Smart Card
1. INTRODUCTION
Welcome to Smart Card Basics. This is a sponsored site brought
to you by a number of leading manufacturers in the smart card
industry. We have tried to make this site informative without a
single perspective or a marketing pitch. It is our belief that
informed users make better choices, which in turn leads to a
stronger market for all. Smart Card or Chip card technology is fast
becoming commonplace in our culture and daily lives. We hope that
this site will bring you a little closer in your understanding of
this exciting technology and the benefits it can bring to your
applications.
2. WHAT IS SMART CARD
A smart card, a type of chip card, is a plastic card
embedded with a computer chip that stores and transacts data
between users. This data is associated with either value or
information or both and is stored and processed within the card's
chip, either a memory or microprocessor. The card data is
transacted via a reader that is part of a computing system. Smart
card-enhanced systems are in use today throughout several key
applications, including healthcare, banking, entertainment and
transportation. According to
Eurosmart, worldwide smart card shipments will grow 10% in 2010 to
5.455 billion cards. Markets that have been traditionally served by
other machine readable card technologies such as bar-code and
magnetic stripe are converting as the calculated return on
investment is revisited by each card issuer year after year.
First introduced in Europe nearly three decades ago, smart cards
debuted as a stored value tool for pay phones to reduce theft. As
smart cards and other chip-based cards advanced, people found new
ways to use them, including charge cards for credit purchases and
for record keeping in place of paper.
Why Smart Cards
Smart cards greatly improve the convenience and security of any
transaction. They provide tamper-proof storage of user and account
identity. Smart card systems have proven to be more reliable than
other machine-readable cards, such as magnetic-stripe and bar-code,
with many studies showing card read life and reader life
improvements demonstrating much lower cost of system maintenance.
Smart cards also provide vital components of system security for
the exchange of data throughout virtually any type of network. They
protect against a full range of security threats, from careless
storage of user passwords to sophisticated system hacks. The costs
to manage password resets for an organization or enterprise are
very high, thus making smart cards a cost-effective solution
in these environments. Multifunction cards can also serve as
network system access and store value and other data. Worldwide,
people are now using smart cards for a wide variety of daily tasks.
These include:
Securing Digital Content and Physical Assets
In addition to information security, smart cards achieve greater
security of services and equipment, because the card restricts
access to all but the authorized user(s). Information and
entertainment is being delivered via satellite or cable to the home
DVR player or cable box or cable-enabled PC. Home delivery of
service is encrypted and decrypted via the smart card per
subscriber access. Digital video broadcast systems have already
adopted smart cards as electronic keys for protection. Smart cards
can also act as keys to machine settings for sensitive laboratory
equipment and dispensers for drugs, tools, library cards, health
club equipment etc. In some environments, smart card-enabled SD
and microSD cards are protecting digital content as it is being
delivered to mobile handsets/phones.
E-Commerce
Smart cards make it easy for consumers to securely store
information and cash for purchasing. The advantages they offer
consumers are:
The card can carry personal account, credit and buying
preference information that can be accessed with a mouse click
instead of filling out forms.
Cards can manage and control expenditures with automatic limits
and reporting.
Internet loyalty programs can be deployed across multiple
vendors with disparate POS systems and the card acts as a secure
central depository for points or rewards.
Bank Issued Cards
Around the globe the bank controlled Co-ops (Visa, MasterCard,
Discover, and American Express) have rolled out millions of smart
cards under the EMV (Europay, MasterCard, VISA) standard. Often
referred to as chip and PIN cards, these are the de facto type of
cards for bank issuance in most countries except the U.S. As Canada
has just recently started its regulatory shift to EMV cards, the
U.S. will be the sole island in North America that has not yet made
the adoption. This adoption is being driven by the increased types
of fraud for both credit and debit cards. Smart cards have been
proven to secure a transaction with regularity, so much so that the
EMV standard has become the norm.
As banks enter competition in newly opened markets such as
investment brokerages, they are securing transactions via smart
cards at an increased rate. This means:
Smart cards increase trust through improved security. Two-factor
authentication ensures protection of data and value across the
internet. Threats such as man-in-the-middle attacks and Trojan
horses that replay a user name and password are eliminated.
This is improving customer service. Customers can use secure
smart cards for fast, 24-hour electronic funds transfers over the
internet.
Costs are reduced: transactions that normally would require a
bank employee's time and paperwork can be managed electronically by
the customer with a smart card.
Healthcare Informatics
The explosion of health care data brings up new challenges to
the efficiency of patient care and privacy safeguards. Smart cards
solve both challenges with secure, mobile storage and distribution
of everything from emergency data to benefits status. Many
socialized countries have already adopted smart cards as
credentials for their health networks and as a means of carrying an
immediately retrievable Electronic Health Record (EHR). Benefits
include:
Rapid, accurate identification of patients; improved
treatment
Reduction of fraud with authentication of provider/patient
visits and insurance eligibility
A convenient way to carry data between systems or to sites
without systems
Reduction of records maintenance costs
Physical Access
Businesses and universities of all types need simple identity
cards for all employees and students. Most of these people are also
granted access to certain data, equipment and departments according
to their status. Multifunction, microprocessor-based smart cards
incorporate identity with access privileges and can also store
value for use in various locations, such as cafeterias and stores.
Many hotels have also adopted ISO7816 type card readers into the
hotel rooms for use by the staff.
All U.S. government and many corporations have now incorporated
a contactless reader as an access point to their facilities. Some
companies have incorporated a biometric component to this
credential as well. The older systems deploy a simple proximity
card system as the gatekeeper. But as the security requirements
have become stronger and ISO14443 standard systems have
become cheaper, the world is rapidly adopting this new standard.
This market shift is partially driven by the U.S. government's
adoption of the mandated Personal Identity Verification (PIV)
standard. There is a rich ecosystem of suppliers and integrators
for this standard.
3. TYPES OF CHIP CARDS
Smart cards are defined according to 1) how the card data is read
and written and 2) the type of chip implanted within the card and
its capabilities. There is a wide range of options to choose from
when designing your system.
Figure 3-1: TYPES OF CHIP
Card Construction
Almost all chip cards are built from layers of differing materials,
or substrates, that when brought together properly give the card a
specific life and functionality. The typical card today is made
from PVC, Polyester or Polycarbonate.
The card layers are printed first and then laminated in a large
press. The next step in construction is the blanking or die
cutting. This is followed by embedding a chip and then adding data
to the card. In all, there may be up to 30 steps in constructing a
card. The total components, including software and plastics, may be
as many as 12 separate items; all this in a unified package that
appears to the user as a simple device.
Contact Cards
These are the most common type of smart card. Electrical
contacts located on the outside of the card connect to a card
reader when the card is inserted. This connector is bonded to the
encapsulated chip in the card.
Memory Cards
Memory cards cannot manage files and have no processing power
for data management. All memory cards communicate to readers
through synchronous protocols. In all memory cards you read and
write to a fixed address on the card. There are three primary types
of memory cards: 1). Straight, 2). Protected, and 3). Stored Value.
Before designing these cards into a proposed system the issuer
should check to see if the readers and/or terminals support the
communication protocols of the chip. Most contactless cards are
variants on the protected memory/segmented memory card idiom.
1) Straight Memory Cards
These cards just store data and have no data processing
capabilities. Often made with I2C or serial flash semiconductors,
these cards were traditionally the lowest cost per bit for user
memory. This has now changed with the larger quantities of
processors being built for the GSM market. This has dramatically
cut into the advantage of these types of devices. They should be
regarded as floppy disks of varying sizes without the lock
mechanism. These cards cannot identify themselves to the reader, so
your host system has to know what type of card is being inserted
into a reader. These cards are easily duplicated and cannot be
tracked by on-card identifiers.
2) Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the
memory of the card. Sometimes referred to as Intelligent Memory
cards, these devices can be set to write protect some or the entire
memory array. Some of these cards can be configured to restrict
access to both reading and writing. This is usually done through a
password or system key. Segmented memory cards can be divided into
logical sections for planned multifunctionality. These cards are
not easily duplicated but can possibly be impersonated by hackers.
They typically can be tracked by an on-card identifier.
3) Stored Value Memory Cards
These cards are designed for the specific purpose of storing
value or tokens. The cards are either disposable or rechargeable.
Most cards of this type incorporate permanent security measures at
the point of manufacture. These measures can include password keys
and logic that are hard-coded into the chip by the manufacturer.
The memory arrays on these devices are set-up as decrements or
counters. There is little or no memory left for any other function.
For simple applications such as a telephone card, the chip has 60
or 12 memory cells, one for each telephone unit. A memory cell is
cleared each time a telephone unit is used. Once all the memory
units are used, the card becomes useless and is thrown away. This
process can be reversed in the case of
rechargeable cards.
4. CPU/MPU MICROPROCESSOR MULTIFUNCTION
CPU/MPU Microprocessor Multifunction Cards
These cards have on-card dynamic data processing capabilities.
Multifunction smart cards allocate card memory into independent
sections or files assigned to a specific function or application.
Within the card is a microprocessor or microcontroller chip that
manages this memory allocation and file access. This type of chip
is similar to those found inside all personal computers and when
implanted in a smart card, manages data in organized file
structures, via a card operating system (COS). Unlike other
operating systems, this software controls access to the on-card
user memory. This capability permits different and multiple
functions and/or different applications to reside on the card,
allowing businesses to issue and maintain a diversity of products
through the card. One example of this is a debit card that also
enables building access on a college campus. Multifunction cards
benefit issuers by enabling them to market their products and
services via state-of-the-art transaction and encryption
technology. Specifically, the technology enables secure
identification of users and permits information updates without
replacement of the installed base of cards, simplifying program
changes and reducing costs. For the card user, multifunction means
greater convenience and security, and ultimately, consolidation of
multiple cards down to a select few that serve many purposes.
Contactless Cards
These are smart cards that employ radio frequency (RFID)
communication between card and reader without physical insertion
of the card. Instead, the card is passed along the exterior of the
reader and read. Types include proximity cards which are
implemented as a read-only technology for building access. These
cards function with a very limited memory and communicate at
125 MHz. Another type of limited card is the Gen 2 UHF Card that
operates at 860 MHz to 960 MHz. True read and write contactless
cards were first used in transportation for quick decrementing and
reloading of fare values where their lower security was not an
issue. They communicate at 13.56 MHz, and conform to the ISO14443
standard. These cards are often protected memory types. They are
also gaining popularity in retail stored value, since they can
speed up transactions and not lower transaction processing revenues
(i.e. VISA and MasterCard), like traditional smart cards.
Multi-mode Communication Cards
These cards have multiple methods of communications, including
ISO7816, ISO14443 and UHF Gen 2. How the card is made determines if
it is a hybrid or dual interface card.
The term can also include cards that have a magnetic stripe and/or
bar-code as well.
Hybrid Cards
Hybrid cards have multiple chips in the same card. These are
typically attached to each interface separately, such as a MIFARE
chip and antenna with a contact 7816 chip in the same card.
Dual Interface Cards
These cards have one chip controlling the communication
interfaces. The chip may be attached to the embedded antenna
through a hard connection, inductive method or with a flexible bump
mechanism.
Multi-component Cards
These types of cards are for a specific market solution. For
example, there are cards where the fingerprint sensor is built on
the card. Or one company has built a card that generates a one-time
password and displays the data for use with an online banking
application. Vault cards have rewriteable magnetic stripes. Each of
these technologies is specific to a particular vendor and is
typically patented.
Smart Card Form Factors
The expected shape for cards is often referred to as CR80.
Banking and ID cards are governed by the ISO 7810 specification.
But this shape is not the only form factor that cards are deployed
in. Specialty shaped cutouts of cards with modules and/or antennas
are being used around the world. The most common shapes are SIM. SD
and MicroSD cards can now be deployed with the strength of smart
card chips. USB flash drive tokens are also available that leverage
the same technology of a card in a different form factor.
Smart Card Readers/Terminals
Readers and terminals operate with smart cards to obtain card
information and perform a transaction.
Generally, a reader interfaces with a PC for the majority of its
processing requirements. A terminal is a self-contained processing
device. Both readers and terminals read and write to smart
cards.
Readers
Contact
This type of reader requires a physical connection to the cards,
made by inserting the card into the reader. This is the most common
reader type for applications such as ID and Stored Value. The
card-to-reader communication is often ISO 7816 T=0 only. This
communication has the advantage of direct coupling to the reader
and is considered more secure. The other advantage is speed. The
typical Protocol Type Selection (PTS, ISO7816-3) negotiated speed
can be up to 115 kilobaud. This interface enables larger data
transport without the overhead of anti-collision and wireless
breakdown issues that result from the card moving in and out
of the reader antenna range.
Contactless
This type of reader works with a radio frequency that
communicates when the card comes close to the reader. Many
contactless readers are designed specifically for Payment, Physical
Access Control and Transportation applications. The dominant
protocol under ISO 14443 is MIFARE, followed by the EMV
standards.
Interface
A contact reader is primarily defined by the method of its
interface to a PC. These methods include RS232 serial ports, USB
ports, PCMCIA slots, floppy disk slots, parallel ports, infrared
IRDA ports and keyboards and keyboard wedge readers. Some readers
support more than one type of card such as the tri-mode insert
readers from MagTek. These readers support magnetic stripe, contact
and contactless read operations all in one device.
Reader & Terminal to Card Communication
All cards and readers that follow ISO 7816-3 standards have a
standardized set of commands that enable communication for CPU
cards.
These commands, called APDUs (Application Protocol Data Units),
can be executed at a very low level, or they can be scripted into
APIs which enable the user to send commands from an application to
a reader.
5. APPLICATIONS DEVELOPMENT
The development of PC applications for readers has been simplified
by the Personal Computer/Smart Card (PC/SC) standard. This standard
is supported by all major operating systems. The problem with the
PC/SC method is that it does not support all of the reader
functions offered by each manufacturer, such as LED control and
card latching/locking. When just using the drivers for each reader
manufacturer, there is no connection to the functions of the card.
The better choice is Application Programming Interfaces (APIs) that
are readily available in Software Development Kits (SDKs) that
support specific manufacturers' card families.
Smart Card Standards
Primarily, smart card standards govern physical properties,
communication characteristics, and application identifiers of the
embedded chip and data.
Application-specific properties are being debated with many
large organizations and groups proposing their standards. Open
system card interoperability should apply at several levels: 1) to
the card itself, 2) the card's access terminals (readers), 3) the
networks and 4) the card issuer's own systems. Open system card
interoperability will only be achieved by conformance to
international standards.
Global System for Mobile Communication (GSM)
The GSM standard is dominant in the cell phone industry and uses
smart cards called Subscriber Identification Modules (SIMs) that
are configured with information essential to authenticating a
GSM-compliant mobile phone, thus allowing a phone to receive
service whenever the phone is within coverage of a suitable
network. This standard is managed by the European Telecommunication
Standards Institute. The two most common standards for cards are
11.11 and 11.14.
Common Criteria
Common Criteria (CC) is an internationally approved security
evaluation framework providing a clear and reliable evaluation of
the security capabilities of IT products, including secure ICs,
smart card operating systems, and application software. CC provides
an independent assessment of a product's ability to meet security
standards. Security-conscious customers, such as national
governments, are increasingly requiring CC certification in making
purchasing decisions. Since the requirements for certification are
clearly established, vendors can target very specific security
needs while providing broad product offerings.
System Planning & Deployment
Smart card system design requires advance planning to be
successful and to avoid problems. It is highly recommended that you
graphically diagram the flow of information for your new system.
The first question to consider is will the card and system transact
information, or value, or both? If it stores keys or value (i.e.
gift certificates or sports tickets), greater design detail is
required than in data-only systems. When you combine information
types on a single card, other issues arise. The key to success is
not to overrun the system with features that can confuse users and
cause problems in management. It is recommended that you phase in
each feature set as each one is working. To properly implement a
functional smart card system, you should be able to answer the
following questions. NOTE: These are only general guidelines,
provided as a basis for your individual planning. Many other steps
may be involved and are not mentioned here. For more extensive
planning information regarding identity management and national
IDs, we recommend that you review the GSA Smart Card Handbook.
Smart Card Security (Section 1)
Smart cards provide computing and business systems the enormous
benefit of portable and secure storage of data and value. At the
same time, the integration of smart cards into your system
introduces its own security management issues, as people access
card data far and wide in a variety of applications. The following
is a basic discussion of system security and smart cards, designed
to familiarize you with the terminology and concepts you need in
order to start your security planning.
6. WHAT IS SECURITY
Security is basically the protection of something valuable to
ensure that it is not stolen, lost, or altered. The term data
security governs an extremely wide range of applications and
touches everyone's daily
life. Concerns over data security are at an all-time high, due to
the rapid advancement of technology into virtually every
transaction, from parking meters to national defense. Data is
created, updated, exchanged and stored via networks. A network is
any computing system where users are highly interactive and
interdependent and by definition, not all in the same physical
place. In any network, diversity abounds, certainly in terms of
types of data, but also types of users. For that reason, a system
of security is essential to maintain computing and network
functions, keep sensitive data secret, or simply maintain worker
safety. Any one company might provide an example of these multiple
security concerns: Take, for instance, a pharmaceutical
manufacturer:
What is Information Security?
Information security is the application of measures to ensure
the safety and privacy of data by managing its storage and
distribution. Information security has both technical and social
implications. The first simply deals with the how and how much
question of applying secure measures at a reasonable cost. The
second grapples with issues of individual freedom, public concerns,
legal standards and how the need for privacy intersects them. This
discussion covers a range of options open to business managers,
system planners and programmers that will contribute to your
ultimate security strategy. The eventual choice rests with the
system designer and issuer.
Smart Card Security (Section 2)
Data Integrity
This is the function that verifies the characteristics of a
document and a transaction. Characteristics of both are inspected
and confirmed for content and correct authorization. Data Integrity
is achieved with electronic cryptography that assigns a unique
identity to data like a fingerprint. Any attempt to change this
identity signals the change and flags any tampering.
Authentication
This inspects, then confirms, the proper identity of people
involved in a transaction of data or value. In authentication
systems, authentication is measured by assessing the mechanism's
strength and how many factors are used to confirm the identity. In
a PKI system a Digital Signature verifies data at its origination
by producing an identity that can be mutually verified by all
parties involved in the transaction. A cryptographic hash algorithm
produces a Digital Signature.
Card-Based System Security
These systems are typically microprocessor card-based. A card or
token-based system treats a card as an active computing device. The
interaction between the host and the card can be a series of steps
to determine if the card is authorized to be used in the system.
The process also checks if the user can be identified,
authenticated and if the card will present the appropriate
credentials to conduct a transaction. The card itself can also
demand the same from the host before proceeding with a transaction.
The access to specific information in the card is controlled by
A) the card's internal Operating System and B) the preset
permissions set by the card issuer regarding the file conditions.
The card can be in a standard CR80 form factor or be in a USB
dongle or it could be a GSM SIM Card.
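The APDU commands described under Reader & Terminal to Card Communication and the host/card authorization steps described in this section can be seen together in one sketch. This is an added example, not code from the original page: a simulated card answers short-form ISO 7816-4 APDUs (GET CHALLENGE, INTERNAL AUTHENTICATE, EXTERNAL AUTHENTICATE, READ BINARY) and releases its record only after the host has authenticated. The card class, helper names, key and record are hypothetical, and HMAC-SHA256 is assumed in place of a real card cipher.

```python
import hashlib
import hmac
import os

# ISO 7816-4 instruction bytes and status words (SW1 SW2) used in this sketch.
GET_CHALLENGE, EXTERNAL_AUTH, INTERNAL_AUTH, READ_BINARY = 0x84, 0x82, 0x88, 0xB0
SW_OK, SW_AUTH_FAILED, SW_WRONG_LENGTH = b"\x90\x00", b"\x63\x00", b"\x67\x00"
SW_NOT_AUTHORIZED, SW_NO_CHALLENGE, SW_BAD_INS = b"\x69\x82", b"\x69\x85", b"\x6d\x00"


def cryptogram(key, role, challenge):
    """8-byte proof over a challenge; HMAC-SHA256 stands in (assumption) for the
    card's cipher. The role label stops a card proof being reused as a host proof."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()[:8]


def build_apdu(ins, data=b"", le=None):
    """Short-form command APDU: CLA INS P1 P2 [Lc data] [Le], with CLA=P1=P2=0."""
    lc_data = bytes([len(data)]) + data if data else b""
    le_byte = b"" if le is None else bytes([le])
    return bytes([0x00, ins, 0x00, 0x00]) + lc_data + le_byte


def parse_apdu(apdu):
    """Return (ins, data, le) for a short-form command APDU, or None if malformed."""
    if len(apdu) < 4:
        return None
    ins, body = apdu[1], apdu[4:]
    if len(body) <= 1:                            # case 1 (header only) or case 2 (Le)
        return ins, b"", (body[0] if body else None)
    lc, rest = body[0], body[1:]
    if lc == 0 or len(rest) not in (lc, lc + 1):  # extended length is not handled
        return None
    return ins, rest[:lc], (rest[lc] if len(rest) > lc else None)  # case 3 or 4


class SimulatedCard:
    """Hypothetical card: one shared key, one record readable only after host auth."""
    def __init__(self, key, record):
        self._key, self._record = key, record
        self._challenge, self._host_ok = None, False   # challenge is single use

    def transmit(self, apdu):
        parsed = parse_apdu(apdu)
        if parsed is None:
            return SW_WRONG_LENGTH
        ins, data, _le = parsed
        if ins == GET_CHALLENGE:
            self._challenge = os.urandom(8)
            return self._challenge + SW_OK
        if ins == INTERNAL_AUTH:          # card proves itself to the host
            if len(data) != 8:
                return SW_WRONG_LENGTH
            return cryptogram(self._key, b"card", data) + SW_OK
        if ins == EXTERNAL_AUTH:          # host proves itself to the card
            challenge, self._challenge, self._host_ok = self._challenge, None, False
            if challenge is None:
                return SW_NO_CHALLENGE
            expected = cryptogram(self._key, b"host", challenge)
            self._host_ok = hmac.compare_digest(data, expected)
            return SW_OK if self._host_ok else SW_AUTH_FAILED
        if ins == READ_BINARY:
            return self._record + SW_OK if self._host_ok else SW_NOT_AUTHORIZED
        return SW_BAD_INS


def host_session(card, host_key):
    """Authenticate the card, authenticate to it, then read. Returns (outcome, data)."""
    nonce = os.urandom(8)
    resp = card.transmit(build_apdu(INTERNAL_AUTH, nonce, le=8))
    expected = cryptogram(host_key, b"card", nonce)
    if resp[-2:] != SW_OK or not hmac.compare_digest(resp[:-2], expected):
        return "card-not-genuine", b""
    resp = card.transmit(build_apdu(GET_CHALLENGE, le=8))
    proof = cryptogram(host_key, b"host", resp[:-2])
    if card.transmit(build_apdu(EXTERNAL_AUTH, proof)) != SW_OK:
        return "host-rejected", b""
    resp = card.transmit(build_apdu(READ_BINARY, le=0))
    return ("ok", resp[:-2]) if resp[-2:] == SW_OK else ("read-denied", b"")
```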
7. ADVANTAGES
It is generally safe and secure.
It is used for identity purposes.
It can be reconfigured and reused, and it allows secure
transactions off-line.
8. APPLICATIONS
Smart Cards provide a secure, portable platform for "any time,
anywhere" computing that can carry and manipulate substantial
amounts of data, especially an individual's personal digital
identity. It allows Smart Cards to become a general-purpose
computing platform and creates a potentially huge market for
application software and development. Whether this market will
diversify in the way personal computing has remains to be seen.
Applications of Smart Cards and Java Card technology include:
Government, Healthcare, Information Technology, Mobile
Communication, Banking, Loyalty Programs, Mass Transit, Driving
Licensing, Electronic Toll Collection, Telephone Cards, etc.
9. FUTURE SCOPE
The future of Smart Cards is looking bright. Smart cards offer many
existing and potential benefits to both the public and the private
sectors of the industry: reducing fraud, reducing the time needed
to complete redundant paperwork, and having the potential to have
one card to access diverse networks and applications.
10. CONCLUSION
Smart cards can add convenience and safety to any
transaction of value and data; but the choices facing today's
managers can be daunting. We hope this site has adequately
presented the options and given you enough information to make
informed evaluations of performance, cost and security that will
produce a smart card system that fits today's needs and those of
tomorrow. It is our sincere belief that informed users make better
choices, which leads to better business for everybody.
Vijay College of Engineering for Women
117E1A0470