HK Science Museum "Technology behind Magnetic Card"
Smart Card Technology Update Seminar
Dr LM Cheng, City University of Hong Kong
HKPC Seminar, 6 March 1998

Content
- Basic Smart Card Technology
- Smart Card Applications
- Standard Methods
- Encryption
- Advanced Methods
- Industry Standards

BASIC SMART CARD TECHNOLOGY
- Magnetic Card
- Smart Card
  memory
  MPU IC
  crypto-processor
  contact & contactless

Magnetic Card
- composed of a layer of magnetic material for storing information
- easy to carry
- can be used for authentication
- what are its principles?

Information on Magnetic Card
- the stripe is 8.5cm X 1.2cm
- data is constructed based on ISO 7811/2
- maximum 3 stripes
- can store around 1K bits

Smart Card
- Integrated Circuit - chip
- originated from France
- invented in 70 and matured in 90
- Magnetic Card replacement

Types of Smart Card
- Memory Card
- MPU IC card
- Crypto-processor card
- Contactless card

Memory Card
- Primitive type
- composed of EEPROM/PROM
- simple function
- as prepay card

Crypto-processor IC Cards
- composed of crypto-processor & PROM
- a powerful MPU
- can recognize illegal signal and security features

MPU IC Smart Card
- Composed of MCU/MPC
- software driven
- have flexibility and primitive intelligence
- some security features

Contactless Smart Card
- similar to contact smart card
- with RF transceiver to increase robustness and security

SMART CARD APPLICATIONS
- Advantages
- Telecommunications
- Access/Personal ID
- Transportation
- Financial
- Medical
- Retail
- Airline

Advantages of Smart Card
- Large storage capacity
- more security features
- multiple functions
- flexibility in use - intelligent, lower power consumption, effective packaging
- as access card, electronic purse, debit/credit cards, ID card etc. - particularly off-line applications

Telecommunications
- Networks Access
- EDI
- Mobile phone
- Market Size - 228 million cards by 2000

Security
- Access Control
- Identity Card
- Driving License
- Estimated market - 10 million cards by 2000

Transportation
- Driver ID/authorization
- transit control
- toll road
- parking
- public transport
- market size - over 200 million by 2000

Financial
- Credit card
- Debit Card
- Electronic purse
- Market size - 10 million by 2000

Medical
- Medical record
- History
- Drug
- X-ray, CT scans etc
- estimated market - 200 million by 2000

Retail
- VIP card
- Debit or ID card
- market size - 60 million cards by 2000

Airline
- As tickets
- as passport
- estimated market - 10 million cards by 2000

Summary
Applications          Market Size (millions)
Telecommunications    228
Access/ID             10
Transportation        200
Financial             10
Medical               200
Retail                60
Airline               10
Total                 718

Standard Visual Security Methods
[Figure: sample card with labelled features: Logo, Hologram, Magnetic Stripe, Bar Code, Computer Chip, Signatures, Fine Printings, Photo ID]

STANDARD VISUAL SECURITY METHODS
- Hologram
  a laser-generated film to provide 3D image
- Bar Code
  a binary line pattern to provide coded information
- Printed & Embossed Data
  card holder information
- Fine Print
  very small pattern to avoid duplication
- Photo ID
  picture of card holder
- Signatures
  signed print of card holder

TRADITIONAL CARD SECURITY TECHNIQUES
- PIN
- Encryption
- Secret Codes
- Unique Signatures
- Key Management
- Biometrics

- PIN
  Personal Identification Number (PIN) is used to provide access control for bank transactions through POS/ATM terminals. PINs are encrypted and stored on the card, but this approach has limitations in 'data interchange' due to the prime key location.
- Encryption
  Encryption will modify data into irregular form for secure storage and transmission. The reconstruction is achieved by using a set of relevant keys.
  Two cryptosystems are currently being used, i.e. symmetric (DES/FEAL) and asymmetric (RSA). A symmetric cryptosystem requires only one common key for encryption and decryption, whereas an asymmetric system requires two keys, i.e. a private/user key and a public/system key.
- Secret Codes
  secret codes are used to protect the card access or as keys for encryption. Simple access control is achieved by using hardwired logic, whereas complicated methods are implemented using an inbuilt microprocessor.
- Unique Signatures
  unique signatures can be generated by physical means. In smart cards, unique signatures are pre-defined by the chip manufacturer, such as RFID or serial number.
- Key Management
  Key management is a critical issue for ensuring information security. Traditionally the prime key is embedded in the POS/ATM terminals and used to encrypt other keys such as PIN and Bank Authentication Keys.
- Biometric
  using human biological information as an identification, such as fingerprint, palm layout, retinal scan, head dimension, voice, image, signature and DNA. Complexity arises from feature extraction and classification algorithms, speed of operation and hardware.

Smart Card Encryption Techniques
- Smart cards are usually protected by a number of secret codes.
- One or several encryption algorithms are also stored in protected areas.
- Secret keys or prime keys for the encryption algorithm are stored by the manufacturer or by selected issuers.
- Manufacturer keys identify the type of cards and customers and protect the issuer keys
- Issuer keys are used to protect the sensitive information

DES
- Three algorithms will be introduced
  DES
  RSA
  ECC
- DES
  the most well-known symmetric system, used by the banking sector and in computer security.
  the technique originated from IBM and was certified by the National Bureau of Standards in 1977.
  an official unclassified data encryption method.
  widely used by banking sectors

[Figure: DES System, Encryption Process: 64 Bit Plaintext, Initial Permutation, 32 Bit L0 / 32 Bit R0, F(R0,K1) +, 32 Bit L1 / 32 Bit R1, ..., 32 Bit L15 / 32 Bit R15, F(R15,K16) +, 32 Bit L16 / 32 Bit R16, Final Permutation, 64 Bit Ciphertext]
[Figure: Key Schedule: 64 Bit Key, Permuted Choice 1, 56 Bit Key, 28 Bit C0 / 28 Bit D0, Left Shift / Right Shift, C1 / D1, Permuted Choice 2, K1 (48 bits), ..., C16 / D16, Permuted Choice 2; the repeated stage is labelled Building Block]
[Figure: Function f: Li-1 (32 bits), Ri-1 (32 bits), Expansion Permutation (48 bits), 56 bits Key through Permuted Choice (48 bits), S-Box Substitution choice (32 bits), P-box Permutation, Li (32 bits), Ri (32 bits)]

RSA
- RSA
  developed by 3 researchers at MIT (Rivest, Shamir, Adleman) in 1977
  based on two prime numbers (p & q) to generate the keys
  most popular is RSA 129 where p x q gives a 129 bit number
  highly secure and has once been proposed to replace DES in banking applications
  reported cryptanalysed by a group of 600 specialists in May 1994 through the Internet

RSA
- Select two large primes p & q
- Generate n = pq
- Generate f(n) = (p-1)(q-1)
- Select e (encryption/public key) and d (decryption/secret) as ed = 1 (mod f(n))
- Encryption by C = M^e mod n, where M is the message
- Decrypt by M = C^d mod n
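
The steps above carried through in code, as an added example that is not part of the original slides. The primes 61 and 53, the exponent 17, the message value 65 and all function names are constructed for illustration; real keys use primes hundreds of digits long.

```python
# Added example: textbook RSA following the slide's steps, with toy primes.
# The primes, exponent and message below are constructed sample values.
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def rsa_keygen(p, q, e):
    """n = pq, f(n) = (p-1)(q-1), then solve e*d = 1 (mod f(n)) for d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        # No inverse exists, so this e cannot be paired with any d.
        raise ValueError("e must be coprime to f(n)")
    _, x, _ = egcd(e, phi)
    d = x % phi
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """C = M^e mod n. M must be an integer smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """M = C^d mod n."""
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    public_key, private_key = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(public_key, 65)
    print("public", public_key, "private", private_key)
    print("C =", c, "M =", rsa_decrypt(private_key, c))
    # The raw scheme is deterministic: equal messages give equal ciphertexts,
    # which is why deployed systems add randomized padding before this step.
    print("deterministic:", rsa_encrypt(public_key, 65) == c)
```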

ECC
- ECC
  a new elliptic curve cryptosystem method for public key applications
  developed by Neal Koblitz (Washington University) and Victor Miller (IBM, Yorktown Heights) in 1985
  using points on the elliptic curve as the elements for encryption
  will become IEEE standard in 1997/8

ECC - key generation
- Select an elliptic curve
- Generate the coordinate pairs which satisfy the conditions of modulo n and select starting point P
- Key generation:
  select a random integer d (secret key) in the interval [2, n-2]
  compute point Q = dP
  make Q public

ECC Encryption
- Encryption
  select a random integer k in the interval [2, n-2]
  compute (x1,y1) = kP and (x2,y2)
  generate a mask Y from secret as f(x2) and compute C = Y ⊕ M where M is the message
  send the encrypted ciphertext EM as concatenated [x1, y1, C]

ECC Decryption
- Decryption
  extract (x1,y1) from ciphertext EM
  compute (x2,y2) from d(x1,y1)
  compute mask Y as f(x2)
  recover message by M = C ⊕ Y
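
The key generation, encryption and decryption slides above as one runnable sketch, added here and not taken from the original slides. Assumptions: a constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with P = (5, 1) of order n = 19, SHA-256 standing in for the unspecified mask function f, (x2, y2) taken as kQ so that it matches d(x1, y1) on decryption, and hypothetical function names throughout.

```python
# Added example: the slide's ECC steps on a constructed toy curve.
import hashlib
import secrets

# Constructed parameters: y^2 = x^3 + 2x + 2 over F_17, P = (5, 1), order n = 19.
p, a, b = 17, 2, 2
P, n = (5, 1), 19
O = None  # point at infinity

def on_curve(A):
    return A is O or (A[1] ** 2 - A[0] ** 3 - a * A[0] - b) % p == 0

def add(A, B):
    if A is O:
        return B
    if B is O:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # A + (-A)
    if A == B:
        s = (3 * x1 * x1 + a) * pow(2 * y1, p - 2, p) % p  # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, p - 2, p) % p   # chord slope
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p

def mul(k, A):
    R = O
    while k:  # double-and-add
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand_scalar():
    return 2 + secrets.randbelow(n - 3)  # uniform in [2, n-2]

def mask(x2, length):
    # Assumption: f is unspecified on the slide; SHA-256 in counter mode stands in.
    blocks = (hashlib.sha256(bytes([x2, i])).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def keygen(d=None):
    d = rand_scalar() if d is None else d
    return d, mul(d, P)  # secret d, public Q = dP

def encrypt(Q, M, k=None):
    k = rand_scalar() if k is None else k
    x1, y1 = mul(k, P)
    x2, _ = mul(k, Q)  # assumption: (x2, y2) = kQ
    return x1, y1, bytes(m ^ y for m, y in zip(M, mask(x2, len(M))))

def decrypt(d, EM):
    x1, y1, C = EM
    if not on_curve((x1, y1)):
        raise ValueError("received point is not on the curve")
    x2, _ = mul(d, (x1, y1))  # d(kP) = k(dP) = kQ
    return bytes(c ^ y for c, y in zip(C, mask(x2, len(C))))

if __name__ == "__main__":
    d, Q = keygen()
    EM = encrypt(Q, b"card data")  # constructed sample message
    print(Q, EM, decrypt(d, EM))
```

The receiver checks that (x1, y1) lies on the curve before multiplying by the secret d, since the point arrives from an untrusted sender.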

KEY MANAGEMENT
- Key Management in Microprocessor based Smart Card
  all features in Combine Logic card plus, e.g., using key images such as 1010 = 1111 ⊕ 0100 ⊕ 0001
  access control to selective vital data
  activated by validating handshaking protocol
  protected by multi-level access codes
  monitors activities in multiple application databases
  generates random digital signatures
  tailored to special applications such as Secure Application Modules (SAM), dynamic logic/rules
- Security in ISO 7816/4
  divided into two parts: card security and message security
  card security involves the actions and structures designed to protect the information stored in the cards
  message security involves data communications from card to host transaction devices
  most items in 7816/4 follow the discussion given above
- Multi-function Card Security
  in principle a multi-function card should allow inter-sector communications to enhance the transaction data interchange between different function sectors
  concepts: means of sharing data and unique identifiers for all companies involved in the transaction
  no appropriate solution at current stage: working groups in technical committee CEN/TC224 are preparing the standards on inter-sector data and communications

BIOMETRICS
- Signature pads
- Images
- Digital Watermarking - hide the crucial data in a common image
- DNA
- Iris measurement
- Fingerprint

Smart Card Software
- Intelligent Chip Operating System - COS
- Encryption techniques - RSA & DES
- Multiple Application OS (MAOS)
  Mondex, EMV, GSM, Loyalty
- New requirements
  hot list, trust key management

New Technologies Required
- Data Storage Management - information protection
- authentication process -
  biometrics: fingerprint, facial features, iris identification, dynamic signature recognition, speech recognition
- encryption methods -
  Elliptic Curve Cryptography, chaotic techniques

INDUSTRIAL STANDARDS
- Industrial Standards are set by International Organization of Standardization (ISO), National Institute of Standards and Technology (NIST) and IEEE
- ISO 7811-13: ID card: recording techniques, identification of issuers and Financial Transaction cards
- ISO7816 - ID card: IC cards with contact, Parts:
  1 - physical characteristics
  2 - dimension and location of contacts
  3 - electrical signal and transmission protocol
  4 - interindustry commands for interchange
  5 - numbering system and registration procedure
  6 - interindustry data elements for interchange
  7 - additional commands
  8 - security
- ISO9992: Financial Transaction Cards, Parts:
  1 - concepts and structures
  2 - functions, messages, data elements and structure
- ISO10202: Financial Transaction Cards - security, Parts:
  1 - card life cycle
  2 - transaction process
  3 - cryptographic key relationships
  4 - secure application modules
  5 - use of algorithms
  6 - cardholder verification
  7 - key management
  8 - general principle and overview
- ISO10536: ID cards - contactless IC cards, Parts:
  1 - physical characteristics
  2 - dimensions and location of coupling areas
  3 - electrical characteristic of the contactless interface

NIST Standards
- Digital Signature Standard, ACM Vol. 35, No 7, pp. 36-40
- Escrowed Encryption Standards, FIPS (Federal Information Processing Standards) Publications 185
- Public Key Infrastructure (PKI) Technical Specifications (Draft)

IEEE P1363 Working Draft
- Public key Cryptography Standards
  discrete logarithm
  elliptic curve
  integer factorization systems

Some Global Policies
- In USA, Regulation E applies to smart cards with stored values
  value less than US$100 and off-line unaccountable stored value systems do not need authorization
  offline stored value systems and EFT systems need authorization
  proposal that all issuers should register (FinCEN) rather than just being self-regulatory

HK Policies
- In HK, the Monetary Authority has a regulatory framework for smart cards
  licensed banks allowed
  non-banks only allowed to issue limited purpose cards
  HKMA can exempt multi-purpose cards
  single purpose cards do not need authorization

Conclusion
- Smart Card is an evolutionary product
- Trend of use is irreversible
- needs more technology breakthroughs to make them really smart
- needs some framework to protect consumers