smart card applications design models for using and programming smart cards

NVM nonvolatile memoryOCF open card framework OCR optical character recognition P1, P2, P3 Parameter 1, Parameter 2, Parameter 3 PC/SC Personal Computer/Smart Card PCD proximity coupling

Design Models for using and

programming smart cards

Copyright  2007 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester,

West Sussex PO19 8SQ, England Telephone ( +44) 1243 779777 Email (for orders and customer service enquiries): cs-books@wiley.co.uk

Visit our Home Page on www.wileyeurope.com or www.wiley.com

All Rights Reserved No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to permreq@wiley.co.uk, or faxed to ( +44) 1243 770620.

Designations used by companies to distinguish their products are often claimed as trademarks All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners The Publisher is not associated with any product or vendor mentioned

Other Wiley Editorial Offices

John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA

Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA

Wiley-VCH Verlag GmbH, Boschstr 12, D-69469 Weinheim, Germany

John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia

John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809 John Wiley & Sons Canada Ltd, 6045 Freemont Blvd, Mississauga, Ontario, L5R 4J3, Canada

Wiley also publishes its books in a variety of electronic formats Some content that appears

in print may not be available in electronic books.

Anniversary Logo Design: Richard J Pacifico

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 978-0-470-05882-4 (HB)

Typeset in 10/12 Times by Laserwords Private Limited, Chennai, India

Printed and bound in Great Britain by Antony Rowe Ltd, Chippenham, Wiltshire

This book is printed on acid-free paper responsibly manufactured from sustainable forestry

in which at least two trees are planted for each one used for paper production.

Foreword xi

Symbols and Notation xiii

Abbreviations xv

1 Overview of Smart Cards 1

1.1 Card Classification 1

1.2 Card Formats 2

1.3 Card Elements 3

1.3.1 Printing and labelling 3

1.3.2 Embossing 4

1.3.3 Hologram 4

1.3.4 Signature panel 4

1.3.5 Tactile elements 4

1.3.6 Magnetic stripe 4

1.3.7 Chip module 5

1.3.8 Antenna 5

1.4 Smart Card Microcontrollers 5

1.4.1 Processor 8

1.4.2 Memory 8

1.4.3 Supplementary hardware 8

1.4.4 Electrical characteristics 9

2 Smart Card Operating Systems 11

2.1 File Management 11

2.1.1 File types 12

2.1.2 File names 12

2.1.3 File structures 13

2.1.4 File attributes 15

2.1.5 File selection 15

2.1.6 Access conditions 16

2.1.6.1 State-based access conditions 16

2.1.6.2 Rule-based access conditions 17

2.1.7 File life cycle 18

2.2 Commands 19

2.3 Data Transmission 22

2.3.1 Answer to Reset (ATR) 23

2.3.2 Protocol Parameter Selection (PPS) 24

2.3.3 Transmission protocols 24

2.3.3.1 T=0 transmission protocol for contact cards 25

2.3.3.2 T=1 transmission protocol for contact cards 25

2.3.3.3 USB transmission protocol for contact cards 25

2.3.3.4 Contactless transmission protocols 26

2.3.4 Secure Messaging 26

2.3.5 Logical channels 26

2.4 Special Operating System Functions 26

2.4.1 Cryptographic functions 27

2.4.2 Atomic processes 28

2.4.3 Interpreter 28

2.4.4 Application management 28

3 Application Areas 31

3.1 Smart Card Systems 31

3.2 Potential Uses 32

3.3 Application Types 33

3.3.1 Memory-based applications 33

3.3.2 File-based applications 33

3.3.3 Code-based applications 35

4 Basic Patterns 37

4.1 Data Protection 37

4.1.1 Definition of terms 38

4.1.2 General principles 39

4.1.3 Recommendations for smart card systems 40

4.1.4 Summary 43

4.2 Export Control 44

4.3 Cryptographic Regulation 46

4.4 Standards 47

4.4.1 Standards for card bodies 48

4.4.2 Standards for operating systems 48

4.4.3 Standards for data and data structuring 49

4.4.4 Standards for computer interfaces 49

4.4.5 Standards for applications 49

4.5 Documents for Smart Card Systems 50

4.5.1 Specification partitioning 52

4.5.1.1 System specification 52

4.5.1.2 Background system specification 52

4.5.1.3 Smart card specification 53

4.5.1.4 Terminal specification 54

4.5.2 Elements of a typical card specification 54

4.5.2.1 General information 54

4.5.2.2 Smart card 55

4.5.2.3 Smart card operating system 55

4.5.2.4 Application 56

4.5.3 Document distribution 58

4.5.4 Document version numbering 59

5 Architecture Patterns 61

5.1 Data 61

5.2 Data Coding 62

5.3 Files 63

5.3.1 Access conditions 64

5.3.2 File names 67

5.4 Log Files 67

5.4.1 Data storage 67

5.4.2 Assigning data to log files 68

5.4.3 Invoking logging 68

5.4.4 Access conditions for log files 68

5.4.5 Logged data 69

5.4.6 Consistency and authenticity of log data 70

5.4.7 Log file size 71

5.4.8 Logging process 72

5.5 Pairing 73

5.6 Protecting Transaction Data 74

5.7 Reset-proof Counters 77

5.8 Proactivity 77

5.9 Authentication Counter 79

5.10 Manual Authentication of a Terminal 81

5.11 PIN Management 83

5.12 One-time Passwords 84

5.13 Key Management 88

5.14 State Machines for Command Sequences 89

5.15 Speed Optimization 91

5.15.1 Computing power 93

5.15.2 Communication 93

5.15.3 Commands 94

5.15.4 Data and files 95

6 Implementation Patterns 97

6.1 Application Principles 97

6.1.1 Program code 97

6.1.2 Commands 99

6.1.3 Data 99

6.1.4 Security 100

6.1.5 Application architecture 102

6.1.6 System 106

6.2 Testing 108

6.3 User–Terminal Interface 114

6.4 Smart Card Commands 115

6.4.1 Command structure 116

6.4.2 Interruption of commands 117

6.4.3 Command coding 118

6.4.4 Parameterization 118

6.4.5 Test commands 119

6.4.6 Secret commands 119

6.5 Java Card 120

6.5.1 Data types 122

6.5.2 Arithmetic operations 128

6.5.3 Control structures 129

6.5.4 Methods 131

6.5.5 Applets 132

7 Operation Patterns 137

7.1 Initialization and Personalization 137

7.2 Migration 141

7.3 Monitoring 143

7.3.1 System integrity 143

7.3.2 Attack detection 144

8 Practical Aspects of Smart Cards 147

8.1 Acceptance 147

8.2 Tell-tale Signs of Difficult Smart Card Systems 150

8.2.1 Inappropriate use of smart cards 150

8.2.2 Unclear specifications 151

8.2.3 Abundant options 151

8.2.4 Piggyback applications 152

8.2.5 Economizing on testing 153

8.2.6 Downloading applications 154

8.2.7 Offline systems 155

8.2.8 Intolerant smart cards and terminals 155

8.2.9 Strict compatibility requirements 156

8.2.10 Excessively stringent security requirements 157

8.2.11 Exaggerated future-proofing 158

8.3 Prerequisites for Easy Smart Card Systems 159

8.3.1 Expert advice 159

8.3.2 Foresighted design 160

8.3.3 Prototyping 160

8.3.4 Single-application smart cards 161

8.3.5 Simple structures 161

8.3.6 Robust design 161

8.3.7 Centralized systems 163

8.3.8 Staged deployment 163

8.4 In-field Faults 164

8.4.1 Fault classification 164

8.4.2 Fault impact 165

8.4.3 Actions in response to a fault 167

8.4.4 Fault search procedure 168

8.4.5 Fault remedies 170

9 Illustrative Use Cases 173

9.1 Monastery Card 173

9.2 Access Card 176

9.3 Telemetry Module 184

9.4 Business Card 186

9.5 Theft Protection Card 190

9.6 Admission Pass 193

9.7 PKI Card 196

9.8 SIM Card 198

Bibliography 203

Index 209

There was a tremendous breakthrough mood in the smart card world in the mid-1990s.The technology was seen to have reached a sufficient level of maturity and achievedsufficient functionality to enable a wide variety of security applications to be effectivelyimplemented The largest application areas were electronic purse systems – with an as-tonishing wealth of variants – and mobile communication systems, which were spreadingover the entire world.

Unfortunately, system operators were confronted with many problems after large numbers

of smart cards hosting these new, technically interesting smart card applications foundtheir way into the hands of end users There were instances in which no terminals wereavailable for use by customers, and in some cases, system developers overlooked thefact that customers have their own interests and needs and cannot be manipulated tobehave in a way that makes no sense to them

Smart card technology has continued to develop unobtrusively in the meantime, and aparadigm shift has occurred in parallel with this development Technology has vanishedinto the background as a driver for smart card applications, and its role as a guide tothe future has been taken over by the applications User needs now occupy the focus ofattention This is quite a normal cycle in the course of technology development, as hasbeen seen repeatedly in this form and in similar forms

This new aspect of the situation inspired me to write this book, as the current trend is

to use smart cards on account of their positive characteristics instead of simply becausethey exist

My objective with this book is not to elaborate on the theoretical aspects of abstractdesign models, but instead to concentrate on useful, proven solutions that can be im-plemented directly using available smart card operating systems More than 15 years ofprofessional experience with smart cards and their applications, as well as hundreds of

letters from readers I have received as one of the co-authors of the Smart Card Handbook,

have contributed to the creation of this book

The design models described here are illustrated by a large number of interestingexamples in order to maintain contact with real life I have also intentionally includedexamples of failed and otherwise unsuccessful projects, because such examples oftenserve as excellent guides on how to do things better

The central aim of this book is to describe reusable model solutions and modules thatcan be used to handle commonly occurring tasks and can be presented independently ofactual program code This is fully in accordance with the established method of breaking

down a problem into smaller, subordinate problems that are easier to solve, developingindividual solutions to these subordinate problems, and then combining the individualsolutions to create an overall solution to the original problem.

This book is neither a reformatted version of the Smart Card Handbook nor an abridged

version of that book, but instead a book that stands on it own and focuses on the subject

of smart card applications The first two chapters provide a brief introduction to theworld of smart cards, but they address the underlying technology only to the extentnecessary for a proper understanding of the following chapters If you are interested indelving further in the technical details at any point, I take the opportunity here to refer

you to the Smart Card Handbook.

I would like to express my thanks to the following people: Dieter Weiß for frequent andlong discussions on the interpretation of ISO standards, Ralf Holly and Martin R¨osnerfor many helpful tips on programming Java cards, Christoph Schiller for convincing me

to use LATEX, Sylvia Bernecker for the wonderful griffin, which looks just as I alwaysimagined it but could never manage to realize on paper, Kenneth Cox for the translation,and of course Alexandra Rankl for her patience, without which I could never have writtenthis book

Munich, Spring 2006

Wolfgang Rankl

Rankl@gmx.net

www.WRankl.de

– The least significant bit is designated as bit 1 in conformance with ISO nomenclature.– In concatenated data elements, the higher-order byte is located at the start of the stringand the lower-order byte is located at the end – the data format is thus big endian.– The term ‘byte’ corresponds to its meaning in common usage and means a series ofeight bits.

– The lengths of data elements and objects and all countable quantities are stated indecimal notation

– When used in connection with data or memory sizes, the prefixes ‘kilo’, ‘mega’ and

‘giga’ have the values 1024 (210), 1 048 576 (220), and 1 073 741 824 (230) tively Similarly, the symbols ‘KB’, ‘MB’, and ‘GB’ designate 1024, 1 048 576, and

respec-1 073 74respec-1 824 bytes

– Binary values are used in a context-dependent manner and are not always explicitlyidentified as such

– Smart card commands are set in upper-case letters (e.g SELECT FILE)

– As a rule, only the positive results are shown in sequence charts

Representation of Characters and Numbers

0, 1 Binary value (used according to context)

8 Decimal value

'00' Hexadecimal value

''ABC'' ASCII value

bn Bit number n (e g b8)

Bn Byte number n (e g B1)

Dn Digit number n (e g D3)

Logical Functions and Program Code

= Assignment operator (also used as an comparison operator depending

on the context)

=,
=, <, >, ≤, ≥ Comparison operators

+,−, ·, / Arithmetic operators

 Concatenation operator (e.g for two data elements)

References

See‘ .’ This is a reference to another location in the book

(N Y) or N (Y) This is a reference to a document or Internet site listed in the

bibliog-raphy For documents with identified authors, ‘N’ is the last name ofthe first author listed in the bibliography and ‘Y’ is the year of publi-cation References to Internet sites and documents without identifiedauthors are generally shown as unique abbreviations or organizationnames without a year

Functions

e = C(m) Calculate the error detection code e of the message m

t = T(d) Structure data d using TLV coding The result is the

TLV-coded data t

p = P(d, v, l) Pad data d to a integer block length l using the value

or method v The result is the padded data p

c = E(p, k) Encrypt plain text p using a symmetric cryptographic

algorithm and the key k The result is the cipher text c

p = D(c, k) Decrypt cipher text c using a symmetric cryptographic

algorithm and the key k The result is the plain text p

a = M(m, k) Calculate the message authentication code (MAC) of

the message m using the secret key k

s = S(m, sk) Sign the message m using the secret key sk

r = V(m, s, pk) Verifying the signature s of the message m using the

public key pk The result is ‘true’ or ‘false’

h = H(m) Calculate the hash value h of the message m

C = (A, pkA, S(A pkA, skCA)) Generate the certificate C of the public key pkAof user

A The certificate is signed using the secret key skCA

of the certification authority CA

r = V(A pkA, C, pkCA) Verify the certificate C of the public key pkAof user A

using the public key pkCAof the certification authority

CA The result is ‘true’ or ‘false’

3DES Triple DES (data encryption standard)

3GPP 3rd Generation Partnership Project

ADK additional decryption key

ADN abbreviated dialling number

AES Advanced Encryption Standard

AID application identifier

API application programming interface

ARM Advanced RISC Machine

ARR access rule reference

ASCII American Standard Code for Information InterchangeASN.1 Abstract Syntax Notation One

AT attention

ATR answer to reset

AUX1, AUX2 Auxiliary 1, Auxiliary 2

BAFA Bundesamt f¨ur Wirtschaft und Ausfuhrkontrolle

(German Federal Office of Economics and Export Control)BCD binary coded digit

BNA Bundesnetzagentur (German Federal Network Agency)BSI Bundesamt f¨ur Sicherheit in der Informationstechnik

(German Federal Office for Information Security)CCS cryptographic checksum

CDMA code division multiple access

CEN Comit´e Europ´een de Normalisation

(European Committee for Standardization)CHV card holder verification information

CICC contactless integrated chip card

CLA class

CLK clock

CPU central processing unit

CRC cyclic redundancy code

DES Data Encryption Standard

DF dedicated file

DO data object

DPA differential power analysis

DSA digital signature algorithm

DSS Digital Signature Standard

EC elliptic curve crypto algorithm

ECC elliptic curve cryptosystem

ECC error correction code

ECDSA elliptic curve digital signature algorithm (DSA)

EDC error detection code

EEPROM electrical erasable program read-only memory

EF elementary file

EMV Europay MasterCard Visa

ETSI European Telecommunications Standards Institute

etu elementary time unit

GND ground (electrical)

GNU GNU is not Unix

GPL GNU General Public License

GUI graphical user interface

HMAC keyed-hash message authentication code (MAC)

HTML hypertext markup language

I/O input/output

IBE identity-based encryption

ICAO International Civil Aviation Organization

ICC integrated chip card

ID identifier

IEC International Electrotechnical Commission

IFD interface device

IMSI international mobile subscriber identity

INS instruction

IPR intellectual property rights

ISO International Organization for Standardization

ITU International Telecommunications Union

JC Java Card

JCP Java Community Process

JCRE Java Card runtime environment

JIT just in time

JSR Java specification request

Lc length command

Le length expected

MAC message authentication code

MD5 Message Digest Algorithm 5

NVM nonvolatile memory

OCF open card framework

OCR optical character recognition

P1, P2, P3 Parameter 1, Parameter 2, Parameter 3

PC/SC Personal Computer/Smart Card

PCD proximity coupling device

PGP Pretty Good Privacy

PIN personal identification number

PIX proprietary application identifier extension

PKI public key infrastructure

PPS Protocol Parameter Selection

PUK personal unblocking number

RACE Research and Development in Advanced Communications Technologies

in EuropeRAM random access memory

Reg TP Regulierungsbeh¨orde f¨ur Telekommunikation und Post

(German regulatory agencies for telecommunication and postal services)

RF radio frequency

RFC Request For Comment

RFID radio frequency identifier

RFU reserved for future use

RID registered application provider identifier

RIPEMD RACE Integrity Primitives Evaluation Message Digest

RISC reduced instruction set computer

RMI remote method invocation

RND random number

ROM read-only memory

RSA Rivest, Shamir and Adleman cryptographic algorithm

RST reset

SAT SIM Application Toolkit

SATSA Security and Trust Services API

SECCOS Secure Chip Card Operating System

SFI short file identifier

SIM subscriber identity module

SMS short message service

SPA simple power analysis

SPU standard or proprietary use

SSC send sequence counter

TDES Triple DES (data encryption standard)

TETRA Trans-European Trunked Radio

TLV tag length value

TSCS The Smart Card Simulator

UART universal asynchronous receiver transmitter

UCS universal character set

UICC universal integrated chip card

UML unified modelling language

UMTS Universal Mobile Telecommunication System

USB Universal Serial Bus

USIM universal subscriber identity module

Vcc supply voltage

VM virtual machine

XML extensible markup language

XOR logical exclusive OR operation

Overview of Smart Cards

In contrast to information technology practices in the PC realm, the development andfunctionality of smart cards are strongly driven by international standards The reasonfor this is that interoperability and interchangeability are very important factors for smartcards From the very beginning, this has fostered specification of their characteristics instandards Another significant factor is that none of the suppliers of smart card hardware

or software has ever held a monopoly position

If you were to classify smart cards in the same manner as living beings in biology, youwould obtain a tree chart similar to what is shown in Figure 1.1 The top level includesall types of cards, which can have various formats

Chip card (smart card)

Processor card

Processor card without coprocessor

Processor card with coprocessor Memory card

Card without chip

Card

Figure 1.1 Classification of cards with and without chips

Smart Card Applications: Design Models for using and programming smart cards W Rankl

 2007 John Wiley & Sons, Ltd

Cards can be divided into cards without chips and cards with chips Logically enough,

the latter type are called chip cards, which are also commonly known as smart cards.

The chip, which is the essential distinguishing element, can be either a memory chip,

in which case the card is called a memory card , or a microcontroller chip, in which case the card is called a processor card Processor cards can be further subdivided

into processor cards with or without coprocessors for executing asymmetric graphic algorithms such as RSA (Rivest, Shamir and Adleman) or ECC (elliptic curvecryptosystems)

crypto-This classification provides an adequate overview of the most widely used types of cards.However, it can also be extended to include devices that use smart card technology Thebest-known examples of such devices are ‘super smart cards’ and tokens A super smartcard has a direct user interface to the smart card microcontroller, in the form of additionalcard elements such as a display and buttons A token has a different form that is bettersuited to its intended use than the usual card format Typical examples include tokens inthe form of USB plugs that can be connected directly to a PC However, the underlyingtechnology is still the same as that of smart cards, with only the appearance beingdifferent

The most common types of cards in current use have one feature in common, which

is a thickness of 0.76 mm As illustrated in Figure 1.2, all other dimensions can differ.These formats are not arbitrary Instead, they are specified by international standards or

by specifications stipulated by major card issuers This is also important, since at least

in case of contact cards they must be able to fit into corresponding terminals or readers

ID-1 ID-00 ID-000/Plug-in Visa Mini

Mini-UICC

Figure 1.2 Relative sizes of commonly used card formats

Typical smart card formats are summarised in Table 1.1 The most commonly used cardformat, which is also undoubtedly the best known format, is ID-1 The reason it is sowidely used is that practically all credit cards and other forms of payment cards are made

Table 1.1 Summary of typical card formats All stated dimensions are exclusive of tolerances.

All formats have the same thickness: 0.76 mm

(mm)

Height (mm)

Use

not used

in this format The plug-in format for smart cards used in mobile telecommunicationsapplications is also very common Another name for this format is ID-000 This hasbecome the standard format for cards used in mobile telephones

The recently defined mini-UICC format is also available for the mobile cations sector It was developed in response to the ongoing miniaturization trend thatprevails in this sector The Visa Mini format is a smaller version of the ID-1 format It

telecommuni-is intended to meet customer demand for cards with the smallest possible dimensions.Cards with shapes other than the usual rectangular card body are also being made now.For example, there are cards with one corner rounded at a large radius and cards shaped

in the outline of an animal The constraints with respect to the shape of contact cards arethat they must fit into the slot of an ID-1 terminal, be readily removed from the terminalafter use, and make reliable electrical contact with the terminal Incidentally, most cardswith special shapes are made by stamping them from cards in ID-1 format to achievethe desired shape

The card body is usually more than just a carrier for the chip module It also includesinformation for the user and card accepters and of course security elements for protectionagainst forgery Furthermore, the card body is an excellent advertising medium The cardissuers must coordinate all these functions, some of which are mutually contradictory,with their own specific wishes The ultimate result is the issued card

1.3.1 Printing and labelling

A rather wide variety of processes are available for printing and labelling cards Textelements that are common to all cards of a series are normally applied using offsetprinting or silkscreen printing, but sheet printing and individual card printing processesare also used

Lasering is widely used for printing individual cards This consists of using a laserbeam to darken the surface of the plastic card body This process produces irreversiblecard labelling, but it requires a certain amount of investment in technology A more

economical alternative is thermal transfer printing, which can also be used for colourprinting One of the drawbacks of this method is that the colour layers are located close

to the surface of the card, so they can be removed almost completely Digital printingprocesses for high-quality printing of individual cards are a relatively new development

The main advantage of embossing, which is commonly used with credit cards, is that thelabelling can be transferred to paper using a simple stamping machine The embossedsection of the card can be restored to its original state by heating the card to a relativelyhigh temperature For this reason, the check digits at the end of the embossing usuallyextend into the hologram area As the hologram will be visibly damaged if the card isheated, this makes it relatively easy to detect manipulation of the embossing

Technically sophisticated equipment is necessary to produce the white-light reflectionholograms used on cards As forgers usually do not have access to such equipment,holograms are commonly used on smart cards as security features Some other reasonsfor using holograms are that they are inexpensive in large quantities, they can be checkeddirectly by users, and the hologram cannot be removed from the smart card without de-stroying it Unfortunately, there is no link between the hologram and the microcontroller,which reduces its advantages from the perspective of the chip

Tactile elements can be applied to the card to enable visually impaired and blind people

to recognize the orientation of the card The best known example is a semicircular recess

in one of the long edges of the card The hole punched in some payment cards is alsosuitable for use as an orientation aid, although its original purpose was to allow the card

to be hung from a strap or cord

1.3.6 Magnetic stripe

With many types of cards, the only reason to retain the magnetic stripe (with its datastorage capacity of a few hundred bytes) is compatibility with a widely distributedterminal infrastructure However, it will still take a long time before magnetic-stripecards are fully replaced by smart cards, since they are significantly cheaper

1.3.7 Chip module

The chip module is a protective housing for the microcontroller chip, which is fitted tothe rear of the module The module can have six or eight visible contacts on its externalsurface, although modern smart cards need only five contacts The other contacts arereserved for future applications The microcontroller is glued to the rear of the contactsubstrate and electrically connected to the contact surfaces on the front side by thinbonding wires Figure 1.3 shows the signal assignment of the contacts of a chip module

Vcc RST CLK AUX1

GND SPU I/O

Vcc RST CLK

GND SPU I/O AUX2

Figure 1.3 Contact assignments of a smart card module Abbreviations: Vcc= Supply

volt-age, RST= Reset, CLK = Clock, AUX1 = Auxiliary 1, GND = Ground, SPU =Standard or Proprietary Use, I/O= Input/Output, AUX2 = Auxiliary 2

Smart cards that communicate without using contacts must have an integrated antenna

in the card body The antenna is a sort of coil consisting of several turns along the outeredge of the entire card Various methods can be used to produce the antenna Methodsthat are used in practice include a coil of thin copper wire embedded in the card body,etched copper tracks, and printed coils

The characteristics of a smart card are largely determined by its microcontroller chip microcontrollers are normally used A single-chip microcontroller consists of a smallsilicon chip equipped with all the functions necessary for its intended use Smart card mi-crocontrollers are not standard microcontrollers such as those used in coffee machines andtoasters, but are instead chips specially adapted for use in smart cards The adaptationsencompass electrical and physical parameters such as the maximum current consumption,the range of allowed clock frequencies, and the allowable temperature range

Single-Besides all these functional parameters, there is another essential item: security tions Smart card microcontrollers are specially hardened against attacks This includesdetecting undervoltage and overvoltage conditions and detecting clock frequencies out-side the specified range These microcontrollers also incorporate light and temperaturesensors to enable them to recognize attacks via these routes and respond accordingly.However, these are only relatively simple protective mechanisms There are also rel-atively complex methods, which are quite widely used, such as scrambling all thememories and the busses between the processor and the memories It is even possible to

func-periodically swap the scrambling key during an individual session The microcontrollerhardware can even defend against hard attacks such as measuring its current consump-tion in order to perform a statistical analysis to discover which data was processed bythe processor.

Besides technologically advanced smart card microcontrollers, there are also memorychips which are essentially intended to be used as simple data storage devices with fixedlogic circuitry designed by the semiconductor manufacturer Figure 1.4 shows the basicfunctional groups present on the chip The ROM (read-only memory) contains data aboutthe chip type The EEPROM (electrically erasable programmable read-only memory)provides the storage area for a unique chip identification number and data stored inread/write memory A terminal can store several hundred bytes to a few thousand bytes

EEPROM

Control line

Figure 1.4 Block diagram of a memory chip for a smart card with a contact interface

The security logic, which varies according to the chip type, monitors access to the data.For instance, successful verification of a PIN (personal identification number) in thememory chip may be necessary before write access is possible

Telephone cards, which are chip cards that can be used with public pay phones, have

a similar operating principle The security logic of a telephone card incorporates anauthentication algorithm so that the telephone can determine whether it is dealing with

a genuine chip card If the card is genuine, a counter in the EEPROM is decrementedaccording to the duration of the call This counter can only count down, and it stopswhen it reaches zero When this happens, the card has been used up

Microcontrollers for smart cards have significantly more functionality than simple ory chips, as can be seen from Figure 1.5 on the facing page The CPU (central processingunit) is a freely programmable control unit that executes the machine instructions of theoperating system, which is located in the ROM The CPU is assisted by a numericalcoprocessor (NPU – numeric processing unit) for numerical calculations, particularlythose dealing with cryptography These special processors combine extremely high per-formance with low power consumption Operating system extensions and the actual

mem-Data memory and operating system routines

Working memory

Coprocessor and Processor

Operating system

CLK RST I/O

Vcc GND

Figure 1.5 Block diagram of a microcontroller for a smart card with a contact interface

applications and associated data are stored in the EEPROM Just as in a PC, the RAM(random-access memory) serves as working memory to hold data during operation.These functional groups must all be integrated in a single chip that is limited to amaximum size of 25 mm2for reasons of strength and robustness As a consequence, theamount of available memory is many orders of magnitude less than what is commonlyfound in a modern PC The ROM capacity of smart card microcontrollers typicallyranges from 16 to 400 KB, the EEPROM capacity ranges from 1 to 500 KB, and theRAM size ranges from 256 bytes to 16 KB These wide ranges are due to the widevariety of application areas The simplest processor cards do not even have an operatingsystem, but instead contain only the application software At the other extreme, smartcards currently at the top of the technology ladder fully exploit all the available memory.These memory sizes are quite normal in the embedded applications area, but they aremini-memories compared with the memories of modern PCs Nevertheless, the semi-conductor technology of smart card microcontrollers is comparable to the technologyused to manufacture modern high-performance processors, since integrating the vari-ous memory technologies and the necessary hardening against attacks is rather difficult.The microcontrollers are fabricated using semiconductor processes with 90-nm technol-ogy, which is only one development step away from the current state-of-the-art 65-nmtechnology

Additional interfaces are integrated into smart card microcontrollers to expand theirrange of potential uses For instance, the commonly used half-duplex bit-serial port can

be augmented by a USB interface or a wireless communication interface tor manufacturers usually base such developments on existing smart card microcon-trollers, which are upgraded to support the additional interfaces The result is thus asingle-chip microcontroller that can communicate with the outside world via additionalinterfaces

Semiconduc-1.4.1 Processor

If you analyse the sales volumes of currently used smart card microcontrollers, you willfind that most of them still have an 8-bit CPU This is usually a simple 8051 CPU, whichhas proved itself over the last two decades, along with a few extensions The processingpower of such a CPU is sufficient for all operating systems that do not include aninterpreter However, if the operating system must provide a Java interpreter, there is adistinct preference for microcontrollers with 16-bit processors Some of these processorsare also based on a modified 8051 architecture.1

There are also a few smart card microcontrollers that are based on well-known 32-bitprocessor families such as ARM 7 or MIPS The limiting factor for using such high-performance processors is the chip area There is a more or less direct relationshipbetween chip area and price, and a 32-bit processor occupies a significantly larger areathan an 8-bit processor It is often more economical to invest in optimizing the speed

of the software than to use a processor that needs more chip area This is ultimately aconsequence of the fact that smart cards have to be low-cost, mass-production items

In addition to a processor, every microcontroller needs several types of memory withdiffering characteristics The main type of nonvolatile memory used in smart card mi-crocontrollers is ROM If the data located in memory must be modified in operation,electrically erasable memory (EEPROM) is used

Besides microcontrollers with ROM and EEPROM, a steadily increasing number of chipswith flash memory are being used Flash memory is a sort of EEPROM with reducedcell dimensions, but unlike EEPROM it cannot be erased or written byte-wise Flashmemory can take over the functions of ROM and EEPROM

EEPROM and flash memory are similar in that they cannot be erased and written anunlimited number of times and these accesses cannot occur at the full speed of theprocessor Currently, the erase and write times are typically 3.5 ms each, and the guar-anteed number of such accesses is 500 000 This has a major impact on the design ofthe operating system and application software

Static RAM is used as volatile memory for storing data during operation

Besides a processor and its associated memory, smart card microcontrollers incorporatevarious types of supplementary hardware Figure 1.6 shows a large range of possibilities.The clock signal required by the smart card is usually provided by the terminal However,

as the relevant standards restrict the frequency of this clock signal to a range of 1–5 MHz,more and more microcontrollers include internal clock multiplier or clock generatorcircuitry

1 If you are willing to generate the time-critical parts of the operating system in assembly language instead of

C and invest a fairly significant amount of time in optimizing its real-time behaviour, it is certainly possible

to develop an interpreter that will run at an acceptable speed on an 8-bit CPU

generator Reset Interrupt

MMU

CRC

Obligatory components Optional components

Figure 1.6 Block diagram of a smart card microcontroller with a selection of currently common

components linked to the CPU via a shared address, data and control bus The ROMand EEPROM memories may be omitted in some types of microcontrollers if flashmemory is used

A UART (universal asynchronous receiver transmitter) is included for bit-serial munication with the terminal, and in the case of smart cards with USB or contactlessinterfaces, the corresponding communication components are also present in the hard-ware

com-Most of the supplementary hardware is related to cryptography, since considerable cessing power is sometimes necessary for this purpose Random numbers are almostalways generated using a hardware random number generator, although the results arefurther processed in software before being used Symmetrical cryptographic algorithmssuch as DES (Data Encryption Standard), Triple DES (TDES) and AES (Advanced En-cryption Standard) are also usually present in hardware, and they generally require only

pro-a few clock cycles for full encryption or decryption

Hardware for computing asymmetric cryptographic algorithms is not generally included

in all microcontrollers, as it would increase the price If it is present, it supports theusual algorithms such as RSA (Rivest, Shamir and Adleman cryptographic algorithm),DSA (digital signature algorithm) and ECC (elliptic curve cryptosystems) The hardwareimplementation of such algorithms is always kept relatively modular to enable it tosupport various key lengths and versions, extending as far as key generation

1.4.4 Electrical characteristics

In mobile telecommunication applications, low power consumption of all components

of a mobile telephone is a visible feature even for end users, since it directly affects thespeech and standby times of the telephone The mobile telecommunication sector hasthus developed into a driver for smart cards with the lowest possible operating voltagesand current consumptions This is in full contrast to all terminals connected directly to

Table 1.2 Voltage classes as specified by ISO/IEC 7816-3 The stated maximum clock rate is

a typical value, which can optionally be changed to a wider range (4–20 MHz) Theterminal must be informed of this via the ATR

Incidentally, modern smart cards can usually work with all three voltage classes ever, the processing power may decrease with decreasing supply voltage This is due tothe internal frequency multiplication of the chip, which depends on the amount of poweravailable

How-Smart Card Operating Systems

The nature of a smart card depends more on the operating system running in the card than

on the microcontroller implanted in the card The operating system is what transforms

a piece of plastic with an embedded processor, memory and a few peripheral functionsinto a full-fledged smart card with its presently known range of uses

Current smart card operating systems are stored in the ROM of the microcontroller inunalterable form They use a large portion of the available RAM and a small portion ofthe EEPROM Nearly all commonly used smart card operating systems are based on theprovisions of the ISO/IEC 7816 family of standards

Smart card operating systems can be classified into native operating systems andinterpreter-based operating systems Native smart card operating systems and the ap-plications that run under them execute in the machine language of the associated targetprocessor They are usually generated in the C programming language, and they do nothave an interpreter or compiler to translate programs into the machine language of thetarget processor

Most interpreter-based operating systems are also written in C, but the application grams that run under them do not have to be generated in the machine language ofthe target processor Instead, they can be written in an interpreted programming lan-guage such as Java Consequently, these operating systems incorporate an interpreter totranslate programs into the machine language of the target processor Some well-knownexamples of interpreter-based operating systems are Java Card, BasicCard, and Multos

Managing files is the principal task of a smart card operating system File managementmeans not only providing read and write access to files and creating and deleting files, butalso granting access privileges and monitoring compliance with access privileges Filemanagement is especially important because most smart card applications are file-based.1

1 See Section 3.3.2

Smart Card Applications: Design Models for using and programming smart cards W Rankl

 2007 John Wiley & Sons, Ltd

File management in smart cards is almost entirely based on the provisions of the ISO/IEC7816-4 standard They specify a maximum possible functional scope, which in turn isimplemented in actual smart card operating systems only to the extent necessary.

2.1.1 File types

Smart card file structures are always based on a tree structure with a root directory,

as illustrated in Figure 2.1 The root directory of a smart card, which is analogous to

the ‘c:’ volume of a PC, is called the MF (master file) and is present only once in the

file tree of the smart card It has the properties of a directory, which means it can onlycontain other directories and cannot store data directly

Figure 2.1 The two possible forms of file-based applications in smart cards A simple smart card

file system is shown on the left It contains an MF with application-independent EFslocated directly below the MF, along with a DF with application data contained inEFs A DF without a visible MF is shown on the right It also contains application

data in the form of EFs located below the DF This sort of DF is also called an ADF

The directories of a smart card are called DFs (dedicated files), and in theory they can be

nested indefinitely Three or four levels are commonly used in actual applications, andsmart card operating systems rarely support more than eight levels The ADF (applicationdedicated file) is a special type of DF It is a DF for a specific application and can belocated in the file tree of the smart card without there being any direct relationship tothe root directory Typically, it holds all the files of a particular application ADFs arerarely encountered in actual practice

The actual application data and operating system data are stored in EFs EFs are alwayslocated in directories, and there are two possible types: working EFs and internal EFs.Working EFs are used to store application data that is accessible to the outside world viasmart card commands By contrast, internal EFs are used by the smart card operatingsystem to store data for internal purposes For example, they can be used to store keys

or a seed (initial value) for a random number generator

As smart cards are always used under the control of a terminal, it is not necessary tomake the file names compatible with human needs Standard file names thus consist

of a 2-byte data element called the FID (file identifier ) The FID of the MF, which is

'3F00', is reserved for this purpose All other FIDs can be freely chosen Table 2.1 liststhe file names of commonly used types of smart card files and summarises their keycharacteristics

Each directory file (DF) has a supplementary name in addition to its FID, and it can

be addressed in the file tree using this supplementary name This supplementary name

is called the DF name, and it usually includes an AID (application identifier) The AID

consists of an RID (registered application provider identifier) and a PIX (proprietaryapplication identifier extension) RIDs can be registered officially to ensure that theyare unique throughout the world In this case, the PIX can be used as necessary tofurther identify a specific DF This makes it possible to define a unique name for aspecific smart card application, which can then be used to recognize and select it inevery smart card

The EFs provided to hold data are also assigned FIDs, similar to all smart card files Inaddition, each EF has an SFI (short file identifier), which can be provided as a parameter

of a read or write command to select the EF directly

Table 2.1 Possible file names as specified by ISO/IEC 7816-4 The restrictions on the range of

values for the FID described in Section 5.3.2 must be observed

DF name (usually includes an AID) 1–16 bytes 0 'F F'

AIDdefinition

The maximum file size is not specified, but the maximum address range of READBINARY and UPDATE BINARY limits it to 33 023 bytes (consisting of a maximumoffset of 32 768 bytes and a maximum read or write length of 255 bytes)

L L L L L

Transparent file structure Linear file structure

Linear variable file structure

m

1 2

m

Figure 2.2 The five possible structures of data files (EFs) used in smart cards Each cell in the

diagrams represents a data byte

Besides the transparent file structure, there are three record-oriented file structures EFswith a linear fixed file structure can be used to store equal-length records The linearvariable file structure allows the records to have different lengths If records with differentlengths must be stored in a smart card, the amount of memory space required will be less

if a linear variable EF is used than if a linear fixed EF is used These two file structuresare typically used to store personal data such as addresses or telephone numbers.The cyclic file structure extends the linear file structure to include a pointer that indicateswhich record was most recently written This structure is thus ideal for a variety of logfile applications.1

The records of all record-oriented files can be read and written using the READ RECORDand UPDATE RECORD commands Normally, it is only possible to read or write com-plete records although relatively recent operating systems also support access to partialrecords

The fifth type of file structure enables data objects to be stored in a TLV structure Insuch a structure, each data object is identified by tag (T) and length (L) elements, whichare followed by the actual data or value (V) This file structure can also be used to storenested data objects Data objects can be read and stored using the GET DATA and PUTDATA commands

Table 2.2 lists commonly used types of smart card files and summarises their key acteristics

char-1 See Section 5.4

Table 2.2 Reasonable minimum and maximum file sizes The restrictions do not result directly

from any standards, but instead result indirectly from the limitations of the accesscommands The standards are vague on this subject, and sometimes even mutuallycontradictory Consequently, our recommendation here is to always maintain a safetymargin relative to the limits and in any case to make a preliminary test with the smartcard operating system you intend to use

Number of data objects Not specified (typically 255)

2.1.4 File attributes

Files in smart cards can also have various attributes, depending on the specific operating

system The best-known set of attributes is shareable and not shareable These attributes

can be used to specify for each file whether it permits concurrent read or write accessvia multiple logical channels There are many other possible file attributes, but they arenot standardized

2.1.5 File selection

The smart card SELECT command is used to explicitly select a file A file must always

be selected before it can be accessed with the usual commands such as READ BINARY

Selection using a path name enables fast selection across several DFs with a singlecommand With this method, the path to the file to be selected is passed to the smartcard as a command parameter This path can be referenced to the MF or to the currentlyselected file This is the simplest selection option, and above all, it is the option thatrequires the least amount of transaction time The MF can be selected in a similar manner

It can be selected from anywhere in the entire file tree using a single command.The four commonly used read and write commands (READ BINARY, UPDATE BI-NARY, READ RECORD and UPDATE RECORD) also support file selection during

EF

EF

EF EF

Figure 2.3 File selection options for smart cards Option 1 is explicit selection using an FID (file

identifier); option 2 is implicit file selection using an SFI (short file identifier); tion 3 is selection using a DF name; option 4 is selection using an FID (file identifier)and a path parameter

op-command transaction (implicit selection) This eliminates the need to use SELECT toselect the desired file before issuing the actual read or write command This function is

called implicit file selection, and it is quite useful for reducing file access times.

2.1.6 Access conditions

Access conditions associated with the files defined in a file system are an essentialcomponent of the file system They specify which conditions must be satisfied to enableread or write access to the files These conditions could be, for example, successful PINverification or successful authentication of the terminal by the smart card

Two different methods are commonly used in smart cards for technical implementation

of access conditions: state-based access conditions and rule-based access conditions Thefirst method has been used for more than a decade in large systems, such as the SIMsused in GSM mobile telecommunication systems Rule-based access conditions werefirst published as a standard1 in the late 1990s They are actually just a generalizationand extension of the state-based method As a result, all aspects of state-based accessconditions can be reproduced using rule-based conditions

2.1.6.1 State-based access conditions

In the case of state-based access conditions, each form of access (read or write) is onlypossible if a certain state has been attained, independent of other forms of access

1 See ISO/IEC 7816-4 (2005)

The EFADN (abbreviated dialling number) file of a SIM can be used here as a typicalexample This file can only be read using the READ RECORD command if PIN 1 haspreviously been correctly verified by the smart card.

Nearly all file-based smart card applications can be implemented with relative ease usingstate-based access conditions However, a growing number of smart card operating sys-tems support the rule-based method, which is more future-proof and significantly moreflexible

2.1.6.2 Rule-based access conditions

Rule-based access conditions in smart cards are based on assigning all files (DFs and EFs)references to a record-oriented file containing sets of access rules This file is assignedthe name EFARR (access rule reference), and each reference is simply composed of theFID of the EFARR and a record number that addresses the appropriate set of rules TheFID of EFARR is freely selectable

Each record in EFARR contains a set of rules for the various forms of access, such asread and write As directory files can also be assigned references to an EFARR, it is alsopossible to define rules for creating and deleting files.1 This method can also be used in

a similar manner to manage access to data objects

With rule-based access conditions, it is even possible to specify that certain files canonly be accessed using Secure Messaging.2 The ISO/IEC 7816-9 standard forms thebasis for the coding and the available functionality, but you should always consult thespecifications of the smart card operating system being used, since the standard providesmany options and there are large differences between individual operating systems Theoperating principle of rule-based access is illustrated in Figure 2.4

Record no Rule set 1

2 3

Reference rule set via

FID and record number

of the EFARRfile

Figure 2.4 Operating principle of using an EFARR to manage rule-based access conditions for

files and data objects

All commonly encountered requirements for access to files and data objects in smartcard applications can be implemented using rule-based access conditions Although thismethod is not especially simple, it is very powerful As a comment regarding security,

we can note here that it is essential to ensure that write accesses to EFARR can only beperformed by authorized entities Otherwise, the entire security of an application can beeffectively bypassed

1 See Section 5.3

2 See Section 2.3.4

A mistake in connection with EFARR that can nearly be regarded as classic must bementioned here If it is possible to freely delete and create files in the directory containing

EFARR, the following simple but highly effective attack is possible The attacker firstuses DELETE to delete EFARR and then uses CREATE to create a new EFARR in whichall read and write conditions for the files that reference this file are set to ‘always’ Afterthis, the attacker can use standard commands to read all EFs containing application data,and of course the attacker can also alter the contents of these files Although this isessentially a primitive form of attack, it shows quite clearly that even a sophisticatedmethod such as rule-based access requires suitably careful planning

2.1.7 File life cycle

In the ideal case, it is possible to create, use and then delete files in a smart card filesystem whenever so desired In addition, the amount of free memory available to thefile system is ideally just as large after completion of this cycle as at the beginning Thelife cycle of files, including all possible options, is illustrated in Figure 2.5

Deactivate

file

Create file (variant 1)

Terminate file

Terminate file Delete file

Delete file Terminate card

File does

not exist

File does not exist

Create file (variant 2)

Create file (variant 3)

Activate file

Activate file

Activate file

File in use (activated)

File in use (deactivated)

File created File initialized

be reduced by several bytes for each pass through the described life cycle

Of course, these simple operating systems have the advantage that they can run onmicrocontrollers with significantly less processing power (and correspondingly lowerprices) than what is required to run an operating system that supports the full range

of options of the file life cycle The simpler version is entirely adequate for manyapplications because, quite often, only the file contents are modified in actual practice,and never the actual files.

Commands for file operations The commands for file operations include SELECT,which is used to select a specific file, and READ BINARY and READ RECORD,which are used to read data from files having various structures By contrast, UPDATEBINARY and UPDATE RECORD are the commands for writing data to files Thesearch commands SEARCH BINARY and SEARCH RECORD can be used to searchfor specific values in the EFs of the associated directory and file structure

Commands for file management The commands for file management are used foradministrative purposes to manage the directory files (DFs) and data files (EFs) in thefile tree of a smart card This includes using CREATE FILE to create new files, APPENDRECORD to enlarge files, and DELETE FILE to delete existing files The ACTIVATEFILE and DEACTIVATE FILE commands block and unblock files The TERMINATE

DF and TERMINATE EF commands permanently block files without deleting them fromthe file tree

Commands for data objects Application data can be stored in data objects and/or files.

GET DATA and PUT DATA read data from data objects and write data to data objects

Commands for security functions The best-known security function command isVERIFY, which is used to verify PINs GET CHALLENGE requests a random numberfor a subsequent EXTERNAL AUTHENTICATE command, which is used to authen-ticate the outside world with respect to the smart card By contrast, INTERNAL AU-THENTICATE can be used to authenticate a smart card with respect to the rest of theworld by using a challenge–response process MUTUAL AUTHENTICATION can beused to authenticate the smart card and the outside world with respect to each other in

a single operation

The PERFORM SECURITY OPERATION (PSO) command can be used to invoke allthe cryptographic functions of a smart card under the control of parameters passed