2. Security Technologies2.1. Physical Structure and Life Cycle2.1.1. Physical Structure2.2.2. Life Cycle of the Smart Card2.1.2.1. Fabrication Phase2.1.2.2. Pre-personalization Phase2.1.2.3. Personalization Phase2.1.2.4 Utilization Phase2.1.2.5. End-of-Life Phase2.2 Communication with the Outside World2.3. Operating System2.3.1. Logical File Structure2.3.2. Access Controls2.3.2.1. Levels of Access Rights2.3.2.2. PIN Presentation and Management3. Attacks on Smart Card3.2. Physical Attacks3.3. Functional Attacks4. ConclusionSmart Card Security1. IntroductionSmart card looks like a credit card but embeds an integrated circuit chip. Besides providing memory capacity, smart card also provides computational capabilities. Unlike ordinary credit cards, smart card does not rely on external resources for data encryption and decryption. Because of its self-containment, smart card is “resistant to attack as it dose not need to depend upon potentially vulnerable external resources” [1].Therefore, it is widely used in the applications that require high security protection and authentication.Today, smart card is used as credit/debit card, medical card, identification card, entertainment card, voting card, or mass transit card [3]. All these applications contain sensitive data, such as card owner’s biometrics information, personal medical record, and cryptographic keys used for authentication. They need to be strongly protected. As a result, security becomes a big issue in smart card.This paper discusses the security related to the smart card and existing attacks and their resistances.2. Security TechnologiesIn order to give a detailed description, we analyze the security of smart card in three different points of views: physical structure and life cycle, communication with the outside world, and operating system.2.1. Physical Structure and Life CycleThis section shows the physical structure and basic components of the smart card. In addition, the life cycleof the smart card is also presented here. Through these descriptions, we should have a brief view of how thestored information in smart card is securely protected during the processes of transferring from card manufacturer to the application issuer then to the user. 2.1.1. Physical StructureAccording to International Standards Organization (ISO), smart card contains three physical elements: a plastic card, a printed circuit, and an integrated circuit chip. Figure1 shows the main physical components of smart card.Figure 1. Physical Structure of Smart Card [4]The plastic card has a dimension of 85.60mm x 53.98mm x 0.80mm. It must be able to bend in a certaindegree without any damages. The printed circuit is a gold plate that provides the communication betweenthe external power or data and the internal chip. Moreover, it prevents the circuit chip from mechanicalstress and static electricity. The most important component in the smart card is the integrated circuit chip.Figure 2. Smart Card Microchip Components [4]As shown in Figure 2, it consists of a microprocessor, read only memory (ROM), non-static random access memory (RAM), and electrically erasable programmable read only memory (EEPROM). The integrated circuit chip must be a few millimeters in size because it is made of silicon, which is easy to break [1].2.2.2. Life Cycle of the Smart CardEach smart card runs an operating system that contains the manufacturer identification number (ID), type of component, serial number, profile information, and most important the keys. Obviously, information should be hided and not to be revealed by intruders. Thus, the process from the manufacturer to the application provider then to the card user is divided into five phases. In every phase, there are limitations on the transferring and accessing data to protect the information in different areas [1].2.1.2.1. Fabrication Phase In Fabrication phase, the integrated circuit chip is made and tested by the chip manufacturers. To prevent chip from modifying, a unique fabrication key (FK) is added. The FK stays in the chip until it is assembled into the supporting plastic card. Fabrication key is created based on a master manufacturer key.2.1.2.2. Pre-personalization PhasePre-personalization phase is controlled by the card suppliers. In this phase, the circuit chip is placed on the plastic card. To support the secure delivery of the card to the card issuer, a new key, called personalization key (PK), is used to replace the fabrication key. Later, a personalization lock VPER is set to prevent further modification. From this time, the card only can be accessed by the logical memory addressing instead of physical memory access instructions. By doing this, it makes sure that the system and fabrication areas cannot be modified.2.1.2.3. Personalization PhaseIn personalization phase, card issuer writes the data files and application data to the card. Meanwhile, information related to the identity of the card owner is also stored. Finally, a utilization lock VUTIL is set to indicate that this card is ready for the utilization phase.2.1.2.4 Utilization Phase When smart card is in utilization phase, it is able to be used by the card holder. There are application security policies to rule the access of the information. The detailed discussion will be presented in the following section.2.1.2.5. End-of-Life PhaseEnd-of-life phase also called invalidation phase. There are two approaches to put the card into this stage. One is to set an invalidation lock to an individual or master file. Thus, operating system will disable almost all the operations, including writing and updating. However, read operation still keeps alive for the purpose of further analysis. Another way is to block all PINs to disable all operations, including read.2.2 Communication with the Outside WorldSmart card’s physical features, such as thickness, size and bend requirement, give card a good protection from the physical damages. But, this also adds the restriction of the memory and processing resources in the card. To solve this problem, smart card usually needs the external peripherals to cooperate. For example, it must be connected to the card acceptor device (CAD) to obtain power and input/output information. These untrusted external peripherals may reduce the security of smart card.In order to remedy this flaw, smart card standard specifies that data exchange between the circuit chip and the CAD is limited to 9600 bits per second. The data
View Full Document
Unlocking...