`Case No. IPR2016-00156
`Volkswagen Group of America, Inc. - Petitioner
`West View Research, LLC - Patent Owner
`
`
`
`1
`
`
`
`MARC VANKUS
`
`Electronlc money:
`toward a virtual wallet
`
`BY TEKLA S. PERRY
`
`Hard currency is disappearing from many
`everyday transactions along the road to elec-
`tronic money.
`
`Future of electronic money:
`a regulator's perspective
`BY EDWARD W KELLEYJR.
`
`The way electronics will fit into the evolu-
`tion of moncy—from acting as a niche
`player to wreaking major changes in pay-
`ment systems—-has yet to be detennined.
`
`electronic payments
`
`Credits and debits
`on the Internet
`
`BY MARVIN A. SIRBU
`
`CyberCash, First Virtual, CC Tech, Net-
`Bill—these and other systems have been
`developed to enable electronic transfers of
`payments across the lntemet.
`
`‘Minting' electronic cash
`BY DAVID CHAUM 8: STEFAN BRANDS
`
`Electronic cash can offer transaction pri-
`vacy to honest users, affords convenient
`storage and transportation, and protects
`against loss.
`
`35 Traceable e-cash
`
`BY PETER 5. CEMMELL
`
`One method of making electronic cash
`transactions private for honest users but
`traceable by law enforcement agencies
`involves the use of trustees.
`
`Crime and prevention:
`a treasury viewpoint
`BY STANLEY E. MORRIS
`
`The speed and anonymity of electronic
`payment systems make them attractive to
`those pursuing illicit activities.
`
`Locking the e-safe
`BY ROBERT W. BALDWIN
`at C. VICTOR CHANG
`
`Existing encryption-based security mecha-
`nisms can be combined to minimize a wide
`range of threats to electronic commerce.
`
`In your pocket: smartcards
`BY CAROL HOVENCA FANCHER
`
`A wallet full of cash, credit, and identifica-
`tion cards may, in the future. be replaced
`with two or three smartcards, each con-
`taining an IC, as a recent flurry of market
`tests and smartcard rollouts demonstrates.
`
`Departments
`
`1
`
`6
`
`Newslog
`
`Forum
`
`10 Books
`
`13 calendar
`
`Continued on p.4 b
`
`sort!" or MAIIONAI
`
`In the world of finance and commerce to
`come, cash will be stored, not in a bank
`vault, but as bits in a computer.
`Cover illustration: Rob Magiera
`
`More information regarding articles in IEEE
`Spectrum is available on Spectrum’: home page
`on the Web: http://www.spectrum.ieee.org
`
`MA
`
`Audi Bureauof Ortuaouns
`Manner
`
`IEEE SPECTRUM (ISSN 0018-9235) is published monthly by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved.
`0 1997 by The Institute of Electrical and Electronics Engineers Inc., 345 East 47th St., New York, NY 10017, U.S.A. Canadian Post
`international Publications Mall (Canadian Distribution) Sales Agreement No. 0338087. Cable address: ITRIPLEE. Fax: 2l2-735-7453.
`INTERNEI‘. m.slovickoleee.org. ANNUAL SUBSCRIPTIONS. IEEE Members: $11.50 Included in dues. Llbrarlesllnstltutlons and nonmem-
`bers S175. POSTMASTER: Please send address changes to IEEE Spectrum, do Coding Department, IEEE Service Center, 445 Hoes Lane,
`Box 1331, Piscataway, NJ 08855. Periodicals postage paid at New York, NY, and additional mailing offices. Canadian GST #12563-1l88.
`Printed at W224 N3322 Duplainville Rd.. Pewaultee. WI 53072-4195. U.S.A. IEEE Spectrum is a member of the Audit Bureau of
`Circulatlons. the Magazine Publishers of America. and the Society of National Association Publications.
`
`2
`uses SPECTRUM FEBRUARY :99:
`
`2
`
`
`
`COIIRQNRS
`
`SECURITY FIET TECHNOLOGIES
`
`bankingllnvostlng
`
`Banking in cyberspace:
`an investment in itself
`
`BY MICHAEL C. MCCHESNEY
`
`While home banking has been around for some
`time, Internet banking is a new concept, and has a
`number of advantages.
`
`Technology takes to
`securities trading
`BY STEVEN M. H. V/ALLMAN
`
`From stock offering; conducted entirely over the
`Internet,
`to the automation of traditional ex-
`changes, technology is changing the way stock
`markets work.
`
`Nasdaq's technology floor:
`its president takes stock
`BY ALFRED R. BERKELEY III
`
`This screen-based stock market has been particu-
`larly sensitive to the effects of new computer and
`communications capabilities.
`
`Implications
`
`The economics of e-cash
`
`BY MIKE TER MAAT
`
`Electronic cash can create profits for its issuers,
`and launch competition for today's government-
`controlled currency systems.
`
`Money and the Internet:
`a strange new relationship
`BY HOWARD ANDERSON
`
`This visionary sees the e-money revolution as
`inevitable, with "e-mail for money" becoming as
`ubiquitous in the future as e-mail messages are
`already today.
`
`MARC VANIU5
`
`To probe further
`
`Departments
`
`14 Software reviews
`
`81 EB‘ tools & toys
`
`16 Innovations
`
`85 Faults 8: failures
`
`‘I7 Technically speaking 98 Coming in Spectrum
`
`4
`
`staff
`PUBUSHER:An_thony J. Ferraro
`EDITOR and ASSOCIATE PUBLISHER: Murray Slovick
`ISSUE EDITOR: Tekla 5. Perg
`MANAGING EDITOR: Alfred Rosenblatt
`
`TECHNICAL EDITOR: Gadi Kagan
`SENIOR ENGINEERING EDITOR: Michael J. Riezemnan
`SENIOR EDITORS: Trudy E. Bell, Richard Cornerford,
`Tekla S. I:e_r_ry,VWiIIiam Sweet,
`semen ASSOCIATE EDITORS: Robertzataharn. Linda Gepp_ert
`HEADQUARTERS: New York Cl
`, 2 I Z-705-7555
`BUREAU: SAN FRANCISCO. Tek a 5. Perry, 415-328-7570
`CORRESPONDENTS: John Blau (Dusseldorf); Chris Brown
`(Taipei); Peter Gwynne (Belgium); Robert lngersoll (Bonn);
`John I/Iason (Barcelona); Roger Milne (London);
`Kim Nak~Hieon (Seoul); Roger Schreiller (Tokyo);
`Bradford Smith (Paris): Axel de Tristan (Rio de Ianeiro);
`Christopher Trump (Toronto)
`CHIEF COPY EDITOR: Margaret Eastman
`COPY EDITOR: Sally Cahur
`EDITORIAL RESEARCHER: Alan Gardner
`CONTRIBUTING EDITORS: John Adam. Dave Dooling,
`John R. Hines. Ronald K. Iurgen, Sue J. Lowe. Kevin Sell
`EDITORIAL SUPPORT SERVICES:
`Rita Holland (Manager)
`EDITORIAL ASSISTANTS:
`Ramona Foster Desiree Noel
`ART DIRECTOR: Mark Montgomery
`ELECTRONIC PUBLISHING EDITOR: Craig E. Engler
`BUSINESS MANAGER: Robert 1'. Ross
`PRODUCTION DIRECTOR: Alan B. Schaler
`ADVERTISING PRODUCTION (908) 562-6334
`ADVERTISING PRODUCTION MANAGER: Martin Barbiori
`ADVERTISNG PRODUCIION COORDINATOR: Feicia Spagnoll
`EDITORIAL PRODUCTION MANAGER: Roy Carubia
`ELECTRONIC LAYGJT ARTIST: Paul Miller
`TECHNICAL GRAPHIC ARTIST: Jim Hankard
`ASSOCIATE PUBLISHER: William K. Saunders
`ADVERTISING MANAGER: Michael Triunfo
`ADVERTISING SALES: (212) 705-7760
`ADMINISTRATIVE ASSISTANT: Christine Demchak
`MAIL UST SALES; Shelly Newman (Manager)
`Elizabeth iMIIiams (Secretary)
`MANAGER, CIRCULATION 8: PRQAOTIONI Elk Sonntag
`ASSOCIATE PROMOTION MANAGER: Theresa Fitzpatrick
`ADMNISTRATNE ASSISTANT: Nang T. Hanunan
`BUSINESS SECTION E-MAIt
`Martin Barbieri
`Christine Demthak
`Theresa Fitzpatrick
`Shelly Newman
`William R Saunders
`Alan B. Schafer
`Eric Sonntag
`Felicia Spagnoli
`Michael Triunto
`Elizabeth Williams
`EDITORS BY E~MAl.:
`Trudy E. Bell
`Robert Braham
`Richard Comerlord
`Craig E. Engler
`Linda Geppert
`Gadi Kaplan
`Tekla 5. Perry
`Michael I. Riezenman
`Alfred Rosenhlatt
`Murray Slovirk
`William Sweet
`
`tbeIIOieee.org
`cbrahamcieeeorg
`r.comerfortIOieee.org
`cenglerfiieeeorg
`I.geppertGieee.org
`g.kapIanOieee.org
`tperryoleeeorg
`m.riez2nman0ieee.org
`a.rosenbiattOIeee.org
`m.slovi(|(6ieee.org
`w.sweetDieee.org
`
`m.barbieri9ieee.org
`c1:IernchakOieee,org
`t.litzpatn'dtOieee.org
`s.newmanOieee.org
`w.saundersOIeee.org
`a.schafer6ieee.org
`e.sonntagOieee.org
`lspagnolloleeeorg
`rn.triunfo6ieee.org
`e.a.wiIIiarnsflieee.org
`
`editorial board
`CHAIRMAN: Murray Slovick
`Teruakl Aoki. Diana J. Bendz, Vnnton G. Cerf, Barbara A.
`Chappell, Peter Cochrane, Kenneth R. Foster. John L
`Goodlet lr.. Karl Hess, Charles IC Kao, YOl(hI Kaya. Okyay
`Kaynak. Luis G. Kun. Raymond S. Larsen. Ruby 8. Lee.
`Ted G. Lewis. Ralph D. Masiello, M. Granger Morgan,
`Suzanne R. Nagel, W. David Sincoslzie, Stephen H.
`Unger, J. Daan van Wyk, Andrew Ifiterbl.
`Victor Wouk. Ellen Yofia
`
`3
`IEEE SPECTRUM FEBRUARY I997
`
`3
`
`
`
`ELECTRONIC PAYMENTS
`
`smartcards
`
`The worldwide boom in
`
`smartcard deployment is
`
`accelerating their evolution
`
`alce a look in your wallet and what do
`you find? ln all likelihood, bills and
`coins. A variety of credit cards. A driver's
`license. A transit pass. A voter registration
`card. A library card. A video rental card. lnsurance
`cards. Frequent flyer and car rental cards. A telephone
`charge card.
`By the end of the century, all of these documents might
`be replaced by just two or three smartcards. Because they
`can store and protect relatively large amounts of data, smart-
`cards are being used in a number of ways around the world, replacing a
`wallet's contents bit by bit Stored-value cards were in place last year in
`Atlanta, Ca., at Olympic venues standing in for coins and bills A health
`card identifying the holder's insurance provider and account number has
`been issued to every citizen of Germany, and plans are in place to add such
`medical information as the name of the holder's doctor, blood type, allergic
`reactions, medications, next of kin, and instructions in case of emergency.
`Smart social security cards in Spain interface with a kiosk system that can
`provide updated infomiation on benefits and eligibility, as well as pertinent
`job opportunities.
`Today, most smartcards handle a single application, but will realize their
`true value when a single card can address multiple applications. For exam-
`ple, a credit card could have a stored-value function for small purchases, in
`
`CAROL HOVENCA FANCHER, Motorola Inc.
`
`IEEE SPECTRUM FEBRUARY I907
`
`nous-9135197/sit;uu©i9';7IEEE
`
`4
`
`
`
`[1] An area in the smartcard has
`been defined to hold the module
`containing the integrated circuit.
`The smartcard complies with the
`magnetic-stripe and embossing
`areas defined in the ISO 7313
`standard for financial-transaction
`cards. This module provides
`contact with the card reader.
`
`Conventional
`credit card
`
`Sma rtca rd
`
`Card reader‘
`Reset
`
`.
`Request card authenticate T
`l‘ Readerautlientlcation.da}a .
`
`Writed'ateand'time_of
`transaction to accessfile
`
`Magnetic
`stripe on
`card back
`
`Embossing
`area
`
`IC chip
`
`
`
`SOURCESMART(AIDFOIUM
`
`[2] The interaction between the card reader and the smartcard ensures that both are
`authorized to undertake operations. When the reader has a card inserted in it. it resets the
`card, which responds with an answer to reset (ATR). its ATR provides specific information
`and often conforms to the ATR described in the ISO 7816 standard. Both the reader and
`the card use a random number in an algorithm to obtain a result that, when successfully
`compared, authorizes the card and the reader to continue with the desired operation.
`
`addition to frequent llyer and rental car in-
`fonnation. It might work with a cellular
`phone to connect the user to a home bank-
`ing servicc One step toward this goal \vas
`last fall's announcement by VcriFone lnc.,
`Redwood City, Calif, of a system called
`VenSman, which permits a smart phone or
`a PC to act as a "personal ATM" (automatic
`teller machine) in the home, loading cash
`value onto a smartcard
`The smartcard will also be a tool for
`addressing the "customer of one": applica-
`tions of special interest to the card holder
`will be loaded onto the card to make life
`easier. Eventually, people may customize
`generic cards themselves from a menu of
`applications. In a report on the smartcard
`industry, semiconductor industry analyst
`Dataqucst lnc., San Jose, Calif., recently
`wrote, "Although some standards issues,
`infrastructure issues, and software issues
`remain to be resolved, chip cards hold the
`promise of being one of the \vor|d's high-
`cst-volume markets for sciniconductoi‘s."
`As a single card comes to hold more in-
`fomiation and relates to more aspects of its
`holder's life, privacy concerns will have to
`be addressed. Note, however, that the
`infonnation stored in a smartcard is usually
`already available in some format or anoth-
`er, the smartcard merely makes that infor-
`mation portable and puts it at the disposal
`of the card carrier.
`The smartcard application that Will be
`most popular in North America may involve
`a portable tokenea card, a key, or some
`other familiar shape——for conducting trans-
`actions over the Internet, particularly for
`home shopping and home banking. Ho\v
`can such sensitive infonnation as financial
`transaction data be safely communicated
`across a hackers paradise like the lnterret?
`Advanced cryptographic functions will
`be required. Public key encryption (PKE)
`will be part of the solution in at least two
`ways [sec "Locking thi: c-safe," pp. 40-46].
`First, PKE (often a one-session key) will be
`used to encrypt data to be transferred with
`the receiver's public key. This data will be
`readable only by a receiver with the secret
`
`Defining terms
`Access card: a. machine-
`readable card that is used to
`a‘ciiieve,~cornputer_- access,
`physical ‘entry, orpassage;
`Eohtactless card: an. inte-
`.grated-circuit card that ‘en-
`ables energy to flow be-
`tween it and the .interlaciI1g_
`device without needing cori-
`tacts. lnstead, induction. or
`high-frequency transmission
`techniques are used through
`a radio frequency interlace.
`Electronic purse: a card
`
`application that stores value
`for small transactions. A card
`may be dedicated to the
`purse function-or contain
`Tmerriory and programs for
`-other applications. as well.
`Electronicwallet: in gener-
`al, an IC card or super smart-
`card that can execute a vari-
`ety of financial transactions
`and identification functions.
`More sophisticated than an
`electronic purse, an electron-
`ic wallet may serve debit,
`credit, prepayment (cash)
`
`card, and other functions.
`Integrated-circuit card‘
`(ICC), IC card, or micro-
`circuit card: a card contain-
`ing one-or more embedded
`integrated circuits. The te-
`gory includes both memory
`cards and smartcards.
`Memory card: an IC card
`that can store information
`but that lacks a calculating
`capability—that is. it lacks a
`microprocessor.
`Multi-application card or
`universal prepayment
`
`card: a card that can support
`a number of applications,
`which may be provided by
`different parties.
`Prepayment card, each
`card. stored-value card. or
`decrementing-value card:
`a card purchased complete
`with stored value, which is
`decremented whenever the
`card is used.
`smartcard: an IC card with
`
`memory and a microcon-
`troller. so that the card is
`capable of making decisions.
`
`48
`
`5
`IEEE SPECTRUM FEBRUARY I997
`
`5
`
`
`
`
`
`
`
`
`
`
`ple, can be combined with biometrics—
`
`
`
`
`
`information representing fingerprints, hand
`
`
`
`geometry, and so forlh—to uniquely "con-
`
`
`
`
`
`nect" the card holder's identity to the card.
`
`
`
`
`
`
`
`
`Cunent standards define the mechanical,
`
`
`
`
`physical, electrical, and handshake inter-
`
`
`
`
`faces between the card and the reader with-
`
`
`
`
`
`
`
`out restricting the silicon embeddetl in the
`
`
`
`
`
`
`cat'd to a particular application. Because
`
`
`
`
`
`5mat'tcards have global applications, stan-
`
`
`
`
`dards aI'e necessary to provide for future
`
`
`
`
`
`
`
`uses and for technological advances while
`
`
`
`
`
`
`also ensuring that the cards will be univer-
`
`
`
`
`
`
`
`sally accepted and that tomorrow's applica-
`
`
`
`
`
`tions can work together.
`
`
`
`
`Standards dealing with digital cellular
`
`
`
`
`
`telephones, Internet access, airline ticketing
`
`
`
`
`
`and frequent flyer programs, and financial
`
`
`
`
`
`
`applications are being addressed globally
`
`
`
`
`
`[Table I]. The EMV (Europay/Mastetu
`
`
`
`
`CardfVisa) standard addresses the use of
`
`
`
`
`
`
`
`
`
`
`
`
`srnartcards in financial payment systems,
`
`
`
`
`defining the basic protocols for communica-
`
`
`
`
`
`tion between caI'ds and readers.
`in 1996,
`
`
`
`
`
`
`Microsoft Corp, Redmond, \V.'/ash., an-
`
`
`
`
`nounced a joint effort in this area with
`
`
`
`
`
`
`
`
`Hewlett—Packarcl, Bull CPS, Schlumberger
`
`
`
`
`Electronic Transactions, and Siemens-Ni»
`
`
`
`dorf lnformationssysteme. Their aims: to
`
`
`
`
`
`promote the acceptance of smartcards in the
`
`
`
`
`
`
`
`PC environment, and to develop a set of
`
`
`
`
`
`
`
`
`open standards enabling PCs to work with
`
`
`
`
`
`
`
`such smartcard applications as network
`
`
`
`
`
`access and electronic commerce. Microsoft
`
`
`
`
`
`also announced its lntemet Security Frame-
`
`
`
`
`
`work, which uses digital certificates—either
`
`
`
`
`
`in software on a uset’s PC or on a smartcard
`
`
`
`
`
`
`
`
`
`
`device—to secure lntemet connections.
`
`
`
`
`
`
`Silicon in the card
`
`
`
`
`The microcontroller used in Smartcard
`
`
`
`
`
`applications [Fig 3] contains at a minimum
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`_
`
`Standard
`
`
`
`
`
`ISO 7310
`
`
`ISO 7811
`
`
`
`ISO 7812
`
`
`
`ISO 7813
`
`
`
`ISO 103?3
`
`ISO 7316
`
`
`
`ISO 10536
`
`ISO 14443
`
`
`
`
`
`
`
`Tiliefdescription
`
`
`
`
`
`'.
`Physical characteristics
`
`
`
`
`
`
`Recording techniques (six parts)
`
`
`
`
`
`Identification of issuer (two parts}
`
`
`
`
`
`
`Financial cards
`
`
`
`
`Test methods
`
`
`
`
`_
`
`IC-cards with contacts (six parts)
`
`
`
`
`
`
`
`
`Contactiess (close coupling} IC cards (CICCJ (four parts)
`
`
`
`
`
`
`
`
`
`Cuntactiess (remote coupling} IC cards (four parts)
`
`
`
`
`
`
`
`
`F’
`
`¢i&heifiuI'IsO*s§¢tizits*-§ti§ifiiiat’tlsj"r
`
`
`
`
`information technology —5ecurity techni'ques—Dlgital signature giving
`
`
`
`
`
`
`: ISO 9795
`
`
`TTIESSBQE FECOVEIY
`
`
`
`
`
`
`
`
`
`
`
`'
`
`'50 9992
`
`
`
`
`ISO 10202
`
`Z EMV
`
`-
`
`
`Financial transaction cards—Messages between the IC card and the
`
`
`
`
`
`
`
`
`
`card-accepting device. (two parts)
`
`
`
`
`Security architecture of financial transaction systems using it cards.
`
`
`
`
`
`
`
`
`{eight parts}
`
`
`IC card specifications for payment systems developed by Europay
`
`
`
`
`
`
`
`
`
`International SA. Mastercard International Inc., and Visa
`
`
`
`
`
`
`
`lntemationai Service Association {three parts)
`
`
`
`
`
`
`
`
`
`
`
`
`E
`
`ETSI GSM 11.11
`
`
`
`
`
`ETSI GSM 11.14
`
`
`
`
`ANSI T1 P1
`
`
`
`
`IATA JPSC }‘'91
`
`
`
`
`
`
`
`
`
`
`
`European Digital Cellular Telecommunications System {Phase 2): spec» ,
`ification of the Subscriber Identity Modu|e—Mobi|e Equipment (S|M-
`‘
`
`
`
`
`
`
`
`ME) Interface
`
`
`European Digital Cellular Telecommunications System {Phase 2+):
`
`
`
`
`
`
`
`- specification of the SIM-ME Interface for SIM Application Toolkit
`
`
`
`
`
`
`
`
`
`U.S. Telecommunications Standard
`
`
`
`international Airline Transportation Association {lATA) Joint
`
`
`
`
`
`
`Passenger Service Committee (JPSC) Smartcard specification
`
`
`
`
`
`
`Source: Smart Card Forum
`
`
`
`
`
`
`49
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`key. The second use will be for digital signa-
`
`
`
`
`
`
`
`tures: a piece of data encrypted by the
`senders private key, proving that only the
`
`
`
`
`
`
`authorized sender could have sent a mes-
`
`
`
`
`
`
`sage or that it has not been modified. PKE
`
`
`
`
`
`
`
`
`
`capabilities using Smartcards provide for
`
`
`
`
`
`portability, cutting the tie to any specific
`
`
`
`
`
`
`
`computer, phone, or other “site."
`
`
`
`
`
`These smartcard applications require
`
`
`
`the development of infrastructures that are
`
`
`
`
`
`global, interoperable, easy to update, and
`
`
`
`
`
`
`
`
`
`capable of supporting several applications
`concurrently. The Dataquest report on the
`
`
`
`
`
`smartcard market indicated that 156 mil-
`
`
`
`
`
`lion smartcard microcontroller devices
`
`
`
`would be shipped in I996, increasing to
`
`
`
`
`
`
`990 million in the year 2000. Suppliers of
`
`
`
`
`
`
`
`smartcard silicon include Motorola, SCS-
`
`
`
`
`Thornson, Philips, Siemens, and Hitachi.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`A smartcard primer
`Physically, a smartcaird resembles a cred-
`
`
`
`
`
`it card having one or more semiconductor
`
`
`
`
`
`
`
`devices attached to a module embedded in
`
`
`
`
`
`
`
`the card's top left corner, providing con-
`
`
`
`
`
`
`tacts to the outside world [Fig 1]. Also
`
`
`
`
`
`
`
`
`referred to as an integrated-circuit card, or
`
`
`
`
`
`
`
`ICC, the card can interface with a point-ol-
`
`
`
`
`
`
`sale terminal {P05}, an ATM, or a card
`
`
`
`
`
`
`reader integrated into a phone, a computer,
`
`
`
`
`
`a vending machine, or any other appliance.
`
`
`
`
`
`
`
`The semiconductor device embedded in
`
`
`
`
`
`a tme smartcard is a microcontroller. it is
`
`
`
`
`
`
`
`
`the microcontroller that makes a card smart
`
`
`
`
`
`
`and capable of undertaking a range of com-
`
`
`
`
`
`
`putational operations, protected storage,
`
`
`
`
`and decision—making. Other silicon chips,
`
`
`
`
`
`such as memory devices, can be embedded,
`
`
`
`
`
`
`
`too, but cards with these alone are called
`
`
`
`
`
`
`
`
`memory cards.
`
`Smartcards have two main advantages
`
`
`
`over magnetic-stripe cards. They can carry
`
`
`
`
`
`|0—i00 times as much information (current
`
`
`
`
`
`smartcards provide tip to SKB, about two
`
`
`
`
`
`
`
`
`
`
`
`
`
`typed pages) and hold it more robustly and
`securely than do typical magnetic—stripe
`
`
`
`
`cards. (Anyone with larceny in mind might
`
`
`
`
`
`
`want to know that most magnetic-stripe
`
`
`
`
`
`cards can be read and written with equip-
`
`
`
`
`
`
`
`ment readily available from many hobby
`
`
`
`
`
`stores.) in conjunction with a terminal,
`
`
`
`
`
`smartcards can also execute complex deci-
`
`
`
`
`
`sion-making tasks, including handshake
`
`
`
`
`routines that prove the cards validity to the
`
`
`
`
`
`
`
`
`terminal and the terminals validity to the
`
`
`
`
`
`
`
`card—a form of mtttual authentication that
`
`
`
`
`
`
`can reduce fraud and misuse [Fig 2].
`
`
`
`
`
`
`
`The main benefits of smartcards are in-
`
`
`
`
`
`
`creased data security, an active antifraud
`
`
`
`
`
`capability, flexibility in applications, a
`
`
`
`
`multipurpose capability, and off—line vali-
`
`
`
`
`dation. In practice, these features are inter-
`
`
`
`
`
`
`related, bttt perhaps the most important of
`
`
`
`
`
`
`
`them is a higher level of security than such
`
`
`
`
`
`
`
`
`
`alternative technologies as magnetic-stripe
`
`
`
`
`cards or simple memory cards can provide.
`
`
`
`
`
`
`
`This makes snrartcards viable in applica-
`
`
`
`
`
`tions involving money, proprietary secrets,
`
`
`
`
`and personal data. A smartcard, for exam-
`
`
`
`
`
`
`FANCHIER — IN YOUR POCKET-. S|\i.ARTCAR|)S
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`6
`
`
`
`
`
`
`
`
`
`
`
`
`a central processing unit (CPU) and blocks
`of memory, including RAM, ROM, and
`
`
`
`
`
`
`nonvolatile memory—usually electronically
`
`
`
`erasable programmable ROM (EE—PROM).
`
`
`
`
`The inclusion of a variety of memory
`
`
`
`
`
`
`
`
`
`
`
`types helps suit the smartcard microcon-
`troller to a range of applications. For exam-
`
`
`
`
`
`
`ple, RAM serves to calculate results and
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`stack memory, ROM to store the operating
`system, fixed data, standard routines, and
`
`
`
`
`
`
`
`
`
`
`
`
`lookup tables. The nonvolatile memory is
`the most versatile, EE—PROM, for instance,
`
`
`
`
`
`
`
`
`
`
`
`
`
`serves to store information that must not be
`lost when the card is not connected to a
`
`
`
`
`
`
`
`
`
`power source but that must also be alterable
`
`
`
`
`
`
`
`
`to accommodate data specific to individual
`
`
`
`
`
`
`cards or any changes possible over their life-
`
`
`
`
`
`
`
`times. This information might include a
`
`
`
`
`
`card identification number, a personal iden-
`
`
`
`
`
`tification number (PIN), authorization lev-
`
`
`
`
`
`
`
`
`
`
`
`els, cash balances, and credit limits. Typical
`features for today's applications include an
`
`
`
`
`
`
`8-bit CPU, 128-780 bytes of RAM,
`
`
`
`
`
`
`4—20Kb of ROM, and 1~16Kb of EE-
`
`
`
`
`
`
`PROM on a single die, plus, as an option, an
`
`
`
`
`
`
`
`
`
`on-chip hardware encryption module.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`With security in mind
`Although the smartcard microcontroller
`
`
`
`works like any microcontroller, it is funda-
`
`
`
`
`
`
`
`
`
`
`mentally different: while maintaining in-
`struction set compatibility, it is designed
`
`
`
`
`
`
`with security in mind. For example, the
`
`
`
`
`
`
`
`smartcard and nonsmartcard versions of
`
`
`
`
`
`the Motorola 681-ICO5 8-bit microcon-
`
`
`
`
`troller display several clear differences,..
`
`
`
`
`
`
`
`
`
`
`
`Probably the most obvious is the single
`l/O of the microcontroller in the smart-
`
`
`
`
`
`
`card, versus several 8-bit ports for a normal
`
`
`
`
`
`
`
`
`microcontroller. In fact, a smartcard device
`
`
`
`
`
`
`
`
`
`
`
`
`
`has only five standard pinouts: l/O, clock,
`power, ground, and reset, whereas other
`
`
`
`
`
`
`microcontrollers usually have at least 16
`
`
`
`
`
`
`pins and sometimes more than 50.
`
`
`
`
`
`
`Memory configurations are different,
`
`
`
`too: a smartcard uses only on-board mem-
`
`
`
`
`
`
`
`
`
`
`
`
`ory with relatively large amounts of non-
`volatile memory, usually EE-PROM. The
`
`
`
`
`
`EE—PROM is programmed by an on-chip
`
`
`
`
`
`
`
`
`
`
`
`
`
`charge pump controlled by the CPU and
`not accessible directly by external com‘-Y
`
`
`
`
`
`
`mand. A third difference is that the device
`
`
`
`
`
`
`
`
`appears stripped down as compared with
`
`
`
`
`
`
`nonsmartcard devices, since it contains no —’
`
`
`
`
`
`
`additional peripherals such as analog-to-
`
`
`
`
`
`
`
`
`digital converters, pulse-width modulators,
`and serial or parallel interfaces.
`
`
`
`
`
`Smartcard devices, which are very con-
`
`
`
`
`
`strained by die size, use very dense memo-
`
`
`
`
`
`
`
`ry elements. Surprisingly, this restricted die
`
`
`
`
`
`
`size does not automatically lead to the use
`
`
`
`
`
`
`
`
`of state-of-the—art fabrication geometries.
`
`
`
`
`First, cost is a great factor in smartcard ap-
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`plications, which may involve issuing tens
`of millions of cards. Second, large volumes
`
`
`
`
`
`
`
`also require established and extensive fabri-
`
`
`
`
`
`cation facilities. Third, the need for securi-
`
`
`
`
`
`
`
`
`
`
`
`ty means that a well-defined, character-
`
`
`
`
`
`ized, and tried—and-true process is needed,
`
`
`
`50
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`since a new one might include some as-
`
`
`
`
`
`
`
`yet—undetected anomaly that could com-
`
`
`
`
`promise security. For these reasons, smart-
`
`
`
`
`
`card microcontrollers tend to be fabricated
`
`
`
`
`
`
`in 0.7—1.2-um CMOS technologies, mov-
`
`
`
`
`ing to finer geometries as they become less
`
`
`
`
`
`
`
`
`expensive and fully characterized.
`
`
`
`
`
`
`
`
`
`The use of smartcards in security-sensi-
`tive applications heavily influences the
`
`
`
`
`
`design and handling of the card-—-silicon
`
`
`
`
`
`
`and software-alike. Microcontrollers used
`
`
`
`
`
`
`
`
`
`
`
`V in smartcards are specifically designed to
`restrict access to stored informationland
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`to prevent thelcard from being used by
`unauthorized parties. To accomplish this,
`
`
`
`
`
`each microcontroller manufacturer in-
`
`
`
`
`
`
`
`
`
`
`cludes its own set of security features,
`many of which are never discussed since
`
`
`
`
`
`
`
`they are useful only if potential hackers
`
`
`
`
`
`
`
`do not know that they exist.
`
`
`
`
`
`
`
`
`
`
`
`Smartcard ‘devices are designed to work
`only in well—characterized operating envi-
`
`
`
`
`ronments, since one attack scenario in-
`
`
`
`
`
`volves attempts to force cafds to operate
`
`
`
`
`
`
`outside normal operating voltage or clock
`
`
`
`
`
`
`
`
`
`
`frequency ranges, in hopes of uncovering
`weaknesses that can be exploited. Most
`
`
`
`
`
`devices therefore detect and reset when-
`
`
`
`
`
`ever they are pushed outside their normal
`
`
`
`
`
`
`operating ranges. A card's reactions upon
`
`
`
`
`
`sensing attempt at fraudulent access range
`
`
`
`
`
`from ignoring the access request to lock-
`
`
`
`
`
`
`ing up the card from all future use. Other
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`features provide special functionality to
`areas of memory or make it difficult to ac-
`
`
`
`
`
`
`
`
`cess portions of memory or circuitry dir-
`
`
`
`
`
`
`ectly. Such techniques as memory-scram-
`
`
`
`
`
`
`
`
`
`bling, hidden layers, and dummy circuitry
`
`
`
`
`
`
`may be added to confuse hackers.
`No system can be considered entirely
`
`
`
`
`
`
`secure, all must constantly be evaluated and
`
`
`
`
`
`
`
`improved. Given enough resources, time,
`
`
`
`
`
`
`
`
`
`
`
`ingenuity, and perhaps luck, almost any sys-
`tem can be broken. But we are not without
`
`
`
`
`
`
`
`
`
`recourse. Security aims to make a system
`
`
`
`
`
`
`
`more difficult to break than the effort would
`
`
`
`
`
`
`
`
`be worth to criminals. As a result, we see
`
`
`
`
`
`
`
`
`
`different levels of security precautions, from
`
`
`
`
`
`
`simple PIN numbers to full biometrics, or
`
`
`
`
`
`
`
`
`
`
`
`
`
`from simple algorithms to Data Encryption
`Standard (DES) or Rivest, Shamir, Adelman
`
`
`
`
`
`
`(RSA) encryption. For example, in financial
`
`
`
`
`
`
`i cards, a device can use PIN numbers, or fin-
`
`
`
`
`
`
`
`
`gerprints or some other biometric, to verify
`
`
`
`
`
`
`
`users. The microcontroller's ability to per-
`
`
`
`
`
`form certain algorithms enables the card to
`
`
`
`
`
`
`verify the reader as well as the reader to ver-
`
`
`
`
`
`
`
`
`
`ify the card, frustrating such scenarios as oc-
`
`
`
`
`
`
`
`curred in a Washington, D.C., mall, where a
`
`
`
`
`
`
`
`fake ATM machine was set up to collect
`
`
`
`
`
`
`
`
`names plus account and PIN numbers for
`
`
`
`
`
`
`
`fraudulent use. The EE—PROM can record
`
`
`
`
`
`
`transaction data for later reconciliation,
`
`
`
`
`
`But any system is only as secure as its
`
`
`
`
`
`
`
`
`
`weakest link. Security must be regarded as a
`
`
`
`
`
`
`
`
`system-wide undertaking, for it is pointless
`
`
`
`
`
`
`to double-lock the front door if the back
`
`
`
`
`
`
`
`
`one is wide open. Also, technology is a
`
`
`
`
`
`
`
`
`wonderful thing but criminals, too, can use
`
`
`
`
`
`
`
`
`
`
`
`
`it: as new equipment and techniques be-
`
`
`
`
`
`
`come available or less expensive, the barri-
`
`
`
`
`
`
`ers to cracking a system may weaken. Re-
`
`
`
`
`
`
`
`cently Bellcore announced a paper, "Crypt-
`
`
`
`
`analysis in the presence of hardware faults"
`
`
`
`
`
`
`
`(available at www.bellcore.com), that pro-
`
`
`
`
`posed a theoretical method for breaking an
`
`
`
`
`
`
`asymmetric encryption code once a com-
`
`
`
`
`
`puter (or a smartcard microcontroller) had
`
`
`
`
`been forced into faulty behavior.
`
`
`
`
`
`The Smart Card Forum, a multi-industry
`
`
`
`
`
`
`membership organization headquartered in
`
`
`
`
`Tampa, Fla, has stated that it does not re-
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`gard this approach as a real-world risk,
`since in smartcard applications more than
`
`
`
`
`
`
`one technique is used to protect the securi-
`
`
`
`
`
`
`
`ty of the entire system. But the Bellcore
`
`
`
`
`
`
`
`
`methodology for breaking algorithms—as
`
`
`
`
`well as similar theoretical approaches, such
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`as the one taken by two lsraeli researchers,
`Eli Biham and Adi Shamir—highlights the
`
`
`
`
`
`
`need to analyze and evolve the security of
`
`
`
`
`
`
`
`
`any system continually.
`
`
`
`
`
`
`
`
`Smaller chips avert cracking
`Although most smartcard microcon-
`
`
`
`trollers are based today on 8-bit machines,
`
`
`
`
`
`
`
`the only real limitation on the type of
`
`
`
`
`
`
`
`
`CPU, memory, or technology used comes
`
`
`
`
`
`
`from the fact that they must be embedded
`
`
`
`
`
`
`
`
`in a flexible plastic card. To prevent crack-
`
`
`
`
`
`
`
`ing, it is therefore desirable to minimize
`
`
`
`
`
`
`
`the size of the silicon die. Most references
`
`
`
`
`
`
`
`
`suggest a maximum of 25 mml, but an
`
`
`
`
`
`
`
`
`even smaller die is preferred. As lC feature
`
`
`
`
`
`
`
`
`geometries shrink, more processing power
`
`
`
`
`
`and memory can be fitted intoa given
`
`
`
`
`
`
`
`
`amount of silicon. Die thickness is also a
`
`
`
`
`
`
`
`
`factor, not only because it must fit within
`
`
`
`
`
`
`
`
`the cards thickness, but also because thin
`
`
`
`
`
`
`
`enough silicon actually bends with the
`
`
`
`
`
`
`card, again reducing the risk of cracking.
`
`
`
`
`
`
`
`Silicon used in future smartcards will
`
`
`
`
`
`
`be driven by the intended uses. Newer
`
`
`
`
`
`
`
`applications make ever-increasing de-
`
`
`
`mands for data management and for vari-
`
`
`
`
`
`
`ous algorithmic calculations involving
`
`
`
`
`security and data compression. Support
`
`
`
`
`
`for such encryption algorithms as an RSA
`
`
`
`
`
`
`
`public key for higher-security applications
`
`
`
`
`
`is another requirement. Multi-application
`
`
`
`
`cards will create additional demands for
`
`
`
`
`
`
`security and control on the silicon.
`
`
`
`
`
`
`Moreover, as the world moves toward
`
`
`
`
`
`
`more mobile electronic devices, such as
`
`
`
`
`
`
`portable phones, computers, and personal
`
`
`
`
`
`digital assistants (PDAs), the lower vol-
`
`
`
`
`
`tage/current drain lCs designed for them
`
`
`
`
`
`
`are affecting smartcards, too. The voltage
`
`
`
`
`
`
`
`
`level began at 5 V, has now reached 3 V
`
`
`
`
`
`
`
`
`for such applications as GSM (Global
`
`
`
`
`
`
`System for Mobile Communications, the
`
`
`
`
`
`European digital cellular telephone sys-
`
`
`
`
`
`tem), and will migrate to 1.8 V in future.
`
`
`
`
`
`
`
`
`Nonvolatile memory will eventually
`
`
`
`have to provide larger data storage capaci-
`
`
`
`
`
`
`ties for individual applications, such as
`
`
`
`
`
`
`health and ID cards, and for the migration
`
`
`
`
`
`
`
`
`to multi-application cards. With this in-
`
`
`
`
`
`7
`IEEE SPE