Presentation is loading. Please wait.

Presentation is loading. Please wait.

Smart Card Technology Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University.

Similar presentations

Presentation on theme: "Smart Card Technology Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University."— Presentation transcript:

1 Smart Card Technology Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University

2 Agenda nOverview nClassification of Smart Cards nArchitecture nAPI and Access functions nPC/SC nOperating Systems uMPCOS-EMV uJAVA CARD nApplications of smart card nSmart cards & Cryptography nCompanies, Work groups, Links nQuestions

3 What is a Smart Card? nContact Smart Card Communication through electrical contacts ISO/IEC 7816

4 What is a Smart Card?Chip A very secure way of storing a small amount of sensitive data

5 Whats In The Chip? Chip Operating System Applicative memory (where you store your data)

6 Classification nMemory vs. microprocessor uMemory cards 4 simply store data 4 read and write to a fixed address on the card Straight Memory Cards Protected Cards: configured to restrict access through a password Stored Value Memory Cards: such as a telephone card, the chip has memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. uMicroprocessor cards 4 Miniature Computer with microprocessor chip, input/output port, OS, ROM, EEPROM, RAM 4 Add, delete, manipulate information in its memory 4 Built-in security features 4 multiple functions and/or different applications reside on the card

7 Classification nContact vs. contactless uContact smart card 4 are inserted in a smart card reader making physical contact with the reader uContactless smart cards 4 smart cards that employ a radio frequency (RFID) between card and reader without physical insertion of the card uCombi card 4 combines the two features

8 uPredefined file structures: Binary files, Secret Key files, … uA set of dedicated commands: Read, Write, Update uCryptographic capabilities: 3DES, RSA,... The Chip Operating System COS

9 Platform uSmall processors 4 8 or 16 bits uVery small memory 4 8k, 16k, 32k, 64k, 128K of ROM 4 Between 1 and 32 Kb of EEPROM 4 Between 256 bytes and 4Kb of RAM uCommunication 4 through RS232 serial and USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA ports, …

10 Life Cycle nFabrication phase nPre-personalisation Phase nPersonalisation Phase nUtilisation Phase nEnd-of-Life Phase

11 Examples nGPK 8000 uMPCOS-EMV compatible with ISO u8Kb EEPROM u3DES, RSA/DSA (up to 1024 bits), SHA-1, MD5 nGemSafeXpresso 32K uJava Card platform compatible with ISO /2/3/4 u32K EEPROM uRSA ( bits), 3DES algorithms nSIM Back-up cards uCapacity: 254 phone numbers & names uCapacity: 30 text messages uDedicated to personal data storage

12 PC/SC Smart card readers What is PC/SC? What is PC/SC? uStandardizes communication compatible with the ISO-7816 between computer software and smart cards uDeveloped by smart card and computer manufacturers uPromoted by Microsoft Serial Serial PC Card PC Card USB USB PS/2 PS/2

13 PC/SC nWhat is PC/SC uFacilitate Smart Card Integration into PC Environment uSmart Card Reader and Smart Card Interoperability at Different Levels uApplication and Vendor Neutral uPlatform Independent Specifications

14 PC/SC nCore Members of the PC/SC Workgroup

15 PC/SC nPC/SC Architecture ICC-Aware Application ICC-Aware Application ICC-Aware Application Service Providers Service Providers Service Provider Drivers Smart Card Readers Smart Cards PC/SC IFD Handler Interface PC/SC RM InterfacePC/SC Service Provider Reference Interfaces ICC-Aware Application ICC-Aware Application ICC-Aware Application ICC-Aware Application ICC-Aware Application ICC-Aware Application Resource Manager Microsoft Resource Manager Service Providers Service Providers Service Provider Service Providers Service Providers Service Provider IFD Handler IFD Handler IFD Handler IFD ICC IFD Handler IFD Handler IFD Handler IFD ICC

16 PC/SC nThe interfaces of PC/SC Smart Card Resource Manager Smart Card Aware Applications Smart Card User Interface Smart Card Service Providers WinSCard.dll SCardDlg.dll SCardSvr.exe scardssp.dlland others use the COM interface model!

17 PC/SC nSmart Card and Reader Access Functions uSCardEstablishContext uGetOpenCardName() / SCardUIDlgSelectCard() uSCardConnect() uSCardListCards() uSCardListReaders() uSCardGetStatusChange() uSCardIntroduceCardType() uSCardStatus() uSCardTransmit() uSCardReconnect() uSCardLocateCards() uSCardReleaseContext uSCardDisconnect()



20 ReturnCode = connectToCard(DlgStruct->hSCardContext, DlgStruct->lpstrRdr, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0, &(DlgStruct->hCardHandle), &(DlgStruct->dwActiveProtocol)); if(ReturCode != SCARD_S_SUCCESS) printf("Failed connection to the card0X%0X.\n",ReturnCode);



23 PC/SC The application exchanges a Select File APDU and displays the results B

24 Operating Systems nFixed File Structure uMulti-application Payment Chip Operating System EMV (MPCOS-EMV) 4 The card is treated as secure computing and storage device 4 Files and permissions are set in advance by the issuer 4 ideal for a fixed type of card structure and functions that will not change in the near future nDynamic Application System uJava Card, MULTOS 4 enables developers to build, test, and deploy different applications securely 4 OS and applications are more separate 4 Example SIM card for mobile GSM

25 MPCOS-EMV nCommunication usend and receive data under the T=0 communication protocol format according to the ISO standard uT=1 or T=14 communication protocol can be activated uBaud Rates supported with 3.68 MHz Reader: baud baud baud baud baud

26 MPCOS-EMV Files nInitial File Structure

27 MPCOS-EMV Files uPublic key files, secret code files, Purse files... uFile Descriptors When we create a file, the crlFile command generate a File descriptor EF Descriptor DF Descriptor

28 MPCOS-EMV nData Access Management uFiles can be secured by secret codes uSecret codes are stored in Elementary files (Efsc) uEach EFsc can store to eight secret codes, (0 to 7) nAccess Control uAllowed without any restriction uPossible after PIN verification uForbidden nPIN Management 1.PIN has been presented 2.PIN has not been presented or was presented incorrectly 3.PIN is blocked

29 MPCOS-EMV Cryptography n3DES Algorithm u16 bits secret key uEncrypting /decrypting uComputing signatures uSecure messaging (Authentication)

30 MPCOS-EMV Commands uCommand Format uResponse Format HeaderBody CLA INS P1 P2LcParameters/dataLe BodyTrailer DataSW1, SW2

31 MPCOS-EMV Commands uAdministration commands, 4 Create File, Read Binary, Select File, Read File, Write Binary, Update Binary, Read Record, Verify Pin, Select File, Read Record, Internal authenticate, external authenticate uPayment commands 4 E.g., Credit a purse, Debit a purse, Read Balance …

32 Whats Java Card 2.2 nA set of specifications uIssued by Sun Microsystems uPromoted by the JavaCard Forum uBased on the Java language nThree parts uThe Java Card API 4 Subset of Java API uThe Java Card Run-time Environment (JCRE) 4 Subset of JRE uThe Java Card Virtual Machine (JCVM) 4 Subset of JVM

33 Java Card Architecture Microprocessor + Memory + I/O Native layer Java Card 2.1 VM Java Card 2.1 API Card Manager Pure Java Card. Applet 3 Applet 3 Pure Java Card. Applet 1 Applet 1 Pure Java Card. Applet 2 Applet 2

34 Java Card 2.2Compilation JC Applet.class JC Applet.class Specification JC JC JC Conversion JC Applet.cap JC Applet.cap Load / Install Java Card Client / Host Application Run ! PC CARD

35 Applet Interaction nJava Card applets can only interact with uJCRE through APDUs (Application Protocol Data Units) Methods( ) Applet 1 Applet 2 Applet i Data JCRE CAD APDU

36 APDU commands n2 types of APDU can be sent to the card: Ê OS/Administrative commands 4 Available in JCRE and CM eg: INSTALL, LOAD, SELECT … Ë Applicative commands 4 specific to the JC applets loaded in the card eg: debit, credit, getbalance for an e-purse applet CLAINSP1P2Lc "data " Le SW1SW2

37 Applet Life Cycle Applet loaded Applet activated Applet selected Class file bytecode Java Card source code CAP file Bytecode Applet Processing APDUs Install / Register Select / Deselect Process Load / Remove ON-CARDOFF-CARD

38 Applet structure 1. PREPARATION: package com.psu.applet.TestAuth; import javacard.framework.* ; import*; import javacardx.crypto.*; public class MyBaseApplet extends javacard.framework.Applet { private final static byte CONSTANT = 0x.. ; private static final int myVariable =... ; private int counterValue ; MyBaseApplet() { super() ; counterValue =... ; } 2. INITIALIZATION: public static void install( byte[] param, short offs, byte length ) { MyBaseApplet myApplet = new MyBaseApplet() ; myApplet.register() ; } public boolean select() { return true ; }

39 Applet structure 3. COMMAND DISPATCHING: public void process( APDU apdu ) { switch(apduBuffer[ISO7816.OFFSET_INS]) { case INS_BIN_READ: case INS_BIN_UPDATE: ProcessFileCommand(apdu); break; case INS_SET_STATUS: ProcessSetStatus(apdu); break; case INS_VERIFY_PIN: VerifyPIN(apdu); break; case INS_PUT_KEYS: PutKeys(apdu); break; …………. default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED); }

40 Applet structure 4. PRIVATE METHODS: private void ProcessFileCommand(APDU apdu) {byte[] buffer = apdu.getBuffer(); // check for the P1 complience to ISO specification of format if((buffer[ISO7816.OFFSET_P1] & (byte)0xE0) != (byte)0x80) ISOException.throwIt(ISO7816.SW_WRONG_P1P2); ………………………………….. apdu.setOutgoing(); apdu.setOutgoingLength( (short)nbr2ReadOrWrite ); apdu.sendBytesLong(Files[file].Data, (short)offset, (short)nbr2ReadOrWrite); } private void VerifyPIN( APDU _apdu ) {... } // get the APDU buffer and the OFFSET_LC byte[] buffer = apdu.getBuffer(); …………………. }

41 APDU commands n4 Cases uCase 1 4 No command data, no response data uCase 2 4 No command data, sends response data uCase 3 4 Card Receives command data, no response data uCase 4 4 Card Receives command data, sends response data

42 APDU messages nCase 1 commands CLAINSP1P2P3 Command class Instruction code 1st parameter 2nd parameter Length = 0 Header Bytes SW1 SW2 Status word No Data sent No Data received !

43 Case 1 commands process() method is called nINS is examined nApplet performs the request process() returns CLAINSP1P2O SW1SW2 Method1( ) Method2( ) Methodx( ) Process( ) SW1SW2 SW1SW2 INS = V1 INS =V2 INS = Vx

44 APDU messages nCase 2 commands CLAINSP1P2P3 Command class Instruction code 1st parameter 2nd parameter Length expected Outgoing data Header Bytes SW1 SW2 Status word No Data sent

45 Case 2 commands process() method is called nINS is examined nLe obtained from P3 nsetOutgoing nsetOutgoingLength(short le_bytes) sendBytes(short Offset,short le_bytes) process() returns SW1SW2 Method1( ) Method2( ) Methodx( ) Process( ) SW1SW2 SW1SW2 INS = V1 INS =V2 INS = Vx CLAINSP1P2 Le Datax Data2 Data1

46 APDU messages nCase 4 commands -1st part CLAINSP1P2P3 Command class Instruction code 1st parameter 2nd parameter Length sent Incoming data Header SW1 SW2 Status word Dataprepared for later retrieval...

47 APDU messages nCase 4 commands -2nd part CLAINSP1P2P3 Command class GET RESPONSE Instruction code GET RESPONSE Instruction code 1st parameter 2nd parameter Length expected Header Outgoing data SW1 SW2 Status word Get Response command for data retrieval

48 Smart card Applications nLoyalty, nfinancial, nhealthcare, Storage: medical information ngovernment nIdentification, electronic money, computer access nAccess to physical items (e.g., buildings, cell phones) nparking meters, subway use

49 Smart Cards & Cryptography nSymmetric: DES, 3DES, AES nPublic-key: RSA, DSA nPhysically secure storage device: uPasswords or keys uPersonal Information

50 Cryptography Provides nPrivacy nAuthentication nIntegrity nNon-repudiation

51 2 different security schemes... Secret Key Algorithm = Symmetric Algorithm Public Key Algorithm = Asymmetric Algorithm 1 Key 2 Keys Same key Same key for all operations One key for encryption & signature verification One key for decryption & signature generation My public key is Private Public

52 c=e(m, k) EncryptionDecryption m=e -1 (c, k) Plaintext block Plaintext block m c m ciphertext block

53 f f -1 MM M c=e(m, k1) EncryptionDecryption m=e -1 (c, k2) Plaintext block Plaintext block m c m ciphertext block RSA: RSA: signature generation & verification encryption & decryption messages DSA: DSA: signature only





58 Ensuring Integrity & PrivacySend Compute hash digest (mathematical summary) Sign the hash with the senders PRIVATE key Append the signature to the document Document Encrypt the signed document with a one-time symmetric key Encrypt the one-time symmetric key with the receivers PUBLIC key

59 Ensuring Integrity & PrivacyReceive Unwrap the one-time symmetric key with the receivers PRIVATE key Decrypt the document Verify the signature using the senders PUBLIC key Compute the expected hash from the received message ? ?

60 Web access security HTTP Client HTTP Server ?

61 Web access security Client Browser security management Workstation Cryptographic Module SSL Channel HTTPS (SSL) Authentication & access control management Server HTTPS Server Cryptographic module nAuthentication uServer uClient (optional) nPrivacy

62 Web access security Client Client Servers

63 S/MIME Digital Signatures: electronic mark Digital Signatures: electronic mark uIdentify the signer uEnsure data integrity Provide: Provide: uAuthentication (signature generation/verification) uPrivacy (encryption / decryption)

64 Thanks for Listening Any Smart Questions?

Download ppt "Smart Card Technology Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University."

Similar presentations

Ads by Google