Sách hay về thẻ smartcards

Chia sẻ: Monkey68 Monkey68 | Ngày: | Loại File: DOC | Số trang:103

0
143
lượt xem
65
download

Sách hay về thẻ smartcards

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Một tài liệu đầy đủ về thẻ smartcard.

Chủ đề:
Lưu

Nội dung Text: Sách hay về thẻ smartcards

  1.                                                                    Contents Preface...................................................................................................................3 1. Introduction....................................................................................................4 2. Smart Card Basic..........................................................................................8 2.1 What is smart card..........................................................................................8 2.2 History of smart card development...............................................................9 2.3 Different types of smart cards.......................................................................9 2.3.1 Memory Cards..........................................................................................9 2.3.2 Contact CPU Cards................................................................................10 2.3.3 Contactless Cards..................................................................................10 2.3.4 Combi-Card............................................................................................11 2.4 Different standards of smart cards.............................................................11 3. Current Smart Card Applications.................................................................14 3.1 Electronic payment Applications................................................................14 3.1.1 Electronic Purse.....................................................................................14 3.1.2 Stored Value Cards................................................................................15 3.2 Security and Authentication Applications.................................................15 3.2.1 Cryptographic uses................................................................................15 3.2.2 Identity card............................................................................................16 3.2.3 Access control card................................................................................16 3.2.4 Digital certificate.....................................................................................17 3.2.5 Computer login.......................................................................................17 3.3 Transportation uses......................................................................................18 3.4 Telecommunication Applications................................................................18 3.5 HealthCare Applications...............................................................................19 3.6 Loyalty Applications.....................................................................................19 4. Technology Aspects of Smart Card.............................................................21 4.1 Overview of ISO 7816 Standards ..............................................................21 4.2 Communication Protocol between Terminal and Smart Cards...............22 4.3 Overview of File Systems ............................................................................26 4.4 Overview of Naming Scheme.......................................................................27 4.5 Overview of the Security Architecture.......................................................27 4.6 An Example of Smart Card Application : SmartFlow Internet Payment System...................................................................................................................28 5. Java Card Programming..............................................................................32 6. Building your own smart card application....................................................36 6.1 Plan the smart card solution........................................................................36 6.2 Understand the need of smart card............................................................38 6.3 Managing data storage on the card............................................................39 6.4 Determine the required back end support.................................................43 6.5 Choosing card-side and host-side environment.......................................45 6.6 Miscellaneous Tools.....................................................................................46 7. Future trend of smart card...........................................................................50 7.1 Unification of smart card host-side standards on PC..............................50 7.1.1 Personal Computer/Smart Card standard (PC/SC)..............................51 7.1.2 Alternative standard of smart card in PC and Mini-computer (OpenCard Framework) .................................................................................55 7.2 Trends in smart card card-side standards.................................................60 7.2.1 Java inside..............................................................................................60 7.2.2 Mondex MULTOS OS............................................................................62 Guide to Smart Card Technology Page 1
  2. 7.2.3 Microsoft Windows in Smart card..........................................................64 7.2.4 Card OS future.......................................................................................65 7.3 Smart card in electronic commerce............................................................66 7.3.1 Smart Card Payment Protocol...............................................................67 7.3.2 Smart card as prepaid and loyalty card.................................................68 7.3.3 Smart card as electronic wallet..............................................................68 7.3.4 Electronic Payment over Mobile Telecommunications.........................69 7.4 Smart card in Internet security....................................................................69 7.4.1 Smart card as Digital ID.........................................................................70 7.4.2 Smart card as Computer access logon key..........................................72 7.4.3 Smart card in Intrusion detection System as user-profile holder.........74 7.4.4 Biometric authentication........................................................................76 8. Summaries and Conclusions.......................................................................77 Glossary..........................................................................................................81 References......................................................................................................90 Appendix.........................................................................................................96 A. Price Comparison of different cards and readers......................................96 B. Resources....................................................................................................100 Collections of Smart Card Books.................................................................100 Collections of General Smart Card Internet Resources..............................100 Collections of Java Card Technology on Internet.......................................101 Collections of Smart Card Security Technology on Internet.......................101 Collections of Smart Card Payment Technology on Internet.....................102 Collections of Smart Card Vendors.............................................................102 Guide to Smart Card Technology Page 2
  3. Preface This handbook aims to provide a comprehensive overview of the current state of the art in smart card software technology development, applications, and future trends. The information would be useful to IT managers and executives wishing to explore the possibility of developing smart card applications. The handbook consists of three sections. The basic concepts of smart cards and current applications are presented in the first section in layman's language. The second section gets into some of the technical aspects of smart card internals, and offers suggestions on smart card development procedures as well as general ideas in programming smart cards, including the new Java Card. This section is for programmers and IT managers who would like to go beyond the basic concepts and get an idea on what it takes to develop smart card applications. Finally, the third section presents our views on future trends in smart card development framework, standards and possible applications. A list of useful reference materials is also included. The growth of smart card adoption in Asia is increasing rapidly and we believe this technology will be an important one in the near future. The Cyberspace Center is working to develop the security, biometric identification, micropayment and other aspects of smart card technology for use over the Internet. The handbook summarizes some of our experience in this work. Many people have contributed to the handbook, especially Ricci Ieong, Andy Fung, Ivan Leung, Patrick Hung, James Pang and Ronald Chan. Ricci, Ivan, Andy and Patrick in particular, wrote parts of the handbook. This document can be accessed online from the Cyberspace Center's home page http://www.cyber.ust.hk. Some chapters are actually better viewed on-line since they provide URLs directly to sources of additional information. Finally, I would like to acknowledge the Industry Department of the Hong Kong SAR for funding the Cyberspace Center. Our objective is to help Hong Kong industries make more effective use of the Internet to enhance their competitiveness in the world markets. This and our other handbooks are part of the effort in attaining this goal. Please visit our web site to learn about some of our other activities. Samuel Chanson Director Cyberspace Center Guide to Smart Card Technology Page 3
  4. 1. INTRODUCTION Smart card technology has been around for more than 20 years. Since its first introduction into the market, its main application is for the payphone system. As card manufacturing cost decreases, smart card usage has expanded. Its use in Asia is expected to be growing at a much faster pace than in Europe. According to a survey performed by Ovum Ltd. [Microsoft1998a], the number of smart card units will reach 2.7 billion by 2003. The largest markets will be in prepayment applications, followed by access control, and electronic cash applications. According to a recent study by Dataquest [Microsoft1998c], the overall market for memory and microprocessor-based cards will grow from 544 million units in 1995 to 3.4 billion units by 2001. Of that figure, microprocessor-based smart cards, which accounted for only 84 million units in 1995 will grow to 1.2 billion units in 2001. Based on the report from Hong Kong SAR Government Industry Department on the Development and Manufacturing Technology of Smart Card [HKSAR1997], Hong Kong industries have the capability and should participate in development and manufacturing of smart card IC chips, readers and card operating systems. To promote this, Hong Kong SAR government has decided to form a Hong Kong Smart Card Forum. Under this active participation and encouragement from the Hong Kong SAR Government, smart card development and support will expand in Hong Kong. Although the Octopus card is relatively new to Hong Kong, smart cards have already been introduced in Hong Kong for at least two years. These include Mondex by Hong Kong bank and GSM cards in the mobile phone market. However, using this powerful and highly secure card on Personal computer (PC) as well as the Internet is still not common. Many international companies have identified the smart card as one of the new directions in electronic money and personal identification and authentication tools. In May 1996, several companies including Microsoft, Hewlett-Packet and Schlumberger formed a PC/SC workgroup which aimed at integrating the smart card with personal computer (PC). This workgroup mainly concentrates on producing a common smart card and PC interface standards for the smart card and PC software producers. Many of the interface standards and hierarchy have already been established. Some of these prototype products are now available on the market. Moreover, Netscape and Microsoft have also announced that the smart card will be their new direction in computer security and electronic commerce area. Microsoft has even published some documents on its role in the smart card market. Although it will not be a smart card manufacturing company, it has indicated that the smart card will be a key component in Microsoft Windows 98 and Windows NT 5.0. Guide to Smart Card Technology Page 4
  5. Together with the latest smart card operating system announcement [Microsoft1998a], Microsoft will be actively involved in the smart card market. Furthermore, programming modules for smart cards using Visual C++, Visual J++ and Visual Basic have also been developed. The Cyberspace Center believes smart card technology will play a major role in Internet applications in the future. Therefore, we decided to start evaluating the available Smart card development tools and study the use of Smart card in Internet security and electronic commerce. With first-hand information and experience, we will be able to provide advice and assistance to the Hong Kong Industry. The smart card is expected to be used in many applications and especially in personal security related applications such as access control, computer logon, secure email sending and retrieving services. The reason for this growth lies in the smart card’s portability and security characteristics. In addition, as the recent growth of palmtop computers shows, people are looking for smaller and smaller devices for carrying their data with them. Smart card provides a good solution for many applications. Applications are the driving force behind the new smart card market. Many of these applications have already been implemented, such as prepayment for services, credit and debit card, loyalty card, and access control card. The most commonly known example is the prepayment services cards, namely, prepaid phone cards, transportation cards and parking cards. Based on the e-purse card, people could perform bank transaction from ATM machines at home or in the bank. With the use of loyalty cards, companies could store discount information and shopping preferences of their customers. Using these shopping preferences, companies could design new strategies for the users. Access control systems to buildings, computers or other secure areas will soon be handled by a single smart card. In this handbook, we shall briefly describe what smart card is and how it can be used in different applications. The aim of this handbook is to provide a business and executive overview to companies that wish to join the smart card era. This handbook is divided into 8 chapters classified into 3 sections – Smart card Overview, Smart card in Details, and Smart card in the Future. In the first section, basic concepts of smart cards will be described. In chapter 2, we review the history of smart cards. Then we outline the different types of smart cards and their standards. Current applications and uses of smart cards are mentioned in chapter 3. In the second section, technical aspects of smart card internals as well as programming tips are briefly described in chapter 4. Because programming and design methodology for the Java card is different from traditional card programming, in chapter 5, we describe the basics in Java Card programming. In chapter 6, procedures of smart card development are given. Guide to Smart Card Technology Page 5
  6. In the last section of this handbook, the future of smart card development is presented. Different ideas on future smart card applications are used in formulating a forecast in chapter 7. Lastly, we conclude the handbook with a summary of different research, survey and reports on smart cards. References and glossaries are provided at the end of this handbook. We hope that based on our handbook, company executives, technical managers and software developers would gain knowledge and insight into the emerging smart card technology and applications. Guide to Smart Card Technology Page 6
  7. Part I. Smart card Overview Guide to Smart Card Technology Page 7
  8. 2. SMART CARD BASIC A smart card is a plastic card with a microprocessor chip embedded in it. The card looks like a normal credit card except for its metal contact (in contact card only), but applications performed could be totally different. Other than normal credit card and bankcard functions, a smart card could act as an electronic wallet where electronic cash is kept. With the appropriate software, it could also be used as a secure access control token ranging from door access control to computer authentication. The term “smart card” has different meanings in different books [Guthery1998, Rankl1997] because smart cards have been used in different applications. In this chapter, we provide our definition of “smart card” to put the subsequent chapters in context. We also describe the development history of smart cards and depict the types of card available on market. Finally, descriptions on different smart card standards, such as ISO and EMV are given at the end of this chapter. 2.1 What is smart card In the article “Smart cards: A primer” [DiGiorgio1997a], the smart card is defined as a “credit card” with a “brain” on it, the brain being a small embedded computer chip. Because of this “embedded brain”, smart card is also known as chip or integrated circuit (IC) card. Some types of smart card may have a microprocessor embedded, while others may only have a non-volatile memory content included. In general, a plastic card with a chip embedded inside can be considered as a smart card. In either type of smart card, the storage capacity of its memory content is much larger than that in magnetic stripe cards. The total storage capacity of a magnetic stripe card is 125 bytes while the typical storage capacity of a smart card ranges from 1K bytes to 64K bytes. In other words, the memory content of a large capacity smart card can hold the data content of more than 500 magnetic stripe cards. Obviously, large storage capacity is one of the advantages in using smart card, but the single-most important feature of smart card consists of the fact that their stored data can be protected against unauthorized access and tampering. Inside a smart card, access to the memory content is controlled by a secure logic circuit within the chip. As access to data can only be performed via a serial interface supervised by the operating system and the secure logic system, confidential data written onto the card is prevented from unauthorized external access. This secret data can only be processed internally by the microprocessor. Due to the high security level of smart cards and its off-line nature, it is extremely difficult to "hack" the value off a card, or otherwise put unauthorized information on the card. Because it is hard to get the data without authorization, and Guide to Smart Card Technology Page 8
  9. because it fits in one’s pocket, a smart card is uniquely appropriate for secure and convenient data storage. Without permission of the card holder, data could not be captured or modified. Therefore, smart card could further enhance the data privacy of user. Therefore, smart card is not only a data store, but also a programmable, portable, tamper-resistant memory storage. Microsoft considers smart card as an extension of a personal computer and the key component of the public-key infrastructure in Microsoft Windows 98 and 2000 (previous known as Windows NT 5.0) [Microsoft1997a]. 2.2 History of smart card development A card embedded with a microprocessor was first invented by 2 German engineers in 1967. It was not publicized until Roland Moreno, a French journalist, announced the Smart Card patent in France in 1974 [Rankl1997]. With the advances in microprocessor manufacturing technology, the development cost of the smart card has been greatly reduced. In 1984, a breakthrough was achieved when French Postal and Telecommunications services (PTT) successfully carried out a field trial with telephone cards. Since then, smart cards are no longer tied to the traditional bankcard market even though the phone card market is still the largest market of smart cards in 1997. Due to the establishment of the ISO-7816 specification in 1987 (a worldwide smart card interface standard), the smart card format is now standardized. Nowadays, smart cards from different vendors could communicate with the host machine using a common set of language. 2.3 Different types of smart cards According to the definitions of “smart card” in the Smart card technology frequently asked questions list [Priisalu1995], the word smart card has three different meanings: • IC card with ISO 7816 interface • Processor IC card • Personal identity token containing ICs Basically, based on their physical characteristics, IC cards can be categorized into 4 main types, memory card, contact CPU card, contactless card and combi card. 2.3.1 Memory Cards A memory card is a card with only memory and access logic onboard. Similar to the magnetic stripe card, a memory card can only be used for data storage. No data processing capability should be expected. Without the on-board CPU, memory cards use a synchronous communication mechanism between the reader and the Guide to Smart Card Technology Page 9
  10. card where the communication channel is always under the direct control of the card reader. Data stored on the card can be retrieved with an appropriate command to the card. In traditional memory cards, no security control logic is included. Therefore, unauthorized access to the memory content on the card could not be prevented. While in current memory cards, with the security control logic programmed on the card, access to the protection zone is restricted to users with the proper password only. 2.3.2 Contact CPU Cards A more sophisticated version of smart card is the contact CPU card. A microprocessor is embedded in the card. With this real “brain”, program stored inside the chip can be executed. Inside the same chip, there are four other functional blocks: the mask-ROM, Non-volatile memory, RAM and I/O port [HKSAR1997, Rankl1997]. Except for the microprocessor unit, a memory card contains almost all components that are included in a contact CPU card. Both of them consist of Non- volatile memory, RAM, ROM and I/O unit. Based on ISO 7816 specifications, the external appearance of these contact smart cards is exactly the same. The only difference is the existence of the CPU and the use of ROM. In the CPU card, ROM is masked with the chip’s operating system which executes the commands issued by the terminal, and returns the corresponding results. Data and application program codes are stored in the non-volatile memory, usually EEPROM, which could be modified after the card manufacturing stage. One of the main features of a CPU card is security. In fact, contact CPU card has been mainly adopted for secure data transaction. If a user could not successfully authenticate him/herself to the CPU, data kept on the card could not be retrieved. Therefore, even when a smart card is lost, the data stored inside the card will not be exposed if the data is properly stored [Rankl1997]. Also, as a secure portable computer, a CPU card can process any internal data securely and outputs the calculated result to the terminal. 2.3.3 Contactless Cards Even though contact CPU smart card is more secure than memory card, it may not be suitable for all kinds of applications, especially where massive transactions are involved, such as transportation uses. Because in public transport uses, personal data must be captured by the reader within a short period of time, contact smart card which requires the user to insert the card to the reader before the data can be captured from the card would not be a suitable choice. With the use of radio frequency, the contactless smart card can transmit user data from a fairly long distance within a short activation period. The card holder would not have to insert Guide to Smart Card Technology Page 1 0
  11. the card into the reader. The whole transaction process could be performed without removing the card from the user’s wallet. Contactless smart cards use a technology that enables card readers to provide power for transactions and communications without making physical contact with the cards. Usually electromagnetic signal is used for communication between the card and the reader. The power necessary to run the chip on the card could either be supplied by the battery embedded in the card or transmitted at microwave frequencies from the reader onto the card. Contactless card is highly suitable for large quantity of card access and data transaction. However, contactless smart card has not been standardized. There are about 16 different contactless card technologies and card types in the market [ADE]. Each of these cards has its specific advantages, but they may not be compatible with each other. Nevertheless, because of its high production cost and the technology is relatively new, this type of cards has not been widely adopted. 2.3.4 Combi-Card At the current stage, contact and contactless smart cards are using two different communication protocols and development processes. Both cards have their advantages and disadvantages. Contact smart cards have higher level of security and readily-available infrastructure, while contactless smart cards provide a more efficient and convenient transaction environment. In order to provide customers with the advantages of these two cards, two methods could be employed. The first method is to build a hybrid card reader, which could understand the protocols of both types of cards. The second method is to create a card that combines the contact functions with the contactless functions. Because the manufacturing cost of the hybrid reader is very expensive, the later solution is usually chosen. Sometimes, the term “combi card” is being misused by manufacturers. In general, there are two types of combine contact-contactless smart cards, namely the hybrid card and the combi card. Both cards have contact and contactless parts embedded together in the plastic card. However, in the hybrid card, the contact IC chip and contactless chip are separate modules. No electrical connections have been included for communications between the two chips. These two modules can be considered as separate but co-existing chips on the same card. While in the combi card, the contact and contactless chips could communicate between themselves, thus giving the combi card the capability to talk with external environment via either the contact or contactless method. As the combi card possess the advantages of both contact and contactless cards, the only reason that is hindering its acceptance is cost. When the cost and technical obstacles are overcome, combi cards will become a popular smart card solution. 2.4 Different standards of smart cards Guide to Smart Card Technology Page 1 1
  12. Throughout the history of smart card development, various standards have been established for resolving the interoperability problem. The very first standard is the ISO 7816 smart card standard published by the International Organization for Standardization (ISO) in 1987. Before this, card vendors and manufacturers developed their own proprietary cards and readers which could not interoperate. With the ISO standard, smart cards could communicate using the same protocol. The physical appearance and dimensions of a card is also fixed. The meaning and location of the contacts, the protocols and contents of the high and low level messages exchanged with the IC card are all standardized. This ensures that card manufactured and issued by one company can be accepted by a device from other companies. Because this specification is important to card programming development, details of this standard is given in Chapter 4, “Technical Aspects of smart card”, of this handbook. Two other important standards in this area are EMV (Europay, Mastercard and Visa) and GSM (Global Standard for Mobile Communications). EMV standard is for debit/credit cards where major international financial institutions Visa, Mastercard and Europay are involved. It started in 1993 and was finalized in 1996 [HKSAR1997]. This standard covers the electromechanical, protocol, data elements and instruction parts together with the transactions involving bank microprocessor smart cards. The goal of the EMV specification is for payment systems to share a common Point of Sales (POS) Terminal, as they do for magnetic stripe applications. Because the magnetic stripe-based banking card would soon be replaced by the smart card, this standard has to be established to ensure that the new smart card based banking card would be compatible with the bank transaction system. Based on this specification, all bank-related smart card solutions would be compatible with one another as well as the previous magnetic stripe card solution. Terminal manufacturers could develop and modify their own sets of API in EMV standard for their terminals, so these terminals could be used in different payment systems. Credit, debit, electronic purse and loyalty functions could be processed on these EMV-compliant terminals. With the flexibility provided by the EMV standard, banks are allowed to add their own options and special requirements in the smart card payment system. The GSM standard is one of the most important smart card and digital mobile telecommunication standards. GSM specification started in 1982 under CEPT (Conference Europeenne des Postes et Telecommunications) and was later continued by ETSI (European Telecommunications Standards Institute). Originally, this specification is designated for the mobile phone network. However, when the smart card is used in the mobile phone system as the Subscriber Identification Module (SIM), parts of the GSM specification becomes a smart card standard. This part of the GSM specification started in January 1988 by the Subscriber Identification Module Expert Group (SIMEG). Within a GSM network, all GSM subscribers would be issued a SIM card which can be viewed as the subscriber’s key into the network. The size of a SIM card is fixed to be either the normal credit card or mini card size. Because this card is used Guide to Smart Card Technology Page 1 2
  13. for handling the GSM network functions, a rather high performance microcontroller (a 16-bit microprocessor) is used and the EEPROM memory is dedicated for storing the application data, including the network parameters and subscriber data. The GSM specification is divided into two sections. The first section describes the general functional characteristics, while the second section deals with the interface description and logical structures of a SIM card. Details of this specification are given in [Scourias]. Before the smart card could be widely adopted by the market, one or more standardized card development environment is needed. Currently, four significant smart card standards have been recently established in the smart card industry, they are PC/SC, OpenCard Framework, JavaCard and MULTOS and all of them are compatible to the ISO smart card standard. Details of these specifications are briefly mentioned in chapters 5 and 7 of this handbook while other specifications could be found in [CityU1997]. Guide to Smart Card Technology Page 1 3
  14. 3. CURRENT SMART CARD APPLICATIONS With the rapid expansion of Internet technology and electronic commerce, smart cards are now more widely accepted in the commercial market as stored-value and secure storage cards. Moreover, it has also been widely used as an identity card. For instance, in City University of Hong Kong, the old student/staff cards have been replaced by the hybrid-card based identity cards. This identity card can be used for normal access control as well as electronic payment. The smart card has also been used in transportation such as the Octopus card which has been adopted by the MTRC and KCRC to replace of the old Magnetic stripe card. Medical record can also be stored in the smart card. This enables critical information of the patient to be retrieved whenever it is required. With the help of smart card technology, many secure data such as the computer login name and password can also be kept, so user need not remember a large number of passwords. In this chapter, we shall briefly describe some current applications of smart cards. These applications can be classified into 6 main categories: Electronic Payment, Security and Authentication, Transportation, Telecommunications, Loyalty Program and Health Care Applications. 3.1 Electronic payment Applications 3.1.1 Electronic Purse The Electronic Purse is also known as electronic cash. Funds can be loaded onto a card for use as cash. The electronic cash can be used for small purchases without necessarily requiring the authorization of a PIN. The card is credited from the cardholder’s bank account or some other ways. When it is used to purchase goods or services, electronic value is deducted from the card and transferred to the retailer’s account. Similar to a real wallet, the cardholder could credit his/her card at the bank any time when required. Electronic cash transactions do not usually require the use of a PIN. This speeds up the transactions but the electronic cash on the card is then vulnerable like conventional cash. The amounts involved, fortunately, are usually small, so loses will not be significant. Widespread adoption of electronic cash will reduce the costs to banks and retailers in handling large quantities of cash. Since 1994, there has been significant development of Intersector electronic purse applications in Europe which has been extended to outside of Europe. Several global card projects have been developed for this purpose, such as Proton Guide to Smart Card Technology Page 1 4
  15. card by Banksys, VisaCash by Visa International and Mondex card by Mastercard [Bull1998]. These have all been adopted by shops from all over the world. 3.1.2 Stored Value Cards Another use of smart cards in electronic commerce is Electronic token. It is an example of the stored-value card. The principle is that some memory in the smart card is set aside to store electronic tokens or electronic tickets. A smart card can store tokens for different services and each of the tokens can be refilled, depending on the types of the memory card. This allows the cost to be distributed over a number of services and over a much longer life span. For example, the card could be used to pay for gas and instead of putting coins in a parking meter. Consumers load up the card from a vending machine. The card can then be used to operate the meters. One advantage of this system is that collections of coins would no longer be necessary. This would reduce the operation overhead and eliminate theft. This would also benefit the consumer as tokens could be bought and stored in the card in advance so it is not necessary to carry many heavy coins around. It is also possible that the card could monitor patterns of use and return the information to the merchant as well as the consumer, so better shopping model could be derived [McCrindle1990]. 3.2 Security and Authentication Applications 3.2.1 Cryptographic uses From the point-of-view of the supplier and system operator, the main requirement of almost all machine-readable card systems is to ensure that the card presented is valid and the cardholder is indeed the person entitled to use that particular card. To verify the cardholder’s identity, users are required to enter their PIN code (personal identification number). This PIN code is kept in the card rather than on the terminals or host machines. Identification and authentication procedures take place at the card terminal. One of the problems is to ensure that the card furnishes some sort of machine-readable authenticity criterion. This can be solved by the use of encrypted communications between the card and terminal. It is well known that encryption can be used to ensure secrecy of messages sent and also to authenticate messages. In order to perform the encryption procedure, the cryptographic smart cards must have the following properties: • The cards must have sufficient computational power to run the cryptographic algorithms. • The cryptographic algorithms must be theoretically secure. This means that it is not possible to derive the secret key from the corresponding texts. • The smart cards must be physically secure. It should not be possible to extract the secret key from the card’s memory. Guide to Smart Card Technology Page 1 5
  16. Provided these conditions are met, and with advances in card microcontroller technology, the microprocessor-based smart card can be made to meet the required security level [Chaum1989]. For instance, Verisign and Schlumberger have developed the use of Cryptoflex smart card for carrying a Verisign Class 1 Digital ID [Verisign9701]. Cryptoflex card is the first cryptographic smart card in the industry, which is designed based on the PC/SC specifications. This enables the use of smart card for portable Internet access with Microsoft Internet Explorer 3.0 at all sites accepting Verisign Digital IDs. In Michigan University, the Cyberflex card has been used for storing Kerberos keys in a secure login project [Michgan9701]. 3.2.2 Identity card The identification of an individual is one of the most complex processes in the field of Information Technology. It requires both the individual to identify himself and for the system to recognize the incoming connection is generated by a legal user. The system then accepts responsibility for allowing all subsequent actions, sage in the knowledge that the user has authorization to do whatever he is asking of the system. If a smart card is used, the information stored on the card can be verified locally against a ‘password’ or PIN before connection is made to the host. This prevents the password from being eavesdropped by perpetrators on the Internet. Some of the smart cards will have personal data stored on the card. For example, the cardholder’s name, ID number, and date of birth [Devargas1992]. 3.2.3 Access control card The most common devices used to control access to private areas where sensitive work is being carried out or where data is held, are keys, badges and magnetic cards. These all have the same basic disadvantages: they can easily be duplicated and when stolen or passed on, they can allow entry by an unauthorized person. The smart card overcomes these weaknesses by being very difficult to be reproduced and capable of storing digitized personal characteristics. With suitable verification equipment, this data can be used at the point of entry to identify whether the user is the authorized cardholder. The card can also be individually personalized to allow access to limited facilities, depending on the holder’s security clearance. A log of the holder’s movements, through a security system, can be stored on the card as a security audit trail [McCrindle1990]. The card could contain information on the user’s privileges (i.e. access to secure areas of the building, automatic vehicle identification at entrances to company car parks, etc.) and time restrictions. All information are checked on the card itself. Access to different areas of the building can be distinguished by different PINs. Guide to Smart Card Technology Page 1 6
  17. Furthermore it can also track the user’s movement around the building [Devargas1992]. 3.2.4 Digital certificate The most important security measures we encounter in our daily business have nothing to do with locks and guards. A combination of a signed message and the use of public key cryptosystem, so called digital signature, are typically used. A digitally signed message containing a public key is called a certificate. In addition to a public key, a certificate typically contains a name, address, and other information describing the holder of the corresponding secret key. All of these carry the digital signature of a registry service that records public keys for all members of the community. To become a member of this community, a subscriber must do two things: • Provide the directory service with a public key and the associated identification information so that other people will be able to verify his/her signature. • Obtain the public key of the directory service so that he/she can verify other people’s signatures. Because certificates are extremely tamper resistant, the authenticity of a certificate is a property of the certificate itself, rather than of the authenticity of the channel over which it was received. This important property allows certificates to be employed in very much the same way as a passport. The border police expect to see your passport and in most cases count on the passport’s tamper resistance to guarantee its authenticity. Because of the fragility of paper credentials, however, there are circumstances in which this is not considered adequate. In making a classified visit to a military installation, for example, no badge or letter of introduction by itself is sufficient. Prior arrangements must have been made using channels maintained for the purpose. Because public key certificates are more secure than any paper document, they can be safely authenticated by direct signature checking and no trusted directory is needed. 3.2.5 Computer login Access to the Computer room and its services can be controlled by the smart card. In terms of network access, smart card can authenticate the user to the host. Furthermore, depending on the environment being protected the network access card can also perform the following functions: • Manipulation of different authentication codes for different levels of security. • Use of biometric techniques as an added security measure. • Maintaining an audit trail of failures and attempted violations. Guide to Smart Card Technology Page 1 7
  18. Meanwhile, in terms of access to the computer room itself, PIN checking can be done on the card without the need for hard wiring the access points to a central computer. The identification of a user is usually done by means of a (Personal Identification Number) PIN. The PIN is verified by the microcomputer of the card with the PIN stored in its RAM. If the comparison is negative, the CPU will refuse to work. The chip also keeps tack of the number of consecutive wrong PIN entries. If this number reaches a pre-set threshold, the card blocks itself against any further use. 3.3 Transportation uses The smart card can act as electronic money for car drivers who would need to pay a fee before being able to use a road or tunnel. It would then contain a balance that can be increased at payment stations or in the pre-paid process, and is decreased for each use. If privacy is not an issue (i.e. the driver does not care if he is identified as using a particular stretch of motorway at a particular point in time), then the card could be linked to a bank debiting system as a debit card. Besides, the card could also act as a credit card. Another example is the Octopus card. This service aims at reducing the amount of cash handled by the service provider and also increasing management information. This information would be invaluable in giving the customer the right service at the right time. Each individual would possess a reloadable card that could either be paid directly (immediately) or as a credit payment based system where monthly settlement would be required. If the card has a positive balance, the card holder could use the card in any of the transport services by simply inserting the card into the card-reader which would be either on the bus or at the entrance to the MTR station. If the travel charge is different for different zones, then the card would need to be used at the entrance of the bus or station and also at the exit. This process would then calculate the amount owed for a certain journey [Devargas1992]. 3.4 Telecommunication Applications Telecommunication is one of the largest markets for smart card applications. In 1997, payphone cards occupy the largest share of the smart card market. Over 70% of the smart cards are issued as payphone cards [CardTech1997] and this will continue be the largest market in at least the next 3 years. Since 1988, smart card has become an essential component in cellular phone systems. Network data, subscriber’s information and all mobile network critical data are kept inside the card. With this card, subscribers could make calls from any portable telephone. Moreover, through the IC card, any calls through the mobile Guide to Smart Card Technology Page 1 8
  19. phone could be encrypted, and thus ensure privacy. In the future, more and more value-added services, such as electronic banking, could be supported by using this microprocessor card. Examples can be found in chapter 7. 3.5 HealthCare Applications Due to the level of security provided for data storage, IC cards offer a new perspective for healthcare applications. Medical applications of smart cards can be used for storing information including personal data, insurance policy, emergency medical information, hospital admission data and recent medical records. Numerous national hospitals in France, Germany and even Hong Kong have already started to implement this kind of healthcare card. With the microcontroller on-board, smart cards could be used for managing the levels of information authorized for different users similar to a workflow control system. Doctors would be able to access the medical record from the patient’s card, while chemists could make use of the prescription information stored on the card for preparing the medical treatment. Emergency data kept on the patient’s card, which includes the cardholder’s identity, persons to contact in case of accident and special illness details, can be used for saving the patient’s life. In some countries, medical insurance is required for hospital payment. With the insurance records stored in the patient’s card, the administrative procedures are simplified. 3.6 Loyalty Applications Loyalty program is another important application of smart cards in the shopping model. The preferred customer status together with detailed information on shopping habits is stored and processed on the smart card. With this information, merchants could derive better shopping model or tailor-make personalized customer shopping profiles. In addition, this shopping habit profile is kept in the customer’s card; therefore, his/her shopping record could be kept confidential from unauthorized access. As an extension to the loyalty application, stored value functions could be added. In current pay television systems, users’ preferences are kept together with the electronic payment scheme. Users would not have to set their preferences each time they use the television system. As this card will also be used as the key to the television, users would not be permitted to use the television box unless they have paid their television fee. So sufficient security and convenient television usage could be guaranteed. Guide to Smart Card Technology Page 1 9
  20. Part II. Smart card in details Guide to Smart Card Technology Page 2 0

CÓ THỂ BẠN MUỐN DOWNLOAD

Đồng bộ tài khoản