- Количество слайдов: 32
Smart Cards & RFID Name: Yousef Yahya Foad ajjawi Dr. Lo’ai Tawalbeh
What is the Smart Card? • A smart card is a card that is embedded with either a microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation. • Smart Cards example For RFID ISO-Standards
How Does It Work? • Smart Card inserted into Card Acceptor Device (CAD), card reader • Communicated with CAD through half duplex serial lines with a data rate of up to 9600 bits per second • Commands follow standard ISO 7816 specifications • Smart Card can get information from host computer, provide identification, do encryptions/decryption , etc.
Where Are They Used? • All over the place, more so outside the US • Medical applications: In Germany 80 million people can use smart cards when they go to the doctor • Voting: In Sweden you can vote with your smart card • Entertainment: Most DSS dishes in the U. S. have smart cards • Telecommunications: Many cellular phones come with smart cards
Smart Card Readers ¢ • Dedicated terminals Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner. Computer based readers Connect through USB or COM (Serial) ports
Terminal/PC Card Interaction • The terminal/PC sends commands to the card (through the serial line). • The card executes the command sends back the reply. • The terminal/PC cannot directly access memory of the card – data in the card is protected from unauthorized access. This is what makes the card smart.
Fields of Smart Card Usage (1) • Health Applications Ø For example in Germany health insurance companies will issue an electronic health card Ø cards for the health professionals • electronic passport (e. Pass, ICAO-specifications) Ø No need to say that BSI is active in this field… • e. Government / e. Card Ø Goal: to fit as many applications as possible onto one card in order to avoid multiple cards for every citizen Ø BSI is very active to promote this concept in Germany Ø Social insurance also related to this
Fields of Smart Card Usage (2) • Digital Signatures Ø As you know CC evaluation is required here by law in Germany and other countries • Digital Tachographs Ø Smart cards will be used in trucks in Europe instead of paper disks in order to store driving times and similar data • Access Control in companies and organizations • Public Transport
Some developers • Hardware-Vendors: ATMEL, Philips, Renesas (former Hitachi), Infineon (former Siemens), Samsung, ST microelectronics • Smart-Card-Vendors: Oberthur, Gemplus, AXALTO (former Schlumberger), IBM, Sony, ORGA Card Systems, T-Systems (Telesec), ASK, Gieseke & Devrient, Austria Card, Siemens • Other software/application issuers are mainly related to the banking/payment field: Soc. T. Europienne de Monnaie Electronique (a French electronic purse society), Mondex, other banks and credit card companies
Physical Structure & Life Cycle • Physical structure specified by ISO Standard 7810, 7816 • Printed circuit provides five connection points for power and data • Capability of Smart Card defined by IC chip – Microprocessor – ROM – RAM – EEPROM
Life Cycle • OS and security keys inside each smart card which have different visibility rules • Hence life cycle as card passes from manufacturer to application provider to user
Massachusetts Bay Transit Authority (MBTA). • The MBTA aims to provide a safe, available, and inexpensive service to its customers while respecting its customers' basic rights to privacy. • Currently, the MBTA is pursuing a plan of automated fare collection that will entail the use of RFID smartcards.
Smart Cards vs. RFID • Contactless Smart Cards ØIdentify people ØStore information • RFID ØIdentify or track objects
RFID Privacy and Smartcard Privacy RFID = Radio Frequency Identification • Transponder (RFID-Tag, RFID-Label) • Antenna • Integration in Information Systems (i. e. Server, Services, Back Office …Example: inventory control system)
RFID and Identity RFID has 3 identity types –ID linked to Person: • direct identification: personal data on chip (biometrics) • personal data in database (employee badge) –ID linked to Service: • In combination with person ID (banking, season cards) • Anonymous (one time public transportation paper tickets) –ID linked to Object / Product: • product information in database (retail products, library books) • direct identification (car keys) Combining Object/Product ID with Individual is additional step, covered by existing privacy principles
Privacy-enhancing solutions for RFID (PETs) System-solutions • Encryption • Tag/Reader Authentication • Range reduction • Antenna size/design Consumer-in-Control Solutions • “Kill-switch” • Removable tags • Blocker tags • Shielding • User interface (NFC-device)
• Security Evaluation • Users (e. g. Banks) want high security assurance • for smart cards. • Standard security evaluation procedure: • – Common Criteria evaluation: EAL 4 or EAL 5 • – Evaluation is very expensive
Determining Privacy Risk When Privacy Risk is: • –High: use smart cards + PETs • –Medium: use smart cards, smart tag + PETs • –Low: use smart tag (PETs optional)
Ways of protecting privacy • “Privacy by Design” (technological) – examples: encryption, kill command, read range –main actors: technology providers, standardization bodies – influencing factors: cost, usability – public policy: R&D-funding, Launching customer • “Privacy by Design” (organizational) – examples: system design, business model –main actors: system integrators, end-users (business) – influencing factors: business opportunities, customer trust – public policy: privacy principles, guidelines, best-practices • Rule-based protection – examples: self-regulation, law –main actors: government, business, stakeholders – influencing factors: administrative burdens (cost), market development – public policy: compliance verification (“Trust but Verify”)
Contactless Smart Cards and Privacy Data security –Personal data (may be) stored in chip’s memory –Password protection –Mutual authentication chip and reader –Advanced encryption (3 DES, AES, PKI) –Extremely short operating range: < 10 cm –Advanced system design and sensor technology to prevent tempering Multi-application smart cards –Several applications on a single card –Exclusivity Clear separation of applications and data (as if different cards were used) Back office and system design – Full application of current privacy and data protection laws
RFID/EPC tags and privacy ICC Principles of Fair RFID/EPC use –RFID-use should be legal, honest, decent • No personal data stored in RFID-tag –Consumer information and choice • Labeling • How to remove / disable tags –Privacy statement including RFID/EPC use • What data is collected via RFID • Purposes of collection/use • Data disclosures (if any) –Data security – Individual’s right of access to data in RFID-enabled ITsystem
Recommendations • Do not legislate RFID-technology, but only its applications and use –Address privacy risks of the entire system –Current OECD Privacy Principles already apply to system design, applications and data collection and –management • Use Privacy-Enhancing Technologies only where relevant –Stimulate R&D, standardization and use/acceptance of PETs RFID is the enabling technology !
Sample Applications of RFID Systems • Logistics Chains • Enterprise Resource Planning Systems • Inventory Control Some Benefits • reducing the sources of errors(for instance reduction of inventory inaccuracies) • minimizing out of stocks • reduction of labor costs • simplification of business processes
RFID -Areas of Applications From a cross-industry viewpoint, the following areas of applications can be distinguished: • identification of objects • document authentication • maintenance and repair, recall campaigns • theft-protection and stop-loss strategies • access authorization and routing control • environmental monitoring and sensor technology • supply chain management: automation, process control and optimization Also: Convenience Tools, Magic, New Learning Tools, New Dimension of Gaming
RFID –Basic Services • Identification Example: Which bag is it? • Localization (to a certain extent) Example: Where is the bag? => Hint: Location of the reader (active RFIDs: GPS receiver) • Capturing State Example: monitor the temperature of perishable goods • Mapping into Information Systems Examples: Automatic Stocktaking, Customer Relationship Management
RFID: Technology and Standards (A) Active vs. Passive (B) „Smart“ vs. „Dumb“ (C) Near Field vs. Far Field (D) Closed Systems vs. Open Systems
Passive no internal power supply antenna induces minute electrical current durable Need an external antenna which is 80 times bigger than the chip in the best version thus far • Typical: tags embedded in labels • •
Active • Own internal power source • Transmit at higher power levels than passive tags (Re-)writable • (Larger) memory (for example 1 MB) • Communication ranges of 100 meters or more • Example: Monitoring the security of ocean containers or trailers stored in a yard or terminal
„Smart“ vs. „Dumb“ Smart: Microprocessor and Smart Card OS (up to Dual -Interface-Cards with Crypto Co-Processor) vs. Dumb: Always the same ID number or State Machine
Closed Systems vs. Open Systems Closed Systems: • • One application case Optimized and reduced functionality No need for interoperability and compatibility Example: proprietary RFID enhanced library Open Systems: • • • Each antenna can read each tag Internet of Things/Objects Simple Components and Protocols Interoperability and Compatibility important Example: Electronic Product Code (EPCglobal)
RFID: Some Properties • Radio: no intervisibility, often contactless => no choice to prevent reading event, no consent • Fix Address (EPC: unique worldwide) => Recogmition and intersection attack • Embedded pot. Invisible => no choice to decline • RFIDs are resource weak (in general) => well known and standard PETsnot applicable