Smart Card Content Security

Author

  • Stefano Zanero

Abstract

Smart Cards are often touted as “secure” portable storage devices. A complete, high-level design methodology has been proposed for embedded information systems based on smart card devices. However, this methodology takes for granted that information stored on the card will really be stored securely, and that access control will be correctly maintained. Unfortunately, the standards and specifications created by hardware and software vendors, for both the card hardware and the micro operating system that runs it, have repeatedly proven to be less secure than they are commonly supposed to be. In this paper we try to analyze the faults in existing standards and implementations of content security for smart card embedded information systems, and we try to suggest possible ways (both hardware and software) to prevent security leaks. This paper does not provide breaking news, but rather tries to sum up the known techniques to attack smart card devices.

1 SMART CARD CONCEPTS

1.1 CARD TYPES. WHAT IS SMART?

The International Organization for Standardization (ISO) standard 7810 "Identification Cards – Physical Characteristics" defines physical properties such as flexibility, temperature resistance, and dimensions for three different card formats (ID-1, ID-2, and ID-3). There are different types of ID-1 format cards, each specified by a different substandard:

  • Embossed cards: embossing allows for textual information or designs on the card to be transferred to paper by using a simple and inexpensive device. ISO 7811 specifies the embossed marks, covering their form, size, embossing height, and positioning. Transfer of information via embossing may seem primitive, but the simplicity of the system has made worldwide proliferation possible.

  • Magnetic Stripe: the primary advantage that magnetic stripe technology offers over embossing is a reduction in the flood of paper documents. Parts 2, 4, and 5 of ISO 7811 specify the properties of the magnetic stripe, coding techniques, and positioning. The stripe’s storage capacity is about 1000 bits, and anyone with the appropriate read/write device can view or alter the data.

  • Integrated Circuit cards (smart cards): these are the newest and most clever additions to the ID-1 family, and they also follow the details laid down in the ISO 7816 series. These types of cards allow data storage that is orders of magnitude greater – cards with over 20 Kbytes of memory are currently available. Also, and perhaps most important, the stored data can be protected against unauthorized access and tampering. Memory functions such as reading, writing, and erasing can be linked to specific conditions, controlled by both hardware and software. Another advantage of smartcards over magnetic stripe cards is that they are more reliable and have longer expected lifetimes.

  • Memory Cards: though often also referred to as smartcards, memory cards are typically much less expensive and much less functional than microprocessor cards. They contain EEPROM and ROM memory, as well as some address and security logic. In the simplest designs, logic exists to prevent writing and erasing of the data. More complex designs allow for memory read access to be restricted. Since they cannot directly manipulate data, they are dependent on the card reader (also known as the card-accepting device) for their processing and are suitable for uses where the card performs a fixed operation. Typical memory card applications are pre-paid telephone cards and health insurance cards.

  • Contactless Smartcards: though the reliability of smartcard contacts has improved to very acceptable levels over the years, contacts are one of the most frequent failure points of any electromechanical system due to dirt, wear, etc. The contactless card solves this problem and also provides the issuer an interesting range of new possibilities during use. Cards need no longer be inserted into a reader, which could improve end user acceptance. No chip contacts are visible on the surface of the card, so the card graphics can be designed with more freedom. Still, despite these benefits, contactless cards have not yet seen wide acceptance. The cost is higher and not enough experience has been gained to make the technology reliable. Nevertheless, this elegant solution will likely have its day in the sun at some time in the future.

  • Optical Memory Cards: ISO/IEC standards 11693 and 11694 define standards for optical memory cards. These cards look like a card with a piece of a CD glued on top, which is basically what they are. They can carry many megabytes of data, but can only be written once and never erased with today’s technology. Today, these cards have no processor in them (although this is coming in the near future). While the cards are comparable in price to chip cards, the card read and write devices use non-standard protocols and are still very expensive. However, such cards may find use in applications such as health care where large amounts of data must be stored.

Similar resources

A Study on Smart Card Security Evaluation Criteria for Side Channel Attacks

In the course of making electronic services and facilities more widely accessible and usable, more and more IT systems are incorporating smart cards as a component. We analyze the side channel attacks for the smart card and similar security evaluation criteria for smart card protection profiles based on the common criterion. Furthermore, we propose the smart card security evaluation criteria f...

Improving the Password-Based Authentication against Smart Card Security Breach

Password-based authentications using smart cards are very necessary between login users and a remote server. Smart card security breach threatens the security of password-based authentication schemes with smart cards. A password-based authentication scheme with smart cards against smart card security breach was proposed by C.T. Li et al. recently. However, it is noted that Li et al.'s scheme ne...

A Formal Security Model of a Smart Card Web Server

Smart card Web server provides a modern interface between smart cards and the external world. It is of paramount importance that this new software component does not jeopardize the security of the smart card. This paper presents a formal model of the smart card Web server specification and the proof of its security properties. The formalization enables a thoughtful analysis of the specification...

Smart card abstract pdf

smart card abstract pdf Smart cards are used in information technologies as portable integrated. Abstract: While mobile handheld devices provide productivity benefits, they also pose. Paper describes two novel types of smart card with unconventional form factors. smart card abstract ppt Pdf. ABSTRACT Over the past few years, smart cards have achieved a growing acceptance as a powerful tool for se...

Security Risks of Java Cards

As early as the 1980s, France issued smart cards for their Public Telephone and Telegraph (PTT) system. Only recently have smart cards begun penetrating the commercial market in North America. With the introduction of Java Card 2.0 (hereafter referred to simply as Java Card), interest in smart cards for commercial applications in North America appears certain to grow. The key innovation that Ja...

Java Card or How to Cope with the New Security Issues Raised by Open Cards?

In this paper, we aim to discuss various threats raised by Java Cards at various levels of the system. First, we address the Java Card platform security itself, from the chip security features to the Java Card virtual machine. Next, we expose how to deal with application security which is a standard problem for smart card manufacturers but a quite new one for third party Java developers beginni...

Publication date: 2002