Smart Card Developer’s Kit

Description Smart Card Developer’s Kit is designed to provide the practical information you need to design and build applications that incorporate smart cards. Using a combination of detailed exposition, technical reference summaries, and extended examples, this book familiarizes you with the unique strengths and capabilities of this emerging computer technology. Increase your security from a one-factor security-a password-to a two-factor security-a smart card and its PIN. Use the smart card as a portable place to carry your personal preference information and your identity-establishing private signing key. In marketing applications, a smart card offers a much wider and more flexible set of customer benefits than a magnetic-strip card (magstripe) or a paper record card. A smart card can also carry secured information-such as medical records, licenses, subscriptions, and accreditations-that must be guarded against tampering. The book includes a 3K Multiflex smart card, which you can use to begin programming smart cards. The book’s CD-ROM includes all the source code for the book, EZ Formatter, the Cyberflex and Multiflex smart card specifications, and a browser-ready collection of HTML pages that can be used as a starting point for finding smart card information and freeware development tools on the Web. Book Preview Since the advent of the Internet, the need for security has grown exponentially. Smart cards provide a secure medium for storing and transporting data. Smart cards have been produced since the 1970s, but until recently have been confined to a small number of government applications such as pay telephones, national health cards, and financial services cards. Smart cards are now used in Europe for many applications, and are becoming more common in the United States as well. Smart cards offer a much wider and more flexible set of customer benefits than magnetic-strip cards or paper records. They also carry secure information—such as medical records, licenses, subscriptions, and accreditations—that must be guarded against tampering. Smart Card Developer’s Kit is designed to provide the practical information you need to design and build applications that incorporate smart cards. Using a combination of detailed exposition, technical reference summaries, and extended examples, this book familiarizes you with the unique strengths and capabilities of this emerging computer technology. Scott B. Guthery recently joined CertCo to lead the development of a line of cryptographic signing devices. He had previously worked for Schlumberger, where he headed the team that created the first smart card to run a commercial programming language, the Java Card. While at Schlumberger, Dr. Guthery received two patents for his contributions to the design of Schlumberger’s MAXIS well logging system and also contributed to the development of some novel communication systems for urban terminals such as utility and parking meters. Dr. Guthery received a Ph.D. in probability and statistics from Michigan State University and has published articles in the fields of mathematics, programming languages, and electronic commerce. Timothy M. Jurgensen is a senior member of the technical staff at Schlumberger’s Austin Products Center. He holds a Ph.D. in nuclear physics from Rice University and has been with Schlumberger for more than 25 years. He has been particularly active in the development of small aperture (VSAT) satellite-based communication systems and in the provision of high-security computer networks. These networks are now used by Schlumberger’s worldwide operating companies in Oilfield Services to move time-critical exploration and evaluation information from remote well site environments to evaluation offices around the world. He has published articles regarding wide area computer networks, satellite-based communication systems, data management, and network security infrastructures. A smart card is a portable, tamper-resistant computer with a programmable data store. It is the exact shape and size of a credit card, holds 16 KB or more of sensitive information, and does a modest amount of data processing as well. The central processing unit in a smart card is typically an 8-bit microcontroller that has the computing power of the original IBM PC. To make a computer and a smart card communicate, you place the card in or near a smart card reader, which is connected to the computer. After a period of some 20 years of arrested development, smart cards are beginning to evolve. Memory sizes are increasing and processor architectures are moving to 16-bit and 32-bit configurations. This book is about software development for today’s widely available 8-bit microcontroller smart cards. PART I Smart Card Background and Basics A Brief History The smart card— a term coined by French publicist Roy Bright in 1980—was invented in 1967 and 1968 by two German engineers, Jurgen Dethloff and Helmut Grottrupp. Dethloff and Grottrupp filed for a German patent on their invention in February 1969 and were finally granted patent DE 19 45 777 (3, titled “Identifikanden/Identifikationsschalter,” in 1982. Independently, Kunitaka Arimura of the Arimura Technology Institute in Japan filed for a smart card patent in Japan in March 1970. The next year, in May 1971, Paul Castrucci of IBM filed an American patent titled simply “Information Card” and on November 7, 1972, was issued U.S. Patent 3,702,464. Between 1974 and 1979 Roland Moreno, a French journalist, filed 47 smart card—related patent applications in 11 countries and founded the French company Innovatron to license this legal tour de force. Two brief but excellent histories of the early days of the smart card by Klaus H. Knapp of the Eduard Rhein Foundation and Robin Townend of MasterCard International can be found at http://www.eduard-rhein-foundation.de/html/t96.html and http://www.smartcard.co.uk/financel.html. Smart cards cost between $1 and $20, depending primarily on the size of the memory in the card and the software functionality included. Smart card software usually includes a rudimentary on-board operating system with file system, communication, authorization, encryption, and access control primitives. Smart cards are particularly useful components of computer systems that need to address data security, personal privacy, and user mobility requirements. Smart card programming is characterized by a constant and overarching concern for two system requirements: data security and data integrity. Data security means that a data value or a computational capability contained on the card can be accessed by those entities that are authorized to access it and not accessed by those entities that are not authorized to access it. Data integrity means that at all times the value of information stored on a card is defined; the value is not corrupted, even if power to the smart card is cut during a computation involving some piece of information stored on the card. Unlike many software applications commercial programmers deal with daily, smart card applications are typically public systems. This means first that smart cards are used in settings and situations in which using a computer is not the first thing on the user’s mind. Furthermore, the smart card computer must fit seamlessly and, to the greatest extent possible, unnoticed into existing behaviors and relationships. Paying for a newspaper with electronic money on a smart card should, for example, be very much like paying for the newspaper with cash. CHAPTER 1 Smart Card Programming Furthermore, unlike applications that are run on corporate computers in physically guarded environments and on private networks, smart card computers are “on the street” and subject to attack by a range of interests and agendas that are not fully known, let alone understood, by the smart card programmer and system designer. The amount of data processed by a smart card program is usually quite small and the computations performed are typically quite modest. Subtracting 50 cents from a smart card’s electronic purse, for example, entails neither many numbers nor much arithmetic. However, making sure that the expectations of all the parties to this transaction—the cardholder, the card issuer, and the merchant—are met during and after the transaction places an unfamiliar and relatively unique set of demands on software system designers and computer programmers. The merchant expects to be exactly 50 cents richer, the cardholder expects to be exactly 50 cents poorer, and the card issuer expects that the smart card will be left in a consistent state and not have leaked information about its inner workings. Smart Versus Memory Versus Logic Cards 1 Two other credit card—sized devices contain integrated circuits; because of their identical size and similar uses, they are sometimes confused with smart cards. These are memory cards and logic cards. Memory cards contain only memory and logic cards are memory cards with some added circuitry to provide some data security functions. European telephone cards, transportation fare cards, and some medical record cards are examples of the uses of these cards. Since neither memory nor logic cards contain a general-purpose programmable processor for which software can be written, they are not explicitly considered in this book. Nevertheless, many of the discussions about systems that use smart cards apply equally well to memory and logic cards. Memory cards and logic cards should certainly be considered by system designers in building systems that include a portable personal data store. Smart Card Software There are fundamentally two types of smart card software, some examples of which are listed in Table 1.1: • Host software, which is software that runs on a computer connected to a smart card. Host software is also referred to as reader-side software. • Card software, which is software that runs on the smart card itself. As a counterpart of reader-side software, card software is also referred to as card-side software.