
Smart card technology

INTRODUCTION

Smart cards are similar in size and shape to the familiar magnetic stripe cards used
for credit and debit transactions, but smart cards contain an embedded integrated
circuit (chip) that interfaces with terminals (which activate the chip’s power). The chip
contains a microprocessor and storage or memory. The memory contains a chip
operating system (COS) for the microprocessor, communications software, and can
contain encryption algorithms, applications software and data. When used with the
appropriate applications, smart cards can provide enhanced security and the ability
to record, store and update data. When implemented properly they can provide
interoperability across services, and allow multiple applications or uses via one card.
Applications can access data directly from the chip, and smart cards can contain
portable, personal and secure databases. Applications using smart cards as a data
storage medium can save time and expense since access to a central database
each time a transaction occurs is not necessary. Smart cards cannot replace central
records storage, such as a medical records file or bank account. Rather, they can be
viewed as “keys” to different databases and can contain an extract of critical data
contained in those databases. Unlike magnetic stripe cards – which carry limited
information, can be easily duplicated, and are limited to use as a key to on-line
functions – smart cards can provide diverse off-line and on-line functionality and
read-write capability.

DEPT OF E&C NHCE 1



HISTORY

 1968
German inventor Jorgen Dethloff along with Helmet Grotrupp filed a patent for
using plastic as a carrier for microchips.

 1970
Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card
concept

 1974
Roland Moreno of France files the original patent for the IC card, later dubbed
the “smart card.”

 1977
Three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger
began developing the IC card product.

 1979
Motorola developed first single chip Microcontroller for French Banking

 1982
World's first major IC card testing

 1992
Nationwide prepaid card project started in Denmark

 1999
Federal Government began Federal employee smart card identification


INSIGHT

Types of Chip Cards

Smart cards are defined according to the type of chip implanted in the card
and its capabilities. There is a wide range of options to choose from
when designing your system.

Increased levels of processing power, flexibility and memory add cost.
Single function cards are often the most cost-effective solution. Choose the
right type of smart card for your application by evaluating cost versus
functionality and determining your required level of security. The following
chart demonstrates the general rules of thumb.

Memory Cards

Memory cards have no sophisticated processing power and cannot manage
files dynamically. All memories communicate to readers through
synchronous protocols. There are three primary types of memory cards:

Straight Memory Cards

These cards just store data and have no data processing capabilities.
These cards are the lowest cost per bit for user memory. They should be
regarded as floppy disks of varying sizes without the lock mechanism.
These cards cannot identify themselves to the reader, so your host system
has to know what type of card is being inserted into a reader.

Protected / Segmented Memory Cards

These cards have built-in logic to control the access to the memory of the
card. Sometimes referred to as Intelligent Memory cards, these devices can
be set to write protect some or the entire memory array. Some of these
cards can be configured to restrict access to both reading and writing. This
is usually done through a password or system key. Segmented memory
cards can be divided into logical sections for planned multi-functionality.

Stored Value Memory Cards

These cards are designed for the specific purpose of storing value or
tokens. The cards are either disposable or rechargeable. Most cards of this
type incorporate permanent security measures at the point of manufacture.
These measures can include password keys and logic that are hard-coded
into the chip by the manufacturer. The memory arrays on these devices are
set-up as decrements or counters. There is little or no memory left for any
other function. For simple applications such as a telephone card the chip
has 60 or 12 memory cells, one for each telephone unit. A memory cell is
cleared each time a telephone unit is used. Once all the memory units are
used, the card becomes useless and is thrown away. This process can be
reversed in the case of rechargeable cards.


CPU/MPU Microprocessor Multifunction Cards

These cards have on-card dynamic data processing capabilities.
Multifunction smart cards allocate card memory into independent sections
assigned to a specific function or application. Within the card is a
microprocessor or microcontroller chip that manages this memory allocation
and file access. This type of chip is similar to those found inside all personal
computers and when implanted in a smart card, manages data in organized
file structures, via a card operating system (COS). Unlike other operating
systems, this software controls access to the on-card user memory. This
capability permits different and multiple functions and/or different
applications to reside on the card, allowing businesses to issue and
maintain a diversity of ‘products’ through the card. One example of this is a
debit card that also enables building access on a college campus.
Multifunction cards benefit issuers by enabling them to market their
products and services via state-of-the-art transaction technology.


THE MICROPROCESSOR CHIP

A microprocessor chip has:

• A CPU and 8K to 64K bytes (or more) of Read Only Memory (ROM) that contains the
chip’s operating system;
• Random Access Memory (RAM) that serves as a temporary register for data;
and
• Electrically Erasable Programmable Read Only Memory (EEPROM) that is
used for the storage of user data.

EEPROM can contain between 1K byte and 64K bytes or more of memory. To
highlight the functions of a smart card it is helpful to divide (conceptually) the
chip’s memory functions into three areas:

• ROM. Read-Only Memory containing the chip’s operating system. The
operating system or command set controls all communication between the chip
and the outside world. The ROM is masked or written during production by the
semiconductor manufacturer and, once written, cannot be altered.

• EEPROM. Electrically Erasable Programmable Read-Only Memory is the
read/write memory for the storage of data. Access to the EEPROM memory is
controlled by the chip’s operating system, and the EEPROM may contain data such
as a PIN that can only be accessed by the operating system. Other data, for example a
card’s serial number, can be written to EEPROM during card manufacture. Most
of the EEPROM memory is used to store user data such as a biometric, purse
balance, demographic information, and transaction records, and can be rewritten
approximately 10,000 times.


• RAM. Random Access Memory, which is volatile, is used as a temporary
storage register by the chip’s microprocessor. For example, when a PIN is being
verified, the PIN sent by the terminal/PIN pad is temporarily stored in RAM.

The following example will further explain the functions of the memory areas
listed above. A commonly used microprocessor chip card would have its
operating system stored in ROM. The operating system or command set would
respond to commands, such as “read a record,” “write a record,” and “verify
PIN,” sent to the card by a terminal. Information such as fund balances, card
serial number, and demographic information is stored in EEPROM. The CPU
performs all processing functions, such as encryption, while RAM serves as a
temporary register for information. During PIN verification, the PIN is temporarily
stored in RAM. Since RAM is volatile, as soon as a card is powered off,
all information stored in RAM is lost.

When evaluating card types for a particular
application, the amount of memory in various components is important. The
EEPROM capacity of a card is critical because a larger capacity EEPROM can
store a greater number of application records and transaction files. The amount
of ROM is also important because a larger capacity ROM contains a more
sophisticated operating system, which facilitates complex card and system
operations. There is also a relationship between ROM and EEPROM in some
cards because several vendors allow custom code extending the ROM’s
operating system to be written in EEPROM. While this technique increases the
card's functionality, it decreases the amount of EEPROM available for application
and transaction storage.
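
The split between EEPROM (persistent data guarded by the operating system) and RAM (volatile working state) described above, as an added example that is not part of the original report: a toy card operating system answering ISO/IEC 7816-4 style VERIFY, READ RECORD and UPDATE RECORD commands. `ToyCard`, `build_apdu`, the sample PIN and the records are constructed; the PIN retry counter and the PIN protection on every record are assumptions that go beyond the text.

```python
"""Added example: a toy chip operating system (COS) answering ISO/IEC 7816-4
style command APDUs. ToyCard, the sample PIN and the records are constructed."""
import hmac

SW_OK, SW_WRONG_LENGTH = 0x9000, 0x6700
SW_SECURITY_NOT_SATISFIED, SW_PIN_BLOCKED = 0x6982, 0x6983
SW_RECORD_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6A83, 0x6D00
INS_VERIFY, INS_READ_RECORD, INS_UPDATE_RECORD = 0x20, 0xB2, 0xDC


class ToyCard:
    MAX_TRIES = 3  # assumed retry limit

    def __init__(self, pin: bytes, records):
        # EEPROM: non-volatile. Only the COS methods below ever touch it.
        self._eeprom = {"pin": pin, "tries": self.MAX_TRIES, "records": list(records)}
        self._ram = None  # volatile; exists only while the terminal supplies power

    def power_on(self):
        self._ram = {"pin_verified": False}

    def power_off(self):
        self._ram = None  # everything held in RAM is lost

    def transmit(self, command: bytes):
        """Handle one short APDU (CLA INS P1 P2 [Lc data | Le]); return (data, SW)."""
        if self._ram is None:
            raise RuntimeError("card is not powered")
        if len(command) < 4:
            return b"", SW_WRONG_LENGTH
        ins, p1, body = command[1], command[2], b""
        if len(command) > 5:  # Lc must be followed by exactly Lc data bytes
            if len(command) != 5 + command[4]:
                return b"", SW_WRONG_LENGTH
            body = command[5:]
        if ins == INS_VERIFY:
            return self._verify(body)
        if ins in (INS_READ_RECORD, INS_UPDATE_RECORD):
            return self._record(ins, p1, body)
        return b"", SW_INS_NOT_SUPPORTED

    def _verify(self, candidate: bytes):
        ee = self._eeprom
        if ee["tries"] == 0:
            return b"", SW_PIN_BLOCKED
        # The candidate PIN is only ever held in working memory, never stored.
        ok = hmac.compare_digest(candidate, ee["pin"])
        ee["tries"] = self.MAX_TRIES if ok else ee["tries"] - 1
        self._ram["pin_verified"] = ok
        return b"", SW_OK if ok else 0x63C0 | ee["tries"]  # 63Cx: x tries left

    def _record(self, ins: int, p1: int, body: bytes):
        # Assumption: every record is PIN-protected for reading and writing.
        if not self._ram["pin_verified"]:
            return b"", SW_SECURITY_NOT_SATISFIED
        records = self._eeprom["records"]
        if not 1 <= p1 <= len(records):
            return b"", SW_RECORD_NOT_FOUND
        if ins == INS_UPDATE_RECORD:
            records[p1 - 1] = body
            return b"", SW_OK
        return records[p1 - 1], SW_OK


def build_apdu(ins: int, p1: int = 0, data: bytes = b"") -> bytes:
    """Build a short command APDU; without data a single Le byte of 0 is sent."""
    # P2 = 0x04 selects "record number given in P1" for the record commands.
    head = bytes([0x00, ins, p1, 0x00 if ins == INS_VERIFY else 0x04])
    return head + (bytes([len(data)]) + data if data else b"\x00")


if __name__ == "__main__":
    card = ToyCard(b"1234", [b"balance=20", b"serial=0001"])
    card.power_on()
    for cmd in (build_apdu(INS_READ_RECORD, 1),
                build_apdu(INS_VERIFY, data=b"1234"),
                build_apdu(INS_READ_RECORD, 1)):
        data, sw = card.transmit(cmd)
        print(cmd.hex(), "->", data, hex(sw))
```

The verified state lives only in RAM, so removing power forces a new PIN check, while the retry counter and records sit in EEPROM and survive the power cycle.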


CONTACTLESS MEMORY CARDS

A contactless smart card includes an embedded smart card secure
microcontroller or equivalent intelligence, internal memory and a
small antenna, and communicates with a reader through a contactless
radio frequency (RF) interface. Contactless smart card
technology is used in applications that need to protect personal
information and/or deliver fast, secure transactions, such as transit
fare payment cards, government and corporate identification cards,
documents such as electronic passports and visas, and financial
payment cards. Contactless smart cards have the ability to securely
manage, store and provide access to data on the card, perform on-card
functions (e.g., encryption) and interact intelligently with a
contactless smart card reader. While offering similar capabilities to
contactless smart cards, contact smart cards require physical
contact with the reading mechanism rather than using a contactless
interface. The contactless interface provides users with the
convenience of allowing the contactless card to be read at short
distances with fast transfer of data.


Contactless smart card technology is available in a variety of forms:
in plastic cards, watches, key fobs, documents and other handheld
devices (e.g., built into mobile phones). For the purpose of this
document, “card” is used as the generic term to describe any
device in which smart card technology is used.

Contactless smart card systems are closely related to contact smart
card systems. As in a contact smart card system, information is
stored on a chip embedded within the contactless smart card.
However, unlike the contact smart card, the power supplied to the
card as well as the data exchanged between the card and the
reader are achieved without the use of contacts, using magnetic or
electromagnetic fields both to power the card and to
exchange data with the reader.

The contactless smart card contains an antenna embedded within
the plastic body of the card (or within a key fob, watch or other
document). When the card is brought into the electromagnetic field
of the reader, the chip in the card is powered on. Once the chip is
powered on, a wireless communication protocol is initiated and
established between the card and the reader for data
transfer. The following four functions describe at a high level the
sequence of events that happen when a contactless smart card is
brought near a card reader:

• Energy transfer to the card for powering the integrated circuit (chip)
• Clock signal transfer
• Data transfer to the contactless smart card
• Data transfer from the contactless smart card


Hence, once the card is brought within range of an electromagnetic
field of the required frequency, the card will be powered up, ready
to communicate with the reader. Since the contactless smart cards
described in this FAQ are based on the ISO/IEC 14443 standard, this
frequency is 13.56 MHz and a reader that complies with the
standard would have an activation field (range) of about 4 inches
(approximately 10 centimeters).
In other words, the card needs to be within 10 centimeters of a
reader for it to be effectively powered; however, the effective range
for communications for the card to be read will depend on a number
of factors like the power of the reader, the antenna of the reader
and the antenna of the card.

Applications that need strong information and communications
security use contactless smart card technology based on an
international standard (ISO/IEC 14443) that limits the ability to read
the contactless device to approximately 4 inches (10 centimeters).
The contactless smart card must be positioned in a target area
extremely close to the reader to function, thus reducing any chance
for it to be “read” without the user’s knowledge. Additionally, the
information stored on the card is typically protected against theft
with secure encryption, and communication between the card and
the reader is secure and authenticated.

Applications using contactless smart cards can protect stored data
in a number of ways. First, in order to access the data from a
contactless smart card, the application may require knowledge of
specific secret keys. In general, without knowledge of these secret
keys, the card’s microcontroller and circuitry will block any attempts
to access the data on the chip. Second, information stored on cards
or documents using contactless smart card technology can be
encrypted. In addition, communications between the contactless
smart card and the reader can be encrypted to prevent
eavesdropping. Secure applications also typically require “mutual
authentication,” where the contactless smart card first verifies that
the reader is authentic and then proves its own authenticity to the
reader before starting any further communications. The ability of a
contactless smart card application to verify the authority of the
information requestor and provide strong chip and data security
makes it an excellent guardian of personal information and individual
privacy.

Today’s contactless smart cards use advanced chips that
incorporate a microcontroller or equivalent intelligence, as well as
internal memory, and have the primary goal of securing data on the
chip. Typically, a contactless smart card that targets banking,
transport, and ID applications will operate at short range (less than
4 inches or 10 centimeters). This short distance ensures that the
user performs a conscious action to transact, avoiding accidental or
fraudulent transactions.

Contactless smart cards may also support separate keys for
reading and for writing. Thus, being able to read data from a smart
card does not enable you to write or update the data, unless the
application provider planned it to be so.
Contactless smart cards can also support a variety of encryption
algorithms for increased security. This is essential for highly
demanding applications such as banking, transport, and secure ID
because it provides the highest security level possible. RFID tags do
not support encryption.
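
The mutual authentication and the separate read and write keys described above, as an added example that is not part of the original report. It assumes an HMAC-SHA256 challenge-response with 16-byte nonces; the class names, keys and card data are constructed for illustration, and a real card uses whatever algorithm its issuer selected.

```python
"""Added example: mutual authentication with separate read and write keys.
Assumed (not from the report): HMAC-SHA256 proofs, 16-byte nonces, all names."""
import hashlib
import hmac
import secrets


class AuthError(Exception):
    """Raised when a side cannot prove knowledge of the required key."""


def proof(key: bytes, sender: bytes, first: bytes, second: bytes) -> bytes:
    # The sender label stops a reader proof being reflected back as a card
    # proof; the two nonces bind the proof to this one exchange.
    return hmac.new(key, sender + first + second, hashlib.sha256).digest()


class Card:
    def __init__(self, read_key: bytes, write_key: bytes, data: bytes):
        self._keys = {"read": read_key, "write": write_key}
        self._data = data
        self._role = self._nonce = self._granted = None

    def begin(self, role: str) -> bytes:
        """Issue a fresh challenge for the requested role; drop any old grant."""
        if role not in self._keys:
            raise AuthError("unknown role")
        self._role, self._granted = role, None
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify_reader(self, reader_nonce: bytes, reader_proof: bytes) -> bytes:
        """Check the reader first; only then reveal the card's own proof."""
        if self._nonce is None:
            raise AuthError("no challenge outstanding")
        nonce, self._nonce = self._nonce, None  # each challenge is single-use
        key = self._keys[self._role]
        expected = proof(key, b"reader", nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            raise AuthError("reader not authentic")
        self._granted = self._role
        return proof(key, b"card", reader_nonce, nonce)

    def read(self) -> bytes:
        if self._granted != "read":
            raise AuthError("session under the read key required")
        return self._data

    def write(self, data: bytes) -> None:
        if self._granted != "write":
            raise AuthError("session under the write key required")
        self._data = data


class Reader:
    def __init__(self, key: bytes, role: str):
        self.key, self.role = key, role

    def authenticate(self, card) -> bool:
        card_nonce = card.begin(self.role)
        my_nonce = secrets.token_bytes(16)
        mine = proof(self.key, b"reader", card_nonce, my_nonce)
        card_proof = card.verify_reader(my_nonce, mine)
        expected = proof(self.key, b"card", my_nonce, card_nonce)
        if not hmac.compare_digest(expected, card_proof):
            raise AuthError("card not authentic")
        return True


class KeylessDevice:
    """Answers like a card but holds none of the issuer's keys."""
    def begin(self, role: str) -> bytes:
        return secrets.token_bytes(16)
    def verify_reader(self, reader_nonce: bytes, reader_proof: bytes) -> bytes:
        return secrets.token_bytes(32)


def rejected(action) -> bool:
    """True when the call is refused with AuthError."""
    try:
        action()
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    rk, wk = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    card = Card(rk, wk, b"balance=20")
    print(Reader(rk, "read").authenticate(card), card.read())
```

A reader holding only the read key can read but is refused a write session, and a recorded reader proof fails against the next challenge because the card's nonce is fresh each time.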

Contactless smart cards by their nature protect the information that
resides in their memory. Contactless smart card chips have built-in
tamper-resistance, with both hardware and software capabilities
that detect and react to tampering attempts. Information stored on
cards or documents using contactless smart card technology can be
encrypted, and communication between the contactless smart card
and the reader can also be encrypted to prevent eavesdropping.
Plus, a contactless smart card application can verify that the reader
is authentic and can prove its own authenticity to the reader before
starting a secure transaction. It is important to note, however, that
information privacy and security must be designed into an
application at the system level by the organization issuing the
contactless device, card or document. Card issuers will usually
have a stated privacy policy that describes to cardholders how
personal information is used and protected. Card issuers will also
typically implement information security requirements throughout a
system that will disallow the use of data fraudulently obtained.
Given sufficient technology, time, resources and expertise, any
technology may be compromised.
However, contactless smart cards are significantly more costly and
complex to compromise than other solutions. Furthermore, in
general, the security inherent to contactless smart card-enabled
applications and systems is such that system-level application
countermeasures may be deployed faster than attackers can use
the vulnerability created on any individual card.

Information (data) can only be written into the contactless smart
card memory if authority to do so is provided. Authority is given by
the card issuer or application provider, who is the only entity that
knows the secret keys and that knows how to write data to the card.
Plus, the card would need to be within close proximity (4 inches or
10 centimeters for ISO/IEC 14443-compliant cards) of a specific
contactless reader. It is important to note that the write protection
of the data on the new U.S. electronic passport is very strong and no
data can be added, deleted or modified in the passport’s contactless
smart card chip once it has been issued to the citizen.

Contactless smart cards are passive cards (they do not carry any
source of energy) and they do not emit radiation of any kind.
Only the RF reader emits energy in the reading process, but it is a
tiny fraction of what a cellular phone emits and poses no health risk.

No. Contactless smart cards have no capabilities to provide physical
location information. They have an extremely limited range of
response and do not support any capabilities to identify physical
location (unlike the cellular phone system and global positioning
system (GPS) technology).

Contactless smart cards are a secure means of storing and carrying
information. In general, contactless smart cards are more secure
and more reliable, have higher data storage capacity, and have a
longer expected life than most of the other available options (e.g.,
magnetic stripe cards or tickets, paper documents). For example,
because of the high security, reliability and convenience of fast
transactions, all smart card applications in mass transportation are
implemented using contactless smart card technology.

Contactless smart card technology only works when a low power
radio frequency signal of 13.56 MHz is applied within a few inches
(centimeters) of the passport. The passport chip, having no
batteries or power source of its own, relies on getting its power from
the reader’s RF signal to operate. Contactless smart card technology
uses very complex microcontroller-based technology that has a
sophisticated operating system and many security techniques at its
disposal for ensuring the integrity, confidentiality and privacy of
information stored and transmitted. The contactless smart card
technology in the new passport uses ISO/IEC standards (ISO/IEC
7816-1, -2, -3, -4 and ISO/IEC 14443) to securely communicate
information in a random access manner, using defined protocols, to
external authenticated reading equipment. Contactless smart card
technology is capable of ensuring reading equipment is
authenticated as well as proving its own authenticity to the readers.
Communication between the contactless smart card chip and the
external reading equipment can be encrypted to counter
eavesdropping. Access to any information can also be protected by
personal identification number (PIN), password or biometric
authentication to counter skimming.

The minimum level of protection, as specified by the International Civil
Aviation Organization (ICAO), would allow the electronic data to be
read from the passport provided the reading device can get within
a few inches or centimeters (within about 4 inches or 10
centimeters) of the document and is able to maintain this position
for several seconds. Beyond this range, the ISO/IEC 14443-compliant
reader’s RF field is significantly reduced, making it unable
to power and communicate with the passport. To power the device
from a greater distance requires a very high power RF signal from a
non-compliant reader; the very large RF signal required for the
reader to power the device from a greater distance effectively
disables the reader from “hearing” the weak signal that is produced
by the card and that is required to establish normal communication
between the card and the reader. ICAO has specified additional
optional levels of security that could be implemented.

MICROPROCESSOR CARD AND COMBI/HYBRID CARD


Cards that contain two distinct places for data storage (with at least one of these
a chip) and each storage area with its own type of interface access are called
Hybrid cards.

Thus hybrid cards can contain both a magnetic stripe and a chip. These cards are
likely to continue using the magnetic stripe for routine banking and POS transactions
while also having the capability of introducing chip applications such as stored
value, secure database access or information storage. Other applications can be
added as they become available.

In the transportation industry, the term “hybrid card” has a different meaning than in
the payment sector. A transportation hybrid card contains both contact and contactless
capability. These cards have two independent chips and systems on one card. The
contact and contactless chips cannot communicate within the card.

Finally, a hybrid card can contain a contact chip and a laser strip. Laser strips use the
same technology as a CD-ROM and have a high memory capacity at a reasonable
cost. However, the read/write devices that support laser strip technology are
expensive and cards have a limited use, primarily for storage of personal medical
records.

Cards can be multi-technology, combining various different technologies that are
used for different purposes. For example, in the figure below, the chip can be
used for data storage, the magnetic stripe can be used for physical access
control, and the bar code can be used for property asset management.

A combi-card (sometimes known as a dual-interface card), on the other hand,
incorporates contact and contactless capability into a single chip. Contact and
contactless communications can interface with the same memory within the
card; hence a single processor supports multiple interfaces. The combi-card chip
is conceptualized in the following figure:

MULTI FUNCTION CARD


A card that contains several applications (or uses) is referred to as a
multi-application card. For example, a multi-application card may serve as a debit and
credit card and may also contain a file on the chip that allows the cardholder to
complete health insurance forms automatically, contain basic medical information
for use in emergency situations, serve as a means to track frequent flyer miles
and allow the cardholder access to a secure parking facility. It may perform these
functions through one type of interface (such as only through direct contact) or
may be a combi-card. In this example, it is evident that the card would have to
ultimately work within the parameters of an open system so that the card could
be used at many unrelated commercial endpoints.

Another example of a multi-application card is the campus card. A student uses
the card as a basic ID, to check out books from the library, and to decrement
value for the meal plan and campus vending machines. The student might also
use it for secure access to certain buildings and to the university’s computer
system. While this is also a multi-application card, it is equally evident that the card
need not operate in an open system, because this is a closed system
environment with primarily closed applications.

The figure below provides an overview of potential uses for
multi-application cards.

STANDARDS


• ISO - International Standards Organization
- ISO 7816-1 to ISO 7816-11

• FIPS (Federal Information Processing Standards)
- FIPS 140 (1-3)
- FIPS 201

• CEN (Comité Européen de Normalisation)


SECURITY

Data security mechanisms and their respective algorithms

• The system generates the symmetric session key to encrypt
the file.
• The system sends the session key and file.
• The smart card first encrypts the data using the key.
• The recipient decrypts the session key and file using the same
key.
• Here the shared key is used for both encryption and
decryption.


• The system generates the symmetric session key to encrypt
the file.
• The system then sends the session key and file.
• Here we use the double encryption method.
• In the encryption method, we first encrypt the file, then
decrypt it, then encrypt it again.
• In the decryption method, we first decrypt the file, then encrypt
it, then decrypt it again.


• Here the smart card locks the box with the public key
• The recipient unlocks the box using the private key
• It is widely used in e-commerce applications


Smart card uses

• Commercial Applications
- Financial applications
- Employee identification
- Ticketing
- Parking and toll collection
- Universities use smart cards for ID purposes and at the
library, vending machines, copy machines, and other
services on campus.

• Mobile Telecommunications
- SIM cards used on cell phones
- Over 300,000,000 GSM phones with smart cards
- Contains mobile phone security, subscription
information, and phone number on the network, billing
information, and frequently called numbers.

• Information Technology
- Secure logon and authentication of users to PCs and
networks
- Encryption of sensitive data

• Other Applications
- Over 4 million small dish TV satellite receivers in the US
use a smart card as their removable security element and
for subscription information.
- Pre-paid, reloadable telephone cards
- Health care: stores the history of a patient
- Fast ticketing in public transport, parking, and road
tolling in many countries
- e-log software uses smart card technology to
store information related to employee clock-in and
clock-out

Manufacturers of smart cards

• Advanced Card Systems Ltd (ACS)
• Axalto
• CardLogix
• Gemplus
• IBM
• ID TECH
• I'M Technologies
• Sharp
• Siemens
• Telesec
• PRISM
• TechCard


Smart about smart cards

In comparison to its predecessor, the magnetic stripe card, smart
cards have many advantages including:

• Life of a smart card is longer
• A single smart card can house multiple applications. Just one
card can be used as your license, passport, credit card, ATM
card, ID card, etc.
• Smart cards cannot be easily replicated and are, as a general
rule, much more secure than magnetic stripe cards
• Data on a smart card can be protected against unauthorized
viewing. As a result, confidential data, PINs and
passwords can be stored on a smart card. This means
merchants do not have to go online every time to
authenticate a transaction
• Chip is tamper-resistant
- information stored on the card can be PIN code and/or
read-write protected
- capable of performing encryption
- each smart card has its own, unique serial number
• Capable of processing, not just storing information
- smart cards can communicate with computing devices
through a smart card reader
- information and applications on a card can be updated
without having to issue new cards
• A smart card carries more information than can be
accommodated on a magnetic stripe card. It can make a
decision, as it has relatively powerful processing capabilities
that allow it to do more than a magnetic stripe card (e.g., data
encryption)

Disadvantages

+ NOT tamper proof
+ Can be lost/stolen
+ Lack of user mobility – only possible if user has smart card
reader everywhere he goes
+ Has to use the same reader technology
+ Can be expensive
+ Working from PC – software based token will be better
+ No benefits to using a token on multiple PCs to using a
smart card
+ Still working on bugs


Conclusion

Access           Information Assurance
Comfort          Confidentiality
Convenience      Integrity
Customization    Accountability
Independence     Availability
Privacy          Restoration
