Smart Cards & RFID Name: Yousef Yahya Foad ajjawi Dr. Lo’ai Tawalbeh

What is the Smart Card?
• A smart card is a card that is embedded with either a
microprocessor and a memory chip or only a memory chip
with non-programmable logic. The microprocessor card can
add, delete, and otherwise manipulate information on the
card, while a memory-chip card (for example, pre-paid phone
cards) can only undertake a pre-defined operation.
• Smart Cards example For RFID ISO-Standards
How Does It Work?
• Smart Card inserted into Card Acceptor Device
(CAD), card reader
• Communicated with CAD through half duplex
serial lines with a data rate of up to 9600 bits per
second
• Commands follow standard ISO 7816
specifications
• Smart Card can get information from host
computer, provide identification, do
encryption/decryption, etc.
Where Are They Used?
• All over the place, more so outside the US
• Medical applications: In Germany 80 million
people can use smart cards when they go to the
doctor
• Voting: In Sweden you can vote with your smart
card
• Entertainment: Most DSS dishes in the U.S. have
smart cards
• Telecommunications: Many cellular phones come
with smart cards
Smart Card Readers

• Dedicated terminals
– Usually with a small screen, keypad, printer; often also
have biometric devices such as a thumb print scanner.
• Computer based readers
– Connect through USB or COM (Serial) ports
Terminal/PC Card Interaction
• The terminal/PC sends commands to the card
(through the serial line).
• The card executes the command and sends back
the reply.
• The terminal/PC cannot directly access memory of
the card
– data in the card is protected from unauthorized
access. This is what makes the card smart.
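The command/reply model above, as an added example that is not part of the original slides: a toy card in Python that can only be reached through ISO 7816-4 style command APDUs and refuses to release its record until VERIFY succeeds. The class name, PIN, record contents and retry limit are assumptions made for illustration; the instruction bytes and status words are the standard ISO 7816-4 values.

```python
import hmac
# Added example, not from the slides; PIN, record and retry limit are constructed.
SW_OK, SW_DENIED, SW_BLOCKED, SW_BAD_INS, SW_WRONG_LEN = (
    0x9000, 0x6982, 0x6983, 0x6D00, 0x6700)

def parse_apdu(raw: bytes):
    """Split a short command APDU into (cla, ins, p1, p2, data, le)."""
    if len(raw) < 4:
        raise ValueError("header is 4 bytes: CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                        # case 1: header only
        return cla, ins, p1, p2, b"", None
    if len(body) == 1:                  # case 2: Le only (0x00 means 256)
        return cla, ins, p1, p2, b"", body[0] or 256
    lc = body[0]
    if len(body) == 1 + lc:             # case 3: Lc + data
        return cla, ins, p1, p2, body[1:], None
    if len(body) == 2 + lc:             # case 4: Lc + data + Le
        return cla, ins, p1, p2, body[1:1 + lc], body[-1] or 256
    raise ValueError("Lc does not match body length")

class ToyCard:
    def __init__(self, pin: bytes, record: bytes, max_tries: int = 3):
        self._pin, self._record = pin, record   # no accessor: APDUs only
        self._max = self._tries = max_tries
        self._verified = False
    def transmit(self, raw: bytes) -> bytes:
        """Execute one command; return response data followed by SW1 SW2."""
        try:
            _, ins, p1, p2, data, le = parse_apdu(raw)
        except ValueError:
            return SW_WRONG_LEN.to_bytes(2, "big")
        out, sw = b"", SW_BAD_INS
        if ins == 0x20:                          # VERIFY (PIN in data field)
            self._verified = False
            if self._tries == 0:
                sw = SW_BLOCKED
            elif hmac.compare_digest(data, self._pin):
                self._tries, self._verified, sw = self._max, True, SW_OK
            else:
                self._tries -= 1
                sw = 0x63C0 | self._tries        # 63Cx: x tries left
        elif ins == 0xB0:                        # READ BINARY at offset P1P2
            sw = SW_DENIED
            if self._verified:
                off = (p1 << 8) | p2
                out, sw = self._record[off:off + (le or 256)], SW_OK
        return out + sw.to_bytes(2, "big")
```

The retry counter lives on the card and is decremented before the reply is sent, so the terminal can neither read the record nor reset the counter on its own.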
Fields of Smart Card Usage (1)
• Health Applications
– For example in Germany health insurance companies will
issue an electronic health card
– cards for the health professionals
• electronic passport (ePass, ICAO-specifications)
– No need to say that BSI is active in this field…
• eGovernment / eCard
– Goal: to fit as many applications as possible onto one card
in order to avoid multiple cards for every citizen
– BSI is very active to promote this concept in Germany
– Social insurance also related to this
Fields of Smart Card Usage (2)
• Digital Signatures
– As you know CC evaluation is required here
by law in Germany and other countries
• Digital Tachographs
– Smart cards will be used in trucks in Europe
instead of paper disks in order to store driving
times and similar data
• Access Control in companies and
organizations
• Public Transport
Some developers
• Hardware-Vendors: ATMEL, Philips, Renesas
(former Hitachi), Infineon (former Siemens),
Samsung, STMicroelectronics
• Smart-Card-Vendors: Oberthur, Gemplus,
AXALTO (former Schlumberger), IBM, Sony, ORGA
Card Systems, T-Systems (Telesec), ASK, Giesecke
& Devrient, Austria Card, Siemens
• Other software/application issuers are mainly
related to the banking/payment field: Société
Européenne de Monnaie Electronique (a French
electronic purse society), Mondex, other banks
and credit card companies
Physical Structure & Life Cycle
• Physical structure specified by ISO Standard 7810, 7816
• Printed circuit provides five connection points for power
and data
• Capability of Smart Card defined by IC chip
– Microprocessor
– ROM
– RAM
– EEPROM
Life Cycle
• OS and security keys inside each smart card
which have different visibility rules
• Hence life cycle as card passes from
manufacturer to application provider to user
Massachusetts Bay Transit Authority (MBTA)
• The MBTA aims to provide a safe, available,
and inexpensive service to its customers while
respecting its customers' basic rights to
privacy.
• Currently, the MBTA is pursuing a plan of
automated fare collection that will entail the
use of RFID smartcards.
Smart Cards vs. RFID
• Contactless Smart Cards
Identify people
Store information
• RFID
Identify or track objects
RFID Privacy and Smartcard Privacy
RFID = Radio Frequency Identification
• Transponder (RFID-Tag, RFID-Label)
• Antenna
• Integration in Information Systems (i.e. Server, Services, Back Office … Example: inventory
control system)
RFID and Identity
RFID has 3 identity types
–ID linked to Person:
• direct identification: personal data on chip (biometrics)
• personal data in database (employee badge)
–ID linked to Service:
• In combination with person ID (banking, season cards)
• Anonymous (one time public transportation paper tickets)
–ID linked to Object / Product:
• product information in database (retail products, library books)
• direct identification (car keys)
Combining Object/Product ID with Individual is additional step, covered by
existing privacy principles
Privacy-enhancing solutions for RFID
(PETs)
System-solutions
• Encryption
• Tag/Reader Authentication
• Range reduction
• Antenna size/design
Consumer-in-Control Solutions
• “Kill-switch”
• Removable tags
• Blocker tags
• Shielding
• User interface (NFC-device)
Security Evaluation
• Users (e.g. Banks) want high security
assurance for smart cards.
• Standard security evaluation procedure:
– Common Criteria evaluation: EAL 4 or
EAL 5
– Evaluation is very expensive
Determining Privacy Risk
When Privacy Risk is:
• High: use smart cards + PETs
• Medium: use smart cards, smart tag + PETs
• Low: use smart tag (PETs optional)
Ways of protecting privacy
• “Privacy by Design” (technological)
– examples: encryption, kill command, read range
–main actors: technology providers, standardization bodies
– influencing factors: cost, usability
– public policy: R&D-funding, Launching customer
• “Privacy by Design” (organizational)
– examples: system design, business model
–main actors: system integrators, end-users (business)
– influencing factors: business opportunities, customer trust
– public policy: privacy principles, guidelines, best-practices
• Rule-based protection
– examples: self-regulation, law
–main actors: government, business, stakeholders
– influencing factors: administrative burdens (cost), market development
– public policy: compliance verification (“Trust but Verify”)
Contactless Smart Cards and Privacy
Data security
–Personal data (may be) stored in chip’s memory
–Password protection
–Mutual authentication chip and reader
–Advanced encryption (3DES, AES, PKI)
–Extremely short operating range: < 10 cm
–Advanced system design and sensor technology to prevent tampering
Multi-application smart cards
–Several applications on a single card
–Exclusivity: clear separation of applications and data (as if different
cards were used)
Back office and system design
– Full application of current privacy and data protection laws
Contactless Card
RFID/EPC tags and privacy
ICC Principles of Fair RFID/EPC use
–RFID-use should be legal, honest, decent
• No personal data stored in RFID-tag
–Consumer information and choice
• Labeling
• How to remove / disable tags
–Privacy statement including RFID/EPC use
• What data is collected via RFID
• Purposes of collection/use
• Data disclosures (if any)
–Data security
– Individual’s right of access to data in RFID-enabled IT system
Recommendations
• Do not legislate RFID-technology, but only its
applications and use
–Address privacy risks of the entire system
–Current OECD Privacy Principles already apply to
system design, applications and data collection
and management
• Use Privacy-Enhancing Technologies only where
relevant
–Stimulate R&D, standardization and
use/acceptance of PETs
RFID is the enabling technology!
Sample Applications of RFID Systems
• Logistics Chains
• Enterprise Resource Planning Systems
• Inventory Control
Some Benefits
• reducing the sources of errors (for instance
reduction of inventory inaccuracies)
• minimizing out of stocks
• reduction of labor costs
• simplification of business processes
RFID – Areas of Applications
From a cross-industry viewpoint, the following areas of
applications can be distinguished:
• identification of objects
• document authentication
• maintenance and repair, recall campaigns
• theft-protection and stop-loss strategies
• access authorization and routing control
• environmental monitoring and sensor technology
• supply chain management: automation, process
control and optimization
Also: Convenience Tools, Magic, New Learning Tools,
New Dimension of Gaming
RFID – Basic Services
• Identification
Example: Which bag is it?
• Localization (to a certain extent)
Example: Where is the bag? => Hint: Location of
the reader (active RFIDs: GPS receiver)
• Capturing State
Example: monitor the temperature of perishable
goods
• Mapping into Information Systems
Examples: Automatic Stocktaking, Customer
Relationship Management
RFID: Technology and Standards
(A) Active vs. Passive
(B) „Smart“ vs. „Dumb“
(C) Near Field vs. Far Field
(D) Closed Systems vs. Open Systems
Passive
• no internal power supply
• antenna induces minute electrical current
• durable
• Need an external antenna which is 80 times
bigger than the chip in the best version thus far
• Typical: tags embedded in labels
Active
• Own internal power source
• Transmit at higher power levels than passive tags
• (Re-)writable
• (Larger) memory (for example 1 MB)
• Communication ranges of 100 meters or more
• Example: Monitoring the security of ocean
containers or trailers stored in a yard or terminal
„Smart“ vs. „Dumb“
Smart:
Microprocessor and Smart Card OS (up to
Dual-Interface-Cards with Crypto CoProcessor)
vs.
Dumb:
Always the same ID number or State Machine
Closed Systems vs. Open Systems
Closed Systems:
• One application case
• Optimized and reduced functionality
• No need for interoperability and compatibility
• Example: proprietary RFID enhanced library
Open Systems:
• Each antenna can read each tag
• Internet of Things/Objects
• Simple Components and Protocols
• Interoperability and Compatibility important
• Example: Electronic Product Code (EPCglobal)
RFID: Some Properties
• Radio: no intervisibility, often contactless
=> no choice to prevent reading event, no
consent
• Fixed address (EPC: unique worldwide)
=> Recognition and intersection attack
• Embedded, potentially invisible
=> no choice to decline
• RFIDs are resource weak (in general)
=> well known and standard PETs not applicable