smart card technology

SHAILESH GUPTA CSE B1 081088

Upload: shailesh-gupta

Post on 17-Oct-2014


Page 1: Smart Card Technology

SHAILESH GUPTA CSE B1 081088

Page 2: Smart Card Technology

1968: German inventor Jürgen Dethloff along with Helmut Gröttrup filed a patent for using plastic as a carrier for microchips.

1970: Dr. Kunitaka Arimura of Japan filed the first and only patent on the smart card concept.

1974: Roland Moreno of France files the original patent for the IC card, later dubbed the “smart card.”

1977: Three commercial manufacturers, Bull CP8, SGS Thomson, and Schlumberger began developing the IC card product.

Page 3: Smart Card Technology

1979: Motorola developed first single chip Microcontroller for French Banking

1982: World's first major IC card testing

1992: Nationwide prepaid card project started in Denmark

1999: Federal Government began a Federal employee smart card identification

Page 4: Smart Card Technology

Aim of this project

• To define a standard set of commands for smart cards for use in Indian applications.

• To provide a reference implementation of this standard.

• Transport Applications (Driving License and Vehicle Registration Certificate) were the pilot projects.

• Hence the OS standard is named SCOSTA.

• SCOSTA is defined by IIT Kanpur along with a technical subcommittee of SCAFI (Smart Card Forum of India).

• The OS is not really restricted to the transport applications and can be used in any ID application

Page 5: Smart Card Technology

A smart card contains a "chip" with memory and is typically used to hold customer account information and a "balance" of money similar to a checking account. The card is inserted into a device that can read and write to it updating information appropriately.

Page 6: Smart Card Technology

The standard definition of a smart card, or integrated circuit card (ICC), is any pocket sized card with embedded integrated circuits.

Loosely defined, a smart card is any card with a capability to relate information to a particular application such as:

• Magnetic Stripe Cards
• Optical Cards
• Memory Cards
• Microprocessor Cards

Page 7: Smart Card Technology

Smart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being:

1. MultOS
2. JavaCard
3. Cyberflex
4. StarCOS
5. MFC

Smart Card Operating Systems, or SCOS as they are commonly called, are placed on the ROM and usually occupy less than 16 KB. SCOS handle:

• File Handling and Manipulation.
• Memory Management
• Data Transmission Protocols.

Page 8: Smart Card Technology

Standard technology for bank cards, driver’s licenses, library cards, and so on.

Page 9: Smart Card Technology

Uses a laser to read and write the card

CANPASS contains:

• Photo ID
• Fingerprint

Page 10: Smart Card Technology

Can store:

• Financial Info
• Personal Info
• Specialized Info

Cannot process Info

Page 11: Smart Card Technology

Has an integrated circuit chip

Has the ability to:

• Store information
• Carry out local processing
• Perform complex calculations

Page 12: Smart Card Technology
Page 13: Smart Card Technology
Page 14: Smart Card Technology
Page 15: Smart Card Technology

Hybrid Card

• Has two chips: contact and contactless interface.
• The two chips are not connected.

Combi Card

• Has a single chip with a contact and contactless interface.
• Can access the same chip via a contact or contactless interface, with a very high level of security.

Page 16: Smart Card Technology

Classification

• Contact vs. Contactless

o Contact smart cards are inserted in a smart card reader, making physical contact with the reader

o Contactless smart cards employ a radio frequency (RFID) link between card and reader, without physical insertion of the card

o Combi card combines the two features

Page 17: Smart Card Technology

Classification

• Memory vs. Microprocessor

o Memory cards
- simply store data
- read and write to a fixed address on the card
- Straight Memory Cards
- Protected Cards: configured to restrict access through a password
- Stored Value Memory Cards: such as a telephone card, the chip has memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used.

o Microprocessor cards
- Miniature computer with microprocessor chip, input/output port, OS, ROM, EEPROM, RAM
- Add, delete, manipulate information in its memory
- Built-in security features
- Multiple functions and/or different applications reside on the card

Page 18: Smart Card Technology

Life Cycle

• Fabrication phase

• Pre-personalisation Phase

• Personalisation Phase

• Utilisation Phase

• End-of-Life Phase

Page 19: Smart Card Technology
Page 20: Smart Card Technology

What’s in a Card?

Contact pads: Vcc, RST, CLK, RFU, GND, Vpp, I/O, RFU

Page 21: Smart Card Technology
Page 22: Smart Card Technology

• 256 bytes to 4KB RAM.

• 8KB to 32KB ROM.

• 1KB to 32KB EEPROM.

• Crypto-coprocessors (implementing 3DES, RSA etc., in hardware) are optional.

• 8-bit to 16-bit CPU. 8051 based designs are common.

Page 23: Smart Card Technology

1. Card is inserted in the terminal
2. Card gets power. OS boots up. Sends ATR (Answer to reset)
3. ATR negotiations take place to set up data transfer speeds, capability negotiations etc.
4. Terminal sends first command to select MF
5. Card responds with an error (because MF selection is only on password presentation)
6. Terminal prompts the user to provide password
7. Terminal sends password for verification
8. Card verifies P2. Stores a status “P2 Verified”. Responds “OK”
9. Terminal sends command to select MF again
10. Card responds “OK”
11. Terminal sends command to read EF1
12. Card supplies personal data and responds “OK”
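The exchange above can be replayed against a small card model. This is an added example, not part of the original slides and not SCOSTA code: the class ToyCard, the retry counter, the placeholder ATR and the sample data are assumptions, while the status words are the ISO/IEC 7816-4 values.

```python
import hmac

SW_OK = 0x9000             # ISO/IEC 7816-4: normal completion
SW_SECURITY = 0x6982       # security status not satisfied
SW_BLOCKED = 0x6983        # verification method blocked

class ToyCard:
    """Constructed model: MF can be selected only after password P2 is verified."""

    def __init__(self, p2: bytes, ef1: bytes, max_tries: int = 3):
        self._p2, self._ef1 = p2, ef1
        self._max_tries = self._tries = max_tries   # retry counter is an assumption
        self.reset()

    def reset(self) -> bytes:
        # Power-up clears the volatile security status, then the card sends its ATR.
        self._p2_verified = self._mf_selected = False
        return bytes.fromhex("3B00")                # constructed placeholder ATR

    def verify(self, password: bytes) -> int:
        if self._tries == 0:
            return SW_BLOCKED
        if hmac.compare_digest(password, self._p2):  # constant-time comparison
            self._p2_verified, self._tries = True, self._max_tries
            return SW_OK
        self._p2_verified = False
        self._tries -= 1
        return 0x63C0 | self._tries                  # 63Cx: x tries remaining

    def select_mf(self) -> int:
        if not self._p2_verified:
            return SW_SECURITY
        self._mf_selected = True
        return SW_OK

    def read_ef1(self):
        if not self._mf_selected:
            return b"", SW_SECURITY
        return self._ef1, SW_OK

def terminal_session(card: ToyCard, password: bytes):
    """Terminal side of the exchange; returns (status-word trace, EF1 data)."""
    card.reset()
    trace = [card.select_mf()]          # first SELECT MF is refused
    trace.append(card.verify(password))
    trace.append(card.select_mf())      # retried after password presentation
    data, sw = card.read_ef1()
    return trace + [sw], data
```

The "P2 Verified" status lives only in volatile state, so removing and reinserting the card forces the password to be presented again, while the retry counter survives the reset.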

Page 24: Smart Card Technology

Personal information, including the card serial number, date of issue and cardholder’s name, gender, date of birth, ID number, and picture.

Information relating to cardholder status, remarks for catastrophic diseases, number of visits and admissions, accumulated medical expenditure records and amount of cost-sharing.

Medical service information, including drug allergy history and long-term prescriptions of ambulatory care and certain medical treatments.

Public health administration information

Page 25: Smart Card Technology

Computer based readers

• Connect through USB or COM (Serial) ports

Dedicated terminals

• Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.

Page 26: Smart Card Technology

In comparison to its predecessor, the magnetic stripe card, smart cards have many advantages including:

• Life of a smart card is longer

• A single smart card can house multiple applications. Just one card can be used as your license, passport, credit card, ATM card, ID card, etc.

• Smart cards cannot be easily replicated and are, as a general rule, much more secure than magnetic stripe cards

• Data on a smart card can be protected against unauthorized viewing. As a result, confidential data, PINs and passwords can be stored on a smart card. This means merchants do not have to go online every time to authenticate a transaction.

Page 27: Smart Card Technology

• chip is tamper-resistant
- information stored on the card can be PIN code and/or read-write protected
- capable of performing encryption
- each smart card has its own, unique serial number

• capable of processing, not just storing information
- Smart cards can communicate with computing devices through a smart card reader
- information and applications on a card can be updated without having to issue new cards

• A smart card carries more information than can be accommodated on a magnetic stripe card. It can make a decision, as it has relatively powerful processing capabilities that allow it to do more than a magnetic stripe card (e.g., data encryption).

Page 28: Smart Card Technology

+ NOT tamper proof
+ Can be lost/stolen
+ Lack of user mobility – only possible if user has smart card reader everywhere he goes
+ Has to use the same reader technology
+ Can be expensive
+ Working from PC – software based token will be better
+ No benefits to using a token on multiple PCs to using a smart card
+ Still working on bugs

Page 29: Smart Card Technology

Commercial Applications

• Banking/payment
• Identification
• Ticketing
• Parking and toll collection
• Universities use smart cards for ID purposes and at the library, vending machines, copy machines, and other services on campus.

Mobile Telecommunications

• SIM cards used on cell phones
• Over 300,000,000 GSM phones with smart cards
• Contains mobile phone security, subscription information, phone number on the network, billing information, and frequently called numbers.

Page 30: Smart Card Technology

Information Technology

• Secure logon and authentication of users to PCs and networks
• Encryption of sensitive data

Other Applications

• Over 4 million small dish TV satellite receivers in the US use a smart card as their removable security element and subscription information.
• Pre-paid, reloadable telephone cards
• Health Care, stores the history of a patient
• Fast ticketing in public transport, parking, and road tolling in many countries

Page 31: Smart Card Technology

• Password
o Card holder’s protection

• Cryptographic challenge response
o Entity authentication

• Biometric information
o Person’s identification

• A combination of one or more

Page 32: Smart Card Technology

• Terminal asks the user to provide a password.

• Password is sent to Card for verification.

• Scheme can be used to permit user authentication.

• Not a person identification scheme

Page 33: Smart Card Technology

• Terminal verifies card (INTERNAL AUTH)
o Terminal sends a random number to card to be hashed or encrypted using a key.
o Card provides the hash or ciphertext.

• Terminal can know that the card is authentic.

• Card needs to verify (EXTERNAL AUTH)
o Terminal asks for a challenge and sends the response to card to verify
o Card thus knows that terminal is authentic.

• Primarily for the “Entity Authentication”

Page 34: Smart Card Technology

• Finger print identification.
o Features of finger prints can be kept on the card (even verified on the card)

• Photograph/IRIS pattern etc.
o Such information is to be verified by a person. The information can be stored in the card securely.

Page 35: Smart Card Technology
Page 36: Smart Card Technology

Smart cards can be used for identification, authentication, and data storage

Smart cards can provide strong authentication for single sign-on or enterprise single sign-on to computers, laptops, data with encryption, enterprise resource planning platforms such as SAP, etc.
