SMART CARDS. Miguel Monteiro FEUP / DEI

Similar documents
Secure Elements 101. Sree Swaminathan Director Product Development, First Data

Smart Card Operating Systems Overview and Trends

Smart cards are made of plastic, usually polyvinyl chloride. The card may embed a hologram to prevent counterfeiting. Smart cards provide strong

Smartcards. ISO 7816 & smartcard operating systems. Erik Poll Digital Security Radboud University Nijmegen

MTAT Applied Cryptography

MTAT Applied Cryptography

Smart Cards. Outline. José Costa Application Domains: Smart Cards. Software for Embedded Systems

Java Card Technology Overview

Smart Card ICs. Dr. Kaushik Saha. STMicroelectronics. CSME 2002 (Chandigarh, India) STMicroelectronics

2 nd ETSI Security Workshop: Future Security. Smart Cards. Dr. Klaus Vedder. Chairman ETSI TC SCP Group Senior VP, Giesecke & Devrient

Smart Card Basics Smart Card Basics

Smart Cards. José Costa. Software for Embedded Systems. Departamento de Engenharia Informática (DEI) Instituto Superior Técnico

Security Policy for Schlumberger Cyberflex Access 32K Smart Card with ActivCard Applets

Ch 9: Mobile Payments. CNIT 128: Hacking Mobile Devices. Updated

Presentation of the Interoperability specification for ICCs and Personal Computer Systems, Revision 2.0

Design and Implementation of a Mobile Transactions Client System: Secure UICC Mobile Wallet

CREDENTSYS CARD FAMILY

Preface. Structure of the Book

basic schemes, memory types: transient vs. persistent, garbage collection basic schemes, system-level vs. user-level transactions

The SIM Turns 20. Dr. Klaus Vedder. Chairman ETSI TC SCP. 3rd ETSI Security WS Sophia Antipolis, France January 2008

Chapter 2 Basics. 2.1 Smartcards. This chapter summarizes basic concepts of smartcards, Near Field Communication (NFC) and payment cards.

ETSI TS V ( )

The Open Application Platform for Secure Elements.

Hitachi Releases Smart Card Microcontroller AE45X series Equipped with Contact/Contactless Dual Interface in a Single Chip

CALYPSO FUNCTIONAL SPECIFICATION. CNA Calypso rev 3.1 Applet Presentation

Dr. Char-Shin Miou Chunghwa Telecom. Co. April 7, 2011

Expert 3.2

Module 1: Smart Card Fundamentals. Smart Card Alliance Certified Smart Card Industry Professional Accreditation Program

Security of NFC payments

Expert 3.2

GSM Association (GSMA) Mobile Ticketing Initiative

IDCore. Flexible, Trusted Open Platform. financial services & retail. Government. telecommunications. transport. Alexandra Miller

Contents. Preface. Acknowledgments. xxiii. List of Acronyms i xxv

Secure Element APIs and Practical Attacks on Secure Element-enabled Mobile Devices

Card Specifications & 2.1 Frequently Asked Questions December 2004

Distributed Systems. Smart Cards, Biometrics, & CAPTCHA. Paul Krzyzanowski

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Practical Attack Scenarios on Secure Element-enabled Mobile Devices

CIPURSE V2 Certification Program

Relay Attacks on Secure Elementenabled

Advances with Osaifu-Keitai Starting Services Supporting NFC (Type A/B) on NTT DOCOMO UIM Cards. contactless IC cards that is being adopted

MultiApp ID V2.1 Platform FIPS Cryptographic Module Security Policy

An Approach to the Generation of High-Assurance Java Card Applets

ETSI TS V9.0.0 ( ) Technical Specification. Smart Cards; Remote APDU structure for UICC based applications (Release 9)

Distributed Systems. Smart Cards, Biometrics, & CAPTCHA. Paul Krzyzanowski

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

DynaPro Go. Secure PIN Entry Device PCI PTS POI Security Policy. September Document Number: D REGISTERED TO ISO 9001:2008

Expert Embedded Security

ETSI TS V6.0.0 ( )

MTAT Applied Cryptography

Entrust IdentityGuard PIV Credential FIPS Cryptographic Module Security Policy Version: 1.0 Date: January 24, 2013

The Gemalto offer for PKI market in Russia

SETECS OneCARD PIV II Java Card Applet. on Gemalto GemCombi'Xpresso R4 E72K PK card

ETSI TS V7.3.0 ( )

Introduction to Electronic Identity Documents

MDG. MULTOS Developer's Guide. MAO-DOC-TEC-005 v MAOSCO Limited. MULTOS is a registered trademark of MULTOS Limited.

ETSI TS V ( )

EAP-TLS Smartcards, from Dream to Reality

Secure Application Trend in Smartphones. STMicroelectronics November 2017

3GPP TS V ( )

NFC is the double click in the internet of the things

PayPass M/Chip 4. Card Technical Specification

Analysis of Security Models For Smart Cards

ETSI TS V7.1.0 ( )

Security in NFC Readers

COPYRIGHTED MATERIAL. Overview of Smart Cards. Chapter Card Classification

ID-One Cosmo V7-a Smart Card Cryptographic Module

FIPS Level 3. Security Policy of Java Card Platform Implementation for Infineon on SLE 78 (SLJ 52GxxyyyzR) V1.0f. August Version 2.

SIM Smart Card Overview

The Future of Smart Cards: Bigger, Faster and More Secure

SMART CARDS APPLET DEVELOPMENT. Miguel Monteiro FEUP / DEI

GemXpresso R4 E36/E72 PK. Security Policy

The Mobile Finnish Identity Certificate

Mobile Identity Management

Java Card Technology-based Corporate Card Solutions

MTAT Applied Cryptography

Security Policy for. DAL C3 2 Applet Suite on Axalto Cyberflex Access 64Kv1 Smart Card Chip. FIPS Level 2. Version 1.03 January 31, 2005

ID-One PIV (Type A) FIPS Security Policy. (PIV Applet Suite on ID-One Cosmo V7-n) Public Version

A Novel Scheme for On-demand Distribution of Secure Element Keys

Technical Specification Smart Cards; UICC Application Programming Interface and Loader Requirements; Service description (Release 10)

Security Target Lite ProxSIM Taurus

NFC embedded microsd smart Card - Mobile ticketing opportunities in Transit

ST Payment Secure Solution - Java Card platform with up to 90 Kbytes of user NVM for Visa, MasterCard, AMEX, Discover and Interac applications

JSM: A small Java Processor Core for Smart Cards and Embedded Systems

GLDA MAO-DOC-TEC-008 v2.28

Past & Future Issues in Smartcard Industry

EMV Contactless Specifications for Payment Systems

SIM Evolution. Klaus Vedder. Presented by: 10 July 2018 ETSI th Sigos Conference

Java Card. Erik Poll. Digital Security Radboud University Nijmegen

Visa Mobile. Proximity Payment Testing & Compliance Requirements for MicroSD and Mobile Accessories

3GPP TS V9.1.0 ( )

Mobile Station Execution Environment (MExE( MExE) Developing web applications for PDAs and Cellphones. WAP (Wireless Application Protocol)

Strategies for the Implementation of PIV I Secure Identity Credentials

Interoperability Stepping Stones. Release 6

An Interoperable Payment Protocol for the Public Transit Fare Payment System

Java Card 3 Platform. Runtime Environment Specification, Classic Edition. Version May 2015

NXP Semiconductors JCOP 3 SecID P60 OSA FIPS Cryptographic Module Non Proprietary Security Policy

ETSI TS V9.0.0 ( ) Technical Specification

Oberthur ID-One Cosmo 64 v5.4 D. FIPS Level 3. Security Policy. Public Version. Version 1.0. May 22, 2007

OpenCrypto. Unchaining the JavaCard Ecosystem

Transcription:

SMART CARDS Miguel Monteiro apm@fe.up.pt FEUP / DEI

WHAT IS A SMART CARD Distinguishable characteristics Can participate in automated electronic transactions Used primarily to add security Not easily forged or copied Can store data securely Can host/run a range of security algorithms and functions Comments Smart usually implies the fifth characteristic Some capacity to do transformations and/or processing The word card sometimes is misleading Nowadays these devices can take a variety of forms 2 a small hexagonal piece

SMART CARD MAIN APPLICATIONS Smart Cards can be used in several areas and functions Mobile telecommunications Banking Transportation Identity cards / passports Service entitlement Health Physical access control IT access control Satellite TV and set top boxes 3

EXAMPLE: BASIC SIM FUNCTION Each SIM contains a unique identifier and an identification key (K i ): the IMSI International Mobile Subscriber Identifier 1. For identification and authentication the SIM sends the IMSI to the mobile operator 2. The operator consults its database and sends a challenge (RAND) back 3. Both the operator and SIM encrypt the challenge (RAND) using algorithm A3 and key K i 4. The SIM sends back the result (SRES) 5. The operator compares the SIM response with its own value 6. If authenticated, both sides derive a new key K c, using algorithm A8, for encrypting further communications (with a different algorithm: A5) 4

SECURITY FUNCTIONS Some of most common security functions performed by smart cards include: Identification Authentication Holding, adding, and modification of private data Holding rights or permissions (authorization) In addition they can be involved in Message confidentiality using encryption Message integrity in both directions (incoming and outgoing) Non-repudiation Can hold certificates for expected message authors A private key of the owner Apply standard hashing and cipher algorithms 5

IS THE MAGNETIC STRIPE CARD SMART? Magnetic stripe cards have been used for many of the previous functions But they don t comply with the 3 rd and mainly the 5 th characteristics of a smart card Its use is now almost inexistent in Europe for security applications But they are yet quite common in many other regions 6

SMART CARD COMPONENTS Considering the smart cards capacity of doing processing operations They need a CPU For storing they also need memory And some mean of communication (I/O) Also, because cryptographic algorithms are demanding, they usually have specialized (hardware) coprocessors Typical architecture for a standard contact card 7

EMBEDDED OR CONTACTLESS (1) Embedded cards can have other forms of connection to other systems Modern SIMs embedded in mobile devices can have other serial links with improved bandwidths another serial interface Nowadays the SWP Single Wire Protocol is common 8

EMBEDDED OR CONTACTLESS (2) Contactless cards use NFC for the serial channel They possess a radio frequency interface Short range (near field) They have an antenna They are powered also wirelessly by the other party 9

MORE DETAILED ARCHITECTURE A High End Smart Card A Philips/NXP smart card From top to bottom and left to right: ROM, Flash, processor, coprocessor, RAM, other units 10

MEMORY TYPES AND ACCESS Besides ROM which is factory recorded, smart cards should have volatile and non-volatile memory Non-volatile is essential to retain data as the smart card is not powered whenever it is not in use EEPROM, Flash, FRAM (ferroelectric random-access) These types has different sizes in the ship (per bit), number of accesses, and speed Example areas of 1 bit Memory types characteristics 11

CONTACTS AND SIZES Smart cards occur in many formats and sizes Contacts some standard sizes C1 VCC operating power C2 RST reset C3 CLK clock signal C5 GND ground C6 VPP programming power C7 I/O serial input/output standard SIM sizes 12

SMART CARD READERS Communicate bidirectionally with the card Some examples PCs and smart card readers communicate using a standard protocol and set of commands:. the PC/SC standard. PC connected reader SIM card in a smartphone A payment terminal A contactless terminal 13 Most PC operating systems incorporate now this standard A contactless card in the form of a ring

SMART CARD SOFTWARE ROM Along the years smart cards have evolved The first were monolithic systems with a single proprietary application Now we have multi application platforms compliant with well accepted standards Monolithic Application Operating System Multi application platform Payment Transport Signature Operating System Technologies JavaCard GlobalPlatform MultOS 14

SMART CARD OPERATING SYSTEM (SCOS) The SCOS is responsible for the management of the resources in the card Transferring data to and from the serial interface Controlling command execution File management Managing and executing cryptographic algorithms Managing and executing application code SCOS architecture evolution 15

MANAGED ENVIRONMENTS On top of the operating system There can be some managed environments Implement a standard providing a working model The GlobalPlatform specification is one common environment for telecommunication cards with multi-owner / multi-application capabilities JavaCard provides a Virtual Machine, Java APIs, and a programming model for writing card applications 16 Smart Card with Global Platform and Java Card

GLOBAL PLATFORM (GP) SPECIFICATION GP defines a set of components Enhance multi-application (and multi-owner) operation They provide Security (isolation and secure domains) Portability Interoperability Security domains represent the organizations that own applications They store their own keys to install new applications Initially there is only the Issuer Domain that can create other domains Applications belonging to different domains (owners) are completely isolated 17

JAVA CARD RUNTIME SYSTEM Most Smart Cards support Java Card Applications can be developed in Java (with the limitations and framework for Java Card) Those applications (called applets) follow a strict programming model Smart card with Java Card Applets can communicate if from the same owner 18

LIMITATIONS OF THE JAVA CARD VM In recent versions: The int type is common, almost always present There is a not automatic garbage collection for freeing dynamic allocated objects Fields of classes and dynamic allocated objects are created in non-volatile memory Local variables of methods (primitive types and arrays of primitive types) are allocated on the stack, in volatile memory 19

JAVA CARD API HIGHLIGHTS Package javacard.framework Classes for dealing APDUs, PINs, memory freeing and the Applet Package javacard.security Most security classes and operations are here: Keys, Exchanges, Hashing, Signatures, Encryption, Random numbers, etc, using several algorithms Package javacardx.biometry Storing and algorithms for biometric data (optional) Package javacardx.crypto Cipher AES algorithms Package javacardx.framework.math Working with big numbers Package javacardx.framework.string String like operations performed in byte[ ]. (For UTF-8 codes) Package javacardx.framework.util Operations in arrays 20

JAVA APPLET DEVELOPMENT AND EXECUTION Several tools are needed until a Java Card applet can be executed 21

SMART CARD AND READER COMMUNICATION Cards and readers (CAD Card Accepting Device) communicate by APDU exchange CAD An APDU (application protocol data unit) is a formatted sequence of bytes for commands (CAD Card) and responses (Card CAD) c-apdu 1 r-apdu 1... c-apdu n r-apdu n Card 8X h instruction (even number) A command APDU 2 parameters size of the response (optional) size of the data field (optional) The response APDU Status word: 9000 h or 61XX h for OK, otherwise an error 22

INITIAL CARD OPERATION When connected to a CAD a reset occurs The card sends an ATR (Answer To Reset) packet Contains communication parameters The CAD should configure itself in conformance for further communication (or request to select some Protocol Parameters) Communications between card and CAD Reset and exchange of info 23

INSTALLATION AND OPERATION OF APPLETS There are several commands to install applets GP defines them in connection to Secure Domains First the security domain is selected Next the applet is loaded and installed After it can be selected, becoming ready for operation Some states of an applet Install for Load* Install for Install* Select this applet Installed Selectable Selected Reset or Select another Delete* * - GP commands require a Secure Channel Protocol (SCP) 24

SECURE CHANNEL PROTOCOL Besides encryption it assures that is the owner of the Security Domain to emit it There are several SCPs defined by the GP Usually they involve the knowledge of 3 symmetric keys by the emitter of the command A very simplified example CAD and Card send each other a 16 byte random number a1 a16 and b1 b16 Both cipher both numbers using a common key α1 α16 and β1 β16 Send each other half of the encrypted challenges for verification (for instance α1 α8 and β9 β16) If verified build both another encryption key formed by the non transmitted halves β1 β8α9 α16 25

THE APPLET JAVA CARD CLASS Applet is an abstract class It implements some methods except one that is defined as abstract abstract void process(apdu apdu) An applet derives from the Applet class public abstract class Applet extends Object { protected Applet() // only the install method should build an Applet static void install(byte[] barray, short boffset, byte blength) // called after loading protected void register() // should be called by install public boolean select() // called when the select command is received. Should return true public void deselect() // called when the card is reset or when other applet is selected abstract void process(apdu apdu) // executes the commands received and builds an answer } 26

APPLET OPERATION Using an applet Host system Card reader (CAD) Install for install Select applet Other command Select another applet or reset JCRE install()* select() process() deselect() Applet * Should build an instance (new) and register() 27

STANDARDIZATION ORGANIZATIONS ETSI/SCP European Telecommunications Standards Institute / Smart Card Platform http://www.etsi.org EMVCo Europay, Mastercard, VISA payment transactions and applications http://www.emvco.com GSM Association http://www.gsma.com Mobey Forum Mobile Finantial Services http://www.mobeyforum.org/ Global Platform https://www.globalplatform.org/home.asp SIM Alliance http://simalliance.org/ 28

BIBLIOGRAPHY (1) Chen Zhiqun Chen, Java Card Technology for Smart Cards, Addison-Wesley, 2000 EMVCo EMV Books 1-4, Version 4.3, 2011. https://www.emvco.com/specifications.aspx?id=223 ETSI TS 102 226, Smart Cards: Remote APDU structure for UICC based applications (Release 13), 2016 http://www.etsi.org/standards-search GP Global Platform Card Specification version 2.3, 2015 https://www.globalplatform.org/specificationscard.asp Hillebrand F. Hillebarand, GSM & UMTS - The Creation of Global Mobile Communication, Wiley, 2002 ISO/IEC ISO/IEC Standard 7816 part 4, Organization, security and commands for interchange, 2013 http://www.iso.org/iso/home/store/catalogue_ics.htm 29

BIBLIOGRAPHY (2) ISO/IEC ISO/IEC Standard 14443 parts 1-4, Identification cards Contactless integrated circuit cards - Proximity cards, 2016 http://www.iso.org/iso/home/store/catalogue_ics.htm ITSO Integrated Transport Smartcard Organisation Specification v 2.1.4, 2015 https://www.itso.org.uk/the-specification MAOSCO MultOs operating system developers guide, 2016 http://www.multos.com/developer_centre/technical_library Oracle Java Card Platform Specification, v. 3.0.5, 2015 https://docs.oracle.com/javacard/3.0.5 Rankl W. Rankl and W. Effing, Smart Card Handbook, Wiley, 2010 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback