e in European countries, as opposed to the more fragmented U.S. banking system, is well suited to propel the introduction of smart-card-based electronic banking.
The power of smart cards lies in their ability to store and manipulate data, to handle multiple applications on one card, and to perform secure transactions. A typical smart card stores 3 KB of data, which is about 80 times more than what a magnetic-stripe card can hold. Some can store up to 8 KB.
The devices come in several varieties, from simple memory cards to those carrying their own microprocessors. The four categories are listed below.
Unprotected memory cards.
These cards act as a storage medium for tokens. They carry an application code and a simple mechanism to specify the issuer of the card, but they can't perform off-line processing. Unprotected memory cards are used as prepaid phone cards in France, the Netherlands, and Germany.
Wired-logic memory cards.
Smart cards at the next-highest level use either EPROM or EEPROM and are used for access-control systems in offices or research labs. The cards contain "hard-wired" data protection, providing a higher level of security. They can, for instance, be reloaded with monetary value. Examples include the new-generation phone cards that are increasingly being used in the Benelux countries.
Microprocessor cards.
Typical microprocessor cards have an 8-bit microprocessor with an OS in ROM and 96 to 512 KB of RAM, along with 3 to 16 KB of ROM. Many smart-card processors have 8-bit data registers and are compatible with the Motorola 6805 or Intel 8051 architecture. But more 16-bit-data-register processors, such as Hitachi's H9/300, are being used. For nonvolatile memory, they use EEPROM technology, with capacities ranging from 1024 bytes to 16 KB.
Contactless cards.
When applications require high throughput -- in mass transit, where people pass by a smart-card reader, for example -- contactless cards are optimal. They contain an antenna that picks up an electromagnetic signal that emanates from the reader. This signal powers the card and transmits the data.
Loose-coupled cards work with distances up to 1 mm, while proximity smart cards accept distances of 1 to 10 cm.
Contactless cards add an analog front end to the smart card's logic and memory components. Today's semiconductor technology enables digital and analog components to reside on a single chip without electromagnetic interference. But the card's antenna is embedded in the plastic. Industry observers say the next generation of smart cards will integrate contactless and contact technology, allowing one card to work with all types of readers.
Private- or Public-Key Encryption?
Some microprocessor cards have an additional cryptography coprocessor with extra RAM to perform the computation in a secret environment. The computation time of a public-key Rivest-Shamir-Adleman (RSA) encryption with, for example, 512-bit keys, varies from 200 milliseconds to 1.7 seconds. These cards are the best -- but also the most expensive -- architecture.
Public-key encryption is considered more convenient for smart-card applications than private-key encryption because of its easy key-distribution system. It allows for large-scale key management, including certification and digital signatures. But most smart cards on the market use private-key encryption because this scheme is easier to implement and requires fewer system resources. Some experts say that public-key encryption is more secure because of longer key lengths. Since microprocessor cards with an additional cryptography coprocessor are becoming more widely deployed, public-key systems using RSA or DSS algorithms are the best choice for most vendors.
"It's virtually impossible to take a smart-card chip apart and read the OS down to the bit or byte level," comments Gerald Hubbard, vice president of CP8 Transac (Louveciennes, France), a worldwide Groupe Bull subsidiary that focuses on smart-card security. A properly designed system can also detect fraud quickly and then securely distribute new keys throughout the system.
Many ISO Standards
A smart card's OS handles the complete resource-allocation process as well as access control and data management. According to David Glassman of Aladdin Knowledge Systems (Tel Aviv, Israel), a company that designs development tools for smart cards, the OS also includes libraries for several applications as well as life-cycle definitions that limit the number of times the card can be used.
There's no such thing as a standard for smart-card OSes. Today's smart-card community uses more than two dozen different systems -- some of which are more or less widespread, whereas others are appropriate only in niche applications.
International-standardization work has been under way for more than a decade, and the ISO now covers several aspects of the technology. For example, ISO 7816-1, established in 1987, specifies the physical properties of smart cards, such as width, strength of materials, and water resistance. ISO 7816-2 (1988) specifies the position of the contacts on the card for power supply, ground, clock, and reset. Transmission protocols between the chip and the outside world are defined in ISO 7816-3 (1989). Finally, ISO 7816-4 (1995) covers command sets for reading and writing to the chip.
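The command/response framing that ISO 7816-4 standardizes, shown as an added example that is not part of the original article: a short-form command APDU encoder and parser with status-word decoding. The sample byte strings are constructed for illustration.

```python
# Added example: short-form ISO 7816-4 APDUs. Byte values below are constructed samples.
SW_NAMES = {0x9000: "OK", 0x6982: "security status not satisfied",
            0x6A82: "file not found"}

def build_command(cla, ins, p1, p2, data=b"", le=None):
    """Encode CLA INS P1 P2 [Lc data] [Le] as a short command APDU."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    if le is not None and not 1 <= le <= 256:
        raise ValueError("short Le must be 1..256")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le % 256])  # an Le byte of 0x00 means 256
    return apdu

def parse_command(apdu):
    """Decode a short command APDU (cases 1 to 4) into its fields."""
    if len(apdu) < 4:
        raise ValueError("header needs CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:  # case 2: Le only
        le = body[0] or 256
    elif body:  # case 3 or 4: Lc, data, optional Le
        lc, rest = body[0], body[1:]
        if lc == 0:
            raise ValueError("extended-length APDU not handled here")
        if len(rest) == lc + 1:
            le, rest = rest[-1] or 256, rest[:-1]
        if len(rest) != lc:
            raise ValueError("Lc does not match data length")
        data = rest
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def parse_response(rapdu):
    """Split a response APDU into (data, status word, meaning)."""
    if len(rapdu) < 2:
        raise ValueError("response must end in SW1 SW2")
    sw = int.from_bytes(rapdu[-2:], "big")
    return rapdu[:-2], sw, SW_NAMES.get(sw, "unknown")

if __name__ == "__main__":
    read = build_command(0x00, 0xB0, 0x00, 0x00, le=16)  # READ BINARY, 16 bytes
    print(read.hex(), parse_command(read))
    print(parse_response(bytes.fromhex("6982")))  # card refused the read
```

The header layout and status words are common to every conforming card; the conditions under which a given card answers 6982 are set by that card's own access-control scheme.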
"This doesn't mean interoperability, though," cautions Jelte van der Hoek, chief software technology officer at DigiCash (Amsterdam, The Netherlands). "The cryptography functions used to access the control mechanisms can still be totally different. The ISO standards just improve the chances of interoperability."
To define a command set for payment applications, the Europay, MasterCard, and Visa credit-card companies have been working jointly on the so-called EMV protocol, which is based on the ISO standards. EMV compatibility allows different types of cards and cards from different vendors to be accepted at all terminals. Says Andre Jacques Selezneff, marketing manager with Philips Smart Cards & Systems (Paris), "EMV doesn't require a standard OS because it works as an interface handler that accepts cards from different parties."
One of three suppliers chosen by Visa for the first phase of the EMV project is Schlumberger Smart Cards & Systems (Montrouge Cedex, France). According to Nadaradjane Ramatchandirane, Schlumberger's strategic development director for smart cards, the EMV project has far-reaching implications for the worldwide debit-/credit-card business and the smart-card industry in general. It will provide a secure means of authorizing transactions, deliver an effective barrier against fraud, and fuel a completely new generation of financial services based on smart cards.
Smart Cards for GSM
In the European mobile-communications arena, which is familiar with well-defined standards, so-called SIMs (subscriber identity modules) provide security and intelligence functions (see "GSM's Extraordinary Growth," March BYTE). The OS on these cards is based on the European Telecommunications Standards Institute (ETSI) TE9 standard.
As a result of pan-European cooperation, these cards have become a key element in digital mobile telecommunications. "They enable service subscription through the card you own, not through the phone you're using," says Wietse Jan Hilverda, Benelux sales manager for Gemplus, a French producer of smart-card applications.
Cards conforming to the Global System for Mobile Communications (GSM) standard are also being used to support such services as frequently dialed telephone-number directories and short-message storage. "Because subscriber-related data is on the card, rather than in the telephone handset, someone in France can call you on your Italian-made GSM phone in Germany while you have a GSM card from a Dutch telephone operator," Hilverda explains.
With the internationally accepted ETSI standard in place, telecommunications operators, such as PTT Telecom in the Netherlands, are also introducing multifunctional smart cards for use with other applications. "The advantage of standards is that the specifications are freely accessible and that you can choose from among the various suppliers of smart cards and applications," explains PTT Telecom spokesperson Tanno Massar. "This will result in a dramatic reduction of the costs of large-scale introductions."
Contact or Contactless?
"Contactless card applications will gain significance toward the end of the 1990s," says Ulrich Hamann of Siemens (Munich). Experts estimate that 50 percent of the contactless smart cards produced by the year 2000 will be used for transportation-related applications. The rest are expected to be used in industrial applications (30 percent) and access control (15 percent).
"Big metropolitan areas with large populations, such as Hong Kong, Singapore, London, Paris, and Amsterdam, are candidates for automatic-fare-collection contactless smart cards," predicts Hamann.
Many applications in place today use the smart card as a replacement for cash. The banking community will increasingly deploy microprocessor cards instead of standard credit cards because of the smart card's built-in higher level of security. The smart card is also convenient for merchants and retailers because it doesn't involve expensive on-line transactions.
Smart cards enable sophisticated banking applications via PCs or screen phones (see "Smart Telephony," January BYTE). Most of today's screen phones already have smart-card readers. Readers also ship in PC Card format. Many proponents expect the next generation of PCs to come equipped with built-in smart-card readers because these devices provide an easy and safe way to handle cash transactions over the Internet.
Smart cards have the ability to carry multiple applications. "A single card could access your savings account and include your credit-card and driver's-license numbers, as well as high-level medical information," says Mary Buckley, vice president of stored value products for Visa International (Baltimore, MD).
Smart cards are also part of the emerging world of network-based computing. Smart cards authorize access -- by either the user or a third party -- to personal files on the Web. In addition, the cards will be able to encrypt all the messages going over a network from an Internet terminal. In this case, the cryptography chip will be on the smart card, so users won't have to trust the public Web terminal.
Where to Find
Aladdin Knowledge Systems
Tel Aviv, Israel
Phone: +972 3 537 5795
Fax: +972 3 537 5796
E-Mail: aladdin@aladdin.co.il
Internet: http://www.aks.com