Making the smart card tamper-proof
How has the smart card come to be seen as the ultimate portable security medium?
 

There are different types of security mechanisms used in smart cards. Those necessary for a memory-only card are less sophisticated than those for a microprocessor card.

Access to the information contained in a smart card is controlled two ways:

  • Who can access the information (everybody, the card holder or a specific third party).
  • How can the information be accessed (read only, added to, modified or erased).

Who can access the information

Everybody - Some smart cards require no password. Anyone holding the card can have access (e.g. the patient's name and blood type on a MediCard can be read without the use of a password).

Card Holder Only - The most common form of password for card holders is a PIN (Personal Identification Number), a 4 or 5 digit number which is typed in on a keypad. If an unauthorized individual tries to use the card, it will lock up after 3 unsuccessful attempts to present the PIN code. More advanced types of passwords are being developed.

Third Party Only - Some smart cards can only be accessed by the party who issued them (e.g., an electronic purse can only be reloaded by the issuing bank).

How can the information be accessed

Information on a smart card can be divided into several sections:

  • Information which is read only
  • Information which is added only
  • Information which is updated only
  • Information with no access available
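The two controls above (who may access, and how) combine with the 3-attempt PIN lock into one access check. The following model is an added example, not code from the original page; the file names, sample values and the `Card` class are hypothetical, and issuer authentication is reduced to a key comparison.

```python
import hmac

PIN_TRIES = 3  # the page's figure: locked after 3 wrong PIN presentations

class CardLocked(Exception): pass
class AccessDenied(Exception): pass

class Card:
    # Constructed sample layout: file -> {operation: who may perform it}.
    # An operation missing from a file's entry is available to nobody.
    ACL = {
        "blood_type": {"read": "everybody"},
        "purse_log":  {"read": "holder", "append": "holder"},
        "balance":    {"read": "holder", "update": "issuer"},
        "pin_ref":    {},
    }

    def __init__(self, pin, issuer_key):
        self._pin, self._issuer_key = pin.encode(), issuer_key
        self.tries_left = PIN_TRIES
        self.verified = {"everybody"}      # parties proven during this session
        self.data = {"blood_type": "O+", "purse_log": [], "balance": 20, "pin_ref": pin}

    def verify_pin(self, pin):
        if self.tries_left == 0:
            raise CardLocked("PIN blocked")
        self.tries_left -= 1               # spend the try before comparing, so cutting
        ok = hmac.compare_digest(pin.encode(), self._pin)  # power mid-check gains nothing
        if ok:
            self.tries_left = PIN_TRIES    # only a correct PIN restores the counter
            self.verified.add("holder")
        return ok

    def verify_issuer(self, key):
        # Stand-in for a cryptographic issuer authentication.
        if hmac.compare_digest(key, self._issuer_key):
            self.verified.add("issuer")

    def access(self, name, op, value=None):
        if self.ACL[name].get(op) not in self.verified:
            raise AccessDenied(f"{op} on {name}")
        if op == "append":
            self.data[name] = self.data[name] + [value]
        elif op == "update":
            self.data[name] = value
        return self.data[name]
```

Once the counter reaches zero even the correct PIN is refused, which is what makes guessing through the 4 or 5 digit space impractical.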

 

When Passwords Are Not Enough

A smart card can restrict the use of information to an authorized person with a password. However, if this information is then transmitted by radio or telephone, additional protection is necessary.

One form of protection is ciphering, which is like translating the information into some unknown foreign language. Some smart cards are capable of ciphering and deciphering (translating back to an easily understood form) so the stored information can be transmitted without compromising confidentiality.

Smart cards can cipher into billions and billions of foreign languages, and choose a different language at random every time they communicate. This authentication process ensures only genuine cards and computers are used and makes eavesdropping virtually impossible.
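The "different language every time" idea corresponds to a challenge-response exchange with fresh random values and a per-session key. The sketch below is an added example, not the scheme of any particular card or of the original page; it assumes a secret shared by card and terminal and uses HMAC-SHA256 in place of whatever cipher a given card implements, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def tag(key, label, a, b):
    # Keyed digest over a purpose label and both 16-byte challenges.
    return hmac.new(key, label + a + b, hashlib.sha256).digest()

def card_respond(card_key, rt):
    """Card: answer the terminal's challenge rt and issue its own challenge rc."""
    rc = secrets.token_bytes(16)
    return rc, tag(card_key, b"card", rt, rc)

def terminal_check(term_key, rt, rc, card_proof):
    """Terminal: verify the card, then prove itself. Returns (proof, session_key) or None."""
    if not hmac.compare_digest(card_proof, tag(term_key, b"card", rt, rc)):
        return None                      # counterfeit card or replayed answer
    return tag(term_key, b"term", rc, rt), tag(term_key, b"sess", rt, rc)

def card_finish(card_key, rt, rc, term_proof):
    """Card: verify the terminal before deriving the session key."""
    if not hmac.compare_digest(term_proof, tag(card_key, b"term", rc, rt)):
        return None                      # terminal does not hold the shared secret
    return tag(card_key, b"sess", rt, rc)

def run_session(card_key, term_key):
    """Run one exchange; returns the agreed session key, or None if either side fails."""
    rt = secrets.token_bytes(16)         # fresh terminal challenge for this session
    rc, card_proof = card_respond(card_key, rt)
    result = terminal_check(term_key, rt, rc, card_proof)
    if result is None:
        return None
    term_proof, term_session = result
    card_session = card_finish(card_key, rt, rc, term_proof)
    return card_session if card_session == term_session else None
```

Because both challenges are fresh, a proof recorded from one session does not verify in the next, and each session key differs from the last.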

 

Welcome to Smart Cards
Learn how smart cards work and how applications are developed for specific needs.

A smart card is the latest addition in the world of information technology. It is the size of a conventional credit card, and it has an electronic microchip embedded in it. The chip stores electronic data and programs that are protected by advanced security features.

Smart cards come in two types:

Contact Card

Contact smart cards must be inserted into a smart card reader.
They have a small gold plate about ½" in diameter on the front, instead of a magnetic strip on the back like a credit card. When the card is inserted into a smart card reader, it makes contact with electrical connectors that transfer data to and from the chip.

 

Contactless Card

Contactless smart cards are passed near an antenna to carry out a transaction.
They look just like plastic credit cards, except that they have an electronic microchip and an antenna embedded inside. These components allow the card to communicate with an antenna / coupler unit without any physical contact. Contactless cards are the ideal solution when transactions must be processed very quickly, as in mass-transit or toll collection activities.

 

The size of the card is determined by the international standard (ISO 7810). The ISO 7816 standard also defines the physical characteristics of the plastic, including the temperature range and flexibility, position of the electrical contacts and how the microchip communicates with the outside world.

A number of standards have also been defined for specific applications, including digital cell phones, credit card functions (Europay, Mastercard, Visa) and electronic purses (Visacash, Multos, Proton).

The implementation of Java on smart cards is also the subject of ongoing standardization work (Javacard version 1 and 2).

 

The Terms you Need to Know
The world of smart cards is full of technical jargon. This lexicon should help you make sense of these different terms.

ABS
Acrylonitrile Butadiene Styrene, a plastic used to make the card body for certain cards (see also PVC).

APDU (Application Protocol Data Unit)
The basic command unit for a smart card. An APDU contains either a command message or a response message, sent from the interface device to the smart card or from the card to the device. See ISO 7816-3 standard for more information.

Asynchronous
Microprocessor cards (MPCOS, GPK2000, GemXplore, etc.). A card operating in asynchronous mode is capable of automatically adjusting to the transmission frequency. See also Synchronous Cards.

ATM (Automatic Teller Machine)
A device that allows a bank account holder to carry out certain transactions using his bank card.

ATR (Answer To Reset)
A message that is returned by a smart card when it is powered up. The ATR indicates the card type, communication protocol and other basic information that is used to determine the parameters for the communication between the card and the interface device.

Authentication
The process whereby a card or a terminal verifies that the other party is genuine.

Biometrics
The technique of studying physical characteristics of a person such as finger prints, hand geometry, eye structure or voice pattern.

Cardholder
Generally the person to whom a nominative card is issued. For financial transaction cards, the cardholder is usually the customer associated with the primary account number recorded on the card.

Chip
A piece of silicon etched with electronic circuits (synonym: Integrated circuit).

Contact
A point of electrical connection between an integrated circuit card and its external interface device. ISO standard IC cards have eight contacts (the contact plate is commonly called a module).

Contact Smart Card
A smart card that operates by physical contact between the reader and the smart card's different contacts (in comparison to Contactless smart cards).

Contactless Smart Card
A smart card that communicates with an antenna by means of a radio frequency signal. There is no need of physical contact between the card and a reader (in comparison to Contact smart cards).

Coupler
A coupler is an electronic system used to read the smart card. It is the basis of a reader. Designed to be integrated in a machine (e.g., gaming machine, gas meter...).

DF (Dedicated File)
Memory organization for microprocessor cards: A DF is a logical entity that holds a number of elementary files (EF). In multi-purpose cards (e.g., MPCOS) each DF will normally correspond to a distinct application.

EEPROM (Electrically-Erasable Programmable Read-Only Memory)
Memory whose contents can be loaded after manufacture. Contents can be erased and new data can be reloaded.

EF (Elementary File)
Memory organization for microprocessor cards: The smallest logical entity that can be secured in the operating system. File containing data.

Electronic Banking
Banking operation conducted by electronic means, especially electronic funds transfer.

Electronic Purse
A small portable device which contains electronic money. The smart card is the ideal device to implement an electronic purse. It is sometimes called the electronic wallet or the stored value card (SVC).

Embedding
This operation consists in placing the micromodule in the cavity of the card body. An electrical test is carried out and the embedded module is then encoded.

Embossing
The action of implementing raised letters or logos on a plastic card.

EMV (Europay - Mastercard - Visa)
Set of specifications defining the main structures for an international Debit/Credit smart card.

Encoding
Writing of system, issuer and cardholder data onto the smart card.

EP (Electronic Purse)
This is a special type of smart card designed to replace currency (prepayment scheme).

ETSI (European Telecommunications Standards Institute)
The E.U. organization in charge of defining European telecommunications standards. The most well known European telecom standard is GSM.

Film
A roll with a series of electrical contacts (ready to receive the chip).

Filtered Function
Refers to a smart card function that has been downloaded into the card's EEPROM. A masked function, by comparison, is hardwired in the card's chip (ROM).

GSM
Global System for Mobile Communications, a European standard for digital cellular telephones that has now been widely adopted throughout the world. Under the ETSI standard, GSM telephones contain a SIM smart card that identifies the individual subscriber.

Hologram
A flat optical image which looks three dimensional when viewed with the naked eye. Holograms are implemented as a security feature to prevent fraud.

Home Banking
Retail banking operations conducted by customers using electronic payment terminals in their own homes.

IC (Integrated Circuit) = Chip
An electronic circuit in which many active or passive elements are fabricated and connected together on a continuous substrate.

ICC (Integrated Circuit Card) = Smart Card
A card into which one or more ICs have been incorporated.

Initialization
First stage of the card issuing process. The purpose of this process is to load all the data common to one application into the smart card's EEPROM.

Interoperability
The ability of products manufactured by different companies to operate correctly with one another.

I/O (Input/Output)
The process or devices that move information between the Central Processing Unit and peripherals.

ISO (International Standards Organization)
To ensure that semiconductor companies, software developers and smart card makers comply with the same specifications, a number of international standards have been drawn up. These include:
ISO 7816-1 Physical Characteristics of IC cards
ISO 7816-2 Position of Module and Contacts on IC cards
ISO 7816-3 Exchange protocol with IC cards (i.e., communication between readers and cards)
ISO 7816-4 Command set for microprocessor cards

Mapping (or memory map)
A functional representation of the different memory blocks.

Masked Function
A function that is manufactured into the original chip (see also Filtered Function).

Master File (MF)
Memory organization for microprocessor cards: This file is unique and obligatory. It has its own security attributes and may contain DFs and/or EFs. After a reset or power up, this file is automatically selected by the operating system.

Memory
General term for computer hardware that stores information in electrical or magnetic form.

Micromodule
The electronic unit on a smart card. The micromodule is formed of a chip and a contact plate, connected by fine wires and encapsulated in a drop of epoxy resin. The micromodule is inserted into a cavity in the card body to form a finished card.

Microprocessor
A chip that serves as the Central Processing Unit controlling a computer. It provides programmable intelligence.

Pad
A point of electrical connection between a micromodule and the chip.

PC Card
Standard architecture-independent expansion device. These cards are typically used in laptop computers (formerly called PCMCIA).

PCMCIA (Personal Computer Memory Card International Association).
(see PC Card)

Personalization
During this process a smart card is modified to contain the information for one person. There are two sorts of personalization: graphical and electrical. Graphical personalization modifies the visual aspect of the card (holder's name, photograph); electrical personalization modifies the information held in electronic form.

Plug (or Plug-In Card)
Preliminary cut-out in mobile telephone cards.

POS (Point Of Sale)
POS terminals (in comparison to central terminal) are the locations at which a transaction is contracted.

Pre-Paid Card
A card paid for at the point of sale, and permitting the holder to buy goods or services usually of a particular type up to the pre-paid value. Not all such cards are ISO standard identification cards because some do not show the identity of the bearer (e.g., phonecards…).

PIN
Personal Identification Number. The number or code that a card holder must type in to confirm that he is the genuine owner of the card.

PROM (Programmable Read-Only Memory)
A read-only memory that can be written to only once. Programmed after manufacture by external equipment.

Protocol
A set of rules and procedures governing interchange of information between a smart card and a reader. The ISO defines several protocols, including T=0, T=1 and T=14.

PVC
Polyvinyl Chloride. A type of plastic used to produce card bodies for certain types of smart cards, notably those that require embossing, signature panel or overlays (see also ABS).

RAM (Random-Access Memory)
A volatile memory that is used as a scratchpad by the microprocessor in certain smart cards.

ROM (Read-Only Memory)
A memory in which the information can be read but not written. Chip operating systems are normally masked into the ROM, which is also referred to as firmware.

SAM (Security Access Module)
A dedicated microprocessor unit that enables active authentication with an appropriate memory or microprocessor card.

Session
Period of time between two card resets, or between power up and a power down.

SET
Secure Electronic Transaction. A technology developed by a group of companies including IBM and Visa for e-commerce.

SIM (Subscriber Identification Module)
A specific type of smart card for GSM systems holding the subscriber's ID number, thus allowing him to call from any GSM device.

Smart Card
Also called IC card. A card formed of a plastic body and a micromodule embedded in a special cavity.

Standards
A standard is a set of specifications defining the physical, electrical or logical properties of a device. For smart cards, there are a number of ISO standards defining such issues.

Synchronous Cards
Memory cards. These are the least complex cards. The communication frequency for these cards is determined by the reader. See also Asynchronous Cards.

Tag
An electronic device (contactless) that can communicate with a reader by means of a radio frequency signal.

Volatile Memory
A memory device that does not retain stored information when power is interrupted (e.g., RAM).

Wafer
Arrays of ICs or discrete devices are fabricated in the wafers during the manufacturing process.