Smart Cards, Tokens, Security and Applications (eBook)

eBook download: PDF
2007 | 2008
XXXVII, 392 pages
Springer US (publisher)
978-0-387-72198-9 (ISBN)

117,69 incl. VAT

Providing a broad overview of the many card systems and solutions in practical use today, this state-of-the-art work is written by contributing authors who are active researchers and acknowledged experts in their field. A single book cannot be found to match both the breadth and depth of content. The book combines a cross-discipline overview of smart cards, tokens and related security and applications plus a technical reference to support further research and study. A step-by-step approach educates the reader and by the end of the book the reader should be able to play an educated role in a smart card related project.


Smart Cards, Tokens, Security and Applications provides a broad overview of the many card systems and solutions that are in practical use today. This state-of-the-art work is written by contributing authors who are active researchers and acknowledged experts in their field. A single book cannot be found to match both the breadth and depth of content. This book combines a cross-discipline overview of smart cards, tokens and related security and applications plus a technical reference to support further research and study. A step-by-step approach educates the reader in card types, production, operating systems, commercial applications, new technologies, security design, attacks, application development, deployment and lifecycle management. By the end of the book the reader should be able to play an educated role in a smart card related project, even to programming a card application. Smart Cards, Tokens, Security and Applications is designed for a professional audience of practitioners and researchers.

Founders Message 6
Foreword 7
Preface 9
Structure of the book 9
Acknowledgements 12
Contents 13
List of Figures 21
List of Tables 25
List of Contributors 27
List of Reviewers 32
An Introduction to Smart Cards 33
1.1 Introduction 33
1.2 What is a Smart Card? 34
1.2.1 Magnetic Stripe Cards 34
1.2.2 Chip Cards 37
1.2.3 Microprocessor Chip Cards 38
1.2.4 Contact-less Smart Cards and RFIDs 38
1.2.5 Smart Tokens 39
1.3 Smart Card Chips 40
1.4 Tamper Resistance 43
1.5 Smart Card Characteristics 44
1.6 Issuer Control 45
1.7 Current Applications for Smart Cards 46
1.7.1 Mobile Telephony 47
1.7.2 Banking 49
1.7.3 Transport 49
1.7.4 Identity and Passports 50
1.7.5 Entitlement and Health 50
1.7.6 Physical and IT Access Control 51
1.7.7 Satellite TV 52
1.8 Smart Card Application Development 52
1.9 Development, Roll-Out and Lifecycle Management Issues 54
1.10 In Conclusion 55
Acknowledgement 56
References 56
Smart Card Production Environment 58
2.1 Introduction 58
2.2 Smart Card Production Steps 60
2.2.1 Overview 60
2.2.2 Card Body Manufacturing 60
2.2.3 Personalization and related Services 66
2.2.4 Security and Quality 75
2.2.5 Current Trends 77
2.3 In Conclusion 79
Useful Websites 79
Glossary 80
References 81
Multi Application Smart Card Platforms and Operating Systems 82
3.1 Introduction 82
3.1.1 Smart card Platform Evolution 83
3.2 Java Card 86
3.2.1 Java Card Forum 86
3.2.2 Java Card Technology 87
3.3 GlobalPlatform 95
3.3.1 The GlobalPlatform Association 95
3.3.2 The GlobalPlatform Card Specification 96
3.4 Multos 103
3.4.1 The MULTOS Consortium 103
3.4.2 MULTOS Specification 104
3.4.3 The Multos Card Architecture 104
3.4.4 Multos Executable Language (MEL) 104
3.4.5 The Application Abstract Machine 106
3.4.6 Application Loading and Deletion 106
3.4.7 Communicating with a Multos Smart Card 107
3.4.8 Multos Files 107
3.4.9 Multos Security Features 107
3.5 Smartcard.NET Card 108
3.6 BasicCard 109
3.7 WfSC 109
3.8 Conclusions 110
Acknowledgement 111
References 111
Smart Cards for Mobile Communications 115
4.1 Introduction 115
4.2 SIM/USIM Standards 117
4.3 Subscriber Identity and Authentication 119
4.3.1 So how does SIM Authentication Work? 121
4.3.2 3G/USIM Authentication/Ciphering 122
4.3.3 SIM/USIM Authentication Algorithms 126
4.4 General Added Features 127
4.4.1 Phone Book 127
4.4.2 Roaming list 128
4.4.3 SMS Settings and Storage 128
4.4.4 Last Dialled numbers 129
4.4.5 Access Control Class 129
4.4.6 GPRS Authentication and encryption files 129
4.5 File Types 129
4.6 SIMs and USIMs Some Practical Comparisons 130
4.7 (U)SIM Value Added Services 133
4.8 The (U)SIM as a Handset Security Module 137
4.9 The Future Evolution of the (U)SIM 138
4.10 Conclusions 141
References 142
Smart cards for Banking and Finance 144
5.1 Introduction 144
5.2 Payment Card Technologies 145
5.2.1 Magnetic Stripe Cards 147
5.3 Smart Cards and EMV 149
5.3.1 Card Authentication 150
5.4 Cardholder Not Present Transactions 154
5.4.1 Purchase from a Genuine Merchant Using Someone Else’s Payment Details 155
5.4.2 Genuine Purchaser Buying from a Rogue Merchant 155
5.4.3 Third Party Attacker 156
5.5 Dynamic Passcode Authentication 157
5.6 Could a Mobile Phone be a Token Reader? 160
5.7 Token Authentication Examples 161
5.8 E-Commerce Solutions 162
5.8.1 3D-Secure 162
5.8.2 Thoughts on 3D Secure 165
5.9 Just Wave Your Card to Pay 165
5.10 Concluding Remarks 166
References 166
Security For Video Broadcasting 168
6.1 Introduction 168
6.2 Digital Video Basics 170
6.3 Scrambling 171
6.4 Synchronisation 172
6.5 Key Delivery 173
6.6 Access Requirements 174
6.7 Key Hierarchy 175
6.8 Implementation 176
6.9 In Conclusion 181
References 182
Introduction to the TPM 184
7.1 Introduction 184
7.2 Trusted Platforms 185
7.2.1 Fundamental Features of a Trusted Platform 186
7.2.2 Additional Features 188
7.3 TPM Features 189
7.3.1 TPM Components 189
7.3.2 I/O Block 189
7.3.3 Non-Volatile Storage 190
7.3.4 Attestation Identity Keys 191
7.3.5 Platform Configuration Registers 192
7.3.6 Programme Code 192
7.3.7 Execution Engine 192
7.3.8 Random Number Generator 193
7.3.9 SHA-1 Engine 193
7.3.10 RSA Key Generation 193
7.3.11 RSA Engine 194
7.3.12 Opt-In 194
7.3.13 Other Features 196
7.4 TPM Services 196
7.4.1 Roots of Trust 196
7.4.2 Boot Process 197
7.4.3 Secure Storage 197
7.4.4 Attestation 198
7.5 In Conclusion 200
References 200
Common Criteria 202
8.1 Introduction 202
8.2 Evolution of National and International Standards 203
8.2.1 International Recognition 204
8.2.2 The need for security benchmarks 205
8.3 Evaluation Practicalities 206
8.3.1 Types of evaluation 207
8.3.2 Evaluation Assurance Levels 208
8.3.3 Augmentation of Assurance Levels 208
8.4 Evaluation Roles 209
8.4.1 Performing Evaluations 210
8.5 Developing Protection Profiles and Security Targets 211
8.5.1 Establish the security environment 211
8.5.2 Establish Security Objectives 212
8.5.3 Establish Security Requirements 212
8.5.4 Establish TOE Summary Specification 213
8.5.5 Establish Rationale 213
8.5.6 Claiming Compliance with Protection Profiles 214
8.6 An Example 214
8.6.1 Establish the Security Environment 215
8.6.2 Establish security objectives 215
8.6.3 Establish Security Requirements 216
8.6.4 Establish TOE summary specification 217
8.6.5 Establish Rationale 218
8.7 Deliverables 218
8.8 Evaluation Composition 219
8.9 In Conclusion 221
Useful Websites 221
Glossary 222
References 222
Smart Card Security 224
9.1 Introduction 224
9.2 Cryptographic Algorithms 226
9.2.1 Data Encryption Standard 226
9.2.2 RSA 228
9.3 Smart Card Security Features 231
9.3.1 Communication 231
9.3.2 Cryptographic Coprocessors 232
9.3.3 Random Number Generators 233
9.3.4 Anomaly Sensors 234
9.3.5 Chip Features 234
9.4 Side Channel Analysis 236
9.4.1 Timing Analysis 236
9.4.2 Power Analysis 237
9.4.3 Electromagnetic Analysis 242
9.4.4 Countermeasures 243
9.5 Fault Analysis 245
9.5.1 Fault Injection Mechanisms 246
9.5.2 Modelling the Effect of a Fault 247
9.5.3 Faults in Cryptographic Algorithms 247
9.5.4 Countermeasures 250
9.6 Embedded Software Design 251
9.6.1 PIN Verification 251
9.6.2 File Access 253
9.7 In Conclusion 254
References 254
Application Development Environments for Java and SIM Toolkit 258
10.1 Introduction 258
10.2 Smart Cards Characteristics 259
10.2.1 Limitations 260
10.3 SIM Cards 261
10.4 Java Card 262
10.4.1 The Java Card Framework 264
10.5 Java SIM 267
10.5.1 sim.toolkit 268
10.5.2 sim.access 271
10.6 Application Development Tools 272
10.6.1 Compilers & Integrated Development Environments
10.6.2 Simulators 273
10.6.3 Protocol Analysis (Spy) Tools 274
10.6.4 Utilities 275
10.7 Mobile Phone Applications and the (U)SIM 276
10.7.1 SATSA 277
10.7.2 A Word on Testing 279
10.7.3 SIM Dongle Example 280
10.8 Looking To The Future 282
10.9 Concluding Remarks 282
References 283
OTA and Secure SIM Lifecycle Management 285
11.1 Introduction 286
11.2 The SIM Card As A Managed Platform 286
11.2.1 Common Stored and Managed Data 287
11.2.2 SIM Application Toolkit Interface SAT 288
11.2.3 Main Differences Between a SIM and a UICC/USIM Card 292
11.3 OTA - Over-The-Air Management 293
11.3.1 OTA Server Capabilities 295
11.4 Limitations and Improvements 296
11.4.1 Customer Managed Applications 298
11.5 SIM Lifecycle Management 299
11.6 In Conclusion 302
References 303
Smart Card Reader APIS 304
12.1 Terminology: Smart Card Reader, IFD, CAD and Terminal 304
12.2 OCF: OpenCard Framework 306
12.2.1 Overview 306
12.2.2 Example 308
12.3 PC/SC 309
12.3.1 Overview 309
12.3.2 Architecture 309
12.3.3 Various Implementations 312
12.3.4 Wrappers 315
12.3.5 Examples 316
12.4 STIP 318
12.5 In Conclusion 318
Acknowledgement 319
References 319
RFID and Contactless Technology 321
13.1 Introduction 321
13.2 Contactless Technology 322
13.2.1 Applications 325
13.3 Radio Frequency Interface 327
13.3.1 Communication Theory 328
13.3.2 Inductive Coupling 331
13.4 Standards 337
13.4.1 ISO 14443 337
13.4.2 ISO 15693 343
13.4.3 ISO 18000 345
13.4.4 ISO 18092/NFC 346
13.5 Conclusion 347
References 347
ID CARDS AND PASSPORTS 349
14.1 Introduction 349
14.2 ID Cards 350
14.2.1 Requirements and Constituents of Modern National ID Cards 350
14.2.2 International Standards for ID Cards 357
14.2.3 Optical Personalisation of ID Cards 359
14.2.4 Countries and Their ID Cards 363
14.3 E-Passports 365
14.3.1 Introduction 365
14.3.2 Constituents of Passports 367
14.3.3 EU and ICAO Requirements 369
14.3.4 Security Protocols 370
14.4 Conclusion 371
References 371
Smart Card Technology Trends 372
15.1 Trends In Smart Card Technology – Today And The Future 372
15.1.1 History 373
15.1.2 Technology Choices 376
15.1.3 Technology Drivers 380
15.1.4 Technology Trends 389
15.1.5 Emerging Applications 395
15.2 Conclusions 401
References 402
Source Code for Chapter 12 405
A.1 C Language 405
A.2 Perl Language 409
Index 411

Publication date (per publisher): 11.12.2007
Additional info: XXXVII, 392 p.
Place of publication: New York
Language: English
Subject area: Computer Science / Networks / Security / Firewall
Computer Science / Theory / Studies / Cryptology
Natural Sciences
Keywords: Applications • Code • Communication • Mayes • Radio-Frequency Identification (RFID) • security • Smart • Smart card • Smart cards • Tokens
ISBN-10 0-387-72198-3 / 0387721983
ISBN-13 978-0-387-72198-9 / 9780387721989
PDF (watermark)
Size: 9.0 MB

DRM: Digital watermark
This eBook contains a digital watermark and is thereby personalized for you. If the eBook is improperly passed on to third parties, it can be traced back to the source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suitable for technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited suitability for small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.

Additional feature: Online reading
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
