DOJ EX. 1035
`
`1/29
`
`DOJ EX. 1035
`
`

`

`dnaS.wIUanGreAdnmmN
`Space Admlmsiration
`
`Goddard Space Flight Center
`Greenbelt, Maryiand 20771
`
`G02 I027
`
`2/29
`
`DOJ EX. 1035
`
`

`

`.SdE3CLir.amS
`
`
`
`..!.-lt..11..u/..
`
`3/29
`
`DOJ EX. 1035
`
`

`

`For a complete listing
`
`.mTwWHsflCMrAemf0
`turn to the back of this book
`
`HummaC
`
`icatzons Library,
`
`G02 I029
`
`4/29
`
`DOJ EX. 1035
`
`

`

`Smart Cards
`
`00JTJ
`rwrw
`
`
`
` HmmMWmmuaLM
`
`Artech House
`
`Boston as London
`
`G02 1030
`
`5/29
`
`DOJ EX. 1035
`
`

`

`Library of Congress Cataloging-in—Publication Data
`Zoreda, José Luis.
`Smart cards 1 Jose Luis Zoreda
`Includes bibliographical references and index.
`ISBN 0-89006687-6
`1. Smart cards. I. Otén. Jest‘: Manuel.
`TK7895.S62086
`1994
`‘
`OO6—dc20
`
`II. Title.
`
`A catalogue record for this book is available from the Brifish Library
`
`© 1994 ARTECH HOUSE, INC.
`685 Canton Street
`Norwoud, MA 02062
`
`All rights reserved. Prmtcd and bound in the United States of America. No part of this book may be
`reproduced or utilized in any form or by any means, electronie or mechanical. including photocopy- 1
`ing, recording, or by any information storage and retneval system, without permission in writing “
`from the publisher.
`
`International Standard Book N_umI:1er: o-39005-537-5
`Library of Congress Catalog Card Number: 94-7671
`
`10937654321
`
`G02 I {)3 l
`
`6/29
`
`DOJ EX. 1035
`
`

`

`.-i‘,4.1-,-A-...
`
`G02 1032
`
`Contents
`
`Preface
`
`Chapter 1 Old Cards and New Cards
`1.1
`Contents of the Book
`1.2 Basic Card Types
`1.2.1 Magnetic Stripe Cards
`1.2.2 Optical Cards
`1.2.3 Chip Cards
`Communicating With Cards
`Plastic Cards and Magnetic Stripe Cards
`1.4.1 Origin of Plastic Credit Cards
`1.4.2 Automatic Teller Machines
`
`»
`Electronic POIIIIIS pf Sale
`1.4 3
`1.4.4 On-Line and Off-Line Systems
`1.4.5
`Interchangeability
`1.4.6
`Point-of-Sale Dilemma
`1.5 Costs
`1.6 Conclusions
`
`_
`
`>4
`
`\D®‘--JG\G'\Lll-P-L»-li..nJ-—--Z:
`
`Chapter 2 Data Storage Cards
`2.1 Magnetic Stripe Cards
`2.1.1
`Coercivity
`2.1.2 Magnetic Stripe Encoding
`2.1.3 Magnetic Stripe Reading
`2.1.4 High-Coercivity Stripes
`2.1.5
`Fraud in Financial Magnetic Stripe Cards
`2.1.6 Magnetic Stripe Security
`2.I.7 Nonfinancial Magnetic Stripe Cards
`Optical Cards
`2.2.1 Optical Card Standards
`
`vii
`
`
`
`
`
` .i..:&:':.£'::a.=s?..;.@e'»;_«"_,.'.T'?.'¢E‘¢#l..’.5'-
`
`
`
`- -
`
`P.
`
`._Lg.
`
`
`
`7/29
`
`DOJ EX. 1035
`
`

`

`2.2.2 Writing and Reading Optical Cards
`2.2.3
`Formatting Optical Cards
`2.2.4
`Error Correction in Optical Cards
`2.2.5 Optical Card Applications
`2.2.6
`Erasable Optical Cards
`Chip-Based Storage Cards
`Conclusions
`
`2.3
`2.4
`
`Chapter 3 Chip Cards
`3.1
`Origin of Chip Cards
`3.1.1
`First Chip Card Manufacturers
`3.1.2
`Early Experiences
`3.1.3 Chip Cards for Public Phones
`Card Security
`3.2.1
`PIN in Magnetic Stripe Cards
`3.2.2 Message Encryption and Decryption
`3.2.3
`Secret Codes in Smart Cards
`3.2.4 Cryptography in Smart Cards
`Chips for Cards
`1
`3.3.1
`Integration Scale in Microelectronics
`3.3.2 Card Chip Security
`3.3.3 Card Chip Manufacturers
`Smart Cards and Sinan Devices
`3.4.1
`Reduced-Size Cards
`3.4.2
`Smart Keys
`3.4.3
`Smart Disks
`3.4.4 Contactless Cards
`Conclusions
`
`3.5
`
`Chapter 4 Anatomy of a Smart Card
`4.1
`Inside a Card
`4.2
`Memory
`4.2.1 Volatile Memory
`4.2.2 Nonvolatile Memory
`4.2.3 UserlApplication'Memory
`CPU and Operating System
`4.3.1 Card Mask
`4.3.2 Wired Logic and Microprocessors
`Other Circuits
`4.4.1
`Reset Circuit and ATR
`4.4.2 Clock and Synchronization Circuits
`4.4.3 Communication Circuits
`
`G02 1033
`
`8/29
`
`DOJ EX. 1035
`
`

`

`Design and Manufacturing: an Example
`4.5.1 Chip Design
`4.5.2 Chip Manufacturing
`Contacts and Embedding
`4.6.1 Contact Manufacturing and Location
`4.6.2 Contact Function
`
`4.6.3 Chip Card Body
`4.7 Conclusions
`
`The Language of Smart Cards
`Chapter 5
`5.1
`Instruction Set and Smart Card Operating System
`5.2 Answer to Reset
`5.2.]
`First ATR Character, Elementary Time Unil
`5.2.2
`Second ATR Character, Interface and Historical Characters
`5.2.3
`Extra Interface Characters
`5.2.4 Global Interface Bytes
`5.2.5 Historical Characters
`5.2.6
`TCK Character, End of ATR
`Protocol Type Selection
`Protocol Type T = 0
`5.4.!
`Command Structure
`
`Procedure Byte
`5.4.2
`5.4.3 Communications Protocol in 78I6f4
`5.4.4 Other Protocols
`
`Memory Structure
`5.5.1
`Structure ofRAM
`
`Structure of Nonvolatile Memory
`5.5.2
`5.5.3 Memory Zones
`5.5.4 Hierarchical Memory Structure
`Security
`5.6.1 Cryptographic Algorithms
`5.6.2 Keys
`5.6.3 Key Functions
`5.6.4
`Security in ISO 7816/4
`5.7 Conclusions
`
`Programming 21 Smart Card
`Chapter 6
`6.1
`Software Functions
`
`6.2 WritingfReading Unit
`GUTI GC2 Smart Card
`6.3.1
`EEPROM Structure
`6.3.2 Answer to Reset
`
`9/29
`
`DOJ EX. 1035
`
`

`

`Chapter 4
`
`Anatomy of a Smart Card
`
`-33-
`~.
`'ifi§‘_._In this chapter. we will take a fascinating trip through the microscopic world of card
`. microekectronics. We W111 give you the ability to peer into the lCs‘1ncluded in a smart
`_; card and into their functional blocks. Some details on microcircuit nianufacturing are also
`: reviewed. ISO standards, as far as hardware 15 concerned. will-Be included here and there
`. throughout the chapter.
`.
`-
`'
`L
`'
`Smart cards are the main subject of this book. However, it seems interesting to
`include here some references to non—ISD related devices sharing the same manufacturing
`'- technolog1es, but having different applications. Technologies of data banks, memory
`.‘cartridges. and similar storage devices on the one hand and battery-powered chip cards
`3' on‘ the other hand are mentioned below.
`
`~.
`-.-
`
`4.: INSIDE A CARD
`
`_ Chip cards from the outside can be easily distinguished from common credit cards by a
`_dnne-sized golden plate located near the edge. The plate is divided into eight areas (some
`.. cards, such as McCorquodale and Gemplus. have only six; see Section 4 6). These are
`the:__contacts employed by the microcircuit to communicate with the outer world. If the
`contacts were transparent, a dark. shiny,
`l—mm’ gadget couldbe seen behind them. -This
`isithe microcircuit. Looking inside (see Figure 4.1), several connected large and small
`' rectangular blocks may be found:
`"
`'0 "Memory areas;
`"“‘ II -Central processing unit (CPU);
`‘‘ 9 Protection circuits;
`at Reset circuit;
`1'-0 Clock;
`4 4" Input-output area.
`
`G02 1095
`
`10/29
`
`DOJ EX. 1035
`
`

`

`
`."*7"-‘-J-iw-_'.-‘-‘t=:‘..'-In-aRHr.'a...:._'~.--'
`
`
`"V-‘ML‘ér¥uf‘-A1-lrfl"I'r‘1‘-in-l!'\.'."I%ill.‘-J33hH‘nu’!-.-:.-«.1.-:-r.‘.-'....'-.:-.-._g.--v--.-....-‘>1~‘=v--»«-
`
`
`
`
`
`‘r-x‘:-rt"-”--v"-..-oi-.
`
`vknlxvh-r'1h‘."rr-_'..,¢;..-‘\J_~1=*-
`
`
`
`-.'-i.'5sv:~'~r'
`1-...9',z\.:(-up
`
`-_
`
`Figure 4.1 inside a smart card. behind contacts, a rrtic rocircuit divided into several blocks with different functions
`maybefound.
`-
`'
`'
`'
`‘
`.
`'
`‘
`The specific areas found inside the chip depend on the card model. Memory cards have
`no CPU. whereas other cards may lack reset circuitry or clock.
`
`4.2 NIEMORY
`
`Therlargest microcircuit areas are- occupied by different kinds of memory. Cards must
`hold data, code, and other permanently stored information in ‘order to perform their tasks. ‘
`In standard deslctop computers, data and instructions managed by CPUs are stored iii 1.
`electronic lCs, where theycan be randomly accessed: under this form; data are compiled:
`4
`modified, read. written‘, and moved. This data crunching is at'Lhe ‘very heart-of computing:
`Once the task is finished. however, intermediate results are no longer needed andmust
`be erased to allow space for the next task. Hence, the internal memory of computers is .
`erasable. Moreover, it is usually dynamic; that is, data are lost upon power removal. When ‘
`the power is on. the memory must be refreshed every now and then (every few.mi_1liseconds.
`in fact) to keep data stored in their place.
`I
`Support for permanent data backup in computers is given by external peripherals,
`usually hard disks, floppy disks, or similar magnetic media. Fast, inexpensive _dynamic :3;
`, .
`
`"‘Q-‘.7-n-w
`
`G02 I096
`
`11/29
`
`DOJ EX. 1035
`
`

`

`__.,
`'-
`
`'
`
`memory and magnetic permanent media make a perfect team for handling data in comput-
`It is worth mentioning that, in practice, magnetically stored code cannot be directly
`_‘
`- executed by microprocessors (i.e., a magnetic stripe card could not store an executable
`-
`; 53;“ program, though it could store the program code); besides, the seek access time of hard
`
`disks is measured in milliseconds whereas the access time ofdynamic memory is measured
`
`innanoseconds, some million times faster.
`,
`'
`Smart and memory cards usually need permanent or nonvolatile memory for most
`» ‘,3 applications and memory zones. Small chunks of volatile memory may also be included
`_.
`"as intermediate memory storage for direct code execution and scratch pad data handling
`(Figure 4.2). The use of dynamic memory is not realistic for permanent storage, even in
`_ artery-powered cards. Instead, nonvolatile IC technologies for internal card memory are
`
`.
`
`G02 [G97
`
`storage devices share this technology. An important difference. however, arises from
`storage capacity. Smart cards require at most a few kilobytes of storage memory. Some
`IC memory cards, such as PCMCIA cards, require several megabytes. These devices are
`
`(Oerating system)
`
`E5
`
`I
`E
`
`RAM
`(Scrath pad)
`7
`eepnomrspsom
`(Nonvolatile)
`'
`7 ..._._....-_..._.
`
`\\“
`
`h___
`
`,
`
`LIL
`
`12/29
`
`DOJ EX. 1035
`
`

`

`used as nonerasable (read-only) data banks or even as high-density removable storage for
`smaller and smaller portable computers.
`.
`-
`-
`-
`IC memory technologies, like most electronic systems, are based on silicon. Several
`silicon technologies are currently used in cards. Volatile Memory includes dynamic random
`access memory (DRAM) and static random access memory (SRAM). Nonvolatile Memory
`includes read-only memory (ROM) and erasable, programmable read—only - memory
`(EPROM). The nonvolatile categories are actually a bunch of different technologies sharing
`nonvolatility and little else. Details are discussed in the following sections.
`
`4_.2.1'_vo1atiIe Memory
`
`Dynamic and static RAM may be«employed.inside a‘ card for several uses. Unless the
`card is battery powered, the contents of these types of memory are lost in the sh_ort; or
`long term (usually 1n the short _term). The difference between dynamic and static RAM
`is that static RAM need not be refreshed, allowing data storage with very low power
`consumption. Nevertheless, data are lost if power is removed (i.c., if the battery runs out).
`SRAM may be used in cards containing batteries to keep some relevant though noncritical
`data such as time and date.
`‘
`DRAM is employed in cards as a working area (scratch pad) when the card is
`inserted into a reader (i.c., it __has an external power supply). Cards use that volatile memory
`in a RAM stack where intennediate results of calculations_ or_data encryption processes
`are stored. After finishing every step, data are erased and DRAE/l"is used in new ical'cula'4
`Lions. DRAM is preferred over-_ SRAM for itssimpler, more reliable design (a bit is made .
`of a single metal oxide siliconZtransistorlanached to a capacitor}. _SRAM features low fl
`voltage and power consumption,--but its iirEj._hitecture»(fodr transistors, two ii-esistorsper
`’
`cell) reduces storage density andlincreascs the cost—per—bit ratio.
`'
`Although RAM is usually associatedwith volatile memory,_ ‘new technologies for '
`achieving nonvolatile RAM are being-developed. For e;rarrrple,"'ferroclectronic RAM
`(based on ferroelectric materials like‘-leat'l_ ziirconate titanate) might be a breakthrough in
`memory technologies by combining the .pe_i‘fonnance of‘DIR.AM with the nonvolatility
`goal.
`-
`—
`--
`-
`‘
`‘
`‘
`'
`
`4.2.2 Nonvolatile Memory
`
`Most memory zones in cards are based on nonvolatile memory. Data stored in this memory
`are not lost when power is removed (e.g., when the card is unplugged from the writing]
`reading unit). Storage, however, need not be permanent: in fact, many memory zones
`must be updated when the card is operating; other zones must always keep the same
`information (e.g., the card mask; see below). Several nonvolatile memory technologies
`may be found in cards to account for these different needs.
`.-
`-
`
`‘
`
`*
`'
`
`G02 [G98
`
`13/29
`
`DOJ EX. 1035
`
`

`

`Pennanent information can be stored in ROM. Either the information is recorded
`at the same time as the chip is created or is included in a further prograriuning step.
`In the first case, the information (data, code, program, etc.) is included in the same
`photolithographic masking process used to manufacture the chip (hence the name masked
`ROM). Strictly speaking, this is the only ROM; memory created by other ROM technolog-
`ies is written at least once. Masked ROM is an inexpensive, reliable, and high-density
`technology. Its major drawback comes from its own irreversibility: code errors and revi-
`sions imply costly modifications in the manufacturing chain.
`The above situation is avoided by the use of write—once, read—many technologies.
`Programmable ROMS (PROM) allow customer programming by blowing specific fuses
`in the assembled chip. Again, the memory is permanent; once the information is written,
`it remains in the chip forever. A further step in flexibility (and a new letter in the acronym)
`_is offered by EPROMs. In this case, the PROM may be erased by an extemal action,
`iisually ultraviolet light exposure. This memory is easily identified in acompiiter mother
`-- board by its small
`transparent windows on the top of the chip. A major advance in
`-, nonvolatile technologies notwithstanding, ERROMS and PROMS are functionally identical
`‘
`in a chip card. For one thing. it is quite difficult to expose an embedded chip to ultraviolet
`‘ radiation without destroying‘ the card! The use of EPROMs in cards derives from other
`reasons, mainly reliability and simplicity (one transistor technology).
`1'
`" Finally, let us look at electrically erasable, programmable ROM (El-EPROM). A
`tvvo-transistor technology, EEPROM provides nonvolatile memory that is erasable and
`rewritable by electric signals. EEPROM may be used as RAM. Though its higher cost
`precludes its application in desktop computers, it is a perfect candidate for accomplishing
`most memory requirements in IC cards. A minor problem of El-3PROMs is that erasing
`and writing operations usually require higher voltage than reading. ISO standards include
`a‘ 2lV power supply for these ‘operations; though current cards often disregard this facility.
`r The regular power supply (5V) is used instead, its voltage being internally increased as
`needed.
`-
`‘
`
`’_
`
`
`
`"..r.r.
`
`..
`
`'~'Flash memory is a simpler EEPROM technology (one dual gate transistor per cell),
`“
`and is an alternative to classical EEPROMS. It features higher density, lowercost, and
`greater ‘reliability. Besides. writing and erasing can be obtained at lower voltages than
`standard EEPROM. Its drawback is that sing1e—bit erasure is not possible: flash memory
`must be block-erased. Hence,
`this memory may be used in memory zones where the
`information is modified as a whole; it cannot be employed when the updating of a single
`'piece of data is required.
`'- " ' Memory complexity affects the size of the memory cells as well. Using a ROM
`cell as area unit, EPROM arid EEPROM cells would cover two and six units. respectively.
`_ This is ‘not as bad as SRAM. with sixteen units.
`
`.
`
`4.2.3 UserlApplication Memory
`
`Several kinds of memory are used in a single IC card. From the issuer or user point of
`view, however, the most important (perhaps the only important) memory is the user!
`
`( ‘:02 I099
`
`14/29
`
`DOJ EX. 1035
`
`

`

`application memory (UAM). UAM is EPROM or EEPROM that holds the specific informa-
`tion on every application. The irifon-nation is usually a data set including user data, issuer
`data, and operations (transactions) performed by the card. In some applications, UAM
`may also contain executable functions (EXEC functions). Code is included in UAM, for
`example, when the.standard ROM program (the mask; see next section) is not able to
`perform some operations, or simply when the issuer .wants to take advantage ,0f-‘l.l'llS
`option for security or speed. UAM size in cuirent cards varies from 1K to 16K (some,
`' manufacturers are developing 64K UAMS)..
`UAM is protected by the microprocessor, which filters data flow, manages data
`storage and reading, and runs the preprogramrned executable functions, if any. -A number,
`of cards have UAM divided into several zones. Memory zones are in turn divided into
`files and recordsand are protected by special hardware. A typical partition is given below
`(Figure 4.3).
`‘
`The Manufacturer zone. includes microcircuit andfor card ID data, which are stored
`during manufacture and hardware-protected against further access.,
`_.
`In the Secret zone the data cannot be accessed from the outside. Only the microproces-
`sor can take advantage of them: This z.one_holds. for example, secret codes such as the
`issuer key and the user PIN. Protection is provided via hardware, as in the previous case,
`or by means of an internal program
`_
`.
`__
`The Status zcmelcontains access attempts to the card. either through user PIN or
`through issuer key. Other secret codes may also be _included. Attempts are sequentially;
`stored, allowing __the card _to.decide its._self-blocking ior self-destruction accorg:Iing'
`to
`preprogranuned‘cr'iteria.‘Fpllowing the issuer instnictions. for example, the card may self:
`block after three consecutive wrong user. Pl'Ns_or may ffcomn'u'_t suicide," after an-single
`wrongjssuer key._
`-
`r.
`.
`Older [C cards requlrecithe separation offree access data zones and protected diota .
`zones (e.g., by PIN or_ issuer k_ey)..At present, many cards permit the definitionof every
`file. either free or protected by any key combination. Therefore. free and confidential
`zones are currently found in the same memory_ zone. Definition of file attributes _'is
`customarily performed by the issuer and protected by the issuer key.
`The Transaction zone contains most variable data (c.g., commercial transactions,
`hence the name). Data format, files, and record structure depend on the application.
`Typically, a secret code is required to access the zone. New card models allow different '
`protection for reading and writing in the same _file. For example, some data may be freely ‘
`read, but permission is required to modify them This feature is quite interesting in a
`number of instances (e.g., in electronic purses). Actually, there is no difference between .'
`transaction, free. and confidential zones. They are usually separated for historical reasons.
`since old cards had a fixed memory arrangement where these zones were predefined.
`
`_
`
`.
`
`_ 4.3 CPU AND OPERATING SYSTEM
`
`Microciicuits of current smart cards are almost complete computer systems without key-
`board and display. In fact, some non-ISO active cards such as super smart cards include
`
`.
`
`.
`
`‘
`
`G02 I 100
`
`15/29
`
`DOJ EX. 1035
`
`

`

`
`
`..40...um.
`
`....mo.u§_&<w3:
`
`_.
`
`
`
`
`
`.Hanna.S$uuBmEo_E
`
`
`
`nHi.n_L..._.fl4....!Lr:T...F..k.,
`
`Hum
`
`0“???
`
`
`
`amuoumuu._n_
`
`
`
`.nI...1|.....aT..|l...:..
`
`
`
`
`
`__m_..EmUm:oU_...u...E:wEmax._o=$_
`
`uB_a.2Z555
`
`»._.E5&..§E
`
`m.E%3:0
`
`
`
`_.0oEoE:o_Eu._umm.uum=nomucus_mu§__.._.n.vuunufi
`
`
`
`
`
`16/29
`
`DOJ EX. 1035
`
`

`

`
`
`
`
`.-....-..-.;.....~.—-;-..-..-.»i.a-.....i-7..71..
`
`
`
`
`
`keyboard; display, and battery inside the same ca_rd_~sized device. The core of_ the card
`microcircuit is the microprocessor, usually called CPU. This CPU is able to execute an
`instruction set that ultimately defines the capabilities of the card. The instruction set is
`permanently wired into the card. Card chip manufacturers (see Section 3.3.3) use only a
`few architectures in smart card CPUs: H813 10 (Hitachi). 62'?xx (Oki). ST8 {Thomson},
`8051 (Inte_1),_ and 6805 (Motorola). All of them employ 8-bit instructions and have a 16-
`bit data bus: Quite recently. Gemplus has introduced a reduced instruction set computer
`(RISC) processor for smart cards. Higher level functions are alsqperrnanently stored in
`the card rneinory, indicating to the_ CPU what to do, when, and how to do it.' These’
`functions could belconsidered the smart card operating system (ASCOS). The S§'3Q'S allows
`the CPU to manage the UAM according to external commands the user invokes from_ an
`interface device. When a card is provided with a microprocessor. it always takes care of
`memory management and _dara security by itself. Any external access to card memory; or
`functions is performed through the CPU. The SCOS is also used to define EXEC functions
`eventually stored in the UAM.
`-I
`1
`
`4.3.1 Card Mask
`
`F
`
`From the ’oLitside. 'card behavior;is greatly determined by its SCOS. Different SCéSs
`applied to the same CPU results in cards with different capabilities. whilelthe opposite"
`situation, providing that CPUs of similar perfonnance are used, may remain unnoticed.
`In the cards‘ world, the SCOS is t1fadi_tioi'ially known as the card mask.
`The 'CPU1_and SCOS_togetlier make quite a powerful team. These cards are.- in
`practice, independent computing systems. Programmed logic allows the card to make; its
`own decisions concemingaccess to stored data‘ (readirig and__writing), no—answer condition‘
`in uncertain sitiiatidns. or self-bldcking. In summary, smart cards are characterized by:
`0 _ High Securify. Data a'cEess is‘;‘ih'c:iroughly controlled by the CPU, and is only permitted
`7 when predefined conditions are met.
`‘
`..
`.
`.
`.
`.
`-
`'
`or High Flexibility. Data management may be altered depending on external require-
`ments. thus allowing specific tailoring of the application.
`‘
`'
`'
`‘ '
`Multiple Seryices. Several applications (services) may share the same card. The
`CPU controls each application by itself or through EXEC functions. The applications
`may be independent or related and may be prepared by the same issuer oriby
`different ones.
`\
`'
`'
`
`The SCOS is stored in ROM, a safe place to avoid eventual modificatioiis. {The
`SCOS is sometimes called standard ROM program.) ROM is manufactured or prepared
`at the same time as the chip itself (see above). It can only be accessed and used by the
`card CPU._Being aconstant part of the riiicrocircuit for every smart card, card masks {are
`usually identified by their ROM design. ROM size typically varies from 2K to 16K. Some
`cards employ EEPROM for the SCOS zone; these are usually used for the design and
`development of new functions and applications. They also offer higher security against
`
`G02] 10?.
`
`17/29
`
`DOJ EX. 1035
`
`

`

`electronic scanning microscopy, since EEPROM information is erased by electron beams.
`In most cases these cards are not commercially available. The highest flexibility in
`commercial cards is currently demonstrated by several manufacturers who have developed
`selectable SCOSs (different operating systems for the same card).
`Besides ROM, the CPU employs other kinds of memory for different uses. Most
`important for CPU internal data handling is a volatile RAM called RAM stack. RAM size
`in current smart cards varies from 128 to 768 bytes. Intermediate results and encryption
`processes are temporarily stored in this memory. The memory is freed afterwards for the
`next task. The contents of this memory are lost when power is removed.
`
`4.3.2 Wired Logic and Microprocessors
`
`Many cards lack a microprocessor and many applications are nicely accomplished by not-
`so—smart cards. When designing an application where cards are involved, the first question
`to ask is how sma.rt the cards need to be. IC cards are divided into three fundamental
`
`categories, ultimately depending on the way data are protected from fraudulent access.
`A sorted list for increasing IQ might be (1) dumb cards‘, (2) wired logic cards, and (3)
`smart cards.
`
`Dumb cards have a memory circuit and are provided with reading and writing functions,
`but lack access control. Communications with external peripherals are usually synchronous.
`Advanced models of these cards are equipped -with EEPROM (rewiitable) memory ranging
`from 256 bytes to tens of kilobytes. Moreover; many data cartridges and memory banks
`should be included in this category, since they have no control over their stored data.
`‘
`The second group, wired logic cards, features an access control unit, but card
`capabilities‘are limited to some prerecorded functions. Several types, ‘described below,
`can be found, depending on the way access control is achieved.
`'
`Memory in EPROM cards is split into two or more zones, according to memory
`addresses. Data reading is allowed in every zone; however, one of the zones (read-only)
`does not allow writing. Protection of this zone is achieved by blowing an internal metallic
`or logic fuse. The issuer stones hisfher data in the proiectable zone and blows the fuse.
`creating soirie logic states (specific voltages) in the protection circuit gate. This action
`precludes any further writing and addressing of the zone. However, the circuit allows
`reading orders. These cards are chiefly employed in public telephone services or for ID
`purposes.
`-
`A certain device (e.g., a diode array) inside programmable logic array (PLAJ cards
`is programmed with an access logic. The FLA compares a keyed access code with an
`intemal code recorded in amemory zone. Access is allowed when matching is found.
`Some memory zones (e.g., where the code is stored) are restricted. Several applications
`may share the card, each one having its own FLA. For example, a memory zone may
`contain the issuer key and the user PIN. A logic may be defined in the PLA in such a
`way that the zone can never be rewritten, but can be read when the issuer key is introduced.
`
`G02 I l(]3
`
`18/29
`
`DOJ EX. 1035
`
`

`

`
`
`
`
`“s...‘:...'¢..\
`
`
`
`""'r.9!*‘ac.-.—-...._:.-«—..-_-.-:.----uu5.=_-w|xn-mt~-—~-e.-I.t-umnt..:.-t':.-'.:.:..—.
`
`Similarly, another zone may be written via PIN, whereas reading is reserved for die issuer
`key.
`-
`-
`'
`.Some. other cards (hybrid cards) combine both protection systems; An area of the
`memory is protected by a fuse; whereas other zones are-free or protected by PLAs. In
`these cards, the fuse-protected zone is usually-employed to store user and issuer codes and
`application ID, while the PLA zone-programmed with all possible access combinations--is
`used for transactions. Memory in these cards may be EPROM or EEPROM.
`The third group. smart cards, includes a microprocessor in the chip. The presence
`of the microprocessor opens new possibilities for memory management, as mentioned
`above. New cards allow a floppy-disk-like memory management, including directories,
`files, and records. The memory may contain data andfor executable code (EXEC functions).
`Moreover, the microprocessor allows asynchronous corrimunication between the card and
`its interface device (writing/reading unit), increasing the system security.
`
`-—l
`
`4.4 OTHER cincurrs
`
`__;.\,.tcd=~at’».'*~*-.md-.-~ii-_.-..,
`
`i,t.:_v...-_a--.--
`3..~-
`
`#5V‘.,
`P..
`+\- '.'
`is tr:
`3'J
`'2
`3
`
`In our journey around the card chip, several other circuits may also be seen. Besides
`metallic fuses for data protection (see previous section), the card may have protection
`circuits to avoid electric damage of card parts or counterfeiting. For example; it may be’
`protected against voltage fluctuations in power supply or signals beyond the ranges allowed
`by the ISO standards; Moreover, the card requires extra circuits for three basic tasks:
`reset, -synchronisation, and communications.
`
`4.4.1 Reset Circuit and ATR
`
`Any computing system performs a reset operatioriwhen switched on. Through reset, the
`computer comes to'life- and realizes its own electronic existence. In cards, this operation
`is performed through an internaispeeific reset signal, triggered by an external command
`from the interface device. The reset signal may be either the same signal sent by the
`external command or a new signal generated by an internal reset circuit. In the second
`case, the external reset asks the internal reset circuit to generate the signal and to set up
`the different devices-included in the card.
`'
`'
`-
`The most important fact in reset operations is that the command, either internal or
`external. also produces a specific answer, called answer to reset (ATR), which is sent
`back to the interface device. ATR is defined by a standard protocol (ISO 7816/3). It
`includes enough information identifying the card type and sometimes the card model and
`the application (Hello, I'm a standard card manufactured by Z22, I have a microprocessor,
`my working frequency is XXX. etc.). Any ISO card, therefore, can be properly identified
`by any reader, regardless of its brand and application. This feature is most useful for the
`external system in order to decide whether the card belongs to an application or not;
`
`G02 I
`
`I 04
`
`19/29
`
`DOJ EX. 1035
`
`

`

`
`
`“‘1-"-W"-“wt-“-~_-'"':"<'aEl-3-||l9III'"-'rvw--B1'11.‘-\'\¢'I'i""‘vr<
`
`
`
`
`
`furthermore, the same writinglreading unit may be simultaneously used for several applica-
`tions and services using cards from different manufacturers.
`
`4.4.2 Clock and Synchronization Circuits
`log between the card and the interface device, require signal
`ATRs, as well as any other dia
`ard‘ 5 internal operations and
`synchronization. Timing signals are used to synchronize the c
`communications. These timing signals may come from an external clock provided by the
`interface device. The card is directly driven by the clock or through internal timing and
`buffer circuits (buffers are needed to avoid delays within the microcircuit devices).
`Alternatively. the card may be provided with an internal clock. The internal clock
`frequency need not be the same as that employed in reset. In fact, the ATR signal provides
`the specific clock frequency of the card. This information may be used to select the
`e usual frequency of current cards ranges from
`frequency for eventual communications. Th
`5 to 14 MHz
`
`4.4.3 Communication Circuits
`Communications to and from the card are performed by an inputloutput (I/0) port, which
`makes use of one of the contacts (Le. a bidirectional bitw_ise U0 port). The port may
`work in synchronous or asynchronous mode. There is_ some spurious electrical resistance
`in the circuit for signal flow from the card to the outside and vice versa. Indeed. the
`electrical continuity is performed by the interface device contacts pressing on the golden
`card contacts. Dirtiness in contacts produces ohmic resistance. To avoid signal degradation
`and electrical noise. the I/O port may include an internal amplifier.
`
`4.5 DESIGN AND MANUFACTURING: AN EXAMPLE
`
`ed to manufacture IC cards
`There are no substantial differences in the techniques employ
`y other general-purpose microelectronic lCs, except for hardware protec-
`compared to an
`tions and sensors discussed in the previous chapter. Detailed descriptions of IC manufactur-
`ing processes are beyond the scope of this book. Instead. we will describe the design
`steps of a specific card and will browse through hardware manufacturing.
`
`4._S.1 Chip Design
`Let us design a simple card for prepaid public telephone calls. First, we must define card
`capabilities and performance. In this case. the following characteristics are needed.
`9
`It should allow storage of data related to the phone company (issuer), charge unit
`price, card serial number. and so forth.
`
`G02 I I05
`
`20/29
`
`DOJ EX. 1035
`
`

`

`
`
`'1-=_=;:~:-we.--=-r-r-=;*_'-_=_--_.
`
`
`
`
`
`'
`
` ._____
`
`The above information must be protected; that is, it may not be altered after being
`recorded by the issuer.
`Data access should be controlled.
`A memory zone is needed to store credit! (number of allowable c_all units) and used
`units. This zone, obviously. must be accessed for reading and writing.
`Finally, there must be a predefined working logic. In this case, (a limited number
`of instructions is required: reset. bitwise reading and writing, and bit addressing’.
`The nei-it step is a block (functional) design based on the above characteristics. Figure
`4.4 shows the block diagram of our card. The blocks are:
`’
`"
`0 An EPROM consisting of 256 one-bit ,words. Words are addressed by a binarivi
`counter controlling row and column decoders. Our memory is_ thus addressed_as a
`16 X 16 matrix, where every element is accessed by its row and column coordinates.
`to A small instruction decoder which generates card control signals. In our case. the
`required signals are writing and reading bit operations, counter increments. and
`FCSEI.
`
`._
`
`EPROM
`
`Free
`Read—only
`
`Total '
`
`160 bits
`96 bits
`
`255 bits
`
`Figure 4.4 Electronic components of a PLA memory card
`
`
`
`
`
`<*‘'.'r1*§'€'I':‘a-tia«‘§'a:'¢"r."i¢:a‘I4'.'R'.73-tiri":'~,l';‘5.2.-ma.
`
`G02 l I06
`
`21/29
`
`DOJ EX. 1035
`
`

`

`Two memory zones are defined inside the memory. The first zone has 160 read!
`write bits, whereas the second zone has 96 read-only bits. A protection block is
`added for detection and inhibition of writing operations in the protected zone.
`A timing circuit that produces two signals. Both are used to adapt the voltage levels
`of memory cells before reading.
`A writing/reading amplifier to send data from