Smart Cards: The Ultimate Guide to Choosing



Table of contents
1. What is a smart card? Operating systems of smart cards
2. Types of smart cards
3. Contact smart cards
3.1. Contact memory cards
3.2. Contact microprocessor (CPU / MPU) cards
3.3. Contact two interface cards
4. Contactless smart cards
4.1. Contactless smart memory cards
4.2. Contactless microprocessor (CPU / MPU) cards
4.3. Contactless Dual Interface Cards
5. Multipart Cards
6. What Makes a Smart Card Safe
7. Safe Integrated Circuits and Smart Cards
7.1. Protected memory chips
7.2. Protected microcontrollers
7.3. Goals of secure microcircuits
7.4. How is the safety of microcircuits achieved
7.5. Data security
8. Readers for smart cards
8.1. Organization of data transfer by contact method
8.2. Organization of data transfer in a contactless way
8.3. Types of smart card readers
9. Standards used in smart cards

Smart cards​

Some things have entered our lives so firmly and become so ordinary that we use them without thinking about how and why they work. We press a button, switch something on or off, take it out and tap it, and the brain does not even register the action; this is called household automatism. Well, okay, I just made up "household automatism". This guide is about smart cards, which every person uses every day, although hardly anyone knows how a card works or what is inside it.

There is no Russian standard that would define the term “smart cards”. However, there are several industry-established approaches to defining this term.
  • First, a smart card is any card that has a chip. Chip cards can be very different, with unprotected memory, with protected memory, or a microprocessor card.
  • Second, a smart card is only a microprocessor card (a more complex family of chip cards), which, as you might guess from the name, has a central processing unit (CPU) and additional functional blocks: coprocessor, ROM, EEPROM, RAM, I/O port and others.

The first approach seems to me more voluminous and systemic, so everything that is written below will be written based on it.

What is a smart card?​

A smart card (from the English word smart, meaning clever or intelligent) is a plastic card with a built-in chip. A chip typically consists of an integrated circuit (IC) with memory and an operating system that allows the card to be controlled and its data to be stored, transmitted, and processed.

The card is connected to the reader by means of:
  • Direct physical contact (contact readers)
  • Contactless radio frequency interface (RFID readers)

With an embedded microcontroller, some types of smart cards have the ability to store large amounts of data, as well as encrypt, authenticate, and intelligently interact with a smart card reader.

Smart cards are used today in healthcare, banking, entertainment, access control systems, transport, and cellular operators. The main advantages of smart card technology are low cost, high reliability and security.

Smart Card Operating Systems​

There are two main types of smart card operating systems:
  • Fixed file structure. This type treats the card as a secure storage device. The file structure and logic of the card are predefined by the issuer. These parameters and card functions cannot be changed for this type of card structure. An example of this type of card would be cards that are used in access control systems.
  • Dynamic application system. An operating system of this type, which includes the JavaCard (JCOP) and MULTOS card flavors, allows developers to securely build, test, and deploy a variety of applications to the cards. Since the operating system of the card and the application are separate, the data on the card can be updated and overwritten. The most famous example of such a smart card is a SIM card: the data on the card is loaded into the phone and can be dynamically changed.

Types of smart cards​

Smart cards are made of plastic with one or more chips inside. It is the chip that makes an ordinary plastic card "smart".

Most often, smart cards look like this:
  • CR-80 form factor cards (ID-1 format).
  • SIM card, micro SIM and nano SIM

However, alongside smart cards, other media formats are appearing that have a chip inside and can offer the same functionality as smart cards.

What follows will seem like an oxymoron to you, but smart cards can be made not only in card format.

A smart card may look like:
  • Bracelet where the chip is sealed in a rubber case
  • Keychain
  • Tags (can be in the form of a sticker or in the form of a bar of plastic)
  • Key "Touch Memory"
  • Smart keys with USB interface (Rutoken, eToken.)

In any case, regardless of the type, there is always a chip inside, this is what makes them "smart".

Chip Cards - types of smart cards:
  • Contact Cards - contact cards based on the ISO 7816 standard.
  • Contactless Cards - contactless cards.
  • Multi Component Cards - multicomponent cards.
  • Memory Cards - memory cards.
  • CPU / MPU Cards - microprocessor cards.
  • Vault Cards - cards that protect against skimming equipment.
  • Fingerprint Cards - cards with a fingerprint sensor.
  • One Time Password Display Cards - cards with a display for entering a password.
  • Bio Assaying Fluids Sensor Cards - cards with a biological material analyzer.

Contact smart cards​

This is the most common type of smart card. Electrical contacts located on the outside of the card connect to the card reader when the card is inserted. This connector is connected to an encapsulated chip in the card. Pins used:
  • VCC - power
  • GND - ground
  • CLK - clock, clock transfer (sync)
  • RST - reset
  • I/O - bus or data input / output (UART)

  • Contact smart cards
  • Contact smart identifiers

Figure: standard contact view of a smart card chip.

Contact memory cards​

Memory cards cannot manage files and do not have the processing power to manage data. All memory cards communicate with readers using synchronous protocols. On memory cards, reading and writing data occurs at a fixed address. There are three types of memory cards:
  • direct
  • protected
  • stored-value memory cards

Direct memory contact cards
These cards simply store data and do not have the ability to process it. They should be considered as floppy disks of different sizes without a locking mechanism. These cards cannot identify themselves to the reader, so the host must know what type of card is being inserted into the reader. These cards are easily duplicated and cannot be tracked by card ID. They can have from 1K to 1 Mbit EEPROM memory, connected via the SPI (Serial Peripheral Interface) interface - a serial synchronous standard for data transmission in full duplex mode.
  • Contact card with direct memory type

What are such simple unprotected cards for? These cards are often used as bonus cards or store loyalty cards.

Protected / Segmented Memory Contact Cards
These cards have built-in logic to control access to the card memory. Sometimes referred to as smart memory cards, these devices can be configured to write-protect part or all of the memory array. Some of these cards can be configured to restrict both read and write access. This is usually done with a password or system key. Segmented memory cards can be divided into logical partitions for planned versatility. These cards are tracked by an identifier on the card. In cards of this type, onboard there is from 3 Kbit to 64 Kbit of EEPROM memory.

Protected memory cards are used for secure storage and transfer of information. Common devices of this type are the so-called iButton (Touch Memory) and, with a USB interface, the eToken. These narrow-purpose devices are used for secure storage and use of key information and electronic signatures, for identification and authentication of users in a system, and as a contact key (intercom). The same functions are available in the form of a standard CR-80 card, for example a JaCarta card; however, using such cards requires equipping the system with special readers.
  • Ibutton keys
  • USB etoken
  • Jacarta smart cards

Contact memory cards with a stored value
These cards are designed to store a certain monetary value. Cards can be disposable or rechargeable. Cards of this type have security measures such as a system key or password and logic that are hard-coded into the chip by the manufacturer. Memory arrays on these devices are configured as decrementers (a decrement is an operation that decreases a number by 1) or counters. Examples are payphone cards and one-time travel tickets.

Contact microprocessor (CPU / MPU) cards​

A standard microprocessor for a smart card consists of:
  • CPU - central processing unit, it is an 8-, 16- or 32-bit RISC processor;
  • RAM from 256 bytes to 4 - 16 Kbytes;
  • storage device ROM with a volume of 16 to 256 KB;
  • non-volatile (Non-Volatile Memory) rewritable memory EEPROM with a volume of 2 - 72 KB and user memory (User Memory);
  • MMU (Memory Management Unit) - memory management module that provides CPU access to RAM, non-volatile and permanent memory;
  • Data Bus - the main bus;
  • UART (Universal Asynchronous Receiver Transmitter) - universal asynchronous serial I/O transceiver;
  • a clock frequency generator (Internal Timing Circuitry), cryptoprocessors (crypto), a random number generator (RNG), internal sensors and filters;
  • if the card is contactless, a radio transceiver is added for the contactless interface.

Figure: smart card microprocessor.

Smart cards use Non-Volatile Memory (NVM) to retain data even after the power source is removed.
The cheapest type of non-volatile memory is ROM (Read Only Memory). In it, the cell array is a set of conductors organized in a matrix structure. Data is written to ROM by "burning" the ROM mask, i.e. some of the conductors are destroyed and some remain intact. The data loaded in ROM cannot be overwritten; the write operation is possible only once. Therefore, the operating system and some static applications (programs for maintaining the file system, providing communication, cryptographic operations) are recorded in ROM.

RAM (or random access memory) is also non-volatile and the most expensive memory in a smart card. It is used by the processor to store fragments of executable code and intermediate data during operations, since it is the fastest type of memory. The access time to RAM is several tens of nanoseconds.

Smart cards also use EPROM, EEPROM, FLASH and FRAM memory for data storage. About them in the section "Safe Integrated Circuits and Smart Cards".

Figure: comparative sizes of on-chip implementations of different types of 1-bit memory.

Microprocessor cards have built-in dynamic data processing capabilities. Inside the card is a microprocessor or microcontroller that controls memory allocation and file access. This type of microcircuit is similar to the one found in personal computers. When embedded in a smart card, such a microprocessor, through the Card Operating System (COS), manages the data and file structure and controls access to user memory on the card. This functionality allows the card to work with several different applications at the same time, i.e. the companies that issued the card can support several "products" on it at once, for example a bonus system of the issuing bank linked to the user's payment card. In the end, it would be nice to get by with just one card for payments, bonuses,
Microprocessor cards use encryption algorithms to protect data, for example an 8-bit symmetric encryption algorithm or, more reliably, 8-, 16- and 32-bit asymmetric dynamic algorithms; in the second case, coprocessors are used in addition to the main processor of the smart card (more about encryption algorithms in the section "Data security").

The most famous microprocessor cards are, of course, bank cards, SIM cards, electronic identity cards or ID cards.

Contact dual interface cards​

Contact cards are dual-interface, i.e. in addition to the contact chip, the card is equipped with an additional chip, for example, for access control and management systems. Thus, a two-interface card can be used in several enterprise systems: as an access card, as a user ID in the system, as an ID card, as a payment card.
  • Line of two-interface cards
  • Smart card with a contact chip and an Em-Marine chip

Contactless Smart Cards​

These are smart cards that use radio frequency identification (RFID) to transfer data between the card and the reader without physically contacting the card chip and the reader.

At the heart of any contactless card is the same element as that of the simplest detector receiver - an oscillatory circuit, the basic components of which are a capacitor and an inductor.
The reader emits an alternating electromagnetic field of standard frequency, which excites an alternating electric current in the inductor and in the oscillatory circuit of the card. This current is converted into direct current and charges a sufficiently large capacitor that powers the chip. The exchange of information between the card and the reader is carried out through the same coil by modulating the oscillations of the device's electromagnetic field.

In the simplest case, the card cyclically continuously transmits only its unique number. In more complex systems, there is a two-way exchange of information on the basis of the request-response principle. Often, cards have a small flash memory and can store a certain amount of information, for example, change the state of the counter or store an arbitrary number.

Contactless Smart Memory Cards​

Smart Cards Operating at 125 kHz
Low frequency contactless cards operating at 125 - 134 kHz are among the most insecure and can be easily tampered with by intruders. Like contact memory cards, contactless cards do not have the capacity to process information, they are mainly used in access control systems to record an access profile. They are made in the form factors of a standard CR-80 card, or in the form of key chains or bracelets. Among the manufacturers issuing such cards are Em-Marine and HID.
  • Smart cards, frequency 125 - 134 kHz
  • Smart bracelets, frequency 125 - 134 kHz
  • Smart key fobs, frequency 125 - 134 kHz

Cards operating at a frequency of 13.56 MHz
Cards that communicate at a frequency of 13.56 MHz and comply with the ISO 14443 standard (an authentic translation of the ISO 14443 standard into Russian GOST R ISO / IEC 14443). Variations of the ISO 14443 specification include types A, B, and C, which identify microcircuits from specific manufacturers.

ISO 14443 Type A uses NXP or Philips chips, ISO 14443 Type B uses all others, and ISO 14443 Type C uses Sony chips only. These cards are more secure than low-frequency smart cards, therefore, in addition to being used in access control and management systems, they can be used as contactless payment cards in transport, ski passes, as electronic IDs, as identification cards, etc. Among the manufacturers, the company NXP can be distinguished.
  • Contactless smart cards frequency 13.56 MHz
  • Contactless keychains
  • Mifare non-contact silicone bracelets

High Frequency Smart Cards
These are the so-called Ultra High Frequency Gen2 cards, or high-frequency cards, that operate at 433.075-434.790 MHz and 2400-2483.5 MHz. The EPC Gen2 standard (in full, Electronic Product Code Class 1 Generation 2) was developed by the international organization GS1 EPC Global and complies with the ISO/IEC 18000-63 (C) standard.

High-frequency tags are used to track consignments, as car passes, and in trade as tags on goods to protect against theft. Such a tag can transmit a signal within a radius of up to 10 m, which means that the reader can be installed at a sufficient distance, eliminating the need to manually scan the product or cargo. They are convenient at parking facilities or garage complexes, since the driver does not need to get out of the car to present an access card at the entrance. High-frequency tags can be active or passive.

Active tags use an internal power supply and operate at 433 MHz - 2.4 GHz. They can transmit their ID permanently or be activated by a button.

There are tags, with a pocket for a proximity card, which can transmit 2 ids to the reader at the same time.
  • Active tags that transmit 2 id

There are tags that work in several bands at the same time, one tag can be used to pass the car and the driver.
  • Dual-band active tags

Passive tags operate at a frequency of 860 - 960 MHz and come in the form of stickers or plastic cards, or in a hard case. They do not have a power source and are activated when they enter the range of the reader.
  • Passive sticker labels
  • Passive high-frequency card tags
  • Passive tags in a hard case

Contactless microprocessor (CPU / MPU) cards​

The principle of operation of a contactless microprocessor card is similar to that of a contact microprocessor card, but with radio frequency data transmission. Due to the microprocessor architecture, the card has a high degree of security.

Since microprocessor cards are the most secure, their scope is anything that requires a high degree of protection, payments, personal identification, electronic passports, and so on.

HID has a line of iClass Seos smart cards, which are more technologically advanced than a spaceship. HID Global's iCLASS Seos High Frequency Contactless Smart Card is a solution designed to enhance security, privacy and interoperability. With secure, standards-based authentication and identity management technology, this open-design card can be used to control physical and logical access, cashless payments, turnstile access, and more. It can also be issued in various form factors and installed, for example, in NFC (Near Field Communication) smartphones and other mobile devices.
  • HID iClass Seos with 8Kb or 16Kb memory

Contactless Dual Interface Cards​

These cards have multiple communication methods including ISO7816, ISO14443 and EPC gen 2, and multiple chips in one card.

These can be cards that combine several standards, for example, Mifare and Em-Marine, or HID iClass and HID Proximity... Such cards, in addition to the pass of the access control and management system, can carry the functions of a secure identifier for accessing the network or a cashless payment card. The price for such cards differs depending on the memory size of the chips. These can be combined key fobs, for example, Airtag, which have case protection and can be used in aggressive environments, on the street, in transport, etc. These can be passive UHF Nedap tags, which can be used as a pass for a car and a person at the same time.
  • Dual-format smart cards
  • Two-format keychains
  • Two-format passive tags

Multicomponent cards​

These types of cards are designed for a specific market solution. For example, there are cards that have a built-in fingerprint sensor. Or one company has created a card that generates a one-time password and displays data for use in an online banking application on an embedded display. Each of these technologies is specific and usually patented.

What makes a smart card secure​

The issue of smart card security begins at the level of the chip used. The choice of ICs for smart cards is huge and is supported by many semiconductor manufacturers. What sets the smart card chip apart from other microcontrollers is often referred to as Trusted Silicon. The microprocessor device itself is designed for secure data storage. These additional safety features include a long list of mechanisms such as missing checkpoints, special protective metal masks, and irregular silicon gate structures.

Safe Integrated Circuits and Smart Cards​

Integrated circuits (ICs) have many names: microcircuit, microchip, silicon chip, or simply a chip. An IC is a miniature electronic circuit that is fabricated on the surface of a thin semiconductor substrate material.

In a smart card, an IC provides the logic for executing applications specific to that card. The chips used in smart cards are “secure” chips, which means they have functionality that is used to protect data and enable secure transactions by applications on the smart card. These applications vary in complexity, memory requirements, and security required to protect the information stored and processed in the IC.
Protected / segmented memory cards use secure memory chips, which is why the security level of such cards is higher, including through the use of encryption algorithms. Protected microcontrollers are used in microprocessor smart cards.

Depending on the requirements, the chips used in smart cards are either:
  • protected memory chips
  • protected microcontrollers

Protected memory chips​

Memory chips are used when the application requires only data storage and minimal data protection requirements on the smart card. The data can be any information required by a specific smart card application, such as card issuer, card serial number, or other user information.

The smart card uses memory of the following types as user memory: erasable programmable read-only memory (EPROM) or electrically erasable programmable read-only memory (EEPROM). An EPROM unit is 4 times more expensive than a ROM unit and 4 times cheaper than a RAM unit.

EPROM data can only be written once. This type of memory is used in prepaid cards, such as telephone or disposable transit cards, which count down minutes or trips used and are then discarded. Electrically erasable memory (EEPROM) supports up to 500,000 rewrite cycles and has built-in logic to update the rewrite counter. Another operating limitation is speed: it usually takes 2 to 10 ms to erase and rewrite data in EEPROM memory.

User memory stores: authentication logic, error counter, data required for application operation, encryption keys. Application developers have options for several different memory map structures. Of the two types of secure microcircuits, memory and microcontroller, used in smart cards, the secure memory integrated circuit is the least secure. The simplest protected memory chips have logic that prevents data from being written or erased. More complex constructs also restrict read access from memory. The security of the memory card is ensured by symmetric cryptographic algorithms with a key length of up to 128 bits, which are used to encrypt data transmitted from the card.

Protected microcontrollers​

A protected microcontroller is a more complex IC for smart cards. What microcontrollers consist of can be seen in Fig. 3. The integrated circuits of the protected microcontroller are programmed for dynamic execution of applications, and also have a cryptographic mechanism for the secure processing of asymmetric and/or symmetric encryption algorithms.

During the manufacturing process of a microcircuit, the operating system (OS) in which the applications are executed is written into the microcontroller's memory. In addition to ROM and RAM, the microcircuit of the protected microcontroller uses flash memory and ferroelectric random access memory (FRAM). Flash memory is a special type of EEPROM that is erased and programmed in large blocks. In addition, flash memory is faster than EEPROM and has no limit on data rewrite cycles. FRAM is a non-volatile memory technology that is similar in functionality to flash memory.

One of the main functions of a protected microcontroller is dynamic active protection. If the user or the system cannot successfully authenticate to the microcontroller, then the data stored on the card will not be available. The integrity of the stored data is protected by a set of countermeasures that are triggered when the microcontroller detects an attempted attack.

For example:
  • Monitoring of external clock frequency and voltage;
  • Memory access is controlled by the memory control and protection unit;
  • The active protection layer can detect scanning attempts and force internal protection components, for example, overwriting a memory area;
  • Random generation of the current noise on the bus, on which the data is transmitted, protects against intruders who analyze the bus;
  • The scrambling mechanism (this is the encryption mechanism of the data stream, as a result of which the data stream looks like a stream of random bits of information) in combination with a random number generator protects against synchronization attempts.

Purposes of secure microcircuits​

There is no absolute security; good security is when the cost of a successful attack is an order of magnitude higher than the potential profit. It makes sense, therefore, that advances in security are a constant technology race. With enough time, effort, and money, any security solution can be hacked. The implemented security level must be appropriately balanced for the type of data that is processed and stored on the smart card.

Types of Attacks
Attacks are techniques used to compromise the security of a smart card by discovering what information it contains. Attacks can be classified as:
  • Fault attacks. Fault attacks alter the internal workings of an integrated circuit, causing an error. This erroneous operation gives out information about the chip. An IC has a set of sensors that control the overall operation of the IC as well as redundant logic operations. If these sensors detect manipulation of functioning outside the set parameters, then the IC goes into alarm mode and stops working.
  • Side channel attacks. Side-channel attacks are attacks based on information obtained from the physical implementation of the cryptosystem. For example, information about time, power consumption, electromagnetic leaks, or even sound can provide information that can be used to hack a system. Many side channel attacks require significant technical knowledge of the inner workings of the system in which the cryptography is implemented.
  • Invasive attacks. Invasive attacks, also known as hardware attacks, use means to access information on the IC, such as probing the IC with a microprobe or Focused Ion Beam (FIB).

How is chip safety achieved?​

The most complete IC security is multidimensional. No single security mechanism fully protects against a wide range of potential attacks. Therefore, the design of a secure integrated circuit and its use in the system must include hardware, software, and system countermeasures to protect data and transactions. Security should be an integral part of every smart card solution deployed.

Secure Microcontroller Architecture
To defend against attacks, an integrated circuit must have an architecture that allows the IC to withstand all known types of attacks. Each chip manufacturer incorporates its own features and security modules into its IC architecture. Below is a list of applied security solutions for integrated circuits.
  • Programmable active screen that covers the entire microcircuit and is provided with layers that allow detecting attempts to probe or force internal modules or signal lines;
  • Protected microcontrollers have built-in sensors to prevent failures or invasive attacks: low and high frequency sensors for the internal clock generator, sensors and filters for an external clock generator, high and low voltage sensors, temperature sensors, peak voltage sensors, fault sensors, light detection sensors on the surface of an integrated circuit;
  • The internal timing circuit is not accessible from outside and is used for cryptographic operations;
  • The central processor has its own synchronization to make it difficult for an attacker to intercept the operations it performs;
  • The Memory Management Unit (MMU) is an add-on module that creates a true hardware firewall inside an integrated circuit, enhancing the security of the operating system. This is achieved by preventing applets from accessing important resources of microcircuits, which are controlled only by the operating system of the card.
  • The Memory and Processor Bus Encryption Module (ENCRPT) encrypts and decrypts data stored in ROM, RAM and NVM using special keys and a proprietary symmetric algorithm. In addition, the RAM bus (connecting the RAM to the processor) is also encrypted after every chip reset. These measures prevent an attacker from seeing any calculations inside the circuit in cleartext;
  • Crypto processors (crypto) are additional processors that execute symmetric or asymmetric algorithms, such as DES or 3DES (Data Encryption Standard), AES (Advanced Encryption Standard), RSA (an abbreviation of the names Rivest, Shamir, Adleman; a public key cryptographic algorithm) and elliptic curve cryptography (ECC). These mechanisms take the load of cryptographic processing off the CPU. Thus, these countermeasures allow the chip to operate more efficiently;
  • The Cyclic Redundancy Check (CRC) module checks the data integrity for errors during data transmission, reading or writing. CRC calculations are standardized at the protocol level ISO 7816 for contact smart cards and ISO 14443 for contactless smart cards;
  • The Random Number Generator (RNG) is the basis of many cryptographic protocols and is also used in conjunction with software protection against Differential Power Analysis (DPA) and Simple Power Analysis (SPA). The RNG can be used to create random false wait states that confuse an attacker when trying to analyze the power consumption of a chip. The RNG also protects keys in mutual authentication and encryption. The random numbers are added to the key, encrypted, exchanged, and then used as the basis for the session keys that secure transactions. The random number is almost impossible to guess and, therefore, such an algorithm maximizes the strength of the cryptography used.
  • Another algorithm scrambles current consumption by performing bogus memory access operations. As a result of the current scrambling algorithm, the current consumption of the microcircuit is hidden. The use of this algorithm in combination with random wait states becomes a powerful countermeasure against power analysis.
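
The CRC module in the list above detects transmission errors; it does not authenticate data. As an added example (not code from the original page), the Python below implements the two checksums defined in ISO/IEC 14443-3, CRC_A and CRC_B, and shows that a bit flipped in transit is caught while a frame whose payload was changed and whose CRC was recomputed still passes. The sample payload bytes are constructed.

```python
"""CRC_A and CRC_B from ISO/IEC 14443-3 (contactless card framing)."""

# x^16 + x^12 + x^5 + 1, processed least significant bit first
POLY_REFLECTED = 0x8408


def _crc16(data: bytes, init: int) -> int:
    """Bit-serial CRC-16 over data, starting from the given register value."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def crc_a(data: bytes) -> int:
    """Type A checksum: initial register 0x6363, result sent unchanged."""
    return _crc16(data, 0x6363)


def crc_b(data: bytes) -> int:
    """Type B checksum: initial register 0xFFFF, result sent inverted."""
    return _crc16(data, 0xFFFF) ^ 0xFFFF


def append_crc(payload: bytes, crc_fn) -> bytes:
    """Build a frame: payload followed by the CRC, low byte first."""
    return payload + crc_fn(payload).to_bytes(2, "little")


def frame_ok(frame: bytes, crc_fn) -> bool:
    """Receiver-side check: recompute the CRC and compare with the trailer."""
    if len(frame) < 3:
        return False
    return crc_fn(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def demo() -> dict:
    payload = bytes.fromhex("1234")            # constructed sample payload
    frame = append_crc(payload, crc_a)
    # One bit flipped by noise on the radio link: the CRC no longer matches.
    noisy = bytes([frame[0] ^ 0x04]) + frame[1:]
    # Payload changed and CRC recomputed: no key is involved, so the check
    # passes. Tamper protection has to come from a MAC or signature.
    rewritten = append_crc(bytes.fromhex("1235"), crc_a)
    return {
        "frame": frame.hex(),
        "clean": frame_ok(frame, crc_a),
        "noisy": frame_ok(noisy, crc_a),
        "rewritten": frame_ok(rewritten, crc_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```
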

Secure microcontroller operating system
A secure microcontroller needs an operating system in order for it to run TSR applications. The operating system is "embedded" into the chip's memory during manufacturing. It not only controls the software operations of the IC applications, but also takes over the software security functions to counter software attacks.

Data security​

The security of stored data is achieved by observing the following conditions:
  • Data integrity. The integrity of data (information) means that the data has not been altered in any way during storage, transmission or display. Data integrity is achieved through electronic cryptography, which assigns a unique identity to the data (such as a hash sum).
  • Authentication. Authentication verifies and confirms the identity of the subject involved in any transaction with data on the card. This can be a digital signature, biometric component, or any other cryptographic authentication algorithm.
  • Reliability. Reliability excludes the possibility of transaction cancellation.
  • Authorization and Delegation. Authorization is the process of granting access to certain data in the system. Delegation is the use of a third party to certify each of the users of your system, such as certification authorities.
  • Auditing and logging. It is an independent review and recording of actions to ensure compliance with established controls, policies and procedures, and any specified changes to controls, policies or procedures.
  • Management. Management is the development of elements and mechanisms for all of the listed conditions, including the management of the issue, replacement and withdrawal of the card, as well as the system security policies.
  • Cryptography / Privacy. Cryptography is the use of encryption to protect information from unauthorized access. Plain text is converted to cipher text using an algorithm and then decrypted back to plain text by the same method.

Cryptography is used to: ensure data confidentiality, ensure data integrity, ensure data uniqueness.

In microprocessor cards, symmetric and asymmetric cryptographic algorithms are used to ensure the integrity and confidentiality of transmitted data, authenticate the source of information, and calculate cryptograms (digital signature of data consisting of card, terminal and transaction details). As a symmetric encryption algorithm, in the overwhelming majority of cases, the block algorithm Triple DES or 3DES is used, having a key length of 112 bits and encrypting blocks of 64 bits. As an asymmetric algorithm, the RSA algorithm is used with a public key modulus ranging from 1024 to 1984 bits.

The symmetric algorithm uses permutations, substitutions and nonlinear table transformations of individual elements of the encrypted data blocks. These are simple operations that can be accomplished in a reasonable amount of time using the standard instruction set of the card's CPU. For example, encrypting a 64-bit block using the DES algorithm (which is used three times in the 3DES algorithm) on an 8-bit processor with a clock frequency of 3.57 MHz takes about 10 ms and requires about 1 KB of ROM to store the program that implements this algorithm. To increase the speed of cryptographic computations, microcircuits use special cryptoprocessors. They are designed to perform a reduced set of operations used in cryptoalgorithms. For example,

The RSA algorithm takes about 100 times longer to execute than the symmetric algorithm. The reason is that an asymmetric encryption algorithm uses block-wise multiplication of two large numbers modulo a large number, an operation that requires non-standard block multiplication instructions in the processor's instruction set. Without such instructions, the chip's 8-bit processor needs 10-20 seconds to execute the RSA algorithm with a 1021-bit public key modulus. Since the standard processing time for a transaction should not exceed 3 seconds, using only the chip's main processor is ruled out. With a cryptoprocessor, the execution time of a private-key encryption operation is reduced to at most tens of milliseconds.
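To make the cost argument concrete, the following added example (not from the original article) runs a private-key exponentiation the way an 8-bit CPU has to, one byte-wide multiply at a time, and counts those multiplies. The modulus, exponent and function names are constructed for illustration; a 1024-bit modulus (the lower bound given above) is used instead of the 1021-bit figure, and the 3.57 MHz clock is taken from the DES example.

```python
"""Added example: count the 8x8-bit multiplies behind one RSA private-key operation."""

CLOCK_HZ = 3_570_000   # card clock quoted in the article
TXN_LIMIT_S = 3        # transaction time limit quoted in the article


def mont_mul(a, b, n, n0_inv, size, stats):
    """Byte-serial Montgomery product a*b*R^-1 mod n, with R = 2^(8*size)."""
    t = 0
    for i in range(size):
        t += a * ((b >> (8 * i)) & 0xFF)   # one byte of b times `size` bytes of a
        m = ((t & 0xFF) * n0_inv) & 0xFF   # factor that zeroes the low byte of t
        t = (t + m * n) >> 8               # m times `size` bytes of n, drop low byte
        stats["byte_muls"] += 2 * size + 1
    stats["mod_muls"] += 1
    return t - n if t >= n else t


def rsa_private_op(x, d, n):
    """Left-to-right square-and-multiply; returns (x^d mod n, stats)."""
    size = (n.bit_length() + 7) // 8
    r = 1 << (8 * size)
    n0_inv = (-pow(n, -1, 256)) % 256      # -n^-1 mod 2^8, so n must be odd
    stats = {"byte_muls": 0, "mod_muls": 0}
    x_m = (x * r) % n                      # base in Montgomery form
    acc = r % n                            # 1 in Montgomery form
    for bit in bin(d)[2:]:
        acc = mont_mul(acc, acc, n, n0_inv, size, stats)
        if bit == "1":
            acc = mont_mul(acc, x_m, n, n0_inv, size, stats)
    return mont_mul(acc, 1, n, n0_inv, size, stats), stats


def demo():
    # Constructed values, not a real key: any odd 1024-bit modulus gives the same
    # operation count, and d has the typical half of its bits set.
    n = (1 << 1024) - 105
    d = int("10" * 512, 2)
    x = 0x1234567890ABCDEF
    result, stats = rsa_private_op(x, d, n)
    assert result == pow(x, d, n)          # cross-check against Python's built-in
    return stats, CLOCK_HZ * TXN_LIMIT_S   # work done vs. clock cycles available


if __name__ == "__main__":
    stats, budget = demo()
    print(f"modular multiplications: {stats['mod_muls']}")
    print(f"8x8-bit multiplies:      {stats['byte_muls']:,}")
    print(f"clock cycles in 3 s:     {budget:,}")
```

The byte-multiply count alone is several times the number of clock cycles available in a 3-second transaction, before any loads, stores or carries are counted, which is why the work is moved to a dedicated cryptoprocessor.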

Smart Card Readers​

Organization of data transfer by contact method​

The I / O channel of the smart card chip is a unidirectional serial interface. This means that only 1 bit of information can be transmitted over it at a time, and only in one direction at a time (half duplex). In accordance with the ISO 7816-3 standard, data exchange between the reader and the card can be carried out at a speed of up to 115200 bps. The baud rate supported by the card is determined by the ability of the asynchronous transceiver to multiply the frequency of an external or internal clock signal; UART interfaces support clock multiplication by 4, 8 or 16 times.

To organize data transfer between the reader and the card in a contact way, two lines of the card interface are used. The I / O line carries data bits. The second line, the clock line (CLK line), indicates when to sample the I / O line to get the data bit. A half-duplex communication line assumes that either data is supplied to the I / O line by the reader and read by the card, or data is transmitted by the card and read by the reader. Thus, each participant in the exchange keeps track of whether it is in the transmitting or the receiving state.

There are also cards that support work with the terminal via the USB protocol. The USB interface uses two additional lines to form a second I / O or duplex connection. A duplex SWP (Single Wire Protocol) connection is established using pin C6 (Fig. 2). The typical exchange rate for such a connection is 1.5 Mbit / s.

The connection between the reader and the smart card uses the user (reader) - server (smart card) relationship. The reader sends requests to the card and receives responses; the smart card never initiates data transfer to the reader on its own.

Organization of data transfer in a contactless way​

The contactless method of data transmission for short-range passive cards is described in the ISO 14443 standard. For contactless cards, the high-frequency range of 3-30 MHz is used. The first part of the standard, ISO 14443-1, defines the physical characteristics of a contactless card:
  • Card dimensions and physical characteristics of plastic
  • Bending and torsion tests the card must pass
  • UV and X-ray resistance
  • The surface quality of the card for printing on it
  • Sensitivity to static and alternating electric and magnetic fields
  • Compliance with temperature conditions from 0 to 50 °C

The second part of the ISO 14443-2 standard defines the radio frequency characteristics of signals and signal interfaces (modulation and bit coding methods):
  • RF carrier frequency 13.56 MHz ± 7 kHz
  • The default modulation rate is 106 Kbaud or 84800 Bit / s
  • Two types of signal interfaces in forward (reader - card) and return (card - reader) channels - Type A and Type B
  • Subcarrier frequency 847.5 kHz for modulation of the signal in the return channel

The third part of ISO 14443-3 defines anti-collision procedures and methods between multiple contactless cards caught in the reader's area.
The fourth part of the ISO 14443-4 standard defines a high-level half-duplex block protocol for transferring data between a card and a reader. It describes the encapsulation of data, the format of data blocks, procedures for dividing data into blocks, procedures for detecting errors, and procedures for recovering damaged data.
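The error-detection and recovery step of the ISO 14443-4 block protocol, shown as an added example (not from the original article) for the Type A interface: each block ends in a two-byte CRC_A, and a reader that receives a damaged block answers with R(NAK) so the card retransmits. The helper names and the sample card response are constructed, and the blocks assume no CID, NAD or chaining.

```python
"""Added example: ISO/IEC 14443-4 Type A block framing and CRC_A error detection."""


def crc_a(data: bytes) -> bytes:
    """CRC_A trailer (preset 0x6363, low byte transmitted first)."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = (crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)
    return bytes([crc & 0xFF, crc >> 8])


def build_i_block(block_number: int, inf: bytes) -> bytes:
    """I-block without CID, NAD or chaining: PCB + INF + CRC_A."""
    body = bytes([0x02 | (block_number & 1)]) + inf
    return body + crc_a(body)


def build_r_nak(block_number: int) -> bytes:
    """R(NAK) block the reader sends to request retransmission."""
    body = bytes([0xB2 | (block_number & 1)])
    return body + crc_a(body)


def parse_block(frame: bytes):
    """Return (kind, pcb, inf), or None if the frame fails the CRC_A check."""
    if len(frame) < 3 or crc_a(frame[:-2]) != frame[-2:]:
        return None
    kind = {0b00: "I", 0b10: "R", 0b11: "S"}.get(frame[0] >> 6, "RFU")
    return kind, frame[0], frame[1:-2]


def reader_exchange(card_frames, block_number=0):
    """Reader side: take card frames in order until one passes the CRC check.

    Returns (inf, blocks_sent_by_reader); each damaged frame costs one R(NAK).
    """
    sent = []
    for frame in card_frames:
        parsed = parse_block(frame)
        if parsed and parsed[0] == "I":
            return parsed[2], sent
        sent.append(build_r_nak(block_number))
    return None, sent


def demo():
    # Constructed card response: status word 90 00 as the INF field.
    good = build_i_block(0, bytes.fromhex("9000"))
    damaged = bytes([good[0], good[1] ^ 0x10]) + good[2:]  # one bit flipped in transit
    return reader_exchange([damaged, good])


if __name__ == "__main__":
    inf, sent = demo()
    print("INF accepted:", inf.hex(), "| reader sent:", [b.hex() for b in sent])
```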

Types of smart card readers​

In addition to the fact that smart card readers differ in the type of communication with the card, contact or contactless, they also differ in purpose.
  • For programming contact memory cards. Readers of this type have a USB interface for connecting to a computer and come with a set of drivers. They are used to program and read data from processor smart cards and memory cards.
  • Acquiring terminals or POS terminals for servicing bank cards. With a keyboard, or hybrid - with a magnetic stripe scanner or biometrics. Used in retail outlets to receive payments and service bank cards.
  • For use in an access control and management system. Long-range readers are used for reading long-range tags, such as vehicle passes in parking lots. Short-range readers are either contact (readers for Touch Memory keys) or contactless (readers for contactless cards).

Standards used in smart cards​

First of all, smart card standards regulate physical properties, communication characteristics, parameters of memory operation and used data.

ISO / IEC standards. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are some of the world's leading technology standardization bodies. The main standards for smart cards are ISO / IEC 7816, ISO / IEC 14443, ISO / IEC 15693, and ISO / IEC 7501.
  • ISO / IEC 7816 is an international standard with 14 parts. ISO / IEC 7816 Parts 1, 2 and 3 only deal with contact smart cards and define various aspects of the card and its interfaces, including the physical dimensions of the card, electrical interface, and communication protocols. ISO / IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 apply to all types of smart cards (both contact and contactless). They define the logical structure of the card (files and data items), the various commands used by the API for basic use, application management, biometric verification, cryptographic services, and application naming. ISO / IEC 7816 Part 10 is used by memory cards for applications such as prepaid calling cards or vending machines.
  • ISO / IEC 14443 is an international standard that defines the interfaces for a "near field" contactless smart card, including radio frequency (RF) interface, electrical interface, and communication and anti-collision protocols. ISO / IEC 14443 compliant cards operate at 13.56 MHz and have an operating range of up to 10 centimeters (3.94 inches). ISO / IEC 14443 is the primary standard for contactless smart cards used for transportation, finance and access control. It is also used in ePassports and in the FIPS 201 PIV card.
  • ISO / IEC 15693 describes standards for contactless cards. Specifically, it sets standards for physical performance, RF power and signaling interfaces, and a collision avoidance protocol for cards that operate at a maximum distance of up to 1 meter.
  • ISO / IEC 7501 describes standards for machine-readable travel documents and provides clear guidelines for smart card topology.

ISO / IEC 18092, while not a standard for smart cards, is a Near Field Communication (NFC) standard and is an important contactless technology standard that is integrated into mobile phones and other devices.
  • ISO / IEC 18092 (also ECMA-340) defines communication modes for the Near Field Communication Interface and Protocol (NFCIP-1) using inductively coupled devices operating at a central frequency of 13.56 MHz to connect computer peripherals. ISO / IEC 18092 provides backward compatibility with existing contactless devices by supporting ISO / IEC 14443 Type A and Japanese Industrial Standard (JIS) X 6319-4 also known as FeliCa, contactless interface protocols.
  • The NFC Forum defines NFC tag formats, data record formats, and other technical specifications to facilitate interoperability between devices and services.

In addition, there is also the ISO / IEC 24727 standard, which consists of several parts and aims to provide interoperability between different smart card systems. ISO / IEC 24727 is a set of programming interfaces for communication between integrated circuit boards (ICs) and external applications. The organization and operation of IC is in accordance with ISO / IEC 7816-4.

FIPS Standards
FIPS International Standards are designed to protect federal computing and telecommunications systems. The following FIPS standards apply to smart card technology and relate to digital signature standards, advanced encryption standards, and security requirements for cryptographic modules.

Digital signatures:
  • FIPS 186-2 defines a set of algorithms used to generate and verify digital signatures. This specification specifically refers to three algorithms, the Digital Signature Algorithm (DSA), the RSA Digital Signature Algorithm, and the Elliptic Curve Digital Signature Algorithm (ECDSA).
  • ANSI X9.31-1998 contains specifications for the RSA signature algorithm. The standard specifically covers both manual and automatic key material management using both asymmetric and symmetric key cryptography for the wholesale financial services industry.
  • ANSI X9.62-1998 contains specifications for the ECDSA signature algorithm.

Advanced encryption standards
  • FIPS 197 : Advanced Encryption Standard (AES) defines a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt and decrypt information.

Security requirements for cryptographic modules
  • FIPS 140 : The security requirements contained in FIPS 140 (currently version 2) relate to areas related to the secure design and implementation of a cryptographic module, namely: the cryptographic module specification; ports and interfaces of the cryptographic module; roles, services and authentication; end state model; physical security; operating environment; cryptographic key management; electromagnetic interference / electromagnetic compatibility (EMI / EMC); self-diagnosis; design support; and mitigating other attacks.

GlobalPlatform
GlobalPlatform (GP) is an international non-profit association. GlobalPlatform secures digital services by standardizing and certifying a combination of hardware and firmware security known as the Security Element (covered in the NFC article), a trust environment on a device. This facilitates collaboration between service providers and device manufacturers, enabling them to provide the necessary level of security across all devices to protect against threats. The GlobalPlatform specifications also standardize the secure management of digital services once deployed to devices.

International Civil Aviation Organization
The International Civil Aviation Organization (ICAO) is responsible for producing standardization guidance and specifications for machine-readable travel documents (MTDs) - that is, passports, visas and travel documents. ICAO has published a specification for e-passports that uses a contactless smart chip in the passport to securely store the passport holder's data.

International Aviation and Transport Association
The International Aviation and Transport Association (IATA) develops standards and recommendations for the airlines and the transport industry. IATA has formed a task force to develop interoperability standards for smart card free travel. Its task is to ensure easy and convenient negotiation of electronic air tickets.

Global System for Mobile Communications (GSM) Standards
There are several telecommunication standards in the mobile phone industry, but GSM is the dominant one in the world. The GSM standard uses smart cards called Subscriber Identity Modules (SIMs), which have the information necessary to authenticate a GSM-compatible mobile phone, allowing the phone to receive service when it is within range of a suitable network. The GSM standard is managed by the European Telecommunications Standards Institute.

EMV
EMV is a set of open standards for smart card payment and acceptance devices. EMVCo (Europay + Mastercard + Visa + Company), owned by American Express, JCB, MasterCard and Visa, manages, maintains and improves EMV specifications to ensure global compatibility of chip-based payment cards with receiving devices such as POS terminals and ATMs. The EMV standard originally started out as a specification for terminals, but later expanded to include four books:
  • Book 1, Integrated Circuit (IC) Interface and Terminal Requirements, describes the minimum functionality required for integrated circuit boards and terminals to ensure correct operation and compatibility regardless of the application being used.
  • Book 2, Security and Key Management, describes the minimum security functionality required for ICs and terminals to ensure correct operation and compatibility. Additional requirements and recommendations are provided for online communication between IC and issuer and cryptographic key management at the terminal, issuer and payment system level.
  • Book 3, Application Specification, defines the procedures that are required to effect a payment system transaction in an international exchange environment between a card and a terminal.
  • Book 4, “Requirements for the Cardholder, Operator, and Acquirer Interface,” defines the mandatory, recommended, and additional terminal requirements required to support the acceptance of integrated circuit boards in accordance with Books 1, 2, and 3.

EMVCo is also actively developing specifications, requirements and approval processes to support contactless and mobile payments.

Working Group on Personal Computers / Smart Cards

The Personal Computing / Smart Card (PC / SC) Working Group was formed in 1996 and included Schlumberger, Bull CP8, Hewlett-Packard, Microsoft and other leading computer hardware vendors. This group has developed open specifications for integrating smart cards with personal computers. The specifications are platform independent and based on existing industry standards. They are designed to enable application developers to create secure, network-based smart card applications for banking, healthcare, corporate security, and e-commerce. Specifications include cryptographic functionality and secure storage, APIs for smart card readers for PCs, and a high-level API for application development.

OpenCard Framework
OpenCard Framework is a set of guidelines from IBM, Netscape, NCI, and Sun Microsystems for integrating smart cards with networked computers. The recommendations are based on open standards and provide an architecture and a set of application programming interfaces (APIs) that enable application developers and service providers to build and deploy smart card solutions on any OpenCard-compatible networked computer. Through the use of a smart card, the OpenCard-compatible system allows access to personalized data and services from any networked computer and dynamically downloads from the Internet all device drivers required to communicate with the smart card. By providing a high-level interface that can support multiple types of smart cards,

American Public Transportation Association
The American Public Transportation Association (APTA) is a non-profit international association of 1,500 public and private sector organizations that set standards for the transportation industry.

Java Card
The Java Card provides a smart card operating system that runs applications on the smart card. Applicable Java Card Specification: Java Card Platform Specification 3.0.1.

MULTOS
MULTOS is a highly secure multitasking operating system for smart cards. It is created by an open consortium of industry companies, the MULTOS consortium, which creates and licenses MULTOS specifications covering all stages of the life cycle of an intelligent device.

Well, and the most important thing is your opinion.​

Nothing motivates me to write new articles as much as your rating: if the rating is good, I will keep writing articles; if it is negative, I will think about how to improve this one. But without your assessment, I do not have the most valuable thing for me: feedback from you. Please take a moment to choose from 1 to 5 stars; I tried.
 