Smart cards in wireless

[email protected] 1

Smart cards in wireless

Guided By Miss Jagruti Goswami G.

Submitted By KANANI RAVIKANT ID NO : Y00 IT - 001 6TH I.T.

C.U.SHAH COLLEGE OG ENGG. & TECH. WADHWAN CITY 363 030

WADHWAN CITY
DIST : SURENDRANAGAR

CERTIFICATE

This is to certify that Mr. / Ms. _____KANANI RAVIKANT G. ______

is / are studying in Sem VI of B.E. Information Technology having Roll No. 19 has / have completed his / her / their seminar on the following topic successfully.

Topic Name : SMART CARDS IN WIRELESS

[email protected] 2

Smart cards in wireless

Staff Incharge

Head of Dept. (Miss Saroj

Bodar) Date : _________________

INDEX

TOPIC

PAGE NO.

1. introduction

3
2. overview

3
3. introduction to Smart Cards in wireless communications

5
4. easing logistical issues

6
[email protected] 3

Smart cards in wireless 5. Providing Value-Added services

6
6. Factors driving Smart Card acceptance

7
7. Smart Card ?

8
8. Classification of Smart Cards

9
9. Operating systems

12
10. Programming

12
11. Applications on Linux

14
12. Smart Card uses

15
13. Technology and players

16

[email protected] 4

Smart cards in wireless 14. Smart Card advantages

18
15. Marketing Opportunities

22
16. Drive toward cashless society

24
17. Smart card as a payment system

26
18. Smart Networking

27
19. Integrated and customized services

28
20. Agreeing upon standards : The last hurdle

32
21. Will Smart Card take off ?

34
22. Looking Ahead

35

[email protected] 5

Smart cards in wireless 23. The relation of Smart Cards with PKI

37
24. Further Information

39
25. To Do

40
26. Summary

40

1. Introduction
[email protected] 6

Smart cards in wireless Internet technologies, through intranet and extranet applications, have proven themselves to be efficient and effective in streamlining existing processes from supply chain management to manufacturing logistics, from marketing to customer asset management, and by creating new value chains and businesses. Nevertheless, these changes and benefits signal only an evolutionary shift in the way we do business. The Internet-enabled economy resembles the conventional physical market in many aspects. Some of the new technologies and applications may even be unnecessary. American consumers, for example, regard smart cards as a redundant payment mechanism when checks, credit cards and ATM cards do an adequate job for current needs. What is the use of smart cards? Do we really need them? Will they ever take off?

2. Overview
Today, the SIM cards basic functionality in wireless communications is subscriber authentication and roaming. Although such features may be achieved via a centralized intelligent network (IN) solution or a smarter handset, there are several key benefits that could not be realized without the use of a SIM card, which is external to a mobile handset. These benefitsenhanced security, improved logistics, and new marketing opportunitiesare key factors for effectively differentiating wireless service offerings. This tutorial assumes a basic knowledge of the wireless communications industry and will discuss the security benefits, logistical issues, marketing opportunities, and customer benefits associated with smart cards.

2.1. Smart Card Overview

The smart card is one of the latest additions to the world of information technology (IT). The size of a credit card, it has an embedded silicon chip that enables it to store data and communicate via a reader with a workstation or network. The chip also contains advanced security features that protect the cards data. Smart cards come in two varieties: microprocessor and memory. Memory cards simply store data and can be viewed as small floppy disks with optional security. Memory cards depend on the security of a card reader for their processing. A microprocessor card can add, delete, and manipulate information in its memory on the card. It is like a miniature computer with an input and output port, operating system, and hard disk with built-in security features. Smart cards have two different types of interfaces. Contact smart cards must be inserted into a smart-card reader. The reader makes contact with the card modules electrical connectors that transfer data to and from the chip. Contactless smart cards are passed near a reader with an antenna to carry out a transaction. They have an electronic microchip and an antenna embedded inside the card, which allow it to [email protected] 7

Smart cards in wireless communicate without a physical contact. Contactless cards are an ideal solution when transactions must be processed quickly, as in mass transit or toll collection. A third category now emerging is a dual interface card. It features a single chip that enables a contact and contactless interface with a high level of security. Two characteristics make smart cards especially well suited for applications in which security-sensitive or personal data is involved. First, because a smart card contains both the data and the means to process it, information can be processed to and from a network without divulging the cards data. Secondly, because smart cards are portable, users can carry data with them on the smart card rather than entrusting that information on network storage or a backend server where the information could be sold or accessed by unknown persons (see Figure). Figure. Information and Personalization

A smart card can restrict the use of information to an authorized person with a password. However, if this information is to be transmitted by radio frequency or telephone lines, additional protection is necessary. One form of protection is ciphering (scrambling data). Some smart cards are capable of ciphering and deciphering, so the stored information can be transmitted without compromising confidentiality. Smart cards can cipher into billions of foreign languages and choose a different language at random every time they communicate. This process ensures that only authenticated cards and computers are used and makes hacking or eavesdropping virtually impossible. The top five applications for smart cards throughout the world currently are as follows: [email protected] 8

Smart cards in wireless 1. public telephonyprepaid phone memory cards using contact technology 2. mobile telephonymobile phone terminals featuring subscriber identification and directory services 3. bankingdebit/credit payment cards and electronic purse 4. loyaltystorage of loyalty points in retail and gas industries 5. pay-TVaccess key to TV broadcast services through a digital set-top box The benefits of using smart cards depend on the application. In general, applications supported by smart cards benefit consumers where their lifestyles intersect with information access and payment-related processing technologies. These benefits include the ability to manage or control expenditures more effectively, reduce fraud and paperwork, and eliminate the need to complete redundant, time-consuming forms. The smart card also provides the convenience of having one card with the ability to access multiple services, networks, and the Internet.

3. Introduction to Smart Cards in Wireless Communications

Smart cards provide secure user authentication, secure roaming, and a platform for value-added services in wireless communications. Presently, smart cards are used mainly in the Global System for Mobile Communications (GSM) standard in the form of a SIM card. GSM is an established standard first developed in Europe. In 1998, the GSM Association announced that there are now more than 100 million GSM subscribers. In the last few years, GSM has made significant inroads into the wireless markets of the Americas. Initially, the SIM was specified as a part of the GSM standard to secure access to the mobile network and store basic network information. As the years have passed, the role of the SIM card has become increasingly important in the wireless service chain. Today, SIM cards can be used to customize mobile phones regardless of the standard (GSM, personal communications service [PCS], satellite, digital cellular system [DCS], etc.). Today, the SIM is the major component of the wireless market, paving the way to value-added services. SIM cards now offer new menus, prerecorded numbers for speed dialing, and the ability to send presorted short messages to query a database or secure transactions. The cards also enable greeting messages and company logotypes to be displayed. Other wireless communications technologies rely on smart cards for their operations. Satellite communications networks (Iridium and Globalstar) are chief examples. Eventually, new networks will have a common smart object and a universal identification module (UIM), performing functions similar to SIM cards. [email protected] 9

Smart cards in wireless

4. Easing Logistical Issues

All subscribers may easily personalize and depersonalize their mobile phone by simply inserting or removing their smart cards. The cards functions are automatically enabled by the electronic data interchange (EDI) links already set between carriers and secure personalization centers. No sophisticated programming of the handset is necessary. By placing subscription information on a SIM card, as opposed to a mobile handset, it becomes easier to create a global market and a distribution network of phones. These noncarrier-specific phones can increase the diversity, number, and competition in the distribution channel, which can ultimately help lower the cost of customer acquisition. Smart cards make it easier for households and companies to increase the number of subscriptions, thereby increasing usage. They also help to create a market for readyto-use preowned handsets that require no programming before use. Additionally, managing fraud is also eased by smart cards. In a handset-centric system, if a phone is cloned, the customer must go to a service center to have the handset reprogrammed, or a new phone must be issued to the customer. In a smart cardbased system, the situation can be handled by merely issuing a new card; customers can continue using their current phones. The savings in terms of cost and convenience to both carrier and customer can be substantial.

5. Providing Value-Added Services

One of the most compelling benefits of smart cards is the potential for packaging and bundling various complementary services around basic mobile telephony services. These services can greatly reduce churn and increase usage and brand recognition (see Figure).

[email protected] 10

Smart cards in wireless Figure Service Bundling with Smart Cards

The SIM cards chip can be programmed to carry multiple applications. The activation of new applications can be downloaded to the card over the air, in real time, thereby reducing the time (and cost) to market. Providing value-added services such as mobile banking, Web browsing, or travel services creates a high cost of exit for the customer. Long-distance companies have successfully used joint programs with airline companies to ensure the long-term loyalty of their customers. The more services a customer receives, the more difficult it is for the customer to leave the service provider. Smart cards provide an excellent vehicle for surrounding the core wireless service with these other valuable services, and packaging- and service-bundling opportunities are numerous. Examples of such opportunities are as follows:

GSM Cellnet and Barclaycard, Europes largest credit-card issuer, developed a wireless, financial-services smart card. The SIM card activates the users Cellnet GSM phone and also provides a Barclays services menu. The services available via this alliance include the following: o access to Barclays credit-card information o access to Barclays checking-account information o access to Barclays customer care Initially, the Barclaycard services will be provided via live customer service representatives who will answer calls from customers. Future enhancements will enable users to pay household bills, shop, and access financial information services while on the move.

[email protected] 11

Smart cards in wireless

Swedish bank PostGirot implemented a utility billpayment application in the Telia Mobitel SIM card. Mobile phone users accessed the service by simple menu navigation and keying information such as origin and destination bank-account numbers, date of payment, and amount, which enables them to pay their utility bills away from home.

6. Factors Driving Smart-Card Acceptance

6.1 Other Industries and Institutions
Certain industries, in particular information technology (IT), government, and financial services, will lead the way to mass-market acceptance of smart cards. Large IT players are deploying public key infrastructure (PKI) to provide secure logical access to information. PKI is becoming the way to secure messaging and browsing of private information, leading the way to secure electronic commerce. Smart cards are the ideal vehicle to transport the digital certificate associated with the trusted third parties of PKI infrastructures. They provide secure certificate portability and can combine other security applications such as disk file encryption and secure computer log-on. The inclusion of smart-card readers in the equipment listed in the PC99 recommendation has already driven large computer manufacturers to integrate smart-card readers into their product offer (for example, Hewlett Packard and Compaq). Government agencies around the world are relying on smart-card technology to secure off-line portable information, including identification documents and electronic benefit transfer systems. A Brazilian province has issued its drivers licenses on smart cards to allow the police to view securely stored ticket information immediately. The U.S. government is a major early adopter of smart cards. It has instituted numerous smart card identification programs for its defense department and recently announced that it will further explore the nationwide use of smart cards for electronic benefit transfers as a fraud reduction tool. In the financial industry, large players such as Barclays and Citibank currently use SIM cards to provide banking information to mobile users via their GSM phones. Electronic purse systems based on VisaCash, Mondex, Proton, and other schemes are deployed around the world and account for tens of millions of cards in Asia, Europe, and Latin America. Major U.S. banks are considering or conducting trials of smart card-based systems. The push by these major financial services firms will serve to accelerate consumer acceptance.

6.2 Consumers Primed to Use Smart Cards

[email protected] 12

Smart cards in wireless Research conducted by the Smart Card Forum, an interindustry association dedicated to advancing multiapplication smart cards, has generated the following statistics:

45 percent of consumers are favorably disposed to using smart cards 25 percent of households would actually obtain these smart cards 44 percent of consumers are likely to use identification-type smart cards (telephone cards, gas cards, automated teller machine [ATM] cards, etc.)

7 Smart Card?
A smart card is a credit-card sized plastic card embedded with an integrated circuit chip that makes it "smart". This marriage between a convenient plastic card and a microprocessor allows an immense amount of information to be stored, accessed and processed either online or offline. Smart cards can store several hundred times more data than a conventional card with a magnetic

stripe. The information or application stored in the IC chip is transferred through an electronic module that interconnects with a terminal or a card reader. A contactless smart card has an antenna coil which communicates with a receiving antenna to transfer information. Depending on the type of the embedded chip, smart cards can be either memory cards or processor cards.

8. Classification of Smart Cards

Due to the communication with the reader and functionality of smart cards, they are classified differently. [email protected] 13

Smart cards in wireless

8.1. Contact vs Contactless

As smart cards have embedded microprocessors, they need energy to function and some mechanism to communicate, receiving and sending the data. Some smart cards have golden plates, contact pads, at one corner of the card. This type of smart cards are called Contact Smart Cards. The plates are used to supply the necessary energy and to communicate via direct electrical contact with the reader. When you insert the card into the reader, the contacts in the reader sit on the plates. According to ISO7816 standards the PIN connections are below:
,----, | C1 | '----' ,----, | C2 | '----' ,----, | C3 | '----' ,----, | C4 | '----' ,----, | C5 | '----' ,----, | C6 | '----' ,----, | C7 | '----' ,----, | C8 | '----' C1 C2 C3 C4 : : : : Vcc = 5V Reset Clock RFU C5 C6 C7 C8 : : : : Gnd Vpp I/O RFU

I/O : Input or Output for serial data to the integrated circuit inside the card. Vpp : Programing voltage input (optional use by the card). Gnd : Ground (reference voltage). CLK : Clocking or timing signal (optional use by the card). RST: Either used itself (reset signal supplied from the interface device) or in combination with an internal reset control circuit (optional use by the card). If internal reset is implemented, the voltage supply on Vcc is mandatory. Vcc : Power supply input (optional use by the card).

The readers for contact smart cards are generally a separate device plugged into serial or USB port. There are keyboards, PCs or PDAs which have built-in readers like GSM cell phones. They also have embedded readers for GSM style mini smart cards. Some smart cards do not have a contact pad on their surface.The connection between the reader and the card is done via radio frequency (RF). But they have small wire loop embedded inside the card. This wire loop is used as an inductor to supply the energy to the card and communicate with the reader. When you insert the card into the readers RF field, an induced current is created in the wire loop and [email protected] 14

Smart cards in wireless used as an energy source. With the modulation of the RF field, the current in the inductor, the communication takes place. The readers of smart cards usually connected to the computer via USB or serial port. As the contactless cards are not needed to be inserted into the reader, usually they are only composed of a serial interface for the computer and an antenna to connect to the card. The readers for contactless smart cards may or may not have a slot. The reason is some smart cards can be read upto 1.5 meters away from the reader but some needs to be positioned a few millimeters from the reader to be read accurately. There is one another type of smart card, combo card. A combo card has a contact pad for the transaction of large data, like PKI credentials, and a wire loop for mutual authentication. Contact smart cards are mainly used in electronic security whereas contactless cards are used in transportation and/or door locks.

8.2. Memory vs Microprocessor

The most common and least expensive smart cards are memory cards. This type of smart cards, contains EEPROM(Electrically Erasable Programmable Read-Only Memory), non-volatile memory. Because it is non-volatile when you remove the card from the reader, power is cut off, card stores the data. You can think of EEPROM, inside, just like a normal data storage device which has a file system and managed via a microcontroller (mostly 8 bit). This microcontroller is responsible for accessing the files and accepting the communication. The data can be locked with a PIN (Personal Identification Number), your password. PIN's are normally 3 to 8 digit numbers those are written to a special file on the card. Because this type is not capable of cryptography, memory cards are used in storing telephone credits, transportation tickets or electronic cash. Microprocessor cards, are more like the computers we use on our desktops. They have RAM, ROM and EEPROM with a 8 or 16 bit microprocessor. In ROM there is an operating system to manage the file system in EEPROM and run desired functions in RAM.

[email protected] 15

Smart cards in wireless

---------------| 8 or 16 bit | Reader <===| microprocessor |-----+ ---------------| | |---> RAM NON-CRYPTOGRAPHIC | CARD |---> ROM | +---> EEPROM

As seen in the diagram above all communication is done over the microprocessor, There is no direct connection between the memory and the contacts. The operating system is responsible for the security of the data in memory because the access conditions are controlled by the OS.
----------------------| 8 or 16 bit | | Crypto | Reader <===| microprocessor |-----------| Module | ---------------| -------| |---> RAM CRYPTOGRAPHIC | CARD |---> ROM | +---> EEPROM

With the addition of a crypto module our smart card can now handle complex mathematical computations regarding to PKI. Because the internal clock rate of microcontrollers are 3 to 5 MHz, there is a need to add a component, accelerator for the cryptographic functions. The crypto-cards are more expensive than non-crypto smart cards and so do microprocessor card than memory cards. Depending on your application you should choose right card.

8.3. PC cards
While any IC-embedded card may be called a smart card, its distinguishing feature is its use for personal activities. For example, PC cards (also known as PCMCIA cards) have the same characteristics as a smart card but they are used as peripheral devices such as modems or game cartridges. These PC cards are seldom called smart [email protected] 16

Smart cards in wireless cards since they are extension devices without personalization. In this sense, a smart card is a processor card that allows persons to interact with others digitally to conduct transactions and other personal activities.

9. Operating Systems

New trend in smart card operating systems is JavaCard Operating System. JavaCard OS was developed by Sun Microsystems and than promoted to JavaCard Forum. Java Card OS is popular because it gives independence to the programmers over architecture. And Java OS based applications could be used on any vendor of smart card that support JavaCard OS. Most of the smart cards today use their own OS for underlying communication and functions. But to give true support for the applications smart cards operating systems go beyond the simple functions supplied by ISO7816 standards. As a result porting your application, developed on one vendor, to another vendor of smart card becomes very hard work.Another advantage of JavaCard OS is, it allows the concept of post-issuance application loading. This allows you to upgrade the applications on smart card after delivering the card to the end-user. The importance is, when someone needs a smart card he/she is in need of a specific application to run. But later the demand can change and more applications could be necessary. Another operating system for smart cards is MULTOS (Multi-application Operating System). As the name suggests MULTOS also supports multi-applications. But MULTOS was specifically designed for high-security needs. And in many countries MULTOS has achieved "ITSec E6 High" in many countries. And also Microsoft is on the smart card highway with Smart Card for Windows. In a point of view the above Operating Systems are Card-Side API's to develop cardlets or small programs that run on the card. Also there is Reader-Side API's like OpenCard Framework and GlobalPlatform.

10. Programming
10.1. CT-API
[email protected] 17

Smart cards in wireless This API depends on the card terminal used, but supplies generic functions that allow communication with memory cards and processor cards. This API is a low level interface to the reader. But still used because it complies with the ISO7816 standards and have a simple programming logic resembling assembly. You just send code byes along with the data packets and receive the response.

10.2. PC/SC
PC/SC Workgroup is responsible for the development of the PC/SC Specifications. Under Windows, MacOS and Linux corresponding APIs could be found. Under Linux, pcsc-lite suit could be downloaded from http://www.linuxnet.com/.

10.3. OpenCard
OpenCard Framework, OCF, is an object-oriented framework for smart card communications. OCF uses Java's inter-operability between environments to deploy architecture and APIs for application developers and service providers.

10.4. GlobalPlatform
GlobalPlatform was formed in 1999 by organizations those were interested in issuing multiple application smart cards. The major goal of GlobalPlatform is to define the specifications and infrastructure for multi-application smart cards.

10.5. To Sum Up
As you could understand from above, the standardization period of smart cards is not finished. The demand on smart cards is growing on the basis of end-user and developer. In my opinion, if you are a developer or in a decision making position, you should carefully analyse all the standards as well as the companies manufacturing smart cards. As a developers point of view, in the near future I think, Java will evaluate itself as the standard because of portability and crossplatform uses in spite of its slowness and fast evolution.

[email protected] 18

Smart cards in wireless

11. Applications on Linux

In this section there will be applications that uses smart cards for some reason on Linux environment. If you are a developer of a software and your development environment is Linux please let me know. I will add you in the list.

11.1. scas
SCAS is a simple program that checks the code inside the card with the code inside the computer. As an example of showing a way of authentication with memory cards scas is very good.

11.2. smartcard
smartcard is a general smart card utility in Linux which uses CT-API. With smartcard utility you can read/write data from/into smart cards. As long as your reader can be accessed via CT-API, smartcard can be used to control the reader. Currently smartcard could only be used with memory cards using I2C or 3W protocols. There is also a GTK+/Gnome graphical front end which support all functions of smartcard utility.

11.3. ssh-smart
ssh-smart is a basic proof-of-concept of ssh identity on smart card, as the author says. ssh-smart uses smartcard utility to communicate with the smart card. Basically, ssh-smart-add tool (perl script) call ssh-keygen to generate RSA public and private keys. Than puts the private key on the memory card. Later the ssh-smart-addagent tool can be used to extract the private key from the card to use with ssh-agent.

11.4. smarttools-rsa
This is another PAM Module for Unix systems but supports RSA authentication through your private key on the smart card. You must have a Schlumberger [email protected] 19

Smart cards in wireless Cyberflex Access card or Schlumberger Cryptoflex for Windows Card and a working reader to use this tool.

11.5. smartsign
This utility is some-complete PKI integration with the smart cards. To use you must establish a working OpenCA and have Schlumberger's "Cyberflex Access 16K" smart cards. During the certification process of OpenCA, private key and public certificate can be stored on the smart card and private key, later, could be used with Netscape to sign outgoing mails and news. Also smartsign supports authentication of local users via a PAM Module through a public key authentication. Smartsign comes with gpkcs11, a PKCS#11 implementation, smastsh, a command line shell that allows browsing smart card contents, sign_sc/verify_sc to sign and verify any file with smart card.

11.6. CITI Projects

At CITI, Center for Information Technology Integration of Michigan University, there are some new projects. For example, Webcard is a web server running on a Schlumberger Cyberflex Access Java Card. Features a stripped TCP/IP stack that supports HTTP only. The system is designed to have a router which frames IP packets in ISO7816 and a Java Virtual Machine in the card. Detailed technical report can be found at http://www.citi.umich.edu/projects/smartcard/webcard/citi-tr99-3.html

12. Smart Card Uses

Literally, billions of smart cards are already in use. Worldwide smart card sales could reach 1.6 billion units in 1998, up 23% from 1.3 billion units in 1997. Western Europe accounts for about 70% of the current smart card uses, followed by South America and Asia with about 10% each, while North America languishes at less than 5%. However, most smart cards issued today are memory cards (see Table) with limited processing capabilities. Still, hundreds of millions of processor cards are already in use today.

Smart Cards Issued in 1996 (in million units) ____________________________________

[email protected] 20

Smart cards in wireless

Phone cards 605 Health cards 70 Banking 40 ID/access cards 20 Pay TV cards 20 GSM cards (mobile phone) 20 Transportation 15 Metering/vending 10 Others 10 -----------------------------------Total 810 ____________________________________ Source: Smart Card Industry Association

Phone cards have become ubiquitous in Western Europe and Asia where coinoperated public phones are becoming nearly obsolete. These pre-paid cards increase payphone operator revenues, allow more sophisticated transactions via public phones, and have become advertising devices as well as collector's items. Although the popularity of phone cards contributed to a widening acceptance of smart cards by consumers, however, processor cards are projected to be the fastest growing smart card uses by the year 2000.

Projected Growth of Smart Cards

Source: The Smart Card Cyber Show

[email protected] 21

Smart cards in wireless

13. Technology and Players

For smart cards to carry out applications, several components must come together. The technology of smart cards include four critical segments.

13.1. Card Manufacturers

A smart card begins with a micro-controller produced by semiconductor manufacturers such as Siemens, Motorola and Thomson. This integrated circuit chip is attached to an electronic module by inserting into a cavity on the module. Then, terminals between the chip and the electronic module are interconnected. Finally, the chip-embedded electronic module is glued to a plastic card. The global leader in card manufacturing is Schlumberger who sold about half of all smart cards in use in 1997. A close second is Gemplus followed by Bull and De La Rue of France.

13.2. Card Terminals and Readesr

Smart cards may be read by conventional card reader or by wireless terminals. New devices similar to a floppy disk allow smart cards to be read by PC disk drive. Suppliers of POS and ATM card readers have expanded into smart card readers for their product lines, where some worldwide consolidation is occurring. For example, a market leader Grupe Ingenico is buying another player De La Rue of France.

13.3. Interface between Card and Terminal (API)

Electronic modules embedded in smart cards have contacts by which messages are exchanged between the card's IC chip and the card reader. International standards such as ISO 7816 have specified which contact handles what type of data but applications must be programmed to manage message exchanges that can be used by networked processors. An interoperable and multi-platform application programming interface (API) is critical for smart cards to carry out diverse functions. Open standards such as Java smart card API provides one of several proposed interfaces. Java Card API in particular offers a development tool for flexible, multi-platform applications"Write Once, Run Anywhere"for devices ranging from Network Computers, Web TV, smart phones and other consumer appliances. The industry leader Schlumberger, for example, has introduced EasyFlex and FastOS based on Java API. [email protected] 22

Smart cards in wireless

13.4. Applications
The ultimate utility of smart cards is in the functions they carry outfor example, payment process, identification, network computing, health care management, benefits distribution and so on. Application programs handle data read by smart card readers and forward them to central computers located at the other end of the smart card infrastructure such as payment servers in banks, traffic control centers or mobile phone centers, credit card companies, transit authorities, governments, Microsoft and other service providers. Market players and stake holders in this end game for smart cards include a wide variety of firms and institutions including card issuers, content providers, Visa and MasterCard, banks, government agencies, security implementers such as Lucent Technologies, electronics manufacturers such as NEC, and service providers who want to exploit advantages of smart card technologies.

14. Smart Card Advantages

[email protected] 23

Smart cards in wireless Compared to conventional data transmission devices such as magnetic-stripe cards, smart cards offer enhanced security, convenience and economic benefits. In addition, smart card-based systems are highly configurable to suit individual needs. Finally, the multifunctionality as payment, application and networking devices renders a smart card as a perfect user interface in a mobile, networked economy.

14.1. Customer Benefits

14.1.1 Full Portability of Services The smart card effectively breaks the link between the subscriber and the terminal, allowing the use of any properly equipped terminal and helping to realize the wireless promise of any-time, anywhere communications. In fact, subscribers need not be constrained to using voice terminals only. A variety of other mobile communications devices such as personal digital assistants (PDAs) and personal intelligent communicators (PICs) are available that may have voice communications added as an integral part of their capabilities. If these other devices are equipped for smart cards, the potential for communications is increased. Similarly, data communications applications could benefit from the security features inherent in smart cards. 14.1.2 International Roaming Wireless customers often require the ability to place and receive calls when traveling abroad. For these customers, international roaming enabled by smart cards is quite valuable. For example, Ameritech, AT&T, and GTE have all instituted international roaming programs using GSM phones and smart cards. The program uses co-branded smart cards, which corporate customers bring with them when they travel abroad. Customers are given a telephone number from a GSM carrier, which allows them to be contacted in any of the countries that have international roaming agreements. 14.1.3 Intersystem Roaming The incompatibility of different communications radio interfaces and authentication protocols (time division multiple access [TDMA], code division multiple access [CDMA], GSM, personal digital cellular [PDC], mobile satellite systems, etc.) requires subscribers to make choices that constrain them to use only one particular type of handset that works with only one radio interface. With a smart card, it becomes possible for subscribers to use one handset for different interfaces and protocols. This feature is already implemented among the three frequencies used by the GSM platform (900, 1800, and 1900 MHz). American National Standards Institute (ANSI) telephone industry price index (T1P1).3 has recommended [email protected] 24

Smart cards in wireless standards for a user identity module, a smart card that can be used with the major radio access methods. Thus, it becomes conceivable to have current GSM smart cards modified so that they can work with a CDMA handset. For example, North American GSM operators have designed a process to which the SIM holds both the GSM and advanced mobile phone service (AMPS) authentication algorithm and data to provide authentication on both networks in interroaming situations. 14.1.4 Multiple Services on a Single Card As mentioned earlier, maximum value is realized by the subscriber when multiple applications are stored on a single card (see Figure). A multiapplication smart card could provide access to airline reservation and ticketing systems and information networks, as well as a mobile telephone service. Considering the many cards that the average person carries these days (i.e., numerous credit cards, debit cards, employee ID cards), integrating more applications into a single card (or at least fewer cards) has obvious appeal and benefits. It is important to note that there is clear interest on the part other industries to package their services with mobile telephony. For example, research by Citibank indicates clearly that a substantial percentage of the company's customers would like to be able to conduct its banking on a variety of platforms, including wireless. Such services are already available using a standardized toolbox for smart-card application creation.

14.1.5 Separation of Business and Personal Calls The smart card allows customers to be billed separately for personal and business calls made on a single phone. For example, Airtel, a Spanish GSM operator, uses a SIM card with two sets of subscription informationone for corporate and the other for personal use. Airtels dual SIM cards have been well received in the corporate market. [email protected] 25

Smart cards in wireless

14.2 Enhanced Security Benefits

SIM cards have several features that enhance security for wireless communications networks. Smart-card supporters point to the potential of limiting or eliminating fraud as one of their strongest selling points. SIM cards provide a secure authentication key transport container from the carriers authentication center to the end-users terminal. Their superior fraud protection is enabled by hosting the cryptographic authentication algorithm and data on the cards microprocessor chip. SIM cards can be personal identification number (PIN) protected and include additional protection against logical attacks. With added PIN code security, SIM cards offer the same level of security used by banks for securing off-line payments. Because the home networkauthentication algorithm also resides in the card, SIM cards make secure roaming possible. They can also include various authentication mechanisms for internetwork roaming of different types. Complete fraud protection (with the exclusion of subscription fraud) can only be provided in the context of a complete security framework that includes terminal authentication, an authentication center, and authentication key management. Smart cards are an essential piece of this environment, but only the complete architecture can allow fraud reduction and secure roaming. Finally, it should be noted that biometric smart-card applications such as voice or fingerprint recognition could be added to provide maximum fraud prevention. Smart cards could then combine the three basic security blocks of possession, knowledge, and characteristics (see Figure ).

[email protected] 26

Smart cards in wireless

14.3 Convenience
One use of the old fashioned memory cards is to replace various identification cards. Smart cards will combine paper, plastic and magnetic cards used for identification, automatic teller machines, copiers, toll collection, pay phones, health care and welfare administration. Universities, firms and governments rely on smart identification cards since they can contain more detailed data and enable many services to be integrated. Health care cards, for example, reduce document processing costs by allowing immediate access to personalized patient information stored in smart cards. Most other smart card uses combine identification function with specialized purposes as in military PX cards, government's Electronic Benefit Transfer cards, and university ID cards that are also used to pay for food and photocopies.

14.4 Economic Benefits

Smart cards reduce transaction costs by eliminating paper and paper handling costs in hospitals and government benefit payment programs. Contact and contactless toll payment cards streamline toll collection procedures, reducing labor costs as well as delays caused by manual systems. Maintenance costs for vending machines, petroleum dispensers, parking meters and public phones are lowered while revenues could increase, about 30% in some estimates, due to the convenience of the smart card payment systems in these machines.

14.5 Customization
A smart card contains all the data needed to personalize networking, Web connection, payments and other applications. Using a smart card, one can establish a personalized network connection anywhere in the world using a phone center or an information kiosk. Web servers will verify the user's identity and present a customized Web page, an e-mail connection and other authorized services based on the data read from a smart card. Personal settings for electronic appliances, including computers, will be stored in smart cards rather than in the appliances themselves. Phone numbers are stored in smart cards instead of phones. While appliances become generic tools, users only carry a smart card as the ultimate networking and personal computing device.

14.6 Multifunctionality
The processing power of a smart card makes it ideal to mix multiple functions. For example, government benefit cards will also allow users access to other benefit [email protected] 27

Smart cards in wireless programs such as health care clinics and job training programs. A college identification card can be used to pay for food, phone calls and photocopies, to access campus networks and to register classes. By integrating many functions, governments and colleges can manage and improve their operations at lower costs and offer innovative services.

15 Marketing Opportunities

In addition to the value-added services they can provide, smart cards provide many marketing opportunities to network operators.

15.1 Brand Recognition

Smart cards provide a means for greater brand exposure and reinforcement. The cards can be considered mini-billboards, providing frequent opportunities for the customer to be exposed to a brand name. Compared to other advertising media, they provide a cost-effective vehicle for achieving a high number of brand exposures to a targeted audience. Network operators with limited brand recognition can co-brand their cards with companies with greater brand equity to strengthen their market positions.

15.2 Customer Loyalty Programs

Smart cards can play an extremely valuable role in a carriers customer retention efforts. The data on a smart card is a digital representation of the customers habits; i.e., number of calls, services accessed, merchandise purchases, etc. This rich database of customer information makes it possible for network operators to develop highly targeted or one-to-one marketing. Carriers are then able to provide services and offerings particularly suited to their customers, increasing customer loyalty to the carrier.

15.3 Direct Marketing

With their convenient form factor, smart cards can be used in direct-mail campaigns to sell wireless subscriptions, both for prospecting and subscription renewal. Using temporary or prepaid smart cards, network operators have a low-cost channel for [email protected] 28

Smart cards in wireless selling their services. In addition, subscription changes, renewals, and upgrades are easily handled by sending new cards in the mail (see Figure 4). Figure 4. A Direct Marketing Scenario

15.4 Advertising
Two services, used in conjunction with smart cards, provide network operators with possibilities for highly targeted advertising. Short message service (SMS) and cell broadcast leverage smart cards to send advertising or informational messages that appear on the handset display to wireless users.

15.5 Trial Subscriptions

Smart cards are an ideal vehicle for trial subscriptions. Programmed as prepaid cards, they can attract new customers to try wireless services with limited, defined financial risk for both the network operator and the consumer.

15.5 Incidental Revenues

[email protected] 29

Smart cards in wireless Network operators issuing smart cards can generate additional revenue by selling memory space on the card to other companies. For example, available space can be sold to gas stations so that the smart card can also be used as a debit card for gas purchases. The cards surface can also be used for imprinting the participating companys brand, for which the carrier can receive fees for space advertising.

16. Drive Toward Cashless Society

Smart cards were first developed as a payment method to simplify small value transactions. Commonly called as a stored-value card, the data contained in a smart card represents a monetary value that can be added or reduced as transactions are carried out. This has proven to be useful in Western Europe and Asia where public transportation and public phones are widely used. In North American, the popularity of checks, credit cards and debit cards makes smart cards a less attractive alternative. But in countries where the public phone system is less than optimal, a smart card-based payment system offers convenience without increasing investment in phone infrastructure. In some countries, the increasing use of smart cards is also leading to advancements in banking services and the acceptance of credit and debit cards by consumers.

16.1 Benefits
A cost effective, secure and convenient alternative to cash transactions is needed as cash is still the most important payment method in terms of number of transaction. Over 80% of transactions are made in cash. Smart cards offer several advantages over checks and credit cards:

Reduced handling costs Improved ease of use Lowered costs in infrastructural supports such as banking system and phone networks Versatility of combining credit, debit and stored value cards in one convenient platform Lower transaction costs Ability to carry out offline, online and peer-to-peer transactions

[email protected] 30

Smart cards in wireless

16.2 Mondex International and Mondex Cards

The world leader in smart card payment system is Mondex International which is the international franchising organization that licenses its right to a local Mondex originator in each country. A Mondex originator then creates electronic cash units serving as a given nation's currency. In each country, several Mondex issuers actually issue, distribute and resell cards to consumers. The Mondex card functions as an electronic purse that downloads and stores cash values. Mondex cards are read at time of transaction verified either through telephone line, on site through Mondex wallets which allow transfers between cards, or via the Internet by inserting the card into a standard smart card reader connected to a PC.

Mondex is one of several electronic cash payment systems. Other systems such as DigiCash are purely a form of electronic cash developed for online transactions. However, differences between pure electronic cash and smart card (stored value) based payment system are increasingly less obvious since electronic cash can be stored in a smart card and exchanged offline and a Mondex card reader can be connected to a personal computer allowing online transactions.

[email protected] 31

Smart cards in wireless

17. Smart Cards As a Payment System

A payment function is an integral part of most smart card applications because most services accessible by smart cards must be paid one way or the other. But before smart cards are widely used as a preferred payment method in electronic commerce, two outstanding issues must be resolved:

legal protection for loss and fraud demand and supply for microtransactions

17.1 Legal Protection and Liability

Currently, a cash balance stored in Mondex is not insured or protected against loss or theft. In comparison, a credit card user is liable only to a minimum determined by legislation such as Regulation E. Being a cash equivalent, however, a stored value on a Mondex card is not recoverable if the card is lost or stolen. Several electronic cash payment systems guard against such losses by an elaborate encryption mechanism or a required authentication in each transaction. They, however, add significant transaction costs minimizing their advantages over cash or checks. A cost effective guarantee or assurance on stored values must be established to protect consumers. But legal opinions regarding the liability and rights of issuers and users of electronic cash vary widely. In general, online stored value systems which do not rely on smart cards may be protected by existing Federal Reserve regulations as long as the funds are considered to be in consumer deposit accounts. Offline systems are left to voluntary arrangements between card issuers or financial institutions and consumers.

17.2 Microtransactions and Micropayments

A more convenient, low-cost payment method is necessary for low-value transactions. There are many examples of micropayments already in use: toll and bus fare collections, copy machine payments, parking meters and vending machines. Coins and tokens used in all of these examples can be substituted by smart cards. However, will there be substantial demand for microtransactions and micropayment methods in electronic commerce? The answer will depend on how information and other digital products are sold online. Bundling and subscription plans are based on [email protected] 32

Smart cards in wireless aggregating small charges into a periodic bill that is large enough to utilize conventional credit card payments. If sellers and consumers prefer to aggregate products and services, there will be little need for a flexible payment system. On the other hand, unbundling and customizing products require a payment system which can facilitate small charges, for example one or two cents for a Web page. Before smart cards and electronic cash are used widely, the demand for, and supply of, microproducts and microtransactions must precede. Even when these issues are resolved and smart cards become a preferred payment method for electronic commerce, the excitement over smart card technologies and the ready embrace by many developers of these technologies are due more to the explosion of applications than to being a convenient form of payment. The smart card platform has already expanded into the mainstream computing and commercial arena as a versatile technology to implement innovative services in a mobile network.

18. Smart Networking

A smart card as an interoperable computing device has become the ultimate utility of processor cards. Today's networked societies revolve around accessing the worldwide information superhighways. As more people log-in to the network and more and more activities take place through networks, online security is of utmost importance. Smart card technologies provide strong security through encryption as well as access control based on identification technologies such as biometrics. Information kiosks and phone booths equipped with smart card readers will become network centers. Smart cards are the worlds smallest mobile computers. Mobile Communications By the year 2000, global mobile networks will enable a real time connection to anywhere, anytime. Global networks based on low earth orbiting satellites such as Teledesic and Iridium are in the works or already in operation. Mobile phones are gearing up to be a truly global communications network via Global Services for Mobiles (GSM) system. Phones come equipped with a smart card slot to enable integrated services. For example, Schlumberger's SIM (Subscriber Identification Module) card can take care of call personalization, payment, security and other services such as linking your phone with your PC using [email protected] 33

Smart cards in wireless a GSM phone. A smart network can also operate through a reader terminal installed at home or in offices, at a convenient store or a gas station, at an information kiosk in libraries or a phone center at airports or even on a remote hiking trail.

19. Integrated and Customized Services

Smart cards go beyond replacing existing cards. Smart cards are interface devices that allow users to digitally interact with firms, consumers and products in the networked world. Smart cards are closer to a personal mobile computer. Electronic Ticketing Traffic management and fare collection systems often impose heavy operating costs in public transit systems and toll highways. Prepaid cards have proven to be very effective and popular in saving time and resources in managing traffic and passenger flows and improving services. Contactless smart cards send data via radio frequency waves eliminating long lines. The amount of information on smart cards also allow new type of services which are customized for specific groups of users, and the user data can be collected and analyzed by a central server further improving services. Such ticketing systems can also be used in sports arenas, concert halls, amusement parks and other venues processing admissions.

[email protected] 34

Smart cards in wireless

Smart Vending Smart card vending systems are used for petroleum dispensors, various vending machines and parking meters. Smart card-based vending systems not only simplify payment processes but also enable customized services. For example, a smart parking meter can charge a fraction of a minute or levy different amounts depending on the customer profile, time of day or zones. Smart vendors also provide marketing incentives such as discounts and coupons to reward loyal customers based on purchasing behaviors. Smart vending thus allows a total integration of payment, marketing and services in a networked enterprise. Example: "The Smart Village" [email protected] 35

Smart cards in wireless The Smart Village envisioned by Schlumberger, the largest smart card seller, illustrates the vision of a networked world where smart card-based services and products inhabit our every day lives. This smart marketplace includes: GSM payphones and mobile telecommunication, private site smart pay phones, smart ticket vending machines at transit terminals, smart pay and display units at parking lots, smart fuel dispenser at gas stations, contactless, remote and prepaid card terminals in retail locations, smart health care management and network access based on secured, personalized smart cards.

Example: Resort and Park Management Smart resort cards issued and managed by Leapfrog Smart Products Inc. are smart cards that allow cashless transactions in RV parks for in-park transactions that include admission and usage fees as well as vending and laundry services. Cards are also used to record annual membership payments, to grant physical access to the [email protected] 36

Smart cards in wireless park, and to store information such as medical records for emergency usage. Several loyalty programs such as coupons and reward vouchers are also stored and managed on the cards. The infrastructure required for such an integrated service is relatively simple: doors and gates, POS terminals in each RV park, vending machines and washers are retrofitted to accept 8K Gemplus cards which cost about $10.75 each. Operational benefits, as elaborated by Leapfrog, include:

increased gross revenues decreased pilfering and fraud decreased administrative cost increased security streamlined accounting procedures increased overall profit

Example: Performance Art Revue [email protected] 37

Smart cards in wireless When customer profiles, product information and payment data are combined, a simple smart card becomes a versatile operating, marketing and management tool. One Yellow Rabbit Performance Theatre of Calgary, Canada, has introduced smart card-based season tickets. Using StarGenix smart cards, the season pass is a convenient and cost-saving ticketing and stored-value system. The card contains ticket, performance, reservation and cardholder information as well as a stored-value component redeemable for bar service and the theatre's products sold at its stores.

20. Agreeing upon Standards: The Last Hurdle

[email protected] 38

Smart cards in wireless The key ingredient for smart cards to succeed is interoperability and standardization in hardware and applications. Without such standards, potential card issuers and users take a severe risk in investing in new technologies that may not be compatible with future generation technologies. Hardware standards have been an integral part of smart card development in the last few years while application specific standards have only begun to emerge.

20.1 Hardware Standards

Hardware standards specify physical and communications dimensions of smart cards. International Standard Organization (ISO) 7816 is a global standards which lay out physical characteristics of cards and contacts, transmission protocols, interindustry commands for interchange and rules for applications and data elements. ISO 10536 specifies similar characteristics for contactless cards. Several other ISO standards have been developed or under review which control local and global interchange message specifications, card accepting devices and security architecture.

20.2 Application Standards

Application-centered standards are developed to resolve communications and data exchange conflicts between the cards and the institutions which process these data. By limiting to specific solutions, these standards often include both hardware and application standards. For example, electronic purse standards (CEN, Mondex or EMV) describe card's physical characteristics, data and application interfaces and transaction procedures that involve financial institutions. Payment standards such as Secure Electronic Transaction (SET) or Chip-Secure Electronic Transaction (CSET) are protocols which facilitate exchanging and validating transaction data. For mobile communications based on smart cards, European ETSI standards provide a basic framework under Global Services for Mobiles (GSM) based on Subscriber Identification Module (SIM).

20.3 Local Standards

As more industry-specific applications appear, local standards are evolving to manage integrated transactions between end users' smart cards and processing institutions. Such standards eliminate the need for expensive and inflexible custom interfaces and allow industry-wide integration. For example, health care card standards intend to create a common computing framework to identify patients, [email protected] 39

Smart cards in wireless query their medical data, process payments and allow health care management in a distributed environment. The health care industry is also developing Electronic Medical Record standards to facilitate technological developments and applications. Smart card technologies are only a harbinger of things to come. To maximize their usefulness and promote wider acceptance by users, standards across industry users must be available whether it is for traffic management, electronic benefit transfers, health care or travel services.

20.4 Network Computing Standards

With the exponential growth in computing power and a drive toward miniaturization, smart cards will ultimately function as a mobile networking interface for personal use. A group of technology companies under the OpenCard Framework is now working to extend industry standards for network computer into smart cards. A smart card in this capacity is inserted to Network Computers, public phone booths, networked information

kiosks and LAN terminals to become your personal computer. A key element in allowing smart cards as a computing platform is an interoperable operating system or an application programming interface which can be incorporated into smart cards' processors. A leading candidate is Sun Microsystems' Java smart card API which allows developers to create multi-platform applications. The much-hyped Network Computers could become terminals that accept Java-enabled smart cards.

21 Will Smart Cards Take Off?

Unlike European and Asian consumers, Americans seem to be reluctant to swap their credit cards and ATM cards with smart cards. An average consumer in the U.S. uses his or her ATM cards 15 times per month according to a Star Systems, Inc., survey, and the increased use of cards at POS terminals is the single most important factor in this trend. Compared to this growing trend toward using plastic cards, the reluctance in using smart cards stems primarily from the public's perception of smart cards as an electronic payment system. Although ATM card holders report "some interest" in using smart cards, security is the primary concern in storing money on their cards. Several pilot programs, however, are introducing the versatility of smart cards to consumers. [email protected] 40

Smart cards in wireless

21.1 Smart Card Pilots

Several large scale pilot projects are aimed at testing the future acceptance of smart cards. The most publicized try-out during the 1996 Atlanta Summer Olympics had a mixed result. Regardless, transit authorities in San Francisco, Washington, D.C., and Finland are rolling out smart card systems for transit management. 120,000 members of Quebec Soccer Federation of Canada will soon be using smart cards for registration at tournaments, at McDonald's restaurants, and for several promotional and reward programs. States of Ohio and Wyoming are testing smart card technologies to deliver government benefit payments.

21.2 Long-Term Benefits of Smart Cards

Despite growing interests, smart card-based systems are not entirely cost effective compared to many alternatives when one considers only the immediate costs and benefits. For example, a welfare benefit distribution program using magnetic-stripe cards cost less than smart card-based systems due to initial capital investment and the cost of cards. Nevertheless, long-term benefits are substantial. Ohio expects to reduce its monthly cost of benefit distribution from $3.84 to $2.89 per household by using smart cards. In addition, transaction data associated with smart cards allow the state to cut down benefit frauds and abuses substantially.

Larger and more important benefits are less obvious at this stage of smart card technologies. Most smart card applications available today seem only to duplicate functions carried out successfully and effectively by existing methods. The advanced banking and financial systems and efficient communications networks in the U.S. work against adopting smart cards. Like cellular phones which may be useful in less developed countries with limited phone lines and high communications costs, smart cards are readily accepted in countries where consumers and businesses do not trust checks and other debt instruments, or there is a high incidence of inflation, fraud, crime and other factors favoring cash. For smart cards to gain a wider acceptance, interoperable hardware, simple user interface and more applications must appear to satisfy consumers who expect to use the same card in different retail outlets and for different purposes. Considering that Java smart card API was introduced in 1996, smart card technologies do have enormous potential to become the next killer application for the digital economy.

[email protected] 41

Smart cards in wireless

22. Looking Ahead

The future prospect for smart cards critically depends on introducing multifunctional cards and overcoming the simplistic view of smart cards as a payment medium. The Internet as a distributed and interoperable computing network provides a perfect setting for smart cards to become the ultimate network computing platform. Further developments in mobile networks and digitally-interfaced consumer appliances all point to smart cards playing the role of the ultimate personal computing and communications devices. In the networked economy where smart cards provide a smart infrastructure, physical products become smart products. Opportunities largely depend on the developments in applications and a standardized user interface that allow users to interact with smart products over a network.

22.1 Smart Products

Smart products, like smart cards, are made smart by marrying physical products with computing power. However, the nature of smart products is changing from a product with a lot of computing power embedded within the product itself to a product with a smart interface. For example, a smart highway is equipped with sensors that interact with smart automobiles which come with their own on-board computers and sensors. Nevertheless, this involves a significant cost to upgrade millions of miles of highways. The marriage between information superinfrastructure and physical highways seems impractical. The solution is not to equip highways and automobiles with powerful computers but to engineer them to interact with smart devices. With an accurate global positioning system,

sensors need not be embedded in highways. The location of a vehicle can be determined by interfacing an automobile's computer with a satellite. Much of the automobile's computing is done through smart cards and remotely connected servers. Similarly, consumer appliances can be equipped with smart card readers instead of installing product-specific computers. For example, cellular phones interact with smart cards to access personal information instead of storing it in each [email protected] 42

Smart cards in wireless phone. In essence, smart network computers and smart products can be less powerful and more standardized when interfaced with smart cards.

22.2 Portfolio Products

The future of production and consumption is based on customization which often involves unbundling and re-bundling different products, changing contents and pricing individually. Unlike the economy where mass produced goods help reduce production costs, the economy of customization is concerned with increasing choices for consumers. Managing such an economy is challenging as the number of products explodes and transactions become extremely complex. A smart card-enabled system offers a versatile management tool in such an economy. For example, smart credit cards issued by American Express can be loaded up with airline tickets and hotel reservations. A travel plan may also include rental cars, admissions to concerts and amusement parks, long distance phone bills, food and drinks. Arrangements may change in real time necessitating coordination and adjustments among different vendors. Such an integrated product or service has to be managed by computers and requires spontaneous interactions with all parties involved. Instead of carrying a personal computer to do the job, all transactions within such an integrated (portfolio) service plan can be managed through a single smart card by inserting it into a public or mobile phone or a network terminal at business locations.

23. The Relation of Smart Cards with PKI

As we already know smart cards are secure place to hold sensitive data, such as money and identity. And if the identity is the subject we should talk about PKI, Public Key Infrastructure, and smart cards. Think that, you are working in a company with many branch offices and many facilities. In such large companies often employers have access permissions to different physical places. Also you access the servers inside the company for various purposes like sending mail, uploading the web pages and accessing the databases of the company. Just think, one password for each server and one key for each door and some money in your wallet to buy food or drink from the local restaurant. Actually you could just use a smart card. If you use a microprocessor card and a the cards operating software or Java cardlets permit, you could use only one card for all these. For this scenario to work, the company must establish a local CA, Certificate [email protected] 43

Smart cards in wireless Authority. Below there is a diagram showing the structure of a PKI simply, as described in RFC 2459.
+---+ | C | +------------+ | e | <-------------------->| End entity | | r | Operational +------------+ | t | transactions ^ | | and management | Management | / | transactions | transactions | | | PKI users | C | v | R | -------------------+--+-----------+---------------| L | ^ ^ | | | | PKI management | | v | entities | R | +------+ | | e | <---------------------| RA | <---+ | | p | Publish certificate +------+ | | | o | | | | s | | | | I | v v | t | +------------+ | o | <------------------------------| CA | | r | Publish certificate +------------+ | y | Publish CRL ^ | | | +---+ Management | transactions | v +------+ | CA | +------+

end entity: user of PKI certificates and/or end user system that is the subject of a certificate; RA: registration authority, i.e., an optional system to which a CA delegates certain management functions; (in some implementations, where you register your self to the system) CA: certification authority; (Your public key, can be issue when you register yourself or can be self-issued, is signed and your certificate is issued to you at CA) repository: a system or collection of distributed systems that store certificates and CRLs, Certificate Revocation Lists, and serves as a means of distributing these certificates and CRLs to end entities.

In fact, this is just a simplified view of the entities PKI. The employer or the end entity just applies to the CA or RA to get a certificate A certificate is just a public [email protected] 44

Smart cards in wireless key digitally signed with the issuer's, CA, private key. By signed with the CA's private key, all which trust the CA, can also trust the end entity. Your digital ID is ready. Just write your digital ID and private key to your smart card. Or a better way, new smart cards are deployed with embedded functions that generate public and private keys inside the card which means your private key is not exported to anywhere. New deployed cards are capable of PKI functions which you do not need to export the private key to the application you use. For example when you want to send a signed mail, your mail applications first generates a hash of the document you just wrote and starts the communication with the card. Your application sends the hash value to the card which is than signed with your private key inside the card. By this way your private key is never exported to the public, your computer. Also, while accessing your remote shell account you could use ssh, secure shell, client. In man page of OpenSSH, an authentication method for ssh protocol 2 is described. Main purpose of the method is true identification of the person trying to access the account and secure connection between the host, if the user is accepted. Theoretically, only you can know your private key. Although your private key is only readable by yourself, this could be a security risk. But if your private key is inside a smart card, this is an increased security. Of course, a smart card can get lost. But at this point another security subject is on the line, your PIN. Generally speaking, smart card's security comes from two things, one you know and one you own. SSH is not the only application that smart cards can be used. Other applications like, money transactions on the net, identification of yourself to the website you connect can be done with smart cards. The system is more or less the same. Your identification is checked via your private key and secure session is started with your keys. Than application specific part comes which is designed and deployed by the service provider of the application. Some money transactions are just done inside the smart card but some applications just ask the card for your banking account number. There could be more methods. Electronic locks that can communicate with a smart card can be found on the market. PKI can support, in addition to the mutual authentication between the card and the reader, access accounting in the building. Just mutual authentication can be used or the lock ask to a local server that keeps the user data and checks if the user is permitted to go behind the door. And whether the permission is granted or not the server keeps the tracks of the access trials.

[email protected] 45

Smart cards in wireless With integration of smart cards into PKI world, many more applications could be built. These application are mostly security specific or to ease the life of the customers.

24. Further Information

In this section there are places to visit for more in-depth information.

24.1. News groups

Some news groups are:

alt.technology.smartcards sci.crypt.research sci.crypt.random-numbers

24.2. Mailing Lists

From the MUSCLE Project, <[email protected]>, Smart Card Developers mailing list. The subject of the list is smart card development under Unix and Mac OS. Just send <[email protected]> with subscribe linux in the body of your mail. Also you can reach the archives at The Mail Archive. See linuxnet.com mailing list page for more information.

24.3. Web Sites

There are a huge number of informative web sites available. They could change and get outdated. A good starting point is Movement for the Use of Smart Cards in a Linux Environment home page, an information central for documentation, project pages and much more. Also, USENIX Workshop on Smartcard Technology can take your interest. [email protected] 46

Smart cards in wireless Please let me know if you have any other leads that can be of interest.

25. TODO
As all HOWTOs should be, this document will retain in "Under Development" phase as long as smart card technology is not obsolete.

The part about the physical characteristics of smart cards should be reorganized. In the "Programming" section there must be more information about the standards of programming smart cards. A new section of examples must be added. Scenario section (e.g. Building a Corporate PKI) should be added with indepth information. (I will add some time in a few weeks :)) There could be a section about the tamper resistance of smart cards. How tamper resistance is supplied and how secure is smart cards against new high-tech gamers. (I have found some references and information but they must be organized before adding.)

Wow, it seems like I have many things to add :))

26 Summary
By the year 2000, an estimated 2.8 billion smart cards will be issued annually in the world. But 70% of these cards will be in use in Western Europe and Asia while North America will account for only about 12% of the business. Nevertheless, even in North America, the prospect for processor cards is not as gloomy as phone cards. If the current trend will persist, there will be over 100 million processor cards in use in North America. These smart cards allow merchants to integrate products, payment and customer service and customize pricing and marketing efforts based on real user behaviors in real time. Smart cards as a secure payment system has garnered the keenest attention in the marketplace. However, smart cards are an indispensable commercial infrastructure in a networked marketplace which combine the functions of purses, credit cards, ID cards, tickets, coupons and tokens with data for personalized settings. The electronic persona in the digital world will be indeed in the form of a smart card and no enterprise solutions should ignore its potential impacts on business.

[email protected] 47

Smart cards in wireless

Bibliography
1. Books
Smart Card handbook by Wolfgang Rankl Smart Cards : A guide to building and managing Smart Card applications by J. Thomas Monk Java Card technology for Smart Cards : Architecture and Programmers by Zhiqun Chen

2. Websites
www.iec.org www.bitpipe.com www.MoTechno.com www.iosoftware.com www.cryptocard.com www.Globalcard2000.com www.digitcrypto.com www.dta.co.uk

[email protected] 48