
Smart card

Smart cards (English: smart card) are plastic cards with a built-in microchip (integrated circuit card, ICC: a card with embedded electronic circuits). In most cases a smart card contains a microprocessor and an operating system that controls the device and restricts access to the objects in its memory. In addition, smart cards as a rule are able to perform cryptographic calculations.

Smart cards are intended for one- and two-factor authentication of users, for storing key material, and for performing cryptographic operations in a trusted environment.

Smart cards are finding ever wider use, from loyalty discount schemes to credit and debit cards, student cards, GSM telephones and travel tickets.

History

A card with an integrated chip was invented by the German engineer Helmut Gröttrup and his colleague Jürgen Dethloff in 1968; the patent was finally granted in 1982. The first mass use of such cards was in France for paying for telephone calls, beginning in 1983.

The French inventor Roland Moreno patented his first concept of a memory card in 1974. In 1977 Michel Ugon of Honeywell Bull invented the first smart card with an integrated microprocessor. In 1978 Honeywell Bull patented the SPOM (Self-Programming Single-Chip Microcomputer), which defines the architecture needed to program the chip automatically. Three years later the very first CP8 chip based on this invention was made by Motorola. At that time Bull held 1,200 patents related to smart cards.

In 2001 Bull sold its CP8 division, together with all its patents, to Schlumberger. Schlumberger subsequently merged its smart card department with CP8 and established Axalto. In 2006 Axalto and Gemplus, the two leaders of the smart card market at the time, merged and became known as Gemalto. The second mass deployment of the technology, the integration of microchips into all French debit cards (Carte Bleue), was completed in 1992. When paying with a Carte Bleue in France, the cardholder had to insert the card into the payment terminal, enter the PIN code, and then perform the required operation.

Electronic money systems based on smart card technology came into active use in Europe in the mid-1990s, most notably in Germany (Geldkarte), Austria (Quick), Belgium (Proton), France (Moneo), the Netherlands (Chipknip), Switzerland (Cash), Norway (Mondex), Sweden (Cash), Finland (Avant), Great Britain (Mondex), Denmark (Danmønt) and Portugal (Porta-moedas Multibanco).

The greatest growth in the use of smart cards came in the 1990s with the introduction of smart-card-based SIM cards in GSM mobile phones in Europe. As mobile phones spread across Europe, smart cards became ubiquitous as well.

In 1993 the international payment systems MasterCard, Visa and Europay signed a cooperation agreement to develop technical specifications for the use of smart cards in credit and debit card payments. The first version of the EMV (Europay, MasterCard, Visa) standard was released in 1994. The next version of the technical specifications became available in 1998.

Everywhere except a few countries, such as the United States, there has been significant progress in deploying EMV-compatible equipment at retail outlets and in issuing debit and credit cards that comply with the EMV specifications. Usually the national payment associations, with the participation and support of MasterCard International, Visa International, American Express and JCB, gradually implemented a plan agreed with all the interested parties.

For banks considering smart cards, the only quantifiable benefit is the possibility of a significant reduction in counterfeiting. Some critics argue that the savings are far smaller than the cost of implementing EMV, and therefore many believe that the US payment systems prefer to wait out the current EMV cycle and then introduce a new, contactless technology.

Smart cards with a contactless interface are becoming increasingly popular for payments and for public transport fares. Visa and MasterCard agreed on an easy-to-implement version, which was put into use in the USA in 2004 to 2006. Contactless fare collection systems for public transport have been introduced worldwide. On closer inspection the various evolving standards are incompatible, although the Philips Mifare contactless technology holds a significant share in US and European trade.

Smart cards have also been introduced for personal identification and documents at the regional, national and international levels: civil ID cards, driver's licences and medical documents. In Malaysia, MyKad ID cards, which combine 8 different functions, are held by 18 million residents. Contactless smart cards are embedded in biometric passports to raise the level of security in international travel.

Smart Card Types

All smart cards can be divided, according to the method of exchange with the reader, into:

  • contact smart cards with an ISO 7816 interface;
  • contact smart cards with a USB interface;
  • contactless (RFID) smart cards.

There are cards that include both contact and contactless interfaces.

By functionality, cards can be divided into:

  • memory cards (contain a certain amount of data and a mechanism for restricting access to it);
  • smart cards proper (contain a microprocessor and the ability to manage the data on the card).

Contact smart cards with ISO 7816

Contact smart cards have a contact area consisting of several small contact pads. When the card is inserted into the reader, the chip touches the reader's electrical connectors, and the reader can read and/or write information on the chip.

The shape of the card and of the contacts, their location and their purpose are regulated by the ISO/IEC 7816 and ISO/IEC 7810 standards. ISO/IEC 7816 also regulates the communication protocols and some aspects of data handling that are used by other kinds of smart cards as well.

Contact cards contain no battery; power is supplied by the reader.

The most common contact smart cards are cellular SIM cards, payphone cards and modern bank cards.
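The command/response framing that ISO/IEC 7816-4 defines for this exchange, as an added example that is not part of the original article: the VERIFY instruction code and the status words are the standard's, while the PIN value, the P2 parameter and the card replies are constructed for the demonstration.

```python
# Added illustration (not code from the article) of ISO/IEC 7816-4 APDU
# framing over the contact interface: how a host builds a command and
# interprets the card's two status bytes. Layouts and status words are
# the standard's; the sample PIN and card replies are constructed.
from dataclasses import dataclass
from typing import Optional

INS_VERIFY = 0x20  # ISO/IEC 7816-4 VERIFY instruction (PIN check)


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if not 0 <= len(data) <= 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data   # Lc field followed by the data
    if le is not None:
        apdu += bytes([le & 0xFF])          # Le = 0x00 means "up to 256 bytes"
    return apdu


@dataclass
class Response:
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2


def parse_response(raw: bytes) -> Response:
    """Split a response APDU into its data field and the SW1 SW2 trailer."""
    if len(raw) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    return Response(raw[:-2], raw[-2], raw[-1])


def describe_status(resp: Response) -> str:
    """Translate common status words into what the host should do next."""
    if resp.sw == 0x9000:
        return "ok"
    if resp.sw1 == 0x63 and resp.sw2 & 0xF0 == 0xC0:
        return f"wrong PIN, {resp.sw2 & 0x0F} tries left"   # 63 Cx warning
    if resp.sw == 0x6983:
        return "PIN blocked"                  # authentication method blocked
    if resp.sw == 0x6982:
        return "security status not satisfied"
    if resp.sw1 == 0x61:
        return f"{resp.sw2} more bytes available"  # fetch with GET RESPONSE
    return f"error {resp.sw:04X}"


if __name__ == "__main__":
    # Constructed: VERIFY the global PIN "1234" (P2 = 0x80) and a card reply
    cmd = build_apdu(0x00, INS_VERIFY, 0x00, 0x80, b"1234")
    print(cmd.hex())                              # 002000800431323334
    print(describe_status(parse_response(bytes([0x63, 0xC2]))))
```

A host application that honours the remaining-tries counter in a 63 Cx reply can warn the user before the card reaches the blocked state 69 83.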

USB Contact Smart Cards

These are usually the chip of a standard ISO 7816 card combined with a USB reader in a single miniature housing. This makes the use of smart cards for computer authentication much more convenient.

Examples are the Rutoken and eToken products.

Contactless Smart Cards

Contactless smart cards communicate with the reader using RFID technology. The card must be brought close enough to the reader to perform the required operations. They are often used where an operation has to be completed quickly, for example in public transport.

The standard for contactless smart cards is ISO/IEC 14443, less commonly ISO/IEC 15693.

Like contact smart cards, contactless cards have no battery. They contain a built-in induction coil that captures energy from the reader's RF field; the induced current is rectified and used to power the card.

Examples of widely used contactless smart cards are travel cards for the subway and surface transport, electronic ("biometric") passports, and some types of cards in access control systems (ACS).

Memory Cards

They contain a certain amount of data and a fixed mechanism for restricting access to it. As a rule these are cards for micropayments in transport, payphones and leisure parks, customer loyalty cards, etc.

The access restriction mechanism can be very simple (write-once memory, a password, a unique number) or more complex (mutual authentication using standard symmetric cryptographic algorithms such as AES or DES).

Memory cards are the most common smart cards (travel cards for the subway and surface transport, payphone cards).

Intelligent Cards

They contain a microprocessor and can load the algorithms it executes. Such cards can perform complex authentication, complex exchange protocols, logging of access events, etc.

In addition to symmetric cryptography (AES, DES), they support asymmetric algorithms (RSA) and public key infrastructure (PKI), have hardware random number generators, and offer enhanced protection against physical attacks.

As a rule they run under the control of an operating system (for example JCOP or MULTOS) and come with the appropriate set of certifications.

Examples are electronic ("biometric") passports and visas, and SIM cards.

Contact Smart Card Readers

Figure: Readers of transport smart cards, Novosibirsk

Despite the name, most terminal devices, or interface devices (IFD, InterFace Device), are capable of both reading and writing, provided the card's capabilities and access permissions allow it. Smart card readers can connect to a computer via:

  • a serial port;
  • a PCMCIA slot;
  • the USB bus.

Smart card readers can also be integrated into a keyboard.

Some manufacturers produce other types of hardware devices that integrate a contact smart card with a smart card reader. In memory and computational capabilities they are fully equivalent to smart cards. The most popular are hardware keys using the USB port. USB keys are attractive to some organizations because USB is a standard that is increasingly common in new computers: the organization does not need to purchase separate readers for its users.

Using smart devices for public key authentication

Smart cards, USB keys and other smart devices can increase the reliability of PKI services: a smart card can be used to store a user's private keys securely and to perform cryptographic transformations safely. Of course, intelligent authentication devices do not provide absolute protection, but their protection far exceeds what a conventional desktop computer can offer.

There are many ways to store and use a private key, and different developers take different approaches. The simplest is to use the intelligent device like a floppy disk: when needed, the card exports the private key and the cryptographic operations are performed on the workstation. This approach is not ideal from a security standpoint, but it is relatively easy to implement and places low demands on the intelligent device.

The other two approaches are safer because the cryptographic operations are performed by the intelligent device itself. In the first, the user generates the keys on the workstation and saves them into the device's memory. In the second, the user generates the keys on the device. In both cases, once the private key has been stored, it cannot be extracted from the device or obtained in any other way.

Key pair

When the key is generated outside the device, the user can make a backup copy of the private key. If the device fails, is lost, damaged or destroyed, the user can load the same private key onto a new card. This matters if the user needs to decrypt data or messages encrypted with the corresponding public key; for authentication the loss causes only a short-term problem. On the other hand, the user's private key is then at risk of being stolen.

When the key is generated on the device, the private key never appears in the clear, and there is no risk of an attacker stealing a backup copy of it. The only way to use the private key is to possess the intelligent device. Being the most secure, this solution places high demands on the capabilities of the smart device: it must generate keys and perform the cryptographic transformations itself. It also means that the private key cannot be recovered if the device fails, is lost, and so on. This is a concern when the private key is used for encryption, but not when it is used for authentication or for other services based on digital signatures.

Application

Computer Security

Some disk encryption systems, such as FreeOTFE, TrueCrypt and Microsoft BitLocker, can use smart cards to store keys securely and to add a further layer of encryption to critical parts of the protected disk. Smart cards are also used for single sign-on.

Financial Applications

Smart card applications include bank, discount, telephone and fare cards, various consumer services, etc.

Smart cards can also be used as e-wallets: information about the funds with which the holder can pay at various retail outlets can be loaded onto the card's chip (see stored-value card).

Cryptographic protocols protect the exchange of information between a smart card and an ATM.

If there is no direct connection to the bank at the time, the card is used offline, unlike magnetic stripe cards, for which a request is sent to the bank, which then authorizes the operation.

Identification

The use of smart cards for digital identification is growing rapidly. In this area the card serves to identify its holder. A more general example is use in conjunction with a PKI: the smart card stores the encrypted digital certificate received from the PKI together with some other information about the holder.

Combining such smart cards with biometric data gives two- or three-factor authentication.

The first smart-card-based driver's licence system was introduced in the province of Mendoza in Argentina, which had a high rate of road accidents and a low rate of fine payment. The smart licences met modern requirements for recording traffic violations and unpaid fines. They also held the driver's personal data, photo and, at the holder's request, medical information. The government expected the new system to help collect more than $10 million in fines.

By early 2009 the entire populations of Spain and Belgium had government-issued eID cards used for identification. These cards contain 2 certificates: one for authentication and one for signing. More and more services in these countries use eID cards for authorization.

In 2010 the Russian Federation announced the introduction of a universal electronic card as a means of identification (issuance of the cards was discontinued at the beginning of 2017; nationwide rollout was not completed).

Digital TV

Figure: Digital TV receiver and access card

Smart cards (conditional access cards) are widely used to enable encrypted pay-per-view digital, satellite and cable television channels.

They are used in various conditional access systems.

The card's chip not only performs part of the signal decoding but also holds the subscriber's individual number (ID), which lets the digital television operator control access. When the subscription expires, the operator embeds additional control commands in the encoded video stream; on receiving them, the subscriber's access card blocks viewing of the encrypted channels. After the subscription is paid, access to the encrypted channels is restored in the same way.

They are used by most satellite TV operators, for example: NTV-Plus (Viaccess encoding); Continent TV and Rainbow TV (Irdeto encoding); Telecard TV (Conax encoding); Tricolor TV (DRE-Crypt encoding).

Security

Standards

Smart card security is governed by a large number of international and corporate standards and rules, and in addition by national laws regulating the export and import of equipment and cryptographic algorithms and the rules of digital security in government.

The following standards are the best known:

  • ISO/IEC 15408, commonly known as the Common Criteria, is a broad set of rules for the security of digital systems.
  • Federal Information Processing Standards (FIPS), the US national information security standards. With regard to smart card security the best known is FIPS 140, the requirements for cryptographic modules.
  • EMV, a joint Europay, MasterCard and VISA standard for card payment systems.

Security requirements are often included in industry standards as well, for example GlobalPlatform, EPC, JavaCard, etc.

Smart Card Attack Methods [1]

  • Searching for vulnerabilities in the cryptographic algorithms of smart cards. This is helped by the almost complete openness of the algorithms used; however, vulnerabilities that are found are fixed quickly.
  • Differential power analysis: analysis of the waveform of the power consumed by the smart card while a cryptographic algorithm is executing.
  • Physical attack: gaining access to the smart card's electrical circuits after chemical removal of the protective layers from the die, which allows the card's internal design to be analysed and probed with microelectrodes.
  • Abnormal operating conditions: for example unusual temperature, supply voltage or clock frequency at the contacts. This can cause the algorithms to malfunction and thereby expose information.

Problems

  • Possible failure. A plastic card is subjected to significant mechanical stress in use, which raises the probability of the chip breaking. However, for large banking systems the costs associated with smart card failures are outweighed by the potential costs of fraud that the cards prevent.
  • The use of smart cards in public transport threatens privacy, because such a system allows a third party (the transport company) to track the movements of cardholders.
  • Using a smart card to identify and authenticate the holder is the most secure method for online banking applications, but it still does not give complete security. If malware is installed on the computer, safe execution of internet applications is not guaranteed: for example, such software can alter transactions without the holder noticing. The Silent Banker Trojan is an example of such software. Some banks (Fortis and Dexia in Belgium) supplement their smart cards with a contactless reader: the holder submits a request on the bank's website, entering the PIN code, the desired operation and the digital signature produced by the reader, and the bank verifies this signature.
  • Another problem is the lack of standards for smart cards. To address it, the ERIDANE project was launched, which is developing a new smart card architecture that will work with Point Of Interaction (POI) equipment.

Development Trends

  • Enhanced communication capabilities of the card.
  • Implementation of a multitasking mode of operation: the ability to run several applications simultaneously [2].

See also

  • Java Card
  • MULTOS
  • PC/SC
  • Universal electronic card

Notes

  1. ↑ Almost all attack methods are taken into account when designing and testing smart cards, and are also covered by the relevant standards.
  2. ↑ Goldovsky, 2010, p. 182.

Literature

  • Smart card / E. B. Starodubtseva // Great Russian Encyclopedia: [in 35 vols.] / ed. Yu. S. Osipov. Moscow: Great Russian Encyclopedia, 2004–2017.
  • I. M. Goldovsky. Bank microprocessor cards. Moscow: Alpina Publisher, 2010. 694 pp. (Library of the Centre for Payment Systems and Settlements Research). ISBN 978-5-9614-1233-8.

Source: https://ru.wikipedia.org/w/index.php?title=Smart card&oldid=101353152
