Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University

Similar presentations


Presentation on theme: "Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University"— Presentation transcript:

1 Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University
Smart Card Technology Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University

2 Agenda Overview Classification of Smart Cards Architecture
API and Access functions PC/SC Operating Systems MPCOS-EMV JAVA CARD Applications of smart card Smart cards & Cryptography Companies, Work groups, Links Questions

3 What is a Smart Card? Communication through electrical contacts
Contact Smart Card ISO/IEC 7816 Communication through electrical contacts

4 A piece of silicium on a plastic body
What is a Smart Card? A piece of silicium on a plastic body Chip A very secure way of storing a small amount of sensitive data

5 Applicative memory (where you store your data)
What’s In The Chip? Applicative memory (where you store your data) Chip Operating System

6 Classification Memory vs. microprocessor Memory cards
simply store data read and write to a fixed address on the card Straight Memory Cards Protected Cards: configured to restrict access through a password Stored Value Memory Cards: such as a telephone card, the chip has memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Microprocessor cards Miniature Computer with microprocessor chip, input/output port, OS, ROM, EEPROM, RAM Add, delete, manipulate information in its memory Built-in security features multiple functions and/or different applications reside on the card

7 Classification Contact vs. contactless Contact smart card
are inserted in a smart card reader making physical contact with the reader Contactless smart cards smart cards that employ a radio frequency (RFID) between card and reader without physical insertion of the card Combi card combines the two features

8 The Chip Operating System COS
Predefined file structures: Binary files, Secret Key files, … A set of dedicated commands: Read, Write, Update Cryptographic capabilities: 3DES, RSA, ...

9 Platform Small processors Very small memory Communication 8 or 16 bits
8k, 16k, 32k, 64k, 128K of ROM Between 1 and 32 Kb of EEPROM Between 256 bytes and 4Kb of RAM Communication through RS232 serial and USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA ports, …

10 Life Cycle Fabrication phase Pre-personalisation Phase
Utilisation Phase End-of-Life Phase

11 Examples GPK 8000 MPCOS-EMV compatible with ISO7816-4 8Kb EEPROM
3DES, RSA/DSA (up to 1024 bits), SHA-1, MD5 GemSafeXpresso 32K Java Card platform compatible with ISO /2/3/4 32K EEPROM RSA ( bits), 3DES algorithms SIM Back-up cards Capacity: 254 phone numbers & names Capacity: 30 text messages Dedicated to personal data storage

12 PC/SC Smart card readers
USB What is PC/SC? Standardizes communication compatible with the ISO-7816 between computer software and smart cards Developed by smart card and computer manufacturers Promoted by Microsoft Serial PC Card PS/2

13 PC/SC What is PC/SC Facilitate Smart Card Integration into PC Environment Smart Card Reader and Smart Card Interoperability at Different Levels Application and Vendor Neutral Platform Independent Specifications

14 PC/SC Core Members of the PC/SC Workgroup

15 PC/SC PC/SC Architecture ICC ICC ICC - - - Aware Application
PC/SC Service Provider Reference Interfaces Service Providers Provider Service Service Service Service Providers Providers Service Service Providers Providers Provider Provider PC/SC RM Interface Resource Manager Microsoft Resource Manager PC/SC IFD Handler Interface IFD IFD IFD IFD IFD IFD Drivers Handler Handler Handler Handler Handler Handler IFD IFD IFD IFD IFD IFD Smart Card Readers Smart Cards ICC ICC ICC ICC ICC ICC

16 PC/SC The interfaces of PC/SC use the COM interface model!
Smart Card Aware Applications Smart Card User Interface Smart Card Service Providers SCardDlg . dll scardssp . dll and others WinSCard . dll Smart Card Resource Manager SCardSvr .exe

17 PC/SC Smart Card and Reader Access Functions SCardEstablishContext
GetOpenCardName() / SCardUIDlgSelectCard() SCardConnect() SCardListCards() SCardListReaders() SCardGetStatusChange() SCardIntroduceCardType() SCardStatus() SCardTransmit() SCardReconnect() SCardLocateCards() SCardReleaseContext SCardDisconnect()

18

19

20 ReturnCode = connectToCard(DlgStruct->hSCardContext,
DlgStruct->lpstrRdr, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0, &(DlgStruct->hCardHandle), &(DlgStruct->dwActiveProtocol)); if(ReturCode != SCARD_S_SUCCESS) printf("Failed connection to the card0X%0X.\n",ReturnCode);

21

22

23 The application exchanges
PC/SC The application exchanges a Select File APDU and displays the results B

24 Operating Systems Fixed File Structure Dynamic Application System
Multi-application Payment Chip Operating System EMV (MPCOS-EMV) The card is treated as secure computing and storage device Files and permissions are set in advance by the issuer ideal for a fixed type of card structure and functions that will not change in the near future Dynamic Application System Java Card, MULTOS enables developers to build, test, and deploy different applications securely OS and applications are more separate Example SIM card for mobile GSM

25 MPCOS-EMV Communication
send and receive data under the T=0 communication protocol format according to the ISO standard T=1 or T=14 communication protocol can be activated Baud Rates supported with 3.68 MHz Reader: 9 600 baud baud baud baud baud

26 Initial File Structure
MPCOS-EMV Files Initial File Structure

27 MPCOS-EMV Files Public key files, secret code files, Purse files... File Descriptors When we create a file, the crlFile command generate a File descriptor DF Descriptor EF Descriptor

28 MPCOS-EMV Data Access Management Files can be secured by secret codes
Secret codes are stored in Elementary files (Efsc) Each EFsc can store to eight secret codes, (0 to 7) Access Control Allowed without any restriction Possible after PIN verification Forbidden PIN Management PIN has been presented PIN has not been presented or was presented incorrectly PIN is blocked

29 MPCOS-EMV Cryptography
3DES Algorithm 16 bits secret key Encrypting /decrypting Computing signatures Secure messaging (Authentication)

30 MPCOS-EMV Commands Command Format Response Format Header Body
CLA INS P1 P2 Lc Parameters/data Le Body Trailer Data SW1 , SW2

31 MPCOS-EMV Commands Administration commands, Payment commands
Create File, Read Binary, Select File, Read File, Write Binary, Update Binary, Read Record, Verify Pin, Select File, Read Record, Internal authenticate, external authenticate Payment commands E.g., Credit a purse, Debit a purse, Read Balance …

32 What’s Java Card 2.2 A set of specifications
Issued by Sun Microsystems Promoted by the JavaCard Forum Based on the Java language Three parts The Java Card API Subset of Java API The Java Card Run-time Environment (JCRE) Subset of JRE The Java Card Virtual Machine (JCVM) Subset of JVM

33 Java Card Architecture
Pure Java Card. Applet 1 Pure Java Card. Applet 2 Pure Java Card. Applet 3 Card Manager Java Card 2.1 API Java Card 2.1 VM Native layer Microprocessor + Memory + I/O

34 Java Card 2.2 PC CARD JC Applet .java JC Applet .class JC Applet .cap
Specification JC Applet .java Compilation JC Applet .class JC Conversion JC Applet .cap Load / Install Java Card PC CARD Client / Host Application Run !

35 Applet Interaction Java Card applets can only interact with
JCRE through APDUs (Application Protocol Data Units) Methods( ) Applet 1 Applet 2 Applet i Data JCRE CAD APDU

36 APDU commands 2 types of APDU can be sent to the card:
OS/Administrative commands Available in JCRE and CM eg: INSTALL, LOAD, SELECT … Applicative commands specific to the JC applets loaded in the card eg: debit, credit, getbalance for an e-purse applet CLA INS P1 P2 Lc "data" Le SW1 SW2

37 Applet Life Cycle OFF-CARD ON-CARD Applet loaded CAP file Bytecode
Install / Register CAP file Bytecode Load / Remove Applet activated Class file bytecode Select / Deselect Process Applet Processing APDUs Applet selected Java Card source code

38 Applet structure 1. PREPARATION: package com.psu.applet.TestAuth;
import javacard.framework.* ; import javacard.security.*; import javacardx.crypto.*; public class MyBaseApplet extends javacard.framework.Applet { private final static byte CONSTANT = 0x.. ; private static final int myVariable = ... ; private int counterValue ; MyBaseApplet() { super() ; counterValue = ... ; } 2. INITIALIZATION: public static void install( byte[] param, short offs, byte length ) { MyBaseApplet myApplet = new MyBaseApplet() ; myApplet.register() ; } public boolean select() { return true ; }

39 Applet structure 3. COMMAND DISPATCHING:
public void process( APDU apdu ) { switch(apduBuffer[ISO7816.OFFSET_INS]) { case INS_BIN_READ: case INS_BIN_UPDATE: ProcessFileCommand(apdu); break; case INS_SET_STATUS: ProcessSetStatus(apdu); case INS_VERIFY_PIN: VerifyPIN(apdu); case INS_PUT_KEYS: PutKeys(apdu); …………. default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED); }

40 Applet structure 4. PRIVATE METHODS:
private void ProcessFileCommand(APDU apdu) {byte[] buffer = apdu.getBuffer(); // check for the P1 complience to ISO specification of format if((buffer[ISO7816.OFFSET_P1] & (byte)0xE0) != (byte)0x80) ISOException.throwIt(ISO7816.SW_WRONG_P1P2); ………………………………….. apdu.setOutgoing(); apdu.setOutgoingLength( (short)nbr2ReadOrWrite ); apdu.sendBytesLong(Files[file].Data, (short)offset, (short)nbr2ReadOrWrite); } private void VerifyPIN( APDU _apdu ) { ... } // get the APDU buffer and the OFFSET_LC byte[] buffer = apdu.getBuffer(); ………………….

41 APDU commands 4 Cases Case 1 Case 2 Case 3 Case 4
No command data, no response data Case 2 No command data, sends response data Case 3 Card Receives command data, no response data Case 4 Card Receives command data, sends response data

42 APDU messages No Data sent No Data received ! Case 1 commands
Header Bytes No Data sent CLA INS P1 P2 P3 Status word No Data received ! 1st parameter 2nd parameter Length = 0 Command class Instruction code SW1 SW2

43 Case 1 commands INS is examined Applet performs the request
process() method is called INS is examined Applet performs the request process() returns CLA INS P1 P2 O Process( ) INS = V1 INS = Vx INS =V2 Method1( ) Methodx( ) SW1 SW2 Method2( ) SW1 SW2 SW1 SW2

44 APDU messages No Data sent Case 2 commands Header Bytes 1st parameter
CLA INS P1 P2 P3 Outgoing data Status word 1st parameter 2nd parameter Command class Instruction code Length expected SW1 SW2

45 Case 2 commands INS is examined Le obtained from P3 setOutgoing
process() method is called INS is examined Le obtained from P3 setOutgoing setOutgoingLength(short le_bytes) sendBytes(short Offset,short le_bytes) process() returns CLA INS P1 P2 Le Process( ) INS = V1 INS =V2 INS = Vx Methodx( ) Method1( ) Data1 Datax SW1 SW2 SW1 SW2 Method2( ) Data2 SW1 SW2

46 APDU messages Data prepared for later retrieval ...
Case 4 commands -1st part Header Incoming data CLA INS P1 P2 P3 Data prepared for later retrieval ... Status word 1st parameter 2nd parameter Command class Instruction code Length sent SW1 SW2

47 APDU messages “Get Response” command for data retrieval
Case 4 commands -2nd part Header “Get Response” command for data retrieval CLA INS P1 P2 P3 Outgoing data Status word 1st parameter 2nd parameter Command class Length expected SW1 SW2 GET RESPONSE Instruction code

48 Smart card Applications
Loyalty, financial, healthcare, Storage: medical information government Identification, electronic money, computer access Access to physical items (e.g., buildings, cell phones) parking meters, subway use

49 Smart Cards & Cryptography
Symmetric: DES, 3DES, AES Public-key: RSA, DSA Physically secure storage device: Passwords or keys Personal Information

50 Cryptography Provides
Privacy Authentication Integrity Non-repudiation

51 2 different security schemes...
Secret Key Algorithm = Symmetric Algorithm Public Key Algorithm = Asymmetric Algorithm 1 Key Same key for all operations One key for encryption & signature verification One key for decryption & signature generation 2 Keys Private Public My public key is

52 Encryption Decryption Plaintext block Plaintext block c c=e(m, k) m=e-1(c, k) ciphertext block m m

53 f f-1 RSA: DSA: M M’ signature generation & verification
encryption & decryption messages DSA: signature only f f-1 M M’ Encryption Decryption Plaintext block Plaintext block c c=e(m, k1) m=e-1(c, k2) ciphertext block m m

54

55

56

57

58 Ensuring Integrity & Privacy
Append the signature to the document Sign the hash with the sender’s PRIVATE key Compute hash digest (mathematical summary) Document Send Encrypt the signed document with a one-time symmetric key Encrypt the one-time symmetric key with the receiver’s PUBLIC key

59 Ensuring Integrity & Privacy
Receive Unwrap the one-time symmetric key with the receiver’s PRIVATE key Decrypt the document Verify the signature using the sender’s PUBLIC key Compute the expected hash from the received message ?

60 Web access security HTTP Client Server ?

61 Web access security HTTPS (SSL) Authentication Privacy Server
Client (optional) Privacy HTTPS (SSL) Client Browser security management Workstation Cryptographic Module Authentication & access control management Server HTTPS Cryptographic module SSL Channel

62 Web access security Servers Client Client

63 S/MIME Digital Signatures: electronic mark Provide:
Identify the signer Ensure data integrity Provide: Authentication (signature generation/verification) Privacy (encryption / decryption)

64 Thanks for Listening Any Smart Questions?


Download ppt "Presented by: Dr. Hakim Fourar-Laidi CIS - Prince Sultan University"

Similar presentations


Ads by Google