Smart Cards & RFID

Name: Yousef YahyaFoad ajjawi

Dr. Lo’ai Tawalbeh

What is the Smart Card?• A smart card is a card that is embedded with either a

microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation.

• Smart Cards example For RFID ISO-Standards

How Does It Work?

• Smart Card inserted into Card Acceptor Device (CAD), card reader

• Communicated with CAD through half duplex serial lines with a data rate of up to 9600 bits per second

• Commands follow standard ISO 7816 specifications

• Smart Card can get information from host computer, provide identification, do encryptions/decryption , etc.

Where Are They Used?• All over the place, more so outside the US• Medical applications: In Germany 80 million

people can use smart cards when they go to the doctor

• Voting: In Sweden you can vote with your smart card

• Entertainment: Most DSS dishes in the U.S. have smart cards

• Telecommunications: Many cellular phones come with smart cards

Smart Card Readers Computer based readers

Connect through USB or COM (Serial) ports

• Dedicated terminalsUsually with a small screen, keypad, printer, often alsohave biometric devices such as thumb print scanner.

Terminal/PC Card Interaction

• The terminal/PC sends commands to the card (through the serial line).

• The card executes the command and sends back the reply.

• The terminal/PC cannot directly access memory of the card – data in the card is protected from unauthorized

access. This is what makes the card smart.

Fields of Smart Card Usage (1)• Health Applications For example in Germany health insurance companies will

issue an electronic health card cards for the health professionals

• electronic passport (ePass, ICAO-specifications) No need to say that BSI is active in this field…

• eGovernment / eCard Goal: to fit as many applications as possible onto one card

in order to avoid multiple cards for every citizen BSI is very active to promote this concept in Germany Social insurance also related to this

Fields of Smart Card Usage (2)• Digital Signatures As you know CC evaluation is required here

by law in Germany and other countries• Digital Tachographs Smart cards will be used in trucks in Europe

instead of paper disks in order to store driving times and similar data

• Access Control in companies and organizations

• Public Transport

Some developers• Hardware-Vendors: ATMEL, Philips, Renesas

(former Hitachi), Infineon (former Siemens), Samsung, ST microelectronics

• Smart-Card-Vendors: Oberthur, Gemplus, AXALTO (former Schlumberger), IBM, Sony, ORGA Card Systems, T-Systems (Telesec), ASK, Gieseke & Devrient, Austria Card, Siemens

• Other software/application issuers are mainly related to the banking/payment field: Soc. T.Europienne de Monnaie Electronique (a French electronic purse society), Mondex, other banks and credit card companies

Physical Structure & Life Cycle• Physical structure specified by ISO Standard 7810, 7816

• Printed circuit provides five connection points for power and data

• Capability of Smart Card defined by IC chip– Microprocessor– ROM– RAM– EEPROM

Life Cycle

• OS and security keys inside each smart card which have different visibility rules

• Hence life cycle as card passes from manufacturer to application provider to user

Massachusetts Bay Transit Authority (MBTA).

• The MBTA aims to provide a safe, available, and inexpensive service to its customers while respecting its customers' basic rights to privacy.

• Currently, the MBTA is pursuing a plan of automated fare collection that will entail the use of RFID smartcards.

Smart Cards vs. RFID

• Contactless Smart CardsIdentify peopleStore information• RFIDIdentify or track objects

RFID Privacy and Smartcard PrivacyRFID = Radio Frequency Identification

• Transponder (RFID-Tag, RFID-Label)• Antenna

• Integration in Information Systems (i.e. Server, Services, Back Office …Example: inventory control system)

RFID and IdentityRFID has 3 identity types–ID linked to Person:• direct identification: personal data on chip (biometrics)• personal data in database (employee badge)

–ID linked to Service:• In combination with person ID (banking, season cards)• Anonymous (one time public transportation paper tickets)

–ID linked to Object / Product:• product information in database (retail products, library books)• direct identification (car keys)

Combining Object/Product ID with Individual is additional step, covered by existing privacy principles

Privacy-enhancing solutions for RFID (PETs)

System-solutions• Encryption• Tag/Reader Authentication• Range reduction• Antenna size/design

Consumer-in-Control Solutions• “Kill-switch”• Removable tags• Blocker tags• Shielding• User interface (NFC-device)

• Security Evaluation

• Users (e.g. Banks) want high security assurance

• for smart cards.

• Standard security evaluation procedure:

• – Common Criteria evaluation: EAL 4 or EAL 5

• – Evaluation is very expensive

Determining Privacy Risk

When Privacy Risk is:• –High: use smart cards + PETs• –Medium: use smart cards, smart tag + PETs• –Low: use smart tag (PETs optional)

Ways of protecting privacy• “Privacy by Design” (technological)– examples: encryption, kill command, read range–main actors: technology providers, standardization bodies– influencing factors: cost, usability– public policy: R&D-funding, Launching customer

• “Privacy by Design” (organizational)– examples: system design, business model–main actors: system integrators, end-users (business)– influencing factors: business opportunities, customer trust– public policy: privacy principles, guidelines, best-practices

• Rule-based protection– examples: self-regulation, law–main actors: government, business, stakeholders– influencing factors: administrative burdens (cost), market development– public policy: compliance verification (“Trust but Verify”)

Contactless Smart Cards and PrivacyData security–Personal data (may be) stored in chip’s memory–Password protection–Mutual authentication chip and reader–Advanced encryption (3DES, AES, PKI)–Extremely short operating range: < 10 cm–Advanced system design and sensor technology to prevent tempering

Multi-application smart cards–Several applications on a single card–Exclusivity Clear separation of applications and data (as if different

cards were used)

Back office and system design– Full application of current privacy and data protection laws

Contactless Card

RFID/EPC tags and privacyICC Principles of Fair RFID/EPC use–RFID-use should be legal, honest, decent

• No personal data stored in RFID-tag–Consumer information and choice

• Labeling• How to remove / disable tags

–Privacy statement including RFID/EPC use• What data is collected via RFID• Purposes of collection/use• Data disclosures (if any)

–Data security– Individual’s right of access to data in RFID-enabled IT-

system

Recommendations• Do not legislate RFID-technology, but only its

applications and use–Address privacy risks of the entire system–Current OECD Privacy Principles already apply to

system design, applications and data collection and –management

• Use Privacy-Enhancing Technologies only where relevant

–Stimulate R&D, standardization and use/acceptance of PETs

RFID is the enabling technology !

Sample Applications of RFID Systems• Logistics Chains • Enterprise Resource Planning Systems• Inventory Control

Some Benefits• reducing the sources of errors(for instance

reduction of inventory inaccuracies)• minimizing out of stocks• reduction of labor costs• simplification of business processes

RFID -Areas of ApplicationsFrom a cross-industry viewpoint, the following areas of

applications can be distinguished:• identification of objects• document authentication• maintenance and repair, recall campaigns• theft-protection and stop-loss strategies• access authorization and routing control• environmental monitoring and sensor technology• supply chain management: automation, process

control and optimization

Also: Convenience Tools, Magic, New Learning Tools, New Dimension of Gaming

RFID –Basic Services• Identification Example: Which bag is it?• Localization (to a certain extent) Example: Where is the bag? => Hint: Location of

the reader (active RFIDs: GPS receiver)• Capturing State Example: monitor the temperature of perishable

goods• Mapping into Information Systems Examples: Automatic Stocktaking, Customer

Relationship Management

RFID: Technology and Standards

(A) Active vs. Passive(B) „Smart“ vs. „Dumb“(C) Near Field vs. Far Field(D) Closed Systems vs. Open Systems

Passive• no internal power supply• antenna induces minute electrical current• durable• Need an external antenna which is 80 times

bigger than the chip in the best version thus far • Typical: tags embedded in labels

Active• Own internal power source• Transmit at higher power levels than passive tags

(Re-)writable• (Larger) memory (for example 1 MB)• Communication ranges of 100 meters or more• Example: Monitoring the security of ocean

containers or trailers stored in a yard or terminal

„Smart“ vs. „Dumb“Smart: Microprocessor and Smart Card OS (up to

Dual-Interface-Cards with Crypto Co-Processor)

vs. Dumb:Always the same ID number or State Machine

Closed Systems vs. Open SystemsClosed Systems:• One application case• Optimized and reduced functionality• No need for interoperability and compatibility• Example: proprietary RFID enhanced library Open Systems:• Each antenna can read each tag• Internet of Things/Objects• Simple Components and Protocols• Interoperability and Compatibility important• Example: Electronic Product Code (EPCglobal)

RFID: Some Properties • Radio: no intervisibility, often contactless=> no choice to prevent reading event, no consent• Fix Address (EPC: unique worldwide)=> Recogmition and intersection attack• Embedded pot. Invisible => no choice to decline• RFIDs are resource weak (in general)=> well known and standard PETsnot applicable