MULTOS
Encyclopedia
MULTOS is a multi-application smart card
operating system, that enables a smart card to carry a variety of applications, from chip & pin application for payment to on-card biometric
matching for secure ID and ePassport. MULTOS is an open standard whose development is overseen by the MULTOS Consortium - a body compromised of companies which have an interest in the development of the OS and includes smart card and silicon manufacturers
, payment card schemes, chip data preparation, card management and personalization system providers, and smart card solution providers. There are more than 20 leading companies involved in the consortium.
One of the key differences of MULTOS with respect to other types of smart card OS, is that it implements a patented Public Key cryptography-based mechanism by which the manufacture, issuance and dynamic updates of MULTOS smartcards in the field is entirely under an issuer’s control using digital certificates rather than symmetric key sharing. This control is enabled through the use of a Key Management Authority (KMA), a special kind of Certification Authority. The KMA provides card issuers with cryptographic
information required to bind the card to the issuer, initialize the card for use, and generate permission certificates for the loading and deleting of applications under the control of the issuer.
Application Providers can retrieve and verify the Public Key Certificate of an individual issuer's card, and encrypt their proprietary application code and confidential personalisation data using that card's unique public key. This payload is digitally signed using the Private Key of the Application Provider. The KMA, on request from the card issuer, signs the Application Provider's Public Key and application code has and creates a digital certificate (the Application Load Certificate) that authorises the application to be loaded to an issuer's card or group of cards. Applications are therefore protected for integrity and confidentiality and loaded to a card without any party sharing symmetric keys and therefore needing to trust any other party sharing the card platform - including the card issuer. Both the Application Provider and Card Issuer know that only specific, authorised applications from authorised parties can be loaded to any specific card.
Hundreds of millions of MULTOS smart cards have been issued by banks and governments all around the world, for projects ranging from contactless payment, internet authentication and loyalty, to national identity with digital signature
, ePassport with biometrics
, healthcare and military base and network access control.
. The virtual machine provides:
The key component of dynamic memory is the last in, first out (LIFO) stack as this makes using the various functions much easier. A MULTOS chip is a stack machine
, which makes use of this dynamic memory to pass parameters and perform calculations. In addition, the Input/output
buffer resides in another dynamic memory segment.
are transmitted to the chip. A delete is permitted if a certificate that corresponds to a loaded application is transmitted to the chip.
Smart card
A smart card, chip card, or integrated circuit card , is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride, but sometimes acrylonitrile...
operating system, that enables a smart card to carry a variety of applications, from chip & pin application for payment to on-card biometric
Biometrics
Biometrics As Jain & Ross point out, "the term biometric authentication is perhaps more appropriate than biometrics since the latter has been historically used in the field of statistics to refer to the analysis of biological data [36]" . consists of methods...
matching for secure ID and ePassport. MULTOS is an open standard whose development is overseen by the MULTOS Consortium - a body compromised of companies which have an interest in the development of the OS and includes smart card and silicon manufacturers
Semiconductor
A semiconductor is a material with electrical conductivity due to electron flow intermediate in magnitude between that of a conductor and an insulator. This means a conductivity roughly in the range of 103 to 10−8 siemens per centimeter...
, payment card schemes, chip data preparation, card management and personalization system providers, and smart card solution providers. There are more than 20 leading companies involved in the consortium.
One of the key differences of MULTOS with respect to other types of smart card OS, is that it implements a patented Public Key cryptography-based mechanism by which the manufacture, issuance and dynamic updates of MULTOS smartcards in the field is entirely under an issuer’s control using digital certificates rather than symmetric key sharing. This control is enabled through the use of a Key Management Authority (KMA), a special kind of Certification Authority. The KMA provides card issuers with cryptographic
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
information required to bind the card to the issuer, initialize the card for use, and generate permission certificates for the loading and deleting of applications under the control of the issuer.
Application Providers can retrieve and verify the Public Key Certificate of an individual issuer's card, and encrypt their proprietary application code and confidential personalisation data using that card's unique public key. This payload is digitally signed using the Private Key of the Application Provider. The KMA, on request from the card issuer, signs the Application Provider's Public Key and application code has and creates a digital certificate (the Application Load Certificate) that authorises the application to be loaded to an issuer's card or group of cards. Applications are therefore protected for integrity and confidentiality and loaded to a card without any party sharing symmetric keys and therefore needing to trust any other party sharing the card platform - including the card issuer. Both the Application Provider and Card Issuer know that only specific, authorised applications from authorised parties can be loaded to any specific card.
Hundreds of millions of MULTOS smart cards have been issued by banks and governments all around the world, for projects ranging from contactless payment, internet authentication and loyalty, to national identity with digital signature
Digital signature
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
, ePassport with biometrics
Biometrics
Biometrics As Jain & Ross point out, "the term biometric authentication is perhaps more appropriate than biometrics since the latter has been historically used in the field of statistics to refer to the analysis of biological data [36]" . consists of methods...
, healthcare and military base and network access control.
Technical overview
A MULTOS implementation provides an operating system upon which resides a virtual machineVirtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
. The virtual machine provides:
- Application run-time environmentRun-time systemA run-time system is a software component designed to support the execution of computer programs written in some computer language...
. - Memory management.
- Application loading and deleting.
Run-time Environment
The run-time environment operates within the application space. This consists of code space and data space. The code, developed in the C language and compiled into MULTOS bytecodes is interpreted every time it is executed. The virtual machine performs code validity and memory access checks during execution of the code. The data space is divided into static and dynamic portions. Static memory is persistent and transaction protection ensures the integrity of application's stored data.The key component of dynamic memory is the last in, first out (LIFO) stack as this makes using the various functions much easier. A MULTOS chip is a stack machine
Stack machine
A stack machine may be* A real or emulated computer that evaluates each sub-expression of a program statement via a pushdown data stack and uses a reverse Polish notation instruction set....
, which makes use of this dynamic memory to pass parameters and perform calculations. In addition, the Input/output
Input/output
In computing, input/output, or I/O, refers to the communication between an information processing system , and the outside world, possibly a human, or another information processing system. Inputs are the signals or data received by the system, and outputs are the signals or data sent from it...
buffer resides in another dynamic memory segment.
Memory Management
Each application resides with a rigorously enforced application memory space, which consists of the application code and data segments. This means that an application has full access rights to its own code and data, but can not directly access that of another application. If an application attempts to access an area outside its space, it results in an abnormal end to processing.Application Loading and Deleting
A MULTOS card permits the loading and deleting of applications at any point in the card's active life cycle. A load can take place once the application and its corresponding certificatePublic key certificate
In cryptography, a public key certificate is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth...
are transmitted to the chip. A delete is permitted if a certificate that corresponds to a loaded application is transmitted to the chip.