A smart card looks like a credit card, but works very differently. Instead of just having a magnetic stripe, it contains an embedded microprocessor, which makes it more secure. Although smart cards are more popular in Europe and Asia, their popularity is growing rapidly in other areas of the world.
In this paper, we discuss the history, physical structure, security features, vulnerabilities, and current and future uses of smart cards. We also briefly describe how they work and give an overview of the need that led to their development.
In the early 1950’s, Diner’s Club issued the first all-plastic card to be used for purchases. This synthetic PVC-based card was more durable than the conventional paper-based cards that it replaced. By the end of the fifties, two other corporations joined the movement: American Express and Carte Blanche. Bank of America issued the first credit card, which later on became VISA. MasterCard was launched by Interbank not long afterwards. Unfortunately, these cards were only capable of showing identification items, such as names, numbers, and some codes, which were embossed onto the cards. There were no security features built into these cards at all. Credit card fraud was very unsophisticated.
Eventually, the cost of fraud and tampering pressured the development of a more secure card. The magnetic stripe was developed by the International Air Transport Association (IATA) in the 1970’s. The stripes had a capacity of 210 bits per inch, which translates to about 80 alphanumeric 7-bit characters. Even though the magnetic stripe technology made fraud more challenging, it could still be done. With an appropriate device, anyone can read, re-write, or delete the data on the stripes. Therefore, magnetic stripe cards were not the most suitable medium for storing sensitive information, and required an extensive online system for verification and processing.
History of Smart Cards
Two main ideas led to the development of smart cards. The first was by Dr. Kunitaka Arimura from Japan, who came up with the design of integrating data storage and arithmetic logic onto a single piece of silicon. He filed the patent for the idea in 1970. The second design was by the German inventors Jürgen Dethloff and Helmut Gröttrup. They filed the patent in 1968 for the idea of incorporating integrated circuits (IC) into an identification card.
To help fuel the development, the first computer-on-a-chip was fabricated in 1971 by Intel. As a consequence, in 1974, Roland Moreno, a French independent inventor, mounted the chip onto a plastic card and filed a patent for the invention and the device that reads it. It was later dubbed the “Smart Card.” In the process, Moreno founded the company Innovatron to sell his ideas. Partly because of this invention, Moreno is known as the “Father of Microchip.” Moreno’s main selling idea to the bankers was to load currency onto the cards to allow the user to spend it with merchants who have the necessary electronic payment systems.
By 1977, three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger, began developing smart card products. In 1979, Schlumberger bought fifteen percent of Innovatron to start the research and development of the smart card. Later, that share was increased to thirty-four percent. However, in March of 1979, Michel Ugon of Bull Corporation was the first to design an operational microprocessor card, which was known as the Bull CP8. It held 1KB of programmable memory and a 6805 microprocessor core produced by Motorola. These were considered to be the first intelligent cards. Combining the power of the microprocessor and the memory, the card was capable of making decisions based on the user’s need to modify, append, retrieve, or delete the stored data. The card was a two-chip design in which the memory and the microprocessor were two separate units, which proved to be an insecure solution. It was not until the technological advances of the 1980’s that all the circuits could be integrated into one chip. Although the original card was produced in the US by Motorola, American interest in smart cards never took off.
As the rate of fraud and vandalism increased for the coin-operated public phones in Europe in 1983, the telecommunications community demanded a better pay phone system. The smart card pay phone was chosen. Schlumberger began installing thousands of smart card pay phones throughout the continent. By the end of the year, they installed approximately 160,000 phones. Then, in 1984, one of the largest implementations of the smart card took place in France. The French banking industry decided to make smart cards the standard for credit and debit cards. As a result, the Carte Bleue was born – 16 million smart cards were produced and put to use. By the following year, France Telecom put into action seven million smart card-based pay phones. While the use of smart cards in Europe had already exploded, the first widespread use in the US had just begun. In 1986, 14,000 smart cards were issued to clients of the Bank of Virginia and the Maryland National Bank. In several other US cities smart card trials were deployed. However, consumer America was accustomed to magnetic striped cards and was not ready for the transition. The smart card failed to win consumer confidence. Today’s widest application of smart cards started in 1995 – the SIM cards for mobile telephones.
There are two main architectures of smart cards, which depend on the type of chip embedded in the card: integrated circuit (IC) microprocessor cards and integrated circuit (IC) memory cards.
Typical components in an IC microprocessor card include a Central Processing Unit (CPU), Random Access Memory (RAM), Read Only Memory (ROM), and Electrically Erasable Programmable Read Only Memory (EEPROM). The CPU typically comes in 8, 16, or 32 bit architectures, with a RISC processor running at speeds of 25 to 32 MHz. ROM is where the instructions are stored; they are written during the fabrication process. These instructions are then used by the Chip Operating System (COS). The typical ROM size is about 16KB. RAM is used as the temporary volatile working memory of the CPU, with sizes of about 512 bytes. EEPROM is used to store data since it is rewritable, erasable, and non-volatile. This permanent storage has sizes from 16KB to 128KB.
IC microprocessor cards with a full-fledged embedded microprocessor can function as a processor that is capable of executing multiple functions. These functions include encryption, advanced security mechanism, local data processing, complex calculations, and other interactive processes. Only these processor cards are smart enough to offer the high degree of security needed for currency cards, identification cards, and sensitive information.
IC memory cards can usually hold up to 16KB of data and have no embedded CPU, thus requiring the card reader to process the information. For that reason, they are much less expensive and much less functional than IC microprocessor cards. They contain EEPROM and ROM, as well as some security logic. The security logic is used to prevent writing and erasing secured data. In a more complex design, the logic could be used to restrict the read access. Because of their characteristics, they are most suitable for fixed operations such as pre-paid telephone cards and health insurance cards. They are a popular alternative to magnetic-stripe cards because of their higher security.
There are two communication methods between the media and the reader: contact and contact-less.
The chip and the contacts are embedded into the card body as shown in the figure below. The card’s body size, which is the same as a credit card (85.6 x 54 x 0.76 mm), is defined in International Standards Organization (ISO) 7816-2 along with other specifications such as module position and pads.
An insertion into the card reader is required in order to transfer information. When the contacts on the card come into contact with the sensors of the card reader, commands from the chip are executed, and information processing starts taking place. This category of card interface is the more common. A diagram and a table describing each contact are displayed below.
Power connection through which operating power is supplied to the microprocessor chip in the card
Reset line through which the IFD can signal to the smart card's microprocessor chip to initiate its reset sequence of instructions
Clock signal line through which a clock signal can be provided to the microprocessor chip. This line controls the operation speed and provides a common framework for data communication between the IFD and the ICC
Reserved for future use
Ground line providing common electrical ground between the IFD and the ICC
Programming power connection used to program EEPROM of first generation ICCs.
Input/output line that provides a half-duplex communication channel between the reader and the smart card
Reserved for future use
Contact-less Interface: Although the reliability of the contacts has improved dramatically over the years, contacts are one of the biggest failure points for smart cards. They are usually exposed to dirt, wear, and moisture. Contact-less cards solve this problem, and also provide engineers with new and interesting possibilities for various applications. Cards are not required to be inserted into the reader, but need to be put in close proximity (four to six inches) for the reader to access the data wirelessly through the antenna inside the card. The increase in convenience would improve the acceptance of the card.
Since the chip contacts are not embedded on the surface of the cards, there is more design freedom. Even so, contact-less cards have not captured the kind of market that they are capable of. This is due to the high cost of the cards. Nonetheless, this elegant wireless solution has potential down the road.
Hybrid interface is a combination of the two interfaces – contact and contact-less. The card has two separate ICs not connected to each other. Each chip has its own interface, either contact or contact-less. Some are also fitted with the conventional magnetic stripe, which allows users to use the card for credit or debit while it also provides smart card capabilities. Hybrid cards are typically used for applications that require a lot of computational power, for example with one processor performing encryption computations while the other carries out other types of computations.
Current uses of smart cards
Some of the main current uses of smart card technology are employee identification and authentication, physical security, building security, biometric information storage, secure access to the Internet, and secure transactions over the Internet. Smart cards are already being used in many common commercial applications, such as banking, payments, identification, ticketing, and parking or toll collection. Recently, the information age and the increased popularity of the Internet have raised many security issues that created the need for advanced smart card security applications, such as secure logon/authentication of users to a PC, storage of digital certificates and passwords, encryption of protected data, and wireless communication subscriber authentication.
Although smart cards are more common in Europe and Asia at the moment, their popularity is growing worldwide. Banks in Europe and selected places in South Africa are using the smart card, people in Germany can use the card when they visit their doctor, people in Sweden can use their smart cards to vote, and most satellite dishes in the United States use smart cards. In addition, many cellular phones are now using smart card technology in their SIM cards.
Smart cards can be used in a wide variety of fields because they can be used with other technologies to provide authenticated and trusted applications. They can be used to make identification cards, licenses, and passports more reliable. To prevent illegal duplication of these items, printed information and photographs can be digitized and stored on the card. Only authorized personnel can access this information through access conditions and passwords. To further ensure security, this can be combined with biometrics technology so that the biometric information of the smart card owner will be stored on the card. In this way, biometric scanners will be able to verify the authenticity of the identification with its owner by comparing the desired body part of the person with the biometric data stored on the card.
Incorporating a biometric sensor into a smart card reader is a useful way to combine the two applications in one device. Fingerprint sensors in smart card readers increase security by matching a biologically inherent attribute from the user with one corresponding on the smart card. This procedure is called match on card (MOC).
Future uses of smart cards
Smart card technology is growing rapidly and is being used in more applications. They are increasingly being used in network computing, especially in Internet data exchange and transactions. In the near future, smart cards will be replacing all magnetic stripes on credit cards. They are increasingly being used for money handling, transfer of funds, and salary crediting. In the future, smart cards will also replace all magnetic swipe cards for payphones. This way, call charges are deducted from a prepaid balance contained in the chip. Similarly, applications requiring coins can be replaced with smart cards prepaid for by the user. The charges will be taken from the balance on the card until it reaches zero. Medical care organizations will be using smart card technology in health cards. It will be used to hold the patient’s medical information, which can be accessed by doctors. For example, it can contain prescription information that can be looked at by pharmacists.
Future development of smart card technology will be in the area of contact-less smart cards. Smart cards can be used in security tagging for objects and people. For example, they can be used to tag personal property such as jewelry with information about the user. The cards can also be used as electronic purses so that a user can purchase items without the need to carry money.
Security mechanisms of smart cards
A smart card and a card accepting device (CAD) communicate using small data packets called Application Protocol Data Units (APDUs). This communication is difficult for outside sources to attack because it runs at a small bit rate (9600 bits per second) over a serial bi-directional transmission line, the flow of data only travels in one direction at a time, and the interaction follows a highly complicated protocol.
The smart card and the CAD use a complex protocol to communicate with one another. The card generates a random number and sends it to the CAD. The CAD then encrypts this number with a shared encryption key and sends it back to the smart card. Once the card receives the encrypted number, it compares it with the result of its own encryption. The smart card and the CAD can also carry out this exchange the other way around. After this communication is established, each message sent is confirmed by a message authentication code. This code is calculated from the actual message, the encryption key, and a randomly generated number. The most frequently used encryption techniques are symmetric DES (Data Encryption Standard), 3DES (triple DES), and public key RSA.
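The exchange described above can be simulated in a few lines. This is an added example, not part of the original paper: the names Card, respond, message_mac and auth_demo are hypothetical, HMAC-SHA256 from the Python standard library stands in for the DES/3DES encryption the text names, and only the direction in which the card authenticates the reader is shown.

```python
import hashlib
import hmac
import secrets

# HMAC-SHA256 stands in for the DES/3DES encryption the text names (assumption).
def respond(key, challenge):
    """The reader's answer to the card's random number."""
    return hmac.new(key, b"AUTH" + challenge, hashlib.sha256).digest()

def message_mac(key, nonce, message):
    """MAC over the message, the shared key and a fixed-length random number."""
    return hmac.new(key, b"MAC" + nonce + message, hashlib.sha256).digest()

class Card:
    def __init__(self, key):
        self._key, self._challenge = key, None
        self._seen_nonces = set()
        self.authenticated = False

    def get_challenge(self):
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def authenticate_reader(self, response):
        if self._challenge is None:
            return False
        expected = respond(self._key, self._challenge)
        self._challenge = None  # each challenge is good for one attempt only
        self.authenticated = hmac.compare_digest(expected, response)
        return self.authenticated

    def accept(self, nonce, message, mac):
        if not self.authenticated or nonce in self._seen_nonces:
            return False  # no authenticated session, or a replayed message
        if not hmac.compare_digest(message_mac(self._key, nonce, message), mac):
            return False  # message or MAC altered in transit
        self._seen_nonces.add(nonce)
        return True

def auth_demo():
    key = secrets.token_bytes(16)  # constructed shared key
    card, out = Card(key), {}
    # A reader holding the wrong key cannot answer the challenge.
    out["wrong_key"] = card.authenticate_reader(respond(bytes(16), card.get_challenge()))
    # An answer recorded for an earlier challenge fails against a fresh one.
    stale = respond(key, card.get_challenge())
    card.get_challenge()
    out["stale_response"] = card.authenticate_reader(stale)
    out["genuine"] = card.authenticate_reader(respond(key, card.get_challenge()))
    nonce, msg = secrets.token_bytes(8), b"DEBIT 5.00"  # constructed message
    mac = message_mac(key, nonce, msg)
    out["tampered"] = card.accept(nonce, b"DEBIT 0.05", mac)
    out["first_delivery"] = card.accept(nonce, msg, mac)
    out["replay"] = card.accept(nonce, msg, mac)
    return out

if __name__ == "__main__":
    print(auth_demo())
```

The fresh random number is what defeats a recorded answer, and the per-message random number is what lets the card refuse a message it has already accepted.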
The data on smart cards is structured in a tree hierarchy, similar to how data is structured in MS-DOS. There is one master file which has many elementary and dedicated files. The headers of each of them contain security features. Moreover, any application can move through the hierarchy if it has the proper authorization.
Smart cards contain five basic levels of access privileges to the elementary and dedicated files. These levels are always, card holder verification 1, card holder verification 2, administrative, and never. Always means that there are no restraints on access to the files. Card holder verification 1 indicates that access is granted if the proper verification 1 value is given. Similarly, card holder verification 2 indicates that access is granted if the proper verification 2 value is given. These are distinct values that correspond to the two security PINs stored in the card. One of the PINs is a user PIN and the other is an unblocking PIN. Administrative means that the administration has the authority to decide what restraints will be placed on the files. Never means there is no access to the files.
The PINs mentioned above are stored in different elementary files. The operating system determines the number of times an incorrect PIN can be entered successively before it blocks the card. When the card is blocked, it can only be unblocked using the unblocking PIN pre-stored in the smart card. The unblocking PIN can also become blocked in the same way that the user PIN can be blocked.
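The access levels and PIN blocking rules above can be modelled as follows. This is an added example, not code from the original paper: the class names, file names, PIN values and retry limits (3 and 10) are assumptions, since the paper says only that the operating system sets the limit, and the administrative level is modelled as never granted because no administrative key exists in this sketch.

```python
import hmac
from enum import Enum

AC = Enum("AC", "ALW CHV1 CHV2 ADM NEV")  # the five access levels listed above

class Pin:
    def __init__(self, value, max_tries):
        self.value, self.max_tries, self.tries_left = value, max_tries, max_tries

    def verify(self, attempt):
        if self.tries_left == 0:
            return False  # blocked: even the correct value is refused
        if hmac.compare_digest(attempt.encode(), self.value.encode()):
            self.tries_left = self.max_tries  # success resets the counter
            return True
        self.tries_left -= 1
        return False

class FileCard:
    def __init__(self, user_pin, unblock_pin, files):
        self.chv1 = Pin(user_pin, 3)      # retry limits are assumptions; the
        self.chv2 = Pin(unblock_pin, 10)  # card operating system sets them
        self.files = files                # name -> (read condition, data)
        self.granted = {AC.ALW}

    def verify_user_pin(self, attempt):
        ok = self.chv1.verify(attempt)
        self.granted = {AC.ALW, AC.CHV1} if ok else {AC.ALW}
        return ok

    def unblock(self, unblock_attempt, new_user_pin):
        if not self.chv2.verify(unblock_attempt):
            return False  # the unblocking PIN has its own retry counter
        self.chv1 = Pin(new_user_pin, self.chv1.max_tries)
        return True

    def read(self, name):
        condition, data = self.files[name]
        # ADM and NEV are never in `granted`: no administrative key exists here.
        return data if condition in self.granted else None

def access_demo():
    card = FileCard("1234", "87654321", {       # constructed PINs and files
        "EF_SERIAL": (AC.ALW, b"0001"),
        "EF_BALANCE": (AC.CHV1, b"25.00"),
        "EF_KEY": (AC.NEV, b"secret"),
    })
    out = {"before_pin": card.read("EF_BALANCE"), "serial": card.read("EF_SERIAL")}
    out["after_pin"] = card.verify_user_pin("1234") and card.read("EF_BALANCE")
    out["never"] = card.read("EF_KEY")
    out["guesses"] = [card.verify_user_pin(g) for g in ("0000", "1111", "2222")]
    out["correct_when_blocked"] = card.verify_user_pin("1234")
    out["bad_unblock"] = card.unblock("00000000", "4321")
    out["good_unblock"] = card.unblock("87654321", "4321")
    out["new_pin"] = card.verify_user_pin("4321")
    return out
```

Once the counter reaches zero the card refuses the correct PIN as well, which is what limits an attacker to a handful of guesses.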
Known attacks on smart cards
Although smart cards provide a higher level of security and authentication, their vulnerabilities are known, as are methodologies to attack their security. Attackers target the cryptographic algorithms and the access control inside the card. All the critical information of a smart card is stored in the EEPROM (electrically erasable programmable read only memory). Data and passwords stored on a smart card can be modified by drastically changing the voltage supply. Raising the voltage supply to a level unusual to the microcontroller clears or erases the security bit stored.
Another known attack is on a security processor. A voltage drop can sometimes remove the security lock without erasing the secret data. Dropping the voltage can also be used in other attacks: it can affect the generator that creates the cryptographic keys so that it outputs a key of almost all 1’s. As a result of these attacks, some processors contain sensors that sense changes in the surroundings. This technique is not commonly used because the voltage fluctuates when power is initially given to the card, and it is not easy to find the right level at which to sense a voltage change from an undesired source.
Not only can someone undermine the security of smart cards by trying to attack the cryptographic algorithms, but one can also physically alter the cards. The chip can be removed from the card by cutting it open and removing the plastic surrounding it. Techniques have been developed to reverse engineer the chip. Also, there are methods to observe the operation of the chip to obtain the secrets of how it operates. This is easier said than done; it is not possible for the average person to do at home.
Using smart cards is a very clever solution to increasing the security of sensitive information. Their reliability entirely depends on the small bit rate, half duplex data flow, and highly complicated protocol used in the communication between the card and the reader. Although consumers in the US are too accustomed to the old magnetic cards and their well-developed infrastructure, the benefits of using smart cards will motivate the transition to this more secure technology. However, this transition will have to be gradual. In addition, a reduction in price for the smart cards and equipment will greatly increase their acceptance and usage. Clearly, as we have shown, the implementation of smart cards is very broad and the possibilities infinite.