` Exhibit 1003
`
`
`
`Integrated circuit cards are about to cause a revolution in everyday life.
`They will play a key part in:
`• vending and payment systems
`• personal access control
`• security documents such as driving licences and passports
`
`This book is based on a major R & D investigation at the National Physical Laboratory.
`Expert contributions cover:
`• hardware and software
`• typical applications from banking to medical records
`• economic and consumer issues
`• electronic coins
`
`The book is written by a team of specialist contributors from the UK and the USA, and edited by Peter Hawkes of the British Technology Group, Donald Davies FRS, formerly of the National Physical Laboratory and Wyn Price, leader of the NPL's Data Security Group. The book will be an invaluable source of information for all electronics engineers involved in designing the systems that will accept integrated circuit cards, and in designing the cards themselves.
`
`It will also be of interest to card providers and users and to data security experts.
`
`Page 2 of 201
`
`
`
`Integrated Circuit Cards,
`
`Tags and Tokens
`
`
`
`
`Integrated Circuit Cards,
`
`Tags and Tokens
`
`New Technology and Applications
`Edited by
`P. L. Hawkes, D. W. Davies
`and W. L. Price
`
`BSP PROFESSIONAL BOOKS
`
`OXFORD LONDON EDINBURGH
`BOSTON MELBOURNE
`
`
`
`
`Copyright © P. L. Hawkes 1990
`Chapter 3 © 1990 by The General Electric Company plc
`
`All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission of the copyright owner.
`
`First published 1990
`
`British Library Cataloguing in Publication Data
`Integrated circuit cards, tags and tokens.
`1. Smart cards
`I. Hawkes, P. (Peter)
`II. Davies, D.W. (Donald Watts),
`III. Price, W. L.
`004.5'6
`
`ISBN 0-632-01935-2
`
`BSP Professional Books
`A division of Blackwell Scientific Publications Ltd
`Editorial Offices:
`Osney Mead, Oxford OX2 0EL (Orders: Tel. 0865 240201)
`8 John Street, London WC1N 2ES
`23 Ainslie Place, Edinburgh EH3 6AJ
`3 Cambridge Center, Suite 208, Cambridge MA 02142, USA
`107 Barry Street, Carlton, Victoria 3053, Australia
`
`Set by Setrite Typesetters Limited
`Printed and bound in Great Britain by MacKays of Chatham PLC, Chatham, Kent
`
`
`
`
`Contents
`
`Preface ix
`Acronyms xiii
`List of Trademarks xv
`
`1 Introduction to Integrated Circuit Cards, Tags and Tokens for Automatic Identification
`1.1 Introduction 1
`1.2 Basic form and function 2
`1.3 Generic applications 3
`1.4 Systems 4
`1.5 Software and protocols 6
`1.6 Security threats and their containment 6
`1.7 Other developments 11
`1.8 Future prospects 11
`
`2 Smart Card Technology - A US Pioneer's Viewpoint
`2.1 Introduction 12
`2.2 Early development 13
`2.3 New generation smart cards 15
`2.4 Financial uses 17
`2.5 Agricultural uses 19
`2.6 Security uses 19
`2.7 Medical uses 20
`2.8 Insurance sales aid 22
`2.9 Travel and related financial services 23
`2.10 Future development 24
`
`3 A Contactless Smart Card and its Applications
`3.1 Introduction 29
`3.2 The GEC intelligent contactless (integrated circuit) card 30
`3.3 Security features 32
`3.4 Applications 34
`3.5 The future 38
`
`4 Low Frequency Radio Tags and their Applications
`4.1 Introduction 39
`4.2 Elements of a coded tag system 40
`4.3 Benefits of low frequency 41
`4.4 Principle of operation 44
`4.5 Tag construction 46
`4.6 Antenna considerations 49
`4.7 Control equipment 52
`4.8 Applications for LF tags 56
`4.9 Conclusion 63
`
`5 Electronic Coins
`5.1 Introduction 65
`5.2 Basic system requirements 67
`5.3 Applications of electronic tokens 69
`5.4 Low value transactions 70
`5.5 System considerations 79
`
`6 Secure Transactions with an Intelligent Token
`6.1 Introduction 81
`6.2 Design principles of the token 83
`6.3 Realisation of the token design principles 84
`6.4 The prototype token 85
`6.5 Miniaturisation 89
`6.6 Biometrics 89
`6.7 Future developments 90
`
`7 Automated Personal Identification Methods for Use with Smart Cards
`7.1 Introduction 92
`7.2 Physical features 98
`7.3 Behavioural characteristics 103
`7.4 Performance 116
`7.5 Instrumentation 118
`7.6 Current R and D activity 119
`7.7 Conclusions 120
`7.8 Appendices 120
`
`8 Cryptography and the Smart Card
`8.1 Introduction 136
`8.2 Protection from passive and active attacks 137
`8.3 Cryptography 139
`8.4 Data integrity 151
`8.5 User authentication 158
`8.6 The future of cryptography in the smart card 163
`
`9 Smart Cards - the User's View
`9.1 Introduction 165
`9.2 Reaction to debit rather than credit 167
`9.3 Reaction to convenience 168
`9.4 Reaction to information 168
`9.5 Reaction to security 169
`9.6 Reaction to expanded service 170
`9.7 Reaction to technology 171
`9.8 Special market sectors 172
`9.9 The future 173
`
`Index 177
`
`
`
`
`Preface
`
`The 'smart' card single chip computer in a plastic credit card shape is widely promoted by its numerous suppliers and their agents as the ultimate microcomputer destined to be carried by everyone everywhere sometime soon.
`
`Why, where, when, questions from prospective card holders amongst the public and the key intermediaries like the bankers, retailers, medical profession, public administrators and telephone companies do not always receive straight answers. The benefits of using smart cards are less tangible than the early costs of introducing systems based on these intriguing devices. In this book we attempt to help the reader resolve the many paradoxes associated with the smart card and its close relatives, the radio tag, the integrated circuit digital memory card, the token and electronic coin.
`
`Amongst the many paradoxes bedevilling the whole subject are the following.
`
`Most of the tens of millions of smart cards now produced annually are not 'smart', more usually they are the humbler relative called the integrated circuit digital memory card. Most of these are used for vending applications like public payphones where an equally cost effective result can apparently be achieved with an optical recording card.
`
`The commonest smart cards produced have on one face of the card electrical inter-connections to the read/write authorisation units. This type of card is the subject of international standards work. However, for many applications these contact smart cards are being challenged by the new contactless radio linked cards such as those available from GEC and AT&T.
`
`But even these new contactless radio linked cards are not as new as they seem. They are predated by the well established radio tag used in the access control field to identify animals, people or goods.
`
`Mars Electronics have shown that it is possible to design an electronic coin having the shape and size of a conventional coin but functioning as a stored value device. There are many other prospective designs of smart 'card' where non-card shapes are preferable for good mechanical and economic reasons. We thus have the paradox that the only real justification for the smart card being card shaped and sized is the transient problem of devising a terminal which will read both magnetic strip and embossed cards as well as smart cards.
`
`Another paradox lies in the claims for smart card security. The card is hailed as the ultimate in security for both access control and as an instrument in financial transactions. In the latter application the smart card is capable of dispensing and recording value as data transferred (equals money). Card stored or emitted files of data, the equivalent of money, obviously require protection from deliberate or accidental misuse both from the authorised card holder breaking the rules and from thieves. To protect card stored data and emitted messages requires data protection measures. These are best based on the applied mathematical techniques of cryptography. The chapter by Dr D. W. Davies describes some of the basics of this most important software area.
`
`Given satisfactory software and economic and durable hardware most application systems based on smart cards remain vulnerable to misuse of a valid card by unauthorised card holders who have stolen or worse still borrowed genuine cards from the authorised holders.
`
`Establishing the cardholder's right to use a given card is currently based on the holder producing the appropriate, personal identity number (PIN) or password. Both PINs and passwords can be readily extorted or otherwise obtained from the cardholder's mind or records. Thus although the smart card itself may be secure against many types of misuse limiting use to the authorised holder can be a real problem. Dr J. R. Parks describes the new technology of biometrics which seeks to reduce current dependence on PINs by making measurements on some characteristic of the person such as voice print, fingerprint or handwriting style in order to confirm that he/she is indeed the authorised cardholder.
`
`Some limitations of smart card systems can be overcome by using them in on-line systems where every transaction must be authorised by real time checks on centrally held lists of stolen and barred cards. The communications infrastructure for a totally on-line system is very expensive. Arlen Lessin's chapter describes one of the new super-smart cards which operate off-line.
`
`For many large scale applications smart cards remain impossibly expensive. To reduce the burden of cost a multifunction smart card has been suggested with a master card issuer franchising space on his card for other card service providers. However, implementing such a system for new payment services such as satellite subscription TV poses substantial administrative and security problems which may delay the commercialisation of such concepts.
`
`In the field of patents smart card ideas have been patented by inventors in a number of countries as well as France. The early use of smart cards will require careful attention to the possible need for licences under some of these patents. Both suppliers and card issuers will need to be meticulous in their study of the published patents and their validity.
`
`Notwithstanding all the above it seems inevitable to the authors that some form of portable personal data carrier will soon come into widespread use in many parts of our society. Whether the smart card as we know it or alternatives such as the optical card, the high density magnetic card or other similar devices will dominate remains to be seen. It is hoped that readers will find answers to some of their questions in this book and that the references given by the authors of the various chapters will lead them to the basic sources of new information on this increasingly important subject area.
`
`P L Hawkes
`London
`May 1989
`
`
`
`
`Acronyms
`
`AI        Artificial Intelligence
`ANSI      American National Standards Institute
`API       Automatic Personal Identification
`ASCII     American Standard Code for Information Interchange
`ATM       Automatic Teller Machine
`
`BTG       British Technology Group
`
`CBC       Cipher Block Chaining
`CFB       Cipher Feedback
`CMOS      Complementary Metal Oxide Semiconductor
`
`DARPA     Defense Advanced Research Project Agency
`DES       Data Encryption Standard
`
`ECG       Electrocardiogram
`EDI       Electronic Data Interchange
`EFTPOS    Electronic Funds Transfer at the Point of Sale
`EPROM     Electrically Programmable Read Only Memory
`
`FAR       False Alarm Rate
`FIPS      Federation of Information Processing Societies
`FRR       False Rejection Rate
`
`IC        Integrated Circuit
`ID        Identity; Identification
`INTAMIC   International Association for the Microchip Card
`I/O       Input/Output
`ISO       International Standards Organisation
`IV        Initialisation Variable
`
`KB        Kilobytes
`
`LED       Light Emitting Diode
`LF        Low Frequency
`LMK       Local Master Key
`LPC       Linear Predictor Coefficient
`LTS       Long-Term Spectra
`
`MAA       Message Authentication Algorithm
`MAC       Message Authentication Code
`
`NPL       National Physical Laboratory
`
`OFB       Output Feedback
`OSI       Open Systems Interconnection
`
`PAN       Personal Access Number; Personal Account Number
`PC        Personal Computer
`PI        Personal Identification
`PIN       Personal Identification Number
`POS       Point of Sale
`PTI       National Public Communications Authority
`
`Q         Q factor of a circuit
`QR        Quadratic Residue
`
`RAM       Random Access Memory
`RF        Radio Frequency
`RSA       Public Key Cryptoalgorithm (Rivest, Shamir and Adleman)
`
`SD        Standard Deviation
`SM        Similarity Measure
`S/N       Serial Number
`SRI       Stanford Research Institute
`
`UV        Ultraviolet
`VDU       Visual Display Unit
`
`
`
`
`List of Trademarks
`
`
`The following trademarks have been used in the text:
`
`CARL
`Cotag
`Identikit
`Identimat
`Innovatron
`Magna Card
`Qsign
`SIGMA/IRIS
`SuperCard
`SuperSmart
`System 7.5
`Talisman
`UltiCard
`UltraSmart Card
`UNO
`watermark
`
`
`
`
`Chapter 1
`
`Introduction to Integrated
`Circuit Cards, Tags and Tokens
`for Automatic Identification
`
`P. L. HAWKES
`(British Technology Group)
`
`In which we discover that the smart card is one of a large family of chip-based artefacts for automatic identification.
`
`1.1 INTRODUCTION
`
`Choosing a title for this book was not easy. People want information on the smart card and its applications. Manufacturers' sales literature is a good starting point but is inevitably biased.
`
`A smart card is commonly understood to be a single chip integrated circuit microcomputer built into a plastic credit card. However most of the smart cards in actual use today are not true microcomputers but nearer memory devices. Many are not single chip, chip cards and some of the best and cheapest of these are not even card shaped!
`
`In fact the smart card is but one of many integrated circuit-based data carriers used in a wide variety of computer systems to help identify people, animals, plants, things, messages, events and places. Indeed it is easier to define what is not a chip-based portable data carrier than to produce an overall definition. Concentrating on automatic identification seems to the author as good a basis as any.
`
`Another surprise is that the history of automatic identification via a personal portable data carrier based upon a digital integrated circuit device goes back to 1968 or earlier. The various designs now available reflect the different origins of the data carriers concerned [1] and their prime applications - anti-shoplifting tags, magnetic stripe identity cards, vending cards, pocket calculators etc.
`
`The achievement of M. Moreno and his French licensees and partners has been to focus worldwide commercial attention on one particular class of integrated circuit memory cards. This is the class of miniature artefacts shaped like a standard plastic credit card, having the same dimensions and containing hardwired or programmed logic as well as digital storage, i.e. the so-called 'smart' or 'intelligent' memory card. In the early 1980s Roy Bright introduced the adjective 'smart' to describe succinctly the essential characteristics of the single chip microcomputer card. His more recent definition distinguishes between the 'active' smart card and 'passive' smart cards. The important features of the former are described in Chapter 2.
`
`In this initial chapter, I will attempt to survey all the silicon chip-based technologies and the perceived needs propelling their creation and uses.
`
`1.2 BASIC FORM AND FUNCTION
`
`Integrated circuit cards, tags and tokens are components in distributed computer and telecommunications systems. Basically they exploit the low cost high density digital storage capacity of integrated circuit memory chips usually, although not invariably, in association with control circuitry known as logic.
`
`As our children are probably now taught in school, integrated electronic circuits are more or less complex arrays of transistors, diodes and other circuit elements and their wiring interconnections formed by printing, diffusion and other processes within a single die or chip of silicon or other semiconducting crystal. [1]
`
`By selective contact printing and etching, device structures down to a few ten millionths of an inch wide are created and enable the resulting chip to record information and process it very rapidly.
`
`With rapid and continuing progress since the early 1970s, integrated circuit making has progressed until today, a single chip IC some half inch square by a few thousandths of an inch thick, can record up to several million bits of digital data as an electronic charge pattern. The microcomputer's logic equivalent can process data at 20 million or more operations a second.
`
`Further increases in information recording density and data processing speed are expected. Made in arrays on six inch diameter wafers, the chip itself sells for a dollar or two.
`
`Like its competitors, magnetic discs and cards and optical discs and cards, the IC chip presents the technologist with a new information recording medium. Using low cost integrated circuit memory as the basic medium, the system designer has a new tool or instrument with which to disseminate and record information in a system.
`
`The basic functions enabled by the IC memory chip are the storage of a 100,000 or more bytes (characters) of text or data and their emission or recording in less than a second. Unlike the optical and magnetic media, on-chip logic permits memory access to be controlled autonomously from within the chip. The implications of this are far reaching as will be described below.
`
`1.3 GENERIC APPLICATIONS
`
`At the present state-of-the-art, the basic form and functions of various IC cards, tags and tokens can conveniently be classified as shown in Table 1.1. The exact form of memory used in these devices varies widely from UV or electrically reprogrammable memory devices to battery backed RAM (random access memory). Particular products and designs categorised in Table 1.1 are best suited to specific applications. These are summarised in Table 1.2.
`
`
`
`
`
`Table 1.1 Integrated circuit cards, tags and tokens
`
`Type                                       Typical capacity (bits)  System interface(s)                          End-user/card holder interface
`Radio tag                                  64                       RF coupling                                  Via system interface
`Memory only card                           16K-1M                   6-8 electrical contacts                      Via system interface
`Wired logic 'smart' card                   256 up                   6-8 electrical contacts                      Via system interface
`Programmable logic 'smart' card            8K up                    6-8 electrical contacts                      Via system interface
`RF programmable logic 'smart' card         8K up                    RF coupling                                  Via system interface
`Active smart card
`(a) Smart Card International 'UltiCard'    8K up                    Direct by contacts or indirect by card user  Direct by onboard display and keyboard
`(b) Visa 'Supercard'                       8K up                    Direct by contacts or indirect by card user  Direct by onboard display and keyboard
`(c) NPL 'Talisman' token for RSA messages  30K up                   Direct by contacts or indirect by card user  Direct by onboard display and keyboard
`
`
`Table 1.2 Typical applications of integrated circuit cards, tags and tokens
`
`Type                                Actual or proposed application
`Radio tag                           Identification of specific people, animals, places or goods
`Memory only card                    Distribution medium for computer programs and data
`Wired logic 'smart' card            Vending card for making calls from public telephones, etc.
`Programmable logic 'smart' card     General purpose including credit and debit card for use in on line and off line payment systems and 'electronic wallet'
`RF programmable logic 'smart' card  As above
`'Active' smart card                 (a) off line payment systems
`                                    (b) patient data cards in medicine
`                                    (c) signing and encryption of electronic mail documents
`                                    (d) metering of the use of gas, water, electricity, TV, public transport etc.
`                                    (e) logging of events e.g. accesses to premises
`
`1.4 SYSTEMS
`
`The smart card, tag or token is an instrument, usually the 'key' instrument in a complete system designed to provide a service to the end user, i.e. the person carrying the instrument.
`
`The service provider operates and sometimes designs the system. The appropriateness of the particular card, tag or token for a particular service is measured in terms of speed and ease of use, security and cost. Cost reflects both purchase price and cost of use.
`
`Systems are classifiable into two main types - public and private (see Table 1.3). Private systems are intended for use by a closed user group, typically the employees of the organisation operating the system. An access control system for a company's premises is a common example. Public systems are designed for use by members of the general public, qualified only by virtue of being customers of a particular bank or users of a particular public service such as the payphone system.
`
`The important public systems are those like credit cards and charge cards which operate internationally as well as nationally. The relevant standards are therefore evolving from suppliers' and service providers' standards into international ones via the appropriate national standards bodies, INTAMIC and similar bodies.
`
`Table 1.3 Public and private IC card, tag and token systems
`
`Class           Card population    Card/terminal ratio  Role of standards  Terminal security and price
`Private system  tens to thousands  low (10:1 up)        Useful             Both high
`Public system   millions           high (50:1 up)       Quintessential     Both generally low
`
`Cards, tags and tokens appropriate for public systems tend to be ultra simple to allow customer activation. Low cost is also essential and generally possible because of the large number of standard units involved. This makes them attractive candidates for use in those private systems where the functional limitations can be tolerated.
`
`Operating generally on a single site, over a restricted geographical area or via private networks, private systems can usually afford to have on line real-time telecommunications with each card terminal in constant touch with the system's control centre. This makes the management of card security relatively easy compared with public systems. However, some 'open' sites like hospitals and hotels present particular difficulties associated with the ever changing authorised user population and the risk of attack by criminals and vandals.
`
`Public systems for payment (revenue collection) and the disbursement of money (revenue distribution) are obviously subject to misuse both by legitimate card holders and imposters. This makes on line real-time notification of lost or stolen cards and of account abuse highly desirable. Quick circulation nationally or internationally of 'hot card' lists is however expensive so most systems incorporate a degree of off line operation. This is also of course vital to allow the authorised card holder to obtain some element of usage even if there is a telecommunications failure. Just imagine a bank which told its current account holders they could not use their cheque books because the bank's computer network had problems!
`
`Terminal security and cost are big issues in both types of system. Many of today's terminals are in well protected environments e.g. ATMs on bank premises. Their operation by customer activation can therefore be trusted. This will not be true of many retail shop terminals. Recent scares about computer program 'viruses' demonstrate widespread concern in the industry about the difficulty of trusting personal computer-based terminals. This may cause a re-evaluation of the security needs and precautions taken when designing, installing and operating PC-based card systems.
`
`A good solution may appear with the new 'active' or super-smart cards (Table 1.1). Having their own keyboard and display this class of device need not rely on a trusted terminal for most of its operations.
`
`1.5 SOFTWARE AND PROTOCOLS
`
`Software includes the programs governing the operation of a programmable electronic device such as the 8-bit single chip microcomputer in a typical 'conventional' smart card. Also included is the operational data which 'personalises' a card, tag or token to the individual authorised end user and the service providing organisation. This data may be programmed into the various types of memory mentioned above, expressed as a wiring pattern (masked programmed) or via fusible electrical links.
`
`Protocols are essentially the rules of conduct by which the card, tag or token communicates with its system or other similar devices. They can be designed in as hardware or software.
`
`Much of the available on-chip memory can be consumed by a stored program for control of the operation of a programmable device. Thus for any very large scale application a bespoke, hardwired solution consumes less chip area and is therefore cheaper. The pay telephone card is a prime example.
`
`1.6 SECURITY THREATS AND THEIR CONTAINMENT
`
`Since the basic purpose of an IC card, tag or token is to identify the bearer to a system, security lies at the heart of all applications. It is therefore not surprising that improved security against misuse by card holders, authorised as well as unauthorised, is often the main selling point for these components. This emphasis has reached the point where the smart card for example is sometimes presented as a panacea for all manner of retail banking and access control systems.
`
`A project sponsored by the author's employers and carried out by the Data Security Team at the National Physical Laboratory, Teddington, has examined the security of smart cards and systems, identified threats from the likely sources and devised appropriate new hardware and software technology to contain the dangers. A prototype version of NPL's 'Talisman' device was developed with the help of Texas Instruments Ltd. Full details are given in Chapter 6. It is described as an integrated circuit 'token' rather than a super-smart card because the recommended size is greater than a credit card and the shape can differ to suit the application.
`
`The main points relating to smart cards used by people are as follows.
`
`The card is essentially used to support the card bearer's identity claim. Once read in an authorisation unit (terminal) and accepted as valid the system allows the card bearer to complete a requested transaction. The relevant transactions include:
`
`• Purchase of goods or services
`• Access to private premises or computer and data resources
`• Sending or receiving telecommunicated messages of value
`
`The threats come from misuse by the authorised card holder, misuse by an unauthorised card holder or where there is collusion between such parties.
`
`Abuse cannot be entirely stopped except at uneconomic cost so a well designed smart card application must contain it. This can be done for example by denying future services to an authorised card holder who has abused his privileges or by catching a thief either in the transaction or later via an audit trail.
`
`The main basic security weakness of the conventional smart card is that it can be stolen and used by an unauthorised card holder.
`
`The established way to guard against this is to only allow card activated transactions where these are supported by the card holder producing a valid PIN (Personal Identity Number). However this PIN must be entered via the keyboard of an authorisation terminal. As already stated this terminal may not always be trustable. If it is bugged a criminal can discover the secret PIN without the card holder's knowledge, copy or steal his smart card and then obtain access to money, goods, services etc. from his account with the card issuing organisation.
`
`NPL's solution to this with its 'Talisman' IC token is to provide a keyboard on the token itself. With a trusted display on the token this keyboard makes the token's use less vulnerable to untrustworthy terminals. Similar solutions are being pursued by Visa and Smart Card International (see Table 1.1 above) under the terminology 'active' smart card.
`
`For many applications of smart cards and tokens, messages need to be sent from the card to a remote mainframe over an insecure network. To prevent eavesdroppers abstracting, delaying, altering or inserting messages the technique of cryptography needs to be employed. Chapter 8 describes these.
`
`The Talisman token incorporates encryption means for generating a cryptographic version of messages sent from the token to remote computers or other tokens such that the message cannot be read by any but the intended recipient and he can authenticate that the message must have come from that token and no other.
`
`PIN details and other confidential data stored in a smart card, passive or active, or in an IC token can be discovered or altered by unauthorised investigation of the IC memory and its data contents. Data alteration is especially likely for smart cards and tokens used as 'electronic wallets', 'cheque books' or meters. Attacks can be logical (via the contacts etc.), electrical (in the same way or by radiation detection) or physical by opening up the unit and reading the data stored therein. Tamper proofing is possible but very costly so most commercial products are best described as 'tamper resistant'. Known means include sensitive 'triggers' which wipe out card stored data when tamper attacks are detected. Easily broken wires buried in a resin potted chip module are one example of triggers. These can be rendered ineffective by deep freezing so they are not a panacea.
`
`Another area of vulnerability is the PIN itself which can be guessed as well as stolen. This has led NPL and others to investigate the uses of so called 'biometric' techniques whereby some measurement is made of a personal trait of the authorised card holder and compared with an authenticated card stored reference.
`
`The operation of a biometric device is analogous to the 'eyeball' comparison of a handwritten master signature on for example, a conventional credit card with a new specimen produced on demand for a bank cashier or shop assistant. Not surprisingly then automatic signature verification has received a good deal of attention from NPL, SRI/Visa, De La Rue, Thomson and others. It is a well accepted and legally binding commitment to a transaction. All these designs exploit handwriting timing and rhythm as well as signature outline. Such invisible 'dynamic' signature characteristics are very difficult for a forger to reproduce and quite easy for a computer to analyse given an accurate handwriting encoder.
`
`Chapter 7 describes the current state-of-the-art in biometrics including signature dynamics, hand geometry, fingerprints, retinal and hand blood vessel scanning and speaker