Smart-card Security Aspects
Copyright (C) 06/1995 by Howard Fuhs
Plastic cards have been introduced in an increasing number of areas over the past couple of years. These cards are not only supposed to make life easier but also to provide increased security. Most people associate plastic cards with credit or cheque cards, but their first applications were actually in security, to provide access control to buildings, rooms or equipment. Access control using plastic cards was introduced particularly in high security areas owned by military forces, governments, or by industry and research organisations. A magnetic stripe was applied to those plastic cards, just as to the credit cards of today. On the magnetic stripe it is possible to store certain information. It is probably widely known that the magnetic stripe principle is not particularly secure, because anyone with suitable read/write equipment can read the information off the card and reproduce it as often as desired. The reason for this is that the magnetic stripe plastic card is a passive data medium. It cannot actively do anything to prevent unauthorised access to and modification of the data it carries.
These problems do not exist with smart cards. The most important property of a smart card is its security. For this reason smart cards are introduced into more and more areas where the security of the data stored on the card is of considerable importance. This is, e.g., true for the medical sector, where personal information is stored on the cards, and for the financial sector, where fraud prevention is the goal. As opposed to the magnetic stripe card, the smart card is able to actively prevent unauthorised access to and modification of the data stored on the card. The chip embedded in the smart card is able to invoke countermeasures against tampering, e.g. by deleting the data stored on the card, which renders it useless.
Nor is the falsification of a smart card easy. Whereas all you need to falsify a magnetic strip card is a plastic carrier of the same size as the original card, to which a magnetic strip is bonded, falsification of a smart card poses problems of a completely different order of magnitude. To manufacture chip cards you must possess a level of technological sophistication unavailable to your average cracker. Even if a forger should be able to steal finished chips from the production line of a chip card manufacturer, these have to be integrated with cards to be of any use. Even this bonding process requires equipment that you are hardly going to find in the backroom workshop of your average counterfeiter. In order to falsify smart cards from scratch you need considerable technological know-how plus a complete chip manufacturing plant.
By using a secure product design it is also possible to prevent reverse engineering of smart cards. E.g. the cards can be designed so that the contents of their EEPROM memory are erased in case they are examined by means of an electron microscope. Very secure smart cards unite processor and memory on a single chip to prevent signals transmitted through wires between processor and memory from being tapped from outside the card, which would reveal how the software on the card works.
The software running a smart card can normally not be altered, because it is stored in ROM; only data are stored in EEPROM. Furthermore, the data are protected by Personal Identification Numbers, or by serial numbers or personalisation numbers automatically embedded during the manufacturing process and known only to the manufacturer.
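To make the contrast between the passive stripe and the active chip concrete, here is an added simulation (my own illustration, not code from the article or from any card manufacturer): the stripe hands its record to any reader, while the card only releases its EEPROM contents after a correct PIN and wipes them after a number of failed attempts; the retry limit of three and the PBKDF2-derived PIN reference are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example, not code from the article: a passive magnetic-stripe
# record beside a simulated smart card whose ROM logic gates EEPROM reads
# behind a PIN and erases the EEPROM after too many wrong attempts. The retry
# limit of 3 is an assumption; the article names erasure but no number.

class MagneticStripe:
    """Passive medium: any reader can read or copy the record unchecked."""
    def __init__(self, record: bytes) -> None:
        self.record = record

    def read(self) -> bytes:
        return self.record                      # no check at all

    def clone(self) -> "MagneticStripe":
        return MagneticStripe(self.record)      # reproduced as often as desired


class SmartCard:
    """Active medium: the chip decides what leaves the card."""
    MAX_TRIES = 3                               # assumed retry limit

    def __init__(self, pin: str, eeprom: bytes) -> None:
        self._salt = os.urandom(16)             # per-card personalisation value
        self._pin_ref = self._derive(pin)       # reference value, never exported
        self._eeprom = bytearray(eeprom)
        self._tries_left = self.MAX_TRIES
        self.erased = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def read(self, pin: str):
        # Returns the EEPROM contents only after a correct PIN, else None.
        if self.erased:
            return None
        if not hmac.compare_digest(self._derive(pin), self._pin_ref):
            self._tries_left -= 1
            if self._tries_left == 0:
                self._wipe()                    # countermeasure: card makes itself useless
            return None
        self._tries_left = self.MAX_TRIES       # correct PIN resets the counter
        return bytes(self._eeprom)

    def _wipe(self) -> None:
        self._eeprom[:] = bytes(len(self._eeprom))   # overwrite all data with zeros
        self.erased = True
```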
The most important paths of attack on the comparatively secure smart card systems are offered by the equipment used to handle the cards, e.g. the card readers, as well as the further processing of the card information. E.g. if smart cards are used as a means of payment, several possible attacks exist that intercept the data between the point of sale and the bank and change the information, or simply read and record it. Because communication paths across the public telephone network cannot easily be secured, it is particularly important that data are exclusively transmitted in enciphered form. This ensures that unauthorised persons are unable to use the data, even if they are capable of intercepting it.
Also, the computers entrusted with the processing of the smart card data may be subject to attacks by outsiders. In case of a successful attack, data may be read, changed or deleted. In this case, too, effective countermeasures are available. Technically, it is possible to protect computers against illegal access without noticeably reducing their functionality. It is of overriding importance to sufficiently secure connections to the external world.
A further possible way to bypass the security measures inherent to a smart-card would be to emulate the smart-card functions by means of a portable computer. The principle is to manufacture a plastic card carrying the type of connectors normally used to connect a smart-card to a smart-card reader, but instead of connecting these to a chip on the plastic card, thin wires are used to route the connections to a portable computer running a program that emulates a smart-card chip. Although this possibility is of a rather theoretical nature, emulation computers of this type for relatively simple smart-card chips were confiscated by the American authorities in the 1980s. Emulation programs can only be produced in cases where the full functionality of the chip is known. With the steadily increasing complexity of internal chip functions, the complexity of suitable emulation programs grows, leading again to increased programming effort and expertise. Because the emulation principle requires a wired connection between the contacts in the card reader and the external computer, this type of attack can be prevented by relatively simple countermeasures, e.g. the reader must be designed not to allow any part of the card to extend during operation. Insertion of the card must furthermore include a vertical movement upwards or downwards, and a door must close behind the card, cutting any wires extending from the card. The readers used in smart-card telephone booths are relatively good examples of this technology.
As these examples illustrate, the security built into the smart-cards is of little use if the other system components are not designed to the same high level of security as the cards themselves.
Introduction of smart-cards is intended to facilitate a security increase in certain areas. The simplest security aspect is possession of the card. This method is not particularly secure against theft, and the current minimum requirement is security through a combination of possession and knowledge. It is no longer sufficient simply to possess the card; a password or a combination of digits (a PIN, Personal Identification Number) must also be known. Because of the intelligence designed into the smart-cards, additional token ID devices may be used to generate PINs that are only valid for a few minutes, or transaction numbers valid only for a single transaction.
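As an added illustration (not from the article) of the possession-plus-knowledge principle, the following sketch shows how a token sharing a secret with the verifying host can derive a PIN that is valid only within a time window, and how a transaction number can be refused once it has been spent; the 3-minute window, 6-digit PIN and HMAC-SHA256 derivation are assumptions.

```python
import hashlib
import hmac

# Constructed example, not code from the article. A token device and the
# verifying host share a secret: the token derives a 6-digit PIN from the
# current time window, so the PIN is valid only for a few minutes, and a
# transaction number (TAN) is bound to one transaction counter and can be
# redeemed once. The 3-minute window and the digit counts are assumptions.
WINDOW_SECONDS = 180


def time_pin(secret: bytes, now: int) -> str:
    """PIN shown by the token for the time window containing 'now'."""
    step = now // WINDOW_SECONDS
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_time_pin(secret: bytes, pin: str, now: int) -> bool:
    """Accept the current window and the one just before it (clock drift);
    anything older is rejected, so a recorded PIN expires within minutes."""
    for offset in (0, WINDOW_SECONDS):
        if hmac.compare_digest(time_pin(secret, now - offset), pin):
            return True
    return False


class TanIssuer:
    """Transaction numbers that are valid for exactly one transaction."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._used: set[str] = set()

    def issue(self, counter: int) -> str:
        mac = hmac.new(self._secret, counter.to_bytes(8, "big"), hashlib.sha256)
        return mac.digest()[:4].hex()

    def redeem(self, counter: int, tan: str) -> bool:
        if tan in self._used:
            return False                        # replay of a spent TAN
        if not hmac.compare_digest(self.issue(counter), tan):
            return False                        # wrong TAN for this transaction
        self._used.add(tan)
        return True
```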
To make sure that a smart-card is actually used by its authorised owner a number of additional measures may be brought into use to ascertain the connection between user and card. These are the techniques currently in use:
- Fingerprint analysis
- Hand geometry analysis
- Voice analysis
- Retina analysis
- Analysis of handwriting
- Analysis of characteristic facial features
Several of these methods are always combined with temperature and/or pulse analysis to prevent e.g. thumbs from being cut off the rightful owner of a smart-card and used for fingerprint analysis without the rest of the individual willingly participating in the verification procedure...
Because all of these methods are based on the availability of previously stored personal data, using smart-cards is the safest solution. This way the necessary personal data are stored only on the smart-card. In case this principle is used e.g. to provide controlled access to a highly secured part of a building, the security control computer is only given information about persons demanding access through the contents of their smart-cards. Whether or not to grant access to a particular person is based only on algorithmic methods using general rules and the information stored on the smart-card presented by the person. This way there is no central repository for important personal information that can be hacked or abused. Only the proper owner of the smart-card carries with him the confidential personal information pertaining to himself.
A number of points do detract from the overall good qualities of smart-card based systems. Precisely because the smart-cards are so secure, it is very difficult to verify which data are in fact stored on the card. Even if users were given free access to readers to check the personal data stored on the card, they would not be able to ensure that they were told the truth, because, due to the complexity of the smart-cards, only the information that the manufacturer or the corporation operating the smart-card system had decided to release would be shown. Thus, it is very simple to split the information storage in a smart-card into two compartments: one for public consumption and one that could be used to store data without the knowledge of the card holder, accessible only to a few persons, e.g. in the security or personnel department of a corporation.
Yet another privacy issue caused by the use of computer technology.