
Smart Card Handbook part 7 ppt


DOCUMENT INFORMATION

Basic information

Title: The Smart Card Life Cycle
Institution: University of Technology
Field: Computer Science
Type: Article
Year of publication: 2023
City: Hanoi
Format:
Number of pages: 113
Size: 1.54 MB


644 The Smart Card Life Cycle

delivered data sets cannot be used if any of the chips are faulty, since the defective chips are no longer available. If this method is used, the personalizer must always report back to the party that generated the data to inform them which chips have actually been processed. This is not necessary with the personalization methods that are presently in common use, since it is easy to reproduce a faulty card. Incidentally, this is also why the personalization facilities of card producers are always secure areas.

Unfortunately, the cryptographic procedures and security measures used in the realm of personalization are largely secret, so it is not possible for us to describe any specific application. However, Figure 10.63 shows an example of an initialization process followed by a personalization process, as seen from a cryptographic perspective. For the cryptographic protection to be effective, these two production steps must take place in separate rooms using separate personnel.

The illustrated procedure works as follows. During initialization, a card-specific key (KD) is derived in a security module using a unique chip number and a master key (KM). This key is sent as plaintext to the card, where it is stored. Naturally, a lot of other data must be written to the smart card during the initialization, but generating and storing the card-specific key KD is the only cryptographically relevant step.

Following this, the card is personalized. This can be done immediately following the initialization, but it may also be done several weeks later. The important factor is that personalization must be completely separate from initialization, in order to prevent a KD that has been illicitly acquired during initialization from being used during personalization to decrypt the card-specific data.

In the personalization process, the personalization data that have been encrypted using a shared key are decrypted for each individual card by the security module. This is necessary because the producer of the personalization data does not know the individual chip numbers, which are independently generated by the semiconductor manufacturer. The security module then computes the card-specific key (KD) from the card number that it receives from the smart card and the master key (KM). Now the security module and the smart card have a shared secret in the form of KD. This is used to encrypt the personalization data, which are then transferred in encrypted form to the smart card, where they are decrypted and written to the appropriate locations in the EEPROM. This process provides complete cryptographic protection of the personalization procedure. It protects the data to be used for personalization against being spied out, as long as the key (KD) that is written to the card during the initialization remains secret.

Figure 10.64 shows an alternative method for securing the loading of data into smart cards, in which the first step consists of having the smart card and the terminal agree on a common secret key by means of a Diffie–Hellman key exchange. After this, the data are transmitted to the smart card in encrypted form using this key. The major advantage of this method is that it never involves transmitting a secret key in non-encrypted form.
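As an added example that is not code from the handbook, the following Python models both procedures: the Figure 10.63 flow, in which a security module derives KD from KM and the chip number, hands KD to the card during initialization and later re-encrypts the producer's personalization record under KD, and the Figure 10.64 variant, in which card and terminal first agree on a session key by Diffie–Hellman. The HMAC-SHA256 key derivation, the HMAC-based stand-in cipher and the toy 127-bit group are assumptions made for the example; a real security module uses 3DES or AES and a standardized group.

```python
import hashlib
import hmac
import os


def derive_kd(km: bytes, chip_number: bytes) -> bytes:
    """Card-specific key KD = KDF(KM, chip number); anyone holding KM can recompute it."""
    return hmac.new(km, b"KD|" + chip_number, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in for the 3DES/AES a real security module uses."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong (e.g. another card's KD) or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong KD or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SmartCard:
    """Chip number is assigned by the semiconductor manufacturer; EEPROM starts empty."""

    def __init__(self, chip_number: bytes):
        self.chip_number = chip_number
        self.kd = None
        self.eeprom = {}

    def store_kd(self, kd: bytes) -> None:
        self.kd = kd            # initialization room: KD arrives in plaintext and is stored

    def load_personalization(self, blob: bytes, key: bytes = None) -> None:
        """Personalization: decrypt with KD (or a DH session key) and write 'TAG=value' lines."""
        for line in decrypt(key or self.kd, blob).decode().splitlines():
            tag, value = line.split("=", 1)
            self.eeprom[tag] = value

def try_load(card: SmartCard, blob: bytes) -> bool:
    """True if the card can authenticate and decrypt the blob with its own stored KD."""
    try:
        card.load_personalization(blob)
        return True
    except ValueError:
        return False


class SecurityModule:
    """Holds KM. One instance sits in the initialization room, another in the personalization room."""

    def __init__(self, km: bytes):
        self._km = km

    def initialize(self, card: SmartCard) -> None:
        card.store_kd(derive_kd(self._km, card.chip_number))

    def personalize(self, card: SmartCard, shared_key: bytes, db_record: bytes) -> None:
        plain = decrypt(shared_key, db_record)            # record was encrypted by the data producer
        kd = derive_kd(self._km, card.chip_number)        # recomputed from the chip number the card presents
        card.load_personalization(encrypt(kd, plain))     # only ciphertext crosses to the card


# Figure 10.64 variant: agree on a session key first, so no secret key is ever sent in the clear.
DH_P = 2 ** 127 - 1   # toy group (Mersenne prime), constructed for this example only
DH_G = 3

def dh_personalize(card: SmartCard, plain_data: bytes) -> bool:
    """Terminal and card run Diffie-Hellman; the data then travel encrypted under the session key."""
    x = 1 + int.from_bytes(os.urandom(15), "big")        # terminal's secret exponent
    y = 1 + int.from_bytes(os.urandom(15), "big")        # card's secret exponent
    X, Y = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)        # public values, exchanged in the clear
    terminal_key = hashlib.sha256(pow(Y, x, DH_P).to_bytes(16, "big")).digest()
    card_key = hashlib.sha256(pow(X, y, DH_P).to_bytes(16, "big")).digest()
    card.load_personalization(encrypt(terminal_key, plain_data), key=card_key)
    return hmac.compare_digest(terminal_key, card_key)
```

The `try_load` check is the point of the separated rooms: a record encrypted for one chip number is useless to any card initialized with a different one.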

At the conclusion of the personalization process, the personalization machine runs several quality control tests on the finished smart card. In the latest machines, for example, each card is scanned by a camera and the visual personalization is evaluated by a computer and checked against a production database. In case of an error, the card is ejected into a faulty-card bin and a new copy of the card is automatically produced. Normally, the personalization data in the microcontroller are also checked. However, this is technically difficult to do, since read access to many of the files is no longer allowed. Consequently, special security modules for these tests are frequently present in personalization machines. These modules contain secret master keys with which the personalized keys in the smart cards can be tested for correctness, possibly via an authentication.

10.4 Phase 3 of the Life Cycle in Detail 645

[Figure 10.63; diagram labels: KD, store KD, personalization data in plaintext, database with encrypted, card-specific personalization data]

Figure 10.63 Schematic representation of a typical initialization and personalization procedure using cryptographically secured transmission of data and keys. ‘KM’ designates the master key, which is used to derive the card-specific keys (KD). Only the cryptographically relevant processes are shown.

Another approach is to provide the personalizer with command strings and corresponding response strings for each individual card. The personalizer then sends these commands in the correct sequence to the smart card and compares the responses received from the card with the responses accompanying the commands. If they do not match, the smart card is not behaving as expected and a personalization error must have occurred. With this method, it is not necessary to have a special security module for the tests in the personalization machine.

[Figure 10.64; diagram labels: database with encrypted, card-specific personalization data; X, g, n; Y. Caption partly lost:] ... to transmit a previously stored symmetric personalization key to the smart card in cleartext in a separate step. Only the cryptographically relevant processes are shown.

Once a smart card has been personalized, it is generally not possible to reverse the process, which means that an incorrectly personalized smart card is worthless. Of the various processes, electrical personalization is the most prone to errors, and any errors that occur in the personalization of a large batch of cards would result in major financial losses and delays. Consequently, there are a few smart card operating systems that allow the complete personalization to be fully deleted following a suitable authentication. With regard to the operating system, the smart card afterwards behaves the same as after semiconductor fabrication or completion. This capability is sometimes used for test cards, since it makes it possible to modify the software in the card instead of scrapping the card every time the software changes. Occasionally, such smart card operating system mechanisms are enabled for regular cards, thus allowing cards to

[Figure 10.65; axis labels: amount of personalization data, throughput]

Figure 10.65 Throughput diagram for electrical personalization with single-sided and double-sided card printing using a desktop personalization machine.

Generally speaking, smart card personalization is not performed for quantities less than (typically) 10,000 cards. However, many applications require the ability to reproduce individual, customer-specific smart cards. For instance, it must be possible to replace a defective or lost Eurocheque smart card within a few days, since otherwise the cardholder will no longer be able to obtain money from cash dispensers. With an increasing level of customer friendliness, there is an increasing demand for this sort of just-in-time personalization equipment. It is usually installed alongside the mass-production personalization equipment, receives card data via data telecommunications and uses smart cards that have already been initialized and held as partly-finished products. With this sort of card production, provision of a replacement card to the end user (the cardholder) within 24 hours can be guaranteed, should this be necessary. Such equipment, which is designed for fast turnaround, is naturally not suitable for the mass production of smart cards.

Figure 10.66 Example of a desktop personalization machine for electrical personalization and double-sided color printing with a resolution of 300 dpi. The input stack of cards is located on the right-hand side, while the stacks of good and rejected cards are located on the left (Source: F+D).

Envelope stuffing and shipping

The final processing step in the production of smart cards is packing and shipping the cards. This is not necessary with some types of cards, such as pre-paid phone cards, which are frequently supplied en masse to the card issuer. However, with more sophisticated and expensive cards it is common for the cardholder to receive a personalized letter containing his or her new card. With some applications, such as credit cards, the cardholder also receives a letter with the PIN. For reasons of security, this is sent separately and a few days later than the card. The area in which all of these activities take place is often called the lettershop.

The envelope of the PIN letter is made with a carbon-paper coating on the inside. This allows a slip of paper inside the envelope to be printed from the outside using a dot-matrix impact printer. The envelope is constructed such that an unauthorized person cannot read the printed PIN code without visibly damaging the envelope. These measures ensure that it is not possible for someone to spy out PIN codes without being noticed, even while the PIN letters are being generated. High-performance printing systems for PIN letters can print up to 34,000 documents per hour.

For posting the cards, the personal information (such as the cardholder’s name and address) is either read from the card or retrieved from the production database, depending on the card type. This information is printed on a ‘card carrier’, which is a pre-printed letter, using a high-throughput laser printer. The letter may have two punched slots to hold the corners of the card. Alternatively, a strip of easily removable adhesive material is often used to attach the card to the letter. Following this, the card carrier is folded and inserted into an envelope. After the envelope has been franked, the smart card with the personalized letter is ready to be posted to the cardholder. High-performance envelope stuffing machines have a throughput of around 7000 letters per hour.

The final quality control step is to automatically weigh the finished letters containing the cards. The weight of the card, which is around 6 grams, is easily sufficient to ensure reliable verification that each envelope actually contains a card.

Figure 10.67 A system for attaching cards to their associated letters, which are then stuffed into envelopes along with any necessary attachments. This machine can prepare and stuff up to 7000 envelopes per hour (Source: Böwe Systec).

In order to minimize postage costs, it is common to presort the letters by postal code before handing them over to the post office. This optimization is most easily realized by producing the cards in the order necessary to satisfy the postal sorting criteria (such as a regional code followed by a local code).

Practical experience with even such simple things as sending cards by post repeatedly brings new and interesting problems to light. For instance, one time a major producer of smart cards was confronted with sudden failures in smart cards sent by post. When the cause of these failures was investigated, it was discovered that the responsible postal distribution center had changed the arrangement of the feed rollers in the sorting machine. With the new arrangement, the letters containing the smart cards were bent so severely during sorting that the chips inside the modules broke in some of the cards. The problem was solved by shifting the position of the card on the carrier by a few centimeters. For this and other, similar reasons, a few hundred test letters are often posted in the target region and then analyzed prior to a major mailing, in order to ensure that the smart cards will not be damaged during transport or sorting.

Table 10.5 Summary of the relative cost factors for two types of smart cards containing microcontrollers with different memory capacities

[Only the table header survives in this extract: Component or production step | Smart card with: | Smart card with:]

The production steps and phases that have been described thus far represent a mass production process, which is standard for cards such as GSM cards and credit cards with chips. Other applications or card issuers may have other basic requirements with regard to card production. For example, some GSM smart cards are personalized ‘on site’ in the shop and then handed directly to the customer. The customer naturally receives a favorable impression of the competence and capability of the shop if he or she can receive a personalized card immediately after subscribing and paying. However, this depends very strongly on the marketing policy and security requirements of the card issuer. In contrast to this example, producing card bodies and modules is basically independent of the ultimate card issuer or his marketing aspects, and thus largely the same for all applications.

10.5 PHASE 4 OF THE LIFE CYCLE IN DETAIL

Phase 4 of the life cycle of a smart card is well known to normal card users from daily experience with their own cards. New applications can be downloaded or activated, and applications already present in the card can be deactivated if necessary. Since the majority of this book addresses this phase, it is not described any further here, with the exception of card management systems.

Card management systems

Administrative systems for cards have been used by a variety of card issuers for many years already. However, up to now the emphasis has primarily been on inventory management and associating cards with specific persons. With the increasingly widespread use of smart cards that support modifying, downloading and deleting applications, the functions of card management systems have been fundamentally altered, since they must also deal with the aspects of card-specific applications. Such systems are called card management systems (CMS), applet management systems (AMS) or sometimes file management systems (FMS). The term ‘card management system’ is used here.

A functional card management system first requires a high-performance database system containing all necessary information about issued cards, as well as at least occasional online connections to the cards to be managed. For these reasons, existing smart cards used in telecommunications applications are quite suitable for use with card management systems, since they are continuously connected online to the background system while in use. In payment systems that operate partially offline, it is still possible to utilize temporary online connections to the background system, such as when a card is used with a cash dispenser or merchant terminal. An essential prerequisite for any sort of online connection is a secure end-to-end connection between the smart card and the management system.

A card management system can have a very broad range of functions. The simplest function is updating the contents of files in specific smart cards, using standard smart card commands that are sent to the cards via secure channels. A somewhat more complicated function is file management, which means deleting existing files and creating new files, using mechanisms that are similar to those used for updating file contents. All of these operations on files are referred to as ‘remote file management’ (RFM).

Significantly larger data volumes are involved in storing a new application in a smart card. If the application is file-based, all of the corresponding files must be created in the smart card and then filled with data. If the new application is program-code based, the program must be loaded into the smart card. In the case of Java Card, this is primarily done using the OP loader [12]. However, it can sometimes be necessary to replace an application by a different application or a new version of the same application. In preparation for this, the data for applications present in the smart card must be secured. Following this, the application in question must be deleted and the new application must be created in the smart card. Finally, the secured data must be loaded into the application, which may involve converting the data to a different format.

The card management systems described above relate to the period after the smart card has been issued to the end user. However, the functions of a card management system can be significantly expanded to cover the entire life cycle of the smart card. This is referred to as life-cycle management. It begins with the completion of the smart card operating system and extends over the initialization and personalization of the smart card through its actual use and any subsequent deactivation of the card that may be necessary at some time, including transferring the data to a new smart card.

Naturally, this manifold of functions causes card management systems to be quite complex. Furthermore, it should be noted that it is extremely rare for the set of smart cards being managed to be homogeneous. The most common situation is a highly heterogeneous hodge-podge of different smart card operating systems in various versions running on a variety of hardware platforms with different memory sizes. The applications to be managed will also have a certain range of versions.

As an example that illustrates the resulting complexity, we can consider the situation of an operator of a telecommunications network using SIMs having three different versions of the operating system running on three different hardware platforms with three different versions of the application. In the worst case, the card management system will have to perform 27 (= 3^3) different types of access to the application. The card user, by contrast, sees all of these 27 variants as only a single application in his SIM.

Besides the large number of variants that can quite easily arise, another consideration is that the smart cards to be managed must meet certain general conditions. In principle, the entire administrative process must be performed in an atomic manner by the card management system, since if it is somehow possible to prevent administration operations from being fully completed by means of some sort of interruption to the process, it must be possible to restore the original state. For example, consider downloading a Java applet into a SIM via the air interface. If the connection is broken, for instance because there is a coverage gap in a tunnel, this must not be allowed to have any sort of technical consequences for the existing functionality of the SIM. All of this can be technically achieved using existing mechanisms and procedures, but it requires substantial effort.
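The replacement sequence described above (secure the data, delete the old application, create the new one, reload the converted data) together with the atomicity requirement, as an added example in Python that is not from the handbook: the SIM keeps an uncommitted working copy of its application table, so a link drop at any step of the over-the-air transaction leaves the card exactly as it was. The SIM, AirInterface and LinkDropped names and the begin/commit interface are assumptions for the example, not a real card OS or card management system API.

```python
import copy


class LinkDropped(Exception):
    """Raised by the air-interface stub when coverage is lost mid-transaction."""


class SIM:
    """Card OS stub. applications maps a name to {'code': str, 'data': dict}.

    Between begin() and commit() all changes go to a working copy; a reset
    (power loss, lost connection) discards that copy, so the card never ends
    up half-way through an administrative operation.
    """

    def __init__(self):
        self.applications = {}
        self._work = None

    def _live(self):
        return self._work if self._work is not None else self.applications

    def begin(self):
        self._work = copy.deepcopy(self.applications)

    def delete(self, name):
        del self._live()[name]

    def create(self, name, code):
        self._live()[name] = {"code": code, "data": {}}

    def write_data(self, name, data):
        self._live()[name]["data"] = dict(data)

    def commit(self):
        self.applications, self._work = self._work, None

    def reset(self):
        """Power-on reset: an uncommitted transaction is thrown away."""
        self._work = None


class AirInterface:
    """Flaky OTA channel: drops the link before the (fail_after+1)-th forwarded command."""

    def __init__(self, sim, fail_after=None):
        self.sim, self.fail_after, self.sent = sim, fail_after, 0

    def send(self, op, *args):
        if self.fail_after is not None and self.sent >= self.fail_after:
            raise LinkDropped(f"connection lost before '{op}'")
        self.sent += 1
        return getattr(self.sim, op)(*args)


def replace_application(link, name, new_code, convert):
    """Replace application `name` over the air; `convert` maps old data to the new format.

    Returns True when the replacement committed, False when it was rolled back.
    """
    sim = link.sim
    old_data = sim.applications[name]["data"]        # step 1: secure the application's data
    try:
        link.send("begin")
        link.send("delete", name)                    # step 2: delete the old application
        link.send("create", name, new_code)          # step 3: create the new one
        link.send("write_data", name, convert(old_data))   # step 4: reload converted data
        link.send("commit")
        return True
    except LinkDropped:
        sim.reset()      # the card's next reset discards the partial transaction
        return False
```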

There are commercially available card management systems that can provide several of the previously described functions. However, if smart cards are used on a large scale in a system in which it is necessary to dynamically manage applications, major extensions to certain aspects of existing card management systems will be necessary, regardless of the nature of the functions.

[12] See also Section 5.11, ‘Open Platform’.

10.6 PHASE 5 OF THE LIFE CYCLE IN DETAIL

Phase 5 of the life cycle of smart cards according to the ISO 10202-1 standard defines all measures relating to terminating the use of the card. Specifically, these measures consist of deactivating the application(s) in the smart card, followed by deactivating the smart card itself. However, both of these processes are purely theoretical with most smart cards. In practice, cards are either thrown into the trash or carefully labeled and filed away by collectors for some indeterminate length of time. Generally speaking, it is quite rare for cards to be returned to the card issuer.

Nevertheless, there are commands that can be used to deactivate individual applications and the complete smart card. The ISO/IEC 7816-9 commands DELETE FILE, DEACTIVATE FILE, TERMINATE DF and TERMINATE CARD USAGE are explicitly intended to be used to herald the final stage of the life cycle of an application [13].

These commands are primarily essential for managing individual applications in multiapplication cards, but they are rarely used with present-day smart cards, which mostly incorporate more or less only one application. The easiest way to end the life of a smart card is to simply cut it into pieces using a pair of scissors. Anyone can do this, and some card issuers recommend this method for ‘terminating’ smart cards.

Nevertheless, in some cases it would certainly be justified for reasons of security to return smart cards to their issuer. Some of them still contain valid secret keys, and if a potential attacker could manage to acquire several hundred or even a thousand cards, he would have a significantly larger pool of data for analyzing the hardware and software of the smart cards than if he had only a few cards. Statistical investigations based on a large number of cards will always yield more information than those based on individual cards.

For this reason, as well as well-known environmental considerations, some card issuers collect expired cards when they issue new cards. In addition, collection bins for empty telephone cards are often placed next to card phones. Effective recycling of cards is only possible after the cards have first been collected.

Recycling

We must honestly admit that little progress has been made in the recycling of smart cards. For one thing, presently there are simply not enough cards collected for a proper recycling process, and the amount of material to be recycled is anyhow not all that large. In 1997, approximately 40,000 metric tons of plastic were used in the whole world for the production of smart cards. Even under the fully idealistic assumption that an equal weight of cards could be separately collected and fed back into a recycling process, this is a vanishingly small amount compared with the total amount of plastics produced worldwide, which for PVC alone amounted to approximately 13 million metric tons in the same year.

[13] See also Section 7.8, ‘File Management Commands’.

Nevertheless, this will change with the increasingly widespread use of cards. Recycling smart cards is a particularly difficult problem. The card body, which is laminated from several layers of various types of plastic, is a highly heterogeneous material. In addition, the cards are printed with several different kinds of ink and contain holograms, signature panels and magnetic stripes, all of which add to the number of different materials in the mix. Highly homogeneous materials can only be accumulated during card production, for instance as scrap resulting from punching cards from single-layer sheets. It is relatively easy to reuse these materials, and many card manufacturers already do so.

In the case of discarded smart cards, on the other hand, it is currently practically impossible to separate the cards into homogeneous sorts of material. The presently proposed recycling method is to punch the modules out of the cards and then shred the rest of the card bodies. The plastic shreddings can be used to produce low-quality plastic items (garden ornaments are a typical example of this type of recycling). The modules can also be finely ground, and the metals that they contain can be recovered using electrolytic processes. However, such methods are presently not used anywhere on a large scale. In addition, it is not entirely clear that this sort of complex recycling truly protects the environment better than simple incineration or burial.

In the case of contactless smart cards with coils of copper wire or conductive ink embedded in the card body, it is effectively impossible to separate the material of the card into individual types of plastic.

Particularly in the case of multilayer cards, the only practical approach is high-temperature incineration, which some people rather arrogantly refer to as ‘energy recycling’. If the temperature is sufficiently high, relatively few harmful materials are released. It remains to be seen whether this solution will be considered to be acceptable in the long term. In any case, even though a single smart card weighs only 6 grams, the net weight of one million such cards is still 6 metric tons.

Table 10.6 Summary of the major components of smart cards, in terms of weight

Component                                      Materials                                               Weight
magnetic stripe                                iron oxide and similar materials, ink and adhesive      very low
microcontroller (10 mm²)                       silicon with various doping elements                    0.009 g
encapsulation blob for the microcontroller     (not legible in this extract)
adhesive to hold the module in the card body   (not legible in this extract)
module with six contacts                       epoxy resin, glass fibers, nickel, aluminum, gold       0.170 g
module with eight contacts                     epoxy resin, glass fibers, nickel, aluminum, gold       0.180 g

Smart Card Terminals

The only connection between a smart card and the outside world is the serial interface. There is no other way in which data can be exchanged, so an additional device that provides electrical connections to the card is necessary. In this book, such a device is always referred to as a terminal. However, other terms are used, such as interface device (IFD), chip-accepting device (CAD), chip-card reader (CCR), smart card reader [1] and smart card adapter. The basic functions, which are to supply power to the card and to establish a data link, are the same for all of these devices.

Any terminal that consists of more than just a contact unit, a voltage converter and a clock generator always has its own processor (usually with an 8- or 16-bit architecture) and associated memory. In simple equipment, the processor can be part of a microcontroller, but it is often a component of a single-board computer. Terminals are usually programmed only by terminal manufacturers using C, C++ or Java [JavaPOS]. In mobile telephones, which are also smart card terminals, a variant of Java (Java 2 Micro Edition, or J2ME) will attain considerable importance in the future as a programming language.

Terminals do not have their own hard disk drives, which means that they must store their programs and data in battery-backed RAM, EEPROM or Flash EEPROM. The amount of available memory is usually on the order of a few megabytes.

The problems related to allowing third parties to program terminals have been solved in the same manner as for smart cards by using executable program code, so here the solutions will most likely lead to the same sorts of developments. The Europay Open Terminal Architecture (OTA), with a Forth interpreter, was one of the first attempts at a solution in 1996, and Java for terminals is the next step. The EMV specification also explicitly includes a concept for downloadable program code.

In contrast to smart cards, which all have very similar constructions, terminals are built in many different ways. A fundamental distinction can be made between portable and stationary terminals. Portable terminals are battery-powered, while fixed terminals are preferably powered from the mains network or the data interface. Terminals can also be classified by their user interfaces. Portable devices in particular may have displays and simple keypads to allow their most important functions to be used on site. Although fixed terminals also often have displays and keypads, they have permanent links to higher-level computer systems as well. A terminal lacking a man–machine interface (i.e., display and keypad) must have a direct connection to a computer in order to provide a link between the smart card and the user.

[1] The terms ‘card reader’ and ‘smart card reader’ should not be understood to mean that data can only be read from the card using such devices. Write accesses are naturally also possible.

Smart Card Handbook, Third Edition. W. Rankl and W. Effing. © 2004 John Wiley & Sons, Ltd. ISBN: 0-470-85668-8

[Figure 11.1; block labels: CPU + NPU, volatile memory, nonvolatile memory, interface to higher-level system]

Figure 11.1 Typical architecture of a smart card terminal with a display, keypad, magnetic-stripe reader and security module. Such terminals are often used at point-of-sale locations to allow payments to be made using a wide variety of cards (credit cards, debit cards and electronic purses). A keypad that is specially protected against manipulation (a PIN pad) can be used if necessary. This diagram shows the basic energy and data flows and is not a schematic diagram.

There is a general and very practical characterization of classes of terminals in one of the specifications of the German ZKA, which divides terminals into four classes. A Class 1 terminal is one that essentially consists of a contact unit without any supplementary functional elements, along with an interface to another system (e.g., USB). Class 2 includes all of the capabilities of Class 1, with the addition of a keypad. A Class 2 terminal need not have its own keypad if it is connected between a contact unit and a PC. A Class 3 terminal has a display, in addition to the elements of Class 2. Class 4, which is the most elaborate, has all of the functional elements of Class 3 as well as a hardware security module (HSM) with RSA capability.

Table 11.1 Classification of terminals according to the ZKA

Class   Functional elements
1       Contact unit and interface to other systems
2       Class-1 functional elements + keypad
3       Class-2 functional elements + display
4       Class-3 functional elements + security module

There are also a few terminals equipped with Infrared Data Association (IrDA) or Bluetooth interfaces. Such terminals can be used for direct communication between the terminal and a personal digital assistant (PDA) or a mobile telephone. The advantage of this is that the user, who can assume that his or her own device is trustworthy, does not have to enter data (such as a PIN) using a ‘foreign’ terminal.

The division into portable and fixed terminals leads to a further distinguishing feature, which is how the terminal is used. An online terminal has an uninterrupted connection to a remote computer during operation, and this computer assumes part of the control function. A typical example is a terminal used for physical access control, which is completely controlled by a background system to which it is permanently connected.

The opposite type of terminal is an offline terminal. Such a terminal works completely independently of any higher-level system. However, although there are very many types of online terminals, there are practically no ‘pure’ offline terminals. All offline terminals occasionally exchange data with a background system, if only to request a new blacklist or an updated version of the terminal software.

Figure 11.2 A typical smart card terminal for connection to a computer via a serial interface (Giesecke & Devrient model CCR2).

In typical applications within a building, the physical link between the terminal and theremote computer is either an electrical cable or a fiber-optic cable However, the link canalso be formed by a telephone connection to the nearest computer center, as is the case withpoint-of-sale terminals for electronic payments This may involve a dial-up link or a permanentlink (leased line), depending on the application Since leased lines are expensive, there is anincreasing tendency to use the telephone line only as necessary, in order to reduce operatingcosts This means that the terminal must be equipped with a dial-up modem

Figure 11.3 Example of a portable smart card terminal for electronic payments using credit cards, debit cards and electronic purses (Giesecke & Devrient model ZVT 900). This terminal has an integrated security module and a printer, and it can be used offline.

Smart card terminals in the form of PC cards (formerly called PCMCIA cards) do not readily fit into the above classification scheme. They can be used both online and offline, and with both desktop and portable computers. In principle, such terminals are just simple and usually inexpensive hardware interfaces between a smart card and a computer. The only prerequisite for using a PC-card terminal is a PC card slot, which must be either a type I slot (3.3 mm high) or a type II slot (5 mm high), depending on the manufacturer. Some PC-card smart card terminals contain expansion memory for the smart card and coprocessor ICs for mass data encryption and decryption, in addition to the smart card interface. These terminals, which are only a few millimeters thick, are certainly the most versatile of all. They open up application areas for smart cards that in some cases are totally new. With such terminals, it is now possible for smart cards to work together with standard PCs and standard software without additional cables, power supplies or external hardware. The spectrum of possible applications is very wide. It includes access protection for specific PC functions, software copy protection and e-mail transfers protected by digital signatures.

‘Diskette terminals’ are also available. They provide a simple means to exchange data between a smart card and a PC. Such a terminal has the form of a 3.5-inch diskette and contains a very thin contact unit, card-activation electronics, a battery and a coil for transferring data to and from the read/write head of the diskette drive. There is enough room in a 3.3-mm thick diskette terminal to insert a smart card. On the PC side, all that is needed is a suitable software driver to handle data exchange. This is one way to integrate smart cards into existing systems in an uncomplicated and economical manner, although in practice this solution has not achieved widespread acceptance.

Many years of R&D activity lie between the earliest two-chip smart cards and the modern-day versions, which are equipped with very powerful microcontrollers. Terminals have undergone a similar technical evolution over the same period. The first terminals often had very primitive mechanical and electrical constructions, partly due to lack of experience. The consequence of this was that smart card microcontrollers were frequently damaged and thus failed prematurely. Since then, most terminal manufacturers have overcome these ‘teething troubles’, and a development stage has been reached in which external design is a more important factor in the buyer’s choice of terminal than technical features and specifications, which are generally similar for all terminals and manufacturers.

Figure 11.4 A typical smart card terminal in PC-card format (Gemplus model GPR400)

Figure 11.5 A smart card terminal in the form of a USB plug, for use with cards in the ID-000 (plug-in) format

In functional terms, a smart card terminal consists of two parts: a contact unit for the card and a terminal computer. The card reader, into which the smart card is inserted so that it can be electrically contacted, essentially has only a mechanical function. The terminal computer is needed to electrically drive the contacting unit, manage the user interface and establish a link to a higher-level system. In the simplest case, it can be a single microcontroller, while in technically more sophisticated solutions, it is a single-board computer.

11.1 MECHANICAL PROPERTIES

When a smart card is inserted into a terminal, two things happen in a mechanical sense. First, the card’s contacts must be electrically connected to the terminal computer. This is the task of the contact unit. Second, the terminal must detect the fact that a card has been inserted. This can be handled by a microswitch or an optical sensor (light barrier). One drawback of the latter is that its reliability can be affected by dirt or cards with transparent bodies. A mechanical switch is generally the most effective solution.

Terminals differ very greatly in terms of the contact units and contacts that are used. The GSM 11.11 specification imposes certain limits on the insertion force and the shape of the contacts, and almost all terminals use these values. According to this specification, the tips of the contact elements in the terminal should be rounded rather than pointed, with a radius of curvature of at least 0.8 mm. This largely prevents scratching the contact surfaces of the card. In addition, the force required to insert the card into the contact unit is significantly lower if the contact elements have rounded leading edges than if they are pointed.

According to the GSM specification, the maximum force exerted on a single contact must not exceed 0.5 N under any circumstances (the EMV specification allows 0.6 N). This is intended to protect the chip located beneath the contacts, since this piece of silicon crystal could break under greater stress.

Although the location of the contacts on the card is internationally standardized by ISO and should thus be the same everywhere, a French national standard (AFNOR) has the chip nearer the top edge of the card. Consequently, there are terminals that have two contact heads. This allows both ISO and AFNOR contact locations to be supported. This technically complicated solution is of interest in systems in which smart cards with ISO and AFNOR contact positions are used together. This is only a transitional situation, since ISO specifies that the AFNOR location should no longer be used. Several French banking applications, for example, employ terminals with dual contact heads. This allows both the old AFNOR cards and the newer ISO cards to be used during the transition period.

Problems can occur with the electrical contacts between the terminal and the smart card, especially with portable terminals and terminals installed in vehicles. Such terminals, in particular those in vehicles, are often subjected to high accelerations, which can cause the contacts to briefly separate from the card’s contact surfaces. You can imagine that a vehicle traveling over cobblestones at a certain speed can cause the spring-loaded contacts to oscillate at their resonant frequency. If the card is electrically activated at the time, it is simply impossible to predict what will happen.

In the extreme case, when all contacts simultaneously lift free and then reconnect with the card, the card would probably execute an activation sequence and then send an ATR. However, in this situation it is certain that the electrical activation sequence will not comply with the ISO standard, which means that this can eventually lead to chip failure if it is frequently repeated. In any case, this brief power interruption will naturally result in the loss of all states that have been achieved in the card during the current session. Depending on the application, it may thus be necessary to enter the PIN again or re-authenticate the user.

If only one contact lifts free, the consequences strongly depend on which contact it is. If it is the I/O contact, the only consequence is a temporary disturbance to the communications link. This disturbance can be handled using standard error recovery mechanisms. If a different contact lifts free, the card will be reset. In this case, the communications link must be re-established from the very beginning.


In order to prevent the contacts from lifting free due to acceleration forces, the contact force can be increased, but the upper limit is still 0.5 N per contact. There is no simple satisfactory technical solution to this problem, but the probability of contact separation can be minimized by sensible placement of the terminal. For example, the terminal can be mounted so that the contacts are perpendicular to the main axis of acceleration.

In any case, the terminal software must be able to independently re-establish communications if the contacts have briefly lifted free of the card. The millions of GSM telephones in daily use demonstrate that smart cards can be used in portable equipment without any problems.

The service life of the contacts and the technical construction of the terminals vary immensely. The service life is also strongly affected by environmental conditions, such as temperature, humidity and the like. An MTBF (mean time between failures) of 150,000 insertion cycles, however, is considered to be a normal value for a terminal.

Contact units with wiping contacts

The technically simplest terminals, which are thus the least expensive, have only wiping contacts in the form of leaf or disc springs. No other mechanical contact elements are present in these simple terminals. However, with such a simple spring-based contact unit, the contact surfaces and part of the card are always dragged across the contacts when the card is inserted and withdrawn, which produces scratch marks. These are undesirable for both aesthetic and technical reasons.

Repeated scratching of the gold-plated contact surfaces of the card gradually wears away the protective gold layer, and the exposed metal underneath this plating will then oxidize. This adversely affects the electrical connection. The user may have to insert and remove the card several times in order to rub off the oxide layer so that a satisfactory electrical connection can be made.

Mechanically driven contact units

The next higher class of terminals does not have fixed sliding contacts, but instead a mechanism that presses the contact unit against the contact surfaces of the card when the card is inserted in the terminal. A lever mechanism converts the force used to insert the card into a force perpendicular to the contact surfaces.

An optimally designed mechanism also produces a very small amount of movement of the contact unit along the length of the card while the contacts are being applied to the card. This ensures reliable electrical contact with the card, since the sliding motion rubs away any light soiling on the contact surfaces. The contact pins are also individually spring-loaded, in order to ensure a well-defined contact pressure for each contact surface.

Electrically driven contact units

The technically most complex solution, which is also the best mechanical solution, is a terminal with an electrically driven contact unit. Here a set of parallel contact pins is driven by a motor or solenoid to make perpendicular contact with the card from above, with a slight lateral motion.

Figure 11.6 Methods for making electrical contact with smart cards (contact methods a, b and c; contact surface and contact element). Method (a) with rounded contact pins is unfavorable, since soiling of the contact surface will adversely affect the reliability of the electrical contact. Methods (b) and (c) represent good solutions for the two types of contact pins illustrated. The sharp-edged contact pins shown in (c) slightly penetrate the contact surface, which can be seen under a microscope as small surface nicks.

Due to the complexity of this electromechanical construction, the terminal is relatively large. However, this type of terminal is quite suitable for use in professional applications, in which many millions of contact cycles must be made without maintenance. It is therefore typically used in automated teller machines (ATMs) and personalization machines employed in smart card manufacturing.

Figure 11.7 A typical self-feeding reader for cash dispensers, with a shutter and magnetic-stripe reader

Card ejection

The smart card is normally inserted manually, which means without any assistance from the terminal. Only ATMs have self-feeding card readers, which use a conveyor mechanism to

of the terminal to remove it.

Terminals that automatically eject the card have a spring that is tensioned by inserting the card. This can be released by the terminal computer via a solenoid. This causes the card to be partially extended from the terminal, rather than fully ejected, so that the user can grasp it and pull it out completely.

Card-ejecting readers have one major advantage relative to other types. Ejection of the card very clearly signals the end of the session to the user, while also reminding the user not to forget the card in the terminal. This reminder is often emphasized by an audible beep. This practical argument is the main reason for using card-ejecting readers.

Cash dispensers in particular are usually able to retain smart cards if necessary. Since they routinely have self-feeding card readers, it is naturally technically feasible to route the card to a special retention bin in the machine if necessary, rather than to the exit slot. From a technical viewpoint, retaining cards presents no major problems, as long as the terminal is large enough to hold the extra mechanism and the retention bin. In certain circumstances, however, there can be legal problems if the card user is also the legal owner of the card.

Ease of card withdrawal

The reliability of a system based on smart cards can suffer severely if users can withdraw their cards from the terminal at any time during a session. For one thing, this causes the card to be disconnected from the power supply without following the prescribed deactivation sequence. It could also interrupt EEPROM read or write operations, causing the content of a file to be undefined. This could cause the card to fail completely. For these reasons, it is advantageous to use terminals with card-ejecting readers that are designed such that it is impossible to manually pull the card out of the terminal. A hidden mechanical emergency ejector can be provided to remove a smart card from the terminal in case of a power failure. However, under normal circumstances the terminal can determine when to return the card to the user, thus preventing the user from interfering with ongoing processes.

11.2 ELECTRICAL PROPERTIES

With the exception of the contact unit, a terminal primarily consists of electronic components. These are used to provide the interfaces to the user and the background system, and to electrically drive the contacts. The terminal’s electromechanical parts and the smart card itself must be supplied with electrical signals. The only information that is directly provided by the contact unit is whether a card has been inserted. The only signal that is sent directly to the contact unit is the signal to actuate the automatic card ejector, if such a device is present.

The card interface consists of the five contacts for the ground, supply voltage, clock, reset and data signals. Once the electrical connections have been made, it is very important with regard to the service life of the card for the activation sequence specified by ISO/IEC 7816-3 to be followed exactly. Otherwise, the chip may be electrically overstressed, which will increase the failure rate. It is also important to observe the proper deactivation sequence, since otherwise the same problems may occur.

In this regard, there is an important consideration with simple terminals that allow the user to remove the card manually. Whenever the contact unit detects that the card is being withdrawn, the terminal’s electronic circuitry must immediately execute a deactivation sequence. This is the only way to prevent the contacts from sliding across the contact field of the card while they are possibly still energized, which would produce results that have little in common with a standard deactivation sequence. However, the consequences of such an unallowed card withdrawal can be even more serious, since shorts may occur between the leads if the contacts are worn or slightly bent. The mild sparking due to the discharge of capacitors in such a situation will damage both the contact elements and the contact surfaces of the card.

With regard to the electric circuitry, almost all terminal manufacturers have realized by now that short-circuit protection is indispensable. If this point is neglected, a single smart card with shorted contact surfaces can cause the electrical demise of very many terminals. Incidentally, shorted cards crop up regularly, partly due to vandalism and partly due to technical defects. Short-circuit protection should extend to the point that every contact can be connected to any other contact or group of contacts without any repercussions. Ideally, the circuitry that drives the smart card should be fully electrically isolated from the remaining circuitry of the terminal. This is standard practice in public card phones in Germany, since it also largely protects the equipment against externally applied voltages as well as shorts.

The voltage needed for writing and erasing EEPROM pages is generated by the microcontroller via a charge pump on the chip. This can draw currents of up to 100 mA for intervals of a few nanoseconds. The same effect, in a reduced form, can be produced by transistor switching processes in the CMOS integrated circuits. Even very fast regulator circuits in the power supply cannot handle these short spikes, with the consequence that the supply voltage for the card collapses due to the heavy current load and the EEPROM write or erase cycle fails. In extreme cases, the voltage dropout can be so severe that the processor lands outside of its stable operating area and a system crash occurs.

The remedy is to connect a capacitor as close as possible to the contacts for the smart card. A ceramic capacitor of about 100 nF is suitable, as it can release its charge very quickly. The leads to the smart card must be as short as possible, so that lead resistance and inductance do not significantly affect the ability of the circuit to meet the increased current demand within the necessary interval. A brief increase in current demand can be met by drawing charge from the capacitor until the voltage regulator can respond to the change. This is a simple and economical way to avoid power supply problems.

Particularly for electronic payment systems, it is nowadays standard to equip the terminal with a real-time clock. This is required for reasons of traceability and user protection. According to the EMV specification for credit card terminals, the clock may not be off by more than 1 minute per month. This is not technically difficult, since suitably accurate clock components

11.3 SECURITY TECHNOLOGY

Terminals may contain a very large variety of security mechanisms. The spectrum ranges from mechanically protected enclosures to security modules and sensors for the various card features. In pure online terminals, whose only function is to convert the electrical signals that pass between the background computer system and the smart card, there is normally no need for additional built-in security technology. In such cases, security is handled entirely by the computer that controls the terminal.

However, as soon as data must be entered into the terminal or the terminal must operate independently of the higher-level system, it is necessary to incorporate suitable mechanisms to provide additional system security. The possibilities are almost unlimited, but they depend very strongly on the smart card in question and its security features.

With a typical smart card, whose body is very simple and only serves as a carrier for the microcontroller, there are usually no security features on the card body. There is thus no need for the terminal to check such features. In contrast, smart cards for financial transactions are usually hybrid cards, which means that they have a magnetic stripe in addition to a chip, in order to maintain compatibility with older systems. However, hybrid cards also possess the usual features that enable the terminal to check their genuineness independently of the chip. Suitable sensors must therefore be present in the terminal.

Terminals that work offline, either completely or occasionally, must contain master keys for the cryptographic algorithms that are used, since card-specific keys cannot be derived without these keys. These master keys are very sensitive with regard to security, since the entire security of the system is based on them. In order to guarantee their security and confidentiality at all times, they are not stored in the normal electronic circuitry of the terminal, but in a separate security module within the terminal that has special mechanical and electrical protection. This security module can for example be a single-board computer encapsulated in epoxy resin, which can exchange data with the actual terminal computer only via an interface. The secret master keys are never allowed to leave the security module, but are used only internally to perform computations. In a typical application example, the security module receives an individual card number or chip number from the smart card via the terminal computer, and it uses this number to derive a card-specific key. This key is then used within the security module to compute a signature or perform authentication.
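The division of labour just described, as an added Python model that is not code from the book: the terminal computer only forwards the chip number, the challenge and the card's response, while the master key KM stays inside the security module and only MAC results leave it. The derivation function (HMAC-SHA256), the 8-byte MAC truncation and all key and chip-number values are assumptions; the book does not name the algorithm.

```python
import hashlib
import hmac
import os


def derive_card_key(master_key: bytes, chip_number: bytes) -> bytes:
    """KD = f(KM, chip number). HMAC-SHA256 is an assumed choice of f;
    the book only says a card-specific key is derived from KM and the
    unique chip number."""
    return hmac.new(master_key, chip_number, hashlib.sha256).digest()


class SecurityModule:
    """Model of the terminal's security module. KM is held privately and
    no method returns it or the derived KD; only MAC results leave."""

    MAC_LEN = 8  # assumed truncation length for the authentication MAC

    def __init__(self, master_key: bytes) -> None:
        self._km = master_key

    def compute_mac(self, chip_number: bytes, data: bytes) -> bytes:
        kd = derive_card_key(self._km, chip_number)  # never exported
        return hmac.new(kd, data, hashlib.sha256).digest()[: self.MAC_LEN]

    def verify_mac(self, chip_number: bytes, data: bytes, mac: bytes) -> bool:
        expected = self.compute_mac(chip_number, data)
        return hmac.compare_digest(expected, mac)  # constant-time compare


class SmartCard:
    """Model of the card: it stores only its own KD, written during
    initialization, and answers a challenge with a MAC over it."""

    def __init__(self, chip_number: bytes, card_key: bytes) -> None:
        self.chip_number = chip_number
        self._kd = card_key

    def internal_authenticate(self, challenge: bytes) -> bytes:
        digest = hmac.new(self._kd, challenge, hashlib.sha256).digest()
        return digest[: SecurityModule.MAC_LEN]


def initialize_card(master_key: bytes, chip_number: bytes) -> SmartCard:
    """Initialization step (card production, separate room and staff):
    KD is derived and written to the card. This is the only place where
    KD exists outside a security module."""
    return SmartCard(chip_number, derive_card_key(master_key, chip_number))


def terminal_authenticate(module: SecurityModule, card: SmartCard,
                          challenge: bytes) -> bool:
    """What the terminal computer does: read the chip number, send the
    challenge to the card, then hand chip number, challenge and response
    to the security module for verification. It never sees KM or KD."""
    response = card.internal_authenticate(challenge)
    return module.verify_mac(card.chip_number, challenge, response)


# Constructed sample values (not taken from the book).
KM = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
GENUINE = initialize_card(KM, b"CHIP-0001")
FORGED = SmartCard(b"CHIP-0001", b"wrong key")  # right number, wrong KD
MODULE = SecurityModule(KM)

if __name__ == "__main__":
    challenge = os.urandom(8)
    print("genuine card accepted:", terminal_authenticate(MODULE, GENUINE, challenge))
    print("forged card accepted: ", terminal_authenticate(MODULE, FORGED, challenge))
```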

Modern versions of this module, which is normally the size of a matchbox, contain extensive sensor systems for detecting attacks. They are also largely self-contained electrically, so they can actively resist attacks, even if denied an external source of power. If an attack is detected, the usual defense is to erase all keys, so that an attacker is left with only a circuit board encased in epoxy resin inside a metal case, with no data worth analyzing.

Due to the high cost of good security modules, the trend in recent years is to use smart cards instead. Although this leads to certain restrictions in terms of memory size, sensors and self-reliance, the level of security is generally adequate, even for electronic payment applications. Cards in the ID-000 format (plug-in) are used to limit the physical size.

Since security modules in smart-card format are not permanently built into terminals, but can be exchanged, they are ideally suited to extending terminal hardware, as illustrated by the following example. Static unilateral RSA authentication will become increasingly important in the next few years, partly because it is prescribed in the international EMV specification for credit cards with chips. Since RSA authentication is so computation-intensive that it cannot be performed by the processors normally used in terminals within an acceptable length of time, permanently built-in security modules represent a problem. However, if a plug-in smart card is used as a security module in the terminal, it can easily be exchanged. Relatively expensive smart cards containing supplementary arithmetic coprocessors can then be used for the security modules, which can perform RSA computations at high speed once the terminal software has been suitably modified.

In the future, a variety of card issuers will market debit and credit cards containing chips. All of these cards will use different keys and different methods for key derivation and authentication. Furthermore, it is unlikely that all card issuers will be willing to reveal secret data and methods to manufacturers of security modules. In all probability, the approach that will be taken is for a card issuer or group of card issuers to issue a common ‘terminal card’ that can perform all of the processes relevant to the security of their collective systems and can execute these processes within the terminal. This card will be accessed using one of the two standard transmission protocols (T=0 or T=1), and it will largely behave just like a standard smart card. The only difference will be that the terminal card will contain functions related to secret master keys, key derivation procedures and collecting security-related data (such as sales balances). The terminal will only look after the user interface and uploading or downloading data to or from the background system. All security-related functions will be handled by the terminal card. This means that the terminal must be able to work with several different terminal cards, rather than only one. A particular card will be automatically selected according to the card issuer and the selected function. The demand for several independent terminal cards has been taken into account in the latest terminals. Some of them have up to four contact units for plug-in cards. They can thus use terminal cards from several different card issuers in parallel, without mutual interference.

One of the commonly used security measures, besides providing mechanical protection for the terminal by using a robust housing that can only be opened using special tools and incorporating a security module in the terminal, is to provide mechanical protection against unauthorized tapping of data transmissions to and from the smart card. This consists of a sort of guillotine arrangement that cuts through any wires that may run from the card to the exterior of the card reader after the card has been inserted. The purpose of this device, which is called a shutter, is to prevent tapping or manipulation of the messages sent between the card and the terminal. It can be actuated either electrically or simply by inserting the card. If the wires cannot be cut, due to their thickness or composition, the shutter will not close completely. This is detected by the terminal electronics, and no power is applied to the card, so no communication takes place.

Communication between the terminal and the smart card must fundamentally be designed such that tapping or manipulation cannot impair the security of the system. Shutters should thus not actually be necessary. Nevertheless, security can certainly be increased somewhat if things are made more difficult for a would-be attacker. It makes a big difference whether an attacker can readily tap the data exchange or first has to overcome a few hurdles. However, shutters make terminals bigger and more expensive, and very few of them still close precisely after several thousand operating cycles. The system design should therefore not rely entirely on this sort of mechanical protection.

Figure 11.8 Example of two contact units for plug-in format security modules, located side by side in a smart-card terminal

11.4 CONNECTING TERMINALS TO HIGHER-LEVEL SYSTEMS

For smart cards to be used in a PC environment, it is necessary to have a terminal that is connected to the PC and to have support from the PC software. The difficulty here is naturally that in the past, each type of terminal required its own software driver to be installed in the PC. Each driver in turn had its own software interfaces, so in practice it was not possible to generate terminal-independent software. In the mid-1990s, work began on developing specifications for terminal-independent integration of smart cards into PC programs. This occurred in various countries and was performed by a wide variety of organizations. Internationally, two industrial standards have come to prevail: Personal Computer / Smart Card (PC/SC) and Open Card Framework (OCF). In Germany, as well as other countries, the Multifunktionales Kartenterminal (MKT) specification has been in place for some time. It has achieved surprisingly widespread use within the German-speaking realm. All three of these specifications are described in summary form below, and they can also be obtained free of charge via the Internet.

11.4.1 PC/SC

The first efforts to generate an international specification for linking cards with PCs began in May 1996. The companies Bull, Hewlett-Packard, Microsoft, Schlumberger, Siemens Nixdorf, Gemplus, IBM, Sun, Verifone and Toshiba participated in the development of this specification.

Version 1.0 of the ‘Interoperability Specification for ICCs and Personal Computer Systems’ was published in December 1997. It consists of eight parts, which are described in Table 11.2. The working group was known as PC/SC (for ‘personal computer / smart card’), and this abbreviation is also used to refer to the specification. It can be obtained via the Internet from the WWW server of the specification group [PC/SC].

Table 11.2 Summary of the eight parts of the PC/SC specification

Part 1: Introduction and Architecture Overview
    This is the basis for all other parts of the specification. It identifies the relevant standards, summarizes the system architecture and the hardware and software components, and lists definitions and acronyms.

Part 2: Interface Requirements for Compatible IC Cards
    T=0 and T=1 protocols are both described.

Part 3: Requirements for PC-Connected Interface Devices
    The requirements imposed on the terminal and the supported terminal features (display, keypad and so on)

Part 4: IFD Design Considerations and Reference Design

Interface Definition
    Detailed descriptions of the technical software aspects of the ICC Service Provider and Crypto Service Provider, including the associated classes

Part 7: Application Domain and Developer Design Considerations
    Description of the utilization of the PC/SC specification from the application perspective

Part 8: Recommendations for ICC Security and Privacy Devices
    Compilation and definition of recommended functions and mechanisms that should be supported by a PC/SC Smart Card. This includes the file system (MF, DF and EF), associated file access conditions, necessary system files in the smart card (for keys, PINs and so on), commands, return codes and cryptographic algorithms

At least in principle, PC/SC is platform-independent, since it works on all Windows-based PCs, and these make up the majority of personal computers. It allows smart cards to be integrated into any desired application in a manner that is largely independent of programming language, since it supports widely used languages such as C, C++, Java and Basic. The only prerequisites are that a suitable driver must be available for the terminal to be used and the smart card must be PC/SC-compatible. However, this compatibility requirement is reasonably non-critical, since the scope has been kept relatively broad.

The easiest way to gain an overall understanding of the PC/SC specification is to view it in terms of the defined hardware and software components. The following seven components are described in terms of their functions and mutual interfaces:

- ICC-aware application
- ICC service provider
- Crypto service provider
- ICC resource manager
- IFD handler
- IFD
- ICC

The tasks and functions of each of these components are briefly described below, in the order in which they are listed above.

Figure 11.9 Overview of the software architecture of the PC/SC specification for linking smart cards to PC operating systems (PC application, crypto service provider, ICC service provider, ICC resource manager and the smart cards (ICCs))

Trang 27

670 Smart Card Terminals

ICC-aware application

This is an application that runs on a PC and that wishes to use the functions and data of one ormore smart cards It can also be an application that runs under a multiuser operating systemwith multitasking and multithreading

be used for all functions except cryptographic functions

The service provider does not have to be a single piece of software It can also consist ofmultiple software components linked by a network For example, it is possible to locate thecrypto service provider on a cryptographically secure or high-performance computer that isisolated from the remainder of the PC/SC components

ICC resource manager

The ICC resource manager is the most important component of the PC/SC architecture. It manages all resources that are necessary to integrate smart cards into the operating system. It must provide three important functions.

First, it is responsible for recognizing connected terminals and smart cards. It must also recognize when a smart card has been inserted into or removed from a terminal, and respond to such events by providing suitable messages.

Its second function is to manage the allocation of terminals to one or more applications. For this purpose, a terminal resource can be exclusively assigned to a particular application. However, if several applications access the same terminal simultaneously, this terminal must be identified and managed by the ICC resource manager as a shared resource.

The third function is to provide transaction primitives. A transaction primitive is formed by binding the commands related to a particular function into a group. This ensures that these commands will be executed in an uninterrupted sequence. Otherwise, it would be possible for two uncoordinated applications to concurrently access a smart card, each using its own sequence of commands. The problems that this would cause can most easily be illustrated by the following example. In a smart card, only one file can be selected at a time. If two different applications attempt to select different files at the same time using SELECT FILE commands and then read data from the smart card using read commands (such as READ BINARY), it is completely undefined which file will actually be read. This depends only on the order in which the commands arrive at the smart card. A much more complicated situation, but no less tricky, arises when it is necessary to perform complex procedures involving several applications interacting with a single smart card (such as paying using an electronic purse). The ICC resource manager ensures that command sequences that belong together cannot be split up or interrupted by other commands, and so ensures that the individual procedures are executed one after the other.
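The race just described, as an added example that is not part of the handbook: a small Python simulation of a card with exactly one current file, two applications that each select a file and then read it, and a resource manager whose transaction lock plays the role that SCardBeginTransaction/SCardEndTransaction play in PC/SC. The card image, the file identifiers and the round-robin interleaving are constructed for the demonstration; the round-robin stands in for whatever interleaving two uncoordinated processes would actually produce.

```python
"""Added example (not from the handbook): a simulated ICC resource manager
showing why commands that belong together must run as one uninterrupted group.
File identifiers and contents are constructed for the demo."""
from typing import Dict, Iterator, Optional, Tuple

# Constructed card image: two elementary files under one DF.
CARD_FILES = {"EF01": b"balance=100", "EF02": b"name=alice"}

Apdu = Tuple[str, str]  # (instruction, argument); real APDUs are byte strings


class SimCard:
    """A smart card has exactly one current file at any time (ISO/IEC 7816-4)."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = files
        self.current: Optional[str] = None

    def transmit(self, apdu: Apdu) -> bytes:
        ins, arg = apdu
        if ins == "SELECT FILE":
            if arg not in self.files:
                return b"\x6a\x82"                     # SW 6A82: file not found
            self.current = arg
            return b"\x90\x00"
        if ins == "READ BINARY":
            if self.current is None:
                return b"\x69\x86"                     # SW 6986: no current EF
            return self.files[self.current] + b"\x90\x00"
        return b"\x6d\x00"                             # SW 6D00: INS not supported


class ResourceManager:
    """Arbitrates access to one card. A transaction gives one application
    exclusive use of the card until that application releases it."""

    def __init__(self, card: SimCard) -> None:
        self.card = card
        self.owner: Optional[str] = None

    def begin_transaction(self, app: str) -> None:
        if self.owner is not None:
            raise RuntimeError(f"card already held by {self.owner}")
        self.owner = app

    def end_transaction(self, app: str) -> None:
        if self.owner == app:
            self.owner = None

    def can_use(self, app: str) -> bool:
        return self.owner in (None, app)

    def transmit(self, app: str, apdu: Apdu) -> bytes:
        if not self.can_use(app):
            raise RuntimeError(f"{app} must wait: card held by {self.owner}")
        return self.card.transmit(apdu)


def app_steps(file_id: str, use_transaction: bool) -> Iterator[Tuple[str, str]]:
    """One application's command sequence: select its file, then read it."""
    if use_transaction:
        yield ("BEGIN", "")
    yield ("SELECT FILE", file_id)
    yield ("READ BINARY", "")
    if use_transaction:
        yield ("END", "")


def simulate(use_transaction: bool) -> Dict[str, bytes]:
    """Round-robin two applications against one card and return what each
    application actually read back."""
    rm = ResourceManager(SimCard(CARD_FILES))
    pending = {"A": app_steps("EF01", use_transaction),
               "B": app_steps("EF02", use_transaction)}
    results: Dict[str, bytes] = {}
    while pending:
        for app in list(pending):
            if not rm.can_use(app):
                continue                       # the other application holds the card
            try:
                step, arg = next(pending[app])
            except StopIteration:
                del pending[app]
                continue
            if step == "BEGIN":
                rm.begin_transaction(app)
            elif step == "END":
                rm.end_transaction(app)
            else:
                resp = rm.transmit(app, (step, arg))
                if step == "READ BINARY":
                    results[app] = resp[:-2]   # strip the status word
    return results


if __name__ == "__main__":
    print("without transactions:", simulate(False))   # A gets EF02's data
    print("with transactions:   ", simulate(True))    # each gets its own file
```

Without the lock, A's SELECT FILE is overtaken by B's before A's READ BINARY arrives, so A silently reads B's file with a successful status word; the card cannot tell the two callers apart. With the lock, B's first command is simply deferred until A has finished its group.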

IFD handler

The IFD handler is a sort of driver that is specific to a particular terminal. Its tasks are to link the terminal to the specified interface of the PC and to map the individual characteristics of the terminal onto the PC/SC interface. In a manner of speaking, the IFD handler represents a data channel from the PC to a particular terminal.

IFD (interface device)

The IFD component of the PC/SC specification is a terminal connected to the PC via an interface. The interface is arbitrary, so the terminal can for example be connected to the computer via an RS232 interface, a universal serial bus (USB) interface or a PC-card interface. The terminal must meet the ISO/IEC 7816-1/2/3 standards, which among other things means that it must support both of the asynchronous data transmission protocols (T=0 and T=1). Optionally, it may support synchronous transmission protocols (2-wire, 3-wire and I2C bus) for memory cards, as specified by the ISO/IEC 7816-10 standard. In the terminal, in addition to a display, the PC/SC specification supports a numeric keyboard, a fingerprint scanner and other biometric sensors for user identification.

ICC (integrated chip card)

Microprocessor smart cards that are compatible with the ISO/IEC 7816-1/2/3 standards are required to be supported by the PC/SC specification. Memory cards that comply with the ISO/IEC 7816-10 standard may also be used, if this is allowed by the terminal.

in the Java environment


11.4.3 MKT

In Germany, work on generating a specification for linking smart cards to PCs via software began at a relatively early date. This led to the Multifunktionales Kartenterminal (MKT) specification, which has been published in various versions by Teletrust Deutschland since 1994. It is primarily oriented toward the interests of the health care field, but it is now used as a basis for many other types of terminals within Germany.

The MKT specification is composed of seven parts. Part 1 describes the basic MKT concept, which contains a basic overview of the software architecture and the MKT terminal. Part 2 specifies the ‘card terminal – integrated chip card’ (CT-ICC) interface. This is the interface for contact-type smart cards using synchronous and asynchronous data transmission.

Part 3 contains a description of an application-independent interface for terminals, which is called the ‘card terminal application programming interface’ (CT-API). This interface is independent of any particular programming language and has a procedural structure. It provides the following three functions: ‘CT_init’ for initializing a connection, ‘CT_data’ for data exchange using an existing connection and ‘CT_close’ for closing a connection.

This is complemented in Part 4 by the specification of several basic, application-independent commands for controlling terminals, which are called the ‘application-independent card terminal basic command set’ (CT-BCS).

Part 5 describes the ATR and general data fields for smart cards using synchronous data transmission. Part 6 contains the associated transmission protocols, as well as corresponding general commands to be sent to the terminal. Based on this, Part 7 specifies the translation of ISO/IEC 7816-4 commands into commands for smart cards using synchronous data transmission, which means memory cards.

The MKT specification was one of the first documents of its type in the world, and it has been given an extremely broad basis in Germany by thousands of terminals used with 80 million medical insurance cards. Although it certainly no longer represents the technical state of the art, it will remain a national industry standard for many years to come.

11.4.4 MUSCLE

Suitable drivers are required for using smart cards with Linux, as with all other types of PC operating systems. However, for a long time such drivers were not available, which made it rather cumbersome to use smart cards with Linux for operations such as logging on.

The first version of MUSCLE (Movement for the Use of Smart Cards in a Linux Environment), which is intended to fill exactly this gap, was published in 2000. With regard to its architecture, MUSCLE is strongly based on PC/SC, but in contrast to PC/SC the source code is openly available under a GPL license [MUSCLE], which means that it can also be modified and further developed by third parties. MUSCLE defines a Linux API that allows smart cards to be accessed in a relatively uncomplicated manner using a connected terminal.


12 Smart Cards in Payment Systems

The original primary application of smart cards with microcontrollers was user identification in the telecommunications sector. In recent years, however, smart cards have established themselves in another market sector, namely electronic payment systems. Due to the large number of cards in use, the market potential of this sector is enormous. This is underscored by the fact that more than one billion credit cards have been issued throughout the world.[1] The future applications of electronic purses include replacing conventional means of payment (banknotes and coins), shopping via global networks and pay-per-view television.

Smart cards are by nature particularly suitable for payment system applications. They can easily and securely store data, and their convenient size and robustness make them easy for everyone to use. Since smart cards can also actively perform complicated computations without being influenced by external factors, it is possible to develop totally new approaches to performing payment transactions. This is very clearly illustrated by electronic purses in the form of smart cards, which are possible only with this medium.

Electronic payment systems and electronic purses offer significant benefits to everyone involved. For banks and merchants, they reduce the costs associated with handling cash. Offline electronic purses largely eliminate the costs of data telecommunications for payment transactions. The risk of robbery and vandalism is reduced, since electronic systems contain no cash to be stolen. For merchants, the fact that transactions are processed more quickly is also a persuasive argument, since it means that cash management can be optimized. Vending machines and ticket dispensers can be made simpler and cheaper, since assemblies to test coins and banknotes are not needed. Electronic money can be transferred via any desired telecommunications channel, so it is not necessary to regularly collect money from the machines. Customers also benefit from the new payment methods, although to a lesser degree. It is not necessary to always have change on hand, and it is possible to pay quickly at a vending machine or ticket dispenser.

Ultimately, the success or failure of a payment system is determined by its potential users. If the benefits for them are too marginal, they will not use the system and will choose other means

[1] As of the summer of 2002.

Smart Card Handbook, Third Edition, W. Rankl and W. Effing
© 2004 John Wiley & Sons, Ltd. ISBN: 0-470-85668-8


of payment. After all, an electronic purse is just a new means of payment that complements rather than replaces other existing means of payment, such as credit cards and cash. There is no reason to fear that these means of payment, which have provided reliable service for many years, will be entirely supplanted by electronic purses in the form of smart cards.

12.1 PAYMENT TRANSACTIONS USING CARDS

The simplest approach to using cards for payment transactions is to use magnetic-stripe cards holding data for online authorization. After the user’s card has been checked against the blacklist and solvency has been verified, funds can be transferred directly from the cardholder’s bank account to that of the merchant. With smart cards, the scenario is slightly different, but in principle it remains the same. The smart card is logically linked to a bank account, and after unilateral or mutual authentication of the background system and the card, a previously entered amount is transferred. Naturally, PIN verification is also performed in the smart card or background system during the transaction.

Both of these scenarios are based on a background system that makes all of the decisions. They do not by any means fully exploit the capabilities of smart cards. However, there are other means and methods of making payments that can be implemented by exploiting these capabilities. Some of them are described in this chapter.

12.1.1 Electronic payments with smart cards

There are three fundamental models for electronic payments using smart cards: (a) credit cards, in which payment is made after a service is rendered (pay later), (b) debit cards, in which payment is made when the service is rendered (pay now) and (c) electronic purses, in which payment is made before the service is rendered (pay before).[2] These models are described below, as well as a variation on them.

[Figure 12.1: payment cards, subdivided into credit cards, debit cards and electronic purse cards]

Figure 12.1 Classification of payment cards

Credit cards

The original idea of using a plastic card to pay for goods or services comes from credit cards. The principle is simple: you pay using the card, and the corresponding amount is later debited from your account. The cost of this process is borne by the merchant, who usually pays a fee that depends on the amount of the transaction. This fee is usually around 2 to 5 % of the purchase price.

[2] This classification can be augmented by the category ‘pay never’, which relates to fraud.

Up to now, most credit cards have not included chips. The disadvantage of such cards is that they have a relatively low level of protection against forgery. Consequently, card issuers experience significant losses due to counterfeit cards, since the merchant is guaranteed payment. Evidently, up to now, these losses have been lower than the cost of introducing cards with chips. However, credit cards will probably be supplemented with chips in the not too distant future, in order to reduce the steadily increasing cost of fraud.

Debit cards

The country in which debit cards are most widely used is Germany. A debit card, which may be a magnetic stripe card or a smart card, allows the amount of the payment to be transferred to the account of the merchant or service provider as a direct part of the payment process. With both debit cards and credit cards, the actual payment process is normally authorized by a credit check via a background system. There is usually a threshold level above which this must occur, so it is not always necessary to make a connection to the background system for small purchases. The threshold level is on the order of €200.

Electronic purses

With an electronic purse, ‘electronic money’ is loaded into the card before any payment is made. This can be done in exchange for cash or using a cash-free process. When a purchase is actually made, the balance in the card is reduced by the amount of the payment, and at the same time the balance of the electronic purse of the second party (who is usually the merchant) is increased by the corresponding amount. The merchant can later submit the electronic money received in this manner to the operator of the electronic purse system and be credited with the corresponding amount of real money. The user of an electronic purse thus exchanges real money for an electronic form of money that is loaded in his or her smart card. When a purchase is made, the cardholder exchanges this electronic money for goods or services.

This system has three significant drawbacks for the user. The first is that when the card is loaded, the user receives electronic money in exchange for real money. Financially, the user thus gives the operator of the purse system an interest-free loan, since it could take several weeks for the user to actually spend the electronic money, while the real money immediately becomes the property of the system operator. The amount of interest may be small for an individual user, but in total it represents a substantial source of supplementary income for the operator of the purse system. In many field trials conducted up to now, it has been found that in industrialized countries the average amount in an individual electronic purse is around 75 euros. The total average amount of money in an electronic purse system is called the ‘float’. Assuming that 10 million cards are in use and the interest rate is 5 %, the total annual interest on the float amounts to 37.5 million euros, without any offsetting costs. In this example, the amount of interest lost by an individual cardholder is only 3.75 euros, which he or she will not regard as a major disadvantage. In addition to the interest income from the float, the purse system operator receives additional income in the form of unspent electronic money, due to cards that end up in collections and defective cards that are not returned for refund.

A second drawback is that a real problem arises if the purse operator goes bankrupt. This is because the card user has exchanged real money, whose value is guaranteed by the state within certain limits, for electronic money in a smart card. If the purse operator goes bankrupt, the electronic money can suddenly become worthless, and the user will have lost his or her money. Consequently, efforts are now being made in some countries to restrict the operation of electronic purse systems to banks and similar institutions. At minimum, lodging a security deposit with a government agency is required, so that the amount of money loaded in the smart cards is covered in the event that the card issuer goes bankrupt.

There is yet a third significant drawback for the user. What can the holder of an electronic purse do if it no longer works? If the purse is anonymous, not even the purse system operator can determine the amount of money that was last loaded into the card. The purse holder will also find it practically impossible to provide convincing proof of how much money was still in the card. If the chip is ruined, the electronic money is thus irrevocably lost. Unfortunately, a smart card is much less robust than banknotes or coins, for understandable reasons.

In practice, a compromise is presently used to deal with this problem. Since the last amount loaded into the card online is known, as well as the purse balance at the time of this transaction, the approximate amount in the purse can be calculated. This amount is then paid to the client. However, if a particular client frequently makes claims due to faulty smart cards, the system operator will curb his goodwill. The customer, who ultimately bears the risk, is thus denied any further compensation in the hope that he or she will take better care of the smart card in the future.

Open and closed system architectures

A distinction must be made between open and closed architectures for electronic payment systems. An open system is fundamentally available to multiple application providers, and it can be used for general payment transactions among various parties. In contrast, a closed system can be used only for payments to a single system operator.

The technical aspects of this can be briefly illustrated using a telephone card with a memory chip as an example. With memory cards, all that happens when a payment is made is that a counter is irreversibly decremented. The terminal does not have to keep an exact account of the number of units that have been deducted; it only has to ensure that the counter in the card is always properly decremented whenever the service is used (that is, whenever a call is made using the card). In this case, the terminal is a sort of machine for destroying units of electronic money. Of course, in practice a balance is kept for each terminal, but the deducted amounts are only booked to the internal accounts of the purse system operator. Fraud in settlement of the deducted amounts between the terminal owner and the purse system operator is impossible in principle, since both parties are part of the same organization (in this case, the telephone company).

In an open system, the terminal owner and purse system operator can be completely different bodies. The purse system operator must therefore be able to verify that the accounts for the terminal receipts are correct and not manipulated. This must be taken into consideration from the very beginning in the system design, since otherwise account settlement between the terminal owner and purse operator will be very difficult or impossible. In the above example using a memory card, the system concept makes it impossible for the terminal operator to convincingly guarantee the purse system operator that the claimed amount is correct. This is because the terminal operator can only present an invoice for a certain number of units, instead of forgery-proof signatures for the amounts paid, as would be possible with a genuine electronic purse system.

System architecture and terminal connections

The system architecture of an electronic payment system using smart cards can be either centralized or decentralized. With payment systems in particular, system security is the most important issue. There is thus frequently a tendency to use centralized systems, since this gives the system operator complete control of the system.

However, these advantages are offset by several major disadvantages. In many countries, telecommunication charges are so high that it is not reasonable for merchants to have permanent links to background systems or to dial up a background system for each transaction. In some areas, the telephone network is not sufficiently reliable to allow an online link to the higher-level computer to be established at any desired time.

Due to their active nature, smart cards are excellent for use in decentralized systems, since they contain part of the system security ‘in house’. This is also their main advantage relative to passive magnetic-stripe cards, which cannot force the system to perform specific procedures.


In particular, using electronic purses with automated equipment, such as vending machines and ticket dispensers, compels the use of a decentralized system, since electronic purses can operate completely independently for weeks or months and do not have any means to connect to an existing communications system. A decentralized system is thus often preferred. In addition, a decentralized system has significantly better characteristics with regard to robustness. If the background system fails in a centralized system, all electronic payments are blocked. In a decentralized system, by contrast, the consequences of a temporary failure usually do not even reach as far as the merchant terminals.

Decentralized systems also have certain disadvantages, primarily in the area of system management. This is because online connections can only be established at certain times, and as a rule only by the terminals. However, it is essential for system security that the terminals always use the current blacklist. This is one of the reasons why many systems require each terminal to establish an online connection to the background system at least once a day. This is used to transmit the accumulated transaction data to the background system, with various types of administration data being transmitted to the terminal in return. Some examples of this administration data are new terminal software, new key sets, the current blacklist and data to be loaded into customers’ cards.

is required for payments above a certain amount, which can usually be set individually for each smart card by the system operator; (b) the number of offline transactions and the amount of time since the last online transaction can be used to decide whether to go online; (c) a random number generator can be used to force a certain percentage of all transactions to take place online. Some systems also have a special button on the terminal that forces an online transaction. This button can be pressed by the sales staff if they suspect that the customer is using a manipulated card.

All of these criteria ensure that on average, every card makes a direct connection to the background system within a defined and statistically computable time interval. The system operator thus recovers direct control over the system, which he initially lost by using a decentralized system. Terminals and automated machines having only a small turnover can be excluded from these online constraints, since even in the case of fraud only small losses can occur. This saves the cost of a link to a communications network, since data exchange can be performed manually by service personnel.

Table 12.1 Typical actions and conditions that trigger an online connection between a smart card and the background system

  Number of offline transactions performed since the last online transaction: 10
  Accumulated offline amount since the last online transaction: 500 euros
  Payment amount exceeding a configurable threshold value: 200 euros
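The online-trigger criteria above and the values of Table 12.1, as an added example that is not part of the handbook: a decision function that returns which rules force a payment online, and a seeded simulation showing that the offline-count rule bounds how long any card in a population can stay offline. The 5 % random share, the use of a single global amount threshold instead of a per-card one, and the payment amounts are assumptions made for the demonstration.

```python
"""Added example (not from the handbook): the online-trigger rules of
Table 12.1 as a decision function, plus a seeded simulation bounding the
longest offline run. Thresholds are the table's values in cents; the 5 %
random share and the payment amounts are assumed."""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OnlinePolicy:
    max_offline_count: int = 10          # offline payments since last online contact
    max_offline_amount: int = 50_000     # accumulated offline amount (500 euros)
    amount_threshold: int = 20_000       # single payment above this (200 euros);
                                         # in practice set per card by the operator
    random_online_share: float = 0.05    # assumed: 5 % of payments forced online


@dataclass
class CardState:
    offline_count: int = 0
    offline_amount: int = 0


def online_reasons(state: CardState, amount: int, policy: OnlinePolicy,
                   rng: Optional[random.Random] = None,
                   staff_forced: bool = False) -> List[str]:
    """Return the (possibly empty) list of rules that force this payment online."""
    rng = rng if rng is not None else random.Random(0)   # deterministic default
    reasons = []
    if staff_forced:
        reasons.append("staff button")
    if amount > policy.amount_threshold:
        reasons.append("amount threshold")
    if state.offline_count + 1 > policy.max_offline_count:
        reasons.append("offline count")
    if state.offline_amount + amount > policy.max_offline_amount:
        reasons.append("accumulated amount")
    if rng.random() < policy.random_online_share:
        reasons.append("random sample")
    return reasons


def process_payment(state: CardState, amount: int, policy: OnlinePolicy,
                    rng: random.Random, staff_forced: bool = False) -> bool:
    """Apply one payment to the card's counters; True if it went online."""
    if online_reasons(state, amount, policy, rng, staff_forced):
        state.offline_count = 0          # an online contact resets both counters
        state.offline_amount = 0
        return True
    state.offline_count += 1
    state.offline_amount += amount
    return False


def longest_offline_run(cards: int, payments: int, policy: OnlinePolicy,
                        seed: int = 0) -> int:
    """Longest run of consecutive offline payments over a simulated population."""
    rng = random.Random(seed)
    longest = 0
    for _ in range(cards):
        state, run_length = CardState(), 0
        for _ in range(payments):
            amount = rng.randint(100, 3_000)       # constructed: 1 to 30 euros
            if process_payment(state, amount, policy, rng):
                run_length = 0
            else:
                run_length += 1
                longest = max(longest, run_length)
    return longest


if __name__ == "__main__":
    print("longest offline run:", longest_offline_run(1_000, 200, OnlinePolicy()))
```

With small payments the count rule is the binding one: no card can exceed ten offline payments before it is forced online, whatever the random sampling does, which is the "defined and statistically computable" interval the text refers to. Raising max_offline_count to a very large value leaves only the random share and the accumulated-amount rule, and the bound then becomes probabilistic rather than hard.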

12.1.2 Electronic money

Electronic money must have certain properties if it is to be used with the same flexibility as normal money. If these properties are wholly or partially absent, the capabilities of electronic money are necessarily more or less limited. The essential properties necessary to minimize the difference between electronic money and real money are described below.

Processable

An important, although in principle trivial, property of electronic money is that it can be completely and automatically processed by machines. This is the only way in which large systems can be operated economically.


is available in a sufficient number of different denominations that normal purchases can be made using a small number of coins and banknotes.

to make payments directly from one purse to another one. The property of allowing direct payments between purses (purse-to-purse transactions) is sometimes called ‘transferability’.

Monitorable

Despite the demand for anonymity, electronic money must allow the purse system operator to monitor the system, since this is the only way in which manipulations and security gaps can be recognized and eliminated. This is exactly the same as the situation with normal money, in which every citizen is obliged to immediately report counterfeit money to the appropriate authorities. In the case of electronic money, the purse system operator is responsible for guarding against fraud and forgery, and he can and must monitor the consistency of payment flows.

Anonymous

Anonymity means that it is impossible for anyone to associate payments with particular persons. The value of this requirement is very much a question of perspective. From a technical perspective, the purse issuer desires a system with as little anonymity as possible, so he can monitor the system in the best possible manner. The possibility of fraud is very limited in non-anonymous systems, since anyone who commits a fraud can quickly be identified. Government agencies, such as the police and tax authorities, have similar interests. Non-anonymous electronic money would give them considerably more scope for monitoring financial transactions than they have enjoyed up to now with normal money.

The position of purse users is diametrically opposite. They consider current payment methods using normal money to represent an excellent state of affairs, and they regard complete anonymity and non-traceability of payment transactions as the optimum solution.

Particularly with regard to anonymity, operators of electronic purse systems often choose a compromise solution in the interest of system security. For instance, in most systems payments are anonymous, but loading electronic purses is not. This allows the system to be monitored reasonably well in a simple manner at a relatively low cost.

At first sight, some of these properties appear to be contradictory. For instance, in many cases complete anonymity and optimum system monitoring are mutually exclusive. However, this field is in the early stages of development, and there are already systems being planned in which these two properties can definitely be realized simultaneously.

There are two properties of real money that are not mentioned above, although they are highly significant. The first is that real money is legal tender that must be accepted by everyone in a particular country. In almost all countries, vendors of goods or services are obliged to accept the legal currency of that country as a means of payment. The second property relates to the stability of the currency. Except for a few countries with high rates of inflation, the legal currency in circulation has a stable value. If this is not the case, people resort to barter or using foreign currencies.

12.1.3 Basic system architecture options

Electronic payment systems based on smart cards can be constructed in a wide variety of manners. For economic reasons, they are often based on existing systems, most of which are based on magnetic-stripe cards. However, there is no single basic model that applies to all payment systems, since the requirements vary too widely. We can therefore only describe the basic principles of such systems in terms of their essential components.

Large smart card payment systems basically consist of four different components. These are the background system, the network, the terminals and the cards.

Background system

The background system consists of two parts: clearing and management. The clearing subsystem maintains the accounts of all of the banks, merchants and cardholders participating in the system, and it books all incoming transaction data. It also provides the system monitoring functions. A simple example of such a function is maintaining a running balance to check whether the total of the amounts submitted to the clearing system exceeds the total amount of money in the electronic purses. If it does, an attacker has loaded money into smart cards without the knowledge of the background system.
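The open-system requirement from Section 12.1.1 (the terminal owner must be able to present forgery-proof evidence for the amounts paid rather than a bare invoice for units) and the clearing check just described, as one added example that is not part of the handbook. The master key, card numbers, terminal identifiers and amounts are constructed; the card key is derived from a master key and the card number in the manner of the KM/KD initialization scheme, and HMAC-SHA256 stands in for whatever MAC algorithm a real purse scheme uses.

```python
"""Added example (not from the handbook): an open-architecture offline purse in
which every payment carries a MAC the clearing system can verify, together with
the float comparison described for the background system. Keys, card numbers,
terminal identifiers and amounts are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # demo value only


def derive_card_key(master: bytes, card_no: str) -> bytes:
    """Card-specific key KD from master key KM and the unique card number."""
    return hmac.new(master, card_no.encode(), hashlib.sha256).digest()


def record_bytes(card_no: str, seq: int, amount: int, terminal_id: str) -> bytes:
    return f"{card_no}|{seq}|{amount}|{terminal_id}".encode()


@dataclass(frozen=True)
class PurseRecord:
    card_no: str
    seq: int            # per-card transaction counter; makes each record unique
    amount: int         # in cents
    terminal_id: str
    mac: str            # computed inside the card with its own key


class Purse:
    """The electronic purse in the card: only the card holds its key."""

    def __init__(self, card_no: str, key: bytes) -> None:
        self.card_no, self.key = card_no, key
        self.balance, self.seq = 0, 0

    def load(self, amount: int) -> None:
        self.balance += amount

    def pay(self, amount: int, terminal_id: str) -> PurseRecord:
        if not 0 < amount <= self.balance:
            raise ValueError("amount must be positive and covered by the balance")
        self.balance -= amount
        self.seq += 1
        msg = record_bytes(self.card_no, self.seq, amount, terminal_id)
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return PurseRecord(self.card_no, self.seq, amount, terminal_id, mac)


class ClearingSystem:
    """Background system: checks each submitted record, credits the terminal
    owner and keeps the running comparison of money loaded versus submitted."""

    def __init__(self, master: bytes) -> None:
        self.master = master
        self.loaded: Dict[str, int] = {}      # card_no -> amount loaded online
        self.spent: Dict[str, int] = {}       # card_no -> amount submitted
        self.credited: Dict[str, int] = {}    # terminal_id -> amount credited
        self.seen: Set[Tuple[str, int]] = set()

    def record_load(self, card_no: str, amount: int) -> None:
        self.loaded[card_no] = self.loaded.get(card_no, 0) + amount

    def submit(self, rec: PurseRecord) -> str:
        key = derive_card_key(self.master, rec.card_no)
        msg = record_bytes(rec.card_no, rec.seq, rec.amount, rec.terminal_id)
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.mac):
            return "rejected: bad MAC"          # amount or identity altered
        if (rec.card_no, rec.seq) in self.seen:
            return "rejected: replay"           # same record submitted twice
        self.seen.add((rec.card_no, rec.seq))
        self.spent[rec.card_no] = self.spent.get(rec.card_no, 0) + rec.amount
        self.credited[rec.terminal_id] = self.credited.get(rec.terminal_id, 0) + rec.amount
        return "accepted"

    def float_consistent(self) -> bool:
        """Global check from the text: submitted total must not exceed loaded total."""
        return sum(self.spent.values()) <= sum(self.loaded.values())

    def overdrawn_cards(self) -> List[str]:
        """Per-card version of the same check; catches a single bad card earlier."""
        return sorted(c for c, s in self.spent.items() if s > self.loaded.get(c, 0))


def run_scenario() -> dict:
    clearing = ClearingSystem(MASTER_KEY)
    card_a = Purse("4711", derive_card_key(MASTER_KEY, "4711"))
    card_a.load(5_000)
    clearing.record_load("4711", 5_000)            # loaded at an online cash dispenser
    genuine = card_a.pay(1_250, "T-SHOP")
    # Terminal owner claims more than was paid: the card's MAC no longer matches.
    inflated = PurseRecord(genuine.card_no, genuine.seq, 9_999, genuine.terminal_id, genuine.mac)
    # Card B's balance was raised without the background system knowing about it.
    card_b = Purse("4712", derive_card_key(MASTER_KEY, "4712"))
    card_b.load(6_000)
    return {
        "genuine": clearing.submit(genuine),
        "inflated": clearing.submit(inflated),
        "replay": clearing.submit(genuine),
        "rogue_load": clearing.submit(card_b.pay(6_000, "T-KIOSK")),
        "float_ok": clearing.float_consistent(),
        "overdrawn": clearing.overdrawn_cards(),
        "balance_a": card_a.balance,
    }
```

The inflated claim and the replay are caught at submission, which is exactly what a memory-card unit counter cannot provide. The rogue load on card 4712 passes MAC verification, because the card itself is genuine; it is only the comparison against loaded amounts that exposes it. The global float check fires here only because the rogue amount exceeds the genuine balance still unspent on card 4711; a smaller rogue load would slip past it, while the per-card comparison flags 4712 regardless, which is the argument for keeping per-card shadow balances alongside the aggregate check.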

The management part of the background system controls all administrative processes, such as distributing new blacklists, switching to new key versions, sending software updates to the terminals and so on. This subsystem also generates data sets for personalizing smart cards.

The background system has complete control of the electronic payment system, regardless of the system architecture. Even with systems that work completely offline, the background system establishes the global system parameters and monitors the security and operation of the system.

Network

The network links the background system to the terminals. The connections may be circuit-switched (e.g. ISDN) or packet-switched (e.g. X.25). As a rule, the network is totally transparent to the data traffic, which is passed unmodified from the sender to the receiver.

Terminals

The various types of terminals can be classified as either loading terminals or payment terminals, according to their functions with respect to payments. They can also be classified as automated terminals or attended terminals. The classic example of an automated terminal is a cash dispenser (ATM). In electronic purse systems, automated terminals are primarily used only to load cards. It would naturally also be conceivable to allow an electronic purse to be emptied using such a terminal, with the balance being paid out in cash. Attended terminals are typically located at supermarket checkouts and in retail shops. They are always used to pay for goods. In some systems, terminals in banks can also be used to load smart cards in exchange for cash payments.

Smart cards

Smart cards are the most widely distributed component of the system. They can be used as electronic purses, but they can also be used as security modules in various types of terminals. Another use is transporting data between various system components. Cards for this purpose, which are called transfer cards, are used to manually transfer transaction data from a terminal that works completely offline to one that works online (such as a cash dispenser).

The example system shown in Figure 12.4 illustrates the system components and their logical connections. The background system, which may be the background system of a different operator or a component of the system itself, is connected to the other components via a transparent network.

Electronic purses are most commonly loaded using cash dispensers, most of which operate online, although they can also operate offline for a limited time in the event of a network failure. For this reason, they have their own security modules, which hold all of the keys necessary for normal operation and key derivation.

There are also electronic purse payment systems that operate fully offline. Two examples are parking meters and terminals in taxis. In such cases, transfer cards can be used to transport the transaction data from the security modules to a cash dispenser, from which they reach the background system via the network. In exchange, the terminals receive current administration data, such as blacklists and software updates.

[Figure 12.4: the background system is connected via the network to other financial transaction systems, to online terminals, to a concentrator serving cash registers with SAMs, and, by manual transfer card, to fully offline terminals]

Figure 12.4 Example architecture of an electronic purse system (SAM = security module)

A second type of payment terminal is one that is connected to the network via an online connection that is established as necessary. This type of terminal normally works offline, but it periodically connects to the background system in order to exchange any available billing and administrative data.

A third type of payment terminal has no direct connection to the network. For example, it could be connected to a supermarket cash register that in turn is connected to a concentrator located in the facility. This concentrator, which is normally a PC acting as a server, might connect to the background system once a day via the network. The necessary data exchanges occur during this connection.

The Quick electronic purse system in Austria and the Geldkarte system in Germany are similar to the example system just described, and many parts of the Visa Cash electronic purse system correspond to what has just been described. For large applications, it is quite common to use a distributed system architecture consisting of several different background systems operating in parallel. With such an architecture, several different purse systems with more than one system operator can be operated with mutual compatibility.
