Smart Cards

1
Smart Cards

• By Simon Siu and Russell Doyle

2
Overview

• Size of a credit card
• Small embedded computer chip
• Memory cards
• Processor cards
• Electronic purse cards (FSU ID card)
• Security cards
• Processor cards require a reader

3
History of Smart cards

• Patented in 1970s (several different designs)
• 1983 first mass use in France for pay phone
• 1992 second mass use again in France for debit
  cards
• 1993 Visa, MasterCard, Europay agreed on a
  standard (EMV)
• Contactless technology is the new trend

4
Hardware Chip is accessed electronically via
gold plate
5
Smart card vs. Magnetic strip card

• Smart card is more secure
• Data encryption ability
• Difficult to access data without terminal
• Smart card is more expensive
• Smart card is less durable

6
Usage

• Banking
• ATM
• Payment
• Like credit card
• Access control
• Certificate holder (able to do triple DES)
• Id
• Information storage

7
Prime examples

• Medical application Germany issues smart cards
  to all citizens
• India drivers licenses (becoming popular in
  other countries)
• China transit (GuongZhou)
• England tracking device in airports

8
Programming the Card

• OpenCard
• Java interface, Java Electronic Commerce
  Framework (JECF)
• PC/SC
• Windows based interface

9
Modeling Security Threats

• Breaking Up Is Hard To Do Modeling Security
  Threats for Smart Cards by Schneier and Shostack

10
Smart Cards handicap

• Functionality is split in unusual ways compare to
  a computer
• Unable to interact with the world without outside
  peripherals
• Multiple parties

11
Cardholder

• Holding the card
• May or may not control the info in card
• Does not control the protocols, software, or
  hardware in the card system

12
Data Owner

• May or may not control data in the card
• Digital certificates
• Amount of money in account

13
Terminal

• Control all I/O to and from the card
• Phone
• ATM
• Set-top box

14
Card Issuer

• Control operating system running on the card
• Initial data
• Card manufacturer
• Software manufacturer

15
Examples of Trust Splits in Smart card systems

• Digital Stored Value Card
• Cash card
• Mondex
• VisaCash
• Digital Check Card
• Similar to cash card
• Card owner is also the data owner
• Prepaid Phone Card
• Value card
• Account-based Phone Card
• Account number

16
Continues

• Access Token
• Key to login or authenticatio protocol
• Web Browsing Card
• Cash card
• Cardholder and terminal owner are the same

17
Continues

• Digital Credential Device
• Digital certificates or ther credentials
• Cardholder and data owner are the same
• Kerberos
• DSSA/SPX
• Key Storage Card
• Key
• Multi-Function Card

18
Threats

• Attack is an attempte by one or more parties
  involved in a smart card transaction to cheat
• Interfere with one or more parties
• Inside vs Outside Attacks
• One of the parties
• Outsider stealing a card

19
Motives for Attack

• Financial theft
• Impersonation attack gain access
• Privacy attack
• Publicity attack

20
Classes of Attack

• Attack by the Terminal against the cardholder or
  data owner
• Fake ATM machines
• Assume we trust the terminal
• Preventions
• Limit the time to modify
• Limit the amount of reduced at a given time
• Real prevention is monitering by back-end system

21
Continues

• Attack by the cardholder against the terminal
• Fake cards with rogue software
• Preventions
• Good protocol design
• Hard-to-forge physical aspects
• Hologram on Visa

22
Continues

• Attack by the cardholder against the data owner
• Pay-TV access cards
• Reverse-engineering
• Defeat tamper-resistance
• Fault analysis
• Attack by the cardholder against the issuer
• Randomly access an acount with account-based
  phone cards
• If there is a key, capture the key and use it

23
Continues

• Attack by the cardholder against the software
  manufacturer
• One application on a smard card to subvert
  another running on the same card.

24
Conclusion on Security

• Resistance
• Make specific attacks harder stronger
  cryptographic protocols, increase
  tamper-resistance
• Few splits to eliminate certain attacks altogeter
• Example cardholder is also the data owner which
  means no cardholder attacking data owner
• Adding screen and data entry to the card
• Increase the cost
• More Transparency
• Open publication leads to review and analysis
• Cleanly separating roles
• Example Mondex system with various terminals
• User can check his/her account in any one of them

25
Evolution of Smart cards or lack there of

• Why is it not popular in America yet?
• Social environment
• Split government systems
• Class differences
• Market forces
• Cost vs. Benefit

26
Future of smart cards

• Security of smart card is similar with the
  security of PC
• New technology help to further secure smart
  system
• Digital display on the card
• Contact vs. Contactless

27
References

• http//www.schneier.com/paper-smart-card-threats.p
  df
• http//en.wikipedia.org/wiki/Smart_card
• http//smartcard.nist.gov/faq.html