Smart Card Overview

A smart card, typically a type of chip card, is a plastic card that contains an
embedded computer chip, either a memory or microprocessor type, that stores
and transacts data. This data is usually associated with either value, information,
or both and is stored and processed within the card's chip. The card data is
transacted via a reader that is part of a computing system. Systems that are
enhanced with smart cards are in use today throughout several key applications,
including healthcare, banking, entertainment, and transportation. All applications
can benefit from the added features and security that smart cards provide.
According to Eurosmart, worldwide smart card shipments will grow 10% in 2010
to 5.455 billion cards. Markets that have been traditionally served by other
machine readable card technologies, such as barcode and magnetic stripe, are
converting to smart cards as the calculated return on investment is revisited by
each card issuer year after year.

Applications

First introduced in Europe nearly three decades ago, smart cards debuted as a
stored value tool for payphones to reduce theft. As smart cards and other chip-
based cards advanced, people found new ways to use them, including charge
cards for credit purchases and for record keeping in place of paper.

In the U.S., consumers have been using chip cards for everything from visiting
libraries to buying groceries to attending movies, firmly integrating them into our
everyday lives. Several U.S. states have chip card programs in progress for
government applications ranging from the Department of Motor Vehicles to
Electronic Benefit Transfers (EBTs). Many industries have implemented the power
of smart cards in their products, such as the GSM digital cellular phones as well
as TV-satellite decoders.

Why Smart Cards

Smart cards improve the convenience and security of any transaction. They
provide tamper-proof storage of user and account identity. Smart card systems
have proven to be more reliable than other machine-readable cards, like
magnetic stripe and barcode, with many studies showing card read life and
reader life improvements demonstrating much lower cost of system
maintenance. Smart cards also provide vital components of system security for
the exchange of data throughout virtually any type of network. They protect
against a full range of security threats, from careless storage of user passwords
to sophisticated system hacks. The costs to manage password resets for an
organization or enterprise are very high, thus making smart cards a cost-
effective solution in these environments. Multifunction cards can also be used
to manage network system access and store value and other data. Worldwide,
people are now using smart cards for a wide variety of daily tasks, which include:

SIM Cards and Telecommunication

The most prominent application of smart card technology is in Subscriber
Identity Modules (SIM), required for all phone systems under the Global System
for Mobile Communication (GSM) standard. Each phone utilizes the unique
identifier, stored in the SIM, to manage the rights and privileges of each
subscriber on various networks. This use case represents over half of all smart
cards consumed each year. The Universal Subscriber Identity Module
(USIM) is also being used to bridge the identity gap as phones transition between
GSM, UMTS, and 3G network operators.

Loyalty and Stored Value

Another use of smart cards is stored value, particularly loyalty programs, that
track and provide incentives to repeat customers. Stored value is more
convenient and safer than cash. For issuers, float is realized on unspent balances
and residuals on balances that are never used.

For multi-chain retailers that administer loyalty programs across many different
businesses and POS systems, smart cards can centrally locate and track all data.
The applications are numerous, such as transportation, parking, laundry, gaming,
retail, and entertainment.

Securing Digital Content and Physical Assets

In addition to information security, smart cards can ensure greater security of
services and equipment by restricting access to only authorized user(s).

Information and entertainment are being delivered via satellite or cable to the
home DVR player, cable box, or cable-enabled PC. Home delivery of service
is encrypted and decrypted via the smart card per subscriber access. Digital
video broadcast systems have already adopted smart cards as electronic keys for
protection.

Smart cards can also act as keys to machine settings for sensitive laboratory
equipment and dispensers for drugs, tools, library cards, health club equipment,
etc. In some environments, smart-card-enabled SD and microSD cards are
protecting digital content as it is being delivered to mobile handsets/phones.

E-Commerce

Smart cards make it easy for consumers to securely store information and cash
for purchasing. The advantages they offer consumers are:

The card can carry personal account, credit and buying preference
information that can be accessed with a mouse click instead of filling out
forms.

Cards can manage and control expenditures with automatic limits and
reporting.
Internet loyalty programs can be deployed across multiple vendors with
disparate POS systems and the card acts as a secure central depository for
points or rewards.

Micro Payments - paying nominal costs without transaction fees associated
with credit cards, or for amounts too small for cash, like reprint charges.

Bank Issued Smart Cards

Around the globe, bank controlled co-ops (Visa, MasterCard, Discover, and
American Express) have rolled out millions of smart cards under
the EMV (Europay, MasterCard, VISA) standard. Often referred to as chip and
PIN cards, these are the de facto types of cards for bank issuance in most
countries except the U.S. As Canada has just recently started its regulatory shift
to EMV cards, the U.S. will be the sole island in North America that has not yet
made the adoption, which is being driven by the increased types of fraud with
both credit and debit cards. Smart cards have been proven to secure
transactions with regularity, so much so that the EMV standard has become the
norm.

As banks enter competition in newly opened markets such as investment
brokerages, they are securing transactions via smart cards at an increased rate.
This means:

Smart cards increase trust through improved security. Two-Factor
Authentication ensures protection of data and value across the internet.
Threats such as the "Man in the middle" and "Trojan Horses" that replay a
user name and password are eliminated.

This is improving customer service. Customers can use secure smart cards
for fast, 24-hour electronic funds transfers over the internet

Costs are reduced: transactions that normally would require a bank
employee's time and paperwork can be managed electronically by the
customer with a smart card
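The replay point made above can be shown in code. The following Python is an added example, not code from the original page or from any card vendor: it contrasts a static password, which a captured copy can be presented again, with a card-held secret used in a challenge-response exchange, where every login gets a fresh nonce and a captured response is useless afterwards. The user names, key bytes and the HMAC-SHA256 construction are assumptions made for this example.

```python
# Added example (not from the original page): a card-held secret used in
# challenge-response versus a static password. Names, keys and nonces are constructed.
import hashlib
import hmac
import secrets


class PasswordVerifier:
    """Static credential: the same bytes authenticate every time they are presented."""

    def __init__(self, users):
        # constructed users; a real system would use a salted, slow password hash
        self._hashes = {u: hashlib.sha256(p).digest() for u, p in users.items()}

    def login(self, user, password):
        stored = self._hashes.get(user)
        return stored is not None and hmac.compare_digest(
            stored, hashlib.sha256(password).digest())


class CardApplet:
    """Card side: the secret never leaves the chip; only a MAC over the challenge does."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ChallengeVerifier:
    """Server side: one fresh random nonce per login attempt, consumed on use."""

    def __init__(self, card_secrets):
        self._secrets = dict(card_secrets)   # user -> key shared with that user's card
        self._pending = {}                   # user -> outstanding nonce

    def challenge(self, user, nonce=None):
        nonce = nonce if nonce is not None else secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)   # single use: a replay finds no nonce
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_comparison():
    """Returns (password_replay_accepted, card_response_replay_accepted)."""
    pw = PasswordVerifier({"alice": b"correct horse"})   # constructed credential
    captured = b"correct horse"                           # what a keylogger would see
    password_replay = pw.login("alice", captured) and pw.login("alice", captured)

    secret = bytes(range(32))                             # constructed card key
    card = CardApplet(secret)
    srv = ChallengeVerifier({"alice": secret})
    captured_resp = card.respond(srv.challenge("alice"))  # observed on the wire
    assert srv.verify("alice", captured_resp)             # the genuine login succeeds
    srv.challenge("alice")                                # next session, fresh nonce
    card_replay = srv.verify("alice", captured_resp)      # old response no longer matches
    return password_replay, card_replay


if __name__ == "__main__":
    print("password replay accepted, card response replay accepted:", replay_comparison())
```

The server keeps only one outstanding nonce per user and discards it on the first verification attempt, so even a response captured in transit cannot be submitted twice; the card's key is never transmitted, which is the property the password scheme lacks.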

Healthcare Informatics

The explosion of health care data introduces new challenges in maintaining the
efficiency of patient care and privacy safeguards. Smart cards address both of
these challenges with secure, mobile storage and distribution of patient
information, from emergency data to benefits status. Many socialized countries
have already adopted smart cards as credentials for their health networks and
as a means of carrying an immediately retrievable Electronic Health Record
(EHR). Smart card benefits in healthcare include:

Rapid, accurate identification of patients; improved treatment

Reducing fraud through authentication of provider/patient visits and
insurance eligibility
A convenient way to carry data between systems or to sites without
systems

Reducing record maintenance costs

Embedded Medical Device Control

For years, embedded controllers have been in many types of machines,
governing the quality and precision of their function. In Healthcare, embedded
smart cards ensure the best and safest delivery of care in devices such as
dialysis machines, blood analyzers and laser eye surgery equipment.

Enterprise and Network Security

Microsoft Windows, Sun Microsystems (a subsidiary of Oracle Corporation) and
all new versions of Linux have built-in software hooks to deploy smart cards as a
replacement for user name and passwords. Microsoft has built a complete
credential platform around the Scard DLL and Crypto Service Provider (CSP).
With enterprises realizing that Public Key Infrastructure (PKI)-enhanced security
is what is needed for widely deployed employees, a smart card badge is the new
standard. Business-to-business Intranets and Virtual Private Networks (VPNs) are
enhanced by the use of smart cards. Users can be authenticated and authorized
to have access to specific information based on preset privileges. Additional
applications range from secure email to electronic commerce.

Physical Access

Businesses and universities of all types need simple identity cards for all
employees and students. Most of these individuals are also granted access to
certain data, equipment, and departments according to their status.
Multifunction, microprocessor-based smart cards incorporate identity with
access privileges and can also store value for use in various locations, such as
cafeterias and stores. Many hotels have also adopted ISO 7816 type card
readers to secure staff-only rooms and facilities.

All U.S. government agencies and many corporations have now incorporated a
contactless reader as an access point to their facilities. Some companies have
incorporated a biometric component to this credential as well. The older systems
deploy a simple proximity card system as the gatekeeper. But as the security
requirements have become stronger and the cost of ISO 14443 standard
systems has become lower, the world is rapidly adopting this new standard.
This market shift is partially driven by the US government's adoption of the
mandated Personal Identity Verification (PIV) standard. There is a rich ecosystem
of suppliers and integrators for this standard.

Types of Smart Cards

Smart cards are defined according to (1) how the card data is read and written and (2) the type
of chip implanted within the card and its capabilities. There is a wide range of options to choose
from when designing your system.

Card Construction
Almost all chip cards are built from layers of differing materials, or substrates, that when
brought together properly give the card a specific life and functionality. The typical card today
is made from PVC, Polyester or Polycarbonate. The card layers are printed first and then
laminated in a large press. The next step in construction is the blanking or die cutting. This is
followed by embedding a chip and then adding data to the card. In all, there may be up to 30
steps in constructing a card. The total components, including software and plastics, may be as
many as 12 separate items; all this in a unified package that appears to the user as a simple
device.
Contact Cards
These are the most common type of smart card. Electrical contacts located on the outside of
the card connect to a card reader when the card is inserted. This connector is bonded to the
encapsulated chip in the card.
Increased levels of processing power, flexibility and memory will add cost. Single function cards
are usually the most cost-effective solution. Choose the right type of smart card for your
application by determining your required level of security and evaluating cost versus
functionality in relation to the cost of the other hardware elements found in a typical workflow.
All of these variables should be weighed against the expected lifecycle of the card. On
average, the cards typically comprise only 10 to 15 percent of the total system cost, with the
infrastructure, issuance, software, readers, training and advertising making up the other 85
percent. The following chart demonstrates some general rules of thumb:

Card Function Trade-Offs

Memory Cards
Memory cards cannot manage files and have no processing power for data management. All
memory cards communicate to readers through synchronous protocols. In all memory cards
you read and write to a fixed address on the card. There are three primary types of memory
cards: Straight, Protected, and Stored Value. Before designing these cards into a proposed
system, the issuer should check whether the readers and/or terminals support the
communication protocols of the chip. Most contactless cards are variants on the protected
memory/segmented memory card idiom.

Straight Memory Cards

These cards just store data and have no data processing capabilities. Often made with I2C or
serial flash semiconductors, these cards were traditionally the lowest cost per bit for user
memory. This has now changed with the larger quantities of processors being built for the GSM
market. This has dramatically cut into the advantage of these types of devices. They should be
regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot
identify themselves to the reader, so your host system has to know what type of card is being
inserted into a reader. These cards are easily duplicated and cannot be tracked by on-card
identifiers.

Protected / Segmented Memory Cards

These cards have built-in logic to control the access to the memory of the card. Sometimes
referred to as Intelligent Memory cards, these devices can be set to write-protect some or all of
the memory array. Some of these cards can be configured to restrict access to both reading
and writing. This is usually done through a password or system key. Segmented memory cards
can be divided into logical sections for planned multi-functionality. These cards are not easily
duplicated but can possibly be impersonated by hackers. They typically can be tracked by an
on-card identifier.

Stored Value Memory Cards

These cards are designed for the specific purpose of storing value or tokens. The cards are
either disposable or rechargeable. Most cards of this type incorporate permanent security
measures at the point of manufacture. These measures can include password keys and logic
that are hard-coded into the chip by the manufacturer. The memory arrays on these devices
are set up as decrements or counters. There is little or no memory left for any other function.
For simple applications such as a telephone card, the chip has 60 or 12 memory cells, one for
each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the
memory units are used, the card becomes useless and is thrown away. This process can be
reversed in the case of rechargeable cards.

CPU/MPU Microprocessor Multifunction Cards

These cards have on-card dynamic data processing capabilities. Multifunction smart cards
allocate card memory into independent sections or files assigned to a specific function or
application. Within the card is a microprocessor or microcontroller chip that manages this
memory allocation and file access. This type of chip is similar to those found inside all personal
computers and when implanted in a smart card, manages data in organized file structures, via
a card operating system (COS). Unlike other operating systems, this software controls access
to the on-card user memory. This capability permits different and multiple functions and/or
different applications to reside on the card, allowing businesses to issue and maintain a
diversity of products through the card. One example of this is a debit card that also enables
building access on a college campus. Multifunction cards benefit issuers by enabling them to
market their products and services via state-of-the-art transaction and encryption technology.
Specifically, the technology enables secure identification of users and permits information
updates without replacement of the installed base of cards, simplifying program changes and
reducing costs. For the card user, multifunction means greater convenience and security, and
ultimately, consolidation of multiple cards down to a select few that serve many purposes.

There are many configurations of chips in this category, including chips that support
cryptographic Public Key Infrastructure (PKI) functions with on-board math co-processors
or JavaCard with virtual machine hardware blocks. As a rule of thumb, the more functions,
the higher the cost.

Contactless Cards
These are smart cards that employ a radio frequency (RFID) link between card and reader, without
physical insertion of the card. Instead, the card is passed along the exterior of the reader and
read. Types include proximity cards which are implemented as a read-only technology for
building access. These cards function with a very limited memory and communicate at 125
MHz. Another type of limited card is the Gen 2 UHF Card that operates at 860 MHz to 960
MHz.
True read and write contactless cards were first used in transportation applications for quick
decrementing and reloading of fare values where their lower security was not an issue. They
communicate at 13.56 MHz and conform to the ISO 14443 standard. These cards are often
protected memory types. They are also gaining popularity in retail stored value since they can
speed up transactions without lowering transaction processing revenues (i.e. Visa and
MasterCard), unlike traditional smart cards.

Variations of the ISO 14443 specification include A, B, and C, which specify chips from either
specific or various manufacturers: A = NXP (Philips), B = everybody else, and C = Sony-only chips.
Contactless card drawbacks include the limits of cryptographic functions and user memory
versus microprocessor cards, and the limited distance between card and reader required for
operation.

Multi-mode Communication Cards

These cards have multiple methods of communications, including ISO7816, ISO14443 and
UHF Gen 2. How the card is made determines if it is a Hybrid or Dual Interface card. The term
can also include cards that have a magnetic stripe and/or barcode as well.

Hybrid Cards
Hybrid cards have multiple chips in the same card. These are typically attached to each
interface separately, such as a MIFARE chip and antenna with a contact 7816 chip in the same
card.

Dual Interface Card

These cards have one chip controlling the communication interfaces. The chip may be
attached to the embedded antenna through a hard connection, inductive method or with a
flexible bump mechanism.

Multi-component Cards
These types of cards are for a specific market solution. For example, there are cards where the
fingerprint sensor is built on the card. Or one company has built a card that generates a one-
time password and displays the data for use with an online banking application. Vault cards
have rewriteable magnetic stripes. Each of these technologies is specific to a particular vendor
and is typically patented.

Smart Card Form Factors

The expected shape for cards is often referred to as CR80. Banking and ID cards are governed
by the ISO 7810 specification. But this shape is not the only form factor that cards are deployed
in. Specialty shaped cutouts of cards with modules and/or antennas are being used around the
world. The most common shape is the SIM. SD and microSD cards can now be deployed with
the strength of smart card chips. USB flash drive tokens are also available that leverage the
same technology of a card in a different form factor.

Integrated Circuits and Card Operating Systems

The two primary types of smart card operating systems are (1) fixed file structure and
(2) dynamic application system. As with all smartcard types, the selection of a card operating
system depends on the application that the card is intended for. The other defining difference
lies in the encryption capabilities of the operating system and the chip. The types of encryption
are Symmetric Key and Asymmetric Key (Public Key).

The chip selection for these functions is vast and supported by many semiconductor
manufacturers. What separates a smart card chip from other microcontrollers is often referred
to as trusted silicon. The device itself is designed to securely store data withstanding outside
electrical tampering or hacking. These additional security features include a long list of
mechanisms such as no test points, special protection metal masks and irregular layouts of the
silicon gate structures. The trusted silicon semiconductor vendor list below is current for 2010:

Atmel
EM Systems
Infineon
Microchip
NXP
Renesas Electronics
Samsung
Sharp
Sony
ST Microelectronics

Many of the features that users have come to expect, such as specific encryption algorithms,
have been incorporated into the hardware and software libraries of the chip architectures. This
can often result in a card manufacturer not future-proofing their design by having their card
operating systems only ported to a specific device. Care should be taken in choosing the card
vendor that can support your project over time as card operating system-only vendors come in
and out of the market. The tools and middleware that support card operating systems are as
important as the chip itself. The tools to implement your project should be easy to use and give
you the power to deploy your project rapidly.

Please see the security section on this website for more information regarding PKI.

Fixed File Structure Card Operating System

This type treats the card as a secure computing and storage device. Files and permissions are
set in advance by the issuer. These specific parameters are ideal and economical for a fixed
type of card structure and functions that will not change in the near future. Many secure stored
value and healthcare applications are utilizing this type of card. An example of this kind of card
is a low-cost employee multi-function badge or credential. Contrary to some biased articles,
cards of this style can be used very effectively with a stored biometric component and reader.
Globally, these types of microprocessor cards are the most common.

Dynamic Application Card Operating System

This type of operating system, which includes the JavaCard and proprietary MULTOS card
varieties, enables developers to build, test, and deploy different on card applications securely.
Because the card operating systems and applications are more separate, updates can be
made. An example card is a SIM card for mobile GSM where updates and security are
downloaded to the phone and dynamically changed. This type of card deployment assumes
that the applications in the field will change in a very short time frame, thus necessitating
dynamic expansion of the card as a computing platform. The costs to change
applications in the field are high, due to the ecosystem requirements of security for key
exchange with each credential. This is a variable that should be scrutinized carefully in the card
system design phase.

Smart Card Readers & Terminals

Readers and terminals operate with smart cards to obtain card information and perform a
transaction.

Generally, a reader interfaces with a PC for the majority of its processing requirements. A
terminal is a self-contained processing device. Both readers and terminals read and write to
smart cards.

Readers

Contact

This type of reader requires a physical connection to the card, made by inserting the card into
the reader. This is the most common reader type for applications such as ID and Stored Value.
Card-to-reader communication is often ISO 7816 T=0 only. This communication has the
advantage of direct coupling to the reader and is considered more secure. The other
advantage is speed. The typical speed negotiated through Protocol Type Selection (PTS, ISO
7816-3) can be up to 115 kilobaud. This interface enables larger data transport without the
overhead of anti-collision and wireless breakdown issues that result from the card moving in
and out of the reader antenna range.
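The PTS negotiation mentioned above works from the TA1 interface byte of the card's Answer To Reset (ATR). The following Python is an added example, not code from the original page or from any vendor SDK: it parses an ISO 7816-3 ATR into its interface and historical bytes, verifies the TCK checksum where one is present, and computes the bit rate implied by TA1 at the reference clock, so the 115 kilobaud figure can be checked. The Fi and Di tables are the ISO 7816-3 ones; the two ATRs in the demo are constructed for this example.

```python
# Added example (not from the original page): decode an ISO 7816-3 ATR and the
# TA1 byte whose Fi/Di values Protocol Type Selection (PTS) negotiates.
# The ATRs used below are constructed for this example.

# Clock-rate conversion integer Fi, indexed by the high nibble of TA1 (None = RFU)
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
# Baud-rate adjustment integer Di, indexed by the low nibble of TA1 (None = RFU)
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

# Clock at which the default TA1 (Fi=372, Di=1) gives exactly 9600 bit/s
DEFAULT_CLOCK_HZ = 3_571_200


def baud_from_ta1(ta1, clock_hz=DEFAULT_CLOCK_HZ):
    """Bit rate implied by a TA1 byte: f * Di / Fi (one etu lasts Fi/Di clock cycles)."""
    fi = FI_TABLE[ta1 >> 4]
    di = DI_TABLE[ta1 & 0x0F]
    if fi is None or di is None:
        raise ValueError("TA1 0x%02X uses a reserved Fi or Di code" % ta1)
    return clock_hz * di // fi


def parse_atr(atr):
    """Split an ATR into convention, interface bytes, historical bytes and TCK.

    Returns a dict with the offered protocols, TA1 (or None), the historical
    bytes and TCK; raises ValueError on a truncated ATR or a wrong checksum.
    """
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad or missing TS byte")
    info = {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "ta1": None, "protocols": [], "historical": b"", "tck": None}
    y = atr[1] >> 4                  # T0 high nibble: presence of TA1, TB1, TC1, TD1
    num_historical = atr[1] & 0x0F   # T0 low nibble: number of historical bytes
    pos, level = 2, 1
    while True:
        td = None
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                byte = atr[pos]
                pos += 1
                if name == "TA" and level == 1:
                    info["ta1"] = byte
                elif name == "TD":
                    td = byte
        if td is None:
            break
        info["protocols"].append(td & 0x0F)   # TDi low nibble: protocol type T
        y = td >> 4                           # TDi high nibble: next group's presence bits
        level += 1
    if not info["protocols"]:
        info["protocols"] = [0]               # no TD1 at all means T=0 only
    info["historical"] = atr[pos:pos + num_historical]
    if len(info["historical"]) != num_historical:
        raise ValueError("ATR truncated inside historical bytes")
    pos += num_historical
    # TCK is present unless T=0 is the only protocol offered; XOR of T0..TCK must be 0
    if any(p != 0 for p in info["protocols"]):
        if len(atr) != pos + 1:
            raise ValueError("TCK missing or trailing bytes after TCK")
        check = 0
        for b in atr[1:]:
            check ^= b
        if check != 0:
            raise ValueError("TCK checksum mismatch")
        info["tck"] = atr[pos]
    elif len(atr) != pos:
        raise ValueError("unexpected trailing bytes in ATR")
    return info


def atr_is_valid(atr):
    """True if parse_atr accepts the ATR, False if it is malformed."""
    try:
        parse_atr(atr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed ATR: TA1=0x18 (Fi=372, Di=12), T=0 only, historical bytes 'ABC'
    fast = parse_atr(bytes.fromhex("3B 13 18 41 42 43"))
    print(fast, baud_from_ta1(fast["ta1"]), "bit/s at 3.5712 MHz")
    # Constructed ATR offering T=0 and T=1, so a TCK byte closes it
    dual = parse_atr(bytes.fromhex("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A"))
    print(dual["protocols"], hex(dual["tck"]))
```

With the default 3.5712 MHz clock, TA1 = 0x11 gives 9600 bit/s and TA1 = 0x18 (Fi = 372, Di = 12) gives 115200 bit/s, which is the "115 kilobaud" ceiling quoted above; a reader that does not perform PTS stays at the 9600 default regardless of what the card offers.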

Contactless

This type of reader works with a radio frequency that communicates when the card comes
close to the reader. Many contactless readers are designed specifically for Payment, Physical
Access Control and Transportation applications. The dominant protocol under ISO 14443 is
MIFARE, followed by the EMV standards.

Interface

A contact reader is primarily defined by the method of its interface to a PC. These methods
include RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared
IrDA ports, and keyboards and keyboard wedge readers. Some readers support more than one
type of card, such as the tri-mode insert readers from MagTek. These readers support magnetic
stripe, contact, and contactless read operations all in one device.

Reader & Terminal to Card Communication

All cards and readers that follow ISO 7816-3 standards have a standardized set of commands
that enable communication for CPU cards.

These commands, called APDUs (Application Protocol Data Units) can be executed at a very
low level, or they can be scripted into APIs which enable the user to send commands from an
application to a reader.

The reader forwards the command to the card, and the card returns its response to the request.

From a technical perspective, the key is the APIs that are chosen. These layers of software can
enable effective application communication with smart cards and readers from more than one
manufacturer. Most terminal SDKs come with a customized API for that platform. They are
typically in some form of C, C++ or C# and will have the header files included. Many smart
card readers have specific drivers/APIs for memory cards. For ISO7816 processor cards the
PC/SC interface is often employed, but it has limitations. This is especially important if you
have both memory and microprocessor cards that are used in the same system. Some
APIs give the software designer the ability to select readers from multiple vendors.

The following are some of the function calls provided for transporting APDUs and their
functions:

Reader Select
Reader Connect
Reader Disconnect
Card Connect
Card Disconnect
Proprietary Commands for specific readers and cards
Allow ISO Commands to be passed to cards using standard ISO format
Allow ISO Commands to be sent to cards using a simplified or shortcut format (As in the
CardLogix Winplex API)
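The APDU layer that these calls wrap can be exercised without a reader. The following Python is an added example, not code from the original page or from the CardLogix API: it encodes and decodes short-length command and response APDUs, maps status words to text, and runs them against a small simulated fixed-file card that implements SELECT, VERIFY and READ BINARY with a PIN retry counter, so the "security status not satisfied" and "retries left" outcomes can be seen. The file identifiers, contents, PIN and status-word choices of the simulated card are assumptions made for this example; SimCard.transmit stands in for whatever transmit call a real reader API provides.

```python
# Added example (not from the original page): build/parse ISO 7816-4 APDUs and run
# them against a simulated fixed-file card. Files, PIN and status words are constructed.
import hmac

SW_TEXT = {
    0x9000: "success",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6983: "authentication method blocked (PIN retry counter exhausted)",
    0x6986: "command not allowed (no current EF selected)",
    0x6A82: "file or application not found",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-length command APDU (ISO 7816-4 cases 1 to 4)."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data      # Lc followed by the data field
    if le is not None:
        apdu += bytes([le & 0xFF])             # Le; 0x00 means 'up to 256 bytes'
    return apdu


def split_apdu(apdu):
    """Inverse of build_apdu: returns (cla, ins, p1, p2, data, le)."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if not body:                               # case 1: header only
        return cla, ins, p1, p2, b"", None
    if len(body) == 1:                         # case 2: Le only
        return cla, ins, p1, p2, b"", body[0]
    lc = body[0]                               # case 3/4: Lc, data, optional Le
    data, rest = body[1:1 + lc], body[1 + lc:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc does not match the data field length")
    return cla, ins, p1, p2, data, (rest[0] if rest else None)


def parse_response(resp):
    """Split a response APDU into (data, sw) with sw = SW1 << 8 | SW2."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def describe_sw(sw):
    if (sw & 0xFFF0) == 0x63C0:                # 63 Cx: verification failed, x tries left
        return "verification failed, %d retries left" % (sw & 0x0F)
    return SW_TEXT.get(sw, "unknown status 0x%04X" % sw)


class SimCard:
    """Tiny fixed-file card: SELECT by file id (A4), VERIFY PIN (20), READ BINARY (B0)."""

    def __init__(self):
        # constructed sample files: file id -> (contents, requires verified PIN)
        self.files = {0x0001: (b"PUBLIC-CARD-ID-0042", False),
                      0x0002: (b"ACCOUNT=12345678;LIMIT=500", True)}
        self._pin, self._retries = b"1234", 3   # constructed PIN and retry limit
        self._verified, self._selected = False, None

    def transmit(self, apdu):
        cla, ins, p1, p2, data, le = split_apdu(apdu)
        if cla != 0x00:
            return bytes([0x6E, 0x00])
        if ins == 0xA4:                          # SELECT by 2-byte file identifier
            fid = int.from_bytes(data, "big") if len(data) == 2 else None
            if fid not in self.files:
                return bytes([0x6A, 0x82])
            self._selected = fid
            return bytes([0x90, 0x00])
        if ins == 0x20:                          # VERIFY: decrement retries on failure
            if self._retries == 0:
                return bytes([0x69, 0x83])
            if hmac.compare_digest(data, self._pin):
                self._verified, self._retries = True, 3
                return bytes([0x90, 0x00])
            self._retries -= 1
            return bytes([0x63, 0xC0 | self._retries])
        if ins == 0xB0:                          # READ BINARY: offset in P1P2, length in Le
            if self._selected is None:
                return bytes([0x69, 0x86])
            contents, needs_pin = self.files[self._selected]
            if needs_pin and not self._verified:
                return bytes([0x69, 0x82])
            offset = (p1 << 8) | p2
            count = 256 if le in (None, 0) else le
            return contents[offset:offset + count] + bytes([0x90, 0x00])
        return bytes([0x6D, 0x00])


if __name__ == "__main__":
    card = SimCard()
    for apdu in (build_apdu(0x00, 0xA4, 0x00, 0x00, b"\x00\x02"),   # SELECT protected file
                 build_apdu(0x00, 0xB0, 0x00, 0x00, le=0),          # READ before VERIFY
                 build_apdu(0x00, 0x20, 0x00, 0x80, b"0000"),       # wrong PIN
                 build_apdu(0x00, 0x20, 0x00, 0x80, b"1234"),       # right PIN
                 build_apdu(0x00, 0xB0, 0x00, 0x08, le=8)):         # READ 8 bytes at offset 8
        data, sw = parse_response(card.transmit(apdu))
        print(apdu.hex(), "->", data, describe_sw(sw))
```

The same build_apdu/parse_response pair is what a vendor API's "pass ISO commands in standard format" call does for you; with a real reader only SimCard.transmit changes. The retry counter in the 63 Cx status word is why host software should stop after a failed VERIFY rather than retrying blindly: the card blocks the PIN (69 83) once the counter reaches zero.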

Applications Development

The development of PC applications for readers has been simplified by the Personal
Computer/Smart Card (PC/SC) standard. This standard is supported by all major operating
systems. The problem with the PC/SC method is that it does not support all of the reader
functions offered by each manufacturer, such as LED control and card latching/locking. When
just using the drivers for each reader manufacturer, there is no connection to the functions of
the card.

The better choice is Application Programming Interfaces (APIs) that are part of readily
available Software Development Kits (SDKs) that support specific manufacturers' card families.
Check these kits for the variety of reader manufacturers supported. M.O.S.T. and Smart Toolz
from CardLogix are good examples of well rounded Smart Card SDKs.

Terminals
Unlike readers, terminals are more similar to a self-contained PC, with most featuring operating
systems and development tools. Terminals are often specific to the use case, such as Security,
health informatics or POS (Point of sale). Connectivity in the terminals is typically via
Transmission Control Protocol/Internet Protocol (TCP/IP) or a GSM network. Many terminals
today feature regular OSs, making deployment easier, such as Datastrip with Windows CE or
Exadigm with Linux.

Smart Card Standards

Primarily, smart card standards govern physical properties, communication characteristics, and
application identifiers of the embedded chip and data. Almost all standards refer to the ISO
7816-1,2 & 3 as a base reference.

International Organization for Standardization (ISO)

The ISO facilitates the creation of voluntary standards through a process that is open to all
parties. ISO 7816 is the international standard for integrated-circuit cards (commonly known as
smart cards) that use electrical contacts on the card, as well as cards that communicate with
readers and terminals without contacts, as with radio frequency (RF/Contactless) technology.
Anyone interested in obtaining a technical understanding of smart cards needs to become
familiar with what ISO 7816 and 14443 do NOT cover as well as what they do. Copies of
these standards can be purchased through the American National Standards
Institute (ANSI). Copies of ISO standards are for sale on the ISO website.

Application-specific properties are being debated, with many large organizations and groups
proposing their standards. Open system card interoperability should apply at several levels: (1)
the card itself, (2) the card's access terminals (readers), (3) the networks and (4) the card
issuers' own systems. Open system card interoperability will only be achieved by conformance
to international standards.

This site's sponsors are committed to compliance with ISO and ITSEC security standards as
well as industry initiatives such as EMV, MULTOS, the Global Platform, the Open Card
Framework and PC/SC specifications.

The following standards, and the organizations that maintain them, are the most prevalent in
the smart card industry:

ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards.
The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC
15693 and ISO/IEC 7501.

ISO/IEC 7816

ISO/IEC 7816 is a multi-part international standard broken into fourteen parts. ISO/IEC 7816
Parts 1, 2 and 3 deal only with contact smart cards and define the various aspects of the card
and its interfaces, including the card's physical dimensions, the electrical interface and the
communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 are relevant to all
types of smart cards (contact as well as contactless). They define the card logical structure
(files and data elements), various commands used by the application programming interface for
basic use, application management, biometric verification, cryptographic services and
application naming. ISO/IEC 7816 Part 10 is used by memory cards for applications such as
pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7 defines a secure
relational database approach for smart cards based on the SQL interfaces (SCQL).

ISO/IEC 14443

ISO/IEC 14443 is an international standard that defines the interfaces to a "close proximity"
contactless smart card, including the radio frequency (RF) interface, the electrical interface,
and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate
at 13.56 MHz and have an operational range of up to 10 centimeters (3.94 inches). ISO/IEC
14443 is the primary contactless smart card standard being used for transit, financial, and
access control applications. It is also used in electronic passports and in the FIPS 201 PIV
card.

ISO/IEC 15693

ISO/IEC 15693 describes standards for "vicinity" cards. Specifically, it establishes standards for
the physical characteristics, radio frequency power and signal interface, and anti-collision and
transmission protocol for vicinity cards that operate to a maximum of 1 meter (approximately
3.3 feet).

ISO/IEC 7501 describes standards for machine-readable travel documents and has made a
clear recommendation on smart card topology.

International Civil Aviation Organization (ICAO)

ICAO issues guidance on the standardization and specifications for Machine Readable Travel
Documents (MRTD) such as passports, visas, and travel documents. ICAO has published the
specification for electronic passports using a contactless smart chip to securely store traveler
data.

Federal Information Processing Standards (FIPS)

FIPS are developed by the Computer Security Division within the National Institute of Standards
and Technology (NIST) and are designed to protect federal assets, including
computer and telecommunications systems. The following FIPS standards apply to smart card
technology and pertain to digital signature standards, advanced encryption standards, and
security requirements for cryptographic modules.

FIPS 140 (1-3)

The security requirements contained in FIPS 140 (1-3) pertain to areas related to the secure
design and implementation of a cryptographic module, specifically: cryptographic module
specification; cryptographic module ports and interfaces; roles, services, and authentication;
finite state model; physical security; operational environment; cryptographic key management;
electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design
assurance; and mitigation of other attacks.

FIPS 201

This specification covers all aspects of multifunction cards used in identity management
systems throughout the U.S. government.

Europay, MasterCard, and Visa (EMV)

Europay, MasterCard, and Visa formed EMV Company, LLC and created the "Integrated Circuit
Card Specifications for Payment Systems". These specifications are related to ISO7816 and
create a common technical basis for card and system implementation of a stored value system.
Integrated Circuit Card Specifications for Payment Systems can be obtained from a Visa,
MasterCard or Europay member bank.

PC/SC
PC/SC is a globally implemented standard for cards and readers. This
standard only applies to CPU contact cards. Version 2.0 also dictates PIN pad to card
communications. Apple, Oracle-Sun, Linux and Microsoft all support this standard.

Microsoft has built PC/SC into their smart card services as a framework that supports many
security mechanisms for cards and systems. PC/SC is now a fairly common middleware
interface for PC logon applications. The standard is a highly abstracted set of middleware
components that allow for the most common reader card interactions.

Comité Européen de Normalisation (CEN) and European Telecommunications Standards Institute (ETSI)
CEN and ETSI focus on telecommunications, as with the GSM SIM for cellular telephones.
Relevant specifications include GSM 11.11 and ETSI300045. CEN can be contacted at Rue de Stassart, 36 B-1050 Brussels,
Belgium, attention to the Central Secretariat.

The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA adopts national standards for implementing a secure electronic health transaction
system in the U.S. Example transactions affected by this include claims, enrollment, eligibility,
payment and coordination of benefits. Smart cards are governed by the requirements of HIPAA
pertaining to data security and patient privacy.

IC Communications Standards
The IC Communications Standards existed for non-volatile memories before the chips were
adopted for smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.

Global System for Mobile Communication (GSM)

The GSM standard is dominant in the cell phone industry and uses smart cards called
Subscriber Identification Modules (SIMs) that are configured with information essential to
authenticating a GSM-compliant mobile phone, thus allowing a phone to receive service
whenever the phone is within coverage of a suitable network. This standard is managed by the
European Telecommunication Standards Institute. The two most common standards for cards
are 11.11 and 11.14.

OpenCard™ Framework
The OpenCard™ framework is an obsolete standard. The following data is for informative
purposes only.

The OpenCard framework was a set of guidelines announced by IBM, Netscape, NCI, and Sun
Microsystems for integrating smart cards with network computers. The guidelines were based
on open standards and provided an architecture and a set of application program interfaces
(APIs) that enable application developers and service providers to build and deploy smart card
solutions on any OpenCard-compliant network computer. Through the use of a smart card, an
OpenCard-compliant system should have enabled access to personalized data and services
from any network computer and dynamically download from the Internet all device drivers that
are necessary to communicate with the smart card. By providing a high-level interface which
can support multiple smart card types, the OpenCard Framework was intended to enable
vendor-independent card interoperability. The system incorporated Public Key Cryptography
Standard (PKCS) #11 and was supposed to be expandable to include other public key
mechanisms.

GlobalPlatform (GP)
GlobalPlatform is an international, non-profit association. Its mission is to establish, maintain
and drive adoption of standards to enable an open and interoperable infrastructure for smart
cards, devices and systems that simplifies and accelerates development, deployment and
management of applications across industries. The GP standard has been adopted by virtually
all the banks worldwide for JavaCard-based loading of cryptographic data. The standard
establishes mechanisms and policies that enable secure channel communications with a
credential.

Common Criteria (CC)

Common Criteria is an internationally approved security evaluation framework providing a clear
and reliable evaluation of the security capabilities of IT products, including secure ICs, smart
card operating systems, and application software. CC provides an independent assessment of
a product's ability to meet security standards. Security-conscious customers, such as national
governments, are increasingly requiring CC certification in making purchasing decisions. Since
the requirements for certification are clearly established, vendors can target very specific
security needs while providing broad product offerings.

Biometric Standards
Many new secure ID system implementations are using both biometrics and smart cards to
improve the security and privacy of an ID system.

ANSI-INCITS 358-2002

ANSI-INCITS 358-2002, BioAPI Specification (ISO/IEC 19784-1). BioAPI is intended to
provide a high-level generic biometric authentication model, one suited for any form of biometric
technology. It covers the basic functions of enrollment, verification, and identification, and
includes a database interface to allow a biometric service provider (BSP) to manage the
technology device and identification population for optimum performance. It also provides
primitives that allow the application to separately manage the capture of samples on a client
workstation, and the enrollment, verification, and identification functions on a server. The
BioAPI framework has been ported to Win32, Linux, UNIX, and WinCE. Note that BioAPI is not
optimum for a microcontroller environment such as might be embedded within a door access
control reader unit or within a smart card processor. BioAPI is more suitable when there is a
general-purpose computer available.

ANSI-INCITS 398

ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) (ISO/IEC
19785-1). The Common Biometric Exchange Formats Framework (CBEFF) describes a set of
data elements necessary to support biometric technologies and exchange data in a common
way. These data can be placed in a single file used to exchange biometric information between
different system components or between systems. The result promotes interoperability of
biometric-based application programs and systems developed by different vendors by allowing
biometric data interchange. This specification is a revised (and augmented) version of the
original CBEFF, the Common Biometric Exchange File Format, originally published as NISTIR
6529.

ANSI-INCITS
ANSI-INCITS Biometric Data Format Interchange Standards. ANSI-INCITS has created a
series of standards specifying the interchange format for the exchange of biometric data.
These standards specify a data record interchange format for storing, recording, and
transmitting the information from a biometric sample within a CBEFF data structure. The ANSI-
INCITS published data interchange standards are shown below. There are ISO equivalents to
each standard listed here.

ANSI-INCITS 377-2004 - Finger Pattern Based Interchange Format
ANSI-INCITS 378-2004 - Finger Minutiae Format for Data Interchange
ANSI-INCITS 379-2004 - Iris Interchange Format
ANSI-INCITS 381-2004 - Finger Image Based Interchange Format
ANSI-INCITS 385-2004 - Face Recognition Format for Data Interchange
ANSI-INCITS 395-2005 - Signature/Sign Image Based Interchange Format
ANSI-INCITS 396-2004 - Hand Geometry Interchange Format

ISO/IEC 19794

ISO/IEC 19794 series on biometric data interchange formats. Part 1 is the framework, Part 2
defines the finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4 defines
the finger image data, Part 5 defines the face image data, Part 6 defines the iris image data,
and still in development, Part 7 will define the signature/sign time series data, Part 8 will define
the finger pattern skeletal data and Part 8 will define the vascular image data.

Smart Card Planning & Deployment

Smart card system design requires advance planning to be successful and to avoid problems.
It is highly recommended that you graphically diagram the flow of information for your new
system. The first question to consider is 'will the card and system transact information, or value,
or both?' If it stores keys or value (e.g., gift certificates or sports tickets), greater design detail is
required than in data-only systems. When you combine information types on a single card,
other issues arise. The key to success is not to overrun the system with features that can
confuse users and cause problems in management. It is recommended that you phase-in each
feature set as each one is working. To properly implement a functional smart card system, you
should be able to answer the following questions.

NOTE: These are only general guidelines, provided as a basis for your individual planning.
Many other steps may be involved and are not mentioned here. For more extensive planning
information regarding identity management and national IDs we recommend that you review
the GSA Smart Card Handbook.

Basic Setup
1. Is there a clear business case, including financial and consumer behavior factors?
2. Will the system be single or multi-application?
3. What type of information do I want to store in the cards (i.e., data or value)?
4. How much memory is required for each application?
5. If multi-application, how will I separate different types of data?
6. Will card data be obtained from a database? Or loaded every time?
7. Will this data concurrently reside on a database?
8. How many cards will be needed?
9. Are card/infrastructure vendors identified? What are the lead times?

Security Planning
1. What are the security requirements?
2. Does all, or only some, of the data need to be secure?
3. Who will have access to this information?
4. Who will be allowed to change this information?
5. In what manner shall I secure this data (e.g., encryption, host passwords, card
passwords/PINs, or all of these)?
6. Should the keys/PINs be customer or system-activated?
7. What form of version control do I want?

Value Applications
1. Should the value in the cards be re-loadable or will the cards be disposable?
2. How will I distribute the cards?
3. How will cards be activated and loaded with value?
4. What type of card traceability should I implement?
5. What is the minimum and maximum value to store on each card?
6. Will there be a refund policy?

General Issuance
1. How many types of artwork will be included in the issuance?
2. Who will do the artwork?
3. What is needed on the card? For example signature panels, magnetic stripe, embossing
etc.

Multi-Application Card Systems
It is highly recommended that you graphically diagram the flow of information as shown below.


Large distributed multifunction systems require lots of advance planning to make them
effective. Smart cards often act as the glue between disparate software applications and use
cases. Below is an example of a multifunction card that is issued by a large enterprise or
government. In the diagram, each CD represents a separate and distinct software application that
interacts with the data and services from the card.

The critical first step in this type of planning is to understand the data requirements on the card
as it relates to each disparate software application that your project will deploy.

Building a smart card system that stores value (e.g., gift certificates, show tickets, redemption
points or cash equivalents) requires an attention to detail not necessary in other information
management systems. The most important detail of a successful stored value card is that the
card and program are perceived by users as being compelling, justifying the switch from other
payment options.

User information and system wide training should be part of your budget. It is recommended
that you phase-in each feature set after the first one is working. Here is a list of some questions
that are pertinent to these systems in addition to the above questions.

Deployment
As the minimum steps in deploying a stored value or multi-application system, establish clear
achievable program objectives:

1. Make sure the organization has a stake in the project's success and that management
buys into the project
2. Set a budget
3. Name a project manager
4. Assemble a project team and create a team vision
5. Graphically create an information - card and funds-flow diagram
6. Assess the card and reader options
7. Write a detailed specification for the system
8. Set a realistic schedule with inch-stones and mile-stones
9. Establish the security parameters for both people and the system
10. Phase-in each system element, testing as you deploy
11. Reassess for security leaks
12. Deploy the first phase of cards and test, test
13. Train the key employees responsible for each area
14. Set up a system user manual
15. Check the reporting structures
16. Have contingency plans should problems arise
17. Deploy and announce
18. Advertise and market your system

Smart Card Security

Smart cards provide computing and business systems the enormous benefit of portable and
secure storage of data and value. At the same time, the integration of smart cards into your
system introduces its own security management issues, as people access card data far and
wide in a variety of applications.

The following is a basic discussion of system security and smart cards, designed to familiarize
you with the terminology and concepts you need in order to start your security planning.

What Is Security?
Security is basically the protection of something valuable to ensure that it is not stolen, lost, or
altered. The term "data security" governs an extremely wide range of applications and touches
everyone's daily life. Concerns over data security are at an all-time high, due to the rapid
advancement of technology into virtually every transaction, from parking meters to national
defense.
Data is created, updated, exchanged and stored via networks. A network is any computing
system where users are highly interactive and interdependent and by definition, not all in the
same physical place. In any network, diversity abounds, certainly in terms of types of data, but
also types of users. For that reason, a system of security is essential to maintain computing
and network functions, keep sensitive data secret, or simply maintain worker safety. Any one
company might provide an example of these multiple security concerns. Take, for instance, a
pharmaceutical manufacturer:

Type of Data
  Drug Formula
  Accounting, Regulatory
  Personnel Files
  Employee ID
  Facilities
  Building safety, emergency response

What Is Information Security?

Information security is the application of measures to ensure the safety and privacy of data by
managing its storage and distribution. Information security has both technical and social
implications. The first simply deals with the 'how' and 'how much' question of applying secure
measures at a reasonable cost. The second grapples with issues of individual freedom, public
concerns, legal standards and how the need for privacy intersects them. This discussion
covers a range of options open to business managers, system planners and programmers that
will contribute to your ultimate security strategy. The eventual choice rests with the system
designer and issuer.

The Elements of Data Security

In implementing a security system, all data networks deal with the following main elements:

1. Hardware, including servers, redundant mass storage devices, communication channels
and lines, hardware tokens (smart cards) and remotely located devices (e.g., thin
clients or Internet appliances) serving as interfaces between users and computers
2. Software, including operating systems, database management systems, communication
and security application programs
3. Data, including databases containing customer-related information
4. Personnel, to act as originators and/or users of the data; professional personnel, clerical
staff, administrative personnel, and computer staff

The Mechanisms of Data Security
Working with the above elements, an effective data security system works with the following
key mechanisms to answer:

1. Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was
not lost or corrupted when it was sent to you
2. Is The Data Correct And Does It Come From The Right Person? (Authentication) This
proves user or system identities
3. Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender? (Non-
Repudiation)
4. Can I Keep This Data Private? (Confidentiality) - Ensures only senders and receivers
access the data. This is typically done by employing one or more encryption techniques to
secure your data
5. Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can set
and manage access privileges for additional users and groups
6. Can I Verify That The System Is Working? (Auditing and Logging) Provides a
constant monitor and troubleshooting of security system function
7. Can I Actively Manage The System? (Management) Allows administration of your
security system

Smart Card Security, Part 2

Data Integrity
This is the function that verifies the characteristics of a document and a transaction.
Characteristics of both are inspected and confirmed for content and correct authorization. Data
Integrity is achieved with electronic cryptography that assigns a unique identity to data like a
fingerprint. Any attempt to change this identity signals the change and flags any tampering.

Authentication
This inspects, then confirms, the proper identity of people involved in a transaction of data or
value. In authentication systems, authentication is measured by assessing the mechanism's
strength and how many factors are used to confirm the identity. In a PKI system a Digital
Signature verifies data at its origination by producing an identity that can be mutually verified by
all parties involved in the transaction. A cryptographic hash algorithm produces a Digital
Signature.

Non-Repudiation
This eliminates the possibility of a transaction being repudiated, or invalidated by incorporating
a Digital Signature that a third party can verify as correct. Similar in concept to registered mail,
the recipient of data re-hashes it, verifies the Digital Signature, and compares the two to see
that they match.

Authorization and Delegation

Authorization is the process of allowing access to specific data within a system. Delegation is
the utilization of a third party (Certificate Authorities) to manage and certify each of the users of
your system.

Authorization and Trust Model

[Diagram: Authorization and Trust Model]

Auditing and Logging

This is the independent examination and recording of records and activities to ensure
compliance with established controls, policy, and operational procedures, and to recommend
any indicated changes in controls, policy, or procedures.

Management
Management is the oversight and design of the elements and mechanisms discussed above and
below. Card management also requires the management of card issuance, replacement and
retirement as well as policies that govern a system.

Cryptography / Confidentiality
Confidentiality is the use of encryption to protect information from unauthorized disclosure.
Plain text is turned into cipher text via an algorithm, then decrypted back into plain text using
the same method.

Cryptography is the method of converting data from a human readable form to a modified form,
and then back to its original readable form, to make unauthorized access difficult. Cryptography
is used in the following ways:

Ensures data privacy, by encrypting data
Ensures data integrity, by recognizing if data has been manipulated in an unauthorized
way
Ensures data uniqueness by checking that data is "original", and not a "copy" of the
"original". The sender attaches a unique identifier to the "original" data. This unique
identifier is then checked by the receiver of the data.

The original data may be in a human-readable form, such as a text file, or it may be in a
computer-readable form, such as a database, spreadsheet or graphics file. The original data is
called unencrypted data or plain text. The modified data is called encrypted data or cipher text.
The process of converting the unencrypted data is called encryption. The process of converting
encrypted data to unencrypted data is called decryption.

Data Security Mechanisms and their Respective Algorithms

[Diagram: Data Security Mechanisms and their Respective Algorithms]

In order to convert the data, you need to have an encryption algorithm and a key. If the same
key is used for both encryption and decryption that key is called a secret key and the algorithm
is called a symmetric algorithm. The most well-known symmetric algorithm is DES (Data
Encryption Standard).
The Data Encryption Standard (DES) was invented by the IBM Corporation in the 1970's.
During the process of becoming a standard algorithm, it was modified according to
recommendations from the National Security Agency (NSA). The algorithm has been studied
by cryptographers for nearly 20 years. During this time, no methods have been published that
describe a way to break the algorithm, except for brute-force techniques. DES has a 56-bit key,
which offers 2^56 or 7 x 10^16 possible variations. There are a very small number of weak keys,
but it is easy to test for these keys and they are easy to avoid.

Triple-DES is a method of using DES to provide additional security. Triple-DES can be done
with two or with three keys. Since the algorithm performs an encrypt-decrypt-encrypt sequence,
this is sometimes called the EDE mode. This diagram shows Triple-DES three-key mode used
for encryption:

If different keys are used for encryption and decryption, the algorithm is called an asymmetric
algorithm. The most well-known asymmetric algorithm is RSA, named after its three inventors
(Rivest, Shamir, and Adleman). This algorithm uses two keys, called the public key and the private key. These
keys are mathematically linked. Here is a diagram that illustrates an asymmetric algorithm:
Asymmetric algorithms involve extremely complex mathematics typically involving the factoring
of large prime numbers. Asymmetric algorithms are typically stronger than a short key length
symmetric algorithm. But because of their complexity they are used in signing a message or a
certificate. They are not ordinarily used for data transmission encryption.

Smart Card Security, Part 3

As the card issuer, you must define all of the parameters for card and data security. There are
two methods of using cards for data system security, host-based and card-based. The safest
systems employ both methodologies.

Host-Based System Security

A host-based system treats a card as a simple data carrier. Because of this, straight memory
cards can be used very cost-effectively for many systems. All protection of the data is done
from the host computer. The card data may be encrypted but the transmission to the host can
be vulnerable to attack. A common method of increasing the security is to write in the clear (not
encrypted) a key that usually contains a date and/or time along with a secret reference to a set
of keys on the host. Each time the card is re-written the host can write a reference to the keys.
This way each transmission is different. But parts of the keys are in the clear for hackers to
analyze. This security can be increased by the use of smart memory cards that employ a
password mechanism to prevent unauthorized reading of the data. Unfortunately the
passwords can be sniffed in the clear. Access is then possible to the main memory. These
methodologies are often used when a network can batch up the data regularly and compare
values and card usage and generate a problem card list.
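An added example, not code from the document, of the host-based scheme just described: the host writes a key reference and a write counter to the memory card in the clear, keeps the key set itself, and a batch audit compares card dumps against its ledger to produce the problem card list. The master secret, card ids and balances are constructed, and the card data is integrity-protected here but not encrypted.

```python
"""Host-based protection of a plain memory card (added example).

Constructed illustration, not code from the document: the host derives the
MAC key for each record from a master secret and a key reference written to
the card in the clear (with a write counter playing the role of the date/time
field), and a batch audit compares card contents with the host ledger to build
a problem card list. All secrets, ids and balances are constructed samples.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

TAG_LEN = 16

# Record layout on the card; every field except the tag is readable in the clear:
#   card_id (8 bytes) | key_ref (2) | counter (4) | balance (4) | tag (16)
HEADER = struct.Struct(">8sHII")
RECORD_LEN = HEADER.size + TAG_LEN


def derive_key(master: bytes, key_ref: int) -> bytes:
    """Select the record key from the host key set named by the cleartext key_ref."""
    return hmac.new(master, b"card-record-key" + key_ref.to_bytes(2, "big"),
                    hashlib.sha256).digest()


def write_record(master: bytes, card_id: bytes, key_ref: int,
                 counter: int, balance: int) -> bytes:
    """Host side: produce the bytes written to the card on each update."""
    header = HEADER.pack(card_id, key_ref, counter, balance)
    tag = hmac.new(derive_key(master, key_ref), header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


def read_record(master: bytes, record: bytes) -> Tuple[bytes, int, int, int, bool]:
    """Return (card_id, key_ref, counter, balance, tag_ok); fields are untrusted when tag_ok is False."""
    if len(record) != RECORD_LEN:
        raise ValueError("bad record length")
    header, tag = record[:HEADER.size], record[HEADER.size:]
    card_id, key_ref, counter, balance = HEADER.unpack(header)
    expected = hmac.new(derive_key(master, key_ref), header, hashlib.sha256).digest()[:TAG_LEN]
    return card_id, key_ref, counter, balance, hmac.compare_digest(tag, expected)


def batch_audit(master: bytes, ledger: Dict[bytes, Tuple[int, int]],
                dumps: List[bytes]) -> Dict[bytes, str]:
    """Compare card dumps with the ledger {card_id: (counter, balance)}; return the problem list."""
    problems: Dict[bytes, str] = {}
    for record in dumps:
        card_id, key_ref, counter, balance, ok = read_record(master, record)
        if not ok:
            problems[card_id] = "tag mismatch: forged or corrupted record"
        elif card_id not in ledger:
            problems[card_id] = "unknown card"
        elif counter < ledger[card_id][0]:
            problems[card_id] = "stale counter: old record replayed onto card"
        elif (counter, balance) != ledger[card_id]:
            problems[card_id] = "balance/counter disagree with host ledger"
    return problems


if __name__ == "__main__":
    master = b"constructed-master-secret"
    ledger = {b"CARD0001": (2, 1500), b"CARD0002": (3, 500), b"CARD0003": (1, 100)}
    good = write_record(master, b"CARD0001", 7, 2, 1500)
    stale = write_record(master, b"CARD0002", 7, 1, 900)      # earlier valid record copied back
    edited = bytearray(write_record(master, b"CARD0003", 7, 1, 100))
    edited[HEADER.size - 1] ^= 0x01                            # low balance byte altered on the card
    for card, why in batch_audit(master, ledger, [good, stale, bytes(edited)]).items():
        print(card.decode(), why)
```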

Card-Based System Security

These systems are typically microprocessor card-based. A card, or token-based, system
treats a card as an active computing device. The interaction between the host and the card can
be a series of steps to determine if the card is authorized to be used in the system. The
process also checks if the user can be identified and authenticated, and if the card will present the
appropriate credentials to conduct a transaction. The card itself can also demand the same
from the host before proceeding with a transaction. Access to specific information in the
card is controlled by (1) the card's internal operating system and (2) the preset permissions
set by the card issuer regarding the files' conditions. The card can be in a standard CR80 form
factor or be in a USB dongle, or it could be a GSM SIM card.
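The mutual check described above, as an added example that is not code from the document or from any card operating system: card and host challenge each other before a transaction, following the GET CHALLENGE / EXTERNAL AUTHENTICATE / INTERNAL AUTHENTICATE pattern of ISO/IEC 7816-4, and derive a fresh session key from both challenges. The issuer master key, the HMAC-based key diversification and the retry limit are constructed assumptions.

```python
"""Card-based mutual authentication with per-session keys (added example).

Constructed illustration, not code from the document or any card OS: a
microprocessor card and a host share a card key diversified from an issuer
master key (constructed here). Each side proves knowledge of the key over
the other's challenge, the card blocks after repeated failures, and a session
key derived from both challenges makes every session different.
"""
import hashlib
import hmac
import secrets
from typing import Optional

MAX_FAILURES = 3   # assumed policy: card blocks external authentication after 3 bad proofs


def diversify(master: bytes, serial: bytes) -> bytes:
    """Per-card key from the issuer master key and the card serial number."""
    return hmac.new(master, b"card-auth-key" + serial, hashlib.sha256).digest()


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


class Card:
    """Simulated card OS: holds its key, a retry counter and the single-use challenge."""

    def __init__(self, serial: bytes, key: bytes):
        self.serial, self._key = serial, key
        self.failures = 0
        self._challenge: Optional[bytes] = None
        self.session_key: Optional[bytes] = None

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def external_authenticate(self, host_challenge: bytes, host_proof: bytes) -> Optional[bytes]:
        """Verify the host's proof; on success derive the session key and answer the host."""
        if self.failures >= MAX_FAILURES or self._challenge is None:
            return None                         # blocked, or no fresh challenge was issued
        expected = _mac(self._key, b"host", host_challenge, self._challenge)
        if not hmac.compare_digest(host_proof, expected):
            self.failures += 1
            self._challenge = None              # a new GET CHALLENGE is required to retry
            return None
        self.failures = 0
        self.session_key = _mac(self._key, b"session", host_challenge, self._challenge)
        proof = _mac(self._key, b"card", self._challenge, host_challenge)
        self._challenge = None                  # challenge is single-use: no replay
        return proof


class Host:
    """Terminal side: proves itself to the card, then checks the card's proof."""

    def __init__(self, master: bytes):
        self._master = master

    def authenticate(self, card: Card) -> Optional[bytes]:
        """Run the exchange; return the session key, or None if either side is rejected."""
        key = diversify(self._master, card.serial)
        card_challenge = card.get_challenge()                 # host -> card: GET CHALLENGE
        host_challenge = secrets.token_bytes(8)
        host_proof = _mac(key, b"host", host_challenge, card_challenge)
        card_proof = card.external_authenticate(host_challenge, host_proof)   # EXTERNAL AUTHENTICATE
        if card_proof is None:
            return None                                       # card rejected the host
        expected = _mac(key, b"card", card_challenge, host_challenge)         # INTERNAL AUTHENTICATE check
        if not hmac.compare_digest(card_proof, expected):
            return None                                       # card lacks the issuer key: foreign or cloned
        return _mac(key, b"session", host_challenge, card_challenge)


if __name__ == "__main__":
    master = b"constructed-issuer-master"
    card = Card(b"SN0001", diversify(master, b"SN0001"))
    host = Host(master)
    k1, k2 = host.authenticate(card), host.authenticate(card)
    print("genuine host accepted:", k1 is not None, "keys differ per session:", k1 != k2)
    rogue = Host(b"wrong-master")
    print("rogue host attempts:", [rogue.authenticate(card) for _ in range(MAX_FAILURES)])
    print("card blocked, genuine host now rejected:", host.authenticate(card) is None)
```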

Threats to Cards and Data Security

Effective security system planning takes into account the need for authorized users to access
data reasonably easily, while considering the many threats that this access presents to the
integrity and safety of the information. There are basic steps to follow to secure all smart card
systems, regardless of type or size.

Analysis: Types of data to secure; users, points of contact, transmission. Relative
risk/impact of data loss
Deployment of your proposed system
Road Test: Attempt to hack your system; learn about weak spots, etc.
Synthesis: Incorporate road test data, re-deploy
Auditing: Periodic security monitoring, checks of system, fine-tuning

When analyzing the threats to your data an organization should look closely at two specific
areas: Internal attacks and external attacks. The first and most common compromise of data
comes from disgruntled employees. Knowing this, a good system manager separates all back-
up data and back-up systems into a separately partitioned and secured space. The introduction
of viruses and the attempted formatting of network drives is a typical internal attack behavior.
By deploying employee cards that log an employee into the system and record the time, date
and machine that the employee is on, a company automatically discourages these types of
attacks.

External attacks are typically aimed at the weakest link in a company's security armor. The first
place an external hacker looks at is where they can intercept the transmission of your data. In a
smart card-enhanced system this starts with the card.


The following sets of questions are relevant to your analysis. Is the data on the card
transmitted in the clear or is it encrypted? If the transmission is sniffed, is each session secured
with a different key? Does the data move from the card reader to the PC in the clear? Does
the PC or client transmit the data in the clear? If the packet is sniffed, is each session secured
with a different key? Does the operating system have a back door? Is there a mechanism to
upload and download functioning code? How secure is this system? Does the OS provider
have a good security track record? Does the card manufacturer have precautions in place to
secure your data? Do they understand the liabilities? Can they provide other security measures
that can be implemented on the card and or module? When the card is subjected to Differential
Power attacks and Differential Thermal attacks does the OS reveal any secrets? Will the
semiconductor utilized meet this scrutiny? Do your suppliers understand these questions?

Other types of problems that can be a threat to your assets include:

Improperly secured passwords (writing them down, sharing)
Assigned PINs and the replacement mechanisms
Delegated Authentication Services
Poor data segmentation
Physical Security (the physical removal or destruction of your computing hardware)

Security Architectures
When designing a system a planner should look at the total cost of ownership, which includes:

Analysis
Installation and Deployment
Delegated Services
Training
Management
Audits and Upgrades
Infrastructure Costs (Software and Hardware)

Over 99% of all U.S.- based financial networks are secured with a Private Key Infrastructure.
This is changing over time, based on the sheer volume of transactions managed daily and the
hassles that come with private key management. Private Key-based systems make good
sense if your expected user base is less than 500,000 participants.

Public Key Systems are typically cost effective only in large volumes or where the value of data
is so high that it's worth the higher costs associated with this type of deployment. What most
people don't realize is that Public Key systems still rely heavily on Private Key encryption for all
transmission of data. The Public Key encryption algorithms are only used for non-repudiation
and to secure data integrity. Public Key infrastructures as a rule employ every mechanism of
data security in a nested and coordinated fashion to ensure the highest level of security
available today.

PKI Public Key Infrastructure

The following images illustrate a typical PKI-based system:

[Diagrams: typical PKI-based system]

Conclusions
Smart cards can add convenience and safety to any transaction of value and data; but the
choices facing today's managers can be daunting. We hope this site has adequately presented
the options and given you enough information to make informed evaluations of performance,
cost and security that will produce a smart card system that fits today's needs and those of
tomorrow. It is our sincere belief that informed users make better choices, which leads to better
business for everybody.
