5.1 Memory chips (including serial protected memory chips)
Memory-only smartcards are functionally similar to magnetic stripe cards and store only data. They depend on the card reader (also known as the card-accepting device) for their processing and are suitable for uses where the card system performs a fixed operation.
Compared with magnetic stripe cards:
• memory cards have a far higher data capacity (typically up to 16 thousand bits (Kbits) compared with 80 bytes per track across usually no more than three tracks on a conventional card); and
• serial-protected memory chip cards have an additional security feature – they can contain a hardwired memory that cannot be overwritten.
An example of a memory card is a photocopier card.
5.2 ROM-mask cards
ROM-mask cards have a fixed set of rudimentary computing functions built into a special-purpose chip: they are not programmable after manufacture. These cards provide a static file system supporting multiple applications implemented external to the smartcard; memory contents may be encrypted depending on the design of the chip. Their file systems and command set can be changed only by redesigning the logic of the chip and manufacturing a new batch of cards. ROM-mask cards are cheaper than multi-programmable smartcards when produced in large numbers, and are simpler to support.
Examples of ROM-mask cards include pre-paid telephone cards and special-purpose ticketing and tolling cards (such as the MIFARE standard).
5.3 Micro-controller cards
Micro-controller cards contain a computer-on-a-chip, with operating system, and read/write memory that can be updated many times. Micro-controller cards contain and execute logic and calculations, and store data in accordance with their operating system. They are like a miniature PC one can carry in a wallet. All they need to operate is power and a communication terminal.
Contact, contactless and dual-interface micro-controller integrated circuits are available. Unlike memory-only products, these micro-controller integrated circuits have been designed (and can be verified) to meet security targets, such as Common Criteria.
A multi-programmable card may serve as an identity authentication token and may also provide the cardholder with additional capabilities, such as digital signing for email, message encryption, payment using an electronic purse, physical access to controlled buildings, logical access to computer systems, and (limited) data storage of, for example, medical information for use by authorised personnel. Both contact and contactless smartcards can be multi-programmable.
When using a multi-programmable card, each application may be managed by a different group within an agency or even by an external application provider (for example, a third-party electronic purse for cafeteria use). While requiring more complex organisational coordination, implementation of multiple applications can enhance the business case supporting the adoption of smartcards.
6 Smartcard interfaces: contact
There are two primary types of chip card interfaces – contact and contactless. The terms contact and contactless describe the means by which electrical power is supplied to the integrated circuit card and data is transferred from the card to an interface (or card-accepting) device (reader).
• Contact smartcards require insertion into a smartcard reader so the reader can establish a direct electrical contact with the chip. Contact cards are generally used for a wide variety of applications, including financial transactions and logical access control.
• Contactless smartcards contain a chip and an antenna sandwiched between two layers of plastic. Contactless smartcards only have to be close to the reader (generally within 10 cm) for data exchange to take place. The contactless data exchange takes place over radio frequency waves. The device that facilitates communication between the card and the reader is a radio frequency antenna internal to both the card and the reader.
Contactless chips are typically used for functions that require rapid user throughput, such as high-volume transit automated fare collection systems or office building access. Wear and tear on card readers is reduced, which is a significant practical consideration in facilities security and management. Contactless chips have become increasingly accepted as the token of choice for controlling physical access. The contact interface tends to be preferred when smartcards are implemented for logical access control (computer logon) because positive and tangible contact must be reliably maintained for long periods, especially when digital signatures are in use. A drawback of contactless cards in logical access control is that other cards may be in the field without the user being aware of it. Furthermore, contactless cards are, in principle, more vulnerable to eavesdropping and to denial-of-service attacks [3].
Cards may offer both contact and contactless interfaces in the same package, via two differing design strategies:
• Hybrid smartcards contain two chips, one supporting a contact interface and one supporting a contactless interface. The chips on hybrid smartcards are generally not connected to each other. These products allow organisations to use a single credential to satisfy both contactless physical access control applications and applications requiring a contact interface, such as logical access to computers and networks.
• Dual-interface smartcards contain a single chip that supports both contact and contactless interfaces. These dual-interface cards provide the functionality of both contact and contactless cards in a single physical package, with designs able to allow the same information to be accessed via contact or contactless readers.
Contact, contactless and dual interface smartcards can support multiple applications, offering advantages to both the organisation issuing the card and the cardholder.
A card containing several types of read/write media is generally called a multi-technology card. For example, the user may want a newly issued smartcard to interface directly with an existing physical access control system that uses legacy technology. To accommodate this, the new card can be produced with contact or contactless smart chip technology, magnetic stripe, barcode, optical stripe and/or a 125 kHz proximity antenna.
While multi-technology cards may provide solutions for accommodating legacy access control systems, organisations should carefully consider the added complexity of implementing and maintaining multiple technologies.
7 Smartcard readers
Smartcard readers interface cards to computers, allowing them to communicate with one another and hence, at the card edge level, to ‘interoperate’. Very broadly, there are two families of smartcard readers, following the two types of communications interface discussed above. However, additional characteristics become important at the reader level and in respect of the reader-to-computer interface.
In particular, smartcard readers feature a range of security mechanisms at different price points. The simplest smartcard reader does little more than bring out the raw signals from the card and present them to a computer’s input/output port. In these cases, not only are there vulnerabilities to interception by attackers at the edge but more subtly, critical security information, especially PINs and passwords, can be intercepted by keystroke loggers within the computer application when the regular keyboard is invoked.
It is possible to classify smartcard readers in several ways:
• Contact versus contactless. Obviously the different communications methods necessitate different physical arrangements for readers to interface to smartcards, through contact or through wireless. Note too that within the contactless group, different readers may be needed to handle different range protocols, even though superficially all contactless readers may look much the same: plain plastic boxes near which a smartcard is passed.
• Slide contact versus landed contact. For contact cards, the reader may make physical contact with the card terminal pads either by sliding the card into position against what are typically leaf springs, or by a motorised arrangement which brings the reader connections into more active contact with the pads. In the latter case, the reader will often capture the card inside the mechanism, by a tractor arrangement, as is typically the case in Automatic Teller Machines. Readers that capture the card are more expensive, but they prevent ‘tearing’ where a card is removed for whatever reason in the midst of a transaction. Furthermore, they are far more resistant to attempts by criminals to insert mocked-up cards, because the capture mechanism can make sure the card conforms to ISO 7816 physical specification (and that it is in fact a card and not a long flat probe); such readers can, for example, include knives to cut off any wires that should not be inserted into the reader.
• Dumb readers versus intelligent readers. A so-called dumb reader basically passes signals straight through between the smartcard and the host computer. In contrast, intelligent readers take on a greater share of the host–card interactions and the human–card interactions. For instance, because PIN entry from a regular host PC may be vulnerable to keyboard sniffing, a more secure solution is for the PIN to be entered into a special purpose keypad built into the reader and controlled by dedicated firmware rather than the PC operating system. Naturally there is a cost–benefit trade-off in these more sophisticated types of readers.
• Readers with security access modules. These readers are required to accommodate external authentication functionality, that is, they securely store keys to access containers on the card.
• Hand-held readers. These will be a major infrastructure component for deployments such as smartcard driver licences, particularly for police roadside use.
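To make the dumb-reader versus PIN-pad distinction concrete, the following added example (not part of the original document, and not the code of any product) models the ISO/IEC 7816-4 VERIFY exchange. The APDU layout (CLA 00, INS 20, P1 00, P2 = PIN reference) and the status words 9000, 63Cx, 6983 and 6A88 are from the standard; the card itself is a software stand-in, the 8-byte ASCII PIN block padded with FF is an assumed layout (real formats are card-specific), and the names SimulatedCard, PinPadReader and host_verify are constructed for this example. The point it shows is that in host_verify the PIN exists in host memory, where a keystroke logger or application could capture it, whereas PinPadReader builds the APDU itself from a keypad the host never sees.

```python
"""ISO 7816-4 VERIFY, host-entered PIN versus reader PIN pad (constructed example)."""
from dataclasses import dataclass
from typing import Callable
import hmac

INS_VERIFY = 0x20
SW_OK = 0x9000            # PIN verified
SW_BLOCKED = 0x6983       # retry counter exhausted
SW_REF_NOT_FOUND = 0x6A88 # referenced PIN does not exist
MAX_TRIES = 3


def build_verify_apdu(pin: str, pin_ref: int = 0x80) -> bytes:
    """Case-3 VERIFY APDU: header, Lc, then the PIN block (assumed ASCII, FF padded)."""
    if not (4 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIN must be 4-8 digits")
    data = pin.encode("ascii").ljust(8, b"\xff")
    return bytes([0x00, INS_VERIFY, 0x00, pin_ref, len(data)]) + data


def decode_sw(sw: int) -> str:
    """Turn a status word into the message a reader or application would log."""
    if sw == SW_OK:
        return "verified"
    if (sw & 0xFFF0) == 0x63C0:
        return f"wrong PIN, {sw & 0x0F} tries left"
    if sw == SW_BLOCKED:
        return "PIN blocked"
    if sw == SW_REF_NOT_FOUND:
        return "PIN reference not found"
    return f"unexpected status {sw:04X}"


@dataclass
class SimulatedCard:
    """Software stand-in for the chip: holds one PIN and a retry counter."""
    pin_data: bytes
    pin_ref: int = 0x80
    tries_left: int = MAX_TRIES
    verified: bool = False

    def process(self, apdu: bytes) -> int:
        cla, ins, p1, p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if ins != INS_VERIFY or p2 != self.pin_ref:
            return SW_REF_NOT_FOUND
        if self.tries_left == 0:
            return SW_BLOCKED          # stays blocked until an unblock procedure
        if hmac.compare_digest(data, self.pin_data):
            self.tries_left = MAX_TRIES
            self.verified = True
            return SW_OK
        self.tries_left -= 1
        self.verified = False
        return 0x63C0 | self.tries_left


def host_verify(card: SimulatedCard, pin_typed_on_pc: str) -> int:
    """Dumb reader: the host application handles the PIN and passes the APDU through."""
    return card.process(build_verify_apdu(pin_typed_on_pc))


class PinPadReader:
    """Intelligent reader: the host asks for verification but never sees the PIN.
    collect_pin stands in for the reader's own keypad firmware."""

    def __init__(self, collect_pin: Callable[[], str]):
        self._collect_pin = collect_pin

    def verify(self, card: SimulatedCard, pin_ref: int = 0x80) -> int:
        pin = self._collect_pin()            # read on the keypad, inside the reader
        return card.process(build_verify_apdu(pin, pin_ref))


if __name__ == "__main__":
    card = SimulatedCard(pin_data=b"1234".ljust(8, b"\xff"))
    print(decode_sw(host_verify(card, "0000")))
    print(decode_sw(PinPadReader(lambda: "1234").verify(card)))
```

The retry counter and blocked state are the card's own protection against guessing; what the reader design changes is only where the PIN is exposed before it reaches the card.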
Many environments mandate physically secure PIN pads integrated with the smartcard reader. Additional electronic security enforcing functions can be engineered into readers to make them resistant to tampering. Notably in the banking sector, peripheral equipment standards such as AS 2805 Electronic funds transfer – Requirements for interfaces (and industry association or even legislative mandates) have long governed the quality and tamper resistance of card readers; Security Access Modules (SAMs) tend to be standard in EFTPOS terminal equipment under banking standards of this type. Of course, wrapped around the issue of standards compliance is independent conformance testing and accreditation.
Another layer of security that may apply at the card reader edge is mutual authentication, in particular, authentication by the card of the reader and authentication of the card by the reader before establishing a session. This mechanism allows smartcards to detect rogue terminal equipment and shut down operations to avoid hacking. In particular, banking smartcards can detect the presence of non-accredited or unapproved terminal equipment.
Some smartcard deployments use special-purpose readers, put in the hands of specially authorised parties. For example, the Taiwan National Health Insurance smartcard has been configured to fully interoperate only with special medical sector devices, as a (rather strict) way of controlling function creep and eventual privacy compromises. Elsewhere, some policy makers have foreshadowed special terminals being used in hospital emergency rooms which might – provided the smartcards themselves are so designed – allow operators to override the usual user PIN protections in order to access information when the user is not competent, for example, in emergency situations.
Finally, customised cut-down readers have also been deployed to make use of smartcard functions for special applications. For example, EMV smartcards have basic cryptographic commands built into them so they can encrypt input data and return a result. These basic commands can be put to use in a simple challenge–response calculator into which an EMV card is slipped to provide the necessary computing and cryptographic keys; in effect the smartcard is transformed into a regular two-factor authentication token. Such customised readers make EMV cards valuable for online authentication, without the need for a traditional smartcard reader to be connected to a PC.
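The mutual authentication described two paragraphs above, and the one-way challenge-response calculator described here, both rest on the same primitive: a party proves knowledge of a card key by computing a MAC over a fresh challenge. The following added example (written for this page; it is not the code of any card, terminal or scheme) walks through both sides of such a handshake. HMAC-SHA256 stands in for the card's own MAC algorithm, the message labels "reader", "card", "session" and "otp" and the class names Card and Reader are constructed for the example, and the 8-digit decimal truncation in one_time_response is an assumed token format, not the EMV one.

```python
"""Card-reader mutual authentication and one-way challenge-response (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Optional


def mac(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the card's MAC algorithm."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Card:
    """Holds the shared key; refuses a session unless the reader proves it too."""

    def __init__(self, key: bytes):
        self._key = key
        self._nonce: Optional[bytes] = None
        self.session_key: Optional[bytes] = None

    def get_challenge(self) -> bytes:
        """Message 1 (card -> reader): a fresh, one-shot challenge."""
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def external_authenticate(self, reader_nonce: bytes, reader_mac: bytes) -> Optional[bytes]:
        """Message 2 handler (reader -> card): check the reader's proof.
        Returns the card's own proof (message 3), or None to refuse the session."""
        if self._nonce is None:
            return None                       # no outstanding challenge: replay or out of order
        card_nonce, self._nonce = self._nonce, None   # challenge is consumed either way
        expected = mac(self._key, b"reader", card_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_mac):
            return None                       # rogue or unapproved terminal: shut down
        self.session_key = mac(self._key, b"session", card_nonce, reader_nonce)
        return mac(self._key, b"card", reader_nonce, card_nonce)


class Reader:
    """Terminal side of the same handshake."""

    def __init__(self, key: bytes):
        self._key = key
        self.session_key: Optional[bytes] = None

    def authenticate(self, card: Card) -> bool:
        card_nonce = card.get_challenge()
        reader_nonce = secrets.token_bytes(8)
        proof = mac(self._key, b"reader", card_nonce, reader_nonce)
        card_proof = card.external_authenticate(reader_nonce, proof)
        if card_proof is None:
            return False                      # card rejected us
        expected = mac(self._key, b"card", reader_nonce, card_nonce)
        if not hmac.compare_digest(card_proof, expected):
            return False                      # card is not genuine for this key
        self.session_key = mac(self._key, b"session", card_nonce, reader_nonce)
        return True


def one_time_response(key: bytes, challenge: str) -> str:
    """One-way form used by a challenge-response calculator: only the card proves
    itself, and the answer is shortened to 8 digits a user can type (assumed format)."""
    digest = mac(key, b"otp", challenge.encode("ascii"))
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


if __name__ == "__main__":
    key = bytes(range(16))                    # constructed card key
    print("genuine reader:", Reader(key).authenticate(Card(key)))
    print("rogue reader:  ", Reader(b"\x00" * 16).authenticate(Card(key)))
    print("token response:", one_time_response(key, "48213977"))
```

Because the card discards its challenge as soon as it is answered, a captured reader proof cannot be replayed, and a terminal without the key is refused before any application command is processed; the session key that both sides derive is what later commands would be MACed or encrypted under.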
8 Smartcard security
This section explores the logical security features of smartcards, especially those safeguards that are afforded by the processing capabilities of the embedded chip, operating on its own and/or in concert with other sub-systems.
The field of plastic card technology overlaps with smartcards, and includes a whole spectrum of other security measures such as holograms, security overlays, guilloche printing, micro-printing, optically variable printing, etc. This is a rich and complex area, not peculiar to smartcards. It is, however, very relevant to smartcards, particularly when human-readable security features are required.