hierarchy. The dedicated file (DF) is a functional grouping of
files consisting of itself and all the files which are immediate children of the DF. The elementary
file (EF) simply consists of its header and the body which stores the data.
The way data is managed within a file differs between operating systems. Some may manage
the data simply by offset and length, while others organise data in fixed or variable length
records, as the Global System for Mobile Communication (GSM) system does. In any case, the
file must be selected before performing any operation on it. This is equivalent to opening a file.
The logical access and selection mechanisms are activated once power is supplied to the card,
at which point the master file is selected automatically. The selection operation allows movement
around the tree. It can descend by selecting an EF or a DF, or ascend by selecting the
MF or a DF. Horizontal movement can be done by selecting an EF from another EF as well.
After a successful selection, the header of the file can be retrieved, which stores
information about the file such as its identification number, description, type, size, and so on.
Particularly, it stores the attribute of the file which states the access conditions and current status.
Access of the data in the file depends on whether those conditions can be fulfilled or not. This
will be described in the following section.
In short, the file structure of the smart card operating system is similar to other common
operating systems such as MS-DOS and UNIX. However, in order to provide greater security
control, the attribute of each file is enhanced by adding accessing conditions and file status fields
in the file header. Moreover, a file lock is also provided to prevent the file from being accessed. These
security mechanisms and algorithms provide a logical protection of the smart card.
4.2 Access Control
The smart card access control system mainly covers file access. Each file has a header attached
which indicates the access conditions or requirements of the file, as well as its current status.
The fundamental principle of the access control is based on the correct presentation of PIN
numbers and their management.
4.2.1 PIN Presentations
The PINs are normally stored in separate elementary files, EFCHV1 and EFCHV2 for example. Use
of the access conditions on those files can prevent the PINs from being changed. The PIN can be
changed by issuing the change PIN instruction together with the new and old PIN. However, for
most of the smart card operating systems, the corresponding PIN will be invalidated or blocked
when a fixed number of invalid PINs are presented consecutively. The number of times will vary
with different systems.
At that point, all files requiring that PIN become blocked and inaccessible. Unblocking has
to be carried out with knowledge of the correct PIN and a specific unblocking PIN stored in
the card. Still, if an invalid unblocking PIN is presented consecutively up to a particular
number of times, the unblocking PIN will be blocked as well. Then both the PIN and the
unblocking PIN are invalidated and can no longer be restored. This is called an irreversible
blockage. Some systems may even invalidate the whole card in order to prevent further
4.2.2 PIN Management
To achieve the protection and blockage of the PINs mentioned above, two counters have to be
implemented for each of the card holder verification numbers (CHVs). The counters are
composed in such a way that any possible errors in writing or erasing will be avoided, which
could adversely affect the access control on the card. There are three states in the management of
the PIN, which are described below.
• PIN has been presented:
Files or functions which have PIN presentation as a pre-requisite or condition can be used.
Every time the PIN is presented correctly, the PIN counter is reset to the maximum number
of tries, three for example.
• PIN has not been presented or was presented incorrectly:
The PIN counter is decremented by one after each incorrect PIN presentation. All
operations or instructions which require PIN presentation are invalidated. If the PIN counter
reaches zero, the PIN is blocked.
• PIN is blocked:
In this state, all operations requiring PIN presentation, and even the PIN presentation instruction
itself, are blocked. The unblock PIN instruction has to be carried out. If the correct unblocking PIN is
presented, the PIN counter is reset to the maximum number of tries and the PIN returns to the first
state. However, if an invalid unblocking PIN is presented, the unblock PIN counter is
decremented by one, and when this counter reaches zero the PIN can never be unblocked again.
Summing up the file structure and access control the smart card provides, data stored on the card
can be protected either individually, by setting access conditions in the header of each file, or
hierarchically, by grouping files together under a single dedicated file (DF) with access
conditions set on it. Furthermore, the irreversible blockage gives maximum protection to the card,
so that large-scale guessing attempts against it are not possible.
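As an added illustration of sections 4.1 and 4.2 (not code from the seminar or from any real card operating system), the following model implements the MF/DF/EF tree with inherited access conditions, the selection rules, and the three-state PIN machine with its two counters; the CHV names, file names and try limits are assumed values.

```python
"""Model of the smart card file tree (section 4.1) and the CHV/PIN state
machine with its two counters (section 4.2). Added illustration only: not
code from the seminar or any card OS; names and try limits are assumed."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_TRIES = 3           # assumed PIN counter reset value ("three for example")
MAX_UNBLOCK_TRIES = 10  # assumed unblocking PIN counter

@dataclass
class CHV:
    """A card holder verification number with its PIN and unblock counters."""
    pin: str
    unblock_pin: str
    tries_left: int = MAX_TRIES
    unblock_tries_left: int = MAX_UNBLOCK_TRIES
    presented: bool = False      # state 1 once the PIN is presented correctly

    def blocked(self) -> bool:   # state 3
        return self.tries_left == 0

    def verify(self, candidate: str) -> bool:
        """PIN presentation: refused while blocked; wrong PIN decrements, right PIN resets."""
        if self.blocked():
            return False
        if hmac.compare_digest(candidate, self.pin):
            self.tries_left, self.presented = MAX_TRIES, True
            return True
        self.tries_left -= 1
        self.presented = False
        return False

    def unblock(self, candidate_unblock_pin: str, new_pin: str) -> bool:
        """Unblock: a correct unblocking PIN restores the PIN counter; each wrong
        one burns an unblock try, and at zero the blockage is irreversible."""
        if self.unblock_tries_left == 0:
            return False
        if hmac.compare_digest(candidate_unblock_pin, self.unblock_pin):
            self.pin, self.tries_left, self.presented = new_pin, MAX_TRIES, False
            return True
        self.unblock_tries_left -= 1
        return False

@dataclass
class File:
    """MF, DF or EF; `access` maps an operation to the required CHV or "NEVER"."""
    name: str
    access: Dict[str, str] = field(default_factory=dict)
    children: Dict[str, "File"] = field(default_factory=dict)
    parent: Optional["File"] = None
    body: bytes = b""

    def add(self, child: "File") -> "File":
        child.parent = self
        self.children[child.name] = child
        return child

class Card:
    def __init__(self, chvs: Dict[str, CHV]) -> None:
        self.chvs = chvs
        self.mf = File("MF")
        self.current = self.mf   # the MF is selected at power-up

    def select(self, name: str) -> bool:
        """Descend to a child, ascend to the parent or the MF, or move sideways
        to a sibling; False if no such file is reachable from here."""
        cur = self.current
        reachable = dict(cur.children)
        if cur.parent is not None:
            reachable.update(cur.parent.children)
            reachable[cur.parent.name] = cur.parent
        reachable["MF"] = self.mf
        if name not in reachable:
            return False
        self.current = reachable[name]
        return True

    def allowed(self, op: str) -> bool:
        """Conditions are inherited: every DF on the path up to the MF must also
        permit the operation (hierarchical protection)."""
        node: Optional[File] = self.current
        while node is not None:
            cond = node.access.get(op)
            if cond == "NEVER" or (cond is not None and not self.chvs[cond].presented):
                return False
            node = node.parent
        return True

    def read(self) -> Optional[bytes]:
        return self.current.body if self.allowed("read") else None

def build_demo_card() -> Card:
    """Constructed sample: a CHV1-guarded ID DF with a holder EF, and an unreadable CHV file."""
    card = Card({"CHV1": CHV(pin="1234", unblock_pin="87654321")})
    card.mf.add(File("EF_CHV1", access={"read": "NEVER", "update": "NEVER"}))
    df = card.mf.add(File("DF_ID", access={"read": "CHV1"}))
    df.add(File("EF_HOLDER", body=b"holder: J. Doe"))   # inherits the DF's condition
    return card
```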

5. Procedural Protection
After an overview of the physical and logical protection given by the smart card, it is time to look
at how we can make use of the smart card to protect and secure our systems in real life.
Because of the on-board computing power of the smart card, it is possible to achieve off-line
transactions and verifications. For instance, a smart card and a card acceptor device (CAD) can
identify each other by using the mutual active authentication method. Moreover, data and codes
stored on the card are encrypted by the chip manufacturer by using computational scrambling
encryption, which makes the circuit chip almost impossible to be forged. All of these features
together with the protected access control are discussed in the previous section.
Today, smart cards are being used in different areas because they can be combined with other
technologies, such as asymmetric cryptographic algorithms and biometric identification, to
provide highly assured and trusted applications. This section discusses three particular areas
which demonstrate how different systems can make use of the smart card to enhance their
5.1 Identification of Documents
Traditional document based identifications, such as identification card, licenses, passport/visa,
and so on, are always considered unreliable. All of them are easy to be forged and copied.
Particularly with today’s technologies, high quality colour photocopies, printers, and scanners
are easily accessed and owned, as a result high quality fraudulent documents can be produced
easily. This makes the inspection of documents more and more difficult.
The smart card is probably the best solution to this problem. Printed information and
photographs can be digitised and stored on the card. By setting up access conditions and
passwords on files, only authorised persons or authorities, such as government departments, are
allowed to access the information. Moreover, together with biometric technology,
biometric information of the card holder can be placed on the card, so that the smart card can
cooperate with a biometric scanner to identify or verify whether the card is owned by the card
holder or not. This significantly improves the reliability of the document the smart card carries.
The operation procedures could be similar to the traditional paper based identification system.
However, instead of verifying the documents by observation of an inspection officer, a card
acceptor device will be used. The device which contains the authorised code and PIN can unlock
the file and retrieve the owner’s information for verification. In the case when biometrics is used,
the user can be authenticated by placing the required portion of his/her body onto a biometrics
reader, the data collected by the reader can be used to compare with the one in the card.
Nowadays, many organisations and governments in different countries are already researching
these issues. For example, many airlines intend to develop electronic tickets using smart
cards which cooperate with the baggage handling system in some airports. The smart card
typically stores the passenger's flight details such as name, seat number, flight number, baggage
details and so on. This helps to verify that the correct passenger has checked in and to identify the
owner of baggage in case of lost or unclaimed baggage. More importantly, the system may help to identify
criminals and terrorists.
In summary, it is anticipated that using the smart card as an identification document will be the
future trend replacing traditional paper-based certificates. Information stored on the card about
the owner will be increasing and becoming more and more sensitive. Therefore, the current
access control system based on PIN presentation may not be secure enough. It is suggested that
the card operating system may have to co-operate with some kind of authentication algorithms to
protect all the files or even the whole system.
5.2 Authentication in Kerberos
In an open distributed computing environment (DCE), a workstation cannot be trusted to identify
its users because the workstation may not be located in a well controlled environment and may
be far away from the central server. A user can be an intruder who may try to attack the system
or pretend to be someone else to extract information from the system which he/she is not entitled
to. In order to protect a system from being attacked by remote network hosts, a certain kind of
authentication must be taken into account.
Kerberos is one of the systems which provides trusted third-party authentication services to
authenticate users in a distributed network environment. Basically, when a user or client
requests access to a particular service from a server, he/she has to obtain a ticket or
credential from the Kerberos authentication server (AS). The user then presents that credential to
the ticket granting server (TGS) and obtains a service ticket. The user can then request the
service by submitting the service ticket to the desired server. Figure 3 shows this authentication

Figure 3: Kerberos authentication protocol

With this protocol, the server can be assured of offering services to the correct client who is
entitled to have access. This is because Kerberos assumes that only the correct user can use the
credential, as others do not have the password to decrypt it. Also because of this, a user can
actually request the credential of others. That is, the user is not authenticated at the beginning.
In this way, an attacker can obtain the credential of another user and perform an off-line attack
using a password guessing approach, as the ticket is sealed by the password only. The whole idea is
to enhance the security of Kerberos authentication by authenticating the user directly at the
beginning and before the granting of the initial ticket, so that one user cannot obtain the ticket of
another. In addition, the use of a smart card requires a user logging into the system not only to recall a
password, but also to be in possession of a token.
5.3 Access Control On Operating System
Access control is one of the most important uses of smart card technology. It is also the
motivation behind the development of the smart card. In this section, we discuss how to control
access to an operating system on a personal computer by using the smart card. The single-user
nature of personal computers means they lack security protection, especially for system
areas such as the boot sector of a hard disk or floppy. These can be modified by anyone
without any protection, which creates the possibility of infection by computer viruses. In the present
day, a personal computer is powerful enough to take the place of mini-computers and act as a
network server, but its single-user nature has not changed, and this has made the problem
more serious.
A boot integrity token system (BITS) has been introduced which makes use of smart card technology to
protect the operating system. The basic idea is that the host computer actually boots from a
smart card, or requires critical information from the card to complete the boot sequence, so that
even if an attacker can gain physical access to the hardware, it is impossible to guarantee system
The smart card is configured to require user authentication prior to data access. During
system startup, two authentications have to be performed before the boot sequence completes.
First, the user is authenticated to the smart card by means of a password. Then
the host authenticates the card by reading the shared secret from the card. After both of them are
matched, the host reads the boot section information from the smart card and completes the boot
sequence. Then the PC operates as normal.
The smart card can also store checksums of critical data and executable programs. This is
effective against viruses because it validates file integrity rather than scanning for known virus
signatures. In general, the use of the smart card here enhances the security of the computer by
utilising its inherent secure storage and processing capabilities.
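The BITS boot sequence described above, as an added model that is not the BITS authors' code: the user authenticates to the card, the host authenticates the card, and the host then checks the boot files against checksums kept on the card before accepting the boot record. The challenge-response form of the second authentication, the try limit and all secrets, file contents and names are assumptions or constructed values.

```python
"""Model of the boot integrity token sequence in section 5.3: the user
authenticates to the card, the host authenticates the card via a shared
secret, and the host validates boot data against checksums held on the card.
Added illustration, not the BITS authors' code; every value is constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TRY_LIMIT = 3   # assumed password try limit on the card


class Token:
    """Card side: releases the boot record and checksums only after the user
    password has been presented correctly."""

    def __init__(self, password: str, shared_secret: bytes,
                 boot_record: bytes, checksums: Dict[str, bytes]) -> None:
        # Keep a salted, stretched hash of the password rather than the password.
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)
        self._shared_secret = shared_secret
        self._boot_record = boot_record
        self._checksums = checksums
        self.user_verified = False
        self.tries_left = TRY_LIMIT

    def verify_user(self, password: str) -> bool:
        """First authentication: user to card, with a try counter as in section 4.2."""
        if self.tries_left == 0:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)
        if hmac.compare_digest(cand, self._pw_hash):
            self.user_verified, self.tries_left = True, TRY_LIMIT
            return True
        self.tries_left -= 1
        return False

    def prove(self, challenge: bytes) -> Optional[bytes]:
        """Second authentication: answer a host challenge with an HMAC keyed by
        the shared secret. Assumption: the seminar only says the host 'reads'
        the secret; a challenge-response keeps it from leaving the card."""
        if not self.user_verified:
            return None
        return hmac.new(self._shared_secret, challenge, "sha256").digest()

    def boot_record(self) -> Optional[bytes]:
        return self._boot_record if self.user_verified else None

    def checksum(self, name: str) -> Optional[bytes]:
        return self._checksums.get(name) if self.user_verified else None


class Host:
    """PC side: shares the secret with the card and holds the files to validate."""

    def __init__(self, shared_secret: bytes, files: Dict[str, bytes]) -> None:
        self._shared_secret = shared_secret
        self.files = files

    def boot(self, token: Token, password: str) -> Optional[bytes]:
        """Return the boot record only if both authentications and every file
        integrity check pass; None means the boot sequence must stop."""
        if not token.verify_user(password):                        # 1. user -> card
            return None
        challenge = os.urandom(16)
        expected = hmac.new(self._shared_secret, challenge, "sha256").digest()
        response = token.prove(challenge)                           # 2. host <-> card
        if response is None or not hmac.compare_digest(response, expected):
            return None
        for name, content in self.files.items():                    # 3. integrity
            ref = token.checksum(name)
            if ref is None or not hmac.compare_digest(hashlib.sha256(content).digest(), ref):
                return None
        return token.boot_record()


def build_demo() -> Tuple[Token, Host]:
    """Constructed sample card and host that agree on the secret and checksums."""
    secret = b"constructed-shared-secret"
    files = {"boot.sys": b"constructed boot sector image",
             "kernel.bin": b"constructed kernel image"}
    sums = {n: hashlib.sha256(c).digest() for n, c in files.items()}
    return Token("constructed-pass", secret, b"BOOTREC", sums), Host(secret, dict(files))
```

A modified boot file, a wrong password, or a card that does not hold the host's secret all leave `Host.boot` returning None, which is the point at which a real BITS host would refuse to continue the boot sequence.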

6. Contactless smart cards

Smart cards have two different types of interfaces: contact and contactless. Contact smart cards
are inserted into a smart card reader, making physical contact with the reader. However,
contactless smart cards have an antenna embedded inside the card that enables communication
with the reader without physical contact. Recently, card manufacturers have developed "combi"
cards, which offer the functionality of both contact and contactless technology. A combi card
combines the two features with a very high level of security.
Contactless smart cards offer advantages to both the organization issuing the card and the
cardholder. The issuing organization can support multiple applications on a single card,
consolidating an appropriate mix of technologies and supporting a variety of security policies for
different situations. Applications such as logical access to computer networks, electronic
payment, electronic ticketing and transit can be combined with physical access to offer a multi-
application and multi-technology ID credential. The issuer can also record and update
appropriate privileges from a single central location. The organization as a whole incurs lower
maintenance costs over the system life, due to the elimination of mechanical components and
reader resistance to vandalism and harsh environmental conditions. With hybrid and dual-
interface cards, issuers can also implement systems that benefit from multiple card technologies.
6.1 Contactless Technologies Support Physical Access Control Applications
There are three primary contactless technologies considered for physical access control
applications: 125 kHz, ISO/IEC 14443, and ISO/IEC 15693 technologies. 125 kHz read-only
technology is used by the majority of today’s RFID access control systems and is based on de
facto industry standards rather than international standards. 125 kHz technology allows for a
secure, uniquely coded number to be transmitted and processed by a back-end system. The back-
end system then determines the rights and privileges associated with that card. Cards that comply
with these standards are intelligent, read/ write devices capable of storing different kinds of data
and operating at different ranges. Standards-based contactless smart cards can authenticate a
person’s identity, determine the appropriate level of access, and admit the cardholder to a
facility, all from data stored on the card. These cards can include additional authentication
factors (such as biometric templates or PINs) and other card technologies, including a contact
smart card chip, to satisfy the requirements of legacy applications or applications for which a
different technology is more appropriate.

Contactless smart card technologies offer security professionals features that can enhance
systems designed to control physical or logical access (i.e., access to networks or other online
resources). Contactless cards differ from traditional contact smart cards by not requiring physical
connectivity to the card reader. The card is simply presented in close enough proximity to the
reader and uses radio frequencies (RF) to exchange information. The use of contactless
technologies is particularly attractive for secure physical access, where the ID credential and
reader must work in harsh operating conditions, with a high volume of use or with a high degree
of user convenience. For example, consider the use of a contactless card to control access to
public transportation. The card can be presented to the reader without having to be removed from
a wallet or purse. The fare is automatically deducted from the card and access is granted. Adding
funds through appropriate machines at transit centers or banks then refreshes the card. The
process is simple, safe, and accurate.
6.2 Types of Contactless Cards
There are three types of contactless credentials (cards or tokens):
• Memory
• Wired logic
• Microcontroller (MCU)
Memory cards use a chip or other electronic device to store authentication information. In their
most secure form, memory cards store a unique serial number and include the ability to
permanently lock sections of memory or allow write access only through password-protected
mechanisms. Other than these basic mechanisms, memory cards employ no additional security to
protect their contents. System-level methods can be used to encrypt and decrypt the information
stored on the card.
Wired logic cards have a special purpose electronic circuit designed on the chip and use a fixed
method to authenticate themselves to readers, verify that readers are trusted, and encrypt
communications. Wired logic cards lack the ability to be modified after manufacturing or
MCU cards implement authentication/encryption methods in software or firmware. Contactless
smart cards with an embedded MCU have more sophisticated security capabilities, such as the
ability to perform their own on-card security functions (e.g., encryption, hardware and software-
based tamper resistance features to protect card contents, biometric verification and digital
signatures) and interact intelligently with the card reader. Contactless MCU cards also have
greater memory capability and run card operating systems (for example, JavaCard or MULTOS).

Both hybrid and dual-interface contactless cards are becoming available. On a hybrid card,
multiple independent technologies share the common plastic card body but do not communicate
or interact with each other. For example, one card could carry a magnetic stripe, bar code, 125
kHz technology, picture ID, contact smart card module and either ISO/IEC 14443 or ISO/IEC
15693 contactless smart card technology. The advantage of a hybrid card is that existing installed
systems can be supported, while new features and functionality can also be offered through smart
card technologies. A dual-interface card includes a single chip with both contact and contactless
capabilities. Contact and contactless technologies can therefore be implemented on one card,
each addressing the application requirements most suited to its capabilities and sharing the same
Hybrid and dual-interface technologies are complementary and, with thoughtful implementation,
transparent to the end user. With current technologies, security system designers can implement
an architecture that includes multiple ID credential technologies. This creates a significant
opportunity for more efficient credential management, improved user convenience, and easier
administration of multiple security policies and procedures. Through the use of the appropriate
card technology, cryptography, and digital signatures, logical access control can be incorporated
into networks and databases. And because the credential is a plastic card, it also supports the use
of pictures, logos, visual inspection information, holograms, digital watermarks, microprinting,
and other security markings to deter counterfeiting and impersonation. A single card is also more
efficient for the user, simplifying coordination for changes, reducing memorization for
complicated passwords or personal identification numbers (PINs), and decreasing the time for
6.3.Benefits of Contactless Smart Card Technology
Contactless smart card technology is ideal for physical access control applications. Because ID
credentials and readers are typically exposed to the elements and have high usage, sealed
contactless technology prevents damage when cards and readers are exposed to dirt, water, cold,
and other harsh environmental conditions. With no mechanical reader heads or moving parts,
maintenance costs are minimized. Finally, with read ranges that can extend to many inches,
contactless technology offers the user the convenience of “hands free” access. The key benefits
of using contactless smart card technology for physical access are summarized below.
• High speed of access and high throughput
• Useable in harsh or dirty environments
• User friendly
– Less intrusive
– Does not require insertion of the card into the reader
– No issues with orientation of the card
– May be kept in wallet or purse for personal security during use
• Same high level of security as contact smart cards (e.g., digital signatures)
• Protected storage of data on the card
• Flexibility to incorporate multiple applications with different modes
– Contactless only card
– Dual interface contact/contactless card
– Hybrid card that includes 125 kHz technology, 13.56 MHz technology, magnetic stripe,
barcode, hologram, photo, and other card security features.
– Dual interface contact/contactless card that includes 13.56 MHz technology, magnetic stripe,
barcode, hologram, photo, and other card security features
• Reduced maintenance costs for card readers (as compared to magnetic stripe and contact card
• Reduced vandalism of readers
• More durable and reliable cards (no external parts that can wear out or be contaminated)
• Well-suited to accommodate local security staffing, training and implementation
• Established international standards (ISO/IEC)

7. Multiple Application Smart Card Systems

Most of the smart card systems in use today serve one purpose and are related to just one
process. For example, the smart telephone card which makes public telephones convenient,
electronic money which replaces coins and bank notes, the medical card which stores medical
history and insurance information, and the electronic identification card which controls access to
data and facilities, etc. All of these applications are stored in separate smart card systems,
which leads to the same situation and problem as with the traditional magnetic stripe card
system, which requires users to carry multiple cards for multiple applications.
In fact, as mentioned above, the smart card has the capability to integrate those applications
together to form a multiple application card by utilising its embedded microprocessor and
memory storage spaces. However, this kind of integration is always limited by external logical
elements rather than by technical issues. For instance, in a single-application card system, the
data stored in the card, or even the card itself, always belongs to the card issuer. In the case of
more than one application residing in a single card, this becomes impractical.
Moreover, we also have to consider how to partition the memory space for different applications
and how to manage the rights and privileges of data access. This also relates to the data directory
configuration and the security between each of them. Furthermore, the ability of applications to
communicate or share data with each other is another important concern which may affect the
whole design of the system and its operability.
Therefore, based on the natures and purposes of different applications, we discuss three different
kinds of infrastructure for multiple application smart card systems. The first one is minor
applications which co-operate with a dominant application. The second one is the integration of
multiple applications under a single specification. Finally, multiple independent applications
installed on a single card will be taken into account.

7.1.Minor Applications Co-operate With Dominant Application

While most of the existing smart card applications do not fully utilise both the memory storage
and the processing power of the card, it is feasible to integrate other minor applications which
make use of the existing resources and functionalities of the dominant system. This kind of
system always requires co-operation between application providers. Figure 1 shows an overview
of this system.

Figure 1: Minor applications co-operate with dominant Application

7.1.1.Data Ownership and Management

Ownership and management of data can be arranged under the corresponding co-operative contracts
and schemes. However, in most cases, management of minor applications will fall on the dominant
application, as they rely on the existing system resources such as the cryptographic algorithm
and authentication processing. In addition, minor applications may need to make use of part of
the dominant application to perform their jobs; consequently all of the applications under this
kind of integration have to be considered as a whole system and managed together in order to
achieve and provide multiple functions and services. Distribution of the card can be made under
the co-operation plans or marketing strategies, which depends on whether minor applications come
with the dominant application or minor applications act as an upgrade of
7.1.2.Data Directory Configuration and Partitioning
As the minor applications reside under the existing dominant application and co-operate with it,
they should logically act as a subset of the dominant application. Figure 2 below shows the
logical view and relationship between applications.

Figure 2: Logical view of applications in this model

Technically, this can be done by placing minor applications under different sub-directories or
functional groups below the dominant application directory. Dedicated files (DFs) can be used to
separate and organise applications. Figure 3 displays the structure and organisation of memory
spaces inside the smart card.
Figure 3: Structure and organisation inside the smart card
7.1.3 Security and Data Sharing
From the point of view of the dominant application, minor applications are treated as trusted
applications because they are implemented according to the agreed co-operation plan, and this is
why minor applications are allowed to make use of the dominant application's system resources to
perform their services. Therefore data communication between them should be regarded as safe
and secure. However, the minor applications should treat each other as untrusted entities. Hence
the transfer of data between a minor application and the dominant application should be made
over an exclusive channel in order to prevent wiretapping. Data sharing between minor
applications should be accomplished by establishing another exclusive channel under another
co-operative scheme.
7.1.4 Application Invocation and Authentication
Minor applications should be invoked by the dominant application as they are a subset of it. A
service index file which stores the identification numbers or dedicated file Ids of the available
services should be implemented by the dominant application system, and only the dominant
application system has access rights to it. An invocation algorithm between the end user, the
dominant application and the minor applications has to be provided as well, so that different
applications can be executed when requested. Their authentication should rely on the mechanism
provided by the dominant application system, as they co-operate with each other; therefore each
application does not need to implement its own security algorithm. Nevertheless, an additional or
second authentication can be done by individual applications when there is a need.
7.1.5 Application Expansion
Whenever a new application is added to the card, that application must be implemented under an
agreed co-operation program with the dominant application provider. From that program, the
service Id, the dedicated file Id to be used, and the way to co-operate with each other can be
determined without contradiction. Card holders can have the new application added through the
particular authentication procedure which is designed for adding new applications.
The integration of a remote banking application with the dominant GSM application system is a
good example of the multiple application smart card system described above. Furthermore, under
this system, new applications can be downloaded or updated over the air with the enhanced short
message service provided by the GSM system.
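The file layout and invocation path of sections 7.1.2 to 7.1.4, as an added example written for this
text (it is not code from the seminar paper or from any card vendor). A master file holds the
dominant application's dedicated file (DF); minor applications are DFs beneath it. The service
index file is readable and writable by the dominant application only, the end user reaches a minor
application through the dominant one (which applies its own authentication, here a constructed PIN
check), and a minor application may add a second check of its own. The application names, DF
identifiers, PIN and one-time code are all constructed values.

```python
"""Added example: dominant/minor application layout of section 7.1 (constructed model)."""

import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DedicatedFile:
    """One dedicated file (DF): an application plus the DFs nested under it."""
    file_id: str
    owner: str
    children: Dict[str, "DedicatedFile"] = field(default_factory=dict)
    second_auth: Optional[Callable[[str], bool]] = None   # optional extra check by the minor app


class DominantCard:
    """Card whose file system is organised as MF -> dominant DF -> minor DFs."""

    DOMINANT = "DOMINANT_APP"    # constructed name of the dominant application

    def __init__(self, dominant_df_id: str, user_pin: str) -> None:
        self.mf = DedicatedFile("3F00", "ISSUER")                 # master file
        self.dominant = DedicatedFile(dominant_df_id, self.DOMINANT)
        self.mf.children[dominant_df_id] = self.dominant
        self._service_index: Dict[str, str] = {}                  # service name -> DF id
        self._pin = user_pin                                      # dominant app's own secret
        self.audit: List[Tuple[str, str]] = []

    def read_index(self, requester: str) -> Dict[str, str]:
        """The service index is private to the dominant application."""
        if requester != self.DOMINANT:
            raise PermissionError("service index: read denied for " + requester)
        return dict(self._service_index)

    def add_minor(self, requester: str, service: str, df_id: str,
                  second_auth: Optional[Callable[[str], bool]] = None) -> None:
        """Register a minor application under the agreed co-operation plan."""
        if requester != self.DOMINANT:
            raise PermissionError("only the dominant application may add services")
        if df_id in self.dominant.children or service in self._service_index:
            raise ValueError("service id or DF id already in use")
        self.dominant.children[df_id] = DedicatedFile(df_id, service, second_auth=second_auth)
        self._service_index[service] = df_id

    def invoke(self, service: str, pin: str, credential: str = "") -> Optional[str]:
        """End user -> dominant -> minor application; returns the selected DF id or None."""
        if not hmac.compare_digest(pin, self._pin):        # dominant's authentication
            self.audit.append(("auth_failed", service))
            return None
        df_id = self._service_index.get(service)          # lookup only the dominant may do
        if df_id is None:
            self.audit.append(("unknown_service", service))
            return None
        minor = self.dominant.children[df_id]
        if minor.second_auth is not None and not minor.second_auth(credential):
            self.audit.append(("second_auth_failed", service))
            return None
        self.audit.append(("selected", df_id))
        return df_id


def demo() -> dict:
    """Constructed walk-through: banking minor app with a second check, loyalty app without."""
    card = DominantCard("7F10", user_pin="1234")
    card.add_minor(DominantCard.DOMINANT, "remote_banking", "7F11",
                   second_auth=lambda c: hmac.compare_digest(c, "bank-otp"))
    card.add_minor(DominantCard.DOMINANT, "loyalty", "7F12")
    results = {
        "bank_ok": card.invoke("remote_banking", "1234", "bank-otp"),
        "bank_wrong_otp": card.invoke("remote_banking", "1234", "nope"),
        "loyalty_ok": card.invoke("loyalty", "1234"),
        "bad_pin": card.invoke("loyalty", "0000"),
        "unknown": card.invoke("parking", "1234"),
    }
    try:
        card.read_index("loyalty")                        # a minor app asking for the index
        results["index_readable_by_minor"] = True
    except PermissionError:
        results["index_readable_by_minor"] = False
    return results
```

The audit list records why an invocation was refused, which is the information a card issuer would
want when deciding whether a failed second authentication came from the user or from a minor
application that was never registered.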

7.2 Multiple Applications Under Single Specification

Nowadays, many card applications serve similar purposes or make use of similar resources to
perform their services, such as different kinds of identification cards or licenses, different
sorts of merchant incentive cards which store "points" for frequent purchaser programs, and
credit/debit cards from different financial institutions, etc. These applications are suitable and
feasible to integrate together in order to increase the functionality of the card and decrease the
resources spent, by sharing commonly required information such as the card holder's information.
One of the conditions for applications to be united in this system is that they have to be governed
by a single specification or standard under a certain authority. Figure 4 illustrates this model.

Figure 4: Multiple applications under single specification

7.2.1 Data Ownership and Management
Ownership and management of the card and data become a bit more complicated because the
applications come from different institutes or organisations. However, as all the applications
follow the same specification and standard from a certain authority, it is recommended to assign
the corresponding authority to establish the system and distribute the card. The card can either
belong to that authority or be purchased by the end user, depending on the nature of the services
provided by those applications. Management of those applications should be made upon the request
of the card holder, when he or she can provide positive identification of being the correct owner.
On the other hand, when an organisation which establishes the card system provides applications
for its own card, that particular organisation can have both the ownership and the management of
the card.
7.2.2 Data Directory Configuration and Partitioning
Before implementing or providing a new application, the application provider has to request a
unique identification number from the corresponding authority, and that unique number may serve
as the dedicated file (DF) number so that the new application can be stored under the assigned
functional group without conflict with others. In addition, a particular identification number is
reserved for the common criteria application, which is developed by the central authority and
will be installed when the card is issued. That application is used to handle the common
requirements of all the integrated applications, such as user identification and information.
Figure 5 shows a general view of the directory structure.

Figure 5: General view of directory structure

7.2.3 Security and Data Sharing
All the applications integrated into this system should provide and achieve similar services and
functions, so they will have similar requirements on the level of security. As a result, the
cryptographic and security mechanisms implemented by the central authority can be shared and
used by different applications. Applications which are going to be united should agree and
conform to the specification from the corresponding central authority.
However, access to individual applications should be protected by the system security module.
This can be done by identifying the source of the request and the destination application. For
example, when application A is activated by the user, A issues a request, with A as both the
source and the destination, to the shared common security module for authentication. If the
result is positive, a ticket for accessing A is returned to the source, which is A in this example.
When A receives the ticket and finds that the ticket grants access to A, it unlocks itself and
allows access. Figure 6 illustrates this mechanism.

Figure 6: Authentication of an application

When there is a need to share data, the applications involved should implement a second security
module. For example, when application A requests access to application B, A issues a request,
with A as the source and B as the destination, to the shared common security module. When the
security module sees that the source differs from the destination, it passes the request on to B.
B activates its own security module upon receipt of the request. After successful acknowledgment,
B unlocks itself for access by A. All the remaining transactions and communications between
applications should have the source and destination specified in order to ensure that only the
correct applications are accessed. Figure 7 shows this model.
Figure 7: Data sharing between applications
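The ticket mechanism of figures 6 and 7, as an added example written for this text (not code from
the seminar paper or from any card operating system). A shared security module owned by the
central authority receives every access request with a source and a destination. If they are the
same application (figure 6) the module authenticates the user and returns a ticket naming that
application, which unlocks only when the ticket's destination is itself. If they differ (figure 7)
the module forwards the request to the destination's own second security module before issuing a
ticket. Tickets carry an HMAC so that an application cannot forge one or reuse a ticket issued for
another application. The signing key, the user PIN, the peer secret held by B's second module and
the application names are constructed values; the paper does not specify how the ticket is
protected, so the HMAC is an assumption of this example.

```python
"""Added example: shared security module with source/destination tickets (section 7.2.3)."""

import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


class SharedSecurityModule:
    """The central authority's common security module (constructed model)."""

    def __init__(self, key: bytes, user_pin: str) -> None:
        self._key = key            # constructed ticket-signing key of the authority
        self._pin = user_pin       # constructed user authentication secret
        self._apps: Dict[str, "Application"] = {}

    def register(self, app: "Application") -> None:
        self._apps[app.app_id] = app

    def request(self, source: str, destination: str, credential: str) -> Optional[str]:
        """Handle one access request; returns a ticket or None."""
        if source not in self._apps or destination not in self._apps:
            return None
        if source == destination:
            # figure 6: the user activates an application; the shared module authenticates
            if not hmac.compare_digest(credential, self._pin):
                return None
        elif not self._apps[destination].second_module(source, credential):
            # figure 7: a different destination, so its own security module decides
            return None
        return self._issue(source, destination)

    def _issue(self, source: str, destination: str) -> str:
        body = f"{source}\x00{destination}"
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "\x00" + tag

    def parse(self, ticket: str) -> Optional[Tuple[str, str]]:
        """Return (source, destination) only if the ticket was issued by this module."""
        parts = ticket.split("\x00")
        if len(parts) != 3:
            return None
        source, destination, tag = parts
        body = f"{source}\x00{destination}".encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return source, destination


class Application:
    """One application on the card, with its own (second) security module."""

    def __init__(self, app_id: str, module: SharedSecurityModule, peers: Dict[str, str]) -> None:
        self.app_id = app_id
        self.module = module
        self._peers = peers            # second module: secrets shared with trusted peer apps
        self.unlocked = False
        self.unlocked_for: Set[str] = set()
        module.register(self)

    def second_module(self, source: str, credential: str) -> bool:
        expected = self._peers.get(source)
        return expected is not None and hmac.compare_digest(credential, expected)

    def receive_ticket(self, ticket: Optional[str]) -> bool:
        """Unlock only when a genuine ticket names this application as its destination."""
        parsed = self.module.parse(ticket) if ticket is not None else None
        if parsed is None or parsed[1] != self.app_id:
            return False
        if parsed[0] == self.app_id:
            self.unlocked = True                      # figure 6: unlocked for the user
        else:
            self.unlocked_for.add(parsed[0])          # figure 7: unlocked for a peer app
        return True

    def activate(self, credential: str) -> bool:
        return self.receive_ticket(self.module.request(self.app_id, self.app_id, credential))

    def request_access(self, other: "Application", credential: str) -> bool:
        return other.receive_ticket(self.module.request(self.app_id, other.app_id, credential))


def demo() -> dict:
    """Constructed walk-through of both figures plus two rejected tickets."""
    module = SharedSecurityModule(b"constructed-authority-key", user_pin="4321")
    a = Application("A", module, peers={})
    b = Application("B", module, peers={"A": "a-to-b-secret"})
    d = Application("D", module, peers={})
    return {
        "a_activates": a.activate("4321"),
        "d_bad_pin": d.activate("0000"),
        "a_reads_b": a.request_access(b, "a-to-b-secret"),
        "b_unlocked_for": sorted(b.unlocked_for),
        "d_not_a_peer": d.request_access(b, "a-to-b-secret"),
        "misdirected": b.receive_ticket(module.request("A", "A", "4321")),
        "forged": b.receive_ticket("A\x00B\x00" + "00" * 32),
    }
```

The two rejected cases are the ones worth checking in any implementation of this scheme: a ticket
issued for A must not unlock B even though it is genuine, and a ticket an application assembles
itself must fail verification at the destination.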
7.2.4 Application Invocation and Authentication
A service index file, which contains information about the available applications and links to
the corresponding dedicated files, should be updated whenever a new application is added. This
file should be readable by anyone, but writable by the central authority only. The user should
invoke the application through the index file, or invoke it directly when the dedicated file Id is
known. The application should be activated and a request for authentication sent to the shared
common security module with the source and destination as described above in section 4.3.
Details are shown in figure 6. The method of authentication should follow the standard
specification of the corresponding authority, which may differ from one authority to another.
7.2.5 Application Expansion
All new applications which are going to be integrated should be registered with the respective
authority in order to obtain a unique identification number. Card holders can have the new
application added upon requesting an update. Authentication through the shared common security
module can be considered secure because the new application should always conform to the
standard specification from the respective authority, which specifies the level of security the
system is going to achieve. After the application is added, the corresponding service index file
should be updated as well.
7.2.6 Examples and Summary
All the different identification cards and licenses issued by the government, such as the citizen
identification card, driving license, fishing or hunting license, passport, council library card,
etc., can be integrated together under the system discussed here, because they all conform to a
single specification from the government and serve identification purposes. Another example is
multiple merchant incentive programs which allow card holders to store "points" for frequent
purchaser programs across multiple merchants. This is workable as most of those programs require
only basic information about the card holder and a lower level of security; therefore that
information can be shared in order to verify the owner. In summary, applications integrated under
this scheme can reduce the duplication of resources and facilitate the management of different
applications.

7.3 Multiple Independent Applications In A Single Card

The major trend of the next generation of smart cards is the merging of multiple independent
applications into a single card, which enables the card holder to accomplish different unrelated
tasks with more ease and convenience. This kind of multiple application smart card is always
referred to as an electronic purse or wallet. Figure 8 presents this model.

Figure 8: Multiple independent applications in a single smart card

However, in order to build this kind of multiple application smart card, which has to be
sophisticated and generic enough to accommodate different kinds of applications without
interfering with any existing applications or weakening any existing security mechanisms, we need
to break through a lot of different barriers which have always been a source of controversy.
In this section, we try to propose a feasible model in terms of data ownership and management,
directory configuration and partitioning, security and data sharing, application invocation and
authentication, etc. However, before we go on to discuss those issues, we assume that there is a
standard smart card operating system and a standard specification which specifies how
applications operate and interface with each other and with the outside world.
7.3.1 Data Ownership and Management
The owner of the card or data should not be an application provider, as a single card contains
more than one application. For the card provider to claim ownership is also impractical, as there
may not be a relationship between the card provider and the application providers. Therefore it is
recommended that the card holder be the owner. Whenever a person wants services from application
providers, he or she can purchase a smart card from one of the card providers and have the
applications added to it.
The smart card provider can be an agent of different application providers, so that customers
can have applications installed on the card when they purchase it. This kind of scheme can be
achieved by having an agency similar to the post offices in Australia, which are agents of
different organisations such as banks, telecom companies, and electricity boards. Management and
maintenance of the applications on the card can be done by the card provider, as they are
authorised by the different application providers. Security concerns are discussed in the
following section.
7.3.2 Data Directory Configuration and Partitioning
As there is no central authority to organise and assign identification numbers for applications,
duplicate file Ids may be used by different applications. Therefore, it is proposed to assign file
Ids to applications sequentially and maintain them in an index file. When there is a new
application, it will be allocated the next available file Id. The index file would be accessible by
anyone without protection; this should not make the system insecure since there is no identity or
authentication information inside the file. Figure 9 shows an overview of the file
Figure 9: File structure overview
7.3.3 Security and Data Sharing
It is likely that each embedded application will have its own specific security requirements, so
it is difficult to design a multi-application smart card that allows applications to share the
hardware and operating system while keeping different security schemes for each of them. A unique
identification module will be created and made available to each existing or future application.
It must be flexible enough to fit any security policy and to drive any biometric process. It will
supervise the various biometric tools and communicate directly with them. This module will act as
a component of the card operating system. Figure 10 shows a conceptual view of it.

Figure 10: Conceptual view of the security module

According to the application's requirements, the identification module can activate one of the
available biometric modules. A response will be received from the dedicated biometric module. As
different applications may require a more flexible decision process, it is assumed that the result
is a standardised number representing the measured level of matching. Biometric identification is
used here because it seems to provide a promising result: it uses basic characteristics of the
individual and does not require any artificial link to the card holder. Consequently, each
application can assign its own identification scheme and matching level for acceptance, so that
the same measurement can lead one application to accept the transaction and another to refuse it.
For communication and data sharing between applications, each of them is required to activate its
own identification process. If the result leads one of the applications not to be initiated, the
other applications must receive an alarm. This common evaluation of the risk by all the
applications can be implemented by creating a common index of confidence.
For the details of the scheme described above, please refer to Cordonnier & Watson, 1996.
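The identification module of section 7.3.3, as an added example written for this text (not code from
the seminar paper or from Cordonnier & Watson). Biometric modules return a standardised matching
level from 0 to 100; every application registers the biometric it wants and its own acceptance
level, so the same measurement can satisfy one application and be refused by another. A failed
identification raises an alarm for every other application, and the measured levels are kept as
the common index of confidence. The bit-match "biometric", the enrolled template, the application
names and the thresholds are all constructed; treating the index of confidence as the per-application
levels recorded by the module is this example's reading of the paper, not a detail the paper states.

```python
"""Added example: identification module with per-application match thresholds (section 7.3.3)."""

from dataclasses import dataclass
from typing import Callable, Dict, List


def make_matcher(template: bytes) -> Callable[[bytes], int]:
    """Constructed toy biometric module: the level is the percentage of bits in the
    presented sample that agree with the enrolled template (real matchers are far richer)."""
    total_bits = len(template) * 8

    def match(sample: bytes) -> int:
        if len(sample) != len(template):
            return 0
        differing = sum(bin(s ^ t).count("1") for s, t in zip(sample, template))
        return round(100 * (total_bits - differing) / total_bits)

    return match


@dataclass
class AppPolicy:
    app_id: str
    biometric: str      # name of the biometric module the application relies on
    accept_level: int   # minimum standardised matching level the application accepts


class IdentificationModule:
    """Component of the card OS shared by all applications (constructed model)."""

    def __init__(self, biometrics: Dict[str, Callable[[bytes], int]]) -> None:
        self._biometrics = biometrics
        self._policies: Dict[str, AppPolicy] = {}
        self.confidence: Dict[str, int] = {}    # common index of confidence
        self.alarms: List[str] = []

    def register(self, policy: AppPolicy) -> None:
        self._policies[policy.app_id] = policy

    def identify(self, app_id: str, sample: bytes) -> bool:
        """Run the biometric chosen by app_id and apply that application's own threshold."""
        policy = self._policies[app_id]
        level = max(0, min(100, self._biometrics[policy.biometric](sample)))
        self.confidence[app_id] = level
        accepted = level >= policy.accept_level
        if not accepted:
            # every other application is told that one identification failed
            self.alarms.extend(f"{other}:alarm-from-{app_id}"
                               for other in self._policies if other != app_id)
        return accepted

    def share_allowed(self, requester: str, provider: str, sample: bytes) -> bool:
        """Data sharing needs each involved application to run its own identification."""
        return self.identify(requester, sample) and self.identify(provider, sample)


def demo() -> dict:
    """Constructed walk-through: one noisy sample, two applications with different thresholds."""
    template = bytes(range(16))              # constructed enrolled template, 128 bits
    noisy = bytearray(template)
    noisy[0] ^= 0b0000_0111                  # 3 bits differ
    noisy[5] ^= 0b0000_0011                  # 2 more bits differ -> 123/128 agree -> level 96
    module = IdentificationModule({"fingerprint": make_matcher(template)})
    module.register(AppPolicy("library", "fingerprint", accept_level=90))
    module.register(AppPolicy("payment", "fingerprint", accept_level=98))
    results = {
        "library_noisy": module.identify("library", bytes(noisy)),
        "payment_noisy": module.identify("payment", bytes(noisy)),
        "confidence_after_noisy": dict(module.confidence),
        "alarms_after_noisy": list(module.alarms),
        "payment_clean": module.identify("payment", template),
        "share_clean": module.share_allowed("library", "payment", template),
    }
    results["alarms_final"] = list(module.alarms)
    return results
```

The payment application refuses the sample the library application accepts, which is the
behaviour the section describes; the alarm list lets the other applications on the card react to
that refusal before any data sharing with the refusing application proceeds.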
7.3.4 Application Invocation and Authentication
Applications can be accessed through the index file. However, a search of the file is required in
order to select the correct application. Authentication can be made by installing a digital
signature scheme on the card and making use of public and private key cryptographic algorithms
to protect access to the index file. For authentication when using applications, the scheme
described in section 5.3 will be used.
7.3.5 Application Expansion
Apart from the memory size of the smart card, application expansion is not limited under this
system. Whenever application providers create new applications which conform to the standard
smart card application programming interface (API), they can distribute their products through
the smart card provider or agency.

8. Major application of smart cards

Smart cards help businesses evolve and expand their products and services in a changing global
marketplace. The scope of uses for a smart card has expanded each year to include applications
in a variety of markets and disciplines. In recent years, the information age has introduced an
array of security and privacy issues that have called for advanced smart card security
8.1 Information Technology
Businesses, the government and healthcare organizations continue to move towards storing and
releasing information via networks, Intranets, extranets and the Internet. These organizations are
turning to smart cards to make this information readily available to those who need it, while at
the same time protecting the privacy of individuals and keeping their informational assets safe
from hacking and other unwanted intrusions. In this capacity, smart cards enable:
• Secure logon and authentication of users to PCs and networks
• Secure B2B and B2C e-commerce
• Storage of digital certificates, credentials and passwords
• Encryption of sensitive data
8.2 Wireless Communications
People using the Global System for Mobile communications (GSM) standard for mobile phones
use smart card technology. The smart card is inserted or integrated into the mobile handset. The
card stores personal subscriber information and preferences that can be PIN code protected and
transported from phone to phone. The smart cards enable:
• Secure subscriber authentication
• Roaming across networks
• Secure mobile value added services
Wireless providers benefit from reduced fraud thanks to the security offered by smart cards.
With the advent of mobile services such as mobile commerce, web browsing, and information
services, wireless providers rely on smart cards to act as the security mechanism to protect those
services. As a result, smart cards are beginning to move beyond GSM to secure mobile services
for other wireless standards as well.
8.3 Commercial Applications
Smart cards also provide benefits for a host of commercial applications in both B2B and B2C
environments. The smart card’s portability and ability to be updated make it a technology well
suited for connecting the virtual and physical worlds, as well as multi-partner card programs. The
cards store information, money, and/or applications that can be used for:
• Banking/payment
• Loyalty and promotions
• Access control
• Stored value
• Identification
• Ticketing
• Parking and toll collection

8.4 Multiple applications

A multiple application smart card, referred to as an electronic wallet by the card industry, can
adapt to or integrate a wide range of applications. It can be a credit or debit card, citizen
identification card, driver's license, gas card, student card, etc. In summary, for a truly
multiple application smart card, there should be no limit on what kind of applications are
installed on it, as long as the security inside the card is maintained.

9. Attacks on Smart Card

As discussed above, the smart card seems to be a superior tool for enhancing system security and
provides a place for secure storage. One of the security features provided by most smart card
operating systems is the cryptographic facilities. They provide encryption and decryption of data
for the card; some of them can even be used to generate cryptographic keys. The secrecy of the
cryptographic algorithm, the stored keys, and the access control inside the smart card become the
targets of attackers. Nowadays many companies and cryptographers claim to be able to break the
smart card and its microcontroller. Some of them perform logical non-invasive attacks, some of
them attack the card physically, while others just prove their success by mathematical theorems.
The first two are briefly examined below to see how the attacks are achieved. The third one is
not discussed here, since those attacks are theoretical and relate to a lot of complicated
mathematical calculations and formulas.
9.1 Logical Attacks
As all the key material of a smart card is stored in electrically erasable programmable read-only
memory (EEPROM), and due to the fact that EEPROM write operations can be affected by unusual
voltages and temperatures, information can be trapped by raising or dropping the voltage supplied
to the microcontroller. Several examples of attacking the smart card microcontroller by adjusting
the voltage are given below.
For example, a widely known attack on the PIC16C84 microcontroller is that the security bit of the
controller can be cleared without erasing the memory by raising the voltage VCC to VPP - 0.5V. An
attack on the DS5000 security processor is another example: a short voltage drop can sometimes
release the security lock without erasing the secret data. Low voltage can facilitate other attacks
as well; for example, an analogue random number generator used to create cryptographic keys will
produce an output of almost all 1's when the supply voltage is lowered slightly.
For these reasons, some security processors implement sensors which raise an alarm when there is
any environmental change. However, these kinds of sensors always cause false alarms due to the
fluctuations that occur when the card is powered up and the circuit is stabilising. Therefore this
scheme is not commonly used.
9.2 Physical Attacks
Invasive physical attacks are typical. Before this kind of attack can be performed, the chip has
to be removed from the plastic card. This can be done by simply using a sharp knife to cut away
the plastic behind the chip module until the epoxy resin becomes visible. Then the resin can be
dissolved by adding a few drops of fuming nitric acid (>98% HNO3). The acid and resin can be
washed away by shaking the card in acetone until the silicon surface is fully exposed. Ultimately
the chip can be examined and attacked directly.
There are many different ways to perform physical attacks: for instance, erasing the security
lock bit by focusing UV light on the EPROM, probing the operation of the circuit using
microprobing needles, or using laser cutter microscopes to explore the chip, and so on. However,
these kinds of attacks are only available to well-funded laboratories, as the associated costs are
considerably high. As technology advances quickly, manufacturers update and enhance their products
constantly. Therefore, as soon as the hackers find ways of hacking the system, the problems could
be solved by the new generation of technology.


It is believed that smart cards offer more security and confidentiality than other kinds of
information or transaction storage. Moreover, the applications built with smart card technologies
that are illustrated here demonstrate that the smart card is one of the best solutions for
providing and enhancing system security and integrity.
Finally, it is concluded that the smart card is an intrinsically secure device. It is a safe place
to store valuable information such as private keys, account numbers, and valuable personal data
such as biometric information. The smart card is also a secure place to perform off-line processes
such as public or private key encryption and decryption. The smart card can be an element of the
solution to a security problem in the modern world.
Electronics Today 07/2004