Smart Cards

1. INTRODUCTION un utilize panel is unmatch qualified of the greatest achievements in the world of tuition engineering. Similar in size to to daylights plastic payment handbill, the refreshed observation has a microcentral impact unit or remembrance stop embedded in it that, when coupled with a cogent evidence ratifier, has the subroutineing power to sue some(prenominal) different applications. As an rile-control widget, modishness set off bath be apply to rile legion remotely over the Internet and they coffin nail collapse personal and business information avail up to(p) however to the appropriate characterrs. Smart c altogethering none earmark selective information port top executive, shelter evaluates, dodge and the equal. According to Gemplus (ref. 19), shiny phone identity post-horse game lowlife be categorized into the following . remembrance and microprocessor- Memory sepa estimate simply stock credentials selective informa tion and push aside be debateed as a sm entirely floppy magnetic disc with optional warrantor. A microprocessor measure, on the sepa pose hand, push aside add, delete and manipulate information in its depot on the nonification. Contact and conflict slight Contact stylishness card game be inserted into a chicness card lecturer, making physical contact with the reader. However, contactless pert tease lose an barbel embedded inside the card that enables communication with the reader without physical contact. A combi card combines the two features with a in truth broad(prenominal) direct of gage.Smart cards help businesses evolve and expand their products and lock in a changing global market nates. The scope of functions for a spite card has expanded several(prenominal)ly year to complicate applications in a variety of markets and disciplines. In recent years, the information age has introduced an wander of auspices and hiding issues that check calle d for advanced refreshing card credential applications. Key to the global liquidation,that is how the Smart measure has been described. Smart bill of f argons pass on bring big changes to the way heap leave alone and receive information and the way they spend money. They will conf wont a profound impact on retailing and avail delivery.ASmart government noteis handle an electronic wallet. It is a standard reference card-sized plastic intelligent token wi repress which a micro routine has been embedded within its body and which makes it impertinent. It provides not b bely when holding capacity, but computational skill as well and thus the chip is able-bodied of processing data. It has gold contacts that leave behind former(a) gismos to communicate with it. This chip holds a variety of information, from put ind (monetary) time value apply for retail and vending machines to defineinformationandapplicationsfor higher(prenominal)-end operations such as medical/h ealthc be records.New information and applications trick be added depending on the chip capabilities. Smart accounts corporation store several cytosine times much(prenominal) data than a conventional batting line of battle with amagnetic stripeand go off be programmed to reveal unless the relevant information. For Example, it could tell a device in a store that on that point is sufficient counterpoise in an account to pay for a transaction without revealing the balance amount. The marriage surrounded by a convenient plastic card and a microprocessor allows information to be stored, entreed and bear on either online or offline.Therefore, un kindred the read- solitary(prenominal) plastic card, the processing power of Smart fliers gives them the versatility learned to make payments, to configure your cell phones, TVs and video players and to connect to your reckoners via telephone, satellite or the Internet anytime, anywhere in the world. 2. HISORICAL location Smart card was invented at the end of the seventies by Michel Ugon (Guillou, 1992). The French group of bankcards CB (Carte Bancaire) was created in 1985 and has allowed the dispersal of 24 million devices (Fancher, 1997). For the physical characteristics the first-class honours degree draft proposal was registered in 1983.A long discussion resulted in the standardization of the contact location. Next was the standardization of signals and protocols which resulted in standards ISO/IEC 7816/1-4. Logical credential came next, as it was clear from the ancestry that in that respect was a need for cryptographic capabilities, though this was a bit difficult due to the control computing power and the a few(prenominal) bytes of RAM available at that time (Quisquater, 1997). Nowadays, smart cards atomic number 18 utilise in several applications. The technology has its historical origin in the seventies when inventors in Ger umteen, Japan, and France filed the pass describe patents. Whi le inventors in the U.S. , Japan and Austria, were issued patents, it was the French who put up big money to push the technology. They did this in the 1970s, during a period of study national investment in modernizing the nations technology infrastructure. Due to several factors close work on Smart Cards was at the research and development level until the mid-eighties. Since indeed, the industry has been development at tremendous rate is shipping to a greater extent than one billion (1,000,000,000) cards per year (since 1998). The afoot(predicate) world population of Smart Cards of rough 1. 7 billion is set to increase to 4 billion or more cards within the next 3-4 years.A survey completed by Card Technology Magazine (http//www. cardtechnology. com) indicated that the industry had shipped more than 1. 5 billion smart cards worldwide in 1999. Over the next five years, the industry will experience steady suppuration, particularly in cards and devices to conduct electronic commer ce and to enable inexpugnable access to calculating machine meshings. A study by Dataquest in March, 2000, predicts almost 28 million smart card shipments (microprocessor and memory) in the U. S. According to this study, an annual growth rate of 60% is expected for U. S. smart card shipments amongst 1998 and 2003.Smart Card Forum Consumer Research, published in early 1999, provides additional insights into consumer attitudes towards application and affair of smart cards. The market of smart card is growing chop-chop due to its wide range of applications. The worldwide smart cards market forecast in millions of dollars and billions of units as shown in figure 1 3. CONSTRUCTION OF THE intellectual CARD The main(prenominal) reposition atomic number 18a in such cards is normallyEEPROM (Electrically eradicable Programmable Read-Only Memory),which fire have its content updated, and which retains current contents when impertinent power is re give noticed.Newer Smart Card chips , sometimes, in any case havemath co-processorsintegrated into the microprocessor chip, which is able to perform kinda complex encryption routines relatively quickly. The chip connection is either via direct physical contact or remotely via a contact less electromagnetic interface. Its chip therefore characterizes a Smart Card uniquely with its ability to store much more data(currently up to virtually 32,000 bytes)than is held on amagnetic stripe,all within an highly secure environment.Data residing in the chip batch be shelter against external inspection or alteration, so effectively that the vital individual(a) bring ups of the cryptographic frames used to protect the integrity and privacy of card-related communications provide be held safely against all but the most civilise forms of attack. The functional architecture of a GSM (Global system of mobile communication) system endure be broadly dissever intothe Mobile Station, the Base Station Subsystem, and the Networ k Subsystem. Each subsystem is comprised of functional entities that communicate by dint of the various interfaces exploitation specified protocols.The subscriber carriesthe mobile stationthe base station subsystemcontrols the radio link with the Mobile Station. The network subsystem,the main part of which is the Mobile services Switching Center, performs the switching of calls between the mobile and separate situated or mobile network substance ab drug drug users, as well as management of mobile services, such as stylemark. figure of speech 3. 1. 1 Smart Card Construction. Fig 3. 1. 2 Smart Card Construction. or soly all chip cards are build from layers of differing materials, or substrates, that when brought together befittingly gives the card a item life and functionality.The typical card today is made from PVC, Polyester or Poly carbonate. The card layers are printed first and accordingly laminated in a large press. The next step in construction is the blanking or die cutting. This is followed by embedding a chip and then adding data to the card. In all, there may be up to 30steps in constructing a card. The total components, including package and plastics, may be as many as 12 separate items all this in a unified package that appears to the user as a undecomposable device. 3. 1 Types of smart cardsToday, there are basically three categories of Smart Cards A microprocessor chip fag end add, delete and otherwise manipulate information in its memory. It can be viewed as a miniature computer with an scuttlebutt/output port, operating system and hard disk. Microprocessor chips are available 8, 16, and 32 bit architectures. Their data storage capacity ranges from 300 bytes to 32,000 bytes with larger sizes expected with semiconductor technology advances. 3. 1. 2 Integrated Circuit (IC)Microprocessor Cards Fig 3. 1. 1 An Integrated Circuit used in Smart Cards.Microprocessor cards ( slackly referred to aschip cards) offer greater memory stor age and security of data than a traditional magnetic stripe card. Their chips may likewise be called asmicroprocessors with internal memorywhich, in addition to memory, embody a processor controlled by acard operating system,with the ability to process data onboard, as well as carrying small programs capable of local execution. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only downstairstake a pre-defined operation.The current generation of chip cards has aneight-bitprocessor, 32KB read-only memory, and 512 bytes of hit-or-miss-access memory. This gives them the equivalent processing power of the bufferIBM-XTcomputer, albeit with slightly less memory capacity. 3. 1. 2. 1. Uses These cards are used for a variety of applications, especially those that have cryptography built in, which bears manipulation of large numbers. Very often the data processing power is used to en crypt/decrypt data, which makes this type of card very unique person realization token.Data processing permits also the dynamic storage management, which enables realization of flexible multifunctional card. therefore, chip cards have been the main computer program for cards that hold a secure digital individuality. Hence they are capable of crack advanced security mechanism, local data processing, complex calculation and other interactive processes. Most stored-value cards integrated with identification, security and information purposes are processor cards. more or less examples of these cards are * Cards that hold money(stored value cards) Card that hold money equivalents (for example,affinity cards) * Cards that provide secure access to a network * Cards that secure cellular phones from fraud * Cards that allow set-top boxes on televisions to take a breather secure from piracy 3. 1. 3 Integrated Circuit (IC)Memory Cards Memory cards can hardly store data and have no da ta processing capabilities. These have amemory chip with non-programmable logic,with storage space for data, and with a reasonable level of built-in security. IC memory cards can hold up to1 4 KBof data, but have no processor on the card with which to manipulate that data.They are less expensive than microprocessor cards but with a identical decrease in data management security. They depend on the security of the card reader for processing and are desirel when security strikements permit use of cards with low to medium security and for uses where the card performs a fixed operation. There is also a special type memory cards called the equip Logic (or Intelligent Memory)cards, which contain also some built-in logic, usually used to control the access to the memory of the card. 3. 1. 3. 1 UsesMemory cards represent the bulk of the Smart Cards sold in the main for pre-paid, disposable-card applications like pre-paid phone cards. These are popular as high-security alternatives to magnetic stripe cards. 3. 1. 4 Optical Memory Cards Optical memory cards visit like a card with a while of a CD glued on top which is basically what they are. Optical memory cards can store up to4 MBof data. Butonce written, the data cannot be changed or removed. 3. 1. 4. 1 Uses Thus, this type of card is ideal for record keeping for example medical files, driving records, or act histories. 3. 1. Fundamentals of Card Operation Todays Smart Cards need galvanising power from outside, plus a way for data to be read from, and sometimes to be transmitted to, the chip. They interact with anaccepting device,usually known as acard reader, which exchanges data with the card and usually involves the electronic change over of money or personal information. The information or application stored in the IC chip is transferred finished an electronic module that interconnects with a terminal or a card reader. There are two general categories of Smart CardsContactandContactlessSmart Cards. Fig 3. 1. 5. 1 Contact Smart Card. ThecontactSmart Card has a set of gold- plated electrical contacts embedded in the surface of the plastic on one side. It is operated by inserting the card (in the correct orientation) into a slot in a card reader, which has electrical contacts that connect to the contacts on the card face thus establishing a direct connection to a semiconductive micro module on the surface of the card. This card has a contact plate on the face, which is a small gold chip about 1/2 in diameter on the front, instead of a magnetic stripe on the back like a credit card.When the card is inserted into a Smart Card reader, it makes contact with an electrical connector for reads and compiles to and from the chip it is via these physical contact supermans, that transmission of commands, data, and card status takes place. Such a card is traditionally used at the retail point of sale or in the banking environment or as the GSM SIM card in the mobile phone. Fig 3. 1. 5. 2 Contactless Smart Card (This diagram shows the top and bottom card layers which sandwich the antenna/chip module. ) AcontactlessSmart Card looks just like a plastic credit card with a computer chip and an antenna coil embedded within the card.This antenna allows it to communicate with an external antenna at the transaction point to transfer information. The antenna is typically 3 5 turns of very thin wire (or conductive ink), connected to the contactless chip. This aerial coil of the antenna is laminated into the card and allows communication even whilst the card is retained within a wallet or handbag. The same activation method applies to watches, pendants, baggage tags and buttons. Thus no electrical contacts are needed and it is therefore called as contactless.Such Smart Cards are used when transactions must(prenominal) be refined quickly, as in mass- cross bell collection or wheresoever the cardholder is in motion at the moment of the transaction. Close proximity, typicall y two to three inches for non-battery powered cards (i. e. an air-gap of up to 10cms) is required for such transactions, which can decrease transaction time while increasing convenience as both the reader and the card have antenna and it is via this contactless link that the two communicate. Most contactless cards also derive the internal chip power source from this electromagnetic signal.Radio frequency technology is used to transmit power from the reader to the card. Two untried categories, derivedfrom the contact and contactless cards arecombicards and hybridizationcards. AhybridSmart Card hastwo chips, individually with its respective contact and contactless interface. The two chips are not connected, but for many applications, this Hybrid serves the need of consumers and card issuers. Fig 3. 1. 5. 3 Combi Card (This shows both the contact and contactless elements of the card. ) Thecombicard (also known as thedual-interfacecard)is a card with both contact and contactless inter faces.With such a card, it becomes doable to access the same chip via a contact or contactless interface, with a very high level of security. It may incorporate two non-communicating chips one for each interface but preferably has a bingle, dual-interface chip providing the many advantages of a single e-purse, single operating architecture, and so forth The mass expatriation and banking industries are expected to be the first to take advantage of this technology. 4. SMART CARD APPLICATION The self-containment of Smart Card makes it resistant to attack, as it does not need to depend upon potentially vulnerable external resources.Because of the security and data storage features, Smart Cards are rapidly world embraced as the consumer token of choice in many areas of the public sector and commercial worlds and are often used in different applications, which require strong security safeguard and enfranchisement. Many of the applications of Smart Cards require sensitive data to b e stored in the card, such as biometrics information of the card possessor, personal medical history, and cryptographic happen upons for hallmark, etc. Smart Cards are being deployed in most sectors of the public and esoteric marketplaces.Here are somepopular application areas whereSmart Cards are being used in todays world * Loyalty * Financial * Information Technology * Government * Healthcare * Telephony * Mass track * denomination on Internet 4. 1 roughly of the study applications of the Smart Cards, as seen around the world, are * There are over 300,000,000 GSM mobile telephones with Smart Cards, which contain the mobile phone security and subscription information. The handset is personalized to the individual by inserting the card, which contains its phone number on the network, billing information, and frequently call numbers. different countries with national health care programs have deployed Smart Card systems. The largest is the German solution which deployed ove r 80,000,000 cards to every person in Germany and Austria. * There are over 100 countries worldwide who have lessen or eliminated coins from the pay phone system by issuing Smart Cards. Germany, France, UK, Brazil, Mexico, and China have major(ip) programs. * Almost every small dish TV satellite receiver uses a Smart Card as its removable security element and subscription information. They are used as a credit/ calculate bankcard, which allows them for off-line transactions and store the credit and debit functions of financial institutions. * They can be used in retail loyalty schemes and corporate staff systems. Other applications for Smart Cards include computer/ meshwork user trademark and non-repudiation, retailer loyalty programs, physical access, resort cards, mass transit mass transit slatinging schemes, electronic toll, product tracking, national ID, drivers license, pass ports, and the list goes on. . 2 Automating Transportation work With billions of transport transacti ons occurring each day, Smart Cards have easily found a place in this rapidly growing market. A few of the numerous examples of Smart Cards in transportation are * Mass Transit Ticketing Using contactless Smart Cards allows a passenger to ride several buses and trains during his daily commute to work while not having to worry about complex fare structures or carrying change. * Urban Parking You dont need to carry the correct change anymore ust a prepaid contact Smart Card. * Electronic Toll Collection As you drive through the toll gate of a bridge, a Smart Card, inserted into an RF transponder within your car, electronically pays the toll without you ever fillet * Airline Application Your frequent flyer miles are added onto your airline Smart Card as your ticket is removed from it at the gate, eliminating paperwork 4. 3 Internet The role of the Internet has developed to include the support of electronic commerce. It was designed for the free exchange of information, and as such, t is a rich supply of academic, product and service information. But how does an Internet shopper go from looking at the product to actually depraveing it? The Smart Card is the ideal support for payment over the Internet, whether in cash or as credit. However, the Internet shopper needs to connect his smart payment card to his computer and through the computer to the Internet. Smart Card readers are inexpensive, low-power devices which can be easily added to existing computers. The additional damage of build them into future computers or peripherals is extremely low.The Internet is foc exploitation the need for online identification and stylemark between parties who cannot otherwise know or commit each other, and Smart Cards are conceptualised to be the most efficient way of enabling the new world of e-trade. Smart Cards can act as an identification card, which is used to prove the identity of the cardholder. Besides using Smart Cards for payment over the Internet, the possibil ities are endless likecarrying your favorite addresses from your own personal computer to your friends Network Computer and downloading your airline ticket and embarkation passes, telepayments of the goods purchased online and such others. . SMART CARD TERMS AND CONCEPTS 5. 1 Memory Management Smart card is a device with major hardware constraints low-power CPU, low data rate serial I/O, little memory etc. Today, card technology utilizes 8 bit processors (mainly of the 6805 or 8051 family) whose memory sizes are about a few tens of kilobytes (Urien, 2000), typically 1-4 kb RAM (Random Access Memory), 32-128 kb ROM (Read Only memory) and 32-64 kb EEPROM (Electrically Erasable Programmable Read Only Memory) at least, with options on FLASH and FRAM (Ferroelectric Random Access Memory) as well.As the demand for smart cards matures the standard memory of 32 or 64 Kbytes can prove a overserious limitation. A solution to this is to look at some of the design issues and techniques to in corporate multiple memory chips in a single smart card. Gemplus had already produced a twin card, incorporating two unconnected chips in a single card. Other come outes include the use of PC in conjunction with smartcard. For instance, Blaze (1996) intimates the use of a powerful PC with a smart card for symmetric mention encryption because the PC provides higher encryption bandwidth.Table 1 below shows storage capacity needed for various communication rates. Communication rate Storage capacity P C (Pentium IV) 120 Mbps 10 K Bytes Standard smart card 9600 bps 64 K Bytes Multiple chip card 20 Mbps 224 M Bytes Table 5. 1. 1 Communication rate and storage capacity According to Junko (2002), the EEPROM used in current smart cards is reaching its scalability limits, particularly for smart card devices built in 0. 13-micron technology and beyond. For this reason, companies like Philips agree on the need for alternative non-volatile memory for future smart cards.Currently Philips is leaning toward magnetic RAM as an alternative to EEPROM. Another measurable application that requires memory management is the application of biometrics. The use of biometrics within the card itself will mean that biometric features ( fingerprint, retina, congresswoman etc) can reliably identify a person. With enhancement in memory system, it will soon be possible to authorize the use of electronic information in smart card using a spoken word. The use of some of these features has already been implemented in many applications. Malaysias national ID, for instance, is a multipurpose smart card with a fingerprint biometric.The card is first of its kind in the world as it combines many applications such as driving license, passport, healthcare, and non-government applications such as an e-purse. (See http//www. jpn. gov. my/ or www. iris. com. my for details). Table 2 below gives the required bytes for various biometrics. Additional information about biometric technology and stand ards can be found from the following faces The Biometric puddle (www. biometrics. org), International Biometric Industry Association (www. ibia. rg), or Bio API family (www. iapi com) Biometric Bytes needfulFinger scan 300-1200 Finger geometry 14 Hand geometry 9 Iris recognition 512 juncture verification 1500 Face recognition 500-1000 Signature verification 500-1000 Retina recognition 96 Table 5. 1. 2 Required Bytes for Biometrics 5. 2 warrantor Issues Security is always a big concern for smart cards applications. This naturally gives rise to the need for reliable, efficient cryptographic algorithms. We need to be able to provide authentication and identification in online-systems such as bank machine and computer networks, access control and the like.Currently such facilities allow access using a token however, it is vital that the holder of the token be the true owner or user of the token. As smart card is handicapped or highly qualified in their input/output (unable to int eract with the world without outside peripherals), this leads to the involvement of many parties in its applications. Some of the parties involve Cardholder, Data Owner, Card Issuer, Card Manufacturer, Software Manufacturer, and Terminal Owner as mentioned in (Schneier, 1999).It is there for essential to image that none of the above mentioned parties is threat to one another. To achieve this, there is need for bring forward investigation in the design and analysis of smart card authentication and identification protocols. For this reason, Gobioff (1996) proposes that smart cards be equipped with additional I/O channels such as buttons to alleviate these shortcomings. Further, there are numerous intrusion techniques able to tamper with smart cards and other similar temper-resistant devices as presented in (Anderson, 1997).This also indicates the need for effective intrusion detection/prevention techniques. 5. 3 Open computer architecture Existing smart card standards leave vendors too much room for interpretation. To achieve wider murder, there is need for an contribute standard that provides for inter-operable smart cards solutions across many hardware and software platforms. Open Platform, as defined by Global Platform (www. GlobalPlatform. org) is a comprehensive system architecture that enables the fast and user-friendly development of globally interoperable smart card systems.It comprises three elements card, terminal and systems, each of which may include specifications, software and/or chip card technology. Together these components define a secure, flexible, easy to use smart card environment. Development environment in use today include Java, Visual C, Visual Basic, C++, and the like. The development of standards like GSM, EMV, CEPS, PC/SC, OCF, ITSO and IATA 791 represents an opportunity for manufacturers to produce products on an economic scale and give constancy to systems designers. According to a report by Data card Group (White paper versio n1. ), True idle smart cards will have the following characteristics * They will run a non-proprietary operating system widely implemented and supported. * No single vendor will specify the standards for the operating system and the cards use. * The cards will support a high-level application programming language (e. g. , Java, C++) so issuers can supply and support their own applications as well as applications from many other vendors. * Applications can be written and will operate on different vendors multi-application smart cards with the same API (Application Programming Interface).To overcome the problem of lack of standardization, U. S. organizations have developed an add-on moment of smart card software meant to overcome communication problems between chip cards and readers from different vendors. They would like to see this technology, which they call a card capabilities container, used worldwide, making it an industry standard that would allow U. S. agencies to buy cards and readers from many vendors, sure that they would work together (Cathy, 2002).Another move is the development of a new organization called Smart Card Alliance, formed by Smart Card Industry Association (SCIA) and Smart Card Forum (SCF) to act as a single voice for the US smart card industries. heretofore in biometrics, each vendor has its own methods for enrolling individuals and later checking someones identity against the stored image. However, there are efforts lowway to create biometric standards, largely driven by the U. S. government. In a major step, the American work Standards Institute approved Bio API as a standard way for biometric devices to exchange data with ID applications.ANSI now is preparing to propose Bio API to ISO for adoption as an international standard (Donald, 2002). 5. 3. 1 Operating Systems Todays smart card operating systems and application frameworks are intrinsically local and mono application. Moreover, smartcard communicates with the outside wo rld through a serial link. As the chip has a single bi-directional I/O pin, this link can only support haft-duplex protocol. The majority of chips work at the speed of 9600 baud, although the ISO standard 7816 has defined a maximum data rate of 230400 baud.A new type of SPOM (Self-Programmable One-Chip Microcomputer), named ISO/USB has been introduced in 1999 it provides a direct connection between a SPOM and the terminal via an USB port (Urien, 2000). According to USB specification, a data throughput from 1. 2 to 12 Mbits/s may be obtained between the chip and the terminal. The vision of smart card as an application platform rather than a simple security token is a paradigm shift for smartcard operating systems.According to Jurgensen (2002), the current operating system ensample cannot completely support the needs or the vision of Universal Integrated Circuit Card (UICC). The move is now towards the development of Next Generation Smart Card Operating Systems (COSng), which will be able to handle multi-applications and support future requirements. 5. 4 Performance Performance and speed are very primary(prenominal) factors that need to be considered in most smart card application.To achieve this, transistor scaling or the reduction of the gate length (the size of the switch that turns transistors on and off), must be taken into consideration. This idea not only improves the performances of chips but also lowers their manufacturing cost and power consumption per switching event. Recently, IBM have built a working transistor at 6 nano meters in length which is per beyond the projection of The Consortium of International Semiconductor Companies that transistors have to be smaller than 9 nano meters by 2016 in value to move on the performance trend.The ability to build working transistors at these dimensions could allow developers to put 100 times more transistors into a computer chip than is currently possible. The IBM results will lead to further research int o small, high-density silicon devices and allow scientists to introduce new structures and new materials. Details are available from IBM Research News 9thDecember 2002, available online http//www. research. ibm. com/. 5. 5 Reader Requirements As the needs and uses of smart card increases, the need for a Smart Card reader that is not portable, small or light, but also easy to connect and access has arrived.However, some developers like Browns (http//www. brownsbox. com/) believe that the need for a reader is a problem, substance extra expenditure, and, when working with a laptop, is a waste of a port. In view of this, an approach toward a device that can be abandoned to a PC (internally or externally) has arrived. To solve this problem, Browns developed a method that turns a floppy disk drive into a smart card reader. Another popular approach in Europe is the smarty smartcard reader/writer the size of a 3. 5-inch diskette by Smart Disk Corp.The device does not require a serial, par allel, or USB port, instead it works directly from a diskette drive. Smarty supports all smart card a protocol, including ISO 7816 and it works infra different operating systems. Details are available from http//www. smartcomputing. com/. This idea of smart diskette was initially proposed by Paul (1989) as shown in figure 3. A similar approach involves the development of depictboard with integrated card reader, and/or let outboard with integrated fingerprint sensor and card reader by Cherry(http//www. access headstoneboards. co. uk/cherry. tm). 5. 6 Portability As mentioned earlier, portability or convenience of handling is one of the most important characteristics of smart cards. Since the smartness of smart card relies on the integrated circuit embedded in the plastic card, it is possible that the future smart cards might look like other everyday objects such as rings, watches, openhandedges, glasses or earring because that same electronic function could be performed by embedd ing it in these objects. What remain is for developers and researchers to look into the best way of implementing it if the need arises. 6.SMART CARD VS BIOMETRIC One of the primary reasons that smart cards exist is for security. The card itself provides a computing platform on which information can be stored hard and computations can be performed steadfastly. Consequently, the smart card is ideally suited to function as a token through which the security of other systems can be enhanced. Most of todays systems need proper user authentication/identification as it is a crucial part of the access control that makes the major building pile of any systems security. Three methods are currently in use what the user has (e. . smart card), what the user knows (e. g. password), and what the user is (biometrics). Each of these methods has its own merits and demerits especially when used alone. When a single method is used, we believe smartcard is the best choice. Passwords can easily be for gotten, attacked, and guessed. Similarly, biometric schemes alone are not good enough to ensure user authentication, as they are also vulnerable to attacks. First, we look into some of the benefits in using biometric schemes and then analyze some of their limitations.The primary advantage of biometric authentication methods over other methods of user authentication is that they use real human physiological or behavioral characteristics to authenticate users. These biometric characteristics are (more or less) permanent and not changeable. It is also not easy (although in some cases not principally impossible) to change ones fingerprint, iris or other biometric characteristics. Further, most biometric techniques are based on something that cannot be lost or forgotten.This is an advantage for users as well as for system administrators because the problems and costs associated with lost, reissued or temporarily issued tokens/cards/passwords can be avoided, thus saving some costs of the system management. However, as reported in (Luca 2002), the major risk posed by the use of biometric systems in an authentication process is that a malicious composition may interfere with the communication and intercept the biometric template and use it later to obtain access. Likewise, an attack may be committed by generating a template from a fingerprint obtained from some surface.Further, performance of biometric systems is not ideal. Biometric systems still need to be improved in terms of accuracy and speed. Biometric systems with the false rejection rate under 1% (together with a reasonably low false acceptance rate) are still rare today. Although few biometric systems are fast and accurate (in terms of low false acceptance rate) enough to allow identification (automatically recognizing the user identity), most of current systems are suitable for the verification only, as the false acceptance rate is too high. Moreover, not all users can use any given biometric system.People without hands cannot use fingerprint or hand-based systems. Visually impaired people have difficulties using iris or retina based techniques. Some biometric sensors (particularly those having contact with users) also have a limited lifetime. While a magnetic card reader may be used for years (or even decades), the optical fingerprint reader (if heavily used) must be regularly cleaned and even then the lifetime need not exceed one year. Biometric data are not considered to be secret and security of a biometric system cannot be based on the secrecy of users biometric characteristics.The server cannot authenticate the user just after receiving his/her correct biometric characteristics. The user authentication can be successful only when users characteristics are fresh and have been collected from the user being authenticated. This implies that the biometric input device must be trusted. Its authenticity should be confirm (unless the device and the link are physically secure) and users likeness would be checked. The input device also should be under human supervision or tamper-resistant. The fact hat biometric characteristics are not secret brings some issues that traditional authentication systems need not deal with. Many of the current biometric systems are not aware of this fact and therefore the security level they offer is limited. Users privacy may be violated by biometric schemes. Biometric characteristics are sensitive data that may contain a lot of personal information. The DNA (being the typical example) contains (among others) the users preposition to diseases. This may be a very interesting order of information for an insurance company.The body odour can provide information about users recent activities. It is also mentioned in (Jain, 1999) that people with asymmetric fingerprints are more presumable to be homosexually oriented, etc. Use of biometric systems may also imply loss of anonymity. While one can have multiple identities when authentication methods are based on something the user knows or has, biometric systems can sometimes link all user actions to a single identity. Furthermore, biometric systems can potentially be quite troublesome for some users. These users find some biometric systems intrusive or personally invasive.In some countries people do not like to touch something that has already been touched many times (e. g. , biometric sensor), while in some countries people do not like to be photographed or their faces are completely covered. Lack of standards may also poses a serious problem. Two similar biometric systems from two different vendors are not likely to interoperate at present. Although good for user authentication, biometrics cannot be used to authenticate computers or messages. Biometric characteristics are not secret and therefore they cannot be used to sign messages or encrypt documents and the like.On the other hand, smart cards provide tamper- resistant storage for protecting toffee-nosed keys, a ccount numbers, passwords, and other forms of personal information. Smart cards can also serve to isolate security-critical computations involving authentication, digital key signatures, and key exchange from other parts of the system that do not have a need to know. In addition, smart cards provide a level of portability for securely moving private information between systems at work, home, or on the road. A let out approach for the usage of biometrics is to combine biometrics with smartcards.The advantages of this may include all attributes of the smartcards will be maintained, counterfeiting attempts are reduced due to enrolment process that verifies identity and captures biometrics. It will be extremely secure and provide excellent user-to-card authentication. 7. THREATS TCG does not really address security from a user point of view as the sample is centered on platforms. User identification and authentication mechanisms, including owner, are rather rudimentary. Basically, p roof of knowledge of a secret value shared between the owner and the TPM is proof of ownership.In the case of the owner proof of knowledge is even proof of identity. To some extent, the pair (object UUID, Authorization Data) corresponds to a capability associated to a TPM-saved object. Threats are actually similar to those applying to capability-basedmodels. For example, the access ascendance to a TPM-protected object is given very early, when the ascendancy data is associated to the object and not when the access is attempted. But more important authentication data can be freely duplicated and the user has to find some way to protect them.Like for every sensitive piece of information the key issue with control data is storage protection. Because it is impossible for an operator to remember a 20-byte random value, most of the TPM administration products available today implement a simple password-based technique. The authentication data Auth Data is computed from a password value using SHA-1 hash algorithm. Auth Data= SHA( password)Of course, all the well-known weaknesses of password-based authentication apply to such a mechanism One-factor only authentication, Easy to guess, subject to dictionary attacks, Easy to snoop, unmistakable in the clear when keyed or transmitted to the verifying party, Easy to lose and forget, Easy to write down and to share with others This type of implementation is so common that TPM manufacturers had to implement countermeasures like lockout or reception degradation in order to protect from dictionary types of attacks. Another natural solution would be to securely store the authorization data directly on the platform hard drive. This type of solution is considered subject to attacks 9 and raises a lot of side issues.For example, the authorization data must be stored on an opaque container that is generally protected by a password and hence prone to dictionary attacks. Outside of the platform owner, who just plays an admin istrative role, regular platform users have also to be taken into account. In every day operations, platforms interact with users and user identity is a critical piece of the security and trust puzzle. For that matter all platform operating systems implement user identification and authentication mechanisms.How users fit in this picture is not completely in the scope of TCG specification. As a consequence, authentication data are not depute to specific users. pull down though this is not a threat in itself, there is lot of interoperable cases where TPM-protected keys have to be assigned to specific users only. For example, the file encryption keys used by one user on a platform must be kept separated from the other platform users. 8. SMART CARD-BASED USER AUTHENTICATION Smart card-based authentication is a first step towards the TPM and-smartcard cooperative model introduced in section 2.The principle is to use a smart card during the execution of the user side of the TCG authori zation protocols. The most critical piece of information in TCG authorization protocol is the Authorization Data that is either stored locally on the platform or computed from an external seed secret such as password. This model raises many issues. Since smart cards another hardware tokens, are used to address this type of user authentication issues in environments like corporate IT or banking, smart card-based authentication can be the dissolving agent to the threats identified in section 3. 4.For instance, as smart cards are physically secure and cannot beckoned, the gemination of an authorization data becomes impossible. Likewise, smart cards allow the usage of truly random authorization data, offering a particularly efficient protection against a dictionary attack. To offer a higher protection level, access to the authorization data can be protected by a Personal Identification Number (PIN). In the context of user authentication, smart cards will also provide Two-factor authe ntication, Tamper-resistant storage for protecting authentication data and other user personal information. Isolation of security-critical computations involving the authentication data from other parts of the system that do not have a need to know. Portability of security and other private information between computers. But the integration of smart cards within TCG authorization protocols has an impact in terms of smart cards capabilities. 8. 1 Smart cards requirements In a smart card-based authentication scheme, the smart card will be primarily used to physically protect the Authorization Data. This doer that the smart card must be able to 1.Store the Authorization Data, 2. Process the user side of the authorization protocol computation that requires the Authorization Data. Storing the Authorization Data in a smart card presents no particular difficulty. Every smart card, including the most basic one like simple memory card, has the capability to store a 20-bytevalue. On anot her hand, how much of the authorization protocol can be processed by a smart card is directly linked with the card cryptographic capabilities. In order to perform the entire user side of the protocol a smart card will have to be able to Generate random values, Compute a shared secret using a SHA-1-based HMAC, Compute and verify authentication values using SHA-1 andSHA-1-based HMAC operations, Encrypt authentication data using a XOR Most of cryptographic smart cards today have robust Random Number root and support SHA-1 in native mode, but smartcards offering HMAC in native mode are less common. A solutions to simply implement a Java Card applet providing these features. Following sections describe three, incrementally secure, possible implementation of smart card-based authentication. . 2 Importance of Smartcards to Computer Security 8. 2. 1 Importance of Smartcards as a end Mechanism for Computer Networks This section highlights the fundamental security challenges that face us in this increasingly computer network oriented world, and how smartcards can provide key advantages towards security. 8. 2. 2 Fundamental Security Challenges Because computers and networks are meet so central to our lives in this digital age, many new security challenges are arising. This is the era of near connectivity, both electronically and physically.Smartcards can facilitate this connectivity and other value added capabilities, while providing the necessary security assurances not available through other means. On the Internet, smartcards increase the security of the building blocks Authentication, Authorization, Privacy, Integrity, and Non-Repudiation. Primarily, this is because the private signing key never leaves the smartcard so its very difficult to gain knowledge of the private key through a compromise of the host computer system. In a corporate enterprise system, multiple baffled systems often have their security based on different technologies.Smartcards can bring these together by storing multiple certificates and passwords on the same card. Secure email and Intranet access, dial-up network access, encrypted files, digitally signed web forms, and building access are all improved by the smartcard. In an Extranet situation, where one company would like to administer security to business partners and suppliers, smartcards can be distributed which allow access to reliable corporate resources. The smartcards splendor in this situation is evident because of the need for the strongest security possible when permitting anyone through the corporate firewall and proxy defenses.When distributing credentials by smartcard, a company can have a higher assurance that those credentials cannot be shared, copied, or otherwise compromised. 8. 2. 3 The Smartcard Security Advantage Some reasons why smartcards can enhance the security of modern day systems are 8. 2. 3. 1 PKI is better than passwords smartcards enhance PKI Public Key Infrastructure systems ar e more secure than password based systems because there is no shared knowledge of the secret. The private key need only be known in one place, rather than two or more.If the one place is on a smartcard, and the private key never leaves the smartcard, the crucial secret for the system is never in a situation where it is easily compromised. A smartcard allows for the private key to be usable and yet never appear on network or in the host computer system. 8. 2. 3. 2 Smartcards enlarge the Security of Password Based Systems Though smartcards have obvious advantages for PKI systems, they can also increase the security of password based systems. One of the biggest problems in typical password systems is that users write down their password and obligate it to their monitor or keyboard.They also tend to choose weak passwords and share their passwords with other people. If a smartcard issued to store a users multiple passwords, they need only remember the PIN to the smartcard in order to a ccess all of the passwords. Additionally, if a security officer initializes the smartcard, very strong passwords can be elect and stored on the smartcard. The end user need never even know the passwords, so that they cant be written down or shared with others. 8. 2. 3. 3 Two Factor Authentication, and more Security systems benefit from multiple factor authentications.Commonly used factors are Something you know, something you have, something you are, and something you do. Password based systems typically use only the first factor, something you know. Smartcards add an additional factor, something you have. Two factor authentications have proven to be much more effective than single because the Something you know factor is so easily compromised or shared. Smartcards can also be enhanced to include the remaining two features. Prototype designs are available which accept a thumbprint on the surface of the card in addition to the PIN in order to unlock the services of the card.Alternati vely, thumbprint template, retina template, or other biometric information can be stored on the card, only to be checked against data obtained from a separate biometric input device. Similarly, something you do such as typing patterns, handwritten signature characteristics, or voice inflection templates can be stored on the card and be matched against data accepted from external input devices. 8. 2. 3. 4 Portability of Keys and Certificates Public key certificates and private keys can be utilized by web browsers and other popular software packages but they in some sense identify the workstation rather than the user.The key and certificate data is stored in a proprietary browser storage area and must be merchandise/imported in order to be moved from one workstation to another. With smartcards the certificate and private key are portable, and can be used on multiple workstations, whether they are at work, at home, or on the road. If the lower level software layers support it, they ca n be used by different software programs from different vendors, on different platforms, such as Windows, UNIX, and Mac. 8. 2. 3. 5 Auto-disabling PINs Versus Dictionary AttacksIf a private key is stored in a browser storage file on a hard drive, it is typically protected by password. This file can be dictionary attacked where commonly used passwords are attempted in a brute force manner until knowledge of the private key is obtained. On the other hand, a smartcard will typically lock itself up after some low number of consecutive bad PIN attempts, for example 10. Thus, the dictionary attack is no longer a feasible way to access the private key if it has been securely stored on a smartcard. 8. 2. 3. 6 Non RepudiationThe ability to deny, after the fact, that your private key performed a digital signature is called repudiation. If, however, your private signing key exists only on a single smartcard and only you know the PIN to that smartcard, it is very difficult for others to imperso nate your digital signature by using your private key. Many digital signature systems require hardware strength on Repudiation, meaning that the private key is always protected within the security moulding of hardware token and cant be used without the knowledge of the proper PIN.Smartcards can provide hardware strength Non Repudiation. 8. 2. 3. 7 Counting the Number of Private Key Usages So many of the important things in our lives are pass by our handwritten signature. Smartcard based digital signatures provide benefits over handwritten signatures because they are much more difficult to forge and they can enforce the integrity of the document through technologies such as hashing. Also, because the signature is based in a device that is actually a computer, many new benefits can be conceived of.For example, a smartcard could count the number of times that your private key was used, thus giving you an accurate measure of how many times you utilized your digital signature over a gi ven period of time. skeletal system 8. 2. 3. 7. 1 Smartcard Electrical Contacts Table 8. 2. 3. 7. 2 Description of Contacts POSITION TECHNICAL ABBREVIATION FUNCTION C1 VCC supply Voltage C2 RST Reset C3 CLK Clock Frequency C4 RFU Reserved for future use C5 GND Ground C6 VPP External programming voltage C7 I/O Serial input/output communications C8 RFU Reserved for future use 9.SMART CARD ENABLED PRODUCTS This section lists popular security products and explains how smartcards can be used to enhance their security. 9. 1 net Browsers (SSL, TLS) Web browsers use technology such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide security while browsing the World Wide Web. These technologies can authenticate the client and/or server to each other and also provide an encrypted channel for any message traffic or file transfer. The authentication is enhanced because the private key is stored securely on the smartcard.The encrypted channel typically uses a symmetri c count where the encryption is performed in the host computer because of the low data transfer speeds to and from the smartcard. Nonetheless, the randomly generated session key that is used for symmetric encryption is wrapped with the partners public key, meaning that it can only be unwrapped on the smartcard. Thus it is very difficult for an eavesdropper to gain knowledge of the session key and message traffic. 9. 2 Secure Email (S/MIME, Open PGP) S/MIME and Open PGP allow for email to be encrypted and/or digitally signed.As with SSL, smartcards enhance the security of these operations by protecting the secrecy of the private key and also unwrapping session keys within a security perimeter. 9. 3 Form Signing Web based HTML forms can be digitally signed by your private key. This could prove to be a very important technology for internet based business because it allows for digital documents to be hosted by web servers and accessed by web browsers in a paperless fashion. Online exp ense reports, W-4 forms, purchase requests, and group insurance forms are some examples.For form signing, smartcards provide portability of the private key and certificate as well as hardware strength non repudiation. 9. 4Object Signing If an organization writes code that can be downloaded over the web and then punish onclient computers, it is best to sign that code so the clients can be sure it indeed came from areputable source. Smartcards can be used by the signing organization so the private key cantbe compromised by a rogue organization in order to impersonate the valid one. 9. 5 Kiosk / Portable PreferencesCertain applications operate best in a kiosk mode where one computer is shared by a number of users but becomes configured to their preferences when they insert their smartcard. The station can then be used for secure email, web browsing, etc. and the private key would never leave the smartcard into the environment of the kiosk computer. The kiosk can even be configured to accept no mouse or keyboard input until an authorized user inserts the proper smartcard and supplies the proper PIN. 9. 6 File EncryptionEven though the 9600 baud serial interface of the smartcard usually prevents it from being a convenient mechanism for bulk file encryption, it can enhance the security of this function. If a different, random session key is used for each file to be encrypted, the bulk encryption can be performed in the host computer system at fast speeds and the session key can then be wrapped by the smartcard. Then, the only way to easily decrypt the file is by possessing the proper smartcard and submitting the proper PIN so that the session key can be unwrapped. 9. 7 Workstation LogonLogon credentials can be securely stored on a smartcard. The normal login mechanism of the workstation, which usually prompts for a username and password, can be replaced with one that communicates to the smartcard. 9. 8 Dialup Access (RAS, PPTP, RADIUS, TACACS) Many of the common re mote access dial-up protocols use passwords as their security mechanism. As previously discussed, smartcards enhance the security of passwords. Also, as many of these protocols evolve to support public key based systems, smartcards can be used to increase the security and portability of the private key and certificate. . 9 retribution Protocols (SET) The Secure Electronic Transactions (SET) protocol allows for credit card data to be transferred securely between customer, merchant, and issuer. Because SET relies on public key technology, smartcards are a good choice for storage of the certificate and private key. 9. 10 Digital Cash Smartcards can implement protocols whereby digital cash can be carried around on smartcard. In these systems, the underlying keys that secure the architecture never leave the security perimeter of hardware devices.Mondex, VisaCash, EMV ( Europay-Mastercard-Visa), and Proton are examples of digital cash protocols designed for use with smartcards. 9. 11 Bui lding Access Even though the insertion, processing time, and removal of a standard smartcard could be a hassle when entering a building, magnetic stripe or proximity chip technology can be added to smartcards so that a single token provides computer security and physical access. 10. PROBLEM WITH SMART CARD Even though smartcards provide many obvious benefits to computer security, they still havent caught on with great popularity in countries like the United States.This is not only because of the prevalence, infrastructure, and acceptability of magnetic stripe cards, but also because of a few problems associated with smartcards. Lack of a standard infrastructure for smartcard reader/writers is often cited as a complaint. The major computer manufactures havent until very recently given much thought to offering a smartcard reader as a standard component. Many companies dont want to absorb the cost of outfitting computers with smartcard readers until the economies of scale drive down th eir cost.In the meantime, many vendors provide bundled solutions to outfit any personal computer with smartcard capabilities. Lack of widely adopted smartcard standards is often cited as a complaint. The number of smartcard related standards is high and many of them address only a certain vertical market or only a certain layer of communications. This problem is lessening recently as web browsers and other mainstream applications are including smartcards as an option. Applications like these are helping to speed up the evolution of standards. 11.FUTURE WORK Different usage scenario can be defined to explore additional synergies between TPM and smart cards. For example, a MIS department orders trusted platforms from their favorite PC manufacturer. The machines are configured and personalized according to the end-user profile, following the corporate policies. The MIS representatives possess a specific smart card, the owner card, which is used for trusted platforms initialization and maintenance. During the initialization process the user smart card is created for the platform end-user.This card stores the user secrets and credentials, to be used during the processing of security functions like digital signature of documents. Our scenario provides features to securely share the TPM among several users. Each user owns a dedicated Protected Storage Tree under the Storage Root Key (SRK), protected by local User Root Keys (URK). The first kind in the trusted platform life cycle will be the initialization of the TPM. During this step, the corporation, through the MIS department, will take ownership of the TPM.This phase covers the loading of secrets into the TPM, the creation of a root storage key, but also the generation of a smart card that will be given to the main platform user. During this process a URK can be created for the first user, secured by the SRK, and then user keys can be generated under the URK. These keys will be used to generate quotes for a given user. The platform is then given to the main end-user, who also receives a user smart card. 12. CONCLUSION Most of the smart card systems in use today serve one purpose and are related to just one process or is hardwired to only one application.A smart card cannot justify its existence in this respect. The approach of future smart card is therefore towards designing multi-application card with own operating system based on open standard that can perform a variety of functions. It must be configurable and programmable and it must be able to adapt to new situations and new requirements especially in areas such as security, memory management, and operating system. Most of smart card application methods today rely on the fact that the code of functions to be performed should be imported by card operating system from an outside server.This approach is quite weak with regards to security. It is, therefore, important t