Introduction to Smart Cards
Jean-Luc Giraud
MacCrypto’01
Introduction to Smart Cards - Jean-Luc Giraud - MacCrypto 29/01/2001
Bull Patents

Outline
• What are Smart Cards?
• How do we make them?
• How do they work?
• What can you do with them?
• How can you program them?

What is a Smart Card?

A Closer Look (1)

A Closer Look (2)

Manufacturing: Cutting

Manufacturing: Gluing

Manufacturing: Bonding

Manufacturing: Encapsulation

Manufacturing: Finished Modules

Manufacturing: Module on Body
Electrical Initialisation

Manufacturing: Personalisation
Electrical and Physical Personalisation

Card Families
• Microprocessor
• Memory

Memory Cards
• Bitmap, synchronous access
  • R/W
  • R/Erase only
[Figure: bitmap contents of a memory card]

Enhanced Memory Cards
• Onboard hardwired crypto engine
• Card Authentication
• MAC on balance

Memory Card Application
• Loyalty
• Payphones

Smarter Smart Cards
• Microprocessor based
• Onboard Memory (RAM, ROM and EEPROM/Flash)
• Programmable
• Onboard processing
• Security features
  • Crypto coprocessor (PK, DES,…)
  • Physical sensors (V, freq,…)
  • Physical protections (shielding,…)

Chip Structure (0.25mm²)
FLASH / EEPROM
ROM
RAM
CPU

Smart Card Module
[Diagram labels: EEPROM / FLASH, RAM, ROM, Data Bus, Address Bus, Microprocessor, CPU; contacts Vcc, Reset, Clock, Ground, Vpp, I/O; Microcontact, Microchip, Micromodule]

Communications
• One communication channel: serial line
• “Layered” transmission protocol
  • Application: Application Protocol Data Unit
  • Transport: T=0, T=1, T=14

The Application Protocol Data Unit
• An APDU contains:
  • a command message,
  • a response message.
IFD -> ICC : command APDU
IFD <- ICC : response APDU

APDU Syntax
• APDU Command
  CLA    INS          P1 P2       Lc           Data          Le
  Class  Instruction  Parameters  Data Length  Command Data  Response Length
• APDU Response
  Data           SW
  Response Data  Status Word

Example
READ BINARY (P1, P2, Le) -> Data, SW
• P1, P2: specify the data to be retrieved
• Le: length of data to retrieve
  CLA  INS  P1  P2  Lc  Data  Le
  A0   B0   xx  xx  0         Le

Required Infrastructure
• Personalisation Center
• Issuing Center
• Reader
• Middleware (CDSA)
• Back-end System
http://www.gemplus.com/usb

Middleware (Windows platform)
Software:
  PKCS #11: Token X, Token Y, Token Z
  CAPI: CSP A, CSP B, CSP C
  PC/SC
Hardware:
  RS232, USB, PCMCIA, PCI
  Reader
  IBM card, GemSAFE

Mask your Own Code
• Pros:
  • Small code footprint
  • “Complete” control
• Cons:
  • Development in C and target assembly language
  • Use emulators
  • Mask lead time (~2 months)
  • Bug fixes

Use Proprietary Cards
• What you (usually) get:
  • File System
  • Fixed set of APDU Commands
    ✔ Read/Write files
    ✔ Cryptographic computations
• Pros:
  • Off the shelf products
  • Cheaper
• Cons:
  • Not extensible
  • Bug fixes

Use Open Cards
• Choice
  • Java
  • Microsoft
• Standard API
  • Crypto
  • GSM (SMS, proactive commands…)

Applet Life Cycle
• Write code in Java
• Compile it
• Debug it (simulator)
• Verify and Convert it (specific byte code)
• Load it
  • Personalisation center
  • Point of sale
  • Over the Internet

Why use a Smart Card?
Crypto
Theoretical    Practical

Advantages of a Smart Card
• Tamper resistance
• Storage
• Portability
• Tamper resistance
• Processing
• Ease of use
• Onboard key generation
[Blah Blah]
[@ç^#~r&€]

Main applications
• Cellular phone GSM cards
• Health cards
• Banking cards
• Public phone cards (pre-paid)

New applications
• Security of information system
• Loyalty
• Physical access control
• Identity
• Games
• Transport
• Electronic purse

Attacking Smart Cards
• Timing Attacks
• Power Analysis
  • Simple Power Analysis
  • Differential Power Analysis
• Invasive Attacks
  • Probe Stations
  • Focused Ion Beam

Standards: ISO/IEC 7816
Integrated circuit cards with contacts
• ISO/IEC 7816-1: Physical characteristics.
• ISO/IEC 7816-2: Dimension & location of contacts.
• ISO/IEC 7816-3: Electronic signals & transmission protocols.
• ISO/IEC 7816-4: Inter-industry commands.
• ISO/IEC 7816-5: Registration system for applications in IC card.
• ISO/IEC 7816-6: Inter-industry data elements.
• ISO/IEC 7816-7: Inter-industry commands for Structured Card Query Language (SCQL).
• ISO/IEC 7816-8: Security architecture and related inter-industry commands.

Resources
• On Card development:
  • Java card: http://www.javacard.org
    “Java Card Technology for Smart Cards”, Zhiqun Chen, Sun Java Series, ISBN: 0-201-70329-7
  • Windows for SC: http://www.microsoft.com/smartcard/
  • Gemplus
    ✔ Developer web site: http://www.gemplus.fr/developers/index.htm
    ✔ Developer conference: http://www.key3studios.com/gemplusworld/
      June 20, 21, Paris.
• Middleware:
  • PCSC-Lite: http://www.linuxnet.com/
  • OCF (java): http://ww.opencard.org/
  • CDSA: http://www.opengroup.org/security/l2-cdsa.htm
  • PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html
• Questions:
  • [email protected]

Conclusion
Smart
Personal
Portable
Secure
=