
SHAILESH GUPTA CSE B1 081088

1968 German inventor Jürgen Dethloff along with Helmut Gröttrup filed a patent for using plastic as a carrier for microchips.
1970 Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card concept.
1974 Roland Moreno of France files the original patent for the IC card, later dubbed the smart card.
1977 Three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger began developing
1979 Motorola developed first single chip Microcontroller for French Banking
1982 World's first major IC card testing
1992 Nationwide prepaid card project started in Denmark
1999 Federal Government began a Federal employee smart card identification

Aim of this project

To define a standard set of commands for smart cards for use in Indian applications. To provide a reference implementation of this standard. Transport Applications (Driving License and Vehicle Registration Certificate) were the pilot projects. Hence the OS standard is named SCOSTA. SCOSTA is defined by IIT Kanpur along with a technical subcommittee of SCAFI (Smart Card Forum of India).

A smart card contains a "chip" with memory and is typically used to hold customer account information and a "balance" of money similar to a checking account. The card is inserted into a device that can read and write to it updating information appropriately.

The standard definition of a smart card, or integrated circuit card (ICC), is any pocket-sized card with embedded integrated circuits. Loosely defined, a smart card is any card with a capability to relate information to a particular application, such as:
- Magnetic Stripe Cards
- Optical Cards
- Memory Cards
- Microprocessor Cards

Smart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being:
1. MultOS
2. JavaCard
3. Cyberflex
4. StarCOS
5. MFC

Smart Card Operating Systems, or SCOS as they are commonly called, are placed on the ROM and usually occupy less than 16 KB. SCOS handle:
- File Handling and Manipulation
- Memory Management
- Data Transmission Protocols

Standard technology for bank cards, driver's licenses, library cards, and so on

Uses a laser to read and write the card
CANPASS Contains:
- Photo ID
- Fingerprint

Can store:
- Financial Info
- Personal Info
- Specialized Info
Cannot process Info

Has an integrated circuit chip
Has the ability to:
- Store information
- Carry out local processing
- Perform Complex Calculations

Hybrid Card

Has two chips: contact and contactless interface. The two chips are not connected.

Combi Card

Has a single chip with a contact and contactless interface. Can access the same chip via a contact or contactless interface, with a very high level of security.

Classification

Contact vs. Contactless


Contact smart card

Contact smart cards are inserted in a smart card reader, making physical contact with the reader

Contactless smart cards

smart cards that employ a radio frequency (RFID) between card and reader without physical insertion of the card

Combi card

combines the two features

Classification

Memory vs. Microprocessor


Memory cards simply store data; they read and write to a fixed address on the card
- Straight Memory Cards
- Protected Cards: configured to restrict access through a password
- Stored Value Memory Cards: such as a telephone card, the chip has memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used.

Microprocessor cards
- Miniature Computer with microprocessor chip, input/output port, OS, ROM, EEPROM, RAM
- Add, delete, manipulate information in its memory
- Built-in security features

Life Cycle

- Fabrication phase
- Pre-personalisation Phase
- Personalisation Phase
- Utilisation Phase
- End-of-Life Phase

What's in a Card?

[Figure: card contact pads: Vcc, RST, CLK, RFU, GND, Vpp, I/O, RFU]

- 256 bytes to 4KB RAM.
- 8KB to 32KB ROM.
- 1KB to 32KB EEPROM.
- Crypto-coprocessors (implementing 3DES, RSA etc., in hardware) are optional.
- 8-bit to 16-bit CPU. 8051 based designs are common.

1. Card is inserted in the terminal
2. Card gets power. OS boots up. Sends ATR (Answer to reset)
3. ATR negotiations take place to set up data transfer speeds, capability negotiations etc.
4. Terminal sends first command to select MF
5. Card responds with an error (because MF selection is only on password presentation)
6. Terminal prompts the user to provide password
7. Terminal sends password for verification
8. Card verifies P2. Stores a status "P2 Verified". Responds OK
9. Terminal sends command to select MF again
10. Card responds OK
11. Terminal sends command to read EF1
12. Card supplies personal data and responds OK
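The terminal-card exchange above, modelled as a small card simulator with ISO 7816-4 instruction bytes and status words filled in. This is an added example, not SCOSTA reference code; the password, EF1 content, ATR and the three-try retry counter are constructed assumptions.

```python
import hmac

# Status words from ISO 7816-4; file ID 3F00 is the master file (MF).
SW_OK, SW_DENIED, SW_BLOCKED, SW_NOT_FOUND = 0x9000, 0x6982, 0x6983, 0x6A82
MF = 0x3F00
MAX_TRIES = 3   # constructed retry limit for this example

class Card:
    def __init__(self, password: bytes, ef1: bytes):
        self._password, self._ef1 = password, ef1
        self._tries = MAX_TRIES    # persistent: survives reset, like EEPROM
        self.verified = False      # the "P2 Verified" status, held in RAM
        self.current = None        # currently selected file

    def reset(self) -> bytes:
        # Power-up clears the volatile security status, not the retry counter.
        self.verified, self.current = False, None
        return bytes.fromhex("3B00")   # constructed minimal ATR

    def process(self, ins: int, data: bytes = b""):
        """Handle one command; return (response_data, status_word)."""
        if ins == 0xA4:                                  # SELECT by file ID
            if int.from_bytes(data, "big") != MF:
                return b"", SW_NOT_FOUND
            if not self.verified:                        # MF gated on password
                return b"", SW_DENIED
            self.current = MF
            return b"", SW_OK
        if ins == 0x20:                                  # VERIFY
            if self._tries == 0:
                return b"", SW_BLOCKED
            if hmac.compare_digest(data, self._password):
                self._tries, self.verified = MAX_TRIES, True
                return b"", SW_OK
            self._tries -= 1
            return b"", 0x63C0 | self._tries             # 63Cx: x tries left
        if ins == 0xB0:                                  # READ BINARY (EF1)
            if self.verified and self.current == MF:
                return self._ef1, SW_OK
            return b"", SW_DENIED
        return b"", 0x6D00                               # INS not supported

def session(card: Card, typed_password: bytes):
    """Terminal side of the exchange; returns (status words, data read)."""
    card.reset()
    mf = MF.to_bytes(2, "big")
    sws = [card.process(0xA4, mf)[1]]                    # first SELECT MF
    sws.append(card.process(0x20, typed_password)[1])    # password check
    sws.append(card.process(0xA4, mf)[1])                # SELECT MF again
    data, sw = card.process(0xB0)                        # read EF1
    return sws + [sw], data
```

Because the retry counter survives `reset()` while the verified flag does not, pulling and re-inserting the card neither keeps a session alive nor buys extra password guesses.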

Personal information, including the card serial number, date of issue and cardholder's name, gender, date of birth, ID number, and picture. Information relating to cardholder status, remarks for catastrophic diseases, number of visits and admissions, accumulated medical expenditure records and amount of cost-sharing. Medical service information, including drug allergy history and long-term prescriptions of ambulatory care and certain medical treatments.

Computer based readers Connect through USB or COM (Serial) ports

Dedicated terminals Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.

In comparison to their predecessor, the magnetic stripe card, smart cards have many advantages including:
- Life of a smart card is longer
- A single smart card can house multiple applications. Just one card can be used as your license, passport, credit card, ATM card, ID Card, etc.
- Smart cards cannot be easily replicated and are, as a general rule, much more secure than magnetic stripe cards
- Data on a smart card can be protected against

- chip is tamper-resistant
- information stored on the card can be PIN code and/or read-write protected
- capable of performing encryption
- each smart card has its own, unique serial number
- capable of processing, not just storing information
- Smart cards can communicate with computing devices through a smart card reader
- information and applications on a card can be updated without having to issue

+ NOT tamper proof
+ Can be lost/stolen
+ Lack of user mobility, only possible if user has smart card reader everywhere he goes
+ Has to use the same reader technology
+ Can be expensive
+ Working from PC software based token will be better
+ No benefits to using a token on multiple PCs to using a smart card

Commercial Applications
- Banking/payment
- Identification
- Ticketing
- Parking and toll collection
- Universities use smart cards for ID purposes and at the library, vending machines, copy machines, and other services on campus.

Mobile Telecommunications
- SIM cards used on cell phones
- Over 300,000,000 GSM phones with smart cards
- Contains mobile phone security, subscription information, phone number on the network, billing

Information Technology
- Secure logon and authentication of users to PCs and networks
- Encryption of sensitive data

Other Applications
- Over 4 million small dish TV satellite receivers in the US use a smart card as their removable security element and subscription information.
- Pre-paid, reloadable telephone cards
- Health Care, stores the history of a patient
- Fast ticketing in public transport, parking, and road tolling in many countries

Password
- Card holder's protection

Cryptographic challenge Response
- Entity authentication

Biometric information
- Person's identification

A combination of one or more

Terminal asks the user to provide a password. Password is sent to Card for verification. Scheme can be used to permit user authentication.
Not a person identification

Terminal verifies card (INTERNAL AUTH)

Terminal sends a random number to card to be hashed or encrypted using a key. Card provides the hash or ciphertext.

Terminal can know that the card is authentic. Card needs to verify (EXTERNAL
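The INTERNAL AUTH check described above, as an added example that is not from the original slides: the terminal issues a fresh random challenge and the card answers with a keyed hash. HMAC-SHA256, the 16-byte challenge and the class names are assumptions made for illustration; the slides only say the number is hashed or encrypted using a key.

```python
import hashlib
import hmac
import secrets

class AuthCard:
    """Card side: holds the secret key and answers challenges."""
    def __init__(self, key: bytes):
        self._key = key

    def internal_authenticate(self, challenge: bytes) -> bytes:
        # Keyed hash of the terminal's random number; the key never leaves.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class AuthTerminal:
    """Terminal side: issues one-shot challenges and checks the answer."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        # Fresh CSPRNG output per attempt, so a recorded response is useless.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, response: bytes) -> bool:
        if self._pending is None:          # no outstanding challenge
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None               # each challenge is accepted once
        return hmac.compare_digest(expected, response)

def authenticate(terminal: AuthTerminal, card: AuthCard) -> bool:
    """One full INTERNAL AUTH round between a terminal and a card."""
    return terminal.check(card.internal_authenticate(terminal.new_challenge()))
```

A response captured from an earlier round fails against the next challenge, which is why the terminal must draw a new random number for every attempt.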

Finger print identification.
- Features of finger prints can be kept on the card (even verified on the card)

Photograph/IRIS pattern etc.
- Such information is to be verified by a person. The information can be stored in the card securely.

Smart cards can be used for identification, authentication, and data storage. Smart cards can provide strong authentication for single sign-on or enterprise single sign-on to computers, laptops, data with encryption, enterprise resource planning
