Smart Card applications

Smart cards are well suited to storing secrets, especially monetary values or cryptographic keys. A PKI, for example, depends heavily on the security of its users' private keys. A company card can be an omnipotent tool for authenticating employees.
Cryptographic keys are used not only for authentication but also for signing information. The secure digital signature would be unimaginable without smart cards.
The citizen card is a country's equivalent of the company card. To authenticate citizens to e-Government applications without prior registration and without PIN/TAN mechanisms, the Austrian authorities use the Austrian citizen card function, which is based on a qualified certificate on a signature card.

Separation of functions vs. multifunctional card
The many applications of a smart card can be merged onto one card. For example, Maestro cards from Austrian banks can be equipped with a qualified certificate for secure digital signatures and with a citizen card function. The national insurance card (e-card) will also be usable for this.
Many people prefer such combinations because they reduce the number of different cards. But losing such a card causes greater trouble, because you have to revoke, block and reapply for every function on the card.
Other people find it useful to have different cards for different areas: the bank card for all monetary matters, the signature card for all legal and governmental transactions, and the insurance card for health care matters.

E-Government Applications
The Austrian citizen card concept is meant to allow unambiguous authentication of a citizen to e-Government applications by means of a secure digital signature, but without making it possible to link the citizen's activities.
The Finnish Electronic Identity Card (FINEID) has existed since the end of the 1990s and contains a public-key certificate. Each person receives a 9-digit electronic user ID at certificate enrollment; this ID is stored in the certificate after the person's full name.

Monetary Transactions
Since the 1970s, debit and credit card applications have been implemented on magnetic stripes. The crucial disadvantage of a magnetic stripe is that it is only a passive data store. If the PIN check at an ATM isn't done online (at the legacy system), only the data from the magnetic stripe is available. Usually the hardware security module (HSM) of the ATM encrypts data from the magnetic stripe with a symmetric algorithm and extracts the PIN from the ciphertext with another algorithm. The PIN entered at the HSM is then compared with the PIN computed from the magnetic stripe data.
Although this principle is known, the payment system operators don't publish information about their algorithms and methods. Of course, it would be a nasty surprise, and trust would decrease, if an operator still used simple DES, as 25 years ago. With the magnetic stripe data and the correct PIN of a few cards, you would be able to compute the DES cryptographic keys in a "certain" time. This would be a jackpot for criminal organisations: spying out PINs wouldn't be necessary anymore, because the PIN of a card could be computed.
For this reason, the use of smart cards for debit and credit cards has been pushed for years. In Austria the Paychip application has long existed on all Austrian bank cards, but the magnetic stripe is still in use as a backup, and this weakest link will remain until all ATMs have migrated to chip.
Europay International, Mastercard and Visa created the EMV specification for debit and credit card applications. EMV is currently being implemented in many countries. A "shift of liability" to card issuers and ATM operators puts pressure on them to migrate to EMV. In Austria, too, Paychip is being replaced by EMV.

Intersector Electronic Purses
Many electronic purse systems in Europe were implemented on the basis of the European CEN standard EN 1546. But EN 1546 is more a framework than a standard detailed down to bits and bytes. Purse-to-purse transactions, for example, are not described in EN 1546.
The elements critical for compatibility are described in CEPS (Common Electronic Purse Specification). CEPS extends EN 1546 and defines a potentially worldwide interoperable electronic purse. Some electronic purses can also be used for e-commerce, e.g. @Quick in Austria.

Digital Signature
A smart card application for creating digital signatures is described in PKCS #15, which is now ISO/IEC 7816 Part 15. Besides the public and private keys, it can hold other security-related information such as symmetric secret keys. Authentication can be done with PINs or biometric templates. Note, however, that this is only the application on the smart card (operating system): as a user you won't come into contact with it, because your software handles it.

Mobile Communication
One of the best-known uses of smart cards is subscriber identification in mobile communication networks. GSM uses so-called SIM (subscriber identity module) cards; UMTS uses USIM cards. Satellite-based mobile communication systems (Iridium, Inmarsat) also use cryptographic smart cards, and digital radio communication standards (TETRA) want to use smart cards for authentication as well.
GSM authentication of the IMSI (International Mobile Subscriber Identity) is based on a challenge-response algorithm with symmetric encryption. The random number generated by the network operator is encrypted with the card-individual key (Ki). The network operator's authentication center also knows this key and verifies the value. The temporary key for encrypting communication over the air interface is derived from the random number and Ki. Because only the subscriber is authenticated to the network, an IMSI catcher can pretend to be a base station.
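The exchange described above, with both sides' computations, as an added example that is not part of the original page. HMAC-SHA256 stands in for the operator-specific algorithms; the class names, the sample IMSI and Ki, and the `respond_mutual` variant (a network MAC that the card checks before answering, which goes beyond the GSM scheme in the text) are assumptions for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the operator's algorithms (assumption: HMAC-SHA256)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]  # response value (32 bit), temporary key (64 bit)

class Sim:
    """Card side: holds Ki and never releases it."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        # GSM case: the card receives only the random number, so it has
        # nothing with which to check who issued the challenge.
        return a3a8(self._ki, rand)

    def respond_mutual(self, rand: bytes, net_mac: bytes):
        # Hypothetical mutual variant: answer only if the sender proves
        # knowledge of Ki with a MAC over the random number.
        expected = hmac.new(self._ki, b"net" + rand, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(net_mac, expected):
            return None
        return a3a8(self._ki, rand)

class AuthCenter:
    """Network side: knows Ki for every IMSI."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = subscribers

    def challenge(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3a8(self._ki[imsi], rand)
        return rand, sres, kc  # only rand is sent to the card

    def network_mac(self, imsi: str, rand: bytes) -> bytes:
        return hmac.new(self._ki[imsi], b"net" + rand, hashlib.sha256).digest()[:8]

def authenticate(auc: AuthCenter, sim: Sim) -> tuple[bool, bool]:
    """One exchange: (subscriber accepted, both sides derived the same key)."""
    rand, expected, kc_net = auc.challenge(sim.imsi)
    sres, kc_sim = sim.respond(rand)
    return hmac.compare_digest(sres, expected), kc_net == kc_sim

# Constructed sample subscriber, not real values.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
SIM = Sim("001010000000001", KI)
AUC = AuthCenter({SIM.imsi: KI})
```

In the one-sided scheme `respond` returns a value for any challenge, whereas `respond_mutual` returns `None` unless the challenge carries a MAC computed with Ki.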
A PKCS #15 application on a SIM card is called a WIM.