Smart card - AbsoluteAstronomy.com

This article is regarding smart cards that use electrical connectors to transmit data. For smart cards that use radio
Radio
Radio is the transmission of signals through free space by modulation of electromagnetic waves with frequencies below those of visible light. Electromagnetic radiation travels by means of oscillating electromagnetic fields that pass through the air and the vacuum of space...

see contactless smart card
Contactless smart card
A contactless smart card is any pocket-sized card with embedded integrated circuits that can process and store data, and communicate with a terminal via radio waves. There are two broad categories of contactless smart cards. Memory cards contain non-volatile memory storage components, and perhaps...

A smart card, chip card, or integrated circuit
Integrated circuit
An integrated circuit or monolithic integrated circuit is an electronic circuit manufactured by the patterned diffusion of trace elements into the surface of a thin substrate of semiconductor material...

card (ICC), is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor

Microprocessor

A microprocessor incorporates the functions of a computer's central processing unit on a single integrated circuit, or at most a few integrated circuits. It is a multipurpose, programmable device that accepts digital data as input, processes it according to instructions stored in its memory, and...

cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride

Polyvinyl chloride

Polyvinyl chloride, commonly abbreviated PVC, is a thermoplastic polymer. It is a vinyl polymer constructed of repeating vinyl groups having one hydrogen replaced by chloride. Polyvinyl chloride is the third most widely produced plastic, after polyethylene and polypropylene. PVC is widely used in...

, but sometimes acrylonitrile butadiene styrene

Acrylonitrile butadiene styrene

Acrylonitrile butadiene styrene is a common thermoplastic. Its melting point is approximately 105 °C ....

or polycarbonate

Polycarbonate

PolycarbonatePhysical PropertiesDensity 1.20–1.22 g/cm3Abbe number 34.0Refractive index 1.584–1.586FlammabilityV0-V2Limiting oxygen index25–27%Water absorption – Equilibrium0.16–0.35%Water absorption – over 24 hours0.1%...

. Smart cards may also provide strong security authentication

Authentication

Authentication is the act of confirming the truth of an attribute of a datum or entity...

for single sign-on

Single sign-on

Single sign-on is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them...

(SSO) within large organizations.

Overview

A smart card may have the following generic characteristics:

Dimensions similar to those of a credit card
Credit card
A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services...

. ID-1 of the ISO/IEC 7810 standard defines cards as nominally 85.6 millimetre. Another popular size is ID-000 which is nominally 25 millimetre (commonly used in SIM cards
Subscriber Identity Module
A subscriber identity module or subscriber identification module is an integrated circuit that securely stores the International Mobile Subscriber Identity and the related key used to identify and authenticate subscriber on mobile telephony devices .A SIM is held on a removable SIM card, which...

). Both are 0.76 millimetre (0.0299212598425197 in) thick.
Contains a tamper-resistant security system (for example a secure cryptoprocessor
Secure cryptoprocessor
A secure cryptoprocessor is a dedicated computer on a chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance....

and a secure file system
File system
A file system is a means to organize data expected to be retained after a program terminates by providing procedures to store, retrieve and update data, as well as manage the available space on the device which contain it. A file system organizes data in an efficient manner and is tuned to the...

) and provides security services (e.g., protects in-memory information).
Managed by an administration system which securely interchanges information and configuration settings with the card, controlling card blacklisting
Blacklist (computing)
In computing, a blacklist or block list is a basic access control mechanism that allows everyone access, except for the members of the black list . The opposite is a whitelist, which means allow nobody, except members of the white list...

and application-data updates.
Communicates with external services via card-reading devices, such as ticket readers, ATM
Automated teller machine
An automated teller machine or automatic teller machine, also known as a Cashpoint , cash machine or sometimes a hole in the wall in British English, is a computerised telecommunications device that provides the clients of a financial institution with access to financial transactions in a public...

s, etc.

Benefits

Smart cards can provide identification, authentication, data storage and application processing.

The benefits of smart cards are directly related to the volume of information and applications that are programmed for use on a card. A single contact/contactless smart card can be programmed with multiple banking credentials, medical entitlement, driver’s license/public transport entitlement, loyalty programs and club memberships to name just a few. Multi-factor and proximity authentication can and has been embedded into smart cards to increase the security of all services on the card. For example, a smart card can be programmed to only allow a contactless transaction if it is also within range of another device like a uniquely paired mobile phone. This can significantly increase the security of the smart card.

Governments gain a significant enhancement to the provision of publicly funded services through the increased security offered by smart cards. These savings are passed onto society through a reduction in the necessary funding or enhanced public services.

Individuals gain increased security and convenience when using smart cards designed for interoperability between services. For example, consumers only need to replace one card if their wallet is lost or stolen. Additionally, the data storage available on a card could contain medical information that is critical in an emergency should the card holder allow access to this.

History

Invention

In 1968 German

Germany

Germany , officially the Federal Republic of Germany , is a federal parliamentary republic in Europe. The country consists of 16 states while the capital and largest city is Berlin. Germany covers an area of 357,021 km2 and has a largely temperate seasonal climate...

electrical engineer Helmut Gröttrup

Helmut Gröttrup

Helmut Gröttrup was a German electrical engineer and assistant of Wernher von Braun in the V-2 rocket-project. Gröttrup was responsible for the guidance system....

and his colleague Jürgen Dethloff invented the automated chip card, receiving a patent only in 1982, while working for German company Giesecke & Devrient

Giesecke & Devrient

Giesecke & Devrient is a German company headquartered in Munich that provides banknote and securities printing, smart cards, and cash handling systems....

. The first mass use of the cards was as a Télécarte
Telephone card
A telephone card, calling card or phone card for short, is a small plastic card, sized and shaped like a credit card, used to pay for telephone services. It is not necessary to have the physical card except with a stored-value system; knowledge of the access telephone number to dial and the PIN is...

for payment in French pay phones

Payphone

A payphone or pay phone is a public telephone, often located in a phone booth or a privacy hood, with pre-payment by inserting money , a credit or debit card, or a telephone card....

, starting in 1983.

French inventor Roland Moreno patented the memory card concept in 1974. In 1977, Michel Ugon from Honeywell Bull

Groupe Bull

-External links:* * — Friends, co-workers and former employees of Bull and Honeywell* *...

invented the first microprocessor smart card. In 1978, Bull patented the SPOM (Self Programmable One-chip Microcomputer) that defines the necessary architecture to program the chip. Three years later, Motorola

Motorola

Motorola, Inc. was an American multinational telecommunications company based in Schaumburg, Illinois, which was eventually divided into two independent public companies, Motorola Mobility and Motorola Solutions on January 4, 2011, after losing $4.3 billion from 2007 to 2009...

used this patent in its "CP8". At that time, Bull had 1,200 patents related to smart cards. In 2001, Bull sold its CP8 division together with its patents to Schlumberger, who subsequently combined its own internal smart card department and CP8 to create Axalto. In 2006, Axalto

Axalto

Axalto has been a smart card manufacturer, that during its brief independent existence, with over 4,500 employees in 60 countries, was one of the world's leading providers of microprocessor cards and also a major supplier of point of sale terminals.Axalto's business covered the telecommunications,...

and Gemplus, at the time the world's no. 2 and no. 1 smart card manufacturers, merged and became Gemalto

Gemalto

Gemalto is an international digital security company, providing secure personal devices such as smart cards and tokens in addition to software applications and managed services. The company was formed in June 2006 by the combination of two companies Axalto and Gemplus International...

Carte Bleue

The second use integrated microchips into all French Carte Bleue
Carte Bleue
Carte Bleue is a major debit card payment system operating in France. Unlike Visa Electron or Maestro debit cards, Carte Bleue allows transactions without requiring authorization from the cardholder's bank. In many situations, the card works like a credit card but without fees for the cardholder...

debit card

Debit card

A debit card is a plastic card that provides the cardholder electronic access to his or her bank account/s at a financial institution...

s in 1992. Customers inserted the card into the merchant's POS

Point of sale

Point of sale or checkout is the location where a transaction occurs...

terminal, then typed the PIN

Personal identification number

A personal identification number is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token and a confidential PIN to gain access to the system...

, before the transaction was accepted. Only very limited transactions (such as paying small highway tolls

Electronic toll collection

Electronic toll collection , an adaptation of military "identification friend or foe" technology, aims to eliminate the delay on toll roads by collecting tolls electronically. It is thus a technological implementation of a road pricing concept...

) are processed without a PIN.

Smart-card-based "electronic purse" systems store funds on the card so that readers do not need network connectivity and entered service throughout Europe in the mid-1990s, most notably in Germany (Geldkarte

Geldkarte

Geldkarte is a Stored-value card or electronic cash system used in Germany. It operates as an offline smart card for small payment at things like vending machines and to pay for public transport or parking tickets. The card is pre-paid and funds are loaded onto the card using ATMs or dedicated...

), Austria (Quick Wertkarte

Quick Wertkarte

Quick is an electronic purse system available on Austrian bank cards to allow small purchases to be made without cash. The history of the Quick system goes back to 1994....

), Belgium

Belgium

Belgium , officially the Kingdom of Belgium, is a federal state in Western Europe. It is a founding member of the European Union and hosts the EU's headquarters, and those of several other major international organisations such as NATO.Belgium is also a member of, or affiliated to, many...

(Proton

Proton (bank card)

Proton is an electronic purse application for debit cards in Belgium. The system was introduced in February 1995 with the goal to replace cash primarily for small transactions around the 15 EUR...

), France (Mon€o

Mon€o

Moneo, sometimes branded as mon€o, is an electronic purse system available on French bank cards to allow small purchases to be made without cash....

), the Netherlands (Chipknip and Chipper), Switzerland ("Cash"), Norway ("Mondex

Mondex

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong,...

"), Sweden ("Cash", decommissioned in 2004), Finland ("Avant"), UK ("Mondex

Mondex

"), Denmark ("Danmønt") and Portugal ("Porta-moedas Multibanco").

The major boom in smart card use came in the 1990s, with the introduction of smart-card-based SIM

Subscriber Identity Module

A subscriber identity module or subscriber identification module is an integrated circuit that securely stores the International Mobile Subscriber Identity and the related key used to identify and authenticate subscriber on mobile telephony devices .A SIM is held on a removable SIM card, which...

s used in GSM mobile phone equipment in Europe

Europe

Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...

. With the ubiquity of mobile phones in Europe, smart cards have become very common.

EMV

The international payment brands MasterCard

MasterCard

Mastercard Incorporated or MasterCard Worldwide is an American multinational financial services corporation with its headquarters in the MasterCard International Global Headquarters, Purchase, Harrison, New York, United States...

, Visa, and Europay agreed in 1993 to work together to develop the specifications for smart cards as either a debit

Debit card

A debit card is a plastic card that provides the cardholder electronic access to his or her bank account/s at a financial institution...

or a credit card

Credit card

A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services...

. The first version of the EMV

EMV

EMV stands for Europay, MasterCard and VISA, a global standard for inter-operation of integrated circuit cards and IC card capable point of sale terminals and automated teller machines , for authenticating credit and debit card transactions.It is a joint effort between Europay, MasterCard and...

system was released in 1994. In 1998 a stable release of the specifications became available. EMVco, the company responsible for the long-term maintenance of the system, upgraded the specification in 2000 and in 2004. EMVco's purpose is to assure the various financial institutions and retailers that the specifications retain backward compatibility with the 1998 version.

With the exception of a few countries such as the United States

United States

The United States of America is a federal constitutional republic comprising fifty states and a federal district...

EMV-compliant cards and equipment are widespread. Typically, a country's national payment association, in coordination with MasterCard

MasterCard

International, Visa International, American Express

American Express

American Express Company or AmEx, is an American multinational financial services corporation headquartered in Three World Financial Center, Manhattan, New York City, New York, United States. Founded in 1850, it is one of the 30 components of the Dow Jones Industrial Average. The company is best...

and JCB

Japan Credit Bureau

Japan Credit Bureau is a credit card company based in Tokyo, Japan. Its English name is .Founded in 1961, JCB established dominance over the Japanese credit card market when it purchased Osaka Credit Bureau in 1968, and its cards are now issued in 20 different countries...

, jointly plan and implement EMV systems.

Contactless

Contactless smart cards that do not require physical contact between card and reader are becoming increasingly popular for payment and ticketing applications such as mass transit and highway tolls. Visa and MasterCard have agreed to an easy-to-implement version that was deployed in 2004–2006 in the USA. Most contactless fare collection implementations are custom and incompatible, though the MIFARE

MIFARE

MIFARE is the NXP Semiconductors-owned trademark of a series of chips widely used in contactless smart cards and proximity cards. According to the producers, billions of smart card chips and many millions of reader modules have been sold...

Standard card from Philips

Philips

Koninklijke Philips Electronics N.V. , more commonly known as Philips, is a multinational Dutch electronics company....

has a considerable market share in the US and Europe.

Smart cards are also being introduced in personal identification and entitlement schemes at regional, national, and international levels. Citizen cards, drivers’ licenses, and patient card schemes are appearing. In Malaysia, the compulsory national ID scheme MyKad

MyKad

MyKad is the compulsory identity document for Malaysian citizens aged 12 and above. Introduced by the National Registration Department of Malaysia on 5 September 2001 as one of four MSC Malaysia flagship applications and a replacement for the High Quality Identity Card , Malaysia became the first...

includes eight different applications and has 18 million users. Contactless smart cards are part of ICAO biometric passport

Biometric passport

A biometric passport, also known as an e-passport or ePassport, is a combined paper and electronic passport that contains biometric information that can be used to authenticate the identity of travelers...

s to enhance security for international travel.

Contact

Contact smart cards have a contact area of approximately 1 square centimetre (0.15500031000062 sq in), comprising several gold-plated contact pad

Contact pad

Contact pads are designated surface areas of a printed circuit board or die of an integrated circuit. Possibilities to contact to pads include soldering, wirebonding, Flip chip mounting, or probe needles....

s. These pads provide electrical connectivity when inserted into a reader

Card reader

A card reader is a data input device that reads data from a card-shaped storage medium. Historically, paper or cardboard punched cards were used throughout the first several decades of the computer industry to store information and programs for computer system, and were read by punched card readers...

.

The ISO/IEC 7810 and ISO/IEC 7816 series of standards define:

physical shape and characteristics
electrical connector positions and shapes
electrical characteristics
communications protocol
Communications protocol
A communications protocol is a system of digital message formats and rules for exchanging those messages in or between computing systems and in telecommunications...

s, including commands sent to and responses from the card
basic functionality

Cards do not contain batteries

Battery (electricity)

An electrical battery is one or more electrochemical cells that convert stored chemical energy into electrical energy. Since the invention of the first battery in 1800 by Alessandro Volta and especially since the technically improved Daniell cell in 1836, batteries have become a common power...

; power is supplied by the card reader.

Communication protocols

Communication protocols
Name	Description
T=0	Character-level transmission protocol, defined in ISO/IEC 7816-3
T=1	Block-level transmission protocol, defined in ISO/IEC 7816-3

Signals

VCC : Power supply

IC power supply pin

Almost all integrated circuits have at least two pins that connect to the power rails of the circuit in which they are installed. These are known as the IC's power supply pins...

.
RST : Reset signal, used to reset the card's communications.
CLK : Provides the card with a clock signal

Clock signal

In electronics and especially synchronous digital circuits, a clock signal is a particular type of signal that oscillates between a high and a low state and is utilized like a metronome to coordinate actions of circuits...

, from which data communications timing is derived.
GND : Ground

Ground (electricity)

In electrical engineering, ground or earth may be the reference point in an electrical circuit from which other voltages are measured, or a common return path for electric current, or a direct physical connection to the Earth....

(reference voltage).
VPP : ISO/IEC 7816-3:1997 designated this as a programming voltage - an input for a higher voltage to program persistent memory (e.g., EEPROM

EEPROM

EEPROM stands for Electrically Erasable Programmable Read-Only Memory and is a type of non-volatile memory used in computers and other electronic devices to store small amounts of data that must be saved when power is removed, e.g., calibration...

).
ISO/IEC 7816-3:2006 designates it SPU, for either standard or proprietary use, as input and/or output.
I/O : Serial input and output (half-duplex).
C4, C8 : The two remaining contacts are AUX1 and AUX2 respectively, and used for USB interfaces and other uses.

Reader

Contact smart card readers are used as a communications medium between the smart card and a host (e.g., a computer, a point of sale terminal) or a mobile telephone.

Because the chips in financial cards are the same as those used in Subscriber Identity Module

Subscriber Identity Module

s (SIMs) in mobile phones, programmed differently and embedded in a different piece of PVC

Polyvinyl chloride

, chip manufacturers are building to the more demanding GSM/3G standards. So, for example, although the EMV

EMV

standard allows a chip card to draw 50 mA from its terminal, cards are normally well below the telephone industry's 6 mA limit. This allows smaller and cheaper financial card terminals.

Protocol analysis

Hardware and software tools are available to monitor and analyze communications between smart cards and readers.

Contactless

A second card type is the contactless smart card, in which the card communicates with and is powered by the reader through RF induction technology (at data rates of 106–848 kbit/s). These cards require only proximity to an antenna to communicate. They are often used for quick or hands-free transactions such as paying for public transportation without removing the card from a wallet

Wallet

A wallet, or billfold, is a small, flat case that is used to carry personal items such as cash, credit cards, identification documents , photographs, business cards and other paper or laminated cards...

.

Like smart cards with contacts, contactless cards do not have an internal power source. Instead, they use an inductor

Inductor

An inductor is a passive two-terminal electrical component used to store energy in a magnetic field. An inductor's ability to store magnetic energy is measured by its inductance, in units of henries...

to capture some of the incident radio-frequency interrogation signal, rectify

Rectifier

A rectifier is an electrical device that converts alternating current , which periodically reverses direction, to direct current , which flows in only one direction. The process is known as rectification...

it, and use it to power the card's electronics.

Communication protocols

Communication protocols
Name	Description
ISO/IEC 14443	APDU transmission via contactless interface, defined in ISO/IEC 14443-4

Hybrids

Dual-interface cards implement contactless and contact interfaces on a single card with some shared storage and processing. An example is Porto

Porto

Porto , also known as Oporto in English, is the second largest city in Portugal and one of the major urban areas in the Iberian Peninsula. Its administrative limits include a population of 237,559 inhabitants distributed within 15 civil parishes...

's multi-application transport card, called Andante

Andante ticket

Andante is a public transport ticketing system used in and around Porto, Portugal.It started operation in November 2002 at Metro do Porto stations and is now a cross-network ticket used on the Porto Metro, selected bus and train routes and the Funicular dos Guindais cable railway.Two types of card...

, which uses a chip with both contact and contactless

Contactless smart card

A contactless smart card is any pocket-sized card with embedded integrated circuits that can process and store data, and communicate with a terminal via radio waves. There are two broad categories of contactless smart cards. Memory cards contain non-volatile memory storage components, and perhaps...

(ISO/IEC 14443 Type B) interfaces.

Computer security

The Mozilla Firefox

Mozilla Firefox

Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...

web browser

Web browser

A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...

can use smart cards to store certificate

Public key certificate

In cryptography, a public key certificate is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth...

s for use in secure web browsing.

Some disk encryption systems

Disk encryption software

To protect confidentiality of the data stored on a computer disk a computer security technique called disk encryption is used. This article discusses software that is used to implement the technique...

, such as FreeOTFE

FreeOTFE

FreeOTFE is an open source on-the-fly disk encryption computer program for PCs running Microsoft Windows, and personal digital assistants running Windows Mobile . It creates virtual drives, or disks, to which anything written is automatically encrypted before being stored on a computer's hard or...

, TrueCrypt

TrueCrypt

TrueCrypt is a software application used for on-the-fly encryption . It is free and open source. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device .- Operating systems :TrueCrypt supports Microsoft Windows, Mac OS X, and...

and Microsoft Windows 7 BitLocker, can use smart cards to securely hold encryption keys, and also to add another layer of encryption to critical parts of the secured disk.

Smart cards are also used for single sign-on

Single sign-on

to log on to computers.

Smart card support functionality has been added to Windows Live

Windows Live

Windows Live is the collective brand name for a set of services and software products from Microsoft, part of their software plus services platform. A majority of these services are Web applications, accessible from a browser, but there are also client-side binary applications that require...

passports.

Credit cards

These are the best known payment cards (classic plastic card):

Visa: Visa Contactless, Quick VSDC—"qVSDC", Visa Wave, MSD, payWave
MasterCard: PayPass Magstripe, PayPass MChip
American Express: ExpressPay
Discover: Zip

Roll-outs started in 2005 in USA. Asia and Europe followed in 2006. Contactless (non PIN) transactions cover a payment range of ~$5–50. There is an ISO/IEC 14443 PayPass implementation. Some, but not all PayPass implementations conform to EMV.

Non-EMV cards work like magnetic stripe cards. This is a typical USA card technology (PayPass Magstripe and VISA MSD). The cards do not hold/maintain the account balance. All payment passes without a PIN, usually in off-line mode. The security of such a transaction is no greater than with a magnetic stripe card transaction.

EMV cards have contact and contactless interfaces. They work as a normal EMV card via contact interface. Via contactless interface they work somewhat differently in that the card command sequence adopts contactless features such as low power and short transaction time.

Cryptographic smart cards

Cryptographic smart cards are often used for single sign-on

Single sign-on

. Most advanced smart cards include specialized cryptographic hardware that uses algorithms such as RSA and DSA

Digital Signature Algorithm

The Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...

. Today's cryptographic smart cards generate key pairs on board, to avoid the risk from having more than one copy of the key (since by design there usually isn't a way to extract private keys from a smart card). Such smart cards are mainly used for digital signature

Digital signature

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...

and secure identification, (see applications section).

The most common way to access cryptographic smart card functions on a computer is to use a vendor-provided PKCS#11

PKCS11

In cryptography, PKCS #11 is one of the family of standards called Public-Key Cryptography Standards , published by RSA Laboratories, that defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules and smart cards...

library. On Microsoft Windows

Microsoft Windows

Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...

the CSP

Cryptographic Service Provider

In Microsoft Windows, a Cryptographic Service Provider is a software library that implements the Microsoft CryptoAPI . CSPs implement encoding and decoding functions, which computer application programs may use, for example, to implement strong user authentication or for secure email. CSPs are...

API is also supported.

The most widely used cryptographic algorithms in smart cards (excluding the GSM so-called "crypto algorithm") are Triple DES

Triple DES

In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block....

and RSA. The key set is usually loaded (DES) or generated (RSA) on the card at the personalization stage.

Some of these smart cards are also made to support the NIST

National Institute of Standards and Technology

The National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...

standard for Personal Identity Verification, FIPS 201.

Financial

Smart cards serve as credit or ATM cards, fuel card

Fuel card

A fuel card or fleet card is used as a payment card most commonly for gasoline, diesel and other fuels at gas stations. Fleet cards can also be used to pay for vehicle maintenance and expenses at the discretion of the fleet owner or manager. The use of a fleet card also eliminates the need for...

s, mobile phone SIM

Subscriber Identity Module

s, authorization cards for pay television, household utility pre-payment cards, high-security identification and access-control cards, and public transport

Public transport

Public transport is a shared passenger transportation service which is available for use by the general public, as distinct from modes such as taxicab, car pooling or hired buses which are not shared by strangers without private arrangement.Public transport modes include buses, trolleybuses, trams...

and public phone payment cards.

Smart cards may also be used as electronic wallets. The smart card chip can be "loaded" with funds to pay parking meters and vending machines or at various merchants. Cryptographic protocol

Cryptographic protocol

A security protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods.A protocol describes how the algorithms should be used...

s protect the exchange of money between the smart card and the accepting machine. No connection to the issuing bank is necessary, so the holder of the card can use it even if not the owner. Examples are Proton

Proton (bank card)

Proton is an electronic purse application for debit cards in Belgium. The system was introduced in February 1995 with the goal to replace cash primarily for small transactions around the 15 EUR...

, Geldkarte

Geldkarte

, Chipknip and Mon€o

Mon€o

Moneo, sometimes branded as mon€o, is an electronic purse system available on French bank cards to allow small purchases to be made without cash....

. The German Geldkarte is also used to validate customer age at vending machine

Vending machine

A vending machine is a machine which dispenses items such as snacks, beverages, alcohol, cigarettes, lottery tickets, consumer products and even gold and gems to customers automatically, after the customer inserts currency or credit into the machine....

s for cigarettes.

Health care (medical)

Smart health cards can improve the security and privacy of patient information, provide a secure carrier for portable medical record

Medical record

The terms medical record, health record, and medical chart are used somewhat interchangeably to describe the systematic documentation of a single patient's medical history and care across time within one particular health care provider's jurisdiction....

s, reduce health care fraud, support new processes for portable medical records, provide secure access to emergency medical information, enable compliance with government initiatives and mandates, and provide the platform to implement other applications as needed by the health care organization.

Identification

A quickly growing application is in digital identification. In this application, the cards authenticate identity. The most common example employs Public key infrastructure

Public key infrastructure

Public Key Infrastructure is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate...

(PKI). The card stores an encrypted digital certificate issued from the PKI provider along with other relevant information. Examples include the U.S. Department of Defense

United States Department of Defense

The United States Department of Defense is the U.S...

(DoD) Common Access Card

Common Access Card

The Common Access Card is a United States Department of Defense smart card issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, other non-DoD government employees, state employees of the National Guard, and eligible contractor personnel.The...

(CAC), and various identification cards used by many governments for their citizens. Combined with biometrics, cards can provide two- or three-factor authentication. Smart cards are not always privacy-enhancing, because the subject carries possibly incriminating information on the card. Contactless smart cards that can be read from within a wallet or even a garment simplify authentication.

The first smart card driver's license system in the world was implemented in 1987 in Turkey. Turkey had a high level of road accidents and decided to develop and use digital tachograph devices on heavy vehicles, instead of the existing mechanical ones, to reduce speed violations. Since 1987, the professional driver's licenses in Turkey are issued as smart cards and the driver is required to insert his driver's license into the digital tachograph before starting to drive. The tachograph unit records speed violations for each driver and gives a printed report. The driving hours for each driver is also being monitored and reported. In 1990 the European Union conducted a feasibility study through BEVAC Consulting Engineers, titled "Feasibility study with respect to a European electronic drivers licence (based on a smart-card) on behalf of Directorate General VII". In this study, chapter seven is dedicated to the experience in Turkey, stating that the electronic driver's license application, in the form of smart cards, was first implemented in Turkey in 1987.

A smart card driver's license system was later issued in 1995 in Mendoza province of Argentina. Mendoza had a high level of road accidents, driving offenses, and a poor record of recovering outstanding fines. Smart licenses hold up-to-date records of driving offenses and unpaid fines. They also store personal information, license type and number, and a photograph. Emergency medical information such as blood type, allergies, and biometrics (fingerprints) can be stored on the chip if the card holder wishes. The Argentina government anticipates that this system will help to collect more than $10 million per year in fines.

In 1999 Gujarat was the first Indian state to introduce a smart card license system. To date it has issued 5 million smart card driving licenses to its people.
In 2002, the Estonian government started to issue smart cards named ID Kaart

Estonian ID card

The Estonian identity card is a chipped picture ID issued in the Republic of Estonia by the Citizenship and Migration Board of the Ministry of Internal Affairs. It is officially a primary-picture ID in Estonia, and is therefore recognised by all member states of the European Union or the Schengen...

as primary identification for citizens to replace the usual passport in domestic and EU use.
As of 2010 about 1 million smart cards have been issued (total population is about 1.3 million) and they are widely used in internet banking, buying public transport tickets, authorization on various websites etc.

By the start of 2009 the entire population of Spain

Spain

Spain , officially the Kingdom of Spain languages]] under the European Charter for Regional or Minority Languages. In each of these, Spain's official name is as follows:;;;;;;), is a country and member state of the European Union located in southwestern Europe on the Iberian Peninsula...

and Belgium

Belgium

will have an eID card that is used for identification. These cards contain two certificates: one for authentication and one for signature. This signature is legally enforceable. More and more services in these countries use eID for authorization

Authorization

Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy...

.

Smart cards are also beginning to be used in emergency situations. In 2004, The Smart Card Alliance issued a statement expressing the need to "to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification". In light of this, emergency response personnel have now begun to carry these cards so that they can be positively identified in emergency situations. WidePoint Corporation

WidePoint Corporation

WidePoint Corporation is an American company based in Oakbrook Terrace, Illinois that provides technology-based products and services to the government sector and commercial markets in the United States...

, a smart card provider to FEMA

Federal Emergency Management Agency

The Federal Emergency Management Agency is an agency of the United States Department of Homeland Security, initially created by Presidential Reorganization Plan No. 1 of 1978 and implemented by two Executive Orders...

, produces cards that contain additional personal information, such as medical records and skill sets. Cards like these provide immediate access to information, which allows first responders to bypass organizational paperwork and focus more time on the emergency resolution.

Schools

Smart cards are being provided to students at schools and colleges. Usage includes:

Tracking student attendance
As an electronic purse, to pay for items at canteens, vending machines etc
Tracking and monitoring food choices at the canteen, to help the student maintain a healthy diet
Tracking loans from the school library

Public transit

Smart cards and integrated ticketing

Integrated ticketing

Integrated ticketing allows a person to make a journey that involves transfers within or between different transport modes with a single ticket that is valid for the complete journey, modes being buses, trains, subways, ferries, etc...

have become widely used by public transit operators around the world. Card users may use their cards for other purposes than for transit, such as small purchases. Some operators offer points for usage, exchanged at retailers or for other benefits. Example include the Octopus Card

Octopus card

The Octopus card is a rechargeable contactless stored value smart card used to transfer electronic payments in online or offline systems in Hong Kong...

used in Hong Kong, London's Oyster Card

Oyster card

The Oyster card is a form of electronic ticketing used on public transport services within the Greater London area of the United Kingdom. It is promoted by Transport for London and is valid on a number of different travel systems across London including London Underground, buses, the Docklands...

, Montréal's OPUS card and San Francisco's Clipper card. However, they have been criticized for presenting a privacy

Privacy

Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...

risk because it can allow the mass transit operator (and the government) to track an individual's movement. In Finland, for example, the Data Protection Ombudsman

Ombudsman

An ombudsman is a person who acts as a trusted intermediary between an organization and some internal or external constituency while representing not only but mostly the broad scope of constituent interests...

prohibited the transport operator Helsinki Metropolitan Area Council

Helsinki Metropolitan Area Council

The Helsinki Metropolitan Area Council was a co-operation agency operating in the Helsinki Metropolitan Area, now replaced by HSL and HSY. The organisation had a few responsibilities, most notably regional public transport and waste management. It was subordinated to the city councils of the four...

(YTV) from collecting such information, despite YTV's argument that the card owner has the right to a list of trips paid with the card. Earlier, such information was used in the investigation of the Myyrmanni bombing

Myyrmanni bombing

The Myyrmanni bombing took place on October 11, 2002, in Myyrmäki, Vantaa, Finland, in Greater Helsinki, at the Myyrmanni shopping mall. The bomb killed seven, including two teenagers, a 7-year-old child and the presumed bomber. 166 people were injured, including 10 children. 66 victims required...

Concessionary travel

A highly successful use for smart cards within the UK is in concessionary travel schemes. Mandated by the Department for Transport

Department for Transport

In the United Kingdom, the Department for Transport is the government department responsible for the English transport network and a limited number of transport matters in Scotland, Wales and Northern Ireland which are not devolved...

, travel entitlements for elderly and disabled residents are administered by local authorities and passenger transport executives. Smart cards have been issued as bus passes to qualifying residents; however these smart cards can instead now be used by elderly and disabled people who qualify for concessionary taxi travel. These schemes are part of an additional service offered by some local authorities as an alternative for residents unable to make use of their bus pass. One example is the "Smartcare go" scheme provided by Ecebs.

Other

Smart cards are widely used to protect

Television encryption

Television encryption, often referred to as "scrambling", is encryption used to control access to pay television services, usually cable or satellite television services.-History:...

digital television streams. VideoGuard

VideoGuard

VideoGuard , produced by NDS, is a digital encryption system for use with conditional access television broadcasting. It is used on digital satellite television systems - some of which are operated by News Corporation, which owns about half of NDS...

is a specific example of how smart card security worked (and was cracked).

The Malaysian government uses smart identity cards carried by all citizens and resident non-citizens. The personal information inside the MYKAD card can be read using special APDU commands.

Since April 2009, has manufactured reusable smart cards for money transfer and made from paper instead of plastic.

Security

Smart cards have been advertised as suitable for personal identification tasks, because they are engineered to be tamper resistant. The chip usually implements some cryptographic algorithm

Cryptography

Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

. There are, however, several methods for recovering some of the algorithm's internal state.

Differential power analysis

Differential power analysis
involves measuring the precise time and electrical current required for certain encryption or decryption operations. This can deduce the on-chip private key used by public key algorithms such as RSA. Some implementations of symmetric ciphers can be vulnerable to timing or power attacks as well.

Physical disassembly

Smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain unrestricted access to the on-board microprocessor. Although such techniques obviously involve a fairly high risk of permanent damage to the chip, they permit much more detailed information (e.g. photomicrographs of encryption hardware) to be extracted.

Problems

The plastic card in which the chip is embedded is fairly flexible, and the larger the chip, the higher the probability that normal use could damage it. Cards are often carried in wallets or pockets—a harsh environment for a chip. However, for large banking systems, failure-management costs can be more than offset by fraud reduction.

Client-side identification and authentication cards are the most secure way for e.g., internet banking applications, but security is never 100% sure. If the account holder's computer hosts malware

Malware

Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...

, the security model may be broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the application. The malware (e.g. the trojan Silentbanker) could modify a transaction, unnoticed by the user. Banks like Fortis

Fortis (finance)

Fortis N.V./S.A. was a company active in insurance, banking and investment management. In 2007 it was the 20th largest business in the world by revenue but after encountering severe problems in the financial crisis of 2008, most of the company was sold in parts, with only insurance activities...

and Dexia

Dexia

Dexia N.V./S.A., also referred to as the Dexia Group, is a Belgian-French financial institution active in public finance, providing retail and commercial banking services to individuals and SMEs, asset management, and insurance...

in Belgium combine a smart card with an unconnected card reader to avoid this problem. The customer enters a challenge received from the bank's website, a PIN and the transaction amount into the reader, The reader returns an 8-digit signature. This signature is manually entered into the personal computer and verified by the bank, preventing malware from changing the transaction amount.

Another problem is the lack of standards for functionality and security. To address this problem, The Berlin Group launched the ERIDANE Project to propose "a new functional and security framework for smart-card based Point of Interaction (POI) equipment".

Terminology

ATR: answer to reset
Answer to reset
An Answer To Reset is a message output by a contact Smart Card conforming to ISO/IEC 7816 standards, following electrical reset of the card's chip by a card reader...
BCD: binary-coded decimal
Binary-coded decimal
In computing and electronic systems, binary-coded decimal is a digital encoding method for numbers using decimal notation, with each decimal digit represented by its own binary sequence. In BCD, a numeral is usually represented by four bits which, in general, represent the decimal range 0 through 9...
CHV: card holder verification
COS: card operating system
DF: dedicated file
IC: integrated circuit
PC/SC
PC/SC
PC/SC is a specification for smart-card integration into computing environments.Microsoft has implemented PC/SC in Microsoft Windows 200x/XP and makes it available under Microsoft Windows NT/9x....

: personal computer / smart card
MF: master file
PPS: protocol and parameters selection
RFU: reserved for future use

External links

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.

Overview

Benefits

History

Invention

Carte Bleue

EMV

Contactless

Contact

Communication protocols

Signals

Reader

Protocol analysis

Contactless

Communication protocols

Hybrids

Computer security

Credit cards

Cryptographic smart cards

Financial

Health care (medical)

Identification

Schools

Public transit

Concessionary travel

Other

Security

Differential power analysis

Physical disassembly

Problems

Terminology

See also

External links