The smart card we know today began with the silicon integrated circuit chip. Invented by Robert Noyce in 1959, this concept led to the idea of incorporating it onto a plastic card in the late 1960’s. These cards use, since then, MOS integrated circuit chips and MOS memory (flash memory and EEPROM).
There were several developments that took this concept until what is known today and the first one took place in Germany were 2 engineers, Mr. Gröttrup and Mr. Dethloff, introduced and integrated circuit chip onto a plastic card in the late 1960’s. Gröttrup had the idea patented in 1967, in West Germany, and its initial idea was to provide individual copy-protected keys for unmanned gas stations. Later on, they patented it several other countries.
Other developments were made that matched this idea, but it was Roland Moreno, a French inventor, that created the first integrate chip card in 1974. This consisted of a card that contained a secured memory.
In 1977, Michel Ugon invented the first microprocessor smart card that contained 2 chips, one microprocessor and one memory and in 1978 he went even further, by inventing the self-programmable one-chip microcomputer. This defines the necessary architecture to program the chip. This was used by Motorola, which produced the first microchip embedded smart card.
A smart card is a physical electronic authorization device that’s used to control access to a specific resource. These have an embedded integrated circuit (IC) chip were information is stored.
There are different technologies we can find within the smartcard concept and they can be divided into 2 major groups, Contact and Contactless. Within these, we can find some cards that are considered as Dual interface cards, these consist in smartcards that englobe both Contact and Contactless technologies.
We can find the following smart card technologies available:
What is it?
Cards with Contact technology are the most common you can find around the world, as you can find it in most credit, ATM and SIM cards.
This method requires contact between the chip and an exterior machine to be able to exchange the information required for the process it is used in.
For example, when used in a payment situation, this type of card needs direct contact with the payment terminal to be able to process the transaction.
How does it work?
The contact needed for the smart card to communicate with the network, is provided by a contact area of approximately 1 cm2. This area is composed by several gold-plated contact pads that provide electrical connectivity, when inserted into a reader, between the card and the host (as cards have no own power supply, they withdraw energy from the terminal to power it’s functions)
The standards for this type of cards are established by ISO/IEC 7810 and ISO/IEC 7816. These define:
Financial cards are the same as the ones used in SIM cards, just programmed differently and embedded in a different piece of PVC. For this being, chip manufacturers are producing to the more demanding GSM/3G standards and this makes a difference, for example, when speaking of the cards energy supply.
EMV standards allow a card to draw 50 mA from a terminal, although cards are normally well below the 6mA consumption (that’s the telephone industry’s limit). This means that financial card terminals can be smaller and cheaper.
Contacts technology can be used in:
What is it?
With the current situation that our world is going through, Contactless smartcards became even more popular, as they help prevent unnecessary contact situations.
Contactless technology allows access to data stored in the cards chip, as the name suggests, without any means of contact.
How does it work
These cards feature an integrated chip and antenna that provides communication when near a proper terminal.
Like contact cards, contactless cards do not have batteries, so they use an inductor to capture some of the incident radio-frequency signal, rectify it and use it to power the card’s electronics.
These can be made of PVC, paper/card and PET finish, depending on the requirements faced, such as performance, cost and durability.
Contactless technology can be used in:
Contactless cards use RFID (Radio Frequency Identification) or NFC (Near Field Communication) technologies, which is a subset of RFID. The terminal produces a certain frequency that enables communication with the card antenna.
Different frequencies can be used for contactless technology implementation, and they can be divided into Low Frequency (LF), High-Frequency (HF) and Ultra-High frequency (UHF).
As usual, this technology also needed to have standards defined for their impletmentation, so ISO established the standards for NFC use in proximity cards that are described in ISO/IE 14443.
Smart cards usually are resistant to attacks, they are often used in applications that require high security protection and authentication.
The communication between a smart card and a card accepting device (CAD) is possible due to small data packets called APDUs (Application Protocol Data Units). The communication has 3 major characteristics:
- Small bit range (9600 bit per second) using bi-directional transmission line (ISO 7816/3)
- Half duplex mode for sending data (data only travels in one direction at a time)
- Communication follows the Communication Protocol.
The protocol consists in:
- The smart card and CAD use a mutual active authentication protocol to identify each other. The card generates a random number and sends it to the CAD, which encrypt the number with a shared encryption key before returning it to the card. The card then compares the returned result with its own encryption. The pair may then perform the operation in reverse.
- Once communication is established, each message between the pair is verified through a message authentication code. This is a number that is calculated based on the data itself, an encryption key, and a random number. If data has been altered (for any reason, including transmission errors) message must be re-transmitted. Alternatively, if the chip has sufficient memory and processing power, the data can be verified through a digital signature.
All data and passwords on a card are stored in the EEPROM (Electrically-Erasable Programmable Read-Only Memory) and can be erased or modified by an unusual voltage supply. Therefore, some security processors implemented sensors for environmental changes. However, since it is difficult to find the right level of sensitivity and there is a voltage fluctuation when the power is supplied to the card, this method is not widely used. Other successful attack methods include heating the controller to a high temperature or focusing the UV light on the EEPROM, thus removing the security lock. Invasive physical attacks are the most destructive when the card is cut and the processor removed. Then the layout of the chip can be reverse-engineered.
Several technologies have already been developed to protect Smart Cards and keep the data that is stored in it safely.
The data stored in the smart card is organized into a tree hierarchy. This is basically a system that contains one master file (MF) that contains several elementary files (EF) and several dedicated files (DF). DFs and the MF correspond to directories and Efs correspond to files. This system is similar to what we can find on any common OS for PCs.
Each header of these files contains security attributes that function as user rights on a PC. This means that access can be restricted in a way that any application can transverse the file tree but it to move to a node it to have the proper rights.
When several incorrect attempts of inserting the PIN occur, the OS blocks the card. Once blocked the card can only be unblocked with a specific PIN that’s stored in the card, but even this PIN can be blocked when wrong attempts occur. In this case the blockage is irreversible.
Software producers also contribute to the smartcard security – they should provide their products with properly encrypted data and transfers. To help them achieve this goal, hardware-based or OS-based instructions and libraries supporting advanced cryptographic algorithms have been developed.
Meanwhile, looking at the contactless security, researchers have found that the cardholder’s name, credit card number and expiration date may be transmitted by these cards without any sort of encryption.
Contactless cards usually have a payment limit on a single transaction, that depends on the economic space (country) and some of them even have a certain number of times before customers are asked for the PIN. Cards that hold this technology use the same chip-PIN network as older cards and are protect by the same fraud guarantees.