Smart Card Content Security

Smart Cards are often touted as “secure” portable storage devices. A complete, high-level design metodology has been proposed for embedded information systems based on smart card devices. However, this metodology takes as granted that informations stored on the card will be really securely stored, and access control will be correctly maintained. Unfortunately, standards and specifications, created by hardware and software vendors for both the card hardware and the micro operating system which runs it have been repeatedly proven not as secure as they are commonly supposed to be. In this paper we try to analyze the faults in existing standards and implementations of content security for smart card embedded information systems, and we try to suggest possible ways (both hardware and software) to prevent security leaks. This paper does not provide breaking news, but rather tries to sum up the known techniquest to attack smart card devices. 1 SMART CARD CONCEPTS 1.1 CARD TYPES. WHAT IS SMART ? The International Organization for Standardization (ISO) standard 7810 "Identification Cards – Physical Characteristics" defines physical properties such as flexibility, temperature resistance, and dimensions for three different card formats (ID-1, ID-2, and ID-3). There are different types of ID-1 format cards, each specified by a different substandard: Embossed cards: embossing allows for textual information or designs on the card to be transferred to paper by using a simple and inexpensive device. ISO 7811 specifies the embossed marks, covering their form, size, embossing height, and positioning. Transfer of information via embossing may seem primitive, but the simplicity of the system has made worldwide proliferation possible. Magnetic Stripe: the primary advantage that magnetic stripe technology offers over embossing is a reduction in the flood of paper documents. Parts 2, 4, and 5 of ISO 7811 specify the properties of the magnetic stripe, coding techniques, and positioning. The stripe’s storage capacity is about 1000 bits and anyone with the appropriate read/write device can view or alter the data. Integrated Circuit cards (smart cards): these are the newest and most clever additions to the ID-1 family, and they also follow the details laid down in the ISO 7816 series. These types of cards allow far greater orders of magnitude in terms of data storage – cards with over 20 Kbytes of memory are currently available. Also, and perhaps most important, the stored data can be protected against unauthorized access and tampering. Memory functions such as reading, writing, and erasing can be linked to specific conditions, controlled by both hardware and software. Another advantage of smartcards over magnetic stripe cards is that they are more reliable and have longer expected lifetimes. Memory Cards: though often also referred to as smartcards, memory cards are typically much less expensive and much less functional than microprocessor cards. They contain EEPROM and ROM memory, as well as some address and security logic. In the simplest designs, logic exists to prevent writing and erasing of the data. More complex designs allow for memory read access to be restricted. Since they cannot directly manipulate data they are dependent on the card reader (also known as the card-accepting device) for their processing and are suitable for uses where the card performs a fixed operation. Typical memory card applications are pre-paid telephone cards and health insurance cards. Contactless Smartcards: though the reliability of smartcard contacts has improved to very acceptable levels over the years, contacts are one of the most frequent failure points any electromechanical system due to dirt, wear, etc. The contactless card solves this problem and also provides the issuer an interesting range of new possibilities during use. Cards need no longer be inserted into a reader, which could improve end user acceptance. No chip contacts are visible on the surface of the card so that card graphics can express more freedom. Still, despite these benefits, contactless cards have not yet seen wide acceptance. The cost is higher and not enough experience has been gained to make the technology reliable. Nevertheless, this elegant solution will likely have its day in the sun at some time in the future. Optical Memory Cards: ISO/IEC standards 11693 and 11694 define standards for optical memory cards. These cards look like a card with a piece of a CD glued on top which is basically what they are. They can carry many megabytes of data, but can only be written once and never erased with today’s technology. Today, these cards have no processor in them (although this is coming in the near future). While the cards are comparable in price to chip cards, the card read and write devices use non-standard protocols and are still very expensive. However such cards may find use in applications such as health care where large amounts of data must be stored.