
Wednesday, February 27, 2019

Smart Cards

1. INTRODUCTION

Smart card technology is one of the greatest achievements in the world of information technology. Similar in size to today's plastic payment card, the smart card has a microprocessor or memory chip embedded in it that, when coupled with a reader, has the processing power to serve many different applications. As an access-control device, smart cards can be used to access host computers remotely over the Internet, and they can make personal and business data available only to the appropriate users. Smart cards provide data portability, security, convenience and the like. According to Gemplus (ref. 19), smart cards can be categorized as follows:

Memory and microprocessor: memory cards simply store data and can be viewed as a small floppy disk with optional security. A microprocessor card, on the other hand, can add, delete and manipulate information in its memory on the card.

Contact and contactless: contact smart cards are inserted into a smart card reader, making physical contact with the reader. Contactless smart cards have an antenna embedded inside the card that enables communication with the reader without physical contact. A combi card combines the two features with a very high level of security.

Smart cards help businesses evolve and expand their products and services in a changing global marketplace. The scope of uses for a smart card has expanded each year to include applications in a variety of markets and disciplines. In recent years, the information age has introduced an array of security and privacy issues that have called for advanced smart card security applications. "Key to the global village" is how the smart card has been described.
Smart cards will bring big changes to the way people provide and receive information and the way they spend money. They will have a profound impact on retailing and service delivery. A smart card is like an electronic wallet. It is a standard credit-card-sized plastic token within whose body a microchip has been embedded, and it is the chip that makes the card "smart". The chip provides not only memory capacity but computational capability as well, and thus the card is capable of processing data. It has gold contacts that allow other devices to communicate with it. This chip holds a variety of information, from stored (monetary) value used for retail and vending machines to secure information and applications for higher-end operations such as medical/healthcare records. New information and applications can be added depending on the chip's capabilities. Smart cards can store several hundred times more data than a conventional card with a magnetic stripe and can be programmed to reveal only the relevant information. For example, a card could tell a device in a store that there is sufficient balance in an account to pay for a transaction without revealing the balance amount. The marriage between a convenient plastic card and a microprocessor allows information to be stored, accessed and processed either online or offline. Therefore, unlike the read-only plastic card, the processing power of smart cards gives them the versatility needed to make payments, to configure your cell phones, TVs and video players, and to connect to your computers via telephone, satellite or the Internet anytime, anywhere in the world.

2. HISTORICAL PERSPECTIVE

The smart card was invented at the end of the seventies by Michel Ugon (Guillou, 1992).
The French bankcard group CB (Carte Bancaire) was created in 1985 and has allowed the diffusion of 24 million devices (Fancher, 1997). For the physical characteristics, the first draft proposal was registered in 1983. A long discussion resulted in the standardization of the contact location. Next was the standardization of signals and protocols, which resulted in the standards ISO/IEC 7816-1 to 7816-4. Security came next, as it was clear from the beginning that there was a need for cryptographic capabilities, though this was difficult due to the limited computing power and the few bytes of RAM available at that time (Quisquater, 1997). Nowadays, smart cards are used in many applications. The technology has its historical origin in the seventies, when inventors in Germany, Japan and France filed the original patents. While inventors in the U.S., Japan and Austria were issued patents, it was the French who put up big money to push the technology. They did this in the 1970s, during a period of major national investment in modernizing the nation's technology infrastructure. Due to several factors, most work on smart cards was at the research and development level until the mid-eighties. Since then the application has been growing at a tremendous rate, with shipments of more than one billion (1,000,000,000) cards per year (since 1998). The current world population of smart cards, about 1.7 billion, is set to increase to 4 billion or more cards within the next 3-4 years. A survey completed by Card Technology Magazine (http://www.cardtechnology.com) indicated that the industry had shipped more than 1.5 billion smart cards worldwide in 1999. Over the next five years, the industry will experience steady growth, especially in cards and devices to conduct electronic commerce and to enable secure access to computer networks.
A study by Dataquest in March 2000 predicts about 28 million smart card shipments (microprocessor and memory) in the U.S. According to this study, an annual growth rate of 60% is expected for U.S. smart card shipments between 1998 and 2003. Smart Card Forum Consumer Research, published in early 1999, provides additional insights into consumer attitudes towards the application and use of smart cards. The smart card market is growing quickly due to its wide range of applications. The worldwide smart card market forecast, in millions of dollars and billions of units, is shown in figure 1.

3. CONSTRUCTION OF THE SMART CARD

The main storage area in such cards is normally EEPROM (Electrically Erasable Programmable Read-Only Memory), which can have its content updated and which retains its contents when external power is removed. Newer smart card chips sometimes also have math co-processors integrated into the microprocessor chip, which are able to perform quite complex encryption routines relatively quickly. The card connection is either via direct physical contact or remotely via a contactless electromagnetic interface. Its chip therefore characterizes a smart card uniquely, with its ability to store much more data (currently up to about 32,000 bytes) than is held on a magnetic stripe, all within an extremely secure environment. Data residing in the chip can be protected against external inspection or alteration, so effectively that the vital secret keys of the cryptographic systems used to protect the integrity and privacy of card-related communications can be held safely against all but the most sophisticated forms of attack. The functional architecture of a GSM (Global System for Mobile communication) system can be broadly divided into the Mobile Station, the Base Station Subsystem, and the Network Subsystem.
Each subsystem is composed of functional entities that communicate through the different interfaces using specified protocols. The subscriber carries the mobile station; the base station subsystem controls the radio link with the mobile station. The network subsystem, the main part of which is the Mobile services Switching Center, performs the switching of calls between the mobile and other fixed or mobile network users, as well as management of mobile services, such as authentication.

Fig 3.1.1 Smart Card Construction.
Fig 3.1.2 Smart Card Construction.

Almost all chip cards are built from layers of differing materials, or substrates, that when brought together properly give the card a specific life and functionality. The typical card today is made from PVC, polyester or polycarbonate. The card layers are printed first and then laminated in a large press. The next step in construction is the blanking or die cutting. This is followed by embedding a chip and then adding data to the card. In all, there may be up to 30 steps in constructing a card. The total components, including software and plastics, may be as many as 12 separate items, all in a unified package that appears to the user as a simple device.

3.1.1 Types of Smart Cards

Today there are essentially three categories of smart cards: microprocessor cards, memory cards and optical memory cards. A microprocessor chip can add, delete and otherwise manipulate information in its memory. It can be viewed as a miniature computer with an input/output port, operating system and hard disk. Microprocessor chips are available in 8, 16 and 32 bit architectures. Their data storage capacity ranges from 300 bytes to 32,000 bytes, with larger sizes expected as semiconductor technology advances.

3.1.2 Integrated Circuit (IC) Microprocessor Cards

Fig 3.1.1 An Integrated Circuit used in Smart Cards.

Microprocessor cards (generally referred to as chip cards) offer greater memory storage and security of data than a conventional magnetic stripe card. Their chips may also be called microprocessors with internal memory which, in addition to memory, embody a processor controlled by a card operating system, with the ability to process data on board as well as to carry small programs capable of local execution. The microprocessor card can add, delete and otherwise manipulate information on the card, while a memory-chip card (for example, a pre-paid phone card) can only undertake a pre-defined operation. The current generation of chip cards has an eight-bit processor, 32 KB of read-only memory and 512 bytes of random-access memory. This gives them the equivalent processing power of the original IBM XT computer, albeit with slightly less memory capacity.

3.1.2.1 Uses

These cards are used for a variety of applications, especially those that have cryptography built in, which involves manipulation of large numbers. Very often the data processing power is used to encrypt/decrypt data, which makes this type of card a very unique personal identification token. Data processing also permits dynamic storage management, which enables the realization of flexible multifunctional cards. Thus, chip cards have been the main platform for cards that hold a secure digital identity. Hence they are capable of offering advanced security mechanisms, local data processing, complex calculation and other interactive processes. Most stored-value cards integrated with identification, security and information purposes are processor cards.
Some examples of these cards are:
* Cards that hold money (stored value cards)
* Cards that hold money equivalents (for example, affinity cards)
* Cards that provide secure access to a network
* Cards that secure cellular phones from fraud
* Cards that allow set-top boxes on televisions to remain secure from piracy

3.1.3 Integrated Circuit (IC) Memory Cards

Memory cards can only store data and have no data processing capabilities. They have a memory chip with non-programmable logic, with storage space for data and a reasonable level of built-in security. IC memory cards can hold up to 1-4 KB of data but have no processor on the card with which to manipulate that data. They are less expensive than microprocessor cards, but with a corresponding decrease in data management security. They depend on the security of the card reader for processing and are ideal when security requirements permit the use of cards with low to medium security and for uses where the card performs a fixed operation. There is also a special type of memory card called the Wired Logic (or Intelligent Memory) card, which contains some built-in logic, usually used to control access to the memory of the card.

3.1.3.1 Uses

Memory cards represent the bulk of the smart cards sold, primarily for pre-paid, disposable-card applications like pre-paid phone cards. These are popular as high-security alternatives to magnetic stripe cards.

3.1.4 Optical Memory Cards

Optical memory cards look like a card with a piece of a CD glued on top, which is basically what they are. Optical memory cards can store up to 4 MB of data. But once written, the data cannot be changed or removed.

3.1.4.1 Uses

Thus, this type of card is ideal for record keeping, for example medical files, driving records or travel histories.

3.1.5 Fundamentals of Card Operation

Today's smart cards need electrical power from outside, plus a way for data to be read from, and sometimes to be transmitted to, the chip.
They interact with an accepting device, usually known as a card reader, which exchanges data with the card; the exchange usually involves the electronic transfer of money or personal information. The information or application stored in the IC chip is transferred through an electronic module that interconnects with a terminal or a card reader. There are two general categories of smart cards: contact and contactless smart cards.

Fig 3.1.5.1 Contact Smart Card.

The contact smart card has a set of gold-plated electrical contacts embedded in the surface of the plastic on one side. It is operated by inserting the card (in the correct orientation) into a slot in a card reader, which has electrical contacts that connect to the contacts on the card face, thus establishing a direct connection to a conductive micro-module on the surface of the card. This card has a contact plate on the face, a small gold chip about 1/2" in diameter on the front, instead of a magnetic stripe on the back like a credit card. When the card is inserted into a smart card reader, it makes contact with an electrical connector for reads and writes to and from the chip; it is via these physical contact points that transmission of commands, data and card status takes place. Such a card is traditionally used at the retail point of sale, in the banking environment or as the GSM SIM card in the mobile phone.

Fig 3.1.5.2 Contactless Smart Card (This diagram shows the top and bottom card layers which form the antenna/chip module.)

A contactless smart card looks just like a plastic credit card, with a computer chip and an antenna coil embedded within the card. This antenna allows it to communicate with an external antenna at the transaction point to transfer information. The antenna is typically 3-5 turns of very thin wire (or conductive ink), connected to the contactless chip.
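The commands, data and card status that cross the contact interface are exchanged as ISO 7816-4 APDUs (a command header CLA INS P1 P2, an optional data field with its length Lc, an optional expected length Le, and a two-byte status word SW1 SW2 in every response). The following added example, which is not code from the page, encodes and decodes the four short-form APDU cases, interprets the common status words, and drives a small simulated card through SELECT, VERIFY and READ BINARY so both sides of the exchange are visible. The application identifier, the PIN, the three-try limit and the record the card returns are constructed for illustration.

```python
"""ISO 7816-4 APDU encoding/decoding and a simulated card exchange.

Added example, not code from the page.  The AID, PIN, retry limit and the
record returned by READ BINARY are constructed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (cases 3 and 4)
    le: Optional[int] = None   # expected response length (cases 2 and 4)

    def encode(self) -> bytes:
        """Short-form encoding: header, then Lc + data if any, then Le if any."""
        if len(self.data) > 255:
            raise ValueError("short APDU carries at most 255 data bytes")
        if self.le is not None and not 1 <= self.le <= 256:
            raise ValueError("Le must be 1..256; 256 is encoded as 0x00")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le % 256])
        return out

    @classmethod
    def decode(cls, raw: bytes) -> "CommandAPDU":
        """Recover the four ISO 7816-4 cases from a short-form APDU."""
        if len(raw) < 4:
            raise ValueError("APDU shorter than the 4-byte header")
        cla, ins, p1, p2 = raw[:4]
        body = raw[4:]
        if not body:                                   # case 1: header only
            return cls(cla, ins, p1, p2)
        if len(body) == 1:                             # case 2: Le only
            return cls(cla, ins, p1, p2, le=body[0] or 256)
        lc = body[0]
        if lc == 0 or len(body) not in (1 + lc, 2 + lc):
            raise ValueError("Lc does not match body length")
        data = bytes(body[1:1 + lc])                   # case 3: Lc + data
        le = (body[-1] or 256) if len(body) == 2 + lc else None   # case 4 adds Le
        return cls(cla, ins, p1, p2, data, le)


def parse_response(resp: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2 as one 16-bit value)."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def describe_sw(sw: int) -> str:
    """Meaning of the ISO 7816-4 status words a terminal sees most often."""
    if sw == 0x9000:
        return "OK"
    if sw >> 8 == 0x61:
        return f"OK, {sw & 0xFF} more bytes available (GET RESPONSE)"
    if sw >> 8 == 0x6C:
        return f"wrong Le, retry with Le={sw & 0xFF}"
    if sw & 0xFFF0 == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries remaining"
    return {0x6700: "wrong length", 0x6982: "security status not satisfied",
            0x6983: "authentication method blocked", 0x6A82: "file not found",
            0x6D00: "INS not supported"}.get(sw, f"unknown SW {sw:04X}")


class SimulatedCard:
    """Constructed card: one selectable application, a 3-try PIN, one record."""
    AID = bytes.fromhex("A000000000")        # assumed application identifier
    RECORD = b"balance=42"                   # constructed PIN-protected data

    def __init__(self, pin: bytes = b"1234"):
        self.pin, self.tries = pin, 3
        self.selected = self.verified = False

    def transmit(self, raw: bytes) -> bytes:
        """Handle one command APDU and return response data + SW1 SW2."""
        try:
            cmd = CommandAPDU.decode(raw)
        except ValueError:
            return b"\x67\x00"                                  # wrong length
        if cmd.ins == 0xA4:                                     # SELECT by name
            self.selected = cmd.data == self.AID
            return b"\x90\x00" if self.selected else b"\x6A\x82"
        if cmd.ins == 0x20:                                     # VERIFY
            if self.tries == 0:
                return b"\x69\x83"                              # PIN blocked
            if hmac.compare_digest(cmd.data, self.pin):
                self.tries, self.verified = 3, True
                return b"\x90\x00"
            self.tries -= 1
            return bytes([0x63, 0xC0 | self.tries])             # tries left
        if cmd.ins == 0xB0:                                     # READ BINARY
            if not self.verified:
                return b"\x69\x82"                              # needs PIN first
            return self.RECORD[:cmd.le or 256] + b"\x90\x00"
        return b"\x6D\x00"                                      # INS not supported


def terminal_session(card: SimulatedCard, pin_attempts: List[bytes]) -> List[Tuple[str, bytes, int]]:
    """Drive the card as a reader would: SELECT, VERIFY attempts, READ BINARY.

    Returns (command hex, response data, SW) per step so the exchange is visible.
    """
    commands = [CommandAPDU(0x00, 0xA4, 0x04, 0x00, SimulatedCard.AID)]
    commands += [CommandAPDU(0x00, 0x20, 0x00, 0x80, pin) for pin in pin_attempts]
    commands += [CommandAPDU(0x00, 0xB0, 0x00, 0x00, le=256)]
    log = []
    for cmd in commands:
        raw = cmd.encode()
        data, sw = parse_response(card.transmit(raw))
        log.append((raw.hex(), data, sw))
    return log


if __name__ == "__main__":
    for hexcmd, data, sw in terminal_session(SimulatedCard(), [b"0000", b"1234"]):
        print(f"{hexcmd:<24} -> {data!r:<14} {sw:04X}  {describe_sw(sw)}")
```

The retry counter is the practitioner's check here: a wrong PIN costs one try and the card reports it in SW2 (63 Cx), a third failure leaves 63 C0, and from then on VERIFY answers 69 83 and the protected read answers 69 82 until the card is unblocked, so a terminal must read the status word rather than just retry.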
The antenna coil is laminated into the card and allows communication even while the card is retained within a wallet or handbag. The same energizing method applies to watches, pendants, baggage tags and buttons. Thus no electrical contacts are necessary, and the card is therefore called contactless. Such smart cards are used when transactions must be processed quickly, as in mass-transit toll collection or wherever the cardholder is in motion at the moment of the transaction. Close proximity, typically two to three inches for non-battery-powered cards (i.e. an air gap of up to 10 cm), is needed for such transactions; this decreases transaction time while increasing convenience, as both the reader and the card have antennas and it is via this contactless link that the two communicate. Most contactless cards also derive the internal chip's power from this electromagnetic signal: radio frequency technology is used to transmit power from the reader to the card.

Two newer categories, derived from the contact and contactless cards, are combi cards and hybrid cards. A hybrid smart card has two chips, each with its own contact or contactless interface. The two chips are not connected, but for many applications this hybrid serves the needs of consumers and card issuers.

Fig 3.1.5.3 Combi Card (This shows both the contact and contactless elements of the card.)

The combi card (also known as the dual-interface card) is a card with both contact and contactless interfaces. With such a card it becomes possible to access the same chip via a contact or contactless interface, with a very high level of security. It may incorporate two non-communicating chips, one for each interface, but preferably has a single dual-interface chip providing the many advantages of a single e-purse, a single operating architecture, etc. The mass transportation and banking industries are expected to be the first to take advantage of this technology.

4. SMART CARD APPLICATIONS

The self-containment of the smart card makes it resistant to attack, as it does not need to depend upon potentially vulnerable external resources. Because of their security and data storage features, smart cards are rapidly being embraced as the consumer token of choice in many areas of the public sector and commercial worlds, and are often used in applications that require strong security protection and authentication. Many smart card applications require sensitive data to be stored in the card, such as biometric information of the card owner, personal medical history and cryptographic keys for authentication. Smart cards are being deployed in most sectors of the public and private marketplaces. Here are some popular application areas where smart cards are being used in today's world:
* Loyalty
* Financial
* Information Technology
* Government
* Healthcare
* Telephony
* Mass Transit
* Identification on the Internet

4.1 Some of the major applications of smart cards, as seen around the world, are:
* There are over 300,000,000 GSM mobile telephones with smart cards, which contain the mobile phone security and subscription information. The handset is personalized to the individual by inserting the card, which contains the phone number on the network, billing information and frequently called numbers.
* Various countries with national health care programs have deployed smart card systems. The largest is the German solution, which deployed over 80,000,000 cards to every person in Germany and Austria.
* There are over 100 countries worldwide that have reduced or eliminated coins from the pay phone system by issuing smart cards. Germany, France, the UK, Brazil, Mexico and China have major programs.
* Almost every small-dish TV satellite receiver uses a smart card as its removable security element and holder of subscription information.
* They are used as credit/debit bankcards, which allows off-line transactions and stores the credit and debit functions of financial institutions.
* They can be used in retail loyalty schemes and corporate staff systems.

Other applications for smart cards involve computer/Internet user authentication and non-repudiation, retailer loyalty programs, physical access, resort cards, mass transit ticketing schemes, electronic tolls, product tracking, national ID, driver's licenses, passports, and the list goes on.

4.2 Automating Transportation Services

With billions of transport transactions occurring each day, smart cards have readily found a place in this rapidly growing market. A few of the numerous examples of smart cards in transportation are:
* Mass Transit Ticketing: using contactless smart cards allows a rider to ride several buses and trains during the daily commute to work without having to worry about complex fare structures or carrying change.
* Urban Parking: you don't need to carry the correct change anymore, just a prepaid contact smart card.
* Electronic Toll Collection: as you drive through the toll gate of a bridge, a smart card inserted into an RF transponder within your car electronically pays the toll without you ever stopping.
* Airline Application: your frequent flyer miles are added onto your airline smart card as your ticket is removed from it at the gate, eliminating paperwork.

4.3 Internet

The role of the Internet has developed to include electronic commerce. It was designed for the free exchange of information, and as such it is a rich source of academic, product and service information. But how does an Internet shopper go from looking at the product to actually buying it? The smart card is the ideal support for payment over the Internet, whether in cash or as credit. However, the Internet shopper needs to connect the smart payment card to the computer and, through the computer, to the Internet.
Smart card readers are inexpensive, low-power devices which can be easily added to existing computers. The additional cost of building them into future computers or peripherals is extremely low. The Internet is focusing the need for online identification and authentication between parties who cannot otherwise know or trust each other, and smart cards are believed to be the most efficient way of enabling the new world of e-trade. Smart cards can act as an identification card, used to prove the identity of the cardholder. Besides using smart cards for payment over the Internet, the possibilities are endless: carrying your favorite addresses from your own personal computer to your friend's network computer, downloading your airline ticket and boarding passes, telepayment of goods purchased online, and so on.

5. SMART CARD TERMS AND CONCEPTS

5.1 Memory Management

A smart card is a device with major hardware constraints: a low-power CPU, low-data-rate serial I/O, little memory, etc. Today, card technology uses 8 bit processors (mainly of the 6805 or 8051 family) whose memory sizes are a few tens of kilobytes (Urien, 2000): typically 1-4 KB of RAM (Random Access Memory), 32-128 KB of ROM (Read Only Memory) and 32-64 KB of EEPROM (Electrically Erasable Programmable Read Only Memory) at least, with options for FLASH and FRAM (Ferroelectric Random Access Memory) as well. As the demand for smart cards matures, the standard memory of 32 or 64 KB can prove a real limitation. One solution is to look at the design issues and techniques involved in incorporating multiple memory chips in a single smart card. Gemplus has already produced a twin card, incorporating two unconnected chips in a single card. Other approaches include the use of a PC in conjunction with the smart card. For instance, Blaze (1996) proposes the use of a powerful PC together with a smart card for symmetric key encryption, because the PC provides higher encryption bandwidth.
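The Blaze (1996) approach above splits the work so that the card, with its slow serial link and small CPU, does a fixed amount of keyed computation per message while the host does the bulk encryption. The following added example, which is written in the spirit of that idea and is neither Blaze's construction nor code from the page, models the split: the card keeps the master key and only ever returns a per-message key derived from a fresh header, the host derives an encryption and a MAC subkey from it and does all the per-byte work, and a counter shows how many bytes cross the card link for a message of any size. The master key, the per-message headers and the sample message are constructed; HMAC-SHA256 in counter mode stands in for a block cipher because the Python standard library has none.

```python
"""Encryption split between a slow card and a fast host.

Added example in the spirit of Blaze (1996), not his exact construction and
not code from the page.  The card keeps the master key and does one short
keyed operation per message; the host derives the keystream and tag and does
the bulk work.  HMAC-SHA256 in counter mode is used as the PRF because the
standard library has no block cipher.  Keys, headers and messages are constructed.
"""
import hashlib
import hmac
import os

HEADER_LEN = 16   # random per-message header; the only thing the card sees
TAG_LEN = 32      # HMAC-SHA256 authentication tag appended by the host


class SlowCard:
    """Holds the master key.  Only derived per-message keys ever leave it."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self.bytes_seen = 0          # traffic that crossed the slow card link

    def message_key(self, header: bytes) -> bytes:
        if len(header) != HEADER_LEN:
            raise ValueError("header must be exactly HEADER_LEN bytes")
        self.bytes_seen += len(header)
        return hmac.new(self._master_key, b"msg" + header, hashlib.sha256).digest()


def _subkeys(message_key: bytes):
    """Separate keys for confidentiality and integrity, derived host-side."""
    enc = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(message_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, counter) blocks."""
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, ctr.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def host_encrypt(card: SlowCard, plaintext: bytes) -> bytes:
    """Returns header || ciphertext || tag; the card contributes message_key() only."""
    header = os.urandom(HEADER_LEN)      # fresh per message, so a key is never reused
    enc_key, mac_key = _subkeys(card.message_key(header))
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def host_decrypt(card: SlowCard, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("blob too short")
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(card.message_key(header))
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, len(body))))


def tamper_detected(card: SlowCard, blob: bytes, flip_index: int) -> bool:
    """Flip one bit of the blob and report whether host_decrypt rejects it."""
    damaged = bytearray(blob)
    damaged[flip_index] ^= 0x01
    try:
        host_decrypt(card, bytes(damaged))
        return False
    except ValueError:
        return True


def work_split(card: SlowCard, plaintext: bytes) -> dict:
    """Encrypt then decrypt once; report bytes handled by the card vs. the host."""
    before = card.bytes_seen
    blob = host_encrypt(card, plaintext)
    if host_decrypt(card, blob) != plaintext:
        raise RuntimeError("round trip failed")
    return {"card_bytes": card.bytes_seen - before, "host_bytes": 2 * len(plaintext)}


if __name__ == "__main__":
    demo_card = SlowCard(os.urandom(32))          # constructed master key
    print(work_split(demo_card, b"medical record: constructed sample " * 2000))
```

The point the counter makes is the page's: for a 100 KB message the card handles 32 bytes in total (two 16-byte headers, one per direction), which fits a 9600 bps link, while the host does 200 KB of per-byte work. The caveat is that this simplified pattern hands the host a full per-message key; the host can decrypt that one message without the card afterwards, which is exactly the leakage Blaze's real construction is designed to limit.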
Table 1 below shows the storage capacity needed for various communication rates.

Device               Communication rate   Storage capacity
PC (Pentium IV)      120 Mbps             10 KB
Standard smart card  9600 bps             64 KB
Multiple chip card   20 Mbps              224 MB

Table 5.1.1 Communication rate and storage capacity

According to Junko (2002), the EEPROM used in current smart cards is reaching its scalability limits, particularly for smart card devices built in 0.13-micron technology and beyond. For this reason, companies like Philips agree on the need for an alternative embedded non-volatile memory for future smart cards. Currently Philips is leaning toward magnetic RAM as an alternative to EEPROM. Another important application that requires memory management is biometrics. The use of biometrics within the card itself will mean that biometric features (fingerprint, retina, voice, etc.) can reliably identify a person. With enhancements in memory systems, it will soon be possible to authorize the use of electronic information in a smart card using a spoken word. Some of these features have already been implemented in many applications. Malaysia's national ID, for instance, is a multipurpose smart card with a fingerprint biometric. The card is the first of its kind in the world, as it combines many applications such as driving license, passport and healthcare with non-government applications such as an e-purse (see http://www.jpn.gov.my/ or www.iris.com.my for details). Table 2 below gives the required bytes for various biometrics. Additional information about biometric technology and standards can be found from the following organizations: The Biometric Consortium (www.biometrics.org), the International Biometric Industry Association (www.ibia.org), or the BioAPI Consortium (www.bioapi.com).

Biometric               Bytes required
Finger scan             300-1200
Finger geometry         14
Hand geometry           9
Iris recognition        512
Voice verification      1500
Face recognition        500-1000
Signature verification  500-1000
Retina recognition      96

Table 5.1.2 Required Bytes for Biometrics

5.2 Security Issues

Security is always a big concern for smart card applications. This naturally gives rise to the need for reliable, efficient cryptographic algorithms. We need to be able to provide authentication and identification in online systems such as bank machines and computer networks, access control and the like. Currently such facilities allow access using a token; however, it is vital that the holder of the token be the legitimate owner or user of the token. As the smart card is handicapped or highly restricted in its input/output (unable to interact with the world without outside peripherals), this leads to the involvement of many parties in its applications. The parties involved include the Cardholder, Data Owner, Card Issuer, Card Manufacturer, Software Manufacturer and Terminal Owner, as mentioned in (Schneier, 1999). It is therefore essential to ensure that none of the above parties is a threat to any other. To achieve this, there is a need for further investigation into the design and analysis of smart card authentication and identification protocols. For this reason, Gobioff (1996) proposes that smart cards be equipped with additional I/O channels, such as buttons, to alleviate these shortcomings. Further, there are numerous attack techniques able to tamper with smart cards and other similar tamper-resistant devices, as presented in (Anderson, 1997). This also indicates the need for effective intrusion detection/prevention techniques.

5.3 Open Architecture

Existing smart card standards leave vendors too much room for interpretation.
To achieve wider implementation, there is a need for an open standard that provides interoperable smart card solutions across many hardware and software platforms. Open Platform, as defined by Global Platform (www.GlobalPlatform.org), is a comprehensive system architecture that enables the fast and easy development of globally interoperable smart card systems. It comprises three elements, card, terminal and systems, each of which may include specifications, software and/or chip card technology. Together these components define a secure, flexible, easy-to-use smart card environment. Development environments in use today include Java, Visual C, Visual Basic, C++ and the like. The development of standards like GSM, EMV, CEPS, PC/SC, OCF, ITSO and IATA 791 represents an opportunity for manufacturers to produce products on an economic scale and gives stability to systems designers. According to a report by Datacard Group (White paper version 1), true open smart cards will have the following characteristics:
* They will run a non-proprietary operating system, widely implemented and supported.
* No single vendor will specify the standards for the operating system and the cards' use.
* The cards will support a high-level application programming language (e.g. Java, C++) so issuers can supply and support their own applications as well as applications from many other vendors.
* Applications can be written and will operate on different vendors' multi-application smart cards with the same API (Application Programming Interface).

To solve the problem of lack of standardization, U.S. organizations have developed an add-on piece of smart card software meant to overcome communication problems between chip cards and readers from different vendors. They would like to see this technology, which they call a card capabilities container, used worldwide, making it an industry standard that would allow U.S. agencies to buy cards and readers from many vendors, sure that they would work together (Cathy, 2002). Another move is the development of a new organization called the Smart Card Alliance, formed by the Smart Card Industry Association (SCIA) and the Smart Card Forum (SCF) to act as a single voice for the U.S. smart card industry. Even in biometrics, each vendor has its own methods for enrolling individuals and later checking someone's identity against the stored image. However, there are efforts underway to create biometric standards, largely driven by the U.S. government. In a major step, the American National Standards Institute approved BioAPI as a standard way for biometric devices to exchange data with ID applications. ANSI is now preparing to propose BioAPI to ISO for adoption as an international standard (Donald, 2002).

5.3.1 Operating Systems

Today's smart card operating systems and application frameworks are intrinsically local and mono-application. Moreover, the smart card communicates with the outside world through a serial link. As the chip has a single bi-directional I/O pin, this link can only support a half-duplex protocol. The majority of chips work at a speed of 9600 baud, although the ISO 7816 standard defines a maximum data rate of 230400 baud. A new type of SPOM (Self-Programmable One-chip Microcomputer), named ISO/USB, was introduced in 1999; it provides a direct connection between the SPOM and the terminal via a USB port (Urien, 2000). According to the USB specification, a data throughput from 1.2 to 12 Mbit/s may be obtained between the chip and the terminal. The vision of the smart card as an application platform rather than a simple security token is a paradigm shift for smart card operating systems. According to Jurgensen (2002), the current operating system model cannot completely support the needs or the vision of the Universal Integrated Circuit Card (UICC).
The move is now towards the development of Next Generation Smart Card Operating Systems (COSng), which will be able to handle multiple applications and support future requirements.

5.4 Performance

Performance and speed are very important factors that need to be considered in most smart card applications. To achieve this, transistor scaling, i.e. the reduction of the gate length (the size of the switch that turns transistors on and off), must be taken into consideration. This not only improves the performance of chips but also lowers their manufacturing cost and power consumption per switching event. Recently, IBM built a working transistor 6 nanometers in length, which is far beyond the projection of the Consortium of International Semiconductor Companies that transistors must be smaller than 9 nanometers by 2016 in order to continue the performance trend. The ability to build working transistors at these dimensions could allow developers to put 100 times more transistors into a computer chip than is currently possible. The IBM results will lead to further research into small, high-density silicon devices and allow scientists to introduce new structures and new materials. Details are available from IBM Research News, 9th December 2002, available online at http://www.research.ibm.com/.

5.5 Reader Requirements

As the needs and uses of smart cards increase, the need has arisen for a smart card reader that is not only portable, small and light, but also easy to connect and access. However, some developers like Browns (http://www.brownsbox.com/) believe that the need for a reader is a problem, meaning extra expenditure and, when working with a laptop, a wasted port. In view of this, attempts have been made toward a device that can be attached to a PC (internally or externally). To solve this problem, Browns developed a method that turns a floppy disk drive into a smart card reader.
Another popular approach in Europe is the Smarty smart card reader/writer, the size of a 3.5-inch floppy disk, by Smart Disk Corp. The device does not require a serial, parallel, or USB port; instead it works directly from a floppy drive. Smarty supports all smart card protocols, including ISO 7816, and it works under different operating systems. Details are available from http://www.smartcomputing.com/. This idea of a smart diskette was initially proposed by Paul (1989) as shown in figure 3. A similar approach involves the development of a keyboard with integrated card reader, and/or a keyboard with integrated fingerprint sensor and card reader, by Cherry (http://www.accesskeyboards.co.uk/cherry.tm).

5.6 Portability

As mentioned earlier, portability or convenience of handling is one of the most important characteristics of smart cards. Since the smartness of a smart card relies on the integrated circuit embedded in the plastic card, it is possible that future smart cards might look like other everyday objects such as rings, watches, badges, glasses or earrings, because the same electronic function could be performed by embedding it in these objects. What remains is for developers and researchers to look into the best way of implementing it if the need arises.

6. SMART CARD VS BIOMETRIC

One of the primary reasons that smart cards exist is for security. The card itself provides a computing platform on which information can be stored securely and computations can be performed securely. Consequently, the smart card is ideally suited to function as a token through which the security of other systems can be enhanced. Most of today's systems need proper user authentication/identification, as it is a crucial part of the access control that makes up the major building block of any system's security. Three methods are currently in use: what the user has (e.g. smart card), what the user knows (e.g. password), and what the user is (biometrics).
Each of these methods has its own merits and demerits, especially when used alone. When a single method is used, we believe the smart card is the best choice. Passwords can easily be forgotten, attacked, and guessed. Similarly, biometric schemes alone are not good enough to ensure user authentication, as they are also vulnerable to attacks. First, we look into some of the benefits in using biometric schemes and then analyze some of their limitations.

The primary advantage of biometric authentication methods over other methods of user authentication is that they use real human physiological or behavioral characteristics to authenticate users. These biometric characteristics are (more or less) permanent and not changeable. It is also not easy (although in some cases not principally impossible) to change one's fingerprint, iris or other biometric characteristics. Further, most biometric techniques are based on something that cannot be lost or forgotten. This is an advantage for users as well as for system administrators, because the problems and costs associated with lost, reissued or temporarily issued tokens/cards/passwords can be avoided, thus saving some costs of the system management.

However, as reported in (Luca 2002), the major risk posed by the use of biometric systems in an authentication process is that a malicious subject may interfere with the communication and intercept the biometric template and use it later to obtain access. Likewise, an attack may be committed by generating a template from a fingerprint obtained from some surface. Further, the performance of biometric systems is not ideal. Biometric systems still need to be improved in terms of accuracy and speed. Biometric systems with a false rejection rate under 1% (together with a reasonably low false acceptance rate) are still rare today.
Although a few biometric systems are fast and accurate (in terms of low false acceptance rate) enough to allow identification (automatically recognizing the user's identity), most current systems are suitable for verification only, as the false acceptance rate is too high. Moreover, not all users can use any given biometric system. People without hands cannot use fingerprint or hand-based systems. Visually impaired people have difficulties using iris or retina based techniques. Some biometric sensors (particularly those having contact with users) also have a limited lifetime. While a magnetic card reader may be used for years (or even decades), the visual fingerprint reader (if heavily used) must be regularly cleaned and even then the lifetime need not exceed one year.

Biometric data are not considered to be secret, and the security of a biometric system cannot be based on the secrecy of users' biometric characteristics. The server cannot authenticate the user just after receiving his/her correct biometric characteristics. The user authentication can be successful only when the user's characteristics are fresh and have been collected from the user being authenticated. This implies that the biometric input device must be trusted. Its authenticity should be verified (unless the device and the link are physically secure) and the user's liveness should be checked. The input device also should be under human supervision or tamper-resistant. The fact that biometric characteristics are not secret brings some issues that traditional authentication systems need not deal with. Many of the current biometric systems are not aware of this fact and therefore the security level they offer is limited.

Users' privacy may be violated by biometric schemes. Biometric characteristics are sensitive data that may contain a lot of personal information. DNA (being the typical example) contains (among other things) the user's predisposition to diseases.
This may be a very interesting piece of information for an insurance company. Body odour can provide information about the user's recent activities. It is also mentioned in (Jain, 1999) that people with asymmetric fingerprints are more likely to be homosexually oriented, etc. Use of biometric systems may also imply loss of anonymity. While one can have multiple identities when authentication methods are based on something the user knows or has, biometric systems can sometimes link all user actions to a single identity.

Furthermore, biometric systems can potentially be quite troublesome for some users. These users find some biometric systems intrusive or personally invasive. In some countries people do not like to touch something that has already been touched many times (e.g., a biometric sensor), while in some countries people do not like to be photographed or their faces are completely covered. Lack of standards may also pose a serious problem. Two similar biometric systems from two different vendors are not likely to interoperate at present.

Although good for user authentication, biometrics cannot be used to authenticate computers or messages. Biometric characteristics are not secret and therefore they cannot be used to sign messages or encrypt documents and the like. On the other hand, smart cards provide tamper-resistant storage for protecting private keys, account numbers, passwords, and other forms of personal information. Smart cards can also serve to isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a need to know. In addition, smart cards provide a level of portability for securely moving private information between systems at work, home, or on the road.
A better approach for the utilization of biometrics is to combine biometrics with smart cards. The advantages of this may include that all attributes of the smart card will be maintained, and that counterfeiting attempts are reduced due to an enrolment process that verifies identity and captures biometrics. It will be extremely secure and provide excellent user-to-card authentication.

7. THREATS

TCG does not really address security from a user point of view, as the model is centered on platforms. User identification and authentication mechanisms, including the owner's, are rather rudimentary. Basically, proof of knowledge of a secret value shared between the owner and the TPM is proof of ownership. In the case of the owner, proof of knowledge is even proof of identity. To some extent, the pair (object UUID, Authorization Data) corresponds to a capability associated to a TPM-protected object. Threats are actually similar to those applying to capability-based models. For example, the access authorization to a TPM-protected object is given very early, when the authorization data is associated to the object, and not when the access is attempted. But more important, authentication data can be freely duplicated and the user has to find some way to protect them.

Like for every sensitive piece of information, the key issue with authorization data is storage protection. Because it is impossible for an operator to remember a 20-byte random value, most of the TPM administration products available today implement a simple password-based technique. The authentication data AuthData is computed from a password value using the SHA-1 hash algorithm:
AuthData = SHA(password)

Of course, all the well-known weaknesses of password-based authentication apply to such a mechanism: one-factor only authentication; easy to guess, subject to dictionary attacks; easy to snoop, visible in the clear when keyed or transmitted to the relying party; easy to lose and forget; easy to write down and to share with others. This type of implementation is so common that TPM manufacturers had to implement countermeasures like lockout or response degradation in order to protect from dictionary types of attacks. Another natural solution would be to securely store the authorization data directly on the platform hard drive. This type of solution is considered subject to attacks [9] and raises a lot of side issues. For example, the authorization data must be stored in an opaque container that is generally protected by a password and hence prone to dictionary attacks.

Outside of the platform owner, who just plays an administrative role, regular platform users also have to be taken into account. In everyday operations, platforms interact with users, and user identity is a decisive piece of the security and trust puzzle. For that matter all platform operating systems implement user identification and authentication mechanisms. How users fit in this picture is not completely in the scope of the TCG specification. As a consequence, authentication data are not assigned to specific users. Even though this is not a threat in itself, there are a lot of concrete cases where TPM-protected keys have to be assigned to specific users only. For example, the file encryption keys used by one user on a platform must be kept separated from those of the other platform users.

8. SMART CARD-BASED USER AUTHENTICATION

Smart card-based authentication is a first step towards the TPM-and-smart-card cooperative model introduced in section 2. The principle is to use a smart card during the execution of the user side of the TCG authorization protocols.
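As an added illustration of the password-derived AuthData weakness and of the lockout and response-degradation countermeasures described in section 7 above, the following Python model was written for this page; it is not code from the TCG specification or from any TPM vendor. It builds AuthData both ways (SHA-1 of a password, and a random 20-byte value) and simulates a TPM-side verifier. The proof-of-knowledge step is modelled as an HMAC-SHA1 over a fresh nonce keyed with AuthData; the class and function names, the three-failure lockout limit, the doubling delay and the constructed weak-password list are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Two ways of producing the 20-byte TPM authorization data (AuthData).

def authdata_from_password(password: str) -> bytes:
    """The weak construction described in the text: AuthData = SHA-1(password)."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def authdata_random() -> bytes:
    """A truly random 20-byte value; no password list can enumerate it."""
    return secrets.token_bytes(20)


def authorization_proof(authdata: bytes, nonce: bytes) -> bytes:
    """Proof of knowledge of AuthData: HMAC-SHA1 over a fresh nonce, keyed with AuthData.
    Simplified model of a TCG authorization session (assumption), not the exact protocol."""
    return hmac.new(authdata, nonce, hashlib.sha1).digest()


class AuthDataVerifier:
    """Simulated TPM-side verifier with the two countermeasures the text mentions:
    lockout after max_failures consecutive bad proofs, and response degradation
    (a delay that doubles on every failure; reported here instead of slept)."""

    def __init__(self, authdata: bytes, max_failures: int = 3):
        self._authdata = authdata            # never leaves the verifier
        self.max_failures = max_failures      # assumed limit for the illustration
        self.failures = 0
        self.delay_seconds = 0.0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        if self.locked:                       # lockout: refuse even a correct proof
            return False
        expected = authorization_proof(self._authdata, nonce)
        if hmac.compare_digest(expected, proof):
            self.failures = 0                 # success resets both countermeasures
            self.delay_seconds = 0.0
            return True
        self.failures += 1                    # response degradation on failure
        self.delay_seconds = 1.0 if self.delay_seconds == 0.0 else self.delay_seconds * 2
        return False


# Constructed sample of weak passwords, standing in for a breached-password list.
WEAK_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def exposed_to_dictionary(authdata: bytes, weak_passwords) -> bool:
    """Defender-side audit: is this AuthData simply SHA-1 of a known weak password?"""
    return any(hmac.compare_digest(authdata_from_password(p), authdata)
               for p in weak_passwords)


if __name__ == "__main__":
    weak = authdata_from_password("letmein")
    print("password-derived AuthData exposed:", exposed_to_dictionary(weak, WEAK_PASSWORDS))
    print("random AuthData exposed:", exposed_to_dictionary(authdata_random(), WEAK_PASSWORDS))
    verifier = AuthDataVerifier(weak)
    nonce = secrets.token_bytes(20)
    print("good proof accepted:", verifier.verify(nonce, authorization_proof(weak, nonce)))
    for _ in range(3):
        verifier.verify(nonce, b"\x00" * 20)
    print("locked after three failures:", verifier.locked)
```

The audit function only makes sense against password-derived values: a random AuthData of the kind a smart card can hold (section 8) has no password behind it, which is exactly why the lockout and delay become a second line of defence rather than the only one.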
The most critical piece of information in the TCG authorization protocol is the Authorization Data, which is either stored locally on the platform or computed from an external seed secret such as a password. This model raises many issues. Since smart cards, like other hardware tokens, are used to address this type of user authentication issue in environments like corporate IT or banking, smart card-based authentication can be the answer to the threats identified in section 3.4. For instance, as smart cards are physically secure and cannot be cloned, the duplication of authorization data becomes impossible. Likewise, smart cards allow the use of truly random authorization data, offering a particularly efficient protection against a dictionary attack. To offer a higher protection level, access to the authorization data can be protected by a Personal Identification Number (PIN).

In the context of user authentication, smart cards will also provide: two-factor authentication; tamper-resistant storage for protecting authentication data and other user personal information; isolation of security-critical computations involving the authentication data from other parts of the system that do not have a need to know; and portability of security and other private information between computers. But the integration of smart cards within TCG authorization protocols has an impact in terms of smart card capabilities.

8.1 Smart card requirements

In a smart card-based authentication scheme, the smart card will be primarily used to physically protect the Authorization Data. This means that the smart card must be able to: 1. store the Authorization Data, and 2. process the user side of the authorization protocol computation that requires the Authorization Data. Storing the Authorization Data in a smart card presents no particular difficulty. Every smart card, including the most basic one like a simple memory card, has the capability to store a 20-byte value.
On the other hand, how much of the authorization protocol can be processed by a smart card is directly linked with the card's cryptographic capabilities. In order to perform the entire user side of the protocol a smart card will have to be able to: generate random values; compute a shared secret using a SHA-1-based HMAC; compute and verify authentication values using SHA-1 and SHA-1-based HMAC operations; and encrypt authentication data using a XOR. Most cryptographic smart cards today have a robust Random Number Generator and support SHA-1 in native mode, but smart cards offering HMAC in native mode are less common. A solution is to simply implement a Java Card applet providing these features. The following sections describe three, incrementally secure, possible implementations of smart card-based authentication.

8.2 Importance of Smartcards to Computer Security

8.2.1 Importance of Smartcards as a Design Tool for Computer Networks

This section highlights the fundamental security challenges that face us in this increasingly computer network oriented world, and how smartcards can provide key advantages towards security.

8.2.2 Fundamental Security Challenges

Because computers and networks are becoming so central to our lives in this digital age, many new security challenges are arising. This is the era of full connectivity, both electronically and physically. Smartcards can facilitate this connectivity and other value added capabilities, while providing the necessary security assurances not available through other means. On the Internet, smartcards increase the security of the building blocks Authentication, Authorization, Privacy, Integrity, and Non-Repudiation. Primarily, this is because the private signing key never leaves the smartcard, so it is very difficult to gain knowledge of the private key through a compromise of the server computer system.
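The four card-side operations listed in section 8.1 (random values, an HMAC-SHA1 shared secret, HMAC-SHA1 authentication values, and XOR encryption of authentication data), as an added Python model written for this page. It is not the Java Card applet the text refers to and not the TCG specification's exact message formats; it follows the general shape of a TPM 1.2-style OSAP session: the shared secret is HMAC-SHA1 keyed with AuthData over two session nonces, each command and response carries an HMAC-SHA1 authenticator over a parameter digest and a nonce pair, and a new AuthData is XOR-encrypted with SHA-1(sharedSecret || nonceEven). The class names, the constructed ordinal and response strings, and the run_exchange driver are assumptions.

```python
import hashlib
import hmac
import secrets


def sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def hmac_sha1(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


def xor20(a: bytes, b: bytes) -> bytes:
    """XOR two 20-byte strings (the 'encrypt authentication data using a XOR' step)."""
    return bytes(x ^ y for x, y in zip(a, b))


class SmartCard:
    """User side. AuthData is stored here and never leaves the card; the card only
    performs the four operations the text lists."""

    def __init__(self, authdata: bytes):
        self._authdata = authdata
        self.shared_secret = None

    def random20(self) -> bytes:                                 # 1. random values
        return secrets.token_bytes(20)

    def derive_shared_secret(self, nonce_even_osap: bytes, nonce_odd_osap: bytes) -> None:
        # 2. shared secret via SHA-1-based HMAC keyed with AuthData
        self.shared_secret = hmac_sha1(self._authdata, nonce_even_osap, nonce_odd_osap)

    def authenticator(self, digest: bytes, nonce_even: bytes, nonce_odd: bytes) -> bytes:
        # 3. authentication value over a parameter digest and both nonces
        return hmac_sha1(self.shared_secret, digest, nonce_even, nonce_odd)

    def verify_response(self, digest, nonce_even, nonce_odd, res_auth) -> bool:
        return hmac.compare_digest(self.authenticator(digest, nonce_even, nonce_odd), res_auth)

    def encrypt_new_authdata(self, new_authdata: bytes, nonce_even: bytes) -> bytes:
        # 4. one-time XOR pad derived from the session secret and the TPM's nonce
        return xor20(new_authdata, sha1(self.shared_secret, nonce_even))


class SimulatedTPM:
    """Platform side, holding the same AuthData for one TPM-protected object."""

    def __init__(self, authdata: bytes):
        self._authdata = authdata
        self.shared_secret = None
        self.nonce_even = None

    def open_session(self, nonce_odd_osap: bytes):
        nonce_even_osap = secrets.token_bytes(20)
        self.shared_secret = hmac_sha1(self._authdata, nonce_even_osap, nonce_odd_osap)
        self.nonce_even = secrets.token_bytes(20)
        return nonce_even_osap, self.nonce_even

    def change_auth(self, param_digest, nonce_odd, in_auth, enc_auth, resp_digest):
        """Verify the command authenticator, decrypt the new AuthData, then answer with
        a fresh nonce and a response authenticator. Returns None on a bad authenticator."""
        expected = hmac_sha1(self.shared_secret, param_digest, self.nonce_even, nonce_odd)
        if not hmac.compare_digest(expected, in_auth):
            return None
        new_authdata = xor20(enc_auth, sha1(self.shared_secret, self.nonce_even))
        self.nonce_even = secrets.token_bytes(20)                # rolling nonce
        res_auth = hmac_sha1(self.shared_secret, resp_digest, self.nonce_even, nonce_odd)
        return new_authdata, self.nonce_even, res_auth


def run_exchange(authdata: bytes, new_authdata: bytes, card_authdata: bytes = None):
    """Drive one authorised 'change auth' command end to end. card_authdata lets a
    caller put a card holding the wrong secret in front of the TPM.
    Returns (response_verified, authdata_recovered_by_tpm)."""
    card = SmartCard(authdata if card_authdata is None else card_authdata)
    tpm = SimulatedTPM(authdata)
    nonce_odd_osap = card.random20()
    nonce_even_osap, nonce_even = tpm.open_session(nonce_odd_osap)
    card.derive_shared_secret(nonce_even_osap, nonce_odd_osap)
    enc_auth = card.encrypt_new_authdata(new_authdata, nonce_even)
    param_digest = sha1(b"TPM_ChangeAuth", enc_auth)             # constructed ordinal + params
    nonce_odd = card.random20()
    in_auth = card.authenticator(param_digest, nonce_even, nonce_odd)
    resp_digest = sha1(b"TPM_SUCCESS")                           # constructed response digest
    result = tpm.change_auth(param_digest, nonce_odd, in_auth, enc_auth, resp_digest)
    if result is None:
        return False, None
    recovered, nonce_even2, res_auth = result
    return card.verify_response(resp_digest, nonce_even2, nonce_odd, res_auth), recovered
```

Neither AuthData nor the shared secret ever crosses the card boundary in this model; only nonces, authenticators and the XOR-encrypted value are exchanged, which is what makes the card the right place to keep a random, non-password-derived AuthData.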
In a corporate enterprise system, multiple disjointed systems often have their security based on different technologies. Smartcards can bring these together by storing multiple certificates and passwords on the same card. Secure email and Intranet access, dial-up network access, encrypted files, digitally signed web forms, and building access are all improved by the smartcard. In an Extranet situation, where one company would like to administer security to business partners and suppliers, smartcards can be distributed which allow access to certain corporate resources. The smartcard's importance in this situation is manifest because of the need for the strongest security possible when permitting anyone through the corporate firewall and proxy defenses. When distributing credentials by smartcard, a company can have a higher assurance that those credentials cannot be shared, copied, or otherwise compromised.

8.2.3 The Smartcard Security Advantage

Some reasons why smartcards can enhance the security of modern day systems are:

8.2.3.1 PKI is better than passwords; smartcards enhance PKI

Public Key Infrastructure systems are more secure than password based systems because there is no shared knowledge of the secret. The private key need only be known in one place, rather than two or more. If the one place is on a smartcard, and the private key never leaves the smartcard, the crucial secret for the system is never in a situation where it is easily compromised. A smartcard allows for the private key to be usable and yet never appear on the network or in the host computer system.

8.2.3.2 Smartcards Increase the Security of Password Based Systems

Although smartcards have obvious advantages for PKI systems, they can also increase the security of password based systems.
One of the biggest problems in typical password systems is that users write down their password and attach it to their monitor or keyboard. They also tend to choose weak passwords and share their passwords with other people. If a smartcard is used to store a user's multiple passwords, they need only remember the PIN to the smartcard in order to access all of the passwords. Additionally, if a security officer initializes the smartcard, very strong passwords can be chosen and stored on the smartcard. The end user need never even know the passwords, so that they cannot be written down or shared with others.

8.2.3.3 Two Factor Authentication, and more

Security systems benefit from multiple factor authentication. Commonly used factors are: something you know, something you have, something you are, and something you do. Password based systems typically use only the first factor, something you know. Smartcards add an additional factor, something you have. Two factor authentication has proven to be much more effective than single factor because the something you know factor is so easily compromised or shared. Smartcards can also be enhanced to include the remaining two factors. Prototype designs are available which accept a thumbprint on the surface of the card in addition to the PIN in order to unlock the services of the card. Alternatively, a thumbprint template, retina template, or other biometric information can be stored on the card, only to be checked against data obtained from a separate biometric input device. Similarly, something you do, such as typing patterns, handwritten signature characteristics, or voice inflection templates, can be stored on the card and be matched against data accepted from external input devices.

8.2.3.4 Portability of Keys and Certificates

Public key certificates and private keys can be utilized by web browsers and other popular software packages, but they in some sense identify the workstation rather than the user. The key and certificate data is stored in a proprietary browser storage area and must be exported/imported in order to be moved from one workstation to another. With smartcards the certificate and private key are portable, and can be used on multiple workstations, whether they are at work, at home, or on the road. If the lower level software layers support it, they can be used by different software programs from different vendors, on different platforms, such as Windows, UNIX, and Mac.

8.2.3.5 Auto-disabling PINs Versus Dictionary Attacks

If a private key is stored in a browser storage file on a hard drive, it is typically protected by a password. This file can be dictionary attacked, where commonly used passwords are attempted in a brute force manner until knowledge of the private key is obtained. On the other hand, a smartcard will typically lock itself up after some low number of consecutive bad PIN attempts, for example 10. Thus, the dictionary attack is no longer a feasible way to access the private key if it has been securely stored on a smartcard.

8.2.3.6 Non Repudiation

The ability to deny, after the fact, that your private key performed a digital signature is called repudiation. If, however, your private signing key exists only on a single smartcard and only you know the PIN to that smartcard, it is very difficult for others to impersonate your digital signature by using your private key. Many digital signature systems require hardware strength Non Repudiation, meaning that the private key is always protected within the security perimeter of a hardware token and cannot be used without the knowledge of the proper PIN. Smartcards can provide hardware strength Non Repudiation.

8.2.3.7 Counting the Number of Private Key Usages

So many of the important things in our lives are authorized by our handwritten signature. Smartcard based digital signatures provide benefits over handwritten signatures because they are much more difficult to forge and they can ensure the integrity of the document through technologies such as hashing. Also, because the signature is based in a device that is actually a computer, many new benefits can be conceived of. For example, a smartcard could count the number of times that your private key was used, thus giving you an accurate measure of how many times you utilized your digital signature over a given period of time.

Figure 8.2.3.7.1 Smartcard Electrical Contacts

Table 8.2.3.7.2 Description of Contacts

CONTACT   TECHNICAL ABBREVIATION   FUNCTION
C1        VCC                      Supply Voltage
C2        RST                      Reset
C3        CLK                      Clock Frequency
C4        RFU                      Reserved for future use
C5        GND                      Ground
C6        VPP                      External programming voltage
C7        I/O                      Serial input/output communications
C8        RFU                      Reserved for future use

9. SMART CARD ENABLED PRODUCTS

This section lists popular security products and explains how smartcards can be used to enhance their security.

9.1 Web Browsers (SSL, TLS)

Web browsers use technology such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide security while browsing the World Wide Web. These technologies can authenticate the client and/or server to each other and also provide an encrypted channel for any message traffic or file transfer. The authentication is enhanced because the private key is stored securely on the smartcard. The encrypted channel typically uses a symmetric cipher where the encryption is performed in the host computer because of the low data transfer speeds to and from the smartcard. Nonetheless, the randomly generated session key that is used for symmetric encryption is wrapped with the partner's public key, meaning that it can only be unwrapped on the smartcard.
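The session-key wrapping pattern of section 9.1, which section 9.6 applies per file, as an added Python example written for this page (not code from any smart card vendor, browser or the paper's authors). It also carries the auto-disabling PIN of section 8.2.3.5. A toy textbook RSA key pair (unpadded, 256-bit modulus) stands in for the card's real key, and a SHA-256 counter keystream stands in for the host's bulk cipher; the SmartCard class, the retry limit of 3 and the function names are assumptions. The point it shows is that the random session key is wrapped to the public key on the host, bulk encryption happens on the host, and the session key can only be unwrapped inside the card after a correct PIN.

```python
import hashlib
import secrets

# --- Toy RSA (textbook, unpadded): an educational stand-in for the card's real key ---

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def gen_keypair(bits: int = 256):
    """Returns (public, private) as ((e, n), (d, n)); 256 bits is a toy size."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

class SmartCard:
    """Holds the private key and releases only the unwrapped session key, and only
    after a correct PIN. Blocks itself after max_tries consecutive wrong PINs."""

    def __init__(self, private_key, pin: str, max_tries: int = 3):
        self._d, self._n = private_key        # private exponent never leaves the card
        self._pin = pin
        self.max_tries = max_tries
        self.tries_left = max_tries

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def unwrap(self, wrapped: int, pin: str):
        """16-byte session key, or None if the PIN is wrong or the card is blocked."""
        if self.blocked:
            return None
        if pin != self._pin:
            self.tries_left -= 1              # auto-disabling PIN counter
            return None
        self.tries_left = self.max_tries
        return pow(wrapped, self._d, self._n).to_bytes(16, "big")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy bulk cipher on the host: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt_file(public_key, plaintext: bytes):
    """Host side: fresh random session key per file, bulk encryption on the host,
    session key wrapped to the card's public key."""
    e, n = public_key
    session_key = secrets.token_bytes(16)     # 128 bits, always smaller than the modulus
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, plaintext)

def decrypt_file(card: SmartCard, pin: str, wrapped: int, ciphertext: bytes):
    """Host side: ask the card to unwrap; returns None when the card refuses."""
    session_key = card.unwrap(wrapped, pin)
    return None if session_key is None else keystream_xor(session_key, ciphertext)
```

A real deployment would use the card's padded RSA or ECC key and an authenticated cipher on the host; the structure (host-side bulk cipher, card-side unwrap gated by a PIN with a retry counter) is the same.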
Thus it is very difficult for an eavesdropper to gain knowledge of the session key and message traffic.

9.2 Secure Email (S/MIME, Open PGP)

S/MIME and Open PGP allow for email to be encrypted and/or digitally signed. As with SSL, smartcards enhance the security of these operations by protecting the secrecy of the private key and also unwrapping session keys within a security perimeter.

9.3 Form Signing

Web based HTML forms can be digitally signed by your private key. This could prove to be a very important technology for internet based business because it allows for digital documents to be hosted by web servers and accessed by web browsers in a paperless fashion. Online expense reports, W-4 forms, purchase requests, and group insurance forms are some examples. For form signing, smartcards provide portability of the private key and certificate as well as hardware strength non repudiation.

9.4 Object Signing

If an organization writes code that can be downloaded over the web and then executed on client computers, it is best to sign that code so the clients can be sure it indeed came from a reputable source. Smartcards can be used by the signing organization so the private key cannot be compromised by a rogue organization in order to impersonate the legitimate one.

9.5 Kiosk / Portable Preferences

Certain applications operate best in a kiosk mode where one computer is shared by a number of users but becomes configured to their preferences when they insert their smartcard. The station can then be used for secure email, web browsing, etc., and the private key would never leave the smartcard into the environment of the kiosk computer. The kiosk can even be configured to accept no mouse or keyboard input until an authorized user inserts the proper smartcard and supplies the proper PIN.

9.6 File Encryption

Even though the 9600 baud serial interface of the smartcard usually prevents it from being a convenient mechanism for bulk file encryption, it can enhance the security of this function. If a different, random session key is used for each file to be encrypted, the bulk encryption can be performed in the host computer system at fast speeds and the session key can then be wrapped by the smartcard. Then, the only way to easily decrypt the file is by possessing the proper smartcard and submitting the proper PIN so that the session key can be unwrapped.

9.7 Workstation Logon

Logon credentials can be securely stored on a smartcard. The normal login mechanism of the workstation, which usually prompts for a username and password, can be replaced with one that communicates to the smartcard.

9.8 Dialup Access (RAS, PPTP, RADIUS, TACACS)

Many of the common remote access dial-up protocols use passwords as their security mechanism. As previously discussed, smartcards enhance the security of passwords. Also, as many of these protocols evolve to support public key based systems, smartcards can be used to increase the security and portability of the private key and certificate.

9.9 Payment Protocols (SET)

The Secure Electronic Transactions (SET) protocol allows for credit card data to be transferred securely between customer, merchant, and issuer. Because SET relies on public key technology, smartcards are a good choice for storage of the certificate and private key.

9.10 Digital Cash

Smartcards can implement protocols whereby digital cash can be carried around on a smartcard. In these systems, the underlying keys that secure the architecture never leave the security perimeter of hardware devices. Mondex, VisaCash, EMV (Europay-Mastercard-Visa), and Proton are examples of digital cash protocols designed for use with smartcards.

9.11 Building Access

Even though the insertion, processing time, and removal of a standard smartcard could be a hassle when entering a building, magnetic stripe or proximity chip technology can be added to smartcards so that a single token provides computer security and physical access.

10. PROBLEM WITH SMART CARD

Even though smartcards provide many obvious benefits to computer security, they still haven't caught on with great popularity in countries like the United States. This is not only because of the prevalence, infrastructure, and acceptability of magnetic stripe cards, but also because of a few problems associated with smartcards. Lack of a standard infrastructure for smartcard reader/writers is often cited as a complaint. The major computer manufacturers haven't until very recently given much thought to offering a smartcard reader as a standard component. Many companies don't want to incur the cost of outfitting computers with smartcard readers until economies of scale drive down their cost. In the meantime, many vendors provide bundled solutions to outfit any personal computer with smartcard capabilities. Lack of widely adopted smartcard standards is often cited as a complaint. The number of smartcard related standards is high and many of them address only a certain vertical market or only a certain layer of communications. This problem is lessening slowly as web browsers and other mainstream applications are including smartcards as an option. Applications like these are helping to speed up the evolution of standards.

11. FUTURE WORK

Different usage scenarios can be defined to explore additional synergies between TPM and smart cards. For example, an MIS department orders trusted platforms from their favorite PC manufacturer. The machines are configured and personalized according to the end-user profile, following the corporate policies.
The MIS representatives possess a specific smart card, the owner card, which is used for trusted platform initialisation and maintenance. During the initialization process the user smart card is created for the platform end-user. This card stores the user secrets and credentials, to be used during the processing of security functions like digital signature of documents. Our scenario provides features to securely share the TPM among several users. Each user owns a dedicated protected Storage Tree under the Storage Root Key (SRK), protected by local User Root Keys (URK).

The first phase in the trusted platform life cycle will be the initialization of the TPM. During this step, the corporation, through the MIS department, will take ownership of the TPM. This phase covers the loading of secrets into the TPM and the creation of a root storage key, but also the generation of a smart card that will be given to the main platform user. During this process a URK can be created for the first user, secured by the SRK, and then user keys can be generated under the URK. These keys will be used to generate quotes for a given user. The platform is then given to the main end-user, who also receives a user smart card.

12. CONCLUSION

Most of the smart card systems in use today serve one purpose and are related to just one process or are hardwired to only one application. A smart card cannot justify its existence in this respect. The approach of the future smart card is therefore towards designing a multi-application card with its own operating system, based on open standards, that can perform a variety of functions. It must be configurable and programmable and it must be able to adapt to new situations and new requirements, especially in areas such as security, memory management, and operating system.
Most smart card application methods today rely on the fact that the code of the functions to be performed should be imported by the card operating system from an outside server. This approach is quite weak with regards to security. It is, therefore, important t
