Introduction to Smart Cards
Note: A PDF copy of this article, along with proper figures and correct formatting for printing, is available at Rootshell.
Right now, inside your wallet, you probably have a couple of credit cards, an ID card, an ATM card and maybe a few other plastic cards. Without our realizing it, these plastic cards have become a very important part of our life. Consider a few scenarios where we use plastic cards these days:
• To identify ourselves.
• To obtain cash from the banks.
• As credit cards.
• Conventional Telephony.
• Access Control.
• Loyalty Programs.
Most of these plastic cards are magnetic stripe cards. In spite of their tremendous popularity, magnetic stripe cards suffer from one crucial weakness: data stored on them can be easily read and modified by someone with access to the right kind of equipment. As a result, confidential information like a PIN or a password cannot be stored on them, and a transaction host (POS device/ATM) has to go online to verify the PIN, which in most European and Asian countries is time-consuming and costly.
Enter Smart Cards. The development of smart cards along with rapid advances in cryptography has resulted in a solution to the above-mentioned problem. This article will introduce the reader to the various aspects of the Smart Card.
History of Smart Cards
Many people consider smart cards a recent invention. Nothing could be further from the truth. In 1968, German inventor Jürgen Dethloff along with Helmut Gröttrup filed a patent for using plastic as a carrier for microchips. In 1970, Japanese inventor Kunitake Arimura applied for a similar patent. Smart Cards were introduced in Japan in the same year. In 1974, Frenchman Roland Moreno registered his smart card patent in France.
Given that the majority of smart card research initially went on in Europe, it is not surprising that Europeans are among the largest users of smart cards. Europe currently accounts for nearly 80% of the smart card market. France and Germany have been leading the world in terms of introducing various applications on smart cards. Smart cards are already being used the world over for a variety of purposes and in future they will become even more pervasive.
Before we go into the details of Smart Cards, it might be a good idea to understand a little bit more about their predecessor, the Magnetic Stripe Card.
Magnetic Stripe Card
Turn your credit card around. Chances are you will see a black stripe, approximately half an inch wide, running across it. This black stripe, consisting of three tracks of magnetic particles bonded to the card substrate, is the core of a magnetic stripe card. Magnetic stripe cards were introduced to:
• Store data in a machine-readable form.
• Minimize paper utilization in financial transactions.
• Allow for automation.
As explained before, the magnetic stripe consists of three tracks. A track is divided into tiny domains, each domain being one-75th of an inch long. To store data on the magnetic stripe card, the particles in a domain are magnetized in a particular fashion (see Figure 1). If within a domain the polarization of the particles doesn’t change, then there is no flux reversal and it represents a 0. But if the polarization changes, then there is a flux reversal and it represents a 1.
[The arrows in the domains represent the polarization of the magnetic particles in the domain.]
When the magnetic stripe card is read, the reader recovers the data stored on it from the flux reversals. The magnetic stripe shown in Figure 1 would be read as: 0 1 0 0 1 0
The length of a magnetic stripe is around 4 inches and it consists of three tracks. Each track is made of domains 1/75th of an inch long. Each domain represents one bit. Hence the total data carrying capacity of a magnetic stripe card is just 900 - 1000 bits.
The main problem with magnetic stripe cards is that data can be easily read and altered by anyone with access to the right kind of equipment. Card Skimming is the name given to the process of reading data off a valid card and copying it bit for bit onto another card. Readers for magnetic stripe cards cost around $100 while encoders (writers) come for as cheap as $1000. As a result of this drawback, these cards cannot be used for storing confidential information.
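The encoding and the bit-for-bit copy described above can be sketched in a few lines of Python. This is an added example, not part of the original article; it follows the article's simplified flux-reversal model only, and the (start, end) polarity pairs and all function names are assumptions made for the illustration.

```python
"""Toy model of the article's simplified flux-reversal encoding (added example)."""

DOMAINS_PER_INCH = 75   # each domain is 1/75th of an inch long
STRIPE_INCHES = 4       # stripe length given in the article
TRACKS = 3

FIGURE_1_BITS = [0, 1, 0, 0, 1, 0]   # the sequence the article reads off Figure 1


def capacity_bits():
    """Upper bound on stored bits: one bit per domain on every track."""
    return STRIPE_INCHES * DOMAINS_PER_INCH * TRACKS


def encode(bits, start_polarity=+1):
    """Return one (start, end) polarity pair per domain.

    Assumed representation: +1 / -1 for the two magnetisation directions.
    A 1 flips polarity inside the domain (flux reversal); a 0 does not.
    """
    domains, polarity = [], start_polarity
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError(f"not a bit: {bit!r}")
        end = -polarity if bit else polarity
        domains.append((polarity, end))
        polarity = end          # the next domain continues from here
    return domains


def decode(domains):
    """What a reader recovers: 1 where polarity changed inside a domain."""
    return [1 if start != end else 0 for start, end in domains]


def bit_for_bit_copy(domains):
    """Model of a skimmed copy: the same bits written to another stripe."""
    return encode(decode(domains))


def reader_can_tell_apart(stripe_a, stripe_b):
    """A reader only sees decoded bits; nothing on the stripe is secret."""
    return decode(stripe_a) != decode(stripe_b)


if __name__ == "__main__":
    original = encode(FIGURE_1_BITS)
    print(decode(original), capacity_bits())
    print(reader_can_tell_apart(original, bit_for_bit_copy(original)))
```

Because the reader's decision rests entirely on the decoded bits, a copy is indistinguishable from the original, which is why the verification has to happen online at the host.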
Smart Card Classification
Smart cards are the youngest members of the plastic card family. A Smart Card is defined as:
“A plastic card, usually similar in size and shape to a credit card, containing a microprocessor and memory (which allows it to store and process data) and complying with ISO 7816 standard”
In layman’s terms, a smart card can be defined as a card with a very tiny computer embedded in it.
Though they can be classified on the basis of various parameters, we shall discuss only the classification on the basis of Card Components, Card Interface and Smart Card OS in this article. This classification is depicted in Figure 2.
Component Based Classification
When classified on the basis of the components they contain, smart cards can be put into two categories. Those with a processor are called chip cards or microprocessor cards and those without one are called memory cards.
Memory cards are the most common and least expensive cards. They contain:
• EEPROM: Electrically Erasable Programmable Read Only Memory. This is like a data storage device where all the application data gets written. Typical EEPROM size varies from 2 KB to 8 KB. The EEPROM data can be locked with a PIN, and the data usually varies with time. For example, in a telephone card, the EEPROM might hold the talk time left.
• ROM: Read Only Memory. It stores data that does not change during the card life. It might hold card number, cardholder’s name etc.
Security logic controls access to the memory and enables reads from and writes to it. Regions of memory are accessible only after a secret code is provided. This code may be provided by the smart card reader device or the card-holder. A simplified architecture of a memory card is depicted in Figure 3.
The simple technology of these cards enables them to be made very cheaply (around $1, when purchased in bulk). These cards can store data from a few hundred bytes up to 8 KB. These cards find wide acceptance in the prepaid phone card segment because of their simplicity. Other possible areas where they can be used include vending machines, transport and ticketing, prepaid parking schemes and loyalty programs.
As the name implies, microprocessor cards (chip cards) are cards that incorporate a microprocessor. They are the ones that technically can be called smart cards. The important components of a chip card are:
• ROM: Read Only Memory. The ROM holds the card's operating system and is also known as the mask of the card. This is written to only once (usually during the card production phase). The size of ROM varies from a few KB to 32 KB, depending on which Operating System is being used by the card. Once written, it cannot be altered.
• EEPROM: The EEPROM holds the card's application programs and the application data. This data is not permanent and is often erased and rewritten. Typical EEPROM sizes range from 2 KB to 32 KB.
• RAM: Random Access Memory. This is the volatile memory used by the processor to run the desired functions. The memory is erased whenever the power is switched off. Surprising as it may sound, the typical size of RAM is around 256 bytes. This is because RAM occupies the maximum area per byte and the area of a smart card is restricted to 25 mm².
• CPU: Central Processing Unit. This is the heart of a chip card. It is usually an 8-bit microprocessor based on CISC architecture with typical clock speeds of 5 MHz. This is slowly moving towards a 32-bit architecture due to Java Cards. The CPU is responsible for carrying out various instructions.
Chip cards are more expensive than memory cards. Their cost ranges from $2 to $20 depending on the features available. These cards can house multiple applications and provide robust security. Such cards are used in access control, electronic purses, credit and other financial cards, travel, ticketing and other applications where high security is required. A simplified version of the internal architecture of a memory card is shown in Figure 4.
Interface Based Classification
Smart Cards are also classified on the basis of the method of their communication and data transfer with the reader device. Based on this criterion, the smart cards are classified as contact cards, contactless cards, and combi cards. Contact cards have to be inserted into the reader while contactless cards are powered by a Radio Frequency signal and don’t require insertion into a reader. Combi cards, also known as hybrid cards, can be powered by insertion or by a Radio Frequency Signal.
Contact cards require insertion into the card reader to be powered. Each such card contains 6-8 gold-plated contacts that are in physical contact with the reader. The physical contact may be established either by sliding or by landing. The card receives power from the reader via these contacts. As per ISO-7816, the card contacts are numbered as shown in Figure 5, and the designation of the contacts, along with their functions, is explained in Table 1.
Figure 5: Card Contacts as per ISO-7816
Contact cards have certain limitations. With age, the contacts get worn out. Electrostatic discharges due to improper contact may damage the circuits. Cardholders sometimes pull the card out of the reader before the transaction is completed, leading to what is known as Card Tearing. Rough handling and stresses during card insertion lead to damage of the card.
Contactless cards don’t require insertion into the reader. They just have to be passed near an antenna for the transaction to be carried out. The reading distance varies from a few cm up to 50 cm. As there is no contact, these cards avoid most of the limitations listed under contact cards. Such cards are often used in places where the transaction has to be carried out very quickly, for example mass transit and road tolling.
Contactless cards are costlier compared to contact cards. But they also have a greater life span and are more reliable.
Combi or Hybrid Cards
Combi cards are those which have both a contact and a contactless interface, so they can be used either way. For example, a contact card could be slipped into a pouch that has a battery and an antenna and can communicate with a contactless reader. Other combi cards could be simpler, with two interfaces, one for contact readers and another for contactless readers. The contactless chip is used for applications that require fast transaction times and the contact chip is used for those applications that require higher security.
OS Based Classification
Smart cards are also classified on the basis of their Operating System. There are many Smart Card Operating Systems available in the market, the main ones being:
Smart Card Operating Systems, or SCOS as they are commonly called, are placed on the ROM and usually occupy less than 16 KB. SCOS handle:
• File Handling and Manipulation.
• Memory Management.
• Data Transmission Protocols.
Advantages of Smart Cards
Compared to magnetic stripe cards, smart cards have many advantages:
• Smart cards can hold up to 32 KB of data while magnetic cards as seen earlier can hold only around 1000 bits. This allows the card-transaction participants (card company, acquiring bank, issuing bank, retailers etc.) to store a lot of additional information on the card.
• Data on a smart card can be protected against unauthorized viewing. As a result, confidential data (PIN, passwords) can be stored on a smart card. This means merchants do not have to go online every time to authenticate a transaction.
• A single smart card can house multiple applications. Just one card can be used as your license, passport, credit card, ATM card, ID Card etc.
• Life of a smart card is longer.
• Smart cards cannot be easily replicated and are, as a general rule, much more secure than magnetic stripe cards.
Given these advantages, smart cards have really caught on in the telephony segment. But unfortunately, they have not been as successful in the financial cards segment. The only thing holding back the widespread use of smart cards in this sector is the amount of money invested by various players in the magnetic stripe card infrastructure and the slightly higher cost of smart cards.
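The access control behind these advantages, namely the security logic that opens memory regions only after a secret code is provided and the on-card PIN check that lets a terminal work without going online, can be modelled as follows. This is an added example, not code from the article or from any card operating system; the class, the field names, the three-try retry limit and the publicly readable ROM are assumptions, and the sample values used with it are constructed.

```python
import hmac


class AccessDenied(Exception):
    """Raised when the security logic refuses a read, write or PIN check."""


class ModelCard:
    """Toy model of on-card security logic (not a real card OS)."""
    MAX_TRIES = 3  # assumption: the article gives no retry limit

    def __init__(self, pin, card_number, balance):
        self._pin = pin.encode()                   # never leaves the card
        self._rom = {"card_number": card_number}   # fixed for the card's life
        self._eeprom = {"balance": balance}        # changes over time
        self._tries_left = self.MAX_TRIES
        self._unlocked = False

    def verify(self, candidate):
        """Compare the code on the card; only True/False is returned."""
        if self._tries_left == 0:
            raise AccessDenied("card blocked: retry counter exhausted")
        self._unlocked = hmac.compare_digest(self._pin, candidate.encode())
        self._tries_left = self.MAX_TRIES if self._unlocked else self._tries_left - 1
        return self._unlocked

    def read(self, field):
        if field in self._rom:          # assumption: ROM fields are public
            return self._rom[field]
        self._check_unlocked()
        return self._eeprom[field]

    def write(self, field, value):
        if field in self._rom:
            raise AccessDenied("ROM cannot be altered")
        self._check_unlocked()
        self._eeprom[field] = value

    def _check_unlocked(self):
        if not self._unlocked:
            raise AccessDenied("secret code not presented")


def offline_purchase(card, pin_entered, amount):
    """Terminal-side flow with no host connection: the card checks the PIN."""
    if not card.verify(pin_entered):
        return False
    balance = card.read("balance")
    if amount > balance:
        return False
    card.write("balance", balance - amount)
    return True
```

The terminal never sees the stored PIN, only the result of the comparison, and the retry counter limits how many guesses a stolen card allows.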
Smart Card Applications
Based on numbers, pre-paid telephone cards seem to be the most common smart card application. Often such applications are reloadable. Value can be added to a card by paying the dealer. This ensures repeated usage of the smart card. Along with conventional telephony, cellular phones also use smart cards. The SIM card that is inserted into a cellular handset is nothing but a smart card.
The advent of smart cards has allowed banks to replace their current cards [ATM, Debit, Credit Account, Travel and Entertainment Cards] with one card. Smart cards are also being used in quite a few countries as electronic purses. Along with banks, many retailers have started using smart cards as Loyalty Cards.
Health care is another sector where smart cards are making their mark. Versichertenkarte in Germany and Sesam Vitale in France are examples of health insurance schemes using Smart Cards. Over 80 million such cards have been issued.
Smart cards are currently being used for fast ticketing in public transport, parking and road tolling in many countries. South Korea issued 1.5 million cards for public transport and is the largest user of smart cards in public transport. Hong Kong, with its Octopus Cards is set to follow South Korea in this respect. In India, Indian Railways is also experimenting with smart cards for ticketing purposes.
Many universities and schools are using smart cards for ID purposes. These ID cards can also be used at the library, canteen, vending machines and other services on the campus.
Future of Smart Cards
Given the advantages of smart cards over magnetic stripe cards, there can be no doubt that the future of smart cards is very bright. If the current trends are anything to go by, the smart card market is set for exponential growth in the next few years.
The future of smart cards depends mainly on the introduction of multi-application cards and on overcoming the simplistic mindset that smart cards are just a method of making a payment.
• Smart Card Handbook: W. Rankl & W. Effing
• Smart Card Security and Applications: Mike Hendry
• Smart Cards Case Study: IBM Redbook
• ISO 7816 Specifications
• EMV 2000 Specifications