Smart cards. Part 1. Principles of work
We all use different types of smart cards in everyday life. The most prominent examples of smart cards are: SIM cards, credit cards, electronic documents, etc.
In fact, a smart card is an optimized cryptographic microcontroller with an increased level of security. What does this mean? Unlike a standard microcontroller, the memory access of a smart card is strictly controlled by the processor. Thus, reading data from a card, their writing on it is governed by the software of the card itself. Moreover, chip manufacturers are taking measures to prevent unauthorized access (copying all memory, reprogramming) to the card at the electronic and physical levels.
A smart card is used in cases where it is necessary to certify the authenticity of its holder. An example of this is the SIM card. Its main role is to prove to the operator that the phone that connects to the network belongs to a specific subscriber. After such verification, the operator will be able to direct the communication from the number and to the subscriber's number to that particular telephone, as well as register the subscriber’s payment balance.
From a technical point of view, the card has the following functions:
Cards do not work autonomously, but only in conjunction with the so-called terminal (telephone, ATM, other wired or wireless electronic reader). The reader provides the card with electricity and sends commands. The card never initiates communication, but always necessarily responds to any commands sent to it by the terminal. If there is no answer, the card will be considered “MUTED”, i.e. not working. In such a situation, the terminal either does not react to the error in any way, or tries to restore communication with the card after the RESET.
')
At the logical level, communication between the terminal and the card takes place in the APDU format described by the ISO7816-4 standard. As for the physical level, the above mentioned communication is not governed by any particular standard, but by their multitude. For example, there are standards for contact (ISO7816-3 T = 0 and T = 1, USB, etc.) and contactless (ISO14443, NFC / SWP) communication.
I would like to describe in more detail the communication terminal with the card. It happens as follows:
It is worth mentioning that more than one program can be installed on the card. In addition, the terminal has the ability to communicate in parallel with one or more programs using so-called logical channels. The number of supported logical channels depends on the specific card. The ISO7816-4 standard allows the card to support no more than 20 channels. However, in practice most cards only support 4 channels.
Some smart cards go into production with already installed on them and not subject to change, addition, or removal of one or more programs designed to perform specific functions (SIM and USIM, EMV, etc.). Such cards, called Native, are attractive due to their low price (for bulk purchases) and the relative simplicity of the code used to program them, which reduces the likelihood of problems with card security. However, the most interesting, in my opinion, cards are cards based on JavaCard and Global Platform, in which the OS card is a platform on which you can install various applications. Applications written for JavaCard using standard APIs can be downloaded to all cards that support a compatible version of the platform, regardless of the manufacturer of the card. As for the Global Platform, this is a set of specifications governing the safe administration of the card, including the installation, blocking or removal of certain applications, and the life cycle management of the card.
A small note about the administration of the card. The card user, as a rule, is not the owner and administrator of the card. For example, the SIM-card administrator is a mobile operator, not a subscriber. Only the operator has the right to install or remove applications to / from the card. However, it is also possible to purchase “blank” cards for self-developed applications.
Thus, in this part of my article, I touched on the basis of the work of a smart card, both on the external and internal levels, and also gave a brief definition of the concept of a smart card. I would like to devote the following parts of the article:
Smart Card, Wikipedia
ISO7816-4
Part 2. APDU
Part 3. TLV
In fact, a smart card is an optimized cryptographic microcontroller with an increased level of security. What does this mean? Unlike a standard microcontroller, the memory access of a smart card is strictly controlled by the processor. Thus, reading data from a card, their writing on it is governed by the software of the card itself. Moreover, chip manufacturers are taking measures to prevent unauthorized access (copying all memory, reprogramming) to the card at the electronic and physical levels.
Smart card application
A smart card is used in cases where it is necessary to certify the authenticity of its holder. An example of this is the SIM card. Its main role is to prove to the operator that the phone that connects to the network belongs to a specific subscriber. After such verification, the operator will be able to direct the communication from the number and to the subscriber's number to that particular telephone, as well as register the subscriber’s payment balance.
From a technical point of view, the card has the following functions:
- Saving the identity of the card holder (most often ID numbers, not the contact details of the holder).
- Saving and checking PIN codes for two-factor authentication.
- Generation and preservation of cryptographic keys and certificates. Typically, these keys are used exclusively for the performance of other functions within the card and are not readable.
- Digital signature generation.
- Challenge-Answer authentication.
- Other specific functions inherent in a particular type of card.
Smart card operation
Cards do not work autonomously, but only in conjunction with the so-called terminal (telephone, ATM, other wired or wireless electronic reader). The reader provides the card with electricity and sends commands. The card never initiates communication, but always necessarily responds to any commands sent to it by the terminal. If there is no answer, the card will be considered “MUTED”, i.e. not working. In such a situation, the terminal either does not react to the error in any way, or tries to restore communication with the card after the RESET.
')
At the logical level, communication between the terminal and the card takes place in the APDU format described by the ISO7816-4 standard. As for the physical level, the above mentioned communication is not governed by any particular standard, but by their multitude. For example, there are standards for contact (ISO7816-3 T = 0 and T = 1, USB, etc.) and contactless (ISO14443, NFC / SWP) communication.
I would like to describe in more detail the communication terminal with the card. It happens as follows:
- Initialization of the physical channel (Cold reset, ATR, etc.)
- Select the desired program using the SELECT command. This step is optional. If it is not executed, then communication will be carried out with the program selected by default when the channel is initialized.
- Further communication for specific tasks
It is worth mentioning that more than one program can be installed on the card. In addition, the terminal has the ability to communicate in parallel with one or more programs using so-called logical channels. The number of supported logical channels depends on the specific card. The ISO7816-4 standard allows the card to support no more than 20 channels. However, in practice most cards only support 4 channels.
Native and Javacard Cards
Some smart cards go into production with already installed on them and not subject to change, addition, or removal of one or more programs designed to perform specific functions (SIM and USIM, EMV, etc.). Such cards, called Native, are attractive due to their low price (for bulk purchases) and the relative simplicity of the code used to program them, which reduces the likelihood of problems with card security. However, the most interesting, in my opinion, cards are cards based on JavaCard and Global Platform, in which the OS card is a platform on which you can install various applications. Applications written for JavaCard using standard APIs can be downloaded to all cards that support a compatible version of the platform, regardless of the manufacturer of the card. As for the Global Platform, this is a set of specifications governing the safe administration of the card, including the installation, blocking or removal of certain applications, and the life cycle management of the card.
A small note about the administration of the card. The card user, as a rule, is not the owner and administrator of the card. For example, the SIM-card administrator is a mobile operator, not a subscriber. Only the operator has the right to install or remove applications to / from the card. However, it is also possible to purchase “blank” cards for self-developed applications.
Thus, in this part of my article, I touched on the basis of the work of a smart card, both on the external and internal levels, and also gave a brief definition of the concept of a smart card. I would like to devote the following parts of the article:
- a brief description of the format of the APDU ISO7816-4
- BER-TLV format description
- javacard concept and entity
- different aspects of the global platform
Resources
Smart Card, Wikipedia
ISO7816-4
The rest of the article
Part 2. APDU
Part 3. TLV
Source: https://habr.com/ru/post/367229/
All Articles