Smart Cards
ABSTRACT This seminar presents some basic concepts of smart cards. It discusses the physical and logical structure of the smart card and the corresponding security access control. It is believed that smart cards offer more security and confidentiality than other kinds of information or transaction storage. Applications built on smart card technologies are illustrated, demonstrating that the smart card is one of the best ways for a system to provide and enhance security and integrity. The seminar also briefly covers the contactless type of smart card. Different schemes for organising and accessing a multiple application smart card are discussed. The first and second schemes are practical and workable today, and real applications have been developed using those models. The third, multiple independent applications in a single card, still has a long way to go before it becomes feasible, for several reasons. At the end of the paper, an overview of attack techniques against the smart card is given as well. The existence of those attacks does not mean that the smart card is insecure. It is important to realise that attacks against secure systems are nothing new or unique. Any claim that a system or technology is 100% secure is irresponsible. Whether a system is secure depends mainly on whether its level of security meets the requirements of the system.
www.seminarsonly.com
Seminar Report
Smart Cards
Table of contents
1. Introduction
2. Physical Structure and Life Cycle
Introduction
The smart card is one of the latest additions to the world of information technology. Similar in size to today's plastic payment card, the smart card has a microprocessor or memory chip embedded in it that, when coupled with a reader, has the processing power to serve many different applications. As an access-control device, smart cards make personal and business data available only to the appropriate users. Another application provides users with the ability to make a purchase or exchange value. Smart cards provide data portability, security and convenience. Smart cards come in two varieties: memory and microprocessor. Memory cards simply store data and can be viewed as a small floppy disk with optional security. A microprocessor card, on the other hand, can add, delete and manipulate information in its memory on the card. Similar to a miniature computer, a microprocessor card has an input/output port, operating system and hard disk with built-in security features. On a fundamental level, microprocessor cards are similar to desktop computers. They have operating systems, they store data and applications, they compute and process information and they can be protected with sophisticated security tools. The self-containment of the smart card makes it resistant to attack, as it does not need to depend upon potentially vulnerable external resources. Because of this characteristic, smart cards are often used in applications which require strong security protection and authentication.
For example, a smart card can act as an identification card, which is used to prove the identity of the card holder. It can also be a medical card, which stores the medical history of a person. Furthermore, the smart card can be used as a credit/debit bank card which allows off-line transactions. All of these applications require sensitive data to be stored in the card, such as biometric information of the card owner, personal medical history, and cryptographic keys for authentication. In the near future, traditional magnetic stripe cards will be replaced and integrated into a single card by using the multi-application smart card, which is known as an electronic purse or wallet in the smart card industry. The smart card is becoming more and more significant and will play an important role in our daily life. It will be used to carry more sensitive and critical data about consumers than ever before.
Figure 1: Physical structure of a smart card
The printed circuit conforms to ISO standard 7816/3, which provides five connection points for power and data. It is hermetically fixed in the recess provided on the card and is burned onto the circuit chip, filled with a conductive material, and sealed with contacts protruding. The printed circuit protects the circuit chip from mechanical stress and static electricity. Communication with the chip is accomplished through contacts that overlay the printed circuit. The capability of a smart card is defined by its integrated circuit chip. Typically, an integrated circuit chip consists of a microprocessor, read only memory (ROM), non-static random access memory (RAM) and electrically erasable programmable read only memory (EEPROM) which will
retain its state when the power is removed. The current circuit chip is made from silicon, which is not flexible and is particularly easy to break. Therefore, in order to avoid breakage when the card is bent, the chip is restricted to only a few millimeters in size. Furthermore, the physical interface which allows data exchange between the integrated circuit chip and the card acceptor device (CAD) is limited to 9600 bits per second. The communication line is a bi-directional serial transmission line which conforms to ISO standard 7816/3. All data exchanges are under the control of the central processing unit in the integrated circuit chip. Card commands and input data are sent to the chip, which responds with status words and output data upon receipt of these commands and data. Information is sent in half duplex mode, which means data is transmitted in one direction at a time. This protocol, together with the restriction of the bit rate, prevents massive data attacks on the card. In general, the size, thickness and bend requirements for the smart card are designed to protect the card from being physically damaged. However, this also limits the memory and processing resources that may be placed on the card. As a result, the smart card always has to cooperate with external peripherals to operate. For example, it may require a device to supply user input and output, time and date information, power and so on. These limitations may degrade the security of the smart card in some circumstances, as the external elements are untrusted and precarious.
1. Life Cycle of a Smart Card
There is an operating system inside each smart card which may contain a manufacturer identification number (ID), type of component, serial number, profile information, and so on. More importantly, the system area may contain different security keys, such as the manufacturer key or fabrication key (KF), and the personalization key (KP). All of this information should be kept secret and not be revealed to others. Hence, from the manufacturer to the application provider and then the card holder, the production of a smart card is divided into different phases. Limitation on transfer and access of data is incremental
at different phases in order to protect different areas in the smart card. There are five main phases for a typical smart card life cycle. We will discuss each of them below.
3.1 Fabrication Phase
This phase is carried out by the chip manufacturers. The silicon integrated circuit chip is created and tested in this phase. A fabrication key (KF) is added to protect the chip from fraudulent modification until it is assembled into the plastic card support. The KF of each chip is unique and is derived from a master manufacturer key. Other fabrication data will be written to the circuit chip at the end of this phase. Then the chip is ready to be delivered to the card manufacturer under the protection of the key KF.
3.1.2. Personalisation Phase
This phase is conducted by the card issuers. It completes the creation of logical data structures. Data file contents and application data are written to the card. Information on the card holder's identity, PIN, and unblocking PIN will be stored as well. At the end, a utilization lock VUTIL will be written to indicate that the card is in the utilization phase.
This is the phase for the normal use of the card by the cardholder. The application system, logical file access controls, and others are activated. Access of information on the card will be limited by the security policies set by the application. This will be discussed in detail in the next section.
Figure 2: Logical file structure of smart card
In smart card terminology, for the root or master file (MF), besides the header part which consists of itself, the body part contains the headers of all of the dedicated files and elementary files which
contain the MF in their parental hierarchy. The dedicated file (DF) is a functional grouping of files consisting of itself and all the files which are immediate children of the DF. The elementary file (EF) simply consists of its header and the body which stores the data. The way data is managed within a file differs between operating systems. Some manage the data simply by offset and length, while others organise data in fixed or variable length records, as in the Global System for Mobile Communication (GSM) system. In any case, the file must be selected before any operation is performed on it. This is equivalent to opening a file. The logical access and selection mechanisms are activated after power is supplied to the card, and the master file is selected automatically. The selection operation allows movement around the tree. It can be descending by selecting an EF or a DF, or it can be ascending by selecting an MF or DF. Horizontal movement can be done by selecting an EF from another EF as well. After a successful selection, the header of the file can be retrieved, which stores information about the file such as identification number, description, type, size, and so on. In particular, it stores the attributes of the file, which state the access conditions and current status. Access to the data in the file depends on whether those conditions can be fulfilled. This will be described in the following section. In short, the file structure of the smart card operating system is similar to that of other common operating systems such as MS-DOS and UNIX. However, in order to provide greater security control, the attributes of each file are enhanced by adding access conditions and file status fields to the file header. Moreover, a file lock is provided to prevent the file from being accessed. These security mechanisms and algorithms provide logical protection of the smart card.
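The selection and access rules just described, modelled as an added example (not code from the original report): a toy file tree with MF, DF and EF nodes, header attributes, and a session that moves around the tree. The file identifiers, the condition names ALWAYS/PIN/NEVER and the rule that a condition set on a DF also covers the files beneath it are assumptions of this sketch.

```python
from typing import Optional


class SelectError(Exception):
    """The requested file is not reachable from the current position."""


class AccessDenied(Exception):
    """An access condition or file lock in a header forbids the operation."""


class CardFile:
    def __init__(self, fid, kind, read_cond="ALWAYS", locked=False, body=b""):
        self.fid = fid              # file identifier (constructed sample value)
        self.kind = kind            # "MF", "DF" or "EF"
        self.read_cond = read_cond  # header attribute: "ALWAYS", "PIN" or "NEVER"
        self.locked = locked        # header status field: file lock
        self.body = body            # only an EF carries data
        self.parent: Optional["CardFile"] = None
        self.children = {}

    def add(self, child):
        child.parent = self
        self.children[child.fid] = child
        return child

    def header(self):
        return {"fid": self.fid, "kind": self.kind, "size": len(self.body),
                "read": self.read_cond, "locked": self.locked}


class CardSession:
    def __init__(self, mf):
        self.mf = mf
        self.current = mf           # the MF is selected automatically at power-up
        self.pin_verified = False   # set by a PIN check, which this sketch leaves out

    def _directory(self):
        # The MF/DF we are "in": the current file itself, or an EF's parent.
        return self.current if self.current.kind != "EF" else self.current.parent

    def select(self, fid):
        d = self._directory()
        if fid == self.mf.fid:
            target = self.mf                    # ascend to the root
        elif fid == d.fid:
            target = d                          # ascend from an EF to its DF
        elif d.parent is not None and fid == d.parent.fid:
            target = d.parent                   # ascend one level
        elif fid in d.children:
            target = d.children[fid]            # descend, or EF -> sibling EF
        else:
            raise SelectError(f"{fid} not reachable from {self.current.fid}")
        self.current = target
        return target.header()                  # header is returned on success

    def read(self):
        f = self.current
        if f.kind != "EF":
            raise AccessDenied("only an EF has a data body")
        node = f
        while node is not None:     # the file's own header, then every DF above it
            if node.locked:
                raise AccessDenied(f"{node.fid} is locked")
            if node.read_cond == "NEVER":
                raise AccessDenied(f"{node.fid} may never be read")
            if node.read_cond == "PIN" and not self.pin_verified:
                raise AccessDenied(f"{node.fid} requires PIN presentation")
            node = node.parent
        return f.body


def build_sample_card():
    """Constructed sample layout: two applications under the master file."""
    mf = CardFile("3F00", "MF")
    mf.add(CardFile("2F01", "EF", body=b"SERIAL-0001"))
    ident = mf.add(CardFile("7F10", "DF"))
    ident.add(CardFile("6F01", "EF", read_cond="PIN", body=b"HOLDER: A. SAMPLE"))
    ident.add(CardFile("6F02", "EF", read_cond="NEVER", body=b"\x00" * 16))
    purse = mf.add(CardFile("7F20", "DF", read_cond="PIN"))
    purse.add(CardFile("6F10", "EF", locked=True, body=b"\x00\x64"))
    return mf


def try_read(session):
    """Read the selected EF, returning the refusal reason instead of raising."""
    try:
        return session.read()
    except AccessDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    s = CardSession(build_sample_card())
    for fid in ("7F10", "6F01"):
        print("select", fid, "->", s.select(fid))
    print("read before PIN:", try_read(s))
    s.pin_verified = True
    print("read after PIN: ", try_read(s))
```

Selecting `6F10` while positioned inside `7F10` raises `SelectError`: the session has to ascend to the MF and descend into `7F20` first, which is the tree movement the paragraph describes.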
In this state, all operations that require PIN presentation, and even the PIN presentation instruction itself, are blocked. The unblock PIN instruction has to be carried out. If the correct unblocking PIN is presented, the PIN counter will be reset to the maximum number of tries and the card goes back to the first state. However, if an invalid unblocking PIN is presented, the unblock PIN counter will be decremented by one, and when this counter reaches zero, the PIN can never be unblocked again. Summing up the file structure and access control the smart card provides, data stored on the card can be protected either individually, by setting access conditions in the header of each file, or hierarchically, by grouping files together under a single dedicated file (DF) with access conditions set on it. Furthermore, the irreversible blockage gives maximum protection to the card so that massive intrusion attempts are impossible.
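The blocked state and the unblocking rule above, as an added example rather than code from the original report. The counter limits (3 and 10), the state names, the reset of the PIN counter on a correct PIN and the decrement-before-compare ordering are assumptions of this sketch; the page itself states only the unblocking behaviour.

```python
import hmac


class PinGuard:
    """PIN and unblock-PIN retry counters of a card (simulation)."""

    def __init__(self, pin: bytes, unblock_pin: bytes,
                 max_tries: int = 3, max_unblock_tries: int = 10):
        self._pin = pin
        self._unblock_pin = unblock_pin
        self.max_tries = max_tries                    # assumed limit
        self.tries_left = max_tries
        self.unblock_tries_left = max_unblock_tries   # assumed limit
        self.verified = False
        self.comparisons = 0    # guesses the card actually evaluated

    @property
    def state(self) -> str:
        if self.tries_left > 0:
            return "VERIFIED" if self.verified else "PIN_REQUIRED"
        # PIN counter exhausted: blocked, or blocked for good
        return "BLOCKED" if self.unblock_tries_left > 0 else "DEAD"

    def present_pin(self, candidate: bytes) -> str:
        if self.tries_left == 0:
            return self.state   # PIN presentation itself is blocked
        # Spend the try before comparing, so an interrupted comparison
        # (e.g. power removed mid-check) still costs an attempt.
        self.tries_left -= 1
        self.comparisons += 1
        if hmac.compare_digest(candidate, self._pin):   # constant-time compare
            self.tries_left = self.max_tries
            self.verified = True
        else:
            self.verified = False
        return self.state

    def unblock(self, candidate: bytes) -> str:
        if self.state != "BLOCKED":
            return self.state   # nothing to unblock, or irreversibly blocked
        self.unblock_tries_left -= 1
        self.comparisons += 1
        if hmac.compare_digest(candidate, self._unblock_pin):
            self.unblock_tries_left += 1        # only invalid tries are counted
            self.tries_left = self.max_tries    # PIN counter back to maximum
            self.verified = False               # back to the first state
        return self.state


def guesses_until_dead(guard: PinGuard, wrong: bytes = b"\xff\xff\xff\xff") -> int:
    """Feed wrong values until the card is permanently blocked.

    Returns how many guesses the card evaluated, i.e. the total guessing
    budget of someone who knows neither the PIN nor the unblocking PIN.
    """
    while guard.state != "DEAD":
        if guard.state == "BLOCKED":
            guard.unblock(wrong)
        else:
            guard.present_pin(wrong)
    return guard.comparisons


if __name__ == "__main__":
    g = PinGuard(b"4821", b"73019462")      # constructed sample secrets
    for attempt in (b"0000", b"1111", b"2222", b"4821"):
        print(attempt, "->", g.present_pin(attempt), "tries left:", g.tries_left)
    print("unblock ->", g.unblock(b"73019462"))
    print("guess budget on a fresh card:",
          guesses_until_dead(PinGuard(b"4821", b"73019462")))
```

With these sample limits the card evaluates at most 13 wrong guesses before it is blocked for good, which is the bound the irreversible blockage puts on guessing.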
3. Procedural Protection
After an overview of the physical and logical protection given by the smart card, it is time to look at how we can make use of the smart card to protect and secure our systems in real life. Because of the on-board computing power of the smart card, it is possible to achieve off-line transactions and verifications. For instance, a smart card and a card acceptor device (CAD) can identify each other by using the mutual active authentication method. Moreover, data and code stored on the card are encrypted by the chip manufacturer using computational scrambling encryption, which makes the circuit chip almost impossible to forge. All of these features, together with the protected access control, were discussed in the previous section. Today, smart cards are being used in different areas because they can be used together with other technologies, such as asymmetric cryptographic algorithms and biometric identification, to provide highly assured and trusted applications. This section discusses three particular areas which demonstrate how different systems can make use of the smart card to enhance their security.
accessed and owned; as a result, high quality fraudulent documents can be produced easily. This makes the inspection of documents more and more difficult. The smart card is probably the best solution to this problem. Printed information and photographs can be digitised and stored in the card. By setting up access conditions and passwords on files, only authorised persons or authorities, such as government departments, are allowed to access the information. Moreover, together with biometrics technology, biometric information of the card holder can be placed on the card, so that the smart card can cooperate with a biometrics scanner to identify or verify whether the card is owned by the card holder or not. This significantly improves the reliability of the document the smart card carries. The operating procedures could be similar to the traditional paper-based identification system. However, instead of the documents being verified by the observation of an inspection officer, a card acceptor device will be used. The device, which contains the authorised code and PIN, can unlock the file and retrieve the owner's information for verification. When biometrics is used, the user can be authenticated by placing the required part of his or her body onto a biometrics reader; the data collected by the reader can be compared with the data in the card. Nowadays, many organisations and governments in different countries are already researching these issues. For example, many airlines intend to develop electronic tickets using smart cards which co-operate with the baggage handling system in some airports. The smart card typically stores the passenger's flight details such as name, seat number, flight number, baggage details and so on. This helps to verify that the correct passenger has checked in and to identify the owner of baggage in case of lost or unclaimed baggage. More importantly, the system may help to identify criminals and terrorists.
In summary, it is anticipated that using the smart card as an identification document will be the future trend, replacing traditional paper-based certificates. Information stored on the card about the owner will increase and become more and more sensitive. Therefore, the current access control system based on PIN presentation may not be secure enough. It is suggested that the card operating system may have to co-operate with some kind of authentication algorithm to protect all the files or even the whole system.
Figure 3: Kerberos authentication protocol
With this protocol, the server can be assured that it is offering services to the correct client who is entitled to access. This is because Kerberos assumes that only the correct user can use the credential, as others do not have the password to decrypt it. For the same reason, a user can actually request the credential of another user. That is, the user is not authenticated at the beginning stage.
In this way, an attacker can obtain the credential of another user and perform an off-line attack using a password guessing approach, as the ticket is sealed by a password only. The whole idea is to enhance the security of Kerberos authentication by authenticating the user directly at the beginning, before the initial ticket is granted, so that one user cannot obtain the ticket of another. In addition, the use of a smart card requires a user logging into the system not only to recall a password, but also to be in possession of a token.
The smart card can also store the checksums of critical data and executable programs. This is effective against viruses because it validates file integrity rather than scanning for known virus signatures. In general, the use of the smart card here enhances the security of the computer by utilising the card's inherent secure storage and processing capabilities.
these standards are intelligent, read/write devices capable of storing different kinds of data and operating at different ranges. Standards-based contactless smart cards can authenticate a person's identity, determine the appropriate level of access, and admit the cardholder to a facility, all from data stored on the card. These cards can include additional authentication factors (such as biometric templates or PINs) and other card technologies, including a contact smart card chip, to satisfy the requirements of legacy applications or applications for which a different technology is more appropriate. Contactless smart card technologies offer security professionals features that can enhance systems designed to control physical or logical access (i.e., access to networks or other online resources). Contactless cards differ from traditional contact smart cards by not requiring physical connectivity to the card reader. The card is simply presented in close enough proximity to the reader and uses radio frequencies (RF) to exchange information. The use of contactless technologies is particularly attractive for secure physical access, where the ID credential and reader must work in harsh operating conditions, with a high volume of use or with a high degree of user convenience. For example, consider the use of a contactless card to control access to public transportation. The card can be presented to the reader without having to be removed from a wallet or purse. The fare is automatically deducted from the card and access is granted. Adding funds through appropriate machines at transit centers or banks then refreshes the card. The process is simple, safe, and accurate.
protect their contents. System-level methods can be used to encrypt and decrypt the information stored on the card. Wired logic cards have a special purpose electronic circuit designed on the chip and use a fixed method to authenticate themselves to readers, verify that readers are trusted, and encrypt communications. Wired logic cards lack the ability to be modified after manufacturing or programming. MCU cards implement authentication/encryption methods in software or firmware. Contactless smart cards with an embedded MCU have more sophisticated security capabilities, such as the ability to perform their own on-card security functions (e.g., encryption, hardware and software-based tamper resistance features to protect card contents, biometric verification and digital signatures) and interact intelligently with the card reader. Contactless MCU cards also have greater memory capability and run card operating systems (for example, JavaCard or MULTOS). Both hybrid and dual-interface contactless cards are becoming available. On a hybrid card, multiple independent technologies share the common plastic card body but do not communicate or interact with each other. For example, one card could carry a magnetic stripe, bar code, 125 kHz technology, picture ID, contact smart card module and either ISO/IEC 14443 or ISO/IEC 15693 contactless smart card technology. The advantage of a hybrid card is that existing installed systems can be supported, while new features and functionality can also be offered through smart card technologies. A dual-interface card includes a single chip with both contact and contactless capabilities. Contact and contactless technologies can therefore be implemented on one card, each addressing the application requirements most suited to its capabilities and sharing the same data. Hybrid and dual-interface technologies are complementary and, with thoughtful implementation, transparent to the end user. With current technologies, security system designers can implement an architecture that includes multiple ID credential technologies. This creates a significant opportunity for more efficient credential management, improved user convenience, and easier administration of multiple security policies and procedures. Through the use of the appropriate card technology, cryptography, and digital signatures, logical access control can be incorporated into networks and
databases. And because the credential is a plastic card, it also supports the use of pictures, logos, visual inspection information, holograms, digital watermarks, microprinting, and other security markings to deter counterfeiting and impersonation. A single card is also more efficient for the user, simplifying coordination for changes, reducing memorization for complicated passwords or personal identification numbers (PINs), and decreasing the time for authentication.
Reduced maintenance costs for card readers (as compared to magnetic stripe and contact card readers)
Reduced vandalism of readers
More durable and reliable cards (no external parts that can wear out or be contaminated)
Well-suited to accommodate local security staffing, training and implementation
Established international standards (ISO/IEC)
applications which co-operate with a dominant application. The second one will be the integration of multiple applications under a single specification. Lastly, multiple independent applications installed on a single card will be taken into account.
operation plans or marketing strategies, which depend on whether minor applications come with the dominant application or act as an upgrade of services.
Figure 2: Logical view of applications in this model
Technically, this can be done by placing minor applications under different sub-directories or functional groups which are below the dominant application directory. Dedicated files (DFs) can be used to separate and organise applications. Figure 3 displays the structure and organisation of memory spaces inside the smart card.
The integration between a remote banking application and the dominant GSM application system is a good example of a multiple application smart card system as described above. Furthermore, under this system, new applications can be downloaded or updated over the air with the enhanced short message service provided by the GSM system.
specification and standard from a certain authority, it is recommended to assign the corresponding authority to establish the system and distribute the card. The card can either belong to that authority or be purchased by the end user, depending on the nature of the services provided by those applications. Management of those applications should be carried out at the request of the card holder, once he or she can provide positive identification as the correct owner. On the other hand, when an organisation which establishes the card system provides applications for its own card, that organisation can have both the ownership and the management of the card.
cryptographic and security mechanisms implemented by the central authority can be shared and used by different applications. Applications which are going to be united should agree on and conform to the specification from the corresponding central authority. However, access to individual applications should be protected by the system security module. This can be done by identifying the source of the request and the destination application. For example, when application A is activated by the user, A will issue a request, with A as both the source and the destination, to the shared common security module for authentication. If the result is positive, a ticket for accessing A will be returned to the source, which is A in this example. When A receives the ticket and discovers that the ticket grants access to A, it will unlock itself and allow access. Figure 6 illustrates this mechanism.
Figure 6: Authentication of an application
When there is a need to share data, the applications involved should implement a second security module. For example, when application A requests access to application B, A issues a request, with A as the source and B as the destination, to the shared common security module. When the security module realises that the source is different from the destination, it passes the request to B. B will activate its own security module upon receipt of the request. After successful acknowledgment, B unlocks itself for access by A. All subsequent transactions and communications between applications should have the source and destination specified in order to ensure that the correct applications are accessed. Figure 7 shows this model.
All the different identification cards and licenses issued by the government, such as the citizen identification card, driving license, fishing or hunting license, passport, council library card, etc., can be integrated together under the system discussed here, because they all conform to a single specification from the government and serve identification purposes. Another example is the multiple merchant incentives which allow card holders to store "points" for frequent purchaser programs across multiple merchants. This is workable because most of those programs require only basic information about the card holder and a lower level of security; therefore that information can be shared in order to verify the owner. In summary, integrating applications under this scheme can reduce the duplication of resources and facilitate the management of different applications.
Figure 8: Multiple independent applications in a single smart card
However, in order to build this kind of multiple application smart card, which has to be sophisticated and generic enough to accommodate different kinds of applications without transgressing any existing applications or weakening any existing security mechanisms, we need to break through a lot of different barriers which have always been a source of controversy.
In this section, we try to propose a feasible model in terms of data ownership and management, directory configuration and partitioning, security and data sharing, application invocation and authentication, etc. However, before we go on to discuss those issues, we assume that there is a standard smart card operating system and a standard specification which specifies how applications operate and interface with each other and the outside world.
Figure 10: Conceptual view of the security module
According to the application requirements, the identification module can activate one of the available biometric modules. A response will be received from the dedicated biometric module. As different applications may require a more flexible decision process, it is assumed that the result is a standardised number representing the measured level of matching. Biometric identification is used here because it seems to provide a promising result, as it uses basic characteristics of the individual and does not require any artificial link between the card holder. Consequently, each application can assign its dedicated identification scheme and the matching
level for acceptance, so that the same measurement can lead one application to accept the transaction and another to refuse it. For communication and data sharing between applications, each of them is required to activate its own identification process. If the result leads one of the applications not to be initiated, the other applications must receive an alarm. This common evaluation of the risk by all the applications can be implemented by creating a common index of confidence. For the details of the scheme described above, please refer to Cordonnier & Watson, 1996.
Businesses, the government and healthcare organizations continue to move towards storing and releasing information via networks, Intranets, extranets and the Internet. These organizations are turning to smart cards to make this information readily available to those who need it, while at the same time protecting the privacy of individuals and keeping their informational assets safe from hacking and other unwanted intrusions. In this capacity, smart cards enable:
Secure logon and authentication of users to PCs and networks
Secure B2B and B2C e-commerce
Storage of digital certificates, credentials and passwords
Encryption of sensitive data
Access control
Stored value
Identification
Ticketing
Parking and toll collection
to the microcontroller. There are several examples of attacking the smart card microcontroller by adjusting the voltage. For example, a widely known attack on the PIC16C84 microcontroller is that the security bit of the controller can be cleared without erasing the memory by raising the voltage VCC to VPP - 0.5V. An attack on the DS5000 security processor is another example: a short voltage drop can sometimes release the security lock without erasing the secret data. Low voltage can facilitate other attacks as well; for instance, an analogue random generator used to create cryptographic keys will produce an output of almost all 1s when the supply voltage is lowered slightly. For these reasons, some security processors implement sensors which raise an alarm when there is any environmental change. However, these kinds of sensors always cause false alarms due to the fluctuations that occur when the card is powered up and the circuit is stabilising. Therefore this scheme is not commonly used.
Conclusion
It is believed that smart cards offer more security and confidentiality than other kinds of information or transaction storage. Applications built on smart card technologies were illustrated, demonstrating that the smart card is one of the best ways for a system to provide and enhance security and integrity. Finally, it is concluded that the smart card is an intrinsically secure device. It is a safe place to store valuable information such as private keys, account numbers, and valuable personal data such as biometric information. The smart card is also a secure place to perform off-line processes such as public or private key encryption and decryption. The smart card can be an element of the solution to a security problem in the modern world.