11

Smart Card Technology UpdateSmart Card Technology UpdateSeminarSeminar

Dr LM ChengCity University of Hong KongCity University of Hong Kong

HKPC Seminar6 March 1998

Content

uu Basic Smart Card TechnologyBasic Smart Card Technology

uu Smart Card ApplicationsSmart Card Applications

uu

u Standard MethodsStandard Methods

u EncryptionEncryption

uu

u Advanced MethodsAdvanced Methods

u Industry StandardsIndustry Standards

uu

22

BASICS SMART CARDTECHNOLOGY

uu Magnetic CardMagnetic Card

uu Smart CardSmart Card memory memory

MPUIC MPUIC

crypto-processorcrypto-processor

contact & contactlesscontact & contactless

Magnetic Card

uu composed of a layer of magneticcomposed of a layer of magneticmaterial for storing informationmaterial for storing information

uu easy to carryeasy to carry

uu can be use for authenticationcan be use for authentication

uu what is its principles?what is its principles?

33

Information on Magnetic Card

uu the stripe isthe stripe is

8.5cm X 1.2cm 8.5cm X 1.2cm

uu data is constructeddata is constructedbased on ISObased on ISO7811/27811/2

uu maximum 3 stripesmaximum 3 stripes

uu can store around 1Kcan store around 1Kbitsbits

Smart Card

uu Integrated Circuit -Integrated Circuit -chipchip

uu originated fromoriginated fromFranceFrance

uu invented in 70 andinvented in 70 andmatured in 90matured in 90

uu Magnetic CardMagnetic Cardreplacementreplacement

44

Types of Smart Card

uu Memory CardMemory Card

uu MPU IC cardMPU IC card

uu Crypto-Crypto-

processor card processor card

uu Contactless cardContactless card

Memory CardMemory Card

uu Primitive typePrimitive type

uu composed ofcomposed ofEEPROM/PROMEEPROM/PROM

uu simple functionsimple function

uu as prepay cardas prepay card

55

Crypto-processor IC CardsCrypto-processor IC Cards

uu composed ofcomposed ofcrypto-processorcrypto-processor& PROM& PROM

uu a powerful MPUa powerful MPU

uu can recognizecan recognizeillegal signal andillegal signal andsecurity featuressecurity features

MPU IC Smart CardMPU IC Smart Card

uu Composed ofComposed ofMCU/MPCMCU/MPC

uu software drivensoftware driven

uu have flexibilityhave flexibilityand primitiveand primitiveintelligenceintelligence

uu some securitysome securityfeaturesfeatures

66

Contactless Smart CardContactless Smart Card

uu similar to contactsimilar to contactsmart cardsmart card

uu with RFwith RFtransceiver totransceiver toincreaseincreaserobustness androbustness andsecuritysecurity

SMART CARDAPPLICATIONS

uu AdvantagesAdvantages

uu TelecommunicationsTelecommunications

uu Access/Personal IDAccess/Personal ID

uu TransportationTransportation

uu FinancialFinancial

uu MedicalMedical

uu RetailRetail

uu AirlineAirline

77

Advantages of Smart Card

uu Large storage capacityLarge storage capacity

uu more security featuresmore security features

uu multiple functionsmultiple functions

uu flexibility in use - intelligent, lower powerflexibility in use - intelligent, lower powerconsumption, effective packagingconsumption, effective packaging

uu as access card, electronic purse, debit/creditas access card, electronic purse, debit/creditcards, ID card etc. - particular off-linecards, ID card etc. - particular off-lineapplicationsapplications

Telecommunications

uu Networks AccessNetworks Access

uu EDIEDI

uu Mobile phoneMobile phone

uu Market Size - 228 million cards by 2000Market Size - 228 million cards by 2000

88

Security

uu Access ControlAccess Control

uu Identity CardIdentity Card

uu Driving LicenseDriving License

uu Estimated market - 10 millions cards byEstimated market - 10 millions cards by20002000

Transportation

uu Driver ID/authorizationDriver ID/authorization

uu transit controltransit control

uu toll roadtoll road

uu parkingparking

uu public transportpublic transport

uu market size - over 200 million by 2000market size - over 200 million by 2000

99

Financial

uu Credit cardCredit card

uu Debit CardDebit Card

uu Electronic purseElectronic purse

uu Market size - 10 million by 2000Market size - 10 million by 2000

Medical

uu Medical recordMedical record

uu HistoryHistory

uu DrugDrug

uu X-ray, CT scans etcX-ray, CT scans etc

uu estimated market - 200 million by 2000estimated market - 200 million by 2000

1010

Retail

uu VIP cardVIP card

uu Debit or ID cardDebit or ID card

uu market size - 60 million cards by 2000market size - 60 million cards by 2000

Airline

uu As ticketsAs tickets

uu as passportas passport

uu estimated market - 10 million cards by 2000estimated market - 10 million cards by 2000

1111

Summary

Applications Market Size (millions)

Telecommunications 228

Access/IDAccess/ID 10

Transportation 200

Financial 10

Medical 200

Retail 60

Airline 10

TotalTotal 718

Standard Visual Security Methods

MR. B 12/95 VISB

IN GOD WE TRUST

Authorized Signature

Logo

Hologram

Magnetic Stripe

Bar Code

Computer Chip

Signatures

Fine Printings

Photo ID

1212

STANDARD VISUALSECURITY METHODS

uu HologramHologram

a Laser Generated Film to provide 3D Image a Laser Generated Film to provide 3D Image

uu Bar CodeBar Code

a Binary line pattern to provide coded information a Binary line pattern to provide coded information

uu Printed & Embossed DataPrinted & Embossed Data

card Holder information card Holder information

uu Fine PrintFine Print

very small pattern to avoid duplicationvery small pattern to avoid duplication

uu Photo IDPhoto ID

picture of card holderpicture of card holder

uu SignaturesSignatures

signed print of card holdersigned print of card holder

1313

TRADITIONAL CARDSECURITY TECHNIQUES

uu PINPIN

uu EncryptionEncryption

uu Secret CodesSecret Codes

uu Unique SignaturesUnique Signatures

uu Key ManagementKey Management

uu BiometricsBiometrics

uu PINPIN

Personal Identification Number (PIN) is used toPersonal Identification Number (PIN) is used toprovide access control for bank transaction throughprovide access control for bank transaction throughPOS/ATM terminals. PINs are encrypted and stored onPOS/ATM terminals. PINs are encrypted and stored onthe card but this approach has limitation in atathe card but this approach has limitation in atainterchange’ due to the prime key location.interchange’ due to the prime key location.

uu EncryptionEncryption

Encryption will modify data into irregular form forEncryption will modify data into irregular form forsecurity storage and transmission. The reconstruction issecurity storage and transmission. The reconstruction isachieved by using a set of relevant achieved by using a set of relevant Keys.Keys.

1414

Two cryptosystems are currently being used, i.e.Two cryptosystems are currently being used, i.e.symmetric symmetric (DES/FEAL) (DES/FEAL) andand asymmetric (RSA) asymmetric (RSA)..Symmetric cryptosystem requires only one commonSymmetric cryptosystem requires only one commonkey for encryption and decryption whereas asymmetrickey for encryption and decryption whereas asymmetricsystem requires two keys, i.e. private/user key andsystem requires two keys, i.e. private/user key andpublic/system key.public/system key.

uu Secret CodesSecret Codes

secret codes are used to protect the card access or assecret codes are used to protect the card access or askeys for encryption. Simple access control is achievedkeys for encryption. Simple access control is achievedby using hardwire logic whereas complicated methodsby using hardwire logic whereas complicated methodsare implemented using inbuilt microprocessor.are implemented using inbuilt microprocessor.

uu Unique SignaturesUnique Signatures

unique signatures can be generated by physical means.unique signatures can be generated by physical means.In smart card, unique signatures are pre-defined by theIn smart card, unique signatures are pre-defined by thechip manufacturer such as RFID or serial numberchip manufacturer such as RFID or serial number

uu Key ManagementKey Management

Key management is a critical issue for ensuringKey management is a critical issue for ensuringinformation security. Traditionally the prime key isinformation security. Traditionally the prime key isembedded in the POS/ATM terminals and use toembedded in the POS/ATM terminals and use toencrypted other keys such as PIN and Bankencrypted other keys such as PIN and BankAuthentication Keys.Authentication Keys.

1515

uu BiometricBiometric

using human biological information as anusing human biological information as anidentification, such as finger print, palm layout, retinalidentification, such as finger print, palm layout, retinalscan, head dimension, voice, image, signature andscan, head dimension, voice, image, signature andDNA. Complexity arises from feature extraction andDNA. Complexity arises from feature extraction andclassification algorithms, speed of operation andclassification algorithms, speed of operation andhardware.hardware.

Smart Card EncryptionTechniques

uu Smart cards are usually protected by a number of secretSmart cards are usually protected by a number of secretcodes.codes.

uu One or several encryption algorithms are also stored inOne or several encryption algorithms are also stored inprotected areas.protected areas.

uu Secret keys or prime keys for encryption algorithm areSecret keys or prime keys for encryption algorithm arestored by the manufacturer or by selected issuers.stored by the manufacturer or by selected issuers.

uu Manufacturer keys will identify type of cards andManufacturer keys will identify type of cards andcustomers and to protect the issuer keyscustomers and to protect the issuer keys

uu Issuer keys will be used to protect the sensitive informationIssuer keys will be used to protect the sensitive information

1616

DESuu Three algorithms will be introducedThree algorithms will be introduced

DESDES

RSARSA

ECCECC

uu DESDES

the most well-known symmetric system being used by the most well-known symmetric system being used bybanking sector and computer security.banking sector and computer security.

the technique was originated from IBM and certified bythe technique was originated from IBM and certified byNational Bureau of Standards in 1977.National Bureau of Standards in 1977.

an official unclassified data encryption method.an official unclassified data encryption method.

widely been used by Banking sectorswidely been used by Banking sectors

64 Bit Plaintext

Initial Permutation

32 Bit L0 32 Bit R0

F(R0,K1)+

32 Bit L1 32 Bit R1

32 Bit L15 32 Bit R15

F(R15,K16)+

32 Bit L16 32 Bit R16

Final Permutation

64 Bit Ciphertext

Encryption ProcessDES System

64 Bit Key

Permutation Choice 1

56 Bit Key

28 Bit C0 28 Bit D0

Left Shift Right Shift

C1 D1

BuildingBlock

PermutedChoice 2

K1(48 bits)

C16 D16

PermutedChoice 2

Key Schedule

1717

Li-1

32 bitsRi-1 32 bits

ExpansionPermutation 48 bits

S-BoxSubstitution

choice 32 bits

P-box Permutation

Li

32 bitsRi

32 bits

56 bits KeyPermuted Choice

48 bits

Function f

RSA

uu RSARSA

developed by 3 researchers at MIT (Rivet, Shamir,developed by 3 researchers at MIT (Rivet, Shamir,Adleman) in 1977Adleman) in 1977

based on two prime numbers (p & q) to generate thebased on two prime numbers (p & q) to generate thekeyskeys

most popular is RSA 129 where p x q gives a 129 bitmost popular is RSA 129 where p x q gives a 129 bitnumbernumber

highly security and has once been proposed to replacehighly security and has once been proposed to replaceDES in banking applicationDES in banking application

report cipheranalysed by a group of 600 specialist inreport cipheranalysed by a group of 600 specialist inMay 1994 through internetMay 1994 through internet

1818

RSA

uu Select two large prime p& qSelect two large prime p& q

uu Generate n = pqGenerate n = pq

uu Generate f(n) = (p-1)(q-1)Generate f(n) = (p-1)(q-1)

uu Select e (encryption/public key) and dSelect e (encryption/public key) and d(decryption/secret) as(decryption/secret) as

ed = 1 (mod(f(n))ed = 1 (mod(f(n))

uu Encryption by C =(MEncryption by C =(Mee, mod n) where M is the, mod n) where M is themessagemessage

uu Decrypt by M =(CDecrypt by M =(Cdd, mod n), mod n)

ECC

uu ECCECC

a new elliptic curve cryptosystem method for publica new elliptic curve cryptosystem method for publickey applicationskey applications

developed by Neil Koblitz (Washington University) developed by Neil Koblitz (Washington University)and Victor Miller (IBM, Yorktown Heights) in 1985and Victor Miller (IBM, Yorktown Heights) in 1985

using points in the elliptic curve as the elements forusing points in the elliptic curve as the elements forencryptionencryption

will become IEEE standard in 1997/8will become IEEE standard in 1997/8

1919

ECC - key generation

uu Select an elliptic curveSelect an elliptic curve

uu Generate the coordinate pairs which satisfyGenerate the coordinate pairs which satisfythe conditions of modulo n and selectthe conditions of modulo n and selectstarting point Pstarting point P

uu Key generation:Key generation:select a random integer d (secret key) in theselect a random integer d (secret key) in theinterval [2, n-2]interval [2, n-2]

compute point Q = dPcompute point Q = dP

make Q publicmake Q public

ECC Encryption

uu EncryptionEncryptionselect a random integer k in the interval [2, n-select a random integer k in the interval [2, n-2]2]

compute (xcompute (x11,y,y11) = kP and (x) = kP and (x22,y,y22))

generate a mask Y from secret as f(xgenerate a mask Y from secret as f(x22) and) andcompute C = Ycompute C = Y⊕⊕M where M is the messageM where M is the message

send the encrypted ciphertext EM assend the encrypted ciphertext EM asconcatenated concatenated [x[x11, y, y11, C], C]

2020

ECC Decryption

uu DecryptionDecryptionextract (xextract (x11,y,y11) from ciphertext EM) from ciphertext EM

compute (xcompute (x22,y,y22) from d(x) from d(x11,y,y11))

compute mask Y as f(xcompute mask Y as f(x22))

recover message by M = Crecover message by M = C⊕⊕YY

KEY MANAGEMENT

uu Key Management in Microprocessor based Smart CardKey Management in Microprocessor based Smart Card

all features in Combine Logic card plus e.g. using keyall features in Combine Logic card plus e.g. using keyimages e.g. 1010 = 1111images e.g. 1010 = 1111⊕⊕ 0100 0100 ⊕⊕ 0001 0001

access control to access control to selective selective vital datavital data

activated by validating handshaking protocolactivated by validating handshaking protocol

protected by multi-level access codesprotected by multi-level access codes

monitors activities in multiple application databasesmonitors activities in multiple application databases

generates random digital signaturesgenerates random digital signatures

tailored to special applications such as Securetailored to special applications such as SecureApplication Modules (SAM), dynamic logic/rulesApplication Modules (SAM), dynamic logic/rules

2121

uu Security in ISO 7816/4Security in ISO 7816/4

divided into two parts : card security and messagedivided into two parts : card security and messagesecuritysecurity

card security involves the actions and structurescard security involves the actions and structuresdesigned to protect the information stored in the cardsdesigned to protect the information stored in the cards

message security involves data communications frommessage security involves data communications fromcard to host transaction devicescard to host transaction devices

most items in 7816/4 follows the discussion givenmost items in 7816/4 follows the discussion givenaboveabove

uu Multi-function Card SecurityMulti-function Card Security

in principle multi-function card should allowin principle multi-function card should allowintersector sector communicationsintersector sector communications to enhance the to enhance thetransaction data interchange between different functiontransaction data interchange between different functionsectorssectors

concepts:concepts: mean of share data and unique identifiers for mean of share data and unique identifiers forall companies involved in the transactionall companies involved in the transaction

no appropriate solution at current stage : workingno appropriate solution at current stage : workinggroups in technical committee CEN/TC224 is preparinggroups in technical committee CEN/TC224 is preparingthe standards on inter-sector data and communicationsthe standards on inter-sector data and communications

2222

BIOMETRICS

uu Signature padsSignature pads

uu ImagesImages

uu Digital Watermarking - hire the crucial dataDigital Watermarking - hire the crucial datain a common imagein a common image

uu DNADNA

uu Iris measurementIris measurement

uu FingerprintFingerprint

Smart Card Software

uu Intelligent Chip Operating System -COSIntelligent Chip Operating System -COS

uu Encryption techniques - RSA & DESEncryption techniques - RSA & DES

uu Multiple Application OS (MAOS)Multiple Application OS (MAOS)Mondex, EMV, GSM, LoyaltyMondex, EMV, GSM, Loyalty

uu New requirementsNew requirementshot list, trust key managementhot list, trust key management

2323

New Technologies Required

uu Data Storage Management - informationData Storage Management - informationprotectionprotection

uu authentication process -authentication process -biometrics: fingerprint, facial features, irisbiometrics: fingerprint, facial features, irisidentification, dynamic signature recognition,identification, dynamic signature recognition,speech recognitionspeech recognition

uu encryption methods -encryption methods -Elliptic Curve Cryptography, chaoticElliptic Curve Cryptography, chaotictechniquestechniques

INDUSTRIAL STANDARDS

uu Industrial Standards are set by InternationalIndustrial Standards are set by InternationalOrganization of Standardization (ISO),Organization of Standardization (ISO),National Institute of Standards andNational Institute of Standards andTechnology (NIST) and IEEETechnology (NIST) and IEEE

uu ISO 7811-13: ID card:recording techniques,ISO 7811-13: ID card:recording techniques,identification of issuers and Financialidentification of issuers and FinancialTransaction cardsTransaction cards

2424

uu ISO7816 - ID card:IC cards with contact,ISO7816 - ID card:IC cards with contact,Parts:Parts:

F 1 - Physical Characteristics

F 2 - dimension and location of contacts

F 3 - electrical signal and transmission protocol

F 4 - interindustry commands for interchange

F 5 - numbering system and registration procedure

F 6 - interindustry data elements for interchange

F 7 - additional commands

F 8 - security

uu ISO9992:Financial Transaction CardsISO9992:Financial Transaction CardsParts Parts 1 - concepts and structures

2 - functions, messages, data elements and structure

uu ISO10202:Financial Transaction Cards -ISO10202:Financial Transaction Cards -securitysecurity

PartsParts1 - card life cycle

2 - transaction process

3 - cryptographic key relationships

4 - secure application modules

5 - use of algorithms

6 - cardholder verification

7 - key management

8 - general principal and overview

2525

uu ISO10536: ID cards - contactless IC cardsISO10536: ID cards - contactless IC cards

u Parts:1 - physical characteristics

2 - dimensions and location of coupling areas

3 - electrical characteristic of the contactless interface

NIST Standards

uu Digital Signature Standard, ACM Vol.. 35,Digital Signature Standard, ACM Vol.. 35,No 7, pp. 36-40No 7, pp. 36-40

uu Escrowed Encryption Standards, FIPSEscrowed Encryption Standards, FIPS(Federal Information Processing Standards)(Federal Information Processing Standards)Publications I85Publications I85

uu Public Key Infrastructure (PKI) TechnicalPublic Key Infrastructure (PKI) TechnicalSpecifications (Draft)Specifications (Draft)

2626

IEEE P1363 Working Draft

uu Public key Cryptography StandardsPublic key Cryptography Standardsdiscrete logarithmdiscrete logarithm

elliptic curveelliptic curve

integer factorization systemsinteger factorization systems

Some Global Policies

uu In USA, Regulation E applies to smart cardIn USA, Regulation E applies to smart cardwith stored valueswith stored values

value less than US$100 and off-linevalue less than US$100 and off-lineunaccountable store value systems do not needunaccountable store value systems do not needfor authorizationfor authorization

offline store value systems and EFT systemsoffline store value systems and EFT systemsneeds authorizationneeds authorization

propose all issuers should register (FinCEN)propose all issuers should register (FinCEN)than just self regulatorythan just self regulatory

2727

HK Policies

uu In HK, Monetary Authority has regulatoryIn HK, Monetary Authority has regulatoryFramework for smart cardsFramework for smart cards

licensed bank allowedlicensed bank allowed

non bank only allowed to issue limited purposenon bank only allowed to issue limited purposecardscards

HKMA can exempt a multi-purpose cardsHKMA can exempt a multi-purpose cards

single purpose do not need authorizationsingle purpose do not need authorization

Conclusion

uu Smart Card is an evolutionary productSmart Card is an evolutionary product

uu Trends of use is Trends of use is irreversibleirreversible

uu needs more technology needs more technology breakthroughbreakthrough to tomake them really smartmake them really smart

uu needs some framework to protectneeds some framework to protectconsumersconsumers