SMART CARD SECURITY
Abstract
Nowadays chip card technology (smart cards) is fast becoming commonplace in our culture and daily lives. A smart card is a card that is embedded with either a microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation. Smart cards, unlike magnetic stripe cards, can carry all necessary functions and information on the card. Therefore, they do not require access to remote databases at the time of the transaction. This paper deals with what a smart card is, why smart cards are used, what the different types of chip cards are, multi-application card systems, and their security. This paper mainly concentrates on smart card security. Lastly, this paper discusses applications and future scope.
Introduction
A smart card, a type of chip card, is a plastic card embedded with a computer chip that stores and transacts data between users. This data is associated with either value or information or both and is stored and processed within the card's chip, either a memory or microprocessor. The card data is transacted via a reader that is part of a computing system. Smart card-enhanced systems are in use today throughout several key applications, including healthcare, banking, entertainment and transportation. To various degrees, all applications can benefit from the added features and security that smart cards provide.
Why Smart Cards
Smart cards greatly improve the convenience and security of any transaction. They provide tamper-proof storage of user and account identity. Smart cards also provide vital components of system security for the exchange of data throughout virtually any type of network. They protect against a full range of security threats, from careless storage of user passwords to sophisticated system hacks. Multifunction cards can also serve as network system access and store value and other data.
People worldwide are now using smart cards for a wide variety of daily tasks, these include:
* Loyalty and Stored Value
* Securing Information and Physical Assets
* E-Commerce
* Health Care
* Network Security
Loyalty and Stored Value
A primary use of smart cards is stored value, particularly loyalty programs that track and provide incentives to repeat customers. Stored value is more convenient and safer than cash. For multi-chain retailers that administer loyalty programs across many different businesses and point of sale systems, smart cards can centrally locate and track all data. The applications are numerous, from parking and laundry to gaming, as well as all retail and entertainment uses.
Securing Information and Physical Assets
In addition to information security, smart cards achieve greater physical security of services and equipment, because the card restricts access to all but the authorized user(s). E-mail and PCs are being locked down with smart cards. Information and entertainment is being delivered to the home or PC. Home delivery of service is encrypted and decrypted per subscriber access. Digital video broadcasts accept smart cards as electronic keys for protection. Smart cards can also act as keys to machine settings for sensitive laboratory equipment and dispensers for drugs, tools, library cards, health club equipment etc.
E-Commerce
Smart cards make it easy for consumers to securely store information and cash for purchasing. The advantages they offer consumers are:
* The card can carry personal account, credit and buying preference information that can be accessed with a mouse click instead of filling out forms.
* Cards can manage and control expenditures with automatic limits and reporting.
* Internet loyalty programs can be deployed across multiple vendors with disparate POS systems and the card acts as a secure central depository for points or rewards.
* Micro Payments - paying nominal costs without transaction fees associated with credit cards or for amounts too small for cash, like reprint charges.
Health Care
The explosion of health care data brings up new challenges to the efficiency of patient care and privacy safeguards. Smart cards solve both challenges with secure storage and distribution of everything from emergency data to benefits status.
* Rapid identification of patients; improved treatment
* A convenient way to carry data between systems or to sites without systems
* Reduction of records maintenance costs
Network Security
Business to business Intranets and Virtual Private Networks "VPNs" are enhanced by the use of smart cards. Users can be authenticated and authorized to have access to specific information based on preset privileges. Additional applications range from secure email to electronic commerce.
Types of Chip Cards
Smart cards are defined according to 1). How the card data is read and written and 2). The type of chip implanted within the card and its capabilities. There is a wide range of options to choose from when designing your system.
Contact Cards
The most common type of smart card. Electrical contacts located on the outside of the card connect to a card reader when the card is inserted.
Increased levels of processing power, flexibility and memory add cost. Single function cards are often the most cost-effective solution. Choose the right type of smart card for your application by evaluating cost versus functionality and determine your required level of security. All of these variables should be weighted against the expected lifecycle of the card. On average the cards typically comprise only 10 to 15 percent of the total system cost with the infrastructure, issuance, training and advertising making up the other 85 percent. The following chart demonstrates some general rules of thumb:
[Chart: Card Function Trade-Offs]
Memory Cards
Memory cards have no sophisticated processing power and cannot manage files dynamically. All memory cards communicate to readers through synchronous protocols. In a memory card you read and write to a fixed address on the card. There are three primary types of memory cards: 1). Straight, 2). Protected, and 3). Stored Value.
1. Straight Memory Cards
These cards just store data and have no data processing capabilities. These cards are the lowest cost per bit for user memory. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader. These cards are easily duplicated and can't be tracked by card identifiers.
2. Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards, these devices can be set to write protect some or the entire memory array. Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality. These cards are not easily duplicated but can possibly be impersonated by hackers. They typically can be tracked by an on-card identifier.
3. Stored Value Memory Cards
These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card, the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable cards.
Contactless Cards
These are smart cards that employ a radio frequency (RFID) between card and reader without physical insertion of the card. Instead the card is passed along the exterior of the reader and read. Types include proximity cards which are implemented as a read-only technology for building access. These cards function with a limited memory and communicate at 125 MHz. True read & write contactless cards were first used in transportation for quick decrementing and reloading of fare values where their lower security was not an issue. They communicate at 13.56 MHz, and conform to the ISO14443 standard. These cards are often straight memory types. They are also gaining popularity in retail stored value, since they can speed up transactions and not lower transaction processing revenues (i.e. VISA and Mastercard), like traditional smart cards. Variations of the ISO14443 specification include A, B, and C, which specify chips from either specific or various manufacturers. A=Philips, B=Everybody else and C=Sony chips. Contactless card drawbacks include the limits of cryptographic functions and user memory versus microprocessor cards and the limited distance between card and reader required for operation.
Combination Cards
These are hybrids that employ both contact and contactless technology in one card. Combi-cards can also contain two different types of chips in contrast to a Dual-Interface card where a single chip manages both functions.
Multi-Application Card Systems
It is highly recommended that you graphically diagram the flow of information as shown below.
Building a smart card system that stores value, i.e. gift certificates, show tickets, redemption points or cash equivalents, requires an attention to detail not necessary in other information management systems. The key to success is not to overrun the system with features that can confuse users and cause problems in management. We recommend that you phase in each feature set after the first one is working. Here is a list of some questions that are pertinent to these systems in addition to the above questions.
Deployment
As the minimum steps in deploying a stored value or multi-application system, establish clear achievable program objectives:
A. Make sure the organization has a stake in the project's success and that management buys into the project
B. Set a budget
C. Name a project manager
D. Assemble a project team and create a team
E. Graphically create an information - card and funds-flow diagram
F. Assess the card and reader options
G. Write a detailed specification for the system
H. Set a realistic schedule with inch-stones and milestones
I. Establish the security parameters for both people and the system
J. Phase in each system element, testing as you deploy
K. Reassess for security leaks
L. Deploy the first phase of cards and test
M. Train the key employees responsible for each
N. Set up a system user manual
O. Check the reporting structures
P. Have contingency plans should problems arise
Q. Deploy and announce
R. Advertise and market your system
Smart Card Security
Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications. The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.
What Is Security?
Security is basically the protection of something valuable to ensure that it is not stolen, lost, or altered. The term "data security" governs an extremely wide range of applications and touches everyone's daily life. Concerns over data security are at an all-time high, due to the rapid advancement of technology into virtually every transaction, from parking meters to national defense. Data is created, updated, exchanged and stored via networks. A network is any computing system where users are highly interactive and interdependent and by definition, not all in the same physical place. In any network, diversity abounds, certainly in terms of types of data, but also types of users. For that reason, a system of security is essential to maintain computing and network functions, keep sensitive data secret or simply maintain worker safety. Any one company might provide an example of these multiple security concerns: Take, for instance, a pharmaceutical manufacturer.
What Is Information Security?
Information security is the application of measures to ensure the safety and privacy of data by managing its storage and distribution. Information security has both technical and social implications. The first simply deals with the "how" and "how much" question of applying secure measures at a reasonable cost. The second grapples with issues of individual freedom, public concerns, legal standards and how the need for privacy intersects them. This discussion covers a range of options open to business managers, system planners and programmers that will contribute to your ultimate security strategy. The eventual choice rests with the system designer and issuer.
The Elements Of Data Security
In implementing a security system, all data networks deal with the following main elements:
1. Hardware, including servers, redundant mass storage devices, communication channels and lines, hardware tokens (smart cards) and remotely located devices (e.g., thin clients or Internet appliances) serving as interfaces between users and computers
2. Software, including operating systems, database management systems, communication and security application programs
3. Data, including databases containing customer-related information
4. Personnel, to act as originators and/or users of the data; professional personnel, clerical staff, administrative personnel, and computer staff
The Mechanisms Of Data Security
Working with the above elements, an effective data security system works with the following key mechanisms to answer:
1. Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was not lost or corrupted when it was sent to you
2. Is The Data Correct And Does It Come From The Right Person? (Authentication) This proves user or system identities
3. Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender? (Non-Repudiation)
4. Can I Keep This Data Private? (Confidentiality) - Ensures only senders and receivers access the data. This is typically done by employing one or more encryption techniques to secure your data
5. Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can set and manage access privileges for additional users and groups
6. Can I Verify That The System Is Working? (Auditing and Logging) Provides a constant monitor and troubleshooting of security system function
7. Can I Actively Manage The System? (Management) Allows administration of your security system
Smart Card Security (Section 2)
Data Integrity
This is the function that verifies the characteristics of a document and a transaction. Characteristics of both are inspected and confirmed for content and correct authorization. Data Integrity is achieved with electronic cryptography that assigns a unique identity to data like a fingerprint. Any attempt to change this identity signals the change and flags any tampering.
Authentication
This inspects, then confirms, the proper identity of people involved in a transaction of data or value. In authentication systems, authentication is measured by assessing the mechanism's strength and how many factors are used to confirm the identity. In a PKI system a Digital Signature verifies data at its origination by producing an identity that can be mutually verified by all parties involved in the transaction. A cryptographic hash algorithm produces a Digital Signature.
Non-Repudiation
This eliminates the possibility of a transaction being repudiated, or invalidated, by incorporating a Digital Signature that a third party can verify as correct. Similar in concept to registered mail, the recipient of data re-hashes it, verifies the Digital Signature, and compares the two to see that they match.
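The re-hash, verify and compare check described under Data Integrity, Authentication and Non-Repudiation, as an added Python example that is not part of the original paper. It uses SHA-256 with unpadded textbook RSA over two fixed Mersenne primes so that it runs on the standard library alone; the key size, the function names and the sample transactions are assumptions made for illustration and are not suitable for real signatures.

```python
import hashlib

# Assumption: a deliberately small demonstration key built from two known
# Mersenne primes. Production signatures use keys of 2048 bits or more and
# a padding scheme from a vetted library.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the signer


def digest(data: bytes) -> int:
    """Hash the data and map the hash into the range of the demo modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Signer: hash the data, then transform the hash with the private key."""
    return pow(digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Recipient or third party: re-hash the data, recover the signed hash
    with the public key (N, E), and compare the two values."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest(data)


def audit(records):
    """Return the ids of records whose data no longer matches its signature."""
    return [rid for rid, data, sig in records if not verify(data, sig)]


# Constructed sample transactions (not real card data).
TXN = b"card=1001;debit=25.00;seq=17"
SIG = sign(TXN)
ALTERED = b"card=1001;debit=2.50;seq=17"
OTHER = b"card=1002;debit=3.00;seq=4"
LOG = [("t1", TXN, SIG), ("t2", ALTERED, SIG), ("t3", OTHER, sign(OTHER))]
```

Verification needs only the public values N and E, which is what lets a third party confirm the signature without being able to produce one.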
Authorization and Delegation
Authorization is the process of allowing access to specific data within a system. Delegation is the utilization of a third party to manage and certify each of the users of your system. (Certificate Authorities)
Auditing and Logging
This is the independent examination and recording of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
Management
Is the oversight and design of the elements and mechanisms discussed above and below. Card management also requires the management of card issuance, replacement and retirement as well as policies that govern a system.
Cryptography/Confidentiality
Confidentiality is the use of encryption to protect information from unauthorized disclosure. Plain text is turned into cipher text via an algorithm, then decrypted back into plain text using the same method.
Cryptography is the method of converting data from a human readable form to a modified form, and then back to its original readable form, to make unauthorized access difficult. Cryptography is used in the following ways:
* Ensures data privacy, by encrypting data
* Ensures data integrity, by recognizing if data has been manipulated in an unauthorized way
* Ensures data uniqueness by checking that data is "original", and not a "copy" of the "original". The sender attaches a unique identifier to the "original" data. This unique identifier is then checked by the receiver of the data.
The original data may be in a human-readable form, such as a text file, or it may be in a computer-readable form, such as a database, spreadsheet or graphics file. The original data is called unencrypted data or plain text. The modified data is called encrypted data or cipher text. The process of converting the unencrypted data is called encryption. The process of converting encrypted data to unencrypted data is called decryption.
Data Security Mechanisms and their Respective Algorithms
In order to convert the data, you need to have an encryption algorithm and a key. If the same key is used for both encryption and decryption that key is called a secret key and the algorithm is called a symmetric algorithm. The most well-known symmetric algorithm is DES (Data Encryption Standard).
The Data Encryption Standard (DES) was invented by the IBM Corporation in the 1970's. During the process of becoming a standard algorithm, it was modified according to recommendations from the National Security Agency (NSA). The algorithm has been studied by cryptographers for nearly 20 years. During this time, no methods have been published that describe a way to break the algorithm, except for brute-force techniques. DES has a 56-bit key, which offers 2^56 or 7 x 10^16 possible variations. There are a very small number of weak keys, but it is easy to test for these keys and they are easy to avoid.
Triple-DES is a method of using DES to provide additional security. Triple-DES can be done with two or with three keys. Since the algorithm performs an encrypt-decrypt-encrypt sequence, this is sometimes called the EDE mode. This diagram shows Triple-DES three-key mode used for encryption.
If different keys are used for encryption and decryption, the algorithm is called an asymmetric algorithm. The most well-known asymmetric algorithm is RSA, named after its three inventors (Rivest, Shamir, and Adleman). This algorithm uses two keys, called the public key and the private key. These keys are mathematically linked. Here is a diagram that illustrates an asymmetric algorithm:
Asymmetric algorithms involve extremely complex mathematics typically involving the factoring of large prime numbers. Asymmetric algorithms are typically stronger than a short key length symmetric algorithm. But because of their complexity they are used in signing a message or a certificate. They are not ordinarily used for data transmission encryption.
Smart Card Security (Section 3)
As the card issuer, you must define all of the parameters for card and data security. There are two methods of using cards for data system security: host-based and card-based. The safest systems employ both methodologies.
Host-Based System Security
A host-based system treats a card as a simple data carrier. Because of this, straight memory cards can be used very cost-effectively for many systems. All protection of the data is done from the host computer. The card data may be encrypted but the transmission to the host can be vulnerable to attack. A common method of increasing the security is to write in the clear (not encrypted) a key that usually contains a date and/or time along with a secret reference to a set of keys on the host. Each time the card is re-written the host can write a reference to the keys. This way each transmission is different. But parts of the keys are in the clear for hackers to analyze. This security can be increased by the use of smart memory cards that employ a password mechanism to prevent unauthorized reading of the data. Unfortunately the passwords can be sniffed in the clear. Access is then possible to the main memory. These methodologies are often used when a network can batch up the data regularly and compare values and card usage and generate a problem card list.
Card-Based System Security
These systems are typically microprocessor card-based. A card, or token-based system treats a card as an active computing device. The interaction between the host and the card can be a series of steps to determine if the card is authorized to be used in the system. The process also checks if the user can be identified, authenticated and if the card will present the appropriate credentials to conduct a transaction. The card itself can also demand the same from the host before proceeding with a transaction. The access to specific information in the card is controlled by A) the card's internal Operating System and B) the preset permissions set by the card issuer regarding the files conditions. The card can be in a standard CR80 form factor or be in a USB dongle or it could be a GSM SIM Card.
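The series of steps between host and card described above, including the card demanding proof from the host, as an added Python example that is not part of the original paper. HMAC-SHA256 stands in for whatever cipher or MAC a real card operating system uses; the class names, message layout and sample key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a role label and fixed-length (16-byte) nonces."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Card:
    """Microprocessor card holding a secret key and one protected file."""

    def __init__(self, card_id: str, key: bytes, balance: int):
        self.card_id, self._key, self._balance = card_id, key, balance
        self._nonces = None    # (host_nonce, card_nonce) of the current exchange
        self.session = None    # set only after the host has proven itself

    def respond(self, host_nonce: bytes):
        """Prove knowledge of the key and send a challenge back to the host."""
        self._nonces = (host_nonce, secrets.token_bytes(16))
        self.session = None
        return self.card_id, self._nonces[1], mac(self._key, b"card", *self._nonces)

    def accept_host(self, host_proof) -> bool:
        """The card demands the same proof from the host before proceeding."""
        if self._nonces is None or host_proof is None:
            return False
        expected = mac(self._key, b"host", *self._nonces)
        if hmac.compare_digest(expected, host_proof):
            # A fresh key per exchange, derived from both nonces.
            self.session = mac(self._key, b"session", *self._nonces)
        self._nonces = None    # a challenge is answered at most once
        return self.session is not None

    def read_balance(self) -> int:
        """The card OS refuses file access until the host is authenticated."""
        if self.session is None:
            raise PermissionError("host not authenticated")
        return self._balance


class Host:
    """Host side: knows the key issued to each card id."""

    def __init__(self, card_keys: dict):
        self._card_keys = card_keys
        self.session = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def check_card(self, card_id: str, card_nonce: bytes, proof: bytes):
        """Verify the card's proof; return the host's proof, or None."""
        key = self._card_keys.get(card_id)
        nonces = (self._nonce, card_nonce)
        if key is None or not hmac.compare_digest(mac(key, b"card", *nonces), proof):
            return None
        self.session = mac(key, b"session", *nonces)
        return mac(key, b"host", *nonces)


def authenticate(host: Host, card: Card) -> bool:
    """Run the exchange; True only if both sides accepted each other."""
    host_proof = host.check_card(*card.respond(host.challenge()))
    return card.accept_host(host_proof)


# Constructed sample: one issued card and the host's key table.
KEY = bytes(range(32))
CARD = Card("card-1001", KEY, balance=40)
HOST = Host({"card-1001": KEY})
```

Because the session key depends on both nonces, a sniffed exchange cannot be replayed to either side and each session is secured with a different key.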
Threats To Cards and Data Security
Effective security system planning takes into account the need for authorized users to access data reasonably easily, while considering the many threats that this access presents to the integrity and safety of the information. There are basic steps to follow to secure all smart card systems, regardless of type or size.
* Analysis: Types of data to secure; users, points of contact, transmission. Relative risk/impact of data loss
* Deployment of your proposed system
* Road Test: Attempt to hack your system; learn about weak spots, etc.
* Synthesis: Incorporate road test data, re-deploy
* Auditing: Periodic security monitoring, checks of system, fine-tuning
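One way to run the periodic check named in the auditing step, using the batch comparison of values and card usage that the Host-Based System Security section describes, as an added Python example that is not part of the original paper. The record fields (a per-card write counter, transaction kind, amount and balance written back) and the sample ledger are assumptions; the paper does not define a record format.

```python
from collections import defaultdict


def problem_cards(ledger, batch):
    """Compare a batch of terminal records with the host ledger.

    ledger: {card_id: (last_write_counter, last_balance)} as known to the host.
    batch:  records uploaded by terminals, each a dict with the keys
            card, seq (card write counter), kind ("debit" or "reload"),
            amount and balance (value written back to the card).
    Returns {card_id: [reason, ...]} for every card that needs review.
    """
    findings = defaultdict(list)
    per_card = defaultdict(list)
    for rec in batch:
        per_card[rec["card"]].append(rec)

    for card, recs in per_card.items():
        if card not in ledger:
            findings[card].append("card not issued by this host")
            continue
        last_seq, balance = ledger[card]
        for rec in sorted(recs, key=lambda r: r["seq"]):
            seq = rec["seq"]
            if seq <= last_seq:
                # Same counter value seen twice: a copied card image was used.
                findings[card].append(f"write counter {seq} reused")
                continue
            if seq > last_seq + 1:
                # The host cannot check the balance across a gap in the records.
                findings[card].append(f"records missing before counter {seq}")
            else:
                delta = rec["amount"] if rec["kind"] == "reload" else -rec["amount"]
                expected = balance + delta
                if rec["balance"] != expected:
                    findings[card].append(
                        f"balance {rec['balance']} at counter {seq}, expected {expected}")
            last_seq, balance = seq, rec["balance"]
    return dict(findings)


# Constructed sample data: host ledger and one uploaded batch.
LEDGER = {"A100": (3, 50), "B200": (7, 20), "C300": (1, 10)}
BATCH = [
    {"card": "A100", "seq": 4, "kind": "debit", "amount": 10, "balance": 40},
    {"card": "A100", "seq": 5, "kind": "reload", "amount": 20, "balance": 60},
    {"card": "B200", "seq": 8, "kind": "debit", "amount": 5, "balance": 15},
    {"card": "B200", "seq": 8, "kind": "debit", "amount": 5, "balance": 15},
    {"card": "C300", "seq": 2, "kind": "debit", "amount": 2, "balance": 60},
    {"card": "D400", "seq": 1, "kind": "debit", "amount": 1, "balance": 9},
]
```

In the sample, card A100 reconciles cleanly, while B200 (duplicated counter), C300 (value changed outside the host) and D400 (unknown card) land on the problem card list.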
When analyzing the threats to your data an organization should look closely at two specific areas: Internal attacks and external attacks. The first and most common compromise of data comes from disgruntled employees. Knowing this, a good system manager separates all back-up data and back-up systems into a separately partitioned and secured space. The introduction of viruses and the attempted formatting of network drives is a typical internal attack behavior. By deploying employee cards that log an employee into the system and record the time, date and machine that the employee is on, a company automatically discourages these types of attacks. External attacks are typically aimed at the weakest link in a company's security armor. The first place an external hacker looks at is where they can intercept the transmission of your data. In a smart card-enhanced system this starts with the card. The following sets of questions are relevant to your analysis. Is the data on the card transmitted in the clear or is it encrypted? If the transmission is sniffed, is each session secured with a different key? Does the data move from the reader to the PC in the clear? Does the PC or client transmit the data in the clear? If the packet is sniffed, is each session secured with a different key? Does the operating system have a back door? Is there a mechanism to upload and download functioning code? How secure is this system? Does the OS provider have a good security track record? Does the card manufacturer have precautions in place to secure your data? Do they understand the liabilities? Can they provide other security measures that can be implemented on the card and/or module? When the card is subjected to Differential Power attacks and Differential Thermal attacks does the OS reveal any secrets? Will the semiconductor utilized meet this scrutiny? Do your suppliers understand these questions?
Other types of problems that can be a threat to your assets include:
* Improperly secured passwords (writing them down, sharing)
* Assigned PINs and the replacement mechanisms
* Delegated Authentication Services
* Poor data segmentation
* Physical Security (the physical removal or destruction of your computing hardware)
Security Architectures
When designing a system a planner should look at the total cost of ownership; this includes:
* Analysis
* Installation and Deployment
* Delegated Services
* Training
* Management
* Audits and Upgrades
* Infrastructure Costs (Software and Hardware)
Over 99% of all U.S.-based financial networks are secured with a Private Key Infrastructure. This is changing over time, based on the sheer volume of transactions managed daily and the hassles that come with private key management. Private Key-based systems make good sense if your expected user base is less than 500,000 participants. Public Key Systems are typically cost effective only in large volumes or where the value of data is so high that it's worth the higher costs associated with this type of deployment. What most people don't realize is that Public Key systems still rely heavily on Private Key encryption for all transmission of data. The Public Key encryption algorithms are only used for non-repudiation and to secure data integrity. Public Key infrastructures as a rule employ every mechanism of data security in a nested and coordinated fashion to ensure the highest level of security available today.
The most common smart card applications are:
* Credit cards
* Electronic cash
* Computer security systems
* Wireless communication
* Loyalty systems (like frequent flyer points)
* Banking
* Satellite TV
* Government identification
Future of Smart Cards:
Given the advantages of smart cards over magnetic stripe cards, there can be no doubt that the future of smart cards is very bright. If the current trends are anything to go by, the smart card market is set for exponential growth in the next few years. The future for smart cards depends mainly on the introduction of multi-application cards and overcoming the simplistic mindset that smart cards are just a method of making payment.
Conclusion:
Smart cards can add convenience and safety to any transaction of value and data; but the choices facing today's managers can be daunting. We hope this paper has adequately presented the options and given you enough information to make informed evaluations of performance, cost and security that will produce a smart card system that fits today's needs and those of tomorrow. It is our sincere belief that informed users make better choices, which leads to better business for everybody.