Smart Card Fundamentals PDF
Summary
This document provides a detailed overview of smart card fundamentals, covering their history, types, functionalities, and applications. It also explores various aspects such as integrated circuit types, form factors, communication interfaces, memory sizes and types, operating systems, along with manufacturing and reader considerations. Crucially, it outlines relevant standards and specifications in the smart card domain. Topics include standards like ISO/IEC 7810, 7816, and 14443.
Module 1: Smart Card Fundamentals

Smart Card Alliance Certified Smart Card Industry Professional Accreditation Program

Smart Card Alliance © 2015 CSCIP Module 1- Fundamentals FINAL - Version 5 – May 7, 2015
For CSCIP Applicant Use Only

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.

Important note: The CSCIP training modules are only available to LEAP members who have applied and paid for CSCIP certification. The modules are for CSCIP applicants ONLY for use in preparing for the CSCIP exam. These documents may be downloaded and printed by the CSCIP applicant. Further reproduction or distribution of these modules in any form is forbidden.

Copyright © 2015 Smart Card Alliance, Inc. All rights reserved. Reproduction or distribution of this publication in any form is forbidden without prior permission from the Smart Card Alliance. The Smart Card Alliance has used best efforts to ensure, but cannot guarantee, that the information described in this report is accurate as of the publication date. The Smart Card Alliance disclaims all warranties as to the accuracy, completeness or adequacy of information in this report.

TABLE OF CONTENTS

1 INTRODUCTION
2 SMART CARD OVERVIEW
  2.1 SMART CARD HISTORY AND MARKET
  2.2 TYPES OF SMART CARDS
  2.3 SMART CARD FUNCTIONS AND APPLICATIONS
3 INTEGRATED CIRCUIT TYPES
  3.1 MEMORY AND SECURE MEMORY
  3.2 MICROCONTROLLER
4 FORM FACTORS FOR SMART CARD TECHNOLOGY
  4.1 CARD FORM FACTOR
  4.2 USB TOKENS
  4.3 SUBSCRIBER IDENTITY MODULE/UNIVERSAL INTEGRATED CIRCUIT CARD FORM FACTOR
  4.4 SECURE ELEMENT AND EMBEDDED CARD FORM FACTORS
  4.5 OTHER FORM FACTORS
5 COMMUNICATIONS INTERFACES
  5.1 CONTACT INTERFACE
    5.1.1 Contact Interface Standards
    5.1.2 Data Transmission Protocols
  5.2 CONTACTLESS INTERFACE
    5.2.1 Contactless Technology Standards
  5.3 DUAL INTERFACE
6 MEMORY SIZES AND TYPES
  6.1 MEMORY-BASED SMART CARDS
  6.2 SECURE MICROCONTROLLER-BASED SMART CARDS
7 SMART CARD OPERATING SYSTEMS
  7.1 NATIVE OPERATING SYSTEMS
  7.2 OBJECT-ORIENTED OPERATING SYSTEMS
    7.2.1 MULTOS
    7.2.2 Java Card: A Tool for Smart Card Applet Developers
    7.2.3 Basic Card: Proprietary Solution for Easy Card Development
8 SMART CARD MANUFACTURING PROCESS
  8.1 CARD BODY MATERIAL AND PRODUCTION
  8.2 SMART CHIP MICRO-MODULES
  8.3 SMART CARD MANUFACTURING
  8.4 SMART CARD PERSONALIZATION
9 SMART CARD READERS
  9.1 SMART CARD READERS FOR SECURE COMPUTER ACCESS
  9.2 SMART CARD READERS AT THE POINT-OF-SALE
  9.3 SMART CARD READERS AND PHYSICAL ACCESS CONTROL
10 RELEVANT STANDARDS AND SPECIFICATIONS
  10.1 STANDARDS RELEVANT TO SMART CARD PHYSICAL CHARACTERISTICS
    10.1.1 ISO/IEC 7810 – Identification Cards – Physical Characteristics
    10.1.2 ISO/IEC 7816 – Identification Cards – Integrated Circuit Cards
    10.1.3 ISO/IEC 10373 – Identification Cards – Test Methods
    10.1.4 ISO/IEC 24789 – Identification Cards – Card Service Life
  10.2 STANDARDS RELEVANT TO TECHNOLOGIES WHICH COULD BE FOUND ON A SMART CARD
  10.3 STANDARDS AND SPECIFICATIONS RELEVANT TO TECHNOLOGIES RELATED TO THE CARD INTERFACE
    10.3.1 ISO/IEC 7816 Series – Identification Cards – Integrated Circuit(s) Cards with Contacts
    10.3.2 ISO/IEC 14443 Series – Identification Cards – Contactless Integrated Circuit(s) Cards – Proximity Cards
    10.3.3 ISO/IEC 15693 – Contactless Integrated Circuit Cards – Vicinity Cards
    10.3.4 ISO/IEC 18092 – Information technology – Telecommunications and Information Exchange between Systems – Near Field Communication – Interface and Protocol
    10.3.5 Personal Computer/Smart Card (PC/SC) Specifications
    10.3.6 Circuit(s) Card Interface Device (CCID) Specification
  10.4 STANDARDS AND SPECIFICATIONS RELEVANT TO THE CARD COMMANDS AND APPLICATION DATA STRUCTURES
    10.4.1 ISO/IEC 7816 Series – Identification Cards – Integrated Circuit(s) Cards
    10.4.2 ISO/IEC 8825-1
    10.4.3 GlobalPlatform
    10.4.4 Java Card
  10.5 STANDARDS AND SPECIFICATIONS RELEVANT TO SECURITY OR CRYPTOGRAPHY
    10.5.1 ISO/IEC 9798 - Information Technology – Security Techniques – Entity Authentication
  10.6 STANDARDS AND SPECIFICATIONS RELEVANT TO SECURITY OR CRYPTOGRAPHY
    10.6.1 ISO/IEC 9798 - Information Technology – Security Techniques – Entity Authentication
    10.6.2 ISO/IEC 11770 - Information Technology – Security Techniques – Key Management
    10.6.3 ISO/IEC 18033 - Information Technology – Security Techniques – Encryption Algorithms
    10.6.4 ISO/IEC 24727 - Information Technology – Identification cards – On-Card Biometric Comparison
    10.6.5 Common Criteria
    10.6.6 NIST Federal Information Processing Standards
  10.7 STANDARDS AND SPECIFICATIONS RELEVANT TO ISSUERS OR SPECIFIC INDUSTRY SECTORS
    10.7.1 ISO/IEC 7501 Series, Identification Cards – Machine Readable Travel Documents
    10.7.2 ISO/IEC 7812 Series, Identification Cards – Identification of Issuers
    10.7.3 ISO/IEC 7813, Identification Cards – Financial Transaction Cards
    10.7.4 ISO/IEC 7816 Series, Identification Cards – Integrated Circuit(s) Cards with Contacts
    10.7.5 ISO/IEC 8583 – Financial Transaction Card Originated Messages – Interchange Message Specifications
    10.7.6 ISO/IEC 9992 – Financial Transaction Cards – Messages between the Integrated Circuit Card and the Card Accepting Device
    10.7.7 ISO/IEC 18013 – Personal Identification – ISO-Compliant Driving License
    10.7.8 ISO/IEC 21549 – Health Informatics – Patient Health Card Data
    10.7.9 ISO/IEC 24014-1 – Public Transport – Interoperable Fare Management System – Architecture
    10.7.10 Doc 9303, ICAO Machine Readable Travel Documents
    10.7.11 European Telecommunications Standards Institute (ETSI)
    10.7.12 Comité Européen de Normalisation Technical Committee TC 224
    10.7.13 ECMA International
    10.7.14 NFC Forum
    10.7.15 EMV: Integrated Circuit Card Specifications for Payment Systems
    10.7.16 Common Electronic Purse Specification
    10.7.17 Comité Européen de Normalisation
    10.7.18 Contactless Fare Media Standard
    10.7.19 Integrated Transport Smartcard Organization
    10.7.20 Verband Deutscher Verkehrsunternehmen
    10.7.21 Open Standard for Public Transport
    10.7.22 ANSI INCITS 410-2006 – Identification Cards – Limited Use (LU), Proximity Integrated Circuit Card (PICC)
  10.8 OTHER STANDARDS RELATED TO SMART CARDS OR THEIR SOFTWARE CLIENTS
    10.8.1 ISO/IEC 24727 Identification Cards – Integrated Circuit Card Programming Interfaces
  10.9 PRIMARY U.S. STANDARDS AND SPECIFICATIONS RELATED TO SMART CARDS – FEDERAL INFORMATION PROCESSING STANDARDS (FIPS)
    10.9.1 FIPS Standards for Digital Signatures
    10.9.2 FIPS Standards for Digital Encryption
    10.9.3 FIPS 140 Security Requirements for Cryptographic Modules Standard
    10.9.4 FIPS 201 Personal Identity Verification of Federal Employees and Contractors
  10.10 BIOMETRICS STANDARDS
  10.11 OTHER STANDARDS AND SPECIFICATIONS THAT RELATE TO SMART CARD-BASED APPLICATIONS
    10.11.1 G-8 Health Standards
    10.11.2 ISO/IEC Standards for Healthcare Informatics
    10.11.3 The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191)
    10.11.4 The Health Information Technology for Economic and Clinical Health (HITECH) Act
    10.11.5 American National Standards Institute
    10.11.6 USB Implementers Forum
    10.11.7 Initiative for Open Authentication (OATH)
    10.11.8 SD Association
11 REFERENCES
12 ACKNOWLEDGEMENTS

1 Introduction

This module describes the fundamentals of smart card technology and uses. After reviewing this module, CSCIP applicants should be able to answer the following questions:

- What are common smart card-based applications?
- What are the different types of integrated circuits (ICs) used in smart cards?
- What are the different smart card communications interfaces and what standards are used to govern those interfaces?
- What are the components of a microcontroller-based smart card?
- What form factors is smart card technology available in?
- What operating systems are available for smart cards? What are the functions performed by the operating system? How do operating systems differ?
- How are smart cards manufactured?
- What types of smart card readers are available?
- What are the relevant industry standards and specifications and how are they used in different applications?

2 Smart Card Overview

This section provides an overview of the history of smart card technology, the current market size, the types of smart cards available and example smart card functions and applications.

2.1 Smart Card History and Market

A smart card (also called an "integrated circuit card") is a device in which an integrated circuit, or chip, is embedded. Systems using smart cards have multiple point-of-service terminals (or readers) which communicate with the card and with a central host computer system.
The development of smart cards dates back to the 1970s, when patents were filed in France, Germany, and Japan. The first practical smart card implementation was developed in France, to combat the rising cost of fraud in telecommunications and banking applications. Motorola produced the first secure single-chip microcontroller (MCU) [1] in 1979 for use in French bank cards. Two types of smart card products were introduced in the early 1980s. One, for telephone cards, used a serial-memory integrated circuit (IC) [2]. The other, for banking applications, used the more secure MCU. The first mass rollout of smart cards took place in 1992, when the cards were adopted by all French banks. More than 10 million cards were issued that year.

Smart card shipments have grown dramatically, with Eurosmart forecasting 9% growth in worldwide shipments of smart cards and secure elements, to 8.79 billion units to be shipped in 2015, with an estimate of 8.04 billion secure elements shipped in 2014. [3] This rapid growth is due to the increasing use of smart cards for many financial, telecommunications, transit, healthcare, access and secure identification applications. An area of high growth is secure contactless devices, with 23% growth forecast from 2013 to 2014; this growth is driven by increasing use of contactless smart cards for financial, government, access control and transit applications. Table 1, Table 2 and Table 3 show Eurosmart estimates of worldwide smart card shipments for 2014 and 2015. [4]

The name "smart card" is something of a misnomer. While the plastic card was the initial smart card form factor, smart card technology is now available in a wide variety of form factors, including plastic cards, key fobs, subscriber identification modules (SIMs) used in GSM mobile phones, watches, electronic passports and USB-based tokens. Devices that incorporate smart card technology may be called smart cards, secure elements or smart secure devices by different industry sources.
What started as an electronic device to store bank account information securely has evolved into a sophisticated computing device capable of supporting many different applications on a single card or token. These applications include bank cards, mobile phone subscriber identity modules (SIM), healthcare cards, government and enterprise ID cards, benefits and social welfare cards, driver’s licenses, physical and logical access cards, mass transit (ticketing) cards, and even cards that combine multiple applications on a single card.

[1] An MCU is a computer chip that contains the components of a controller. Typically, these include a central processing unit (CPU), random access memory (RAM), some form of read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), input/output (I/O) ports, and timers. Unlike a general purpose computer, a microcontroller is designed to control only a particular system.
[2] A memory-only smart card chip contains a memory array with hard-wired security logic to control access to the memory and to prevent unauthorized writing and erasing of the data. It has neither a microprocessor nor MCU, so its functionality and security capabilities are limited.
[3] Eurosmart forecast, “Providing Trust and Security is Key for a Successful Mobile Lifestyle in the Hyperconnected World of 2020,” November 2014, http://www.eurosmart.com/publications/market-overview
[4] Note: Eurosmart refers to “smart secure devices” and “secure elements.” These are other names for devices that use smart card technology. These modules refer to all such devices as “smart cards.”

Table 1. Worldwide Smart Secure Device Shipments – 2014 and 2015 Forecasts (Millions of Units, Source: Eurosmart - November 2014)

| Worldwide Shipments* | 2013 | 2014 (Forecast) | 2015 (Forecast) | 2014 vs 2013 % growth | 2015 vs 2014 % growth |
|---|---|---|---|---|---|
| Telecom | 4,850 | 5,100 | 5,250 | 5% | 3% |
| Banking | 1,550 | 1,950 | 2,350 | 26% | 21% |
| Government | 350 | 390 | 440 | 11% | 13% |
| Device Manufacturers | 190 | 190 | 310 | 0% | 63% |
| Others | 390 | 410 | 440 | 5% | 7% |
| Total | 7,330 | 8,040 | 8,790 | 10% | 9% |

*Shipments of secure elements are reported by issuing entity:
- Telecom represents mobile network operators; banking represents banks; government represents public authorities as well as private healthcare organizations
- Device manufacturers represent original equipment manufacturers of mobile phones, tablets, navigation devices and other connected devices
- Others include shipments from entities issuing transport, pay TV and physical and logical access cards

Table 2. Worldwide Smart Secure Contactless Shipments – 2014 and 2015 Forecasts (Millions of Units, Source: Eurosmart - November 2014)

| Worldwide Contactless** | 2013 | 2014 (Forecast) | 2015 (Forecast) | 2014 vs 2013 % growth | 2015 vs 2014 % growth |
|---|---|---|---|---|---|
| Banking | 590 | 800 | 1,000 | 36% | 25% |
| Government | 200 | 230 | 260 | 15% | 13% |
| Others** | 250 | 250 | 280 | 0% | 12% |
| Total | 1,040 | 1,280 | 1,540 | 23% | 20% |

**Others include transport and physical and logical access cards.

Table 3. Worldwide NFC Secure Element Shipments – 2014 and 2015 Forecasts (Millions of Units, Source: Eurosmart - November 2014)

| Worldwide NFC Secure Elements*** | 2013 | 2014 (Forecast) | 2015 (Forecast) | 2014 vs 2013 % growth | 2015 vs 2014 % growth |
|---|---|---|---|---|---|
| NFC Secure Elements | 270 | 350 | 600 | 30% | 71% |

*** NFC secure elements include NFC enabled UICCs and embedded secure elements and other form factors of NFC enabled secure elements.

2.2 Types of Smart Cards [5]

Three different types of chips can be associated with smart cards: memory only (which includes serial-protected memory), wired logic, and microcontroller. The terms “memory only,” “wired logic” and “microcontroller” refer to the functionality that the chip provides. The following further discusses the types of chip cards. [6], [7]

Memory-Only Integrated Circuit Cards (including Serial Protected Memory Cards). Memory-only cards are “electronic magnetic stripes,” and provide little more security than a magnetic stripe card. The two advantages they have over magnetic stripe cards are: a) they have a higher data capacity (up to 1024 kilobits (Kbits) compared with 80 bytes per track), and b) the read/write device is much less expensive. The memory-only chip cards do not contain logic or perform calculations; they simply store data. Serial-protected memory chip cards have a security feature not found in the memory-only chip card; they can contain a hardwired memory that cannot be overwritten.

Early versions of memory-only cards were read-only, low capacity (maximum of 160 units of value), prepaid disposable cards with little security. New versions include prepaid disposable cards that use read/write memory and binary counting schemes that allow the cards to carry more than 20,000 units of value. Many of these cards also have advanced logic-based authentication schemes built into the chip. Other memory-only cards have been developed for re-loadable stored value applications. The cards contain a purse, which can be protected through the use of a personal identification number (PIN) and counters, which limit the number of times the purse can be reloaded.

Wired Logic Integrated Circuit Smart Cards. A wired logic chip card contains a logic-based state machine that provides encryption and authenticated access to the memory and its contents.
Wired logic cards provide a static file system supporting multiple applications, with optional encrypted access to memory contents. Their file systems and command set can only be changed by redesigning the logic of the IC. Wired logic-integrated chip cards include contactless variations such as I-Class™ or MIFARE™.

Secure Microcontroller Integrated Circuit Smart Cards. Microcontroller cards contain a microcontroller, an operating system, and read/write memory that can be updated many times. The secure microcontroller chip card contains and executes logic and calculations and stores data in accordance with its operating system. The microcontroller card is like a miniature PC one can carry in a wallet. All it needs to operate is power and a communication terminal. Contact, contactless and dual-interface microcontroller ICs are available. Unlike memory-only products, these microcontroller ICs have been designed (and can be verified) to meet security targets, such as Common Criteria (for example, the Department of Defense Common Access Card).

There are two primary types of smart card interfaces—contact and RF-enabled contactless. The terms “contact” and “contactless” describe the means by which electrical power is supplied to the chip and by which data is transferred from the chip to an interface (or card acceptance) device (reader).

Contact Smart Cards. A contact smart card must be inserted into a smart card reader that directly touches the conductive contact plate on the surface of the card. Transmission of commands, data, and card status takes place over these physical contact points.

[5] Source: Government Smart Card Handbook, U.S. General Services Administration, 2004 (with updates)
[6] Jack M. Kaplan, Smart Cards: The Global Information Passport, (New York: International Thomson Computer Press, 1996), 69-75.
[7] Jose Luis Zoreda and Jose Manuel Oton, Smart Cards (Boston: Artech House, Inc., 1994), 5-6.

RF-Enabled Contactless Smart Cards. RF-enabled contactless smart cards need only be in near proximity to the reader (generally within 4-10 centimeters or 2-4 inches) for data exchange to take place. The contactless data exchange takes place over radio frequency (RF) waves. The devices that facilitate communication between the card and the reader are RF antennae internal to both the card and the reader.

Hybrid Smart Cards. A hybrid card contains two chips on the card, one supporting a contact interface and one supporting a contactless interface. The chips contained on the card are generally not connected to and cannot communicate with each other.

Dual-Interface Smart Cards. A dual-interface smart card contains a single chip that supports both contact and contactless interfaces. These dual-interface cards provide the functionality of both contact and contactless cards in a single form factor, with designs able to allow the same information to be accessed via contact or contactless readers. Dual interface cards can apply different security protocols to the same data, depending on which interface is used to access it.

Contact, contactless and dual-interface smart cards support the same high levels of security that are needed for protecting sensitive information and enabling secure transactions.

2.3 Smart Card Functions and Applications

Smart card technology is used to provide data portability, security and convenience for many different applications. Smart cards allow data and applications to be securely stored and accessed on the chip and enable secure data exchange with a reader and host system. Smart card technology provides high levels of security and privacy protection, making it ideal for handling sensitive information such as payment account and identity information.
Since smart cards can store virtually any type of information, they can be combined with other technologies such as biometrics in systems requiring the highest levels of assurance.

Smart cards are now used worldwide in many payment, identity and access applications. Table 4 shows examples of smart card applications; these applications are discussed in more detail in CSCIP Modules 4, 5 and 6.

Table 4. Example Smart Card Applications [8]

Physical access
- Environment: port facility, campus, single building, parking lot
- Interior: entrances, lobbies, offices, computer rooms, vaults
- Transportation: buses, planes, trains, ships, subways

Logical Access
- Network and computer system login
- Signed and encrypted e-mail, secure transactions requiring higher levels of assurance
- Common files: shared/working documents, employee handbook, newsletters
- Confidential files: payroll, trade secrets, human resource files

Data Storage
- Property management
- Clearance information
- Personnel rosters
- Medical information
- Training/certifications
- Personal information for electronic forms submission

Financial
- Electronic purse: cafeteria, transit, parking
- ATM, credit, debit and prepaid payment (contact and contactless)

Privilege Management
- Healthcare
- Voting
- Driver’s license
- Travel/border crossing
- Electronic benefits

Law Enforcement
- Criminal records
- Citizenship
- Immigration status
- User/document authenticity confirmation
- Identification at time of death

[8] Smart Card Alliance, Secure Identification Systems: Building a Chain of Trust, March 2004

3 Integrated Circuit Types [9]

Integrated circuits go by many names: IC, microcircuit, microchip, silicon chip, or just plain chip.
An IC is simply a miniaturized electronic circuit that is manufactured in the surface of a thin substrate of semiconductor material. In a smart card, the IC provides the computing platform for executing applications specific to that card. The ICs used in smart cards are "secure" ICs, meaning that they have been designed and manufactured with features that are used to protect the data and enable secure transactions with smart card applications.

Applications contained on smart cards vary in complexity, memory requirements, and the security required to protect the information stored and processed in the IC. Depending on the requirements, the ICs used for smart card programs are either secure memory ICs or secure microcontrollers.

3.1 Memory and Secure Memory

Memory ICs are used for smart card applications that need data storage, but that have minimal requirements for data protection. The data can be any information required by the specific smart card application. For example, the following information can be stored on a memory IC to support an identification application:

- Card issuer
- Card serial number
- Other user information (depending on the card application)

Memory smart cards use non-volatile memory (NVM) which allows the card to hold data even after its power source is removed. The NVM in a memory smart card can incorporate different memory technologies but typically uses erasable programmable read-only memory (EPROM) or electrically erasable programmable read-only memory (EEPROM). EPROM can only be changed once and is often used in prepaid service cards such as telephone calling cards that count off the minutes used and are then discarded. EEPROM can be changed up to 500,000 times. Logic that can be used to update a counter in prepaid service cards is built in.

Every secure memory IC is identified by a unique serial number. Optional fields on the memory IC include authentication logic, counter logic, error counter, data, and secret codes or keys.
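
The protections described for secure memory cards in sections 2.2 and 3.1 (a purse guarded by a secret code, an error counter, and a counter that limits reloads) can be modeled in a few lines of Python. This is an added example, not part of the Smart Card Alliance module; the class, field names and limits are constructed for illustration and do not describe any real chip.

```python
import hmac


class SecureMemoryCard:
    """Constructed model of the wired logic in a reloadable secure memory card.

    Field names and limits are assumptions for illustration only; they are
    not taken from the module or from any real chip's datasheet.
    """

    def __init__(self, serial, secret_code, units, max_tries=3, max_reloads=2):
        self.serial = serial              # unique serial number, read-only
        self._secret = secret_code        # secret code, never readable
        self._units = units               # purse value (counter logic)
        self._max_tries = max_tries
        self._tries_left = max_tries      # error counter
        self._reloads_left = max_reloads  # reload counter, only counts down

    @property
    def locked(self):
        """True once the error counter is exhausted."""
        return self._tries_left == 0

    def read_units(self):
        return self._units

    def spend(self, n):
        """Unauthenticated access may only move the purse value down."""
        if n <= 0 or n > self._units:
            return False
        self._units -= n
        return True

    def _present_code(self, code):
        if self.locked:
            return False
        # Charge the attempt BEFORE comparing, so removing power during
        # the comparison cannot buy a free guess.
        self._tries_left -= 1
        if hmac.compare_digest(code, self._secret):
            self._tries_left = self._max_tries  # success restores the counter
            return True
        return False

    def reload(self, code, units):
        """Adding value needs the secret code and a remaining reload."""
        if units <= 0 or not self._present_code(code):
            return False
        if self._reloads_left == 0:
            return False
        self._reloads_left -= 1
        self._units += units
        return True


def demo():
    """Run the constructed scenarios and return what a reader would see."""
    card = SecureMemoryCard(b"\x00\x00\x00\x01", b"1234", units=5)
    results = [
        card.spend(3),             # allowed: 5 -> 2
        card.spend(10),            # refused: more than the purse holds
        card.reload(b"0000", 50),  # refused: wrong code, one try used
        card.reload(b"1234", 50),  # allowed: 2 -> 52, tries restored
        card.reload(b"1234", 50),  # allowed: 52 -> 102, last reload
        card.reload(b"1234", 50),  # refused: reload counter exhausted
    ]
    guessed = SecureMemoryCard(b"\x00\x00\x00\x02", b"1234", units=5)
    for guess in (b"0000", b"1111", b"2222"):
        guessed.reload(guess, 50)
    # After three wrong codes even the correct one is refused.
    results.append(guessed.reload(b"1234", 50))
    return results, card.read_units(), guessed.locked, guessed.read_units()


if __name__ == "__main__":
    print(demo())
```

The model also shows the limit of this design: every rule is fixed logic on the card, which is why the module ranks secure memory ICs below secure microcontrollers.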
Application developers have options for several different memory card structures to meet design requirements. Figure 1 shows the block diagram of a typical secure memory IC.

Figure 1. Secure Memory IC Block Diagram

Of the two types of secure ICs – memory and microcontroller – used in smart cards, the secure memory IC is the less secure. In the simplest designs, secure memory ICs have logic that prevents writing or erasing data. More complex designs also restrict memory read access. Security for the memory card is managed by static logic that allows for the execution of symmetric cryptographic algorithms, which are used to encrypt the data to be transmitted from the card. Currently, secure memory cards support symmetric algorithms with key lengths of up to 128 bits.

[9] Smart Card Alliance, What Makes a Smart Card Secure?, October 2008

3.2 Microcontroller

The secure microcontroller is a more sophisticated smart card IC.
A secure microcontroller chip has [10]:
- An 8-bit to 32-bit central processing unit (CPU);
- Read Only Memory (ROM) or flash memory that contains the chip’s operating system and, optionally, application software;
- Random Access Memory (RAM) that serves as a temporary register for data;
- Other non-volatile memory (NVM) that is used for storage of user data (e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), ferroelectric RAM, flash memory);
- Features that integrate countermeasures against known and foreseen security threats to achieve Common Criteria or FIPS 140-2 certification;
- Environmental sensors (e.g., voltage, frequency, temperature);
- At least one serial communication port;
- A random number generator;
- Timers;
- Optional cryptography engine(s) (e.g., hardware accelerators for commonly used cryptographic algorithms such as 3DES, AES, RSA, and ECC);
- Optional other dedicated peripherals (e.g., checksum accelerator, Serial Peripheral Interface (SPI) communication port).

Figure 2 shows a block diagram of a typical secure microcontroller IC. Secure microcontroller ICs are programmed to execute applications, and functionality can be performed dynamically. Depending on what security functions the microcontroller is required to perform in a particular application, the controller may also have a cryptographic engine to more quickly and securely process asymmetric and/or symmetric algorithms.

Figure 2. Components of a Typical Secure Smart Card Microcontroller

[10] Source: Government Smart Card Handbook.

Figure 3. Example Smart Card IC Designs [11] (panels: Smart Card IC Design in 1996; Smart Card IC Design in 2000; labelled blocks: ROM, EEPROM, RAM, CPU)

Figure 3 shows the layout of an example smart card IC design in 1996 and in 2000. In earlier smart card designs, the IC's blocks can be easily identified, with no shield or glue logic and bus lines clearly visible.
Current smart card ICs provide additional security protections, with 0.18μm designs, an active shield, glue logic and no visible bus lines.

Program code is written into the microcontroller’s ROM during the IC manufacturing process. This program code, which is often referred to as the IC’s operating system (OS), supports the execution of the applications that the microcontroller is intended to perform. Data and application program code are stored in NVM, which can be modified under the control of the OS after the IC has been manufactured and embedded into the smart card.

The NVM in a secure microcontroller IC can be one or a combination of memory technologies: EPROM, EEPROM, flash memory and ferroelectric random access memory (FRAM). Flash memory is a specific type of EEPROM that is erased and programmed in large blocks. FRAM is a fast, low-power technology whose ferroelectric material holds and changes polarity to store data, and can do so over 100 trillion times.

One of the primary features of a secure microcontroller is dynamic active security. Microcontrollers have been adopted in smart cards mainly for secure data transactions. If a user or system cannot successfully authenticate to the microcontroller, the data stored on the card cannot be retrieved. Therefore, even if a smart card is lost, the data stored on the card will not be exposed. In addition, as a portable computer, a microcontroller smart card can process internal data securely and output the calculated result to a terminal for further processing.

The integrity of the stored data is protected by a suite of countermeasures that are invoked when the microcontroller senses an attempted attack. These countermeasures are discussed in CSCIP Module 2.
[11] CSCIP Exam Preparatory Course, Module 2, Gilles Lisimaque, July 2010

Secure microcontrollers offer on-chip security features that protect against physical and logical attacks. External clock frequency and voltages are monitored. Memory access rights are controlled by the memory management and protection unit. An active shield layer can detect attempts to probe or force internal components or signal lines. Random generation of current noise on idle buses (bus confusion) protects against attackers who analyze the bus. When someone tries to analyze the IC with various techniques, the built-in sensors are activated and trigger a special security reset, which immediately overwrites the RAM area. A functional current scrambling engine, in conjunction with the true random number generator and random wait state feature, protects against power and timing analyses.

Secure microcontrollers have begun to replace secure memory ICs as semiconductor technology has evolved to offer more functionality on less silicon area (i.e., lower cost). At the low end, secure microcontrollers are available with 8KB or less NVM and provide basic file system card capabilities or traditional paged/banked storage space structured similarly to the NVM of secure memory ICs. Such low-cost, fixed-ROM devices provide the security features of secure microcontrollers presented in this paper, but can be confused with or misidentified as secure memory ICs.

4 Form Factors for Smart Card Technology

The name, "smart card," is something of a misnomer. The term "smart card" now refers to any form factor that incorporates a smart card integrated circuit.
While the ID-1 format plastic card was the initial smart card form factor, smart card technology is now available in a wide variety of form factors, including plastic cards, key fobs, subscriber identification modules (SIMs) used in GSM mobile phones, watches, electronic passports and USB-based tokens.

4.1 Card Form Factor

ISO/IEC 7816 Parts 1 and 2 and ISO/IEC 7810 describe the specifications for the physical characteristics of integrated circuit cards with contacts and the dimensions and location of coupling areas for contact smart cards. Figure 4 shows the dimensions of the contact card form factor. The card form factor is widely used for access, identity, healthcare and payment applications and is available with both contact and contactless interfaces. (See Section 5 for a detailed discussion of smart card interfaces.)

Figure 4. Dimensions of the ID-1 contact smart card form factor [12]

4.2 USB Tokens

Smart card technology is built into USB-based tokens that provide a portable authentication device that can be used with any computer with a USB port – i.e., without a dedicated smart card reader. USB-based tokens can be used for any logical access applications that a smart card can be used for – secure data, password and PKI credential storage, encryption/decryption and multi-factor access to computers and networks. Smart card-based USB tokens may be designed to incorporate a SIM to provide field-serviceability. Figure 5 shows examples of smart-card-based USB tokens.

[12] Won J. Jun, "Smart Card Technology Capabilities," presentation, July 8, 2003

Figure 5.
Examples of Smart Card USB Tokens [13]

4.3 Subscriber Identity Module/Universal Integrated Circuit Card Form Factor

The European Telecommunications Standards Institute (ETSI) defined the dimensions of the plug-in SIM/UICC that is used in mobile phones and is now also used in conjunction with USB tokens. The SIM/UICC has the same thickness as the ID-1 form factor [14] and is available in two form factors, both standardized in ETSI TS 102 221:
- Plug-in UICC (2FF, or second form factor), which is 25 mm x 15 mm.
- Mini UICC (3FF, or third form factor), which is 15 mm x 12 mm.

Plug-in SIM cards are typically supplied as a full-sized card with the smaller card held in place by a few plastic links that are broken to remove the smaller SIM (see Figure 6).

Figure 6. Examples of SIM cards/UICCs [15]

4.4 Secure Element and Embedded Card Form Factors

Smart card technology is also available in surface mount device (SMD) form factors to be used as the secure element in mobile devices or as an embedded secure device in machine-to-machine applications. These form factors are available as:
- A solderable small SIM (MFF1 or MFF2), which is 5 mm x 6 mm and is standardized in ETSI TS 102 671.
- A SIM component in surface mount device packaging to allow the component to be soldered onto printed circuit boards.

Figure 7 shows examples of these form factors.

[13] Images provided courtesy of ActivIdentity, Gemalto, HID Global and SCM Microsystems.
[14] ETSI, Digital Cellular Telecommunications System (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) Interface, GSM 11.11, December 1995
[15] Images provided courtesy of Oberthur Technologies and Giesecke & Devrient.

Figure 7.
SMD Form Factors for Secure Elements and Embedded Cards [16]

4.5 Other Form Factors

Contactless smart card technology has enabled a wide range of new form factors, including key fobs, wrist watches, mini cards, contactless USB devices and ePassports. Near Field Communication (NFC) technology is also enabling mobile phones to be used for proximity mobile payments at point-of-sale terminals that accept contactless payments. With these new form factors, contactless smart card technology enables convenient and secure identity and payment transactions. Figure 8 shows examples of different contactless form factors to illustrate the variety of form factors now available.

Figure 8. Examples of Form Factors Using Contactless Smart Card Technology [17]

[16] Images provided courtesy of Oberthur Technologies.
[17] Images provided courtesy of Oberthur Technologies, First Data, MasterCard and Visa. Visa image and logo are copyright Visa 2008.

5 Communications Interfaces [18]

In general, smart cards currently cannot display information or directly accept input from the user. [19] For the user to access the information a smart card contains, the card needs an interface to communicate with a reader or terminal, such as a merchant point-of-sale terminal, a bank ATM or a computer smart card reader.

Four elements are required for a smart card to communicate with the outside world:
- A power source
- Clock signal transmission
- Data transfer to the secure IC
- Data transfer from the secure IC

Data can be transferred either by physical contact, using electrical connections with the contact pads on the surface of the smart card, or without contact (i.e., contactless), using radio frequency (RF) transmission.
The two methods of data transfer give rise to three types of smart cards: contact cards with a contact interface, contactless cards with a contactless interface, and dual-interface cards, with both a contact interface and a contactless interface. The choice of interface depends on both application and business requirements, which must also include security considerations. Contact and contactless smart cards may use either secure memory or a secure microcontroller as the underlying IC.

5.1 Contact Interface

A typical smart card is assembled with an IC delivered as a sawn wafer, packaged in a module, and embedded into a plastic card. [20] The component elements are shown in Figure 9. Interfacing with the outside world requires the card to be inserted into a smart card reader or terminal in such a way that the smart card module makes a physical connection with the contact wiper pads within the reader device.

Two primary types of contact readers are used: landing contact and friction contact (also known as sliding or wiping). In card readers featuring friction contact, the contact part is fixed. The contact wipes on the card surface and the chip when a card is inserted. In card readers using the landing type, the contact part is movable. The contact "lands" on the chip after a card is wholly inserted. In general, card readers of the landing type provide better protection to the card than those of the friction type. Landing type readers typically have longer lives in terms of the number of insert/remove cycles before failure.

Contact smart cards are used for many applications, including EMV credit/debit cards, healthcare cards, national ID cards and government and corporate employee ID cards that are used for accessing computers and networks.
[18] Smart Card Alliance, What Makes a Smart Card Secure?, October 2008
[19] Smart cards are emerging with numeric LED displays that can display (for example) an internally generated authorization code or with an activation button that controls whether a particular function (e.g., contactless mode) is on or off. However, these cards are currently complex and costly and have yet to reach mass deployment with proven reliability. They usually contain additional circuitry, such as additional ICs, and require a battery to power any display.
[20] Secure IC-based devices (i.e., smart cards) can come in a variety of form factors, including plastic cards, key fobs, wristbands, wristwatches, PDAs, and mobile phones.

Figure 9. Component Elements of a Contact Smart Card

5.1.1 Contact Interface Standards

A contact smart card’s protocol interface for data communication is standardized in ISO/IEC 7816-3, while its physical connections are standardized in ISO/IEC 7816-2. ISO/IEC 7816-3 specifies the power and signal structures, and information exchange between an integrated circuit card and an interface device such as a terminal. It also covers signal rates, voltage levels, current values, parity convention, operating procedure, transmission mechanisms and communication with the card.

ISO/IEC 7816-3 supports the following contacts.
- C1: supply power input (VCC)
- C2: reset signal input (RST)
- C3: clock signal input (CLK)
- C5: ground (GND)
- C7: input/output for serial data (I/O)

The ISO/IEC 7816-3 standard defines the various technical bytes of the Answer-to-Reset (ATR) as well as the various transmission protocols (T=0 or T=1) available to contact smart cards. A section also defines how a card and the interface device can negotiate the transmission protocol and the various parameters (e.g., speed, block size) of the transmission.
This procedure, which happens just after the answer-to-reset, is called Parameter Protocol Selection (PPS).

5.1.2 Data Transmission Protocols

Two data transmission protocols, T=0 and T=1, defined in ISO/IEC 7816-3 are primarily used with contact smart card implementations. Both T=0 and T=1 protocols are master/slave oriented, with the terminal always initiating the command to the card.

The protocol T=0 is a half-duplex byte-oriented protocol. The interface device initiates every command by transmitting a five-byte header that tells the card what to do. The command processing continues with the transfer of a variable number of data bytes in one direction under the control of procedure bytes transmitted by the card. It is assumed that the card and the interface device know a priori the direction of transfer, in order to distinguish:
- Commands for incoming data transfer where the data bytes enter the card while processing, and
- Commands for outgoing data transfer where the data bytes leave the card while processing.

The protocol T=1 is a half-duplex block transmission protocol. A block is a byte string conveyed in asynchronous characters. The interface device and the card may initiate these commands. The main characteristics of the T=1 transmission protocol are the following.
- The transmission protocol starts with a first block transmitted by the interface device; it continues with alternating the right to transmit a block.
- A block is the smallest data unit that can be exchanged. A block may be used to convey application data transparent to the transmission protocol and transmission control data (including transmission error handling).
- The block structure allows checking the received block before processing the conveyed data.
- The T=1 transmission protocol applies the principle of the OSI reference model.
Three layers are defined:
- The physical layer transmits moments organized in asynchronous characters.
- The data link layer includes a character component and a block component. The character component recognizes the beginning and the end of a block. The block component exchanges blocks.
- The application layer processes commands, which involves the exchange of at least one block or chain of blocks in each direction.

In addition to the protocols defined in ISO 7816-3, ISO 7816-12 defines a USB electrical interface and operating procedures for data transmission. Figure 10 shows the assignment of the contact fields for a USB interface and – to illustrate interoperability – the assignment used in ISO/IEC 7816-3.

Figure 10. Assignment of Contacts for USB-ICC

Two other transmission protocols used with smart cards are:
- The MultiMediaCard (MMC) interface. The MMC interface specification, published by the MultiMediaCard Association, was designed for data transfer with a memory card.
- The Single Wire Protocol (SWP). The SWP is a specification for communication between a GSM phone's Subscriber Identity Module (SIM) and the Near Field Communication (NFC) controller, providing another channel for SIM communication. The specification is published by the European Telecommunications Standards Institute (ETSI). [21]

5.2 Contactless Interface

Contactless smart card technology is used increasingly in applications that must protect personal information and deliver fast, secure transactions. Leveraging many years of smart card security developments, contactless smart cards have the ability to store, protect, manage, and provide access to secure data and to support the security protocols and algorithms required by an application.
In addition, contactless smart card technology delivers the convenience, durability, and reliability required by applications that must support fast transaction throughput in demanding environments. Contactless cards and readers can be used in hostile environments (e.g., outdoor use) that might cause contact card or reader failure due to exposure to moisture.

A contactless smart card-based device includes an embedded secure microcontroller or equivalent intelligence, internal memory, and a small antenna, and communicates with a reader through a contactless radio frequency (RF) interface. The contactless interface provides users with the convenience of allowing the contactless device to be read at short distances with fast transfer of data. Contactless smart chip technology is available in a variety of forms – plastic cards, watches, key fobs, documents, and other handheld devices such as mobile phones.

Contactless technology is used for applications such as mass transit tickets, physical access control, and debit and credit payment cards. Contactless mobile payment applications [22] are also now being implemented using Near Field Communication (NFC) technology, which follows universally implemented standards from ISO, Ecma International, and the European Telecommunications Standards Institute (ETSI) and is compliant with ISO/IEC 14443.

There are two main differences between a contact and contactless smart card. First, there are no physical connections between the contactless card and the reader. Second, a contactless card's power to drive the secure IC is derived from energy transferred from an RF field generated by the reader that induces an electrical current in the IC's antenna coil when it enters the reader's RF field (Figure 11).

Figure 11. Contactless Smart Card in RF Field

The secure IC module is embedded in the card with no exposure to the card surface.
The module has only two external contacts (whereas a contact smart card normally has five), which connect to an antenna coil that is also embedded in the card (Figure 12).

[21] http://en.wikipedia.org/wiki/Single_Wire_Protocol
[22] Contactless mobile payment is also called proximity mobile payment.

Figure 12. Contactless Card

5.2.1 Contactless Technology Standards

The International Organization for Standards (ISO) has created standards for three contactless technologies that are relevant for smart card interfaces and applications: [23]
- ISO/IEC 10536 close coupling cards
- ISO/IEC 14443 proximity cards
- ISO/IEC 15693 vicinity cards

ISO/IEC 10536 has not been widely deployed. In addition, advances in the ISO/IEC 14443 and ISO/IEC 15693 technologies have made the ISO/IEC 10536 contactless standard increasingly less appealing.

ISO/IEC 10536, ISO/IEC 14443 and ISO/IEC 15693 contactless technologies make use of the application-level standards defined in ISO/IEC 7816, part 4 and above. These standards define the structure of commands sent to the card, data and file structures, security mechanisms, identification of applications, inter-industry data elements and card life cycle management.

While not a smart card standard, the Near Field Communication (NFC) standard, ISO/IEC 18092, is an important contactless technology standard that is expected to be integrated into mobile phones and other devices.

5.2.1.1 ISO/IEC 14443

ISO/IEC 14443 is an international standard that defines the interfaces to a “proximity” contactless smart card, including the radio frequency (RF) interface, the electrical interface, and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate at 13.56 MHz and typically have an operational range of up to 4-10 centimeters (2-4 inches).
ISO/IEC 14443 is the primary contactless smart card standard being used for transit, financial, and access control applications. It is also used in electronic passports and in the FIPS 201 PIV card.

Type A and Type B are two communication methods defined by the standard. Differences include the modulation of the magnetic field used for coupling, the coding format and the anticollision method (i.e., how the cards and readers respond when more than one card responds at the same time to a reader’s request for data). In 1994, when standardization began, Type A and Type B had slightly different application focus. Today’s technological advances have removed this application differentiation. By including both in the final version of the ISO/IEC 14443 standard, the widest base of vendors is able to offer standardized contactless technology.

ISO/IEC 14443 Part 1 - Physical characteristics. The standard defines the following:
- Card dimensions (referring to 7810 for ID-1 cards)
- Surface quality for printing
- Mechanical resistance
- UV and X-ray resistance
- Sensitivity to surrounding magnetic fields

The standard also introduces the following specific terms:
- PICC: Proximity integrated circuit(s) card
- PCD: Proximity coupling device (the card reader or terminal)

[23] Smart Card Alliance, Contactless Technology for Physical Access: Technology and Standards Choices, October 2002

ISO/IEC 14443 Part 2 - Radio frequency power and signal interface. This standard describes the characteristics of power transfer (based on inductive coupling) and communication between the PICC and PCD. Power is transferred to the card using a frequency-modulated field at 13.56 MHz +/- 7 kHz. Two different types of communication signal interfaces (bit coding) are specified: Type A and Type B.
The bit protocol timings are defined and the standard (default) data transmission rate is defined at 106 kBaud. Figure 13 shows the communications interface signals with Type A and Type B methods. The protocol as defined in the standard (Type A or Type B) does not imply the nature of the chip in the card. Since many current MCUs are able to generate their clock internally, even when the external modulation is 100% (Type A), MCU-based smart cards can be fully compatible with ISO/IEC 14443 Type A protocol.

Figure 13. Type A and Type B Communication Interface Signals [24] (panels: Type A communication interface signal; Type B communication interface signal)

[24] eEurope Smart Cards document: TB6 WP1 Interoperability Draft May 2002

ISO/IEC 14443 Part 3 - Initialization and anticollision. This part of ISO/IEC 14443 describes:
- Polling for PICCs entering the field of a PCD (i.e., the terminal talks first).
- Byte format, command frames and timing.
- Request (REQ) and Answer To Request (ATQ) commands.
- Anti-collision methods to detect and communicate with one particular card when several cards are presented to the same reader. Anti-collision methods rely on a unique ID per card; however, depending on the communication type (A or B), the anti-collision method is different.
  - Type A: Binary search method referring to the unique identifier (UID) of the card.
  - Type B: Slotted Aloha method.

ISO/IEC 14443 Part 4 - Transmission protocol. This standard specifies a half-duplex block transmission protocol (T = CL). Several protocol scenarios are included in Appendix B of the standard, showing how this common transmission protocol can be used. The standard also defines the transparent exchange of data, independent of the lower layers. The commands in this set are all mandatory, providing interoperability with fully compliant products.
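The two anti-collision methods named under Part 3 can be compared with a small simulation. This is an added example, not part of the Smart Card Alliance module: the UIDs are constructed, UID bits are modelled most-significant-first rather than in the standard's on-air order, and the slot-doubling retry policy in the Type B function is an assumption made for illustration.

```python
"""Simulation of the two ISO/IEC 14443-3 anti-collision styles (added example)."""
import random

UID_BITS = 32  # single-size Type A UID


def uid_bits(uid):
    """UID as a bit list. Simplification: the most significant bit is sent first."""
    return [(uid >> (UID_BITS - 1 - i)) & 1 for i in range(UID_BITS)]


def type_a_select_one(active_uids):
    """Binary search for one card; returns (uid, frames_sent_by_reader)."""
    prefix, frames = [], 0
    while True:
        frames += 1
        # Only cards whose UID starts with the prefix sent by the PCD answer.
        answers = [uid_bits(u) for u in active_uids
                   if uid_bits(u)[:len(prefix)] == prefix]
        # Answers arrive superimposed: a position where they differ is a collision.
        collision_at = next(
            (pos for pos in range(len(prefix), UID_BITS)
             if len({a[pos] for a in answers}) > 1),
            None,
        )
        if collision_at is None:
            # Clean answer: the whole UID is known and the card can be selected.
            return int("".join(map(str, answers[0])), 2), frames
        # Keep the cleanly received bits and follow the '1' branch of the tree.
        prefix = answers[0][:collision_at] + [1]


def type_a_resolve(uids):
    """Select every card in the field, halting each one once it is selected."""
    active, order, frames = set(uids), [], 0
    while active:
        uid, used = type_a_select_one(active)
        order.append(uid)
        frames += used
        active.remove(uid)  # models the halt state: a selected card stops answering
    return order, frames


def type_b_resolve(card_ids, n_slots=4, seed=1, max_rounds=50):
    """Slotted Aloha: each card answers in a random slot; lone answers are read."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    pending, order, rounds = sorted(card_ids), [], 0
    while pending and rounds < max_rounds:
        rounds += 1
        slots = {}
        for card in pending:
            slots.setdefault(rng.randrange(n_slots), []).append(card)
        for slot in sorted(slots):
            if len(slots[slot]) == 1:  # exactly one answer in the slot: readable
                order.append(slots[slot][0])
        # Cards that collided stay pending and try again in the next round.
        pending = [c for c in pending if c not in order]
        if pending and n_slots < 16:
            n_slots *= 2  # assumed retry policy: offer more slots after collisions
    return order, rounds


CONSTRUCTED_UIDS = [0xA1B2C3D4, 0xA1B2C3D5, 0x11223344]  # made-up sample values

if __name__ == "__main__":
    order, frames = type_a_resolve(CONSTRUCTED_UIDS)
    print("Type A:", [f"{u:08X}" for u in order], "reader frames:", frames)
    order, rounds = type_b_resolve(CONSTRUCTED_UIDS)
    print("Type B:", [f"{u:08X}" for u in order], "rounds:", rounds)
```

In both methods the identifier only singles out one card to talk to; nothing in this exchange authenticates the card.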
5.2.1.2 ISO/IEC 15693

ISO/IEC 15693 describes standards for “vicinity” cards. Specifically, it establishes standards for the physical characteristics, radio frequency power and signal interface, and anti-collision and transmission protocol for vicinity cards that typically operate within 1.5 meters (approximately 5 feet). ISO/IEC 15693-based smart cards are typically used in physical access control applications.

ISO/IEC 15693-1 Physical characteristics. This standard refers to ISO/IEC 7810 for dimensions and introduces specific terms:
- VICC: Vicinity integrated circuit(s) card
- VCD: Vicinity coupling device

ISO/IEC 15693-1 also includes definitions for the behavior of the card when exposed to mechanical stress, static and alternating electric fields, and magnetic fields.

ISO/IEC 15693-2 Air interface and initialization. This part of ISO/IEC 15693 describes the characteristics of power transfer (based on inductive coupling) and communication between the VICC (card) and VCD (reader device). The power is transferred to the card using a frequency-modulated field at 13.56 MHz +/- 7 kHz. The standard requires that several different modes be supported by the VICC.

ISO/IEC 15693-3 Anti-collision and transmission protocol. This part of ISO/IEC 15693 describes:
- Protocols and commands.
- Other parameters required to initialize communication between a VICC and a VCD.
- Methods to detect and communicate with one card among several cards presented (anti-collision).
- Data elements – for example, UID and Application Family Identifier (AFI).
- Memory organization.
- Behavior of VICCs described in state machine diagrams.
- Set of commands (mandatory, optional, custom and proprietary).

5.2.1.3 Near Field Communication Standards and Specifications

Near Field Communication (NFC) is a short-range wireless connectivity technology that provides intuitive, simple, and safe communication between electronic devices.
Communication occurs when two NFC-compatible devices are brought within four centimeters of one another. NFC operates at 13.56 MHz and transfers data at up to 424 Kbits/second.

NFC-enabled devices are specified by standards in ISO/IEC (ISO/IEC 18092), ETSI (ETSI TS 102 10 V1.1.1 (2003-03)) and Ecma International (ECMA-340) and by specifications published by the NFC Forum.

ISO/IEC 18092 [25] (also ECMA-340) defines communication modes for Near Field Communication Interface and Protocol (NFCIP-1) using inductive coupled devices operating at the center frequency of 13.56 MHz for interconnection of computer peripherals. The standard defines:
- Both the active and the passive communication modes of NFCIP-1 to realize a communication network using Near Field Communication devices for networked products and also for consumer equipment.
- Modulation schemes, codings, transfer speeds and frame format of the RF interface, as well as initialization schemes and conditions required for data collision control during initialization.
- Transport protocol including protocol activation and data exchange methods.

ISO/IEC 18092 allows backward compatibility with existing contactless devices by supporting ISO/IEC 14443 Type A, and the Japanese Industrial Standard (JIS) X 6319-4 (also known as FeliCa, see Section 5.2.1.4) contactless interface protocols.

An NFC-enabled device can operate in reader/writer and peer-to-peer mode, and may operate in card emulation mode. An NFC tag is typically a passive device (for example, integrated in a smart poster) that stores data that can be read by an NFC-enabled device.
NFC Forum-certified devices in NFC Forum Reader/Writer mode must support the RF requirements for ISO/IEC 14443 Part A, ISO/IEC 14443 Part B and FeliCa (see Section 5.2.1.4), as outlined in the relevant parts of ISO/IEC 18092. [26]

ISO/IEC 21481 (also ECMA-352) specifies the communication mode selection mechanism for devices implementing ISO/IEC 18092, ISO/IEC 14443 or ISO/IEC 15693; the standard was designed to not disturb any ongoing communication at 13.56 MHz.

Additional information about the application and implementation of NFC is covered in detail in CSCIP Module 4, Smart Card Usage Models: Mobile and NFC.

5.2.1.4 Other Contactless Smart Card Technology Implementations

Vendors also offer contactless smart card technology based on proprietary specifications. In general, most smart card applications today use one of the contactless technology standards discussed above. Two of the prominent proprietary specifications that are now included in industry standards are the NXP Semiconductor MIFARE™ protocol and the Sony FeliCa protocol.

5.2.1.4.1 NXP Semiconductors MIFARE [27]

NXP Semiconductors MIFARE Classic™ contactless memory IC uses a protocol complying with ISO/IEC 14443 Type A up to Part 3 and ISO/IEC 18092. The protocol for this IC does not implement ISO/IEC 14443 Part 4 and uses a proprietary cryptographic algorithm. NXP Semiconductors' MIFARE Classic is one of the most widespread contactless technologies used in contactless e-ticketing systems.

In addition, NXP Semiconductors offers MIFARE-branded products that are fully compliant with ISO/IEC 14443 Type A up to Part 4. Furthermore, the trend towards open cryptography is reflected in the MIFARE DESFire EV1, MIFARE Plus and MIFARE Ultralight C products, which are based on the Advanced Encryption Standard AES-128 and/or on DES/Triple DES. The MIFARE Plus and MIFARE DESFire EV1 products feature a fixed operating system on a contactless microcontroller IC and are certified according to Common Criteria EAL 4+.
[25] Source: ISO/IEC
[26] NFC Forum, NFC Forum Frequently Asked Questions, http://www.nfc-forum.org/resources/faqs/
[27] Source: NXP Semiconductors

According to NXP, more than 1 billion MIFARE-based contactless and dual-interface smart card chips and 10 million reader components have been sold. [28]

5.2.1.4.2 Sony FeliCa

FeliCa is a contactless smart card technology developed by Sony and widely used in Asia for electronic purse systems, mobile payment and public transport payment and ticketing. Prominent implementations include: the East Japan Railway's Suica card (ticket and e-money); bitWallet, Inc.'s Edy e-money in Japan; and the Hong Kong Octopus Card (ticket and e-money).

FeliCa complies with Japanese Industrial Standard (JIS) X 6319-4, Specification of Implementation for Integrated Circuit(s) Cards - Part 4: High Speed Proximity Cards, and is included in ISO/IEC 18092.

FeliCa is similar to ISO/IEC 14443. FeliCa operates at 13.56 MHz, uses Manchester coding at up to 424 Kbit/sec, and has an operating range of 10 centimeters or less.

5.2.1.5 Comparison of Contactless Technology: ISO/IEC 14443 and ISO/IEC 15693

ISO/IEC 14443 and ISO/IEC 15693 technologies, the primary contactless technology standards, have evolved with their own set of features and specifications. Both solve specific market requirements and each is now expanding into application areas originally addressed by the other technology. The key differentiators between the technologies are their operational ranges, speed (data transfer rates) and extent and maturity of features and applications using the technologies.

ISO/IEC 14443 and ISO/IEC 15693 technologies share the following important features and benefits:

- 13.56 MHz frequency of operation. This frequency can be used throughout the world for contactless applications.
- Read/write capability to the card. This allows user information to be stored and updated on the card (for example, a PIN or biometric template) and helps eliminate the need to access a host computer or database during use.
- Ability for manufacturers to implement security features. Although neither standard specifies security, features such as DES, Triple DES and AES are commonly available.
- Support for card-to-reader authentication.
- Support for multiple interface readers, allowing a single reader to work with multiple technologies. This approach offers businesses a migration path into contactless smart card technology that does not require them to abandon their currently installed access control solution.
- Hybrid card capability, allowing incorporation of multiple contactless technologies on a single card.

The various RF standards specify the minimum and maximum field strength but do not define any minimum or maximum operational range. The distance at which a contactless smart card can be read is subject to multiple factors, including size and gain of the antenna (for receiving and transmitting data), magnetic field strength, frequency used, and power required by the chip to operate. Operational ranges specifying the maximum distance at which the different RF technologies work can be expected to vary based on these factors. For example, ISO/IEC 10373 tests ISO/IEC 14443-compliant smart cards from 0 to 4 centimeters, but some chips/cards could operate to 10 centimeters under favorable conditions.

ISO/IEC 15693-based smart cards have three different modes of operation which support varying operational ranges (based on different power requirements for the chip):

- To read a device unique number, the range can be up to 5 feet (approximately 1.5 meters);
- To both read and write, operations are possible from 1-2 feet;
- To support a cryptographic authenticated mode (if available in the chip), the range is approximately 4 inches (10 centimeters).
[28] http://www.nxp.com/#/pip/pip=[pfp=53422]|pp=[t=pfp,i=53422]

Table 5 compares technical features for contactless smart card technology and Section 10.3 includes additional information about contact and contactless smart card standards.

ISO/IEC 14443-based contactless smart card technology is now being used in credit/debit payment, transit payment and physical access applications. ISO/IEC 15693-based contactless smart card technology is primarily used for physical access applications.

Table 5. Comparison of Contactless Technology Technical Features

| Features | ISO/IEC 14443 | ISO/IEC 15693 |
|---|---|---|
| Standards | ISO/IEC 14443; ISO/IEC 7810 | ISO/IEC 15693; ISO/IEC 7810 |
| Frequency | 13.56 MHz | 13.56 MHz |
| Operational range | Up to 4-10 centimeters (~2-4 inches) | Up to 1-1.5 meter (~5 feet) |
| Chip types supported | Memory; Wired logic; Microcontroller [29] | Memory; Wired logic |
| Encryption and authentication functions [30] | MIFARE, 3DES, AES, RSA [31], ECC | Supplier specific, 3DES |
| Memory capacity range | 64 to 64K bytes | 256 and 2K bytes |
| Read/write ability | Read/write | Read/write |
| Data transfer rate (Kb/sec) | Up to 106 (ISO); Up to 848 (available) | Up to 26.6 |
| Anti-collision | Yes | Yes |
| Card-to-reader authentication | Challenge/Response | Challenge/Response |
| Hybrid card capability | Yes | Yes |
| Contact interface support | Yes | Yes |

In addition to the standards-based contactless technology, proprietary contactless smart card technologies are also in use [32], primarily for transit applications.

5.2.1.6 Comparison of Contactless Technology: ISO/IEC 14443 and ISO 18092/NFC

ISO/IEC 18092 was defined to allow backward compatibility with existing contactless devices by supporting ISO/IEC 14443 Type A and the Japanese Industrial Standard (JIS) X 6319-4 (also known as FeliCa, see Section 5.2.1.4) contactless interface protocols.

[29] ISO/IEC 14443 uses the standard ISO/IEC 7816 for common application-level functions.
[30] The ISO standard does not specify security functions.
[31] RSA-based encryption and authentication may not be available on all cards due to power consumption, execution time or key length constraints.
[32] Examples are Sony FeliCa, Cubic GO Card and Calypso.

Table 6 shows a comparison of NFC devices with contactless smart card systems. Two primary differences from an architectural perspective are:

- An NFC-enabled device can be either an Initiator (i.e., initiating and controlling the data exchange) or a Target (i.e., a device that responds to commands from the Initiator). A contactless smart card operates only as a Target, with the reader/writer the Initiator.
- The NFC protocol supports active and passive communication modes. In active mode, both the Initiator and the Target generate an RF field for transmitting data; in passive mode, only the Initiator generates an RF field.

Table 6. Comparison of NFC Devices and Contactless Smart Card Systems [33]

| | NFC Devices (Initiator / Target) | Contactless Smart Card Systems (Reader/writer / Contactless smart card) |
|---|---|---|
| Communication Principle | Active communication mode: Both Initiator and Target generate RF field. Passive communication mode: Initiator generates RF field and Target answers using load modulation | Reader generates RF field and card answers using load modulation |
| Initialization | Active communication mode: RF collision avoidance. Passive communication mode: Initialization and anti-collision | Initialization and anti-collision |
| Speed at initialization (Kbit/s) | 106, 212, 424 | 106 for ISO/IEC 14443 Type A; 212, 424 for FeliCa |
| Communication protocol | NFC IP-1 data exchange protocol | ISO/IEC 14443 transmission protocol; MIFARE: fixed command set; FeliCa: fixed command set |
| Speed at communication protocol (Kbit/s) | 106, 212, 424 | 106, 212, 424, 848 for ISO/IEC Type A (including amendments); 106 for MIFARE; 212, 424 for FeliCa |

Table 7 and Table 8 show how ISO/IEC 18092 accommodates compatibility among the existing standards and proprietary specifications that make up the majority of the installed base of contactless smart cards.

Table 7. Comparison of ISO/IEC 18092 Initiator Passive Mode, ISO/IEC 14443 and FeliCa [34]

| Initiator (Reader) | NFC (Passive) | MIFARE Classic | ISO/IEC 14443 Type A | ISO/IEC 14443 Type B | FeliCa |
|---|---|---|---|---|---|
| Protocol | Data Exchange | MIFARE Classic | ISO Protocol (T=CL) | ISO Protocol (T=CL) | FeliCa Protocol |
| Anti-collision procedure | Bitwise (106 Kbit/s); Time Slot (212, 424 Kbit/s) | Bitwise | Bitwise | Slot Marker | Time Slot |
| RF Interface | 13.56 MHz | 13.56 MHz | 13.56 MHz | 13.56 MHz | 13.56 MHz |
| | 106 - 424 Kbit/s | 106 Kbit/s | 106 - 848 Kbit/s | 106 - 848 Kbit/s | 212 Kbit/s |
| | 106: 100% ASK; 212/424: 8-30% ASK | 100% ASK | 106: 100% ASK; >212: 60% ASK | 10% ASK | 8-30% ASK |
| | 106: Modified Miller; 212/424: 8-30% Manchester | Modified Miller | Modified Miller | NRZ | Manchester |

[33] NFC vs. ISO 14443 vs. Felica, Bob Jiang, Philips presentation, Feb. 23, 2006, http://blogs.forum.nokia.com//data/blogs/resources/300066/Philips-NFC-vs-ISO14443-vs-Felica-SLIDES.pdf, with updates from the NFC Forum
[34] Ibid.

Table 8. Comparison of ISO/IEC 18092 Target (Card/Tag) Passive Mode, ISO/IEC 14443 and FeliCa [35]

| Target (Tag) | NFC (Passive) | MIFARE Classic | ISO/IEC 14443 Type A | ISO/IEC 14443 Type B | FeliCa |
|---|---|---|---|---|---|
| Protocol | Data Exchange | MIFARE | ISO Protocol (T=CL) | ISO Protocol (T=CL) | FeliCa Protocol |
| Anti-collision procedure | Bitwise (106 Kbit/s); Time Slot (212, 424 Kbit/s) | Bitwise | Bitwise | Slot Marker | Time Slot |
| RF Interface | 13.56 MHz | 13.56 MHz | 13.56 MHz | 13.56 MHz | 13.56 MHz |
| | 106 - 424 Kbit/s | 106 Kbit/s | 106 - 848 Kbit/s | 106 - 848 Kbit/s | 212-424 Kbit/s |
| | Load Modulation | Load Modulation | Load Modulation | Load Modulation | Load Modulation |
| | 106: Manchester (with subcarrier); 212/424: Manchester | Manchester (with subcarrier) | Manchester (with subcarrier) | BPSK | Manchester |

5.3 Dual Interface

The dual-interface smart card, as the name implies, has both a contact interface and a contactless interface. Physically the card looks like a contact card, but the IC module has two additional contact points for the antenna coil. The IC can use either ISO/IEC 7816 or ISO/IEC 14443 protocols to communicate with a reader. Figure 14 shows an illustration of a dual-interface card.

[35] Ibid.

Figure 14. Dual-Interface Smart Card

A dual-interface card may be required, for example, for a transit card, which requires the contactless mode for fast transaction times and throughput at turnstiles and the contact mode to allow funds to be reloaded at an ATM or merchant POS terminal.

A hybrid smart card can be considered a type of dual-interface card. Hybrid cards operate in both contact and contactless modes by using separate secure ICs for each mode. Hybrid cards, while still in use, do not represent current technology; they were an earlier solution to allow smart cards to operate in both contact and contactless modes, which is now readily available with today’s dual-interface products. Hybrid cards differ from dual-interface cards in that the two interfaces of a hybrid card typically provide access to different memories, while the single memory of a dual-interface can be accessed via either interface.

6 Memory Sizes and Types

6.1 Memory-Based Smart Cards [36]

Memory smart cards are used for applications that need data storage, but that have minimal requirements for data protection. The data can be any information required by the specific application. Memory smart cards use non-volatile memory (NVM) which allows the card to hold data even after its power source is removed.

The NVM in a memory smart card can incorporate different memory technologies but typically uses erasable programmable read-only memory (EPROM) or electrically erasable programmable read-only memory (EEPROM). EPROM can only be changed once and is often used in prepaid service cards such as telephone calling cards that count off the minutes used and are the