RFID and Threat modelling

Lesson Title:
Contactless Smart Card Standards
Copyright © 2008, 2009 by Dale R. Thompson {d.r.thompson@ieee.org}
Dale R. Thompson
Computer Science and Computer Engineering Dept.
University of Arkansas
This material is based upon work supported by the National Science Foundation under Grant No. DUE-0736741.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not
necessarily reflect the views of the National Science Foundation (NSF).
What is a Contactless Smart Card?
• Components
– Secure embedded microcontroller
– Memory
– Antenna
– Contactless radio frequency interface
• Applications
– Travel documents such as E-passports
– Identification cards such as Federal PIV
– Finance contactless payment cards such as MasterCard’s PayPass
*The Smart Card Alliance prefers to distinguish contactless smart cards that have encryption and
follow the ISO/IEC 14443 or 15693 standards as being different from RFID, which is used for
simple identification as in the supply chain. However, we will use the term RFID for both
contactless smart cards and the tags used in the supply chain.
Contactless Smart Card Standards
• International Standards Organization (ISO)/International
Electrotechnical Commission (IEC) Standards
• Federal Information Processing Standard 201 – FIPS 201
• FIPS 140
• Common Criteria
• Global System for Mobile Communication (GSM) Standards
• Europay, MasterCard, and Visa (EMV 2000)
• …
ISO/IEC 7816 (several parts)
• Application-level standards
• Contact and contactless
• Covers card and interfaces
– Physical dimensions
– Electrical interface
– Communications protocols
– Security commands
– Management commands
– Cryptographic services
– Application naming
ISO/IEC 14443
• Proximity contactless smart cards
– Designed for short read range and fast transactions
– Two modulation types (Type A and Type B)
• Defines interfaces to card
– Radio frequency interfaces
– Electrical interfaces
– Communications interfaces
– Anti-collision protocol
– Read/write
– Ability to use security features
– Support for authentication
• 13.56 MHz
• Range = 4 inches (10 centimeters)
• 106 Kbps transmission speed
• Travel documents (e-passport), access control (PIV), and finance
ISO/IEC 15693
• Vicinity contactless smart card
– Read at longer distances but slower
• Defines interfaces to card
– Physical characteristics
– Radio frequency power and signal interface
– Anti-collision and transmission protocol
– Read/write
– Ability to use security features
– Support for authentication
• 13.56 MHz
• Range = 3 feet (1 meter)
• 26.6 Kbps transmission speed
• Logistics, labeling and agriculture applications
Federal Information Processing Standard 201 – FIPS 201
• Homeland Security Presidential Directive 12 (HSPD-12) issued August 27, 2004
• FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, published on February 25, 2005 by the National Institute of Standards and Technology (NIST)
– Standard Federal contactless smart card
– Federal employees and contractors
– Physical and logical access
Smart Card Links
• Smart Card Alliance
– http://www.smartcardalliance.org/
– http://www.smartcardalliance.org/pages/smartcards-intro-standards
• U.S. General Services Administration (GSA)
Smart Card web site
– http://www.smartcard.gov
• Smart Card Basics
– http://www.smartcardbasics.com/standards.html
Contact Information
Dale R. Thompson, Ph.D., P.E.
Associate Professor
Computer Science and Computer Engineering Dept.
1 University of Arkansas
Fayetteville, Arkansas 72701-1201
Phone: +1 (479) 575-5090
FAX: +1 (479) 575-5339
E-mail: d.r.thompson@ieee.org
WWW: http://comp.uark.edu/~drt/
Copyright Notice, Acknowledgment, and Liability
Copyright Notice
– This material is Copyright © 2008, 2009 by Dale R. Thompson. It may be freely redistributed in its
entirety provided that this copyright notice is not removed. It may not be sold for profit or
incorporated in commercial documents without the written permission of the copyright holder.
– These materials were developed through a grant from the National Science Foundation at the
University of Arkansas. Any opinions, findings, and recommendations or conclusions expressed in
these materials are those of the author(s) and do not necessarily reflect those of the National
Science Foundation or the University of Arkansas.
Liability Release
– The curriculum activities and lessons have been designed to be safe and engaging learning
experiences and have been field-tested with university students. However, due to the numerous
variables that exist, the author(s) does not assume any liability for the use of this product. These
curriculum activities and lessons are provided as is without any express or implied warranty. The
user is responsible and liable for following all stated and generally accepted safety guidelines and