Demonstrate real Javacard authentication system
Outline
Brief history of smartcards
Smartcard fundamentals
Microprocessor cards / memory cards
Contact / contactless cards
Architecture (physical and logical)
Memory
ROM
Non-volatile memory
RAM
Manufacturing
Burning (masking ROM)
Some attacks and defenses
Power attacks against cryptographic keys
ICC defenses
Communicating to/from a smartcard
Protocols
Link level
Application level (T0, T1)
Unidirectional serial channel
Master / slave
VISA OpenPlatform
Vulnerabilities
Microsoft's PC/SC and IBM’s J/PCSC extension
Proprietary vendor API
E.g. Schlumberger (Axalto), Gemplus
DoD, Activcard
Data security and integrity
Some standards and security guidelines
ISO 7816
Common Criteria
Other
Javacard specifics
Architecture (physical and logical)
Post manufacture applets
VISA OpenPlatform
API packages – Functionality and Theory
Vulnerabilities and deficiencies
e.g. On Card
Signing and verifying requirements
Processing time
Javacard virtual machine
Off card VM
On card VM
Vulnerabilities
Applet lifetimes
Examples of cryptographic applets for:
Authentication
Authorization
Wallet and loyalty apps
Smartcard role in fulfilling HSPD-12, PIV-1 & REAL-ID Act
Why Learn Smartcards?
Smartcards enable Internet users to validate the authenticity of their Internet correspondent. They are the vessel that contains the digitized identity (as personal cryptographic key material) as well as other personal data (e.g. medical emergency data, authorizations, etc.).
Security professionals (and maybe every Internet user) need to know the potential and the shortfalls of smartcards. This is especially true for Federal government staff and consultants who need to evaluate smartcard applicability in satisfying Federal mandates as specified in documents like HSPD-12, FIPS 201, PIV-I and II, etc.
This presentation provides a concise, descriptive overview of basic smartcard capabilities and vulnerabilities, and illustrates an online, real-time smartcard authentication and file transfer system.
Contact:
seminar at HXMEL.com