`
`Integrated Circuit Cards,
`Tags and Tokens
`
`New Technology and Applications
`
`Edited by
`P. L. Hawkes, D. W. Davies
`and W. L. Price
`
`BSP PROFESSIONAL BOOKS
`
`OXFORD LONDON EDINBURGH
`
`BOSTON MELBOURNE
`
`Page 1 of 67
`
`PNC-JP MORGAN EXHIBIT 1011
`
`
`
`
`BSP Professional Books
`A division of Blackwell Scientific
`Publications Ltd
`Editorial Offices:
`Osney Mead, Oxford OX2 0EL
`(Orders: Tel. 0865 240201)
`8 John Street, London WC1N 2ES
`23 Ainslie Place, Edinburgh EH3 6AJ
`3 Cambridge Center, Suite 208, Cambridge
`MA 02142, USA
`107 Barry Street, Carlton, Victoria 3053,
`Australia
`
`Set by Setrite Typesetters Limited
`Printed and bound in Great Britain by
`MacKays of Chatham PLC, Chatham, Kent
`
`Copyright © P. L. Hawkes 1990
`Chapter 3 © 1990 by The General Electric
`Company plc
`
`All rights reserved. No part of this
`publication may be reproduced, stored
`in a retrieval system, or transmitted,
`in any form or by any means, electronic,
`mechanical, photocopying, recording
`or otherwise without the prior
`permission of the copyright owner.
`
`First published 1990
`
`British Library
`Cataloguing in Publication Data
`
`Integrated circuit cards, tags and tokens.
`1. Smart cards
`I. Hawkes, P. (Peter)
`II. Davies, D.W. (Donald Watts),
`III. Price, W. L.
`004.5'6
`
`ISBN 0-632-01935-2
`
`
`
`
`Contents
`
`Preface
`Acronyms
`List of Trademarks
`
`1 Introduction to Integrated Circuit Cards, Tags and Tokens for Automatic Identification
`  1.1 Introduction
`  1.2 Basic form and function
`  1.3 Generic applications
`  1.4 Systems
`  1.5 Software and protocols
`  1.6 Security threats and their containment
`  1.7 Other developments
`  1.8 Future prospects
`
`2 Smart Card Technology — A US Pioneer’s Viewpoint
`  2.1 Introduction
`  2.2 Early development
`  2.3 New generation smart cards
`  2.4 Financial uses
`  2.5 Agricultural uses
`  2.6 Security uses
`  2.7 Medical uses
`  2.8 Insurance sales aid
`  2.9 Travel and related financial services
`  2.10 Future development
`
`3 A Contactless Smart Card and its Applications
`  3.1 Introduction
`  3.2 The GEC intelligent contactless (integrated circuit) card
`  3.3 Security features
`  3.4 Applications
`  3.5 The future
`
`4 Low Frequency Radio Tags and their Applications
`  4.1 Introduction
`  4.2 Elements of a coded tag system
`  4.3 Benefits of low frequency
`  4.4 Principle of operation
`  4.5 Tag construction
`  4.6 Antenna considerations
`  4.7 Control equipment
`  4.8 Applications for LF tags
`  4.9 Conclusion
`
`5 Electronic Coins
`  5.1 Introduction
`  5.2 Basic system requirements
`  5.3 Applications of electronic tokens
`  5.4 Low value transactions
`  5.5 System considerations
`
`6 Secure Transactions with an Intelligent Token
`  6.1 Introduction
`  6.2 Design principles of the token
`  6.3 Realisation of the token design principles
`  6.4 The prototype token
`  6.5 Miniaturisation
`  6.6 Biometrics
`  6.7 Future developments
`
`7 Automated Personal Identification Methods for Use with Smart Cards
`  7.1 Introduction
`  7.2 Physical features
`  7.3 Behavioural characteristics
`  7.4 Performance
`  7.5 Instrumentation
`  7.6 Current R and D activity
`  7.7 Conclusions
`  7.8 Appendices
`
`8 Cryptography and the Smart Card
`  8.1 Introduction
`  8.2 Protection from passive and active attacks
`  8.3 Cryptography
`  8.4 Data integrity
`  8.5 User authentication
`  8.6 The future of cryptography in the smart card
`
`9 Smart Cards — the User’s View
`  9.1 Introduction
`  9.2 Reaction to debit rather than credit
`  9.3 Reaction to convenience
`  9.4 Reaction to information
`  9.5 Reaction to security
`  9.6 Reaction to expanded service
`  9.7 Reaction to technology
`  9.8 Special market sectors
`  9.9 The future
`
`Index
`
`
`
`
`
`Preface
`
`The ‘smart’ card single chip computer in a plastic credit card shape is
`widely promoted by its numerous suppliers and their agents as the
`ultimate microcomputer destined to be carried by everyone everywhere
`sometime soon.
`
`Why, where, when, questions from prospective card holders amongst
`the public and the key intermediaries like the bankers, retailers, medical
`profession, public administrators and telephone companies do not always
`receive straight answers. The benefits of using smart cards are less tangible
`than the early costs of introducing systems based on these intriguing
`devices. In this book we attempt to help the reader resolve the many
`paradoxes associated with the smart card and its close relatives, the radio
`tag, the integrated circuit digital memory card, the token and electronic
`coin.
`
`Amongst the many paradoxes bedevilling the whole subject are the
`following.
`Most of the tens of millions of smart cards now produced annually are
`not ‘smart’, more usually they are the humbler relative called the integrated
`circuit digital memory card. Most of these are used for vending applications
`like public payphones where an equally cost effective result can
`apparently be achieved with an optical recording card.
`The commonest smart cards produced have on one face of the card
`electrical inter-connections to the read/write authorisation units. This
`type of card is the subject of international standards work. However, for
`many applications these contact smart cards are being challenged by the
`new contactless radio linked cards such as those available from GEC and
`AT&T.
`But even these new contactless radio linked cards are not as new as
`they seem. They are predated by the well established radio tag used in
`the access control field to identify animals, people or goods.
`Mars Electronics have shown that it is possible to design an electronic
`coin having the shape and size of a conventional coin but functioning as a
`
`stored value device. There are many other prospective designs of smart
`‘card’ where non-card shapes are preferable for good mechanical and
`economic reasons. We thus have the paradox that the only real justification
`for the smart card being card shaped and sized is the transient problem of
`devising a terminal which will read both magnetic strip and embossed
`cards as well as smart cards.
`
`Another paradox lies in the claims for smart card security. The card is
`hailed as the ultimate in security for both access control and as an
`instrument in financial transactions. In the latter application the smart
`card is capable of dispensing and recording as data transferred value
`(equals money). Card stored or emitted files of data, the equivalent of
`money, obviously require protection from deliberate or accidental misuse
`both from the authorised card holder breaking the rules and from thieves.
`To protect card stored data and emitted messages requires data protection
`measures. These are best based on the applied mathematical techniques
`of cryptography. The chapter by Dr D. W. Davies describes some of the
`basics of this most important software area.
`Given satisfactory software and economic and durable hardware most
`application systems based on smart cards remain vulnerable to misuse of
`a valid card by unauthorised card holders who have stolen or worse still
`borrowed genuine cards from the authorised holders.
`Establishing the cardholder’s right to use a given card is currently based
`on the holder producing the appropriate personal identity number (PIN)
`or password. Both PINs and passwords can be readily extorted or otherwise
`obtained from the cardholder’s mind or records. Thus although the
`smart card itself may be secure against many types of misuse limiting use
`to the authorised holder can be a real problem. Dr J. R. Parks describes
`the new technology of biometrics which seeks to reduce current dependence
`on PINs by making measurements on some characteristic of the
`person such as voice print, fingerprint or handwriting style in order to
`confirm that he/she is indeed the authorised cardholder.
`
`Some limitations of smart card systems can be overcome by using them
`in on-line systems where every transaction must be authorised by real-
`time checks on centrally held lists of stolen and barred cards. The communications
`infrastructure for a totally on-line system is very expensive.
`Arlen Lessin’s chapter describes one of the new super-smart cards which
`operate off-line.
`For many large scale applications smart cards remain impossibly expensive.
`To reduce the burden of cost a multifunction smart card has been
`suggested with a master card issuer franchising space on his card for other
`card service providers. However, implementing such a system for new
`payment services such as satellite subscription TV poses substantial administrative
`and security problems which may delay the commercialisation
`of such concepts.
`
`
`
`
`In the field of patents smart card ideas have been patented by inventors
`in a number of countries as well as France. The early use of smart cards
`will require careful attention to the possible need for licences under some
`of these patents. Both suppliers and card issuers will need to be meticulous
`in their study of the published patents and their validity.
`Notwithstanding all the above it seems inevitable to the authors that
`some form of portable personal data carrier will soon come into widespread
`use in many parts of our society. Whether the smart card as we
`know it or alternatives such as the optical card, the high density magnetic
`card or other similar devices will dominate remains to be seen. It is hoped
`that readers will find answers to some of their questions in this book and
`that the references given by the authors of the various chapters will lead
`them to the basic sources of new information on this increasingly important
`subject area.
`
`P L Hawkes
`London
`
`May 1989
`
`
`
`
`
`
`Acronyms
`
`AI        Artificial Intelligence
`ANSI      American National Standards Institute
`API       Automatic Personal Identification
`ASCII     American Standard Code for Information Interchange
`ATM       Automatic Teller Machine
`
`BTG       British Technology Group
`
`CBC       Cipher Block Chaining
`CFB       Cipher Feedback
`CMOS      Complementary Metal Oxide Semiconductor
`
`DARPA     Defense Advanced Research Project Agency
`DES       Data Encryption Standard
`
`ECG       Electrocardiogram
`EDI       Electronic Data Interchange
`EFTPOS    Electronic Funds Transfer at the Point of Sale
`EPROM     Electrically Programmable Read Only Memory
`
`FAR       False Alarm Rate
`FIPS      Federation of Information Processing Societies
`FRR       False Rejection Rate
`
`IC        Integrated Circuit
`ID        Identity; Identification
`INTAMIC   International Association for the Microchip Card
`I/O       Input/Output
`ISO       International Standards Organisation
`IV        Initialisation Variable
`
`K         Kilobytes
`
`LED       Light Emitting Diode
`LF        Low Frequency
`LMK       Local Master Key
`LPC       Linear Predictor Coefficient
`LTS       Long-Term Spectra
`
`MAA       Message Authentication Algorithm
`MAC       Message Authentication Code
`
`NPL       National Physical Laboratory
`
`OFB       Output Feedback
`OSI       Open Systems Interconnection
`
`PAN       Personal Access Number; Personal Account Number
`PC        Personal Computer
`PI        Personal Identification
`PIN       Personal Identification Number
`POS       Point of Sale
`          National Public Communications Authority
`
`Q         Q factor of a circuit
`QR        Quadratic Residue
`
`RAM       Random Access Memory
`RF        Radio Frequency
`RSA       Public Key Cryptoalgorithm (Rivest, Shamir and Adleman)
`
`SD        Standard Deviation
`SM        Similarity Measure
`S/N       Serial Number
`SRI       Stanford Research Institute
`
`UV        Ultraviolet
`
`VDU       Visual Display Unit
`
`
`
`
`
`List of Trademarks
`
`The following trademarks have been used in the text:
`
`CARL
`
`Cotag
`Identikit
`Identimat
`Innovatron
`
`Magna Card
`Qsign
`SIGMA/IRIS
`
`SuperCard
`SuperSmart
`System 7.5
`Talisman
`UltiCard
`UltraSmart Card
`UNO
`Watermark
`
`
`
`
`Chapter 1
`
`Introduction to Integrated
`Circuit Cards, Tags and Tokens
`for Automatic Identification
`
`P. L. HAWKES
`
`(British Technology Group)
`
`In which we discover that the smart card is one of a large family of chip-based
`artefacts for automatic identification.
`
`1.1 INTRODUCTION
`
`Choosing a title for this book was not easy. People want information on
`the smart card and its applications. Manufacturers’ sales literature is a
`good starting point but is inevitably biased.
`A smart card is commonly understood to be a single chip integrated
`circuit microcomputer built into a plastic credit card. However most of
`the smart cards in actual use today are not true microcomputers but
`nearer memory devices. Many are not single chip, chip cards and some of
`the best and cheapest of these are not even card shaped!
`In fact the smart card is but one of many integrated circuit-based data
`carriers used in a wide variety of computer systems to help identify
`people, animals, plants, things, messages, events and places. Indeed it is
`easier to define what is not a chip-based portable data carrier than to
`produce an overall definition. Concentrating on automatic identification
`seems to the author as good a basis as any.
`Another surprise is that the history of automatic identification via a
`personal portable data carrier based upon a digital integrated circuit
`device goes back to 1968 or earlier. The various designs now available
`reflect the different origins of the data carriers concerned and their prime
`applications — anti-shoplifting tags, magnetic stripe identity cards, vending
`cards, pocket calculators etc.
`The achievement of M. Moreno and his French licensees and partners
`has been to focus worldwide commercial attention on one particular class
`of integrated circuit memory cards. This is the class of miniature artefacts
`shaped like a standard plastic credit card, having the same dimensions
`and containing hardwired or programmed logic as well as digital storage,
`i.e. the so-called ‘smart’ or ‘intelligent’ memory card. In the early 1980s
`Roy Bright introduced the adjective ‘smart’ to describe succinctly the essential
`characteristics of the single chip microcomputer card. His more recent
`definition distinguishes between the ‘active’ smart card and ‘passive’
`smart cards. The important features of the former are described in
`Chapter 2.
`In this initial chapter, I will attempt to survey all the silicon chip-based
`technologies and the perceived needs propelling their creation and uses.
`
`1.2 BASIC FORM AND FUNCTION
`
`Integrated circuit cards, tags and tokens are components in distributed
`computer and telecommunications systems. Basically they exploit the low
`cost high density digital storage capacity of integrated circuit memory
`chips usually, although not invariably, in association with control circuitry
`known as logic.
`As our children are probably now taught in school, integrated electronic
`circuits are more or less complex arrays of transistors, diodes and other
`circuit elements and their wiring interconnections formed by printing,
`diffusion and other processes within a single die or chip of silicon or other
`semiconducting crystal.
`By selective contact printing and etching, device structures down to a
`few ten millionths of an inch wide are created and enable the resulting
`chip to record information and process it very rapidly.
`With rapid and continuing progress since the early 1970s, integrated
`circuit making has progressed until today, a single chip IC some half inch
`square by a few thousandths of an inch thick, can record up to several
`million bits of digital data as an electronic charge pattern. The micro-
`computer’s logic equivalent can process data at 20 million or more oper-
`ations a second.
`
`Further increases in information recording density and data processing
`speed are expected. Made in arrays on six inch diameter wafers, the chip
`itself sells for a dollar or two.
`
`Like its competitors, magnetic discs and cards and optical discs and
`cards, the IC chip presents the technologist with a new information
`recording medium. Using low cost integrated circuit memory as the basic
`medium, the system designer has a new tool or instrument with which to
`disseminate and record information in a system.
`The basic functions enabled by the IC memory chip are the storage of a
`100,000 or more bytes (characters) of text or data and their emission or
`recording in less than a second. Unlike the optical and magnetic media,
`on-chip logic permits memory access to be controlled autonomously from
`
`within the chip. The implications of this are far reaching as will be
`described below.
`
`1.3 GENERIC APPLICATIONS
`
`At the present state-of-the-art, the basic form and functions of various IC
`cards, tags and tokens can conveniently be classified as shown in Table
`1.1. The exact form of memory used in these devices varies widely from
`UV or electrically reprogrammable memory devices to battery backed
`RAM (random access memory). Particular products and designs cate-
`gorised in Table 1.1 are best suited to specific applications. These are
`summarised in Table 1.2.
`
`Table 1.1 Integrated circuit cards, tags and tokens
`
`Type                                      Typical          System                   End-user/card
`                                          capacity (bits)  interface(s)             holder interface
`
`Radio tag                                 64               RF coupling              Via system interface
`Memory only card                          16K-1M           6-8 electrical contacts  Via system interface
`Wired logic ‘smart’ card                  256 up           6-8 electrical contacts  Via system interface
`Programmable logic ‘smart’ card           8K up            6-8 electrical contacts  Via system interface
`RF programmable logic ‘smart’ card        8K up            RF coupling              Via system interface
`Active smart card
`(a) Smart Card International ‘UltiCard’   8K up            Direct by contacts or    Direct by onboard
`                                                           indirect by card user    display and keyboard
`(b) Visa ‘Supercard’                      8K up            Direct by contacts or    Direct by onboard
`                                                           indirect by card user    display and keyboard
`(c) NPL ‘Talisman’ token for              30K up           Direct by contacts or    Direct by onboard
`    RSA messages                                           indirect by card user    display and keyboard
`
`
`Table 1.2 Typical applications of integrated circuit cards, tags and tokens
`
`Type                                  Actual or proposed application
`
`Radio tag                             Identification of specific people, animals,
`                                      places or goods
`Memory only card                      Distribution medium for computer programs
`                                      and data
`Wired logic ‘smart’ card              Vending card for making calls from public
`                                      telephones, etc.
`Programmable logic ‘smart’ card       General purpose including credit and debit
`                                      card for use in on line and off line payment
`                                      systems and ‘electronic wallet’
`RF programmable logic ‘smart’ card    As above
`‘Active’ smart card                   (a) off line payment systems
`                                      (b) patient data cards in medicine
`                                      (c) signing and encryption of electronic mail
`                                          documents
`                                      (d) metering of the use of gas, water,
`                                          electricity, TV, public transport etc.
`                                      (e) logging of events e.g. accesses to
`                                          premises
`
`1.4 SYSTEMS
`
`The smart card, tag or token is an instrument, usually the ‘key’ instrument in
`a complete system designed to provide a service to the end user, i.e. the
`person carrying the instrument.
`The service provider operates and sometimes designs the system. The
`appropriateness of the particular card, tag or token for a particular
`service is measured in terms of speed and ease of use, security and cost.
`Cost reflects both purchase price and cost of use.
`Systems are classifiable into two main types — public and private (see
`Table 1.3). Private systems are intended for use by a closed user group,
`typically the employees of the organisation operating the system. An
`access control system for a company’s premises is a common example.
`Public systems are designed for use by members of the general public,
`qualified only by virtue of being customers of a particular bank or users
`of a particular public service such as the payphone system.
`The important public systems are those like credit cards and charge
`cards which operate internationally as well as nationally. The relevant
`standards are therefore evolving from suppliers’ and service providers’
`standards into international ones via the appropriate national standards
`bodies, INTAMIC and similar bodies.
`
`Table 1.3 Public and private IC card, tag and token systems
`
`Class            Card population     Card/terminal ratio   Role of standards   Terminal security and price
`
`Private system   tens to thousands   low (10:1 up)         Useful              Both high
`Public system    millions            high (50:1 up)        Quintessential      Both generally low
`
`Cards, tags and tokens appropriate for public systems tend to be ultra
`simple to allow customer activation. Low cost is also essential and generally
`possible because of the large number of standard units involved. This
`makes them attractive candidates for use in those private systems where
`the functional limitations can be tolerated.
`
`Operating generally on a single site, over a restricted geographical area
`or via private networks, private systems can usually afford to have on line
`real-time telecommunications with each card terminal in constant touch
`with the system’s control centre. This makes the management of card
`security relatively easy compared with public systems. However, some
`‘open’ sites like hospitals and hotels present particular difficulties associated
`with the ever changing authorised user population and the risk of attack
`by criminals and vandals.
`Public systems for payment (revenue collection) and the disbursement
`of money (revenue distribution) are obviously subject to misuse both by
`legitimate card holders and impostors. This makes on line real-time notification
`of lost or stolen cards and of account abuse highly desirable.
`Quick circulation nationally or internationally of ‘hot card’ lists is however
`expensive so most systems incorporate a degree of off line operation.
`This is also of course vital to allow the authorised card holder to obtain
`some element of usage even if there is a telecommunications failure. Just
`imagine a bank which told its current account holders they could not use
`their cheque books because the bank’s computer network had problems!
`Terminal security and cost are big issues in both types of system. Many
`of today’s terminals are in well protected environments e.g. ATMs on
`bank premises. Their operation by customer activation can therefore be
`trusted. This will not be true of many retail shop terminals. Recent scares
`about computer program ‘viruses’ demonstrate widespread concern in the
`industry about the difficulty of trusting personal computer-based terminals.
`This may cause a re-evaluation of the security needs and precautions
`taken when designing, installing and operating PC-based card systems.
`A good solution may appear with the new ‘active’ or super-smart cards
`(Table 1.1). Having their own keyboard and display this class of device
`need not rely on a trusted terminal for most of its operations.
`
`1.5 SOFTWARE AND PROTOCOLS
`
`Software includes the programs governing the operation of a program-
`mable electronic device such as the 8-bit single chip microcomputer in a
`typical ‘conventional’ smart card. Also included is the operational data
`which ‘personalises’ a card, tag or token to the individual authorised end
`user and the service providing organisation. This data may be programmed
`into the various types of memory mentioned above, expressed as a wiring
`pattern (masked programmed) or via fusible electrical links.
`Protocols are essentially the rules of conduct by which the card, tag or
`token communicates with its system or other similar devices. They can be
`designed in as hardware or software.
`Much of the available on-chip memory can be consumed by a stored
`program for control of the operation of a programmable device. Thus for
`any very large scale application a bespoke, hardwired solution consumes
`less chip area and is therefore cheaper. The pay telephone card is a prime
`example.
`
`1.6 SECURITY THREATS AND THEIR CONTAINMENT
`
`Since the basic purpose of an IC card, tag or token is to identify the
`bearer to a system, security lies at the heart of all applications. It is
`therefore not surprising that improved security against misuse by card
`holders, authorised as well as unauthorised, is often the main selling point
`for these components. This emphasis has reached the point where the
`smart card for example is sometimes presented as a panacea for all
`manner of retail banking and access control systems.
`A project sponsored by the author’s employers and carried out by the
`Data Security Team at the National Physical Laboratory, Teddington, has
`examined the security of smart cards and systems, identified threats from
`the likely sources and devised appropriate new hardware and software
`technology to contain the dangers. A prototype version of NPL’s ‘Talisman’
`device was developed with the help of Texas Instruments Ltd. Full
`details are given in Chapter 6. It is described as an integrated circuit
`‘token’ rather than a super-smart card because the recommended size is
`greater than a credit card and the shape can differ to suit the application.
`
`
`
`
`The main points relating to smart cards used by people are as follows.
`The card is essentially used to support the card bearer’s identity claim.
`Once read in an authorisation unit (terminal) and accepted as valid the
`system allows the card bearer to complete a requested transaction. The
`relevant transactions include:
`
`• Purchase of goods or services
`• Access to private premises or computer resources and data
`• Sending or receiving telecommunicated messages of value
`
`The threats come from misuse by the authorised card holder, misuse by
`an unauthorised card holder or where there is collusion between such
`parties.
`Abuse cannot be entirely stopped except at uneconomic cost so a well
`designed smart card application must contain it. This can be done for
`example by denying future services to an authorised card holder who has
`abused his privileges or by catching a thief either in the transaction or
`later via an audit trail.
`
`The main basic security weakness of the conventional smart card is that
`it can be stolen and used by an unauthorised card holder.
`The established way to guard against this is to only allow card activated
`transactions where these are supported by the card holder producing a
`valid PIN (Personal Identity Number). However this PIN must be entered
`via the keyboard of an authorisation terminal. As already stated this
`terminal may not always be trustable. If it is bugged a criminal can
`discover the secret PIN without the card holder’s knowledge, copy or
`steal his smart card and then obtain access to money, goods, services etc.
`from his account with the card issuing organisation.
`NPL’s solution to this with its ‘Talisman’ IC token is to provide a
`keyboard on the token itself. With a trusted display on the token this
`keyboard makes the token’s use less vulnerable to untrustworthy terminals.
`Similar solutions are being pursued by Visa and Smart Card
`International (see Table 1.1 above) under the terminology ‘active’ smart
`card.
`
`For many applications of smart cards and tokens, messages need to be
`sent from the card to a remote mainframe over an insecure network. To
`prevent eavesdroppers abstracting, delaying, altering or inserting messages
`the technique of cryptography needs to be employed. Chapter 8 describes
`these.
`
`The Talisman token incorporates encryption means for generating a
`cryptographic version of messages sent from the token to remote computers
`or other tokens such that the message cannot be read by any but the
`intended recipient and he can authenticate that the message must have
`come from that token and no other.
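
The four network threats named above (abstracting, delaying, altering and inserting messages) can each be detected by the receiving computer, as this added example shows; it is not code from the book or from the Talisman project. It assumes a key shared between token and host and uses HMAC-SHA-256 as a stand-in for the token's own cryptography, covers authenticity and ordering only (not secrecy), and the frame layout, names and 30-second window are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                     # HMAC-SHA-256 output size
HEADER = struct.Struct(">QQ")    # assumed layout: sequence number, send time (s)


def seal(key: bytes, seq: int, sent_at: int, payload: bytes) -> bytes:
    """Token side: bind the payload to its sequence number and send time."""
    body = HEADER.pack(seq, sent_at) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Host side: classify each incoming frame against the four threats."""

    def __init__(self, key: bytes, max_delay: int = 30):
        self.key = key
        self.max_delay = max_delay   # assumed freshness window in seconds
        self.next_seq = 1            # lowest sequence number not yet seen

    def accept(self, frame: bytes, now: int):
        if len(frame) < HEADER.size + TAG_LEN:
            return ("rejected: malformed", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # A changed byte or a frame built without the key fails here.
        if not hmac.compare_digest(tag, expected):
            return ("rejected: altered or inserted", None)
        seq, sent_at = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        # A genuine frame sent a second time carries an old sequence number.
        if seq < self.next_seq:
            return ("rejected: replayed", None)
        # A genuine frame held back on the network is stale on arrival.
        if now - sent_at > self.max_delay:
            return ("rejected: delayed", None)
        # A gap in the numbering means earlier frames were removed in transit.
        missing = seq - self.next_seq
        self.next_seq = seq + 1
        if missing:
            return (f"accepted: {missing} earlier message(s) missing", payload)
        return ("accepted", payload)


def demo():
    """Run constructed traffic through the receiver and return the verdicts."""
    key = b"constructed-demo-key-0123456789"      # constructed sample key
    rx = Receiver(key)
    pay = b"PAY 25.00 TO SHOP 17"                 # constructed sample message
    m1 = seal(key, 1, 1000, pay)
    m2 = seal(key, 2, 1005, pay)
    m3 = seal(key, 3, 1010, pay)
    m4 = seal(key, 4, 1015, pay)
    altered = bytearray(m2)
    altered[HEADER.size] ^= 0x01                  # one payload bit changed
    forged = seal(b"not-the-real-key", 2, 1006, b"PAY 9999.00 TO X")
    traffic = [
        ("genuine message 1", m1, 1001),
        ("message 2 altered in transit", bytes(altered), 1006),
        ("message inserted without the key", forged, 1007),
        ("message 1 sent again", m1, 1008),
        ("message 3 arrives, message 2 never did", m3, 1011),
        ("message 4 held back 85 seconds", m4, 1100),
    ]
    return [(label, rx.accept(frame, now)[0]) for label, frame, now in traffic]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:42s} -> {verdict}")
```
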
`
`
`PIN details and other confidential data stored in a smart card, passive
`or active, or in an IC token can be discovered or altered by unauthorised
`investigation of the IC memory and its data contents. Data alteration is
`especially likely for smart cards and tokens used as ‘electronic wallets’,
`‘cheque books’ or meters. Attacks can be logical (via the contacts etc.),
`electrical (in the same way or by radiation detection) or physical by
`opening up the unit and reading the data stored therein. Tamper proofing
`is possible but very costly so most commercial products are best described
`as ‘tamper resistant’. Known means include sensitive ‘triggers’ which wipe
`out card stored data when tamper attacks are detected. Easily broken
`wires buried in a resin potted chip module are one example of triggers.
`These can be rendered ineffective by deep freezing so they are not a
`panacea.
`Another area of vulnerability is the PIN itself which can be guessed as
`well as stolen. This has led NPL and others to investigate the uses of so-
`called ‘biometric’ techniques whereby some measurement is made of a
`personal trait of the authorised card holder and compared with an authenti-
`cated card stored reference.
`
`The operation of a biometric device is analogous to the ‘eyeball’ comparison
`of a handwritten master signature on, for example, a conventional
`credit card with a new specimen produced on demand for a bank cashier
`or shop assistant. Not surprisingly then automatic signature verification
`has received a good deal of attention from NPL, SRI/Visa, De La Rue,
`Thomson and others. It is a well accepted and legally binding commitment to
`a transaction. All these designs exploit handwriting timing and rhythm as
`well as signature outline. Such invisible ‘dynamic’ signature characteristics
`are very difficult for a forger to reproduce and quite easy for a computer
`to analyse given an accurate handwriting encoder.
`Chapter 7 describes the current state-of-the-art in biometrics including
`signature dynamics, hand geometry, fingerprints, retinal and hand blood
`vessel scanning and speaker verification. To be used effectively with a
`smart card or token the biometric validity decision must be made by the
`on board microcomputer using locally stored reference data.
`Promising solutions leading perhaps to a biometric smart card are being
`worked on by a partnership between NPL, the British Technology Group
`and several equipment suppliers and card issuers. These solutions may
`soon result in a cost-effective biometric smart card or token. Meanwhile
`an interesting compromise is to store ‘mug shots’ in digitised form, in a
`smart card. Human operators of manual terminals can then compare the
`card stored ‘mug shot’ with the claimant’s appearance and then authorise
`or deny the requested transaction. This should prove a useful compromise
`for some markets like physical access control. Clearly it is inappropriate
`for markets like self-service banking and shopping.
`
`
`
`
`1.7 OTHER DEVELOPMENTS
`
`Before the ISO standard smart cards are established internationally new
`designs are appearing with alternative or additional features to open up
`new applications.
`Chapter 3 describes the GEC IC card with its secure low cost RF coupling
`method for card to terminal interaction.
`Two other developments worthy of note come from the opposite ends
`of the product spectrum of Table 1.1.
`The humble radio tag has now fully established itself as a viable solution to
`the access control problem (Table 1.4). There are over fifty suppliers
`worldwide. In this country Cotag and its competitors have delivered
`hundreds of systems to the smaller organisations with a need to restrict
`site entry to a few hundred employees and some authorised visitors. The
`systems work well and are cost-effective. John Falk of Cotag describes
`radio tags and their manifold uses in Chapter 4.
`
`1.8 FUTURE PROSPECTS
`
`As the still fledgling industry matures there seem to be two opposing
`tendencies. The first is to migrate towards very low cost standard devices
`manufactured on a huge scale.
`At the opposite end of the spectrum are the active devices like the
`NPL’s Talisman Token. In the author’s view these different approaches
`will coexist.
`
`There may also be scope for the identification and metering functions
`of the active smart cards and tokens to be integrated
`as software into other products like conventional and portable terminals
`and telephones.
`
`
`
`
`
`
`Chapter 6
`
`Secure Transactions with an Intelligent Token
`
`