Smart Card Security and Applications

This extensively updated, second edition of the popular Artech House book, Smart Card Security and Applications, offers you a current overview of the ways smart cards address the computer security issues of today's distributed applications. Brand new discussions on multi-application operating systems, computer networks, and the Internet are included to keep you abreast of the very latest developments in this field.

The book provides you with technical details on the newest protection mechanisms, features a discussion on the effects of recent attacks, and gives you a clear methodology for solving your unique security problems. From user authentication in remote payments, Internet transactions, and telephony... to fraud and counterfeit in card payments... to electronic ticketing, portability, and confidentiality, this comprehensive resource describes the major applications of smart cards. It explains how smart cards are particularly relevant to Internet-based applications, and to payment in the modern world through the use of cryptography, public key infrastructures, and biometrics.

Contents
Foreword
Part 1: Background
1 Introduction
The march of the card
What is a smart card?
Systems and procedures
Market issues
Organization of this book
2 Problem Definition
Perceptions
... and reality
Calculating the risks: probabilities and odds
Technical communication obstacles
3 Specifying the Requirements
Security criteria
Safety
Nondelivery
Accuracy
Data integrity
Confidentiality
Impersonation
Repudiation
Quantifying the threat
Possible outcomes and costs
Objects threatened
Causes and modes of failure
Frequency of incidents
Risk management
Standards
Use of standards within specifications
Classes of security
Quality assurance
Documenting the specification
Initial system specification
Analysis and iteration
Component security objectives
Part 2: Technology
4 Card Technology
Visual features
Magnetic stripe
Encoding and decoding
Copying and counterfeiting
High-coercivity cards
Other magnetic card types
Enhancing security using complementary technologies
Optical
Smart cards
Origins and development
Elements of the technology
Standards
Hybrids
PCMCIA cards
Others
Barcoding
Radio frequency identification (RFID)
5 Encryption
Cryptology overview and terminology
Algorithms
Symmetric key systems
Asymmetric key systems
Keys
Secret keys
Public and private keys
Master keys and derived keys
User and equipment keys
Key-encrypting keys
Session keys
Selecting an algorithm and key length
Key management
Key generation
Key transmission
Key indexes
Certification authority
Computational requirements
Cryptography export controls
Summary
References
6 Passwords and Biometrics
Personal identification types
Passwords, tokens, and biometrics
Behavioral and physiometric
Requirements
Recognition versus verification
Performance
Procedures
Components
Passwords and PINs
Behavioral
Signature verification
Keystroke dynamics
Voice recognition
Physiometric
Finger/thumbprint
Hand geometry
Retina scan
Iris scan
Others
Biometrics and cards
7 Smart Card Types and Characteristics
Memory cards
Unprotected
Protected
Secure logic
Microprocessor cards
Development
Conventional
State change
Cryptographic
Contact and contactless
Contact cards
Contactless cards
Combi cards
Form factors
Modules
Minicards
Diskettes
Keys
Others
8 Smart-Card Components
Carrier
External security features
Chip
Microprocessor
Memory
Coprocessors
Memory management
Input-output
Chip security features
Contacts
Antenna
Mask
Reliability factors
Sample card specifications
9 System Components
Reader
Contacts
Card transport
Control electronics
Contactless-card readers
Terminal
PINpads
PC reader
EPOS or EFT-POS terminal
ATM
Vending machine
Access control
Others
Terminal protection
Network
The role of the card
Network security checks
Provision of network security
The Internet
Fallback and recovery
Hacking
Host systems
Trusted third parties
Authentication hosts
Evidence centers
Key escrow
10 Processes and Procedures
Chip design
Manufacture
Personalization
Data transmission
Fixed and derived data
Testing
Data protection
Electrostatic discharge and interference
Issue
Loading/validation
Use
Logging
Card and cardholder authentication
Error recovery
Lost, stolen, and misused cards
Issues
Detection
Block and unblock
Reissue
End of life
Expiration
Dispose or recover
Recycle
Part 3: Applications
11 Telephony and Telecommunications Applications
Prepaid telephone cards
Requirements
Standards
Issues
Reloadable and account cards
GSM telephones
Television decryption
Requirements
Weaknesses and responses
Computer networks
Computer system access
Confidentiality of data and programs
The Internet
Internet and Web access points
Data content
Internet mail
Internet purchases
12 Financial Applications
Bank cards
Functions
Attacks
Credit/debit cards
Requirements
Standards
Procedures
Electronic purses
Requirements
Types
Status
Online transactions
Transaction authorization
Secure electronic transactions
Other electronic commerce
Benefits payment
Loyalty
Other value-added services
References
13 Health
Insurance
Medical records
Alternative approaches
Issues
Operational and pilot schemes
Prescription
Patient monitoring
Reference
14 Transport
Local public transportation
Organization
Types of card
Issues for smart cards
Taxis
Trains
Air travel
Requirements
Electronic ticketing
Inflight entertainment
Road tolling
Parking
15 User Identification
Requirements
Issues
Level of security
Online and offline systems
Card issuer responsibilities
Data storage
Access control
Alternative technologies
Features
Special cases
Other applications
16 Multiapplication Cards
Functions and applications
Card operating system
Downloading
Hybrid card types
Card control
Issuer responsibilities
Consumer issues
Interchange and compatibility with existing
card systems
17 Current Trends and Issues
Market forecasts
Cards
Chips
Masks
Contact/contactless
Application downloading
Encryption
International issues
Single terminals
Standards
Market structure
18 Security Model
Aims
Reducing the reward
Increasing the effort
Criteria
Types of security
Model
Storage
Transmission
Use
Analysis
Initial situation analysis
Sources of attack
Risk analysis checklist
19 The Way Forward
Manufacturers
Semiconductors and masks
Cards
System designers and managers
Scheme operators
Beyond smart cards
Conclusions
Appendix: Standards
Glossary
Bibliography
Smart card security references
About the Author
Index