You are on page 1of 56

SMART CARD TECHNOLOGY

CHAPTER 1
INTRODUCTION
Even the name Smart Card captures the imagination, however such a term is ambiguous and
is used in many different ways. ISO uses the term, Integrated Circuit Card (ICC) to
encompass all those devices where an integrated circuit is contained within an ISO 1
identification card piece of plastic. The card is 85.6mm x 53.98mm x 0.76mm and is the same
as the ubiquitous bank card with its magnetic stripe that is used as the payment instrument for
numerous financial schemes.
Integrated Circuit Cards come in two forms, contact and contactless. The former is easy to
identify because of its gold connector plate (fig 1). Although the ISO Standard (7816-2)
defined eight contacts, only 6 are actually used to communicate with the outside World. The
Contactless card may contain its own battery, particulary in the case of a "Super Smart Card"
which has an integrated keyboard and LCD display. In general however the operating power
is supplied to the contactless card electronics by an inductive loop using low frequency
electronic magnetic radiation. The communications signal may be transmitted in a similar
way or can use capacitive coupling or even an optical connection.

Figure 1.1: ISO ID 1Card


The Contact Card is the most commonly seen ICC to date largely because of its use in France
and now other parts of Europe as a telephone prepayment card.. Most contact cards contain a
simple integrated circuit although various experiments have taken place using two chips. The
chip itself varies considerably between different manufacturers and for a whole gambit of
applications. Let us consider first the purpose for the 6 contacts used by the ICC9(Fig 2).

DEPT OF ECE,MIST

PAGE 1

SMART CARD TECHNOLOGY

Figure 1.2: ISO 7816-2 Connector


Vcc is the supply voltage that drives the chips and is generally 5 volts. It should be noted
however that in the future we are likely to see a move towards 3 volts taking advantage of
advanced semiconductor technology and allowing much lower current levels to be consumed
by the integrated circuit. Vss is the substrate or ground reference voltage against which the
Vcc potential is measured. Reset is the signal line that is used to initiate the state of the
integrated circuit after power on.This is in itself an integral and complex process that we shall
describe later in more detail.
The clock signal is used drive the logic of the IC and is also used as the reference for the
serial communications link. There are two commonly used clock speeds 3.57 MHZ and 4.92
MHZ. The lower speed is most commonly used to date in Europe but this may change in the
future. One may be tempted to ask why these strange frequencies were chosen, why not just a
straight 5 MHZ. The reason lies in the availability of cheap crystals to form the clock
oscillator circuits. Both of these frequencies are used in the television world for the colour
sub carrier frequency. The PAL system operates using 4.92 MHZ whilst the 3.57 MHZ is
used by the American NTSC standard. The the Vpp connector is used for the high voltage
signal that is necessary to program the EPROM memory. Last, but by no means least is the
serial input/output (SIO) connector. This is the signal line by which the chip receives
commands and interchanges data with the outside world. This is also a fairly complex
operation and will be the subject of a more detailed discussion where symbols such as T0 and
T1 will be fully explained.
So what does the chip contain, well the primary use of the IC card is for the portable storage
and retrieval of data. Hence the fundamental component of the IC is a memory module. The
following list represents the more commonly used memory types,

DEPT OF ECE,MIST

PAGE 2

SMART CARD TECHNOLOGY

ROM Read only memory (mask ROM)


PROM Programmable read only memory
EPROM Erasable programmable ROM
EEPROM Electrically erasable PROM
RAM Random access memory
A particular chip may have one or more of these memory types. These memory types have
particular characteristics that control their method of use. The ROM type of memory is fixed
and can not be changed once manufactured by the semiconductor company. This is a low cost
memory, in that, it occupies minimum space on the silicon substrate. The use of the silicon is
often referred to as real estate because clearly one wants to get as much as possible into the
smallest possible space. The snag however is that it can not be changed and takes several
months to be produced by the semiconductor company. There is also effectively a minimum
order quantity in order to achieve this low cost.
In order of increasing real estate the PROM comes next. This memory is programmable by
the user through the use of fusible links. However high voltage and currents are required for
the programming cycle and such devices are not normally used in Integrated Circuit Cards.
The EPROM has been widely used in the past but the name for this application is something
of a misnomer. Whilst the memory is erasable, by means of ultra violet light, the necessary
quartz window is never available in the ICC and the memory is really used in one time
programmable mode (OTP). Getting pretty heavy in real estate terms is the EEPROM. This
memory is indeed erasable by the user and can be rewritten many times (between 10,000 and
1,000,000 in a typical implementation) All of these memories describe so far are non volatile.
In other words when the power is removed they still retain their contents. The random access
memory (RAM) is a different kettle of fish, this is volatile memory and as soon as the power
is removed the data contents is lost.
In order to pursue our studies further we must note that the cost of the IC at saturation (i.e
when development costs have been recouped) is proportional to the square area of silicon
used (assuming constant yield). The ISO connector is so designed to constrain the silicon die
size to about 25mm2 (although it is possible to handle 35mm2 or more). However the
important point is more concerned with reliability where clearly the larger die will be more
prone to mechanical fracture. There is another bi- product that we will consider later where
the cost of testing and personalisation are considerable altered by the complexity of the
particular chip. It is clear however that we should attempt to minimise the contents of the
chip on both cost and reliability grounds commensurate with the particular application .
Well of course you can't have something for nothing and although a telephone card may
operate with a little EEPROM memory (128 - 512 bytes) and the memory control logic, more
sophisticated applications will demand ROM, EEPROM, RAM and a CPU (Central

DEPT OF ECE,MIST

PAGE 3

SMART CARD TECHNOLOGY

Processing Unit) to achieve the necessary business. It is the addition of the CPU or microcontroller that really leads to the term "Smart" although we will not be rigorous in our use of
the term.
The control logic should not be overlooked as this is necessary not only for communication
protocols but also to offer some protection of the memory against fraudulent use. The ICC is
probably the security man's dream because unlike most electronic storage and processing
devices it has security intrinsically built in. The ICC really does provide a tamper resistant
domain that is difficult to match with the some what larger security boxes that handle
cryptographic processes.
So now we can differentiate the different types of ICC by their content,

Memory only
Memory with security logic
Memory with CPU

The security logic can be used to control access to the memory for authorized use only. This
is usually accomplished by some form of access code which may be quite large (64 bits or
more). Clearly the use of EEPROM memory must be strictly controlled where fraudsters can
obtain a financial advantage by unauthorized use. This applies as much to telephone cards as
applications using ICC for cryptographic key carriers. The security advantage of the CPU
device is of course more significant because the CPU is capable of implementing
cryptographic algorithms in its own right, but we will discuss this in more detail in due
course.
In the Smart Card world the term application is widely used to describe the software or
programs that the IC implements. In the simplest case the application may be just a file
manager for organising the storage and retrieval of data. Such an application may be totally
implemented in the logic of the chip. Similarly the chip must contain the communications
logic by which it accepts commands from the card acceptance device (CAD) and through
which it receives and transmits the application data. The ICC which contains a CPU can
handle more sophisticated applications and even multi applications since the CPU is also
capable of processing the data and taking decisions upon the various actions that may be
invoked. The subject of mult applications and particulary the implementation of security
segregation is another subject for more detailed discussion in subsequent parts.
Smart cards are a key component of the public-key infrastructure that Microsoft is integrating
into the Windows platform because smart cards enhance software-only solutions, such as
client authentication, logon, and secure e-mail. Smart cards are essentially a point of
convergence for public-key certificates and associated keys because they:
provide tamper-resistant storage for protecting private keys and other forms of personal
information.

DEPT OF ECE,MIST

PAGE 4

SMART CARD TECHNOLOGY

Isolate security-critical computations, involving authentication, digital signatures, and key


exchange from other parts of the system that do not have a need to know.
Enable portability of credentials and other private information between computers at
work, at home, or on the road.

The smart card will become an integral part of the Windows platform because smart cards
provide new and desirable features as revolutionary to the computer industry as the
introduction of the mouse or CD.
Incompatibility of applications, cards, and readers has been a major reason for the slow
adoption of smart cards outside of Europe. Interoperability among different vendors products
is a necessary requirement to enable broad consumer acceptance of smart cards and for
corporations to deploy smart cards for use within the enterprise.
ISO 7816, EMV, and GSM
To promote interoperability among smart cards and readers, the International Standards
Organization (ISO) developed the ISO 7816 standards for integrated circuit cards with
contacts. These specifications focused on interoperability at the physical, electrical, and datalink protocol levels. In 1996, Europay, MasterCard, and VISA (EMV) defined an industryspecific smart card specification that adopted the ISO 7816 standards and defined some
additional data types and encoding rules for use by the financial services industry. The
European telecommunications industry also embraced the ISO 7816 standards for their
Global System for Mobile Communications (GSM) smart card specification to enable
identification and authentication of mobile phone users.
While all of these specifications (ISO 7816, EMV, and GSM) were a step in the right
direction, each was either too low-level or application-specific to gain broad industry support.
Application interoperability issues, such as device-independent APIs, developer tools, and
resource sharing were not addressed by any of these specifications.
PC/SC Workgroup
The PC/SC (Personal Computer/Smart Card) Workgroup was formed in May 1996 in
partnership with major computer and smart card companies: Groupe Bull, Hewlett-Packard,
Microsoft, Schlumberger, and Siemens Nixdorf. The main focus of the workgroup has been to
develop specifications that solve these interoperability problems. In December 1997, the
workgroup released the first version of the specifications at http://www.smartcardsys.com/.
The PC/SC specifications are based on the ISO 7816 standards and are compatible with both
the EMV and GSM specifications. There is broad industry support for the specifications and a
strong desire to move them toward becoming independent standards in the future.
Since its founding and initial publication of the specifications, additional members have
joined the PC/SC Workgroup. New members include Gemplus, IBM, Sun Microsystems,
Toshiba, and Verifone.
Microsoft Approach
The Microsoft approach is simple and consists of the following:
A standard model for interfacing smart-card readers and cards with computers.
Device-independent APIs for enabling smart-card-aware applications.
DEPT OF ECE,MIST

PAGE 5

SMART CARD TECHNOLOGY

Familiar tools for software development.


Integration with all Windows platforms.

Having a standard model for how readers and cards interface with a computer enforces
interoperability among cards and readers from different manufacturers. Device-independent
APIs insulate application developers from differences between current and future
implementations. Device-independence also reduces software development costs by avoiding
application obsolescence due to underlying hardware changes.
Smart Card Operating System
The core of a smart card is its operating system. This is the code that handles the file
systems, the security, the I/O, the handling of the different applications, etc. It is similar to the
operating systems of PCs, except that it is limited to a few thousand bytes. There are several
companies that develop and market operating systems; IBM has been a pioneer in the area,
since 1984. In 1990 IBM introduced the MultiFunction Card (MFC) operating system. Since
then, many new versions of the MFC operating system have been developed. A unique
version of the MFC was done for Zentraler Kreditausschuess (ZKA), the central committee of
the Germany bank group, for payment systems standards. This development provided the
platform for the GeldKarte, the smart card application with the most number of cards in the
world.
Smart Card Operating Systems on the Market
Besides IBMs MFC, there are many smart card offerings currently available. Smart card
vendors have their own versions of smart card operating systems. The following is a list of
operating systems offered by various smart card vendors. This is not a complete list. Bull:
SmarTB, CC, Odyssey I (JavaCard), etc.
DeLaRue: DS, DX, DXPLUS, CC, Mondex Card, JavaCard, etc.
Gemplus: PCOS, MPCOS, GemVersion, GemXpresso(JavaCard), etc.
Giesecke & Devrient: Starcos S, Starcos PK, Starcos X, etc.
ODS: ODS-COS, etc.
ORGA: ICC, etc.
Schlumberger: ME2000, PayFlex, Multiflex, Cryptoflex, Cyberflex(JavaCard), etc.
Siemens: Card OS
Sometimes smart card vendors license smart card operating system from other manufacturers,
and extend and modify commands and applications for different purposes. For example, both
Gemplus and Schlumberger license IBMs MFC.
Smart Card Types
Since there is no official definition of the term smart card, many different cards are being
called smart cards as long as they have some kind of intelligent circuitry on the cards, such as
a microprocessor.

DEPT OF ECE,MIST

PAGE 6

SMART CARD TECHNOLOGY

Smart Card Standards


There are many standards, specifications and recommendations for smart cards. Some of
them come from recognized international bodies such as ISO. Some come from industry
organizations such as financial institutions; some come from companies that want their
products set the norms; some are de facto standards. We can categorize the standards in the
following groups based on the standard organizations:
The International Organization for Standardization (ISO) standards:
ISO 7810: plastic ID cards, dimensions
ISO 7811 Parts 1-6: ID cards
ISO 7816 Parts 1-8: contact integrated circuit (IC) cards
ISO 10536 Parts 1-4: close coupling cards
ISO 14443 Parts 1-4: remote coupling cards
The country and/or industry standards. Some of them are not smart card standards, but are
used by applications running in smart cards.
CCITT X.509: Directory for certificates
EN726 Parts 1-7: for telecommunications IC cards and terminals
ANSI (US Standard body) X9 series: for digital signature, secure hash, RSA, and data
encryption algorithms
US Government standards:
- FIPS-46: Data Encryption Standards
- FIPS-81: DES Modes of Operation
- FIPS-180-1: Secure Hash Standards (SHA-1)
- FIPS-186: Digital Signature Standards (DSS)
GSM 11.11-11.12: European digital cellular telecommunications system
Europay, MasterCard, and Visa (EMV) Parts 1-3: IC card specification for payment
systems International Airline Transportation Association (IATA) Resolution 791: using
smart card
for electronic ticketing
PC/SC: specification for connection of smart card readers to PCs running Windows
operating systems
G7: International health organization for health card
OpenCard Framework: architecture specification framework for terminals and cards
JavaCard: Specification for JAVA virtual machine

DEPT OF ECE,MIST

PAGE 7

SMART CARD TECHNOLOGY

Common Data Security Architecture: architecture for security plug-ins.


Smart Card Security
There are many reasons to use a smart card, but as we said earlier one of the main reasons is
the built-in security features of a smart card. The microprocessor of the smart card has
encryption keys and encryption algorithms built-in for performing ciphering/deciphering of
data inside the card. The operating system file structure prevents the secret keys from being
read from outside the smart card. If multiple applications reside on the same smart card, they
are protected from each other by a firewall between them. In addition to the smart card itself,
a smart card solution needs to address total system security, which includes readers,
terminals, network, and back-end processing systems. In other words, to ensure overall
security it is necessary to do a total system design, which covers all the subjects that can be
attacked by criminals. During the design process we must evaluate the risks involved versus
the rewards of establishing strong security features, the expenses of implementing the
solution against the exposure of suffering a security breach. This design process is probably
best performed by a consultant who has no personal interest in a given product, than by
vendors who may have high skills regarding a product but lack the overall system security
knowledge.
Smart Card Terminals/Readers
There are many different kinds of smart card readers, also known as card acceptance devices
or IFDs (interface device). The term reader can be misleading since these devices can also
write to the cards. Some kind of intelligence is usually present in the card terminal, since the
reader and the card must authenticate each other.
There are many ways of classifying the smart card readers:
Type of card: contact or contactless
Functionality: from simple to complex in functions
Stand alone vs online
Final product or an OEM to be integrated in another machine, such as ATM, kiosks, vending
machines, etc.
PC attachment: PCMCIA, RS232, etc.
Price: below US$ 100 for some RS232 readers to several thousand dollars for cash loading
machines.
Smart Card Development Toolkits
Coding applications for a smart card requires a very rare set of skills. The programmer must
know not only the programming language and the platform where the code is developed, but
also the smart card operating system, the smart card reader, the communication protocol
between the smart card and the reader, the smart card file structure, etc. This situation has
been recognized by the industry and most of the smart card vendors provide development

DEPT OF ECE,MIST

PAGE 8

SMART CARD TECHNOLOGY

tools for their customers. IBMs Smart Card ToolKit thus far is one of the most complete and
powerful tools for smart card application development. Using IBMs ToolKit, an application
developer does not need to know the smart card operating system internals and details.

Smart Card Solution


An end-to-end smart card solution not only consists of many hardware and software
components, but also requires network connectivity, consulting, application development, and
system integration services from a technical perspective. On the business side, you also need
a feasibility analysis and business case to justify re-engineering using a smart card. As shown
in Figure 4 on page 9, the hardware components are cards, terminals with or without
workstations, mainframe host computers, servers, etc. The connectivity may be direct, over
the phone line, on private network, or public network. Of course, some smart card terminals
or Card Acceptance Devices (CAD) such as vending machines and copy machines may be
just offline without online connectivity. At the back end of a solution system there are hosts
and servers for databases and transaction processes.

Figure 1.3. Smart Card Solution Components

Smart Card Card Management

DEPT OF ECE,MIST

PAGE 9

SMART CARD TECHNOLOGY

The smart card has a life cycle, from its manufacture to its destruction, including the
personalization, the distribution to the user, the replacement, etc. The managing of the card
life cycle is called Card Management System (CMS). CMS must address the following stages
and participants in the life of a smart card:
Chip manufacture
Module manufacture
Plastic card manufacture
Card issuance service bureau
Software and system integration company for providing smart card initialization and
personalization software
Card issuer
Card application provider
Card renewal/modification/revocation
Some companies can provide multiple functions in the process of smart card production and
issuance. But in practice, companies usually team up in alliances because each technology
(such as chip, mask, modules, plastic, and personalization) requires special skills and tools.
Investment in each area can be very extensive and expensive.
To issue a smart card to a cardholder, there are usually two steps: initialization and
personalization. During the initialization step, the file structure and some keys are loaded.
During the personalization step, individual data unique to the cardholder, such as name,
address, account, etc., plus some more encryption keys are loaded into the chip. Part of this
information is also printed on the plastic and encoded into the magnetic stripe, if the card has
one.

Future of the Smart Cards


The industry analysts and the specialized press forecast a brilliant future for the smart cards.
Billions of cards are predicted to be circulating in a few years. We stay away from these
forecasts in this book, but agree that the use of smart cards will grow significantly.
But the industry analysts and the specialized media also agree that the smart cards have yet
to penetrate one of the most interesting markets in the world: the USA.
There are several reasons for this:
No large centralized government applications (such as health care) which require the
citizens to use smart cards
No smart card infrastructure: many stores in Europe have some kind of card reader

DEPT OF ECE,MIST

PAGE 10

SMART CARD TECHNOLOGY

USA customers and merchants are more ready to accept the cost of using credit cards than
its European counterparts
Cellular phones in USA do not follow the GSM standard (Groupe Spciale Mobile, see 3.3,
GSM on page 30), which uses a smart card inside the phone. In Europe the phones use the
GSM standard. These phones use smart cards with a special operating system and its size is
even smaller than credit card size.
Another reason given for this situation is that in USA communications, over either direct or
switched lines, are less expensive than in the rest of the world. What does this have to do with
smart card usage? Many cards applications require an online transaction, for example a credit
card may require to check the validity of the card. The beauty of the smart card is that allows
the merchant to avoid this online checking, allowing an offline authentication and thus saving
a phone call; France has credit and debit cards that use smart cards for this purpose.
An example of an offline application is the electronic purse. The user loads the smart card
purse with money and goes shopping with it. When the user hands the smart card to the
merchant, there is no need to require the approval from a credit organization, as the money
is already in the card.
The merchant avoids the cost of a phone call and also gets the money right away.
Why are communications less expensive in the USA than in most of other countries? The
usual answer is that outside the USA communications are a monopoly of the governmentowned PTT. But this situation is changing; many PTTs are going private
. It is necessary the discovery of an killer application in the USA in order to increase the
penetration of smart cards in this market. Of course, we do not know which this killer
application(s) may be. As we said before, the most important features of a smart card, from
our point of view, are security and mobility. This killer application should exploit these
features.
There is a situation in the IT business that may help the usage of smart cards: the fear of
hackers attacking sensitive information from the Internet. Another is to protect assets,
denying access to premises that contain valuable information. In this book we emphasize
these types of applications: digital signature, biometrics, access control, etc. These
application will not generate the zillions of cards predicted in some forecasts, but they will
require the help of consultants and integrators, to whom this book is addressed.
In summary, for the future we think that:
In North America the use of smart cards for authentication will probably be one of the main
drivers in the increase of usage of cards
In the emerging countries where telecommunications still has to catch up with the USAs
standards and prices, the use of smart cards for offline transactions will be the main factor in
increasing smart card usage.

DEPT OF ECE,MIST

PAGE 11

SMART CARD TECHNOLOGY

In Europe the goverment usage of smart cards for health and other federal prgrams will be a
decisive factor in expanding the smart card market.

CHAPTER 2
HISTORY
Invention
In 1968 and 1969 Helmut Grttrup and Jrgen Dethloff jointly filed patents for the automated
chip card. Roland Moreno patented the memory card concept in 1974. An important patent
for smart cards with a microprocessor and memory as used today was filed by Jrgen
Dethloff in 1976 and granted as USP 4105156 in 1978. In 1977, Michel
Ugon from Honeywell Bull invented the first microprocessor smart card with two chips: one
microprocessor and one memory, and in 1978, he has patented the self-programmable onechip microcomputer (SPOM) that defines the necessary architecture to program the chip.
Three years later, Motorola used this patent in its "CP8". At that time, Bull had 1,200 patents
related to smart cards. In 2001, Bull sold its CP8 division together with its patents to
Schlumberger, who subsequently combined its own internal smart card department and CP8
to create Axalto. In 2006, Axalto and Gemplus, at the time the world's top two smart card
manufacturers, merged and became Gemalto. In 2008Dexa Systems spun off
from Schlumberger and acquired Enterprise Security Services business, which included the
smart card solutions division responsible for deploying the first large scale public key
infrastructure (PKI) based smart card management systems.
The first mass use of the cards was as a telephone card for payment in French pay phones,
starting in 1983.

DEPT OF ECE,MIST

PAGE 12

SMART CARD TECHNOLOGY

Carte Bleue
After the Tlcarte, microchips were integrated into all French Carte Bleue debit cards in
1992. Customers inserted the card into the merchant's point of sale (POS) terminal, then
typed the personal identification number (PIN), before the transaction was accepted. Only
very limited transactions (such as paying small highway tolls) are processed without a PIN.
Smart-card-based "electronic purse" systems store funds on the card so that readers do not
need network connectivity. They entered European service in the mid-1990s. They have been
common in Germany (Geldkarte), Austria (Quick Wertkarte), Belgium (Proton), France
(Moneo), the Netherlands (Chipknip Chipper (decommissioned in 2001)), Switzerland
("Cash"), Norway ("Mondex"), Sweden ("Cash", decommissioned in 2004), Finland
("Avant"), UK ("Mondex"), Denmark ("Danmnt") and Portugal ("Porta-moedas
Multibanco").
Since the 1990s, smart-cards have been the Subscriber Identity Modules (SIMs) used
in European GSM mobile phone equipment. Mobile phones are widely used in Europe, so
smart cards have become very common.

EMV
Europay MasterCard Visa (EMV)-compliant cards and equipment are widespread. The
United States started using the EMV technology in 2014. Typically, a country's national
payment
association,
in
coordination
with MasterCard International, Visa International, American
Express and Japan
Credit
Bureau (JCB), jointly plan and implement EMV systems.
Historically, in 1993 several international payment companies agreed to develop smart-card
specifications for debit and credit cards. The original brands were MasterCard, Visa,
and Europay. The first version of the EMV system was released in 1994. In 1998 the
specifications became stable.
EMVCo maintains these specifications. EMVco's purpose is to assure the various financial
institutions and retailers that the specifications retain backward compatibility with the 1998
version. EMVco upgraded the specifications in 2000 and 2004.

DEPT OF ECE,MIST

PAGE 13

SMART CARD TECHNOLOGY

FIGURE 2.1: EMV


EMV compliant cards were accepted into the United States in 2014. MasterCard was the first
company that has been allowed to use the technology in the United States. The United States
has felt pushed to use the technology because of the increase in identity theft. The credit card
information stolen from Target in late 2013 was one of the largest indicators that American
credit card information is not safe. Target has made the decision on April 30, 2014 that they
are going to try and implement the smart chip technology in order to protect themselves from
future credit card identity theft.
Before 2014, the consensus in America was that there was enough security measures to avoid
credit card theft and that the smart chip was not necessary. The cost of the smart chip
technology was significant, which was why most of the corporations did not want to pay for
it in the United States. The debate came when online credit theft was insecure enough for the
United States to invest in the technology. The adaptation of EMV's increased significantly in
2015 when the liability shifts occurred in October by the credit card companies.

DEPT OF ECE,MIST

PAGE 14

SMART CARD TECHNOLOGY

Development of contactless systems


Contactless smart cards do not require physical contact between a card and reader. They are
becoming more popular for payment and ticketing. Typical uses include mass transit and
motorway tolls. Visa and MasterCard implemented a version deployed in 20042006 in the
U.S. Most contactless fare collection systems are incompatible, though theMIFARE Standard
card from NXP Semiconductors has a considerable market share in the US and Europe.
Smart cards are also being introduced for identification and entitlement by regional, national,
and international organizations. These uses include citizen cards, drivers licenses, and patient
cards. In Malaysia, the compulsory national ID MyKad enables eight applications and has 18
million users. Contactless smart cards are part of ICAO biometric passports to enhance
security for international travel.

FIGURE 2.2:CONTACTLESS SYSTEM

CHAPTER 3

DEPT OF ECE,MIST

PAGE 15

SMART CARD TECHNOLOGY

CONSTRUCTION
How the smart card is made?
The manufacture of a smart card involves a large number of processes of which the
embedding of the chip into the plastic card is key in achieving an overall quality product.
This latter process is usually referred to as card fabrication. The whole operation starts with
the application requirements specification. From the requirements individual specifications
can be prepared for the chip, card, mask ROM software and the application software.
The ROM software is provided to the semiconductor supplier who manufactures the chips.
The card fabricator embeds the chip in the plastic card. It is also quite normal for the
fabricator to load the application software and personalisation data. Security is a fundamental
aspect in the manufacture of a smart card and is intrinsic to the total process. However we
will consider security separately in subsequent articles in this series. We will look at each of
the stages in the manufacture of the smart card as shown in figure.3.

DEPT OF ECE,MIST

PAGE 16

SMART CARD TECHNOLOGY

Figure 3.1: Stages in the manufacture of a Smart Card

DEPT OF ECE,MIST

PAGE 17

SMART CARD TECHNOLOGY

Chip specification
There are a number of factors to be decided in the specification of the integrated circuit for
the smart card. For the purpose of this discussion we will consider a CPU based card
although the manufacture of a memory card is substantially a subset of that described here.
The key parameters for the chip specification are as follows,
Microcontroller type (e.g 6805,8051)
Mask ROM size
RAM size
Non volatile memory type (e.g EPROM, EEPROM)
Non volatile memory size
Clock speed (external, and optionally internal)
Electrical parameters (voltage and current)
Communications parameters (asynchronous, synchronous, byte, block)
Reset mechanism
Sleep mode (low current standby operation)
Co-processor (e.g for public key cryptography)
In practice the semiconductor manufacturers have a range of products for which the above
parameters are pre-defined. The task of the designer is therefore concerned with choosing the
appropriate product for the particular application. As mentioned previously security may be
an important issue for the application and accordingly there may be extra requirements on the
physical and logical security offered by the particular chip. Conformance to ISO standards is
also likely to be a requirement and in this area ISO 7816 - 3 (Electronic signals and
transmission protocols) is the principle standard to be considered. It should be noted however
that ETSI (European Telecommunications Standard Institute) are currently developing new
standards for the CEN TC224 committee. These standards are more stringent than that
described by the ISO standards. For example the ISO 7816-3 allows a card current supply of
up to 200 mA. ETSI have recommended 20mA for normal use and 10mA for applications
such as portable phones.
Card specification
The specification of a card involves parameters that are common to many existing
applications using the ISO ID-1 card. The following list defines the main parameters that
should be defined,
Card dimensions
Chip location (contact card)
DEPT OF ECE,MIST

PAGE 18

SMART CARD TECHNOLOGY

Card material (e.g PVC, ABS)


Printing requirements
Magnetic stripe (optional)
Signature strip (optional)
Hologram or photo (optional)
Embossing (optional)
Environmental parameters
The characteristics of the smart card are part of the ISO 7816 part 1 (physical) and 2 (contact
location) standards. The choice of chip location has been a difficult subject due largely to the
use of magnetic stripes. The early French cards put the IC module further off the longitudinal
axis of the card than the standard eventually agreed by ISO.
This was preferable because of the residual risk of chip damage due to bending. The French
Transac tracks were lower on the card which also made this position preferable. The now
agreed ISO standards for magnetic stripes resulted in the French chip position and the
magnetic stripe being coincident. Hence the now agreed lower location which does of course
result in higher bending stress on the chip.
The ISO 7816-2 standard does however allow the position of the contacts to be either side of
the card. More recently there have been moves to remove this option with the front (opposite
to the side containing the magnetic stripe) being the preferred position for the IC connector.
The choice of card material effects the environmental properties of the finished product. PVC
was traditionally used in the manufacture of cards and enabled a higher printing resolution.
Such cards are laminated as three layers with transparent overlays on the front and back.
More recently ABS has been used which allows the card to be produced by an injection
moulding process.
It is even proposed that the chip micromodule could be inserted in one step as part of the
moulding process. Temperature stability is clearly important for some applications and ETSI
are particulary concerned here, such that their higher temperature requirement will need the
use of polycarbonate materials.

Mask ROM Specification


The mask ROM contains the operating system of the smart card. It is largely concerned with
the management of data files but it may optionally involve additional features such as
cryptographic algorithms (e.g DES). In some ways this is still a relatively immature part of
the smart card standards since the early applications used the smart card largely as a data
store with some simple security features such as PIN checking. The relevant part of the ISO
standard is 7816-4 (commands). There is a school of thought that envisages substantial
changes in this area to account for the needs of multi-application cards where it is essential to

DEPT OF ECE,MIST

PAGE 19

SMART CARD TECHNOLOGY

provide the necessary security segregation. The developed code is given to the supplier who
incorporates this data as part of the chip manufacturing process.

Application Software Specification


This part of the card development process is clearly specific to the particular application. The
application code could be designed as part of the mask ROM code but the more modern
approach is to design the application software to operate from the PROM non volatile
memory. This allows a far more flexible approach since the application can be loaded into the
chip after manufacture.
More over by the use of EEPROM it is possible to change this code in an development
environment. The manufacturer of a chip with the users ROM code takes on average three
months. Application code can be loaded into the PROM memory in minutes with no further
reference to the chip manufacturer.

Chip Fabrication
The fabrication of the card involves a number of processes as shown in fig. 7. The first part of
the process is to manufacture a substrate which contains the chip. This is often called a COB
(Chip On Board) and consists of a glass epoxy connector board on which the chip is bonded
to the connectors. There are three technologies available for this process, wire bonding, flip
chip processing and tape automated bonding (TAB).
In each case the semiconductor wafer manufactured by the semiconductor supplier is diced
into individual chips . This may be done by scribing with a diamond tipped point and then
pressure rolling the wafers so that it fractures along the scribe lines. More commonly the die
are separated from the wafer by the use of a diamond saw. A mylar sheet is stuck to the back
of the wafer so that following separation the dice remain attached to the mylar film.

DEPT OF ECE,MIST

PAGE 20

SMART CARD TECHNOLOGY

FIGURE 3.2:SMART CARD FABRICATION PROCESS


Wire bonding is the most commonly used technique in the manufacture of smart cards. Here
a 25uM gold or aluminium wire is bonded to the pads on the chip using ultrasonic or thermo
compression bonding. Thermo compression bonding requires the substrate to be maintained
at between 150C and 200C. The temperature atthe bonding interface can reach 350C. To
alleviate these problems thermo sonic bonding is often used which is a combination of the
two processes but which operate at lower temperatures.

DEPT OF ECE,MIST

PAGE 21

SMART CARD TECHNOLOGY

The die mounting and wire bonding processes involve a large number of operations and are
therefore quite expensive. Because in general only 5 or 6 wires are bonded for smart card
applications this approach is acceptable. However in the semiconductor industry generally
two other techniques are used, the flip chip process and tape automated bonding. In both
cases gold bumps are formed on the die. In flip chip processing the dice are placed face down
on the substrate and bonding is effected by solder reflow. With tape automated bonding the
dice are attached by thermocompression to copper leads supported on a flexible tape similar
to a 35mm film.
The finished substrate is hermetically sealed with an inert material such as epoxy resin. The
complete micromodule is then glued into the card which contains the appropriately sized
hole.
The fabrication of a contactless card is somewhat different since it always involves a
laminated card as shown in fig. 8. The ICs and their interconnections as well as the aerial
circuits are prepared on a flexible polyimide substrate.

Figure 3.3:Contactless card limitations


Application load
Assuming the application is to be placed in the PROM memory of the IC then the next stage
in the process is to load the code into the memory.
This is accomplished by using the basic commands contained in the operating system in the
mask ROM. These commands allow the reading and writing of the PROM memory.

Card Personalisation

DEPT OF ECE,MIST

PAGE 22

SMART CARD TECHNOLOGY

The card is personalised to the particular user by loading data into files in the PROM memory
in the same way that the application code is loaded into memory. At this stage the security
keys will probably be loaded into the PROM memory but as mentioned previously we will
explore this in more detail later.

Application Activation
The final operation in the manufacturing process is to enable the application for operation.
This will involve the setting of flags in the PROM memory that will inhibit any further
changes to be made to the PROM memory except under direct control of the application.
Again this is an integral part of the overall security process.

DEPT OF ECE,MIST

PAGE 23

SMART CARD TECHNOLOGY

CHAPTER 4
CHARACTERISTICS OF SMART CARD
Physical characteristics of the Contact Card
Many observers have commented that the widespread use of smart cards is being impeded by
the lack of standards. Interoperability is of course the name of the game and is the primary
purpose of standards. The problems of interoperability start at the bottom, in other words with
the physical dimensions of the card and the location of the contacts.
These standards are well established and as we shall show in subsequent parts so are the more
important characteristics of a smart card that form the basis of the existing and emerging
standards. As you move higher in the architecture towards the specification of the application
then the problems of interoperability are less relevant since it is not generally necessary to
have compatibility between the applications themselves. The biggest hole in the current
standards work is the lack of agreement in the security domain which one might argue is
fundamental to the application platform. We will discuss this area however in more detail in a
subsequent part of this series.
The physical characteristics of an IC card are defined in ISO 7816 part 1. This standard
applies to the ID - 1 identification card specified in ISO 7810 and includes cards which may
have embossing or magnetic stripes. Whilst we are all familiar with the use of imprinters to
obtain a printed version of the embossed characters on some paper voucher, their viability on
an IC card must be questionable. The IC module in a smart card is like any other electronic
component and is not normally expected to be hit with a hammer at regular intervals. Even
the embossing process itself is mechanically stressful and must raise serious doubts over the
appropriate migration strategy.
The physical properties of the contact IC card are referenced against earlier card standards
and we will look at each of them in turn.
ISO 7810 Identification cards - Physical characteristics (1985)
This standard specifies the physical characteristics of identification cards including card
material, construction, characteristics and nominal dimensions for three sizes of cards (ID -1,
ID -2 and ID -3). It is the ID -1 card that forms the basis of ISO 7816 -1.
The principal parameters of ISO 7810 are the dimensions of the ID -1 card which are defined
to be, 85.6mm x 53.98mm x 0.76mm

DEPT OF ECE,MIST

PAGE 24

SMART CARD TECHNOLOGY

ISO 7811 Identification cards - recording techniques (1985)


This standard is in five parts and covers the specification of the magnetic stripe and the card
embossing.
Part 1 Embossing
This part specifies the requirements for embossed characters on identification cards for the
transfer of data by imprinters or by visual or machine reading.
Part 2 Magnetic stripe
This part specifies characteristics for a magnetic stripe, the encoding technique and coded
character sets which are intended for machine reading.
Part 3 Location of embossed characters on ID -1 cards.
As the title implies this part of the standard specifies the location of embossed characters on
an ID -1 card for which two areas are assigned. Area 1 is for the number identifying both the
card issuer and the card holder. Area 2 is provided for the cardholder identification data such
as his name and address.
Part 4 Location of magnetic read only tracks - tracks 1 and 2
This standard specifies the location of the magnetic material, the location of the encoded data
tracks and the beginning and end of the encoding.
Part 5 Location of read - write magnetic track - track 3
This standard has the same scope as part 4 except that it defines the read - write track 3. ISO
7812 Identification cards- numbering system and registration procedure for issuer identifers
(1987)
This standard relates to the card identification number or PAN (Primary Account Number)
which consists of three parts, the issuer identifer number (IIN), the individual account
identifier and the check digit.
ISO 7813 Identification cards - Financial transaction cards (1987)
This standard defines the requirements for cards to be used in financial transactions. It
specifies the physical characteristics, layout, recording techniques, numbering system and
registration procedures. It is defined by reference to ISO 7810, ISO 7811 and ISO 7812.
In particular the standard defines more precisely the physical dimensions of the card as
follows,
Width 85.47mm - 85.72mm
Height 53.92mm - 54.03mm
Thickness 0.76mm + 0.08mm

DEPT OF ECE,MIST

PAGE 25

SMART CARD TECHNOLOGY

The thickness of the card is particularly important for smart card readers because of the
mechanical construction of the card connector mechanism.

Figure 4.1:Bending test


This device often consists of a movable carriage that positions the card under the connector
head whilst applying the necessary wiping and pressure action. Variation in thickness or even
slight warping of the card can cause communications failure.
ISO 7816 Design and use of identification cards having integrated circuits with contacts
(1987)
This standard in its many parts is probably the most important specification for the lower
layers of the IC card. The first 3 parts in particular are well established and allow total

DEPT OF ECE,MIST

PAGE 26

SMART CARD TECHNOLOGY

physical and electrical interoperability as well as defining the communication protocol


between the IC card and the CAD (Card Acceptor Device).

The physical dimensions of the IC card are defined as that specified in ISO 7813. It should be
noted that the thickness dimension does not include any allowance for embossing. More
particulary the slot for a card may include an extra indentation for the embossed area of the
card. In effect it acts as a polarisation key and may be used to aid the correct insertion
orientation of the card. This is an additional characteristic to the magnetic field sensor which
operates off the magnetic stripe and is used to open a mechanical gate on devices such as
ATM's where some vandal proofing techniques are required.
The part 1 standard also defines additional characteristics that should be met in the
manufacturer of an IC card. These characteristics fall into the following categories:
Ultra violet light
X - rays
Surface profile of contacts
Mechanical strength (of cards and contacts)
Electrical resistance (of contacts)
Electromagnetic interference (between magnetic stripe and integrated circuit)
Electromagnetic field
Static electricity
Heat dissipation
It has to be said that this part of the standard could be improved and there is currently some
work taking place in ISO on this very subject. The three most widely used tests applied by
fabricators are specified in the annex to the standard,
A1 Bending properties
A2 Torsion properties
A3 Static electricity

DEPT OF ECE,MIST

PAGE 27

SMART CARD TECHNOLOGY

Figure 4.2:Torsion test


Whilst this is certainly one way of comparing cards fabricated by different companies,
whether it bears any relationship to the use of IC cards in the field seems debatable.
The bending properties are tested by deflecting the card on each axis as shown in fig. 1. With
a periodicity of 30 bendings per minute the card is deflected to 2 cm at its centre from the
long axis and 1 cm from the short axis. The recommended test requires the card to withstand
250 bendings in each of the four possible orientations (i.e 1000 bendings in total).
The torsion properties of the card are tested by displacing the card + 15o about the long axis
at a periodicity of 30 torsions per minute (fig 2). The standard requires the card to withstand
1000 torsions without chip failure or visible cracking of the card.
The resistance of the card to static electricity is defined by a test set up as shown in fig 3.
The test voltage is defined to be 1.5KVolts. The specification requires this voltage to be
discharged across each of the contacts in both normal and reverse polarity. The IC should
still be operational at the end of the test.
One of the issues surrounding the use of the IC card relates to the temperature range for
operational use. ISO 7810 defines that the ID-1 card should be structurally reliable and usable
between -35 o C and +50 o C. The draft CEN standard on requirements for IC cards and
terminals for telecommunications use, part 2 application independent card requirements (EN
726-2) defines more stringent requirements for operational use as -25 o C to +65 o C with
DEPT OF ECE,MIST

PAGE 28

SMART CARD TECHNOLOGY

occasional peaks up to +70 o C. In addition the draft identifies multiapplication cards for
portable battery operated equipment to be used between -25 o C and +70 o C with occasional
peaks of up to +85 o C. The word occasional is defined to mean not more than 4 hours each
time and not over 100 times during the life of the card.

Figure 4.3:ESD test


ISO 7816 Part 2 - Contact Locations and Minimum Size
This part of the standard has taken a lot of effort in order to reach agreement. Early
applications of smart cards emanated in France where the Transac magnetic stripes were
more central on the card than that eventually defined by ISO 7811. Unfortunately the French
chip position overlaps the ISO magnetic stripe definition. As a result it was eventually agreed
that after a transitional period (to the end of 1990) the position for the IC connector would be
as shown in fig 4. This position is much closer to the longitudinal axis of the card. We might
like to conjecture on which is the better position for the chip in terms of mechanical stress but
perhaps we should just settle for agreement.

DEPT OF ECE,MIST

PAGE 29

SMART CARD TECHNOLOGY

Figure 4.4:Contact location


Further problems arose in deciding on which face of the card the connector should be located.
In order to avoid further delay in publishing the standard, two options were allowed to
include both the front and back of the card. This anomaly has been a source of irritation and
it is now widely agreed that the IC connector should be on the front of the card. For this
purpose the back is defined to be the side with the magnetic stripe. The embossing is defined
to be on the front of the card and therefore on the same side as the IC connector.

DEPT OF ECE,MIST

PAGE 30

SMART CARD TECHNOLOGY

CHAPTER 5
TYPES OF SMART CARDS
A smart card may have the following generic characteristics:

Dimensions similar to those of a credit card. ID-1 of the ISO/IEC 7810 standard
defines cards as nominally 85.60 by 53.98 millimetres (3.370 in 2.125 in). Another
popular size is ID-000 which is nominally 25 by 15 millimetres (0.984 in 0.591 in)
(commonly used in SIM cards). Both are 0.76 millimetres (0.030 in) thick.

Contains a tamper-resistant security system (for example a secure cryptoprocessor and


a secure file system) and provides security services (e.g., protects in-memory
information).

Managed by an administration system which securely interchanges information and


configuration settings with the card, controlling card blacklisting and application-data
updates.

Communicates with external services via card-reading devices, such as ticket


readers, ATMs, DIP reader, etcThe smart cards are divided into following types according
to their design as shown in the following figure

DEPT OF ECE,MIST

PAGE 31

SMART CARD TECHNOLOGY

Figure 5.1:Types of smart cards


Contact Cards
These are the most common type of smart card. Electrical contacts located on the
outside of the card connect to a card reader when the card is inserted. This connector is
bonded to the encapsulated chip in the card.

DEPT OF ECE,MIST

PAGE 32

SMART CARD TECHNOLOGY

Figure 5.2:Contact card


Increased levels of processing power, flexibility and memory will add cost. Single
function cards are usually the most cost-effective solution. Choose the right type of
smart card for your application by determining your required level of security and
evaluating cost versus functionality in relation to the cost of the other hardware
elements found in a typical workflow. All of these variables should be weighted against
the expected lifecycle of the card. On average the cards typically comprise only 10 to
15 percent of the total system cost with the infrastructure, issuance, software, readers,
training and advertising making up the other 85 percent. The following chart
demonstrates some general rules of thumb:

DEPT OF ECE,MIST

PAGE 33

SMART CARD TECHNOLOGY

Figure 5.3: Card Function Trade-Offs


Memory Cards
Memory cards cannot manage files and have no processing power for data
management. All memory cards communicate to readers through synchronous
protocols. In all memory cards you read and write to a fixed address on the card. There
are three primary types of memory cards: Straight, Protected, and Stored Value. Before
designing in these cards into a proposed system the issuer should check to see if the
readers and/or terminals support the communication protocols of the chip. Most
contactless cards are variants on the protected memory/segmented memory card idiom.
Straight Memory Cards
These cards just store data and have no data processing capabilities. Often made with
I2C or serial flash semiconductors, these cards were traditionally the lowest cost per bit
for user memory. This has now changed with the larger quantities of processors being
built for the GSM market. This has dramatically cut into the advantage of these types
of devices. They should be regarded as floppy disks of varying sizes without the lock

DEPT OF ECE,MIST

PAGE 34

SMART CARD TECHNOLOGY

mechanism. These cards cannot identify themselves to the reader, so your host system
has to know what type of card is being inserted into a reader. These cards are easily
duplicated and cannot be tracked by on-card identifiers.
Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the memory of the card.
Sometimes referred to as Intelligent Memory cards, these devices can be set to writeprotect some or the entire memory array. Some of these cards can be configured to
restrict access to both reading and writing. This is usually done through a password or
system key. Segmented memory cards can be divided into logical sections for planned
multi-functionality. These cards are not easily duplicated but can possibly be
impersonated by hackers. They typically can be tracked by an on-card identifier.
Stored Value Memory Cards
These cards are designed for the specific purpose of storing value or tokens. The cards
are either disposable or rechargeable. Most cards of this type incorporate permanent
security measures at the point of manufacture. These measures can include password
keys and logic that are hard-coded into the chip by the manufacturer. The memory
arrays on these devices are set-up as decrements or counters. There is little or no
memory left for any other function. For simple applications such as a telephone card,
the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is
cleared each time a telephone unit is used. Once all the memory units are used, the card
becomes useless and is thrown away. This process can be reversed in the case of
rechargeable cards.
CPU/MPU Microprocessor Multifunction Cards
These cards have on-card dynamic data processing capabilities. Multifunction smart
cards allocate card memory into independent sections or files assigned to a specific
function or application. Within the card is a microprocessor or microcontroller chip that
manages this memory allocation and file access. This type of chip is similar to those
found inside all personal computers and when implanted in a smart card, manages data
in organized file structures, via a card operating system (COS). Unlike other operating
systems, this software controls access to the on-card user memory. This capability
permits different and multiple functions and/or different applications to reside on the
card, allowing businesses to issue and maintain a diversity of products through the
card. One example of this is a debit card that also enables building access on a college
campus. Multifunction cards benefit issuers by enabling them to market their products
and services via state-of-the-art transaction and encryption technology. Specifically, the
technology enables secure identification of users and permits information updates
without replacement of the installed base of cards, simplifying program changes and
reducing costs. For the card user, multifunction means greater convenience and

DEPT OF ECE,MIST

PAGE 35

SMART CARD TECHNOLOGY

security, and ultimately, consolidation of multiple cards down to a select few that serve
many purposes.
There are many configurations of chips in this category, including chips that support
cryptographic Public Key Infrastructure (PKI) functions with on-board math coprocessors or JavaCard with virtual machine hardware blocks. As a rule of thumb - the
more functions, the higher the cost.

Contactless Cards
These are smart cards that employ a radio frequency (RFID) between card and reader
without physical insertion of the card. Instead, the card is passed along the exterior of
the reader and read. Types include proximity cards which are implemented as a readonly technology for building access. These cards function with a very limited memory
and communicate at 125 MHz. Another type of limited card is the Gen 2 UHF Card
that operates at 860 MHz to 960 MHz.

Figure 5.4:Contactless smart card


True read and write contactless cards were first used in transportation applications for
quick decrementing and reloading of fare values where their lower security was not an
issue. They communicate at 13.56 MHz and conform to the ISO 14443 standard. These
cards are often protected memory types. They are also gaining popularity in retail
stored value since they can speed up transactions without lowering transaction
processing revenues (i.e. Visa and MasterCard), unlike traditional smart cards.
Variations of the ISO14443 specification include A, B, and C, which specify chips from
either specific or various manufacturers. A=NXP-(Philips) B=Everybody else and
C=Sony only chips. Contactless card drawbacks include the limits of cryptographic
functions and user memory, versus microprocessor cards and the limited distance
between card and reader required for operation.

DEPT OF ECE,MIST

PAGE 36

SMART CARD TECHNOLOGY

Multi-mode Communication Cards


These cards have multiple methods of communications, including ISO7816, ISO14443
and UHF gen 2. How the card is made determines if it is a Hybrid or dual interface
card. The term can also include cards that have a magnetic-stripe and or bar-code as
well.
Hybrid Cards
Hybrid cards have multiple chips in the same card. These are typically attached to each
interface separately, such as a MIFARE chip and antenna with a contact 7816 chip in
the same card.
Dual Interface Card
These cards have one chip controlling the communication interfaces. The chip may be
attached to the embedded antenna through a hard connection, inductive method or with
a flexible bump mechanism.
Multi-component Cards
These types of cards are for a specific market solution. For example, there are cards
where the fingerprint sensor is built on the card. Or one company has built a card that
generates a one-time password and displays the data for use with an online banking
application. Vault cards have rewriteable magnetic stripes. Each of these technologies
is specific to a particular vendor and is typically patented.
Smart Card Form Factors
The expected shape for cards is often referred to as CR80. Banking and ID cards are
governed by the ISO 7810 specification. But this shape is not the only form factor that
cards are deployed in. Specialty shaped cutouts of cards with modules and/or antennas
are being used around the world. The most common shapes are SIM. SD and MicroSD
cards can now be deployed with the strength of smart card chips. USB flash drive
tokens are also available that leverage the same technology of a card in a different form
factor.
Integrated Circuits and Card Operating Systems
The two primary types of smart card operating systems are (1) fixed file structure and
(2) dynamic application system. As with all smartcard types, the selection of a card
operating system depends on the application that the card is intended for. The other
defining difference lies in the encryption capabilities of the operating system and the
chip. The types of encryption are Symmetric Key and Asymmetric Key (Public Key).

DEPT OF ECE,MIST

PAGE 37

SMART CARD TECHNOLOGY

The chip selection for these functions is vast and supported by many semiconductor
manufacturers. What separates a smart card chip from other microcontrollers is often
referred to as trusted silicon. The device itself is designed to securely store data
withstanding outside electrical tampering or hacking. These additional security features
include a long list of mechanisms such as no test points, special protection metal masks
and irregular layouts of the silicon gate structures. The trusted silicon semiconductor
vendor list below is current for 2010:

Atmel
EM Systems
Infineon
Microchip
NXP
Renesas Electronics
Samsung
Sharp
Sony
ST Microelectronics

Many of the features that users have come to expect, such as specific encryption
algorithms, have been incorporated into the hardware and software libraries of the chip
architectures. This can often result in a card manufacturer not future-proofing their
design by having their card operating systems only ported to a specific device. Care
should be taken in choosing the card vendor that can support your project over time as
card operating system-only vendors come in and out of the market. The tools and
middleware that support card operating systems are as important as the chip itself.

DEPT OF ECE,MIST

PAGE 38

SMART CARD TECHNOLOGY

CHAPTER 6
SMART CARD READERS
Smart card readers and terminals
Readers and terminals operate with smart cards to obtain card information and
perform a transaction.
Generally, a reader interfaces with a PC for the majority of its processing requirements.
A terminal is a self-contained processing device. Both readers and terminals read and
write to smart cards.

DEPT OF ECE,MIST

PAGE 39

SMART CARD TECHNOLOGY

Readers
Contact
This type of reader requires a physical connection to the cards, made by inserting the
card into the reader. This is the most common reader type for applications such as ID
and Stored Value. The card-to-reader communications is often ISO 7816 T=0 only. This
communication has the advantage of direct coupling to the reader and is considered
more secure. The other advantage is speed. The typical PTS Protocol Type Selection
(ISO7816-3) negotiated speed can be up to 115 kilo baud. This interface enables larger
data transport without the overhead of anti-collision and wireless breakdown issues that
are a result from the card moving in and out of the reader antenna range.

Figure 6.1:Contact smart card reader


Contactless
This type of reader works with a radio frequency that communicates when the card
comes close to the reader. Many contactless readers are designed specifically for
Payment, Physical Access Control and Transportation applications. The dominant
protocol under the ISO 14443 is MIFARE, followed by the EMV standards.

Figure 6.2:Contactless smartcard reader

DEPT OF ECE,MIST

PAGE 40

SMART CARD TECHNOLOGY

Interface
A contact reader is primarily defined by the method of it's interface to a PC. These
methods include RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots,
parallel ports, infrared IRDA ports and keyboards and keyboard wedge readers. Some
readers support more than one type of card such as the tri mode insert readers from
MagTek. These readers support magnetic stripe-contact and contactless read operations
all in one device.
Reader & Terminal to Card Communication
All cards and readers that follow ISO 7816-3 standards have a standardized set of
commands that enable communication for CPU cards.
These commands, called APDUs (Application Protocol Data Units) can be executed at
a very low level, or they can be scripted into APIs which enable the user to send
commands from an application to a reader.
The reader communicates with the card where the response to the request takes place.
From a technical perspective, the key is the APIs that are chosen. These layers of
software can enable effective application communication with smart cards and readers
from more than one manufacturer. Most terminal SDKs come with a customized API
for that platform. They are typically in some form of C, C++ or C # and will have the
header files included. Many smart card readers have specific drivers/APIs for memory
cards. For ISO7816 processor cards the PC/SC interface is often employed, but it has
limitations. This is especially important if you have both memory and microprocessor
cards that can are used in the same system. Some APIs give the software designer the
ability to select readers from multiple vendors.
The following are some of the function calls provided for transporting APDUs and
their functions:

Reader Select
Reader Connect
Reader Disconnect
Card Connect
Card Disconnect
Proprietary Commands for specific readers and cards
Allow ISO Commands to be passed to cards using standard ISO format
Allow ISO Commands to be sent to cards using a simplified or shortcut format
(As in the CardLogix Winplex API)

DEPT OF ECE,MIST

PAGE 41

SMART CARD TECHNOLOGY

Applications Development
The development of PC applications for readers has been simplified by the Personal
Computer/Smart Card (PC/SC) standard. This standard is supported by all major
operating systems. The problem with the PC/SC method is that it does not support all
of the reader functions offered by each manufacturer such as LED control and card
latching/locking. When just using the drivers for each reader manufacturer there is no
connection the functions of the card.
The better choice is Application Programming Interfaces (API's) that are part of readily
available in Software Design Kits (SDKs) that support specific manufacturer's card
families. Check these kits for a variety of reader manufacture supported. M.O.S. T. and
Smart Toolz from CardLogix is a good example of a well rounded Smart Card SDK.
Terminals
Unlike readers, terminals are more similar to a self contained PC, with most featuring
operating systems and development tools. Terminals are often specific to the use case
such as Security, health informatics or POS (Point of sale). Connectivity in the
terminals is typically via Transmission Control Protocol/Internet Protocol (TCP-IP) or
GSM network. Many terminals today feature regular OS's making deployment easier
such as Datastrip with windows CE or Exadigm with Linux.

CHAPTER 7
SECURITY
DEPT OF ECE,MIST

PAGE 42

SMART CARD TECHNOLOGY

Smart Card Security


Smart cards provide computing and business systems the enormous benefit of portable
and secure storage of data and value. At the same time, the integration of smart cards
into your system introduces its own security management issues, as people access card
data far and wide in a variety of applications. The following is a basic discussion of
system security and smart cards, designed to familiarize you with the terminology and
concepts you need in order to start your security planning.
What Is Security?
Security is basically the protection of something valuable to ensure that it is not stolen,
lost, or altered. The term data security governs an extremely wide range of
applications and touches everyones daily life. Data is created, updated, exchanged and
stored via networks. A network is any computing system where users are highly
interactive and interdependent and by definition, not all in the same physical place. In
any network, diversity abounds, certainly in terms of types of data, but also types of
users. For that reason, a system of security is essential to maintain computing and
network functions, keep sensitive data secret, or simply maintain worker safety. Any
one company might provide an example of these multiple security concerns: Take, for
instance, a pharmaceutical manufacturer:
Type of Data

Security Concern

Type of Access

Drug Formula

Formula
basis
business
income.Competitor
spying

Accounting, Regulatory

Required by law

Relevant
executives
and departments

Personnel Files

Employee piracy

Relevant
executives
and departments

Employee ID

Non-employee access.
Inaccurate
payroll,
benefits assignment

Relevant
executives
and departments

Building
safety,
emergency response

All employees

Outside
response

of

Highly selective list of


executives

emergency

Table 7.1:Smart card security in pharmaceutical manufacturer

DEPT OF ECE,MIST

PAGE 43

SMART CARD TECHNOLOGY

Type of Data Security Concern Type of Access Drug Formula Basis of business
income. Competitor spying Highly selective list of executives Accounting, Regulatory
Required by law Relevant executives and departments Personnel Files Employee
piracy Relevant executives and departments Employee ID Non-employee access.
Inaccurate payroll, benefits assignment Relevant executives and departments Facilities
Access Authorization Individuals per function and clearance such as customers,
visitors, or vendors Building safety, emergency response All employees Outside
emergency response
What Is Information Security?
Information security is the application of measures to ensure the safety and privacy of
data by managing its storage and distribution. Information security has both technical
and social implications. The first simply deals with the how and how much question
of applying secure measures at a reasonable cost. The second grapples with issues of
individual freedom, public concerns, legal standards and how the need for privacy
intersects them. This discussion covers a range of options open to business managers,
system planners and programmers that will contribute to your ultimate security
strategy. The eventual choice rests with the system designer and issuer.
The Elements Of Data Security
In implementing a security system, all data networks deal with the following main
elements:
1) Hardware, including servers, redundant mass storage devices, communication
channels and lines, hardware tokens (smart cards) and remotely located devices (e.g.,
thin clients or Internet appliances) serving as interfaces between users and computers
2) Software, including operating systems, database
communication and security application programs

management

systems,

3) Data, including databases containing customer - related information.


The Mechanisms Of Data Security
Working with the above elements, an effective data security system works with the
following key mechanisms to answer:
1) Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was
not lost or corrupted when it was sent to you
2) Is The Data Correct And Does It Come From The Right Person? (Authentication)
This proves user or system identities

DEPT OF ECE,MIST

PAGE 44

SMART CARD TECHNOLOGY

3) Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender?
(Non-Repudiation)
4) Can I Keep This Data Private? (Confidentiality) - Ensures only senders and receivers
access the data. This is typically done by employing one or more encryption techniques
to secure your data
5) Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can
set and manage access privileges for additional users and groups
6) Can I Verify The That The System Is Working? (Auditing and Logging) Provides a
constant monitor and troubleshooting of security system function
7) Can I Actively Manage The System? (Management) Allows administration of your
security system
Data Integrity
This is the function that verifies the characteristics of a document and a transaction.
Characteristics of both are inspected and confirmed for content and correct
authorization. Data Integrity is achieved with electronic cryptography that assigns a
unique identity to data like a fingerprint. Any attempt to change this identity signals the
change and flags any tampering.
Authentication
This inspects, then confirms, the proper identity of people involved in a transaction of
data or value. In authentication systems, authentication is measured by assessing the
mechanisms strength and how many factors are used to confirm the identity. In a PKI
system a Digital Signature verifies data at its origination by producing an identity that
can be mutually verified by all parties involved in the transaction. A cryptographic hash
algorithm produces a Digital Signature.
Non-Repudiation
This eliminates the possibility of a transaction being repudiated, or invalidated by
incorporating a Digital Signature that a third party can verify as correct. Similar in
concept to registered mail, the recipient of data re-hashes it, verifies the Digital
Signature, and compares the two to see that they match.
Authorization and Delegation
Authorization is the processes of allowing access to specific data within a system.
Delegation is the utilization of a third party to manage and certify each of the users of
your system. (Certificate Authorities).

DEPT OF ECE,MIST

PAGE 45

SMART CARD TECHNOLOGY

CHAPTER 8
ADVANTAGES OF SMART CARD
Smart cards work just as well as credit cards, yet may be safer and more secure. Learn more
about how these cards work and why it is taking so long for them to become more common.
The Advantages Of Using Smart Cards

The first main advantage of smart cards is their flexibility. Smart cards have multiple
functions which simultaneously can be an ID, a credit card, a stored-value cash card, and a
repository of personal information such as telephone numbers or medical history.
The card can be easily replaced if lost, and, the requirement for a PIN (or other form of
security) provides additional security from unauthorised access to information by others. At
the first attempt to use it illegally, the card would be deactivated by the card reader itself.
The second main advantage is security. Smart cards can be electronic key rings, giving the
bearer ability to access information and physical places without need for online connections.
They are encryption devices, so that the user can encrypt and decrypt information without
relying on unknown, and therefore potentially untrustworthy, appliances such as ATMs.
Smart cards are very flexible in providing authentication at different level of the bearer and
the counterpart. Finally, with the information about the user that smart cards can provide to
the other parties, they are useful devices for customizing products and services.
Other general benefits of smart cards are:

Portability

Increasing data storage capacity

Reliability that is virtually unaffected by electrical and magnetic fields.

More Secure

DEPT OF ECE,MIST

PAGE 46

SMART CARD TECHNOLOGY

This simple technology has revolutionized the payment card industry and increased the level
of card security. These cards use encryption and authentication technology which is more
secure than previous methods associated with payment cards.
The microprocessor chip embedded at the heart of the smart card requires contact to the card
reader and certain areas of the chip can be programmed for specific industries.

Safe to Transport
Another advantage to having a smart card is their use in the banking industry (and many other
sectors). These cards give the holder freedom to carry large sums of money around without
feeling anxious about having the money stolen.
In this regard, they are also safe because the cards can be easily replaced, and the person
would have to know the pin number to access its stored value. This takes care of the problem
with cash; once it is stolen it is nearly impossible to trace and recover it.
Double as an ID Card

A third advantage of using a smart card is that they can provide complete identification in
certain industries. There are numerous benefits of using smart cards for identification.
A driver's license that has been created using smart card technology can give the police the
ability to quickly identify someone whose been stopped for speeding or reckless driving.
These cards can be used by health professionals to identify someone who is brought in by an
ambulance but unconscious or unable to speak.
Prevents Fraud

Other benefits of using smart cards for identification can be used by governments to prevent
benefits and social welfare fraud to ensure the right person is receiving the welfare benefit.
Some countries are using the smart cards to identify temporary workers who have been given
work permits. This has the potential to reduce immigration fraud.
Smart cards are just as easy to use as a credit or debit card, but considerable more secure.
They are lightweight and easy to carry. This makes it easy to have one card to pay for
parking, access to the office, and for buying lunch at the office cafeteria.

DEPT OF ECE,MIST

PAGE 47

SMART CARD TECHNOLOGY

CHAPTER 9
DISADVANTAGES OF SMART CARD
The plastic card in which the chip is embedded is fairly flexible. The larger the chip, the
higher the probability that normal use could damage it. Cards are often carried in wallets or
pockets, a harsh environment for a chip. However, for large banking systems, failuremanagement costs can be more than offset by fraud reduction.
If the account holder's computer hosts malware, the smart card security model may be
broken. Malware can override the communication (both input via keyboard and output via
application screen) between the user and the application. Man-in-the-browser malware (e.g.,
the Trojan Silentbanker) could modify a transaction, unnoticed by the user.
Banks like Fortis and Belfius in Belgium and Rabobank ("random reader") in the Netherlands
combine a smart card with an unconnected card reader to avoid this problem. The customer
enters a challenge received from the bank's website, a PIN and the transaction amount into
the reader.

DEPT OF ECE,MIST

PAGE 48

SMART CARD TECHNOLOGY

The reader returns an 8-digit signature. This signature is manually entered into the personal
computer and verified by the bank, preventing point-of-sale-malware from changing the
transaction amount.
Smart cards have also been the targets of security attacks. These attacks range from physical
invasion of the card's electronics, to non-invasive attacks that exploit weaknesses in the card's
software or hardware. The usual goal is to expose private encryption keys and then read and
manipulate secure data such as funds.
Once an attacker develops a non-invasive attack for a particular smart card model, he is
typically able to perform the attack on other cards of that model in seconds, often using
equipment that can be disguised as a normal smart card reader. While manufacturers may
develop new card models with additional security, it may be costly or inconvenient for users
to upgrade vulnerable systems. Tamper-evident and audit features in a smart card system help
manage the risks of compromised cards.
Another problem is the lack of standards for functionality and security. To address this
problem, the Berlin Group launched the ERIDANE Project to propose "a new functional and
security framework for smart-card based Point of Interaction (POI) equipment".
Easily Lost
Like a credit card, smart cards are small, lightweight and can be easily lost if the person is
irresponsible. Unlike credit cards, smart cards can have multiple uses and so the loss may be
much more inconvenient. If you lose a card that doubles as a debit card, bus pass and key to
the office, you could be severely inconvenienced for a number of days.

Security
A second disadvantage of the using smart cards is their level of security. They are more
secure than swipe cards. However, they are not as secure as some in the general public would
believe. This creates a false sense of security and someone might not be as diligent as
protecting their card and the details it holds.

Slow Adoption
If used as a payment card, not every store or restaurant will have the hardware necessary to
use these cards. One of the reasons for this is since the technology is more secure, it is also
DEPT OF ECE,MIST

PAGE 49

SMART CARD TECHNOLOGY

more expensive to produce and use. Therefore, some stores may charge a basic minimum fee
for using smart cards for payment, rather than cash.

Possible Risk of Identify Theft


When used correctly for identification purposes, they make the jobs of law enforcement and
healthcare professionals easier. However, for criminals seeking a new identity, they are like
gold, based on the amount of information it can contain on an individual.

CHAPTER 10
APPLICATIONS
Mobile Payments

DEPT OF ECE,MIST

PAGE 50

SMART CARD TECHNOLOGY

Mobile phones are currently used for a limited number of electronic transactions. However,
the percentage seems likely to increase as mobile phone manufacturers enable the chip and
software in the phone for easier electronic commerce.
Consumers can use their mobile phone to pay for transactions in several ways. Consumers
may send an SMS message, transmit a PIN number, use WAP to make online payments, or
perform other segments of their transaction with the phone. As phones develop further,
consumers are likely to be able to use infrared, Bluetooth and other means more frequently to
transmit full account data in order to make payments securely and easily from their phone.
Additionally, merchants can obtain an authorization for a credit or debit card transaction by
attaching a device to their mobile phone. A consortium in the US also recently announced
PowerSwipe, for example, which physically connects to a Nextel phone, weighs 3.1 ounces,
and incorporates a magnetic stripe reader, infrared printing port, and pass-through connector
for charging the handset battery.
Biometric Payments
Electronic payments using biometrics are still largely in their infancy. Trials are underway in
the United States, Australia and a limited number of other countries. Most biometric
payments involve using fingerprints as the identification and access tool, though companies
like Visa International are piloting voice recognition technology and retina scans are also
under consideration. Essentially, a biometric identifier such as a fingerprint or voice could
replace the plastic card and more securely identifies the person undertaking the transaction.
The electronic payment is still charged to a credit card or other account, with the biometric
identifier replacing the card, check or other transaction mechanism.
Smart networking

DEPT OF ECE,MIST

PAGE 51

SMART CARD TECHNOLOGY

Smart card technologies provide strong security through encryption as well as access control,
based on identification

technologies such as biometrics.

Figure 10.1: Smart networking

National ID / Authentication
In the wake of 9/11 attack a need has been felt in many countries for tamperproof ID cards
and a secure authenticating device. Many countries all over the world are trying out, and
implementing, the smart card option as a national identity card.

University Identification
The traditional student ID card can be replaced by an all-purpose chip-based student ID card,
containing a variety of applications such as electronic purse for vending and laundry
machines), and for use as a library card, and meal card.

Financial Applications

DEPT OF ECE,MIST

PAGE 52

SMART CARD TECHNOLOGY

Smart cards are being used as an electronic purse, or epurse, to replace coins for small
purchases in vending machines and over-the counter transactions. This area is growing
rapidly in Europe and the U.S.
Retail and Loyalty
Smart cards are used to record the transactions of the customer, which are helpful in
implementation of loyalty programs. Consumer reward/redemption is tracked on a smart
loyalty card that is marketed to specific consumer profiles and linked to one or more specific
retailers serving that profile set.
Communication Applications
The chip-based cards help secure the initiation of calls and the identification of callers (for
billing purposes) on any Global System for Mobile Communications (GSM) phone
Transportation
Mass transit fare collection systems are using smart tickets, which are easy to load and
redeem for a fare.

DEPT OF ECE,MIST

PAGE 53

SMART CARD TECHNOLOGY

CHAPTER 11
CONCLUSION AND FUTUERE SCOPE
CONCLUSION
Smart cards can add convenience and safety to any transaction of value and data; but the
choices facing today's managers can be daunting. We hope this site has adequately presented
the options and given you enough information to make informed evaluations of performance,
cost and security that will produce a smart card system that fits today's needs and those of
tomorrow. It is our sincere belief that informed users make better choices, which leads to
better business for everybody.

FUTURE SCOPE
Compared to the conventional magnetic stripe cards, smart cards offer increase security,
convenience, and economic advantages. Reducing fraud, reducing time to complete
redundant paperwork, and having the potential to have one card to access diverse networks
and applications are just some of such examples. The discussion for the future of the smart
card across the global industries can be divided into public and private sectors and are
discussed below.
Public services

Health cards with multiple functions are issued to patients in France. The card can be
used to store information such as administrative, medical, biological, and
pharmaceutical records. The card simplifies the administrative process and enables
doctors to have access to a more complete and comprehensive healthcare information.
Multifunction ID cards are issued to students at university campuses and schools. The
card has the function of identifying the student and also acts as an electronic purse
and can be used purchase products from stores or tickets to public transportation.
Information such as those on a drivers license can be stored on the smart card, along
with an up-to-date driving records including fines and offenses. The new system can
help the government keep track of individuals records and have a higher successful
rate in collecting fines.

Private services

The limitations of the magnetic stripe and the problems with fraud and bad debt can
make smart cards a better choice. It not only can store 80 times more information than
the traditional card, it can also help banks to have better control over credit risks by
enabling banks to customize credit lines based on individual cardholders risk profiles
and alter the parameters dynamically as needed. Also, the financial institutes can also
offer more personalized products and services to fit cardholders lifestyles.

DEPT OF ECE,MIST

PAGE 54

SMART CARD TECHNOLOGY

The card can contain all necessary personal data for easier Web connection and
personalize networking. The card, with all personal information such as users ID, emails, settings for electronic appliances, and phone numbers stored on the card itself
instead of a remote device, will be able to allow network connection anywhere
globally as long as there is a phone or an information kiosk. As appliances become
generic tools, users will have the convenience of carrying the card alone to have a
personalized networking experience.
According to the Gartner Group, it is expected that Internet purchasing will grow to
$20 billion by 2000 worldwide, with security and portability in payment transaction
over the network continue to play an integral roles to the success of this marketplace.
SET protocol will provide a mean to transport customer data and payments
information securely over the Internet without having to be locked into using one PC.
Electronic cash stored on cards will enable consumers to make micropayments
(penny-payments) over the internet.

DEPT OF ECE,MIST

PAGE 55

SMART CARD TECHNOLOGY

CHAPTER 12
REFERENCES
[1] en.wikipedia.org/wiki/Smart_card
[2] http://www.smartcardbasics.com
[3] http://www.smartcardbasics.com/pdf/7100030_BKL_Smart-Card-Security-Basics.pdf
[4] http://www.smartcard.co.uk/tutorials/sct-itsc.pdf

DEPT OF ECE,MIST

PAGE 56

You might also like