Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Daud
12
Smart Card Technology: Past, Present, and Future
Smart cards help businesses evolve and characteristics the first draft proposal was
expand their products and services in a registered in 1983. A long discussion
changing global marketplace. The scope of resulted in the standardization of the contact
uses for a smart card has expanded each year location. Next was the standardization of
to include applications in a variety of signals and protocols which resulted in
markets and disciplines. In recent years, the standards ISO/IEC 7816/1-4. Logical
information age has introduced an array of security came next, as it was clear from the
security and privacy issues that have called beginning that there was a need for
for advanced smart card security cryptographic capabilities, though this was a
applications. bit difficult due to the limited computing
power and the few bytes of RAM available
The rest of the paper is organized as at that time (Quisquater, 1997). Nowadays,
follows; the next section briefly discusses the smart cards are used in several applications.
history of smart card development and the
current and future market analysis. Section A survey completed by Card
three looks into some application areas, their Technology Magazine (http://www.
limitations and strengths. This section cardtechnology.com) indicated that the
addresses the future directions of smart card industry had shipped more than 1.5 billion
technology giving more emphasis to security smart cards worldwide in 1999. Over the
consideration and memory management next five years, the industry will experience
among others. The section also discusses steady growth, particularly in cards and
some areas that need further studies in order devices to conduct electronic commerce and
to improve the current state of smart cards so to enable secure access to computer
that they can fit into the future needs. Like networks. A study by Dataquest in March,
smart cards, biometric is also an approach 2000, predicts almost 28 million smart card
used in identification protocol. Section four shipments (microprocessor and memory) in
deals with comparison between the two the U.S. According to this study, an annual
schemes. Finally, the paper concludes in growth rate of 60% is expected for U.S.
section five. smart card shipments between 1998 and
2003. Smart Card Forum Consumer
Research, published in early 1999, provides
additional insights into consumer attitudes
2. Historical Perspective towards application and use of smart cards.
The market of smart card is growing rapidly
Smart card was invented at the end of due to its wide range of applications. The
the seventies by Michel Ugon (Guillou, worldwide smart cards market forecast in
1992). The French group of bankcards CB millions of dollars and millions of units as
(Carte Bancaire) was created in 1985 and has shown in figure 1:
allowed the diffusion of 24 million devices
(Fancher, 1997). For the physical
International Journal of The Computer, the Internet and Management Vol. 12#1 (January – April, 2004) pp 12 - 22
13
L. A Mohammed, Abdul Rahman Ramli, V. Prakash, Mohamed B. Daud
14
Smart Card Technology: Past, Present, and Future
alternative non-volatile memory for future many applications. Malaysia’s national ID,
smart cards. Currently Philips is leaning for instance, is a multipurpose smart card
toward magnetic RAM as an alternative to with a fingerprint biometric. The card is first
EEPROM. of its kind in the world as it combines many
applications such as driving licence,
Another important application that passport, healthcare, and non-government
requires memory management is the applications such as an e-purse. (See
application of biometrics. The use of http://www.jpn.gov.my/ or www.iris.com.my
biometrics within the card itself will mean for details). Table 2 below gives the required
that biometric features (fingerprint, retina, bytes for various biometrics. Additional
voice etc) can reliably identify a person. information about biometric technology and
With enhancement in memory system, it will standards can be found from the following
soon be possible to authorize the use of organisations: The Biometric Consortium
electronic information in smart card using a (www.biometrics.org), International
spoken word. The use of some of these Biometric Industry Association (www.ibia.
features has already been implemented in rg), or BioAPI Consortium (www.iapi com).
International Journal of The Computer, the Internet and Management Vol. 12#1 (January – April, 2004) pp 12 - 22
15
L. A Mohammed, Abdul Rahman Ramli, V. Prakash, Mohamed B. Daud
smart card authentication and identification • No single vendor will specify the
protocols. For this reason, Gobioff (1996) standards for the operating system
proposes that smart cards be equipped with and the card’s use.
“additional I/O channels” such as buttons
to alleviate these shortcomings. Further, • The cards will support a high-level
there are numerous intrusion techniques application programming language
able to tamper with smart cards and (e.g., Java, C++) so issuers can
other similar temper-resistant devices as supply and support their own
presented in (Anderson, 1997). This also applications as well as applications
indicates the need for effective intrusion from many other vendors.
detection/prevention techniques.
• Applications can be written and will
operate on different vendor’s multi-
3.3 Open Architecture application smart cards with the same
API (Application Programming
Existing smart card standards leave Interface).
vendors too much room for interpretation. To
achieve wider implementation, there is need To overcome the problem of lack of
for an open standard that provides for inter- standardization, U.S. organizations have
operable smart cards solutions across many developed an add-on piece of smart card
hardware and software platforms. Open software meant to overcome communication
Platform, as defined by GlobalPlatform problems between chip cards and readers
(www.GlobalPlatform.org) is a compre- from different vendors. They would like to
hensive system architecture that enables the see this technology, which they call a "card
fast and easy development of globally capabilities container," used worldwide,
interoperable smart card systems. It making it an industry standard that would
comprises three elements; card, terminal and allow U.S. agencies to buy cards and readers
systems, each of which may include from many vendors, sure that they would
specifications, software and/or chip card work together (Cathy, 2002). Another move
technology. Together these components is the development of a new organization
define a secure, flexible, easy to use smart called Smart Card Alliance, formed by Smart
card environment. Development environ- Card Industry Association (SCIA) and Smart
ment in use today include; Java, Visual C, Card Forum (SCF) to act as a single voice
Visual Basic, C++, and the like. for the US smart card industries.
The development of standards like Even in biometrics, each vendor has its
GSM, EMV, CEPS, PC/SC, OCF, ITSO and own methods for enrolling individuals and
IATA 791 represents an opportunity for later checking someone’s identity against the
manufacturers to produce products on an stored image. However, there are efforts
economic scale and give stability to systems underway to create biometric standards,
designers. According to a report by largely driven by the U.S. government. In a
DatacardGroup (White paper version 1.0), major step, the American National Standards
True ‘open’ smart cards will have the Institute approved BioAPI as a standard way
following characteristics: for biometric devices to exchange data with
• They will run a non-proprietary ID applications. ANSI now is preparing to
operating system widely propose BioAPI to ISO for adoption as an
implemented and supported. international standard (Donald, 2002).
16
Smart Card Technology: Past, Present, and Future
International Journal of The Computer, the Internet and Management Vol. 12#1 (January – April, 2004) pp 12 - 22
17
L. A Mohammed, Abdul Rahman Ramli, V. Prakash, Mohamed B. Daud
Magnetic Interface
Interface
Driver
Power Generator
Stator
Processor
Rotor
Battery Memory
Power Regulator
18
Smart Card Technology: Past, Present, and Future
two card slots and Wireless Access Protocol The primary advantage of biometric
(WAP) connection to the Internet. The SIM authentication methods over other methods
smart card handles identification and handset of user authentication is that they use real
features, while a second slot can support a human physiological or behavioural
multi-application smart card that delivers characteristics to authenticate users. These
payment and loyalty application functions. biometric characteristics are (more or less)
permanent and not changeable. It is also not
Going beyond current GSM mobile- easy (although in some cases not principally
phone and banking markets, the smart-card impossible) to change one’s fingerprint, iris
industry is now casting an eye on the home or other biometric characteristics. Further,
entertainment market: “digital rights most biometric techniques are based on
management, home entertainment, something that cannot be lost or forgotten.
multimedia applications, 3G mobile This is an advantage for users as well as for
messaging, Wi-Fi with smart card security, system administrators because the problems
electronic legal signature and digital and costs associated with lost, reissued or
authentication" as logical places to extend temporarily issued tokens/cards/passwords
the reach of smart cards. can be avoided, thus saving some costs of the
system management.
International Journal of The Computer, the Internet and Management Vol. 12#1 (January – April, 2004) pp 12 - 22
19
L. A Mohammed, Abdul Rahman Ramli, V. Prakash, Mohamed B. Daud
techniques. Some biometric sensors methods are based on something the user
(particularly those having contact with users) knows or has, biometric systems can
also have a limited lifetime. While a sometimes link all user actions to a single
magnetic card reader may be used for years identity.
(or even decades), the optical fingerprint
reader (if heavily used) must be regularly Furthermore, biometric systems can
cleaned and even then the lifetime need not potentially be quite troublesome for some
exceed one year. users. These users find some biometric
systems intrusive or personally invasive. In
Biometric data are not considered to be some countries people do not like to touch
secret and security of a biometric system something that has already been touched
cannot be based on the secrecy of user’s many times (e.g., biometric sensor), while in
biometric characteristics. The server cannot some countries people do not like to be
authenticate the user just after receiving photographed or their faces are completely
his/her correct biometric characteristics. The covered. Lack of standards may also poses a
user authentication can be successful only serious problem. Two similar biometric
when user’s characteristics are fresh and systems from two different vendors are not
have been collected from the user being likely to interoperate at present.
authenticated. This implies that the biometric
input device must be trusted. Its authenticity Although good for user authentication,
should be verified (unless the device and the biometrics cannot be used to authenticate
link are physically secure) and user’s computers or messages. Biometric
likeness would be checked. The input device characteristics are not secret and therefore
also should be under human supervision or they cannot be used to sign messages or
tamper-resistant. The fact that biometric encrypt documents and the like. On the other
characteristics are not secret brings some hand, smart cards provide tamper-resistant
issues that traditional authentication systems storage for protecting private keys, account
need not deal with. Many of the current numbers, passwords, and other forms of
biometric systems are not aware of this fact personal information. Smart cards can also
and therefore the security level they offer is serve to isolate security-critical computations
limited. involving authentication, digital signatures,
and key exchange from other parts of the
User’s privacy may be violated by system that do not have a "need to know." In
biometric schemes. Biometric characteristics addition, smart cards provide a level of
are sensitive data that may contain a lot of portability for securely moving private
personal information. The DNA (being the information between systems at work, home,
typical example) contains (among others) the or on the road.
user’s preposition to diseases. This may be a
very interesting piece of information for an A better approach for the usage of
insurance company. The body odour can biometrics is to combine biometrics with
provide information about user’s recent smartcards. The advantages of this may
activities. It is also mentioned in (Jain, 1999) include: all attributes of the smartcards will
that people with asymmetric fingerprints are be maintained, counterfeiting attempts are
more likely to be homosexually oriented, etc. reduced due to enrolment process that
Use of biometric systems may also imply verifies identity and captures biometrics. It
loss of anonymity. While one can have will be extremely secure and provide
multiple identities when authentication excellent user-to-card authentication.
20
Smart Card Technology: Past, Present, and Future
International Journal of The Computer, the Internet and Management Vol. 12#1 (January – April, 2004) pp 12 - 22
21
L. A Mohammed, Abdul Rahman Ramli, V. Prakash, Mohamed B. Daud
8. Gobioff et al. (1996), Smart cards in 16. Schneier B., and A. Shostack (1999),
hostile environments. In Proceedings of Breaking Up Is Hard to Do: Modeling
The Second USENIX Workshop on Security Threats for Smart Cards,
Electronic Commerce, Oakland, CA. USENIX Workshop on Smart Card
Technology, USENIX Press, pp. 175-
9. Guillou L. C., et al. (1992), The smart 185.
Card: A Standardized Security Device
Dedicated to Public cryptology, in G.J. 17. Secure Personal Identification System:
Simmons (Ed.), Contemporary Crypto- Policy, Process and Technology
logy. The Science of Information Choices for a privacy – Sensitive
Integrity, IEEE Press, pp. 561-613. Solution, available online
www.smartcardalliance.org [8/9/02]
10. Jain A, Bolle R. and Pankanti S.
BIOMETRICS: Personal Identification in 18. Urien P.(2000), Internet Card, a Smart
Networked Society. Kluwer Academic card as a true Internet node, Computer
Publishers, 1999. Communication, 23, pp. 1655-1666.
11. Jurgensen T., and Scott Guthery, Smart 19. What’s so smart about smart cards?
Cards: The developer’s toolkit, Prentice Available at www.gemplus.com
Hall PTR Upper Saddle River, NJ. 2002. [2/12/02]
22