Smart Card Technology - PowerPoint PPT Presentation

Slides: 38
Provided by: san7211
1
Smart Card Technology
  • Its Applications and Usage
  • - S.K.Sinha
  • NIC

2
The History
  • The plastic card made of PVC is the first ancestor.
  • Came into being in the 1950s due to its low cost, robustness and
    longer life than the simple paper or cardboard equivalent.
  • The first Payment Card was issued by Diners Club in 1950.
  • It was designed for an exclusive class of individuals and thus
    served as a status symbol.
  • It allowed the holder to pay with his Good Name rather than in cash.
  • Acceptance was limited to a select few Hotels and Restaurants.
  • The entry of VISA and MasterCard led to a rapid proliferation of
    Plastic Money, first in the USA and later in Europe and the rest
    of the world.

3
Initial Functionalities
  • Served as data carriers protected against forgery and tampering.
  • Protection against forgery was provided through visual features,
    such as security printing, a signature field etc.
  • The data carried was of a general nature, such as the Issuer's
    Name, which was surface printed, while card-holder-specific data
    (Name, card number etc.) were embossed.

4
Initial Functionalities
  • Security was not a huge problem as the cards were used by the
    members of an exclusive club.
  • With increasing proliferation these security features no longer
    proved sufficient. The danger from organized crime was growing
    faster.
  • Card issuers' losses due to customers' insolvency and fraud grew
    from year to year. This made it necessary to extend the security
    measures and the card capabilities.

5
Second Generation of Cards
  • The first improvement brought to the plastic card was the
    introduction of a Magnetic Stripe into the main plastic body.
  • This allowed digitized data to be stored in machine-readable form,
    in addition to the visually stored data obtained through printing
    and embossing.
  • These are commonly known as Magnetic Stripe Cards and are still
    very common in Credit/Debit card usage.

6
Magnetic Stripe Card
  • Became very popular worldwide due to ease of payment.
  • Easy to carry and to use worldwide.
  • However, this technology suffers from a few crucial weaknesses.
  • The data on the magnetic stripe can be read, written and
    re-written at will by anyone with an appropriate read/write
    device.
  • Because of this, the issuer agencies using this technology have to
    use on-line connectivity to payment gateways for large
    transactions.
  • This adds considerable cost for managing the gigantic network.

7
Necessity of a better solution
  • The crucial weaknesses of the Magnetic Stripe card gave rise to the
    evolution of a better technology solution, one which can handle:
  • Off-line transactions without any trade-off on security
  • Bringing down the overall cost of the project
  • Minimizing the risk factors

8
Advent of the Hero: The Smart Card
  • The 1970s witnessed huge progress in microelectronics.
  • It became possible to integrate data storage with arithmetic logic
    on a single silicon chip measuring a few square millimeters.
  • The first patent for incorporating such an Integrated Circuit into
    a plastic card was filed by two Germans, Jürgen Dethloff and
    Helmut Gröttrup, in 1968.
  • However, the first real progress came with Roland Moreno, a
    Frenchman, filing his patent in France in 1974.
  • The great breakthrough was achieved in 1984, when the French Postal
    and Telecommunication Services used this technology for a new
    application: Telephone Cards.
  • Why could this much more secure technology not be used for payment
    cards in the first instance? (Any answers..?)

9
Cryptography: the real partner
  • A quantum jump in the field of Cryptographic Science coincided with
    the same period of evolution of Smart Card technology.
  • Modern hardware and software permitted the implementation of
    complex mathematical algorithms, which was not possible earlier.
  • Cryptographic algorithms became available in the open domain with a
    much higher level of security than the covert ones earlier used
    for Military Applications.
  • Smart Cards proved themselves to be the ideal carriers/implementers
    of these Cryptographic Algorithms, since they can also store the
    Cryptographic Keys and related data with utmost security.

10
The Technology
11
Smart Card Technology
  • A Microprocessor Chip embedded into the plastic body.
  • The heart of the chip is a processor surrounded by four additional
    functional blocks:
  • The mask-ROM
  • The EEPROM (E²PROM)
  • The RAM
  • The I/O Port

12
Hardware Architecture
(Block diagram) Processor (CPU) connected to: RAM (working memory),
ROM (operating system), EEPROM (data storage) and the I/O interface.
External contacts: I/O, CLK, RST, V (supply) and GND.
13
Hardware Architecture
  • Mask-ROM: contains the chip Operating System, which is burnt in
    during manufacture and cannot be changed during the chip's
    lifetime.
  • EEPROM: the chip's non-volatile memory, to and from which data and
    program code may be written and read, under OS control.
  • RAM: the processor's working memory; volatile, its data is lost
    when the chip voltage is off.
  • Serial I/O Interface: usually consists of a single register,
    through which the data is transferred bit-by-bit.

14
Smart Card File System
  • Implemented over the EEPROM.
  • A hierarchical File System.
  • MF (Master File) at the top.
  • DF (Dedicated File) and EF (Elementary File) as the various
    entities in the hierarchy.
  • Data elements are grouped and stored in EFs, which are the
    bottom-level entities.
  • Dedicated Files (DF) are like the directory files of conventional
    File Systems, containing DFs and EFs.
  • Dedicated Files are also the entities hosting all files related to
    one single application (e.g. Driving License, Electoral ID Card,
    PAN Card etc.), and are therefore also termed Application Files.
  • The MF is the top-level Dedicated File.
  • MF, DF and EF can be configured, in their headers, with security
    parameters (conditions) for the various operations (Read, Modify,
    Delete).
  • Definable security conditions may be PIN verification, Key
    Authentication etc.

15
Smart Card Security
  • Smart cards are the most secure devices for storing a small piece
    of information.
  • The technology makes it possible to impose the desired security
    conditions/rules for accessing the required information.
  • The following Security Mechanisms are provided by the Smart Card:
  • PIN Verification
  • Key based Authentication

16
PIN Verification
  • The PIN is like a password, and is securely stored in the Smart
    Card.
  • Any specific Smart Card functionality (e.g. performing a money
    transaction, requesting e-Service delivery) can be bound to
    successful PIN verification.
  • If PIN verification fails, a built-in mechanism on the Smart Card
    disallows the functionality from being invoked.
  • After three or four unsuccessful attempts the Smart Card OS blocks
    further PIN usage, thereby protecting the valuable Smart Card
    resources.
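The PIN retry counter of this slide, together with the per-file access conditions of slide 14, can be modelled in a few lines of card-side logic. This is an added toy example and not code from the deck; the retry limit of 3, the `ElementaryFile` and `SmartCard` names and the condition strings `ALWAYS`/`PIN`/`NEVER` are assumptions for illustration (key-based conditions are not modelled).

```python
import hmac

MAX_PIN_RETRIES = 3  # assumed value; the slide says "three or four"


class ElementaryFile:
    def __init__(self, name, data, conditions):
        self.name = name
        self.data = data
        self.conditions = conditions  # e.g. {"read": "ALWAYS", "modify": "PIN"}


class SmartCard:
    """Toy card OS: PIN verification with a retry counter, and EF access checks."""

    def __init__(self, pin):
        self._pin = pin  # reference PIN kept in card memory; never returned
        self.retries_left = MAX_PIN_RETRIES
        self.pin_verified = False
        self.files = {}

    def add_file(self, ef):
        self.files[ef.name] = ef

    def verify_pin(self, candidate):
        if self.retries_left == 0:
            return "BLOCKED"  # PIN usage is blocked; unblocking is out of scope
        # Decrement before comparing, so an interrupted attempt still counts.
        self.retries_left -= 1
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.retries_left = MAX_PIN_RETRIES
            self.pin_verified = True
            return "OK"
        self.pin_verified = False
        return "BLOCKED" if self.retries_left == 0 else "WRONG_PIN"

    def _allowed(self, ef, op):
        cond = ef.conditions.get(op, "NEVER")
        return cond == "ALWAYS" or (cond == "PIN" and self.pin_verified)

    def read(self, name):
        # Returns the EF data, or None when the read condition is not met.
        ef = self.files[name]
        return ef.data if self._allowed(ef, "read") else None

    def modify(self, name, new_data):
        # Returns False when the modify condition is not met.
        ef = self.files[name]
        if not self._allowed(ef, "modify"):
            return False
        ef.data = new_data
        return True
```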

17
Key Based Authentication
  • Key based authentication is the biggest security strength of the
    Smart Card, due to which they are considered the most secure
    devices compared with other cards (Magnetic, Optical etc.).
  • Keys are typically used for cryptographically securing data on the
    Smart Card, with the help of strong on-chip encryption algorithms
    like 3DES or RSA.
  • Through a challenge-response mechanism, with encryption and
    decryption under the corresponding keys, two secure devices (with
    one or both being Smart Cards) can authenticate each other.
  • This is also the methodology through which a person proves his
    identity, i.e. that he is what he claims to be, by possessing one
    of the keys securely stored on his card.

18
Key Based Authentication
  • The authentication process can be based on
    symmetric keys (Master Key-Derived Key) or
    asymmetric keys (Public Key-Private Key).
  • Smart Card technology provides the security
    against direct access to keys, and makes it
    possible that all kinds of security operations
    are performed internally on the chip, without
    sending keys out of the card.
  • This enhances the security to a great extent.
  • The Smart Card chip (Microprocessor) is strong enough to run
    various complex security-related algorithms using the keys
    internally.

19
Security Requirements
20
What kind of security is required? The Security Criteria
  • Security means different things in different contexts.
  • In the IT context, it is usually divided into five domains:
  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation
  • Reliability

21
Confidentiality
  • To ensure that data are accessible only to those
    authorized to receive it.
  • Achieved through Encryption and Decryption using
    Smart Card Technology
  • On-Card Encryption/Decryption, Key remains inside
    the Card memory.
  • Can be Symmetric Key (3DES) or Asymmetric Key
    (RSA etc.)

22
Symmetric Key Encryption
  • Two main Components
  • Algorithm (3DES)
  • Key (Symmetric Key)
  • Same key for Encryption and Decryption

(Diagram) Plain Text → Encrypt (DES Key 1) → Decrypt (DES Key 2) →
Encrypt (DES Key 1) → Cipher text
(i.e. two-key triple DES in encrypt-decrypt-encrypt order)
23
Asymmetric Key Encryption
  • Two main Components
  • Algorithm (RSA)
  • Key Pair (Public Key / Private Key)
  • Public Key used for Encryption and Private Key for Decryption

(Diagram) Plain Text → Encrypt (Public Key) → Cipher text;
Cipher text → Decrypt (Private Key) → Plain Text
24
Authentication
  • Ensuring that each of the parties in an exchange is able to prove
    its identity to the other parties. Authentication can be applied
    to objects (the Smart Card) or to persons.
  • Achieved through a Challenge-Response Mechanism.
  • Can be based upon a Symmetric or an Asymmetric Key Algorithm.

25
Challenge - Response
Key based Authentication
(Diagram: X on the left, Y on the right)
  • Step 1: X generates a random no. and encrypts it using his key 1.
  • Step 2: X sends this as a challenge to Y.
  • Step 3: Y decrypts the challenge using his key 2.
  • Step 4: Y sends the response to X.
  • Step 5: X matches the response with the original random no. on his
    card. If the match is successful then Y is authentic.
  • "Yes!! We can do business!!!"
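The exchange above, run in both directions so that X and Y each convince the other, as an added example that is not part of the deck. The slide's 3DES encrypt/decrypt step is replaced here by a keyed MAC (HMAC-SHA256) because the Python standard library has no 3DES; the `Party` and `authenticate` names and the 8-byte challenge size are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def keyed_response(key, challenge):
    # The deck uses 3DES for this step; HMAC-SHA256 stands in for it here
    # because the Python standard library has no 3DES implementation.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Party:
    """X or Y from the slide: holds a key internally and never exports it."""

    def __init__(self, name, key):
        self.name = name
        self._key = key
        self._nonce = None

    def make_challenge(self):
        # A fresh random number per run, so an old response cannot be replayed.
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def respond(self, challenge):
        # Computed on-card with the stored key; only the result leaves the card.
        return keyed_response(self._key, challenge)

    def check(self, response):
        expected = keyed_response(self._key, self._nonce)
        return hmac.compare_digest(response, expected)


def authenticate(x, y):
    """Run the exchange in both directions; return (mutually_ok, transcript)."""
    transcript = []
    # X -> Y: challenge; Y -> X: response; X matches it against its own result.
    ch = x.make_challenge()
    transcript.append((x.name, y.name, "challenge", ch.hex()))
    resp = y.respond(ch)
    transcript.append((y.name, x.name, "response", resp.hex()))
    y_ok = x.check(resp)
    # Same again with the roles swapped, so Y also learns that X is genuine.
    ch = y.make_challenge()
    transcript.append((y.name, x.name, "challenge", ch.hex()))
    resp = x.respond(ch)
    transcript.append((x.name, y.name, "response", resp.hex()))
    x_ok = y.check(resp)
    return y_ok and x_ok, transcript
```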
26
Integrity
  • Ensuring that the data (e.g. a message) has not
    been altered since its origination.
  • Digital Signature is the answer
  • Digital Signature is the term used in PKI while
    MAC (Message Authentication Code) is the term
    used for similar function using SKI.

27
Digital Signature and MAC
(Diagram) Message ("This is an Example ...", repeated) → Hash
Algorithm → Hash → RSA On Card, using the Private Key → Digital
Signature
28
Non Repudiation
  • It may often be required to prove that a particular transaction
    took place.
  • Also, the signer of a document must not be able to repudiate it
    afterwards.
  • Digital Signatures are in themselves the certificate that the
    transaction did take place and that the signatures were really
    made by the signer.

29
Impersonation
  • Impersonation, or masquerade, is the risk that an unauthorized
    person can make use of the functions allowed by the card.
  • Digital Certificates of the person's identity are the answer to
    this.
  • The personal identity details and the biometric identity of the
    person are signed using PKI.
  • This provides the absolute Identity Certificate of the person,
    i.e. that he is the person he claims to be.

30
Smart Card for proof of Identity
  • Identity fraud is a growing problem worldwide.
  • It may be a question of secure border control.
  • Or it may be a question of delivering citizen services to the
    right person.
  • Present forms of identity proof (Passport, Ration Card etc.) are
    not sufficient.
  • Almost everything which can be printed can be faked.
  • Terrorists commonly fake their identity by using illegal passports.

31
What is the answer?
  • Smart Cards carrying biometrics, with the digital signatures of the
    issuing authority over them, are the answer.
  • This effectively provides a foolproof mechanism to prove that a
    person is who he claims to be.
  • Using PKI on the card, the identity data of the individual, along
    with his biometric data, is digitally signed by the issuing
    authority, which itself is certified by a Trusted CA.

32
Proving Identity: a two-step process
  • Card is authentic: the authenticity of the card is established
    through challenge-response between the Private key stored in the
    card and the Public key available to the interface device (Hand
    Held Terminal), offline or on-line.
  • Identity of the card holder is authentic: first the digital
    signatures of the Issuer Authority are verified, off-line or
    online. Then the stored biometrics of the card holder are matched
    by taking a live scan and comparing it with the stored, certified
    biometrics.

33
Smart Cards for efficient delivery of citizen
services
  • Delivery of any citizen service (G2C) requires the following three
    things:
  • Proof of identity
  • Entitlement details
  • Authentic transaction history
  • If these three things can be authentically provided in the field,
    services can be delivered with utmost efficiency.
  • Using Smart Cards these three things can be provided in the field,
    which would otherwise require a very efficient data network.

34
Smart Cards for efficient delivery of citizen
services
  • In the Indian context the big benefit is that authentic
    application-specific data is provided at the place of delivery of
    the Service from the individual's card, without the need for a
    costly data communication network.

35
Delivery of service through web
  • Delivery of personalized information has become simple by
    publishing it over the web.
  • This can also be used to deliver services onto the Smart Card after
    performing on-line authentication and proving the identity.
  • The delivered information can be safely written onto the Smart
    Card.
  • Examples are delivery of railway/airline tickets, e-Vote casting
    over the web, filing on-line income tax returns, on-line payment of
    road tax and obtaining the receipt, etc.

36
Smart Card technology for e-Purse and small
transactions
  • Smart Card technology offers the most promising way of storing
    digital money and conveniently spending it in small transactions.
  • Current credit card based transactions require on-line
    verification before the transaction. This hugely increases the
    operational cost.

37
The e-Purse
  • The Smart Card stores the actual money balance, as secure data.
  • The E-Purse program on the card provides the mechanism to credit
    or debit the balance.
  • This is preceded by the mutual authentication process, which is
    off-line.
  • Money is debited from the buyer's card and credited to the seller's
    card after the transaction is made.
  • This is done with the help of an off-line Smart Card Terminal.
  • Both cards can load and unload balance to and from their Bank
    Accounts.
  • This concept can be applied to any stored value card, e.g. Prepaid
    Telephone card, Prepaid Electricity Meter Card, Milk Vending etc.
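The off-line debit/credit step of the e-Purse, as an added example that is not part of the deck: the buyer card refuses overdrafts and emits a MAC-protected debit record, and the seller card credits each genuine record only once. It assumes mutual authentication has already taken place and, for brevity, a single constructed scheme key shared by all purse cards; `PurseCard`, `offline_purchase` and the record layout are assumptions for illustration.

```python
import hashlib
import hmac

# Assumption for this example: one symmetric key shared by all purse cards of
# the scheme (constructed value). A real scheme would derive per-card keys and
# run mutual authentication with the terminal before any debit or credit.
SCHEME_KEY = b"constructed-e-purse-scheme-key"


def debit_tag(record):
    return hmac.new(SCHEME_KEY, record, hashlib.sha256).digest()


class PurseCard:
    """Holds the balance as secure data; only the purse program changes it."""

    def __init__(self, card_id, balance):
        self.card_id = card_id
        self.balance = balance
        self.tx_counter = 0   # per-card sequence number, makes each record unique
        self.seen = set()     # records this card has already credited

    def debit(self, amount):
        # Buyer side: refuse overdrafts, then hand out a MAC-protected debit record.
        if amount <= 0 or amount > self.balance:
            return None
        self.balance -= amount
        self.tx_counter += 1
        record = f"{self.card_id}:{self.tx_counter}:{amount}".encode()
        return record, debit_tag(record)

    def credit(self, record, tag):
        # Seller side: accept only a genuine record, and each record only once.
        if not hmac.compare_digest(tag, debit_tag(record)):
            return False
        if record in self.seen:
            return False
        self.seen.add(record)
        self.balance += int(record.split(b":")[2])
        return True


def offline_purchase(buyer, seller, amount):
    """What the off-line terminal does: debit first, then credit, so that an
    interrupted transaction can lose value but never duplicate it."""
    proof = buyer.debit(amount)
    if proof is None:
        return False
    return seller.credit(*proof)
```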