Currently, most payment cards still use a magnetic stripe to store consumer-related information. In the future, however, it is expected that extensive use will be made of integrated circuit (IC) cards for consumer payment systems, such as debit cards, credit cards and electronic purse systems. This annex provides a description of IC cards, the production and personalisation process and their security features.
IC cards can be categorised as smart cards or memory cards. A smart card has data-processing and storage functionality, whereas a memory card is used only for data-storage purposes. The first operational IC card systems for consumers (telephone cards in France) made use of memory cards. Currently, most systems use smart cards because of the data-processing functionality needed for computing, particularly cryptographic, purposes. Smart cards can be either of the contact type, which must be inserted into a reader when used, or of the contactless type, which must contain its own power source and operates remotely from the reader/writer. This annex focuses on the contact smart card, the device used in many electronic purse or stored-value card projects.
A typical smart card is a plastic card in which an IC chip is embedded and on which eight contacts are placed. The physical and electronic specifications generally follow ISO and IEC standards (see Annex 6). A typical smart card chip consists of the following components:
CPU (Central Processing Unit), which performs computation;
ROM (Read-Only Memory), which stores the operating system and applications;
EEPROM (Electronically Erasable and Programmable ROM), which stores the variable data such as the balance of the purse, cardholder data, etc.;
RAM (Random Access Memory), which is used as the work area when the chip is processing;
and I/O (Input/Output), which takes place through designated contact fields.
The price of a smart card depends on its data-storage and processing functionality. Smart cards with limited memory (8 Kbytes) and built-in symmetric encryption processors are currently available at a relatively low price (approximately US$ 5 if produced in large quantities). Smart cards that can also perform asymmetric cryptography have, in the past, been considered much more expensive and technically less reliable. In the course of 1996, a new generation of more reliable IC chips that contain a coprocessor to compute asymmetric cryptography is expected to become available at reasonable prices.
The development and the production of IC cards is a very complex process, consisting of roughly the following phases: design, manufacturing and initialisation of the chip module; embedding of the chip module in the card; and personalisation. Many controls and measures are implemented to ensure that no single entity or person can obtain complete knowledge of the design of the chip, the cryptographic initialisation keys, or the initialisation or personalisation data. Separation of duties on a need-to-know basis is common during these early phases of the IC chip life cycle. This can be achieved through cryptographic separation, physical separation, in which two or three employees are needed to produce or transport certain keys, or administrative measures, including internal controls.
Design and manufacture of the IC chip
The chips that are being used in smart cards are produced mainly by a few large manufacturers. The technical characteristics of chips from these manufacturers determine the constraints within which electronic money suppliers and others must design the functionality of their IC chips. It should be noted that the manufacturers do not provide their technical design to potential customers; rather, they provide only the set of commands that the chip operating system can execute.
Organisations can choose between designing their own proprietary application code in close collaboration with the manufacturer and buying a standardised application that has already been designed by the manufacturer. The application code must be extensively tested before being converted into a "mask", which is the hardware specification that defines the physical and functional properties of the IC chip.
The production of chips takes place in several steps. Chips are first produced on a silicon wafer; then the wafer is sawn into smaller parts. The chips are mounted on separate modules, encapsulated with coatings and then tested, after which the test pins that are used during this phase are physically disabled.
As a final step in the production process, the chip module is initialised. The EEPROM is programmed to contain the directory and file structure. In addition, the most important cryptographic keys are loaded during this phase in order to provide control over the subsequent phases.
Embedding the chip module in the card
The process by which the chip module is mounted on the plastic carrier is called embedding. The company that performs the embedding function does not have access to the secret cryptographic keys with which the chip is protected, and therefore cannot tamper with the contents of the chip.
Personalisation
During the personalisation phase, the application on the chip is uniquely identified and the chip is loaded with all necessary personal and non-personal data and secret cryptographic keys. This process is divided into several steps and can also be designed to be performed by separate companies. The issuing company is present during all steps in this process, to control and supply the necessary keys.
The personalisation of the smart card takes place in such a way that the personalisation company cannot read the user data. The user data are encrypted by a key that has been loaded by the card-issuing organisation during the initialisation phase. This encrypted information is then decrypted by the card itself using the same secret key and stored in the appropriate records and files on the card.
The countermeasures that can be taken to protect IC cards relate to different threats and vulnerabilities, such as analysing their design optically or electronically, manufacturing a fraudulent IC card, or changing the content of the IC chip (for example by increasing the balance).
Measures to prevent optical and physical analysis
Code in ROM is invisible. In the past, the ROM code was implanted on a chip with transistors that could be easily read optically. With advanced technology, the code is now usually implanted using the density of impurities in the transistors, and is protected by special coatings in order to prevent optical analysis.
Layout of chip is scattered. In earlier designs, the components of an IC chip such as the CPU, ROM, EEPROM, RAM and I/O were clearly separated on a chip, which made it easier to isolate each component from the others and analyse them separately. It is difficult to do so with an advanced IC chip, because the important components are scattered across different areas of the chip.
Double metal layer of wiring. Chip wiring laid out in a single layer may be relatively straightforward to analyse. With current advanced technology, however, the wiring is distributed between two layers, which makes analysis more difficult. The inclusion of "dummy" wiring in some chips is also intended to deliberately mislead potential attackers.
Measures to prevent electrical analysis
Low-frequency detector. Electrical analysis of IC chips is done by measuring the voltage and current of the wiring when the chip is working at very low frequency. With the current technology the chip is designed in such a way that it will not operate at low frequencies.
Scattered ROM/EEPROM data. The data stored in the ROM and EEPROM in a chip are stored in different physical locations on the chip, so that an attacker who reads the contents of ROM and EEPROM faces the task of determining which bits belong together.
Disabled test pins. The test pins of the chip, through which the chip is tested during the manufacturing process, are physically disabled so that they cannot be used to gain access to the inside of the chip. This is also referred to as "blowing the fuses".
Use of sensitive wiring. The wiring of a chip is designed to operate at a certain voltage. If an attacker used a voltage above the prescribed levels to analyse the contents of the chip, the wiring would burn and the information on the chip could not be recovered.
Measures to prevent the manufacture of fraudulent IC chips
Small-scale technology. The utilisation of small-scale chip technology requires an investment of hundreds of millions of dollars in specialised equipment and extremely specialised expertise in order to manufacture an IC chip.
Proprietary operating systems. All chip operating systems are proprietary. Chip manufacturers generally provide a limited set of commands that the operating system will accept. They do not provide the source code.
Custom-made masks. Chip manufacturers and card issuers work closely together to establish the source code that will perform the specific application on the chip. This code is integrated into the mask, which is used to physically produce the chips. The code is known only to the manufacturer and developers.
Layout and keys during initialisation. The further layout of the data and the master cryptographic keys are established and loaded during the initialisation phase and are known only to the card issuer or other owner of the application on the chip.
Encrypted personalisation. Personalisation takes place by encrypting the user data under a cryptographic personalisation key that is known only to the owner of the application. This key is installed in the chip during initialisation.
Administrative and procedural controls. Administrative and procedural controls help ensure that no one person will be able to obtain all the information needed to fraudulently create a card.
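The personalisation flow described under "Personalisation" and "Encrypted personalisation" above can be sketched as follows. This is an added example, not part of the original annex: the names are hypothetical, HMAC-SHA256 in counter mode stands in for the card's symmetric cipher, and the integrity tag is an assumption of the sketch rather than something the annex specifies.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode. A real card
    # would use its built-in symmetric encryption processor instead.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def issuer_encrypt(perso_key, user_data):
    """Issuer side: build the opaque blob handed to the personalisation company."""
    nonce = os.urandom(12)
    ct = _xor(user_data, _keystream(perso_key, nonce, len(user_data)))
    tag = hmac.new(perso_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

class Card:
    def __init__(self, perso_key):
        # Loaded by the card issuer during initialisation; never leaves the chip.
        self._perso_key = perso_key
        self.records = {}

    def personalise(self, record_id, blob):
        """Card side: check the tag, decrypt with the same secret key, store the record."""
        if len(blob) < 12 + 32:
            return False
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expect = hmac.new(self._perso_key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return False  # altered in transit, or built under a different key
        self.records[record_id] = _xor(ct, _keystream(self._perso_key, nonce, len(ct)))
        return True

def demo():
    key = os.urandom(32)                       # constructed issuer key
    card = Card(key)                           # initialisation phase
    data = b"NAME=TEST CARDHOLDER;LIMIT=100"   # constructed user data
    blob = issuer_encrypt(key, data)           # all the personaliser ever handles
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    return (data in blob, card.personalise(1, blob),
            card.records.get(1) == data, Card(key).personalise(1, tampered))
```

`demo()` returns whether the plaintext is visible in the blob, whether the card accepted it, whether the stored record matches, and whether a modified blob was accepted.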
Measures to prevent alteration of the contents of an IC chip
Electrical protection of EEPROM. A special protection layer protects the contents of the EEPROM from UV (ultraviolet) rays, X-rays and electromagnetic modification.
Commands for changing the contents of EEPROM. Changing the contents of the EEPROM requires several consecutive commands. The contents of the EEPROM cannot be altered unless the attacker can provide all the necessary commands in the proper order.
Control registers. For some data records stored in the EEPROM, a "hash" value (see Annex 7) is calculated and stored on the card in a control register. Access to the data records may only be allowed if the recomputed hash value is the same as the value in the control register.
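The two logical measures above (a fixed command order for EEPROM changes and a hash held in a control register) can be modelled together. This is an added example, not part of the original annex; the command names, the record layout and the use of truncated SHA-256 as the hash are assumptions.

```python
import hashlib

class PurseFile:
    """Model of one EEPROM record guarded by a control register (hypothetical layout)."""
    SEQUENCE = ("SELECT", "VERIFY", "UPDATE", "COMMIT")  # assumed command order

    def __init__(self, balance):
        self._record = balance.to_bytes(4, "big")
        self._control = self._hash(self._record)  # control register
        self._step = 0
        self._pending = None

    @staticmethod
    def _hash(record):
        return hashlib.sha256(record).digest()[:8]

    def command(self, name, value=0):
        """Accept a command only if it is the next one in SEQUENCE."""
        if name != self.SEQUENCE[self._step]:
            # Out of order: drop any pending change and start over.
            self._step, self._pending = 0, None
            return False
        if name == "UPDATE":
            self._pending = value.to_bytes(4, "big")
        elif name == "COMMIT":
            # Record and control register are rewritten together.
            self._record = self._pending
            self._control = self._hash(self._record)
            self._pending = None
        self._step = (self._step + 1) % len(self.SEQUENCE)
        return True

    def read_balance(self):
        """Release the record only if the recomputed hash matches the register."""
        if self._hash(self._record) != self._control:
            return None
        return int.from_bytes(self._record, "big")

    def poke_eeprom(self, raw):
        """Test hook: models the memory cells being changed outside the command set."""
        self._record = raw

def demo():
    f = PurseFile(50)
    skipped = f.command("UPDATE", 9999)   # rejected: SELECT must come first
    for name in PurseFile.SEQUENCE:
        f.command(name, 75)               # full sequence in the proper order
    after_update = f.read_balance()
    f.poke_eeprom((9999).to_bytes(4, "big"))
    return skipped, after_update, f.read_balance()
```

An unkeyed hash only detects a changed record if the control register cannot be rewritten in the same operation, which is why the model updates both only inside `COMMIT`.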
To date, there have been no published reports of security breaches of smart cards, although some instances of tampering with simpler memory cards are known. Tampering with a chip would entail overcoming many physical and cryptographic barriers. This does not mean that the current security measures will continue to be sufficient in the future. As new techniques for attacking chips are developed, the current security measures may become obsolete and new ones will have to be adopted. In addition to new physical security measures, systems utilising IC cards should be designed to allow the security of the IC card to be upgraded, for example by implementing new or redundant algorithms.
Although not discussed in detail here, it should be stressed that considerable care must be taken to implement administrative and procedural security measures effectively. In view of the robustness of the technical security features of smart cards, an attack on administrative security during the manufacturing, distribution or issuing process (such as stealing ready-to-distribute cards, etc.) may constitute a greater risk.