the most secure night and maybe years in case they ... · by mikko marin, senior product manager,...


EDITORIAL

THE MOST SECURE HIGH-TECH-CITIES OF TOMORROW?

The cover statement of this magazine reads “Security Takes to the Skies” - but is this a little misleading? The editorial team here at SECURE not only sees the use of security mechanisms for travel in the skies, but the entire airport scenario as a breeding ground for all the latest in security technology. In fact, we would argue that airports have taken on the mantle of a self-contained city of tomorrow.

Just like any other citadel, a major modern-day airport can boast its own security personnel, shopping and recreational areas, business and conferencing areas. Both permanent (airport workers) and transient (travelers) populations can take up temporary citizenship – sometimes only a few hours, sometimes overnight and maybe years in case they work there.

Importantly though, they can only achieve this citizenship after proving their identification through their ID cards, their passports, their tickets or boarding cards as well as their frequent traveler or other loyalty cards for access to more privileged areas.

Here at SECURE, we also regard such upcoming applications as eBusiness, eBanking, and eTicketing as strong drivers for the increasing use of smart cards, especially contactless versions that include RFID tokens or labels.

Pilot applications for these technologies are mostly to be found in the airport environment - references for this are London’s Heathrow, New York’s JFK, Munich’s Strauss Airport, where one can see a place thriving with potential applications for security technology. With the numbers of both domestic and international air travelers increasing, today’s airports are vast hubs that have to accommodate huge numbers of people, throughput even bigger numbers of luggage and provide both with goods and services while they arrive, depart and continue on their journey. Be it on the ground or in the skies.

Our lead article expands this idea further and takes you on a journey from home, to the airport and beyond. All the while, explaining the way security technology has infiltrated the entire travel process. Further on in this issue, we also have an article from Bundesdruckerei, focusing on the future changes at the airport’s border control stations, paired with an outline of Trusted Logic which takes a look at how eTicketing is going the Java Card way.

It may all seem a little far-fetched right now, but after reading this issue of SECURE, we think you’ll never look at an airport in the same way anymore. Have a good flight!

Andreas Liebheit
Head of Business Development Chip Card and Security ICs, Infineon Technologies AG

IMPRESSUM

SECURE - The Silicon Trust Report is a Silicon Trust program publication, sponsored by Infineon Technologies AG.

This issue of SECURE - The Silicon Trust Report is Copyright 2005 by Infineon Technologies AG.

Infineon Editorial Team Camille Gasnier Rainer Bergmann Ursula Schilling Cristina DeLera Ioannis Kabitoglou

Magazine Project Development Krowne Communications GmbH Munich, Germany

Creative Director/Layout Stefan Gassner Email – [email protected] Cover Stefan Gassner

Advertising & Distribution Karen Brindley Email – [email protected]

Subscriptions of SECURE – The Silicon Trust Report can be obtained at: www.silicon-trust.com

No portion of this publication may be reproduced in part or in whole without the express permission, in writing, from the publisher. All product copyrights and trademarks are the property of their respective owners. All product names, specifications, prices and other information are correct at the time of going to press but are subject to change without notice. The publisher takes no responsibility for false or misleading information or omissions.

Any comments may be addressed to [email protected]

Security takes to the Skies (page 8)
Banking on Security (page 14)
Pre-Paid Subscription is given a Boost in Developing Countries (page 24)
ICAO kick-starts Airport Authentication (page 28)
Fault Induction – a Versatile Tool for Attackers (page 40)

CONTENT

HOW TO CONTACT THIS ISSUE’S AUTHORS (page 5)
INTRODUCING THE SILICON TRUST (page 6)
WELCOME TO THE TRUST (page 7)

VIEWPOINT: Security

Security takes to the Skies
By Wendy Atkins for Infineon Technologies AG (page 8)

APPLICATION FOCUS: eBanking

Banking on Security
By Dr. Manfred Müller, Director of Strategic Marketing, SCM Microsystems Inc. (page 14)

Secure Payments with EMV Cards
By Mikko Marin, Senior Product Manager, Banking & Retail, Product Marketing, Setec Oy (page 18)

The Information Economy: A Future Analysis of eBanking and Digital Information
By Chris Sprucefield, SIPT eSecurity, in affiliation with Smarticware AB (page 22)

Pre-Paid Subscription is given a Boost in Developing Countries: The Virtual Top-Up (VTU) Solution
By Michael Serrao, Business Development Director, Prism Holdings (page 24)

More than just a Phone: Contactless Technology opens up Multiple New Applications for Cell Phones
By Volker Gerstenberger, 3G Product Marketing Manager, Giesecke & Devrient (page 27)

APPLICATION FOCUS: eGovernment/eTravel

ICAO kick-starts Airport Authentication
By Björn Brecht, Senior Consultant, Bundesdruckerei GmbH (page 28)

National ID Cards enable a Better Life
By Jacob Mendel, V.P. R&D and Security, SCSquare Ltd. (page 32)

APPLICATION FOCUS: eTransportation

e-Ticketing is going the Java™ way
By Jean-Claude Pellicer, VP Sales, Trusted Logic (page 34)

APPLICATION FOCUS: Secure Computing

Trusted Platforms provide new Levels of Security
By Thomas Rosteck, Senior Director Product Line Trusted Computing, Infineon Technologies AG (page 36)

TECHNOLOGY UPDATE

Fault Induction – a Versatile Tool for Attackers
By Dr. Peter Laackmann, Principal, Product Security and Marcus Janke, Senior Staff Specialist, Product Security, Infineon Technologies AG (page 40)

WITHIN THE TRUST

ACG unveils its New Business Unit ACG Secure ID
By ACG (page 46)

eight™ is the Magic Number
By Austria Card (page 47)

Trusted Platforms for Mission Critical Applications
By Keycorp (page 48)

Advantis gives SERMEPA the Advantage!
By SERMEPA (page 49)

RUNNING COMMENTARY (page 50)

HOW TO CONTACT THIS ISSUE’S AUTHORS

VIEWPOINT SECTION

Page 8 Wendy Atkins Tel: + 33 4 68 24 04 22 [email protected]

APPLICATION FOCUS – eBanking

Page 14 Dr. Manfred Müller SCM Microsystems GmbH Tel: + 49 89 9595 5140 [email protected] www.scmmicro.com

Page 18 Mikko Marin Setec Oy Tel: +358 9 8941 4517 [email protected] www.setec.com

Page 22 Chris Sprucefield SIPT Tel: +44 7921 815 316 [email protected] http://sipt.net

Page 24 Michael Serrao Prism Holdings Tel: +27 11 548 1000 [email protected] www.prism.co.za

Page 27 Volker Gerstenberger Giesecke & Devrient GmbH Tel: +49 4119 2649 [email protected] www.gi-de.com

APPLICATION FOCUS – eGovernment/eTravel

Page 28 Björn Brecht Bundesdruckerei GmbH Tel: +49 30 2598 2204 [email protected] www.bundesdruckerei.de

Page 32 Jacob Mendel SCSquare Ltd. Tel: +972 3 7657 331 [email protected] www.scsquare.com

APPLICATION FOCUS – eTransportation

Page 34 Jean-Claude Pellicer Trusted Logic Tel: +33 1 30 97 25 09 [email protected] www.trusted-logic.com

APPLICATION FOCUS – Secure Computing

Page 36 Thomas Rosteck [email protected] www.infineon.com/tpm

TECHNOLOGY UPDATE – Smart Card

Page 40 Dr. Peter Laackmann, Marcus Janke [email protected] [email protected] www.infineon.com/security

WITHIN THE TRUST

Page 46 Katja Dienz ACG Identification Technologies GmbH Tel: +49 6123 791 205 [email protected] www.acg.de

Page 47 Siegfried Gruber Austria Card Tel: +43 1 610 65 243 [email protected] www.austriacard.com

Page 48 Andrea Vuletic Keycorp Ltd. [email protected] www.keycorp.net

Page 49 Roberto Herrero Sánchez SERMEPA / ServiRed Tel: +34 91 346 53 00 [email protected] www.sermepa.es

RUNNING COMMENTARY

Page 50 Mark Lockie Tel: +44 29 20 560 458 [email protected]


THE SILICON TRUST

WHAT IS THE SILICON TRUST?

The Silicon Trust Program has, over the last few years, become a well-respected and established Partnership Program within the Security Industry, and has certainly achieved its initial goal of raising awareness for Silicon-Based Security. As one of the first such Partner Programs in the market, Infineon has demonstrated that bringing together a network of Security Partners can improve the relationship with the end customer, by offering a complete solution across the Value Chain. Building on its past success, Infineon now believes that the Partnership should be widened to include more products and solutions - to provide the Customer with more choice. And Infineon means to do this by focusing internal resource on continuing to build up solid relationships with companies working with Infineon products, as well as fostering new relationships with companies who are attempting to bring about changes for the future of the security industry – working together to increase marketing and promotional offerings in the marketplace.

WHAT ARE THE BENEFITS OF BEING A PARTNER?

Working together with Infineon and other companies in the same Market, will lead to a better understanding of applications and future market trends.

Companies can work together within an environment of trust and develop integrated solutions for a combined customer base. By promoting the Program as a whole, individual companies can benefit from the resources applied by Infineon.

WHAT ARE THE PLANNED ACTIVITIES?

Silicon Trust activities are a mix between Marketing and Promotional, and the more time and resources invested by the Partner, the better the result.

Once in the Program, Partners are able to participate in as many activities as they wish. Here are just some of the activities currently being planned for the Silicon Trust:

Frequent emails updating Partners on current and future activities

Access to a database of Partner contacts

Tour of the Infineon fabrication facilities (front and back end)

Attending Networking Events - meet up with the other Partners at the major trade shows (e.g. CeBIT, CARTES)

Participation with Infineon at Exhibitions and Shows (e.g. CARTES)

Participation in Security Application Reviews: in-depth market white papers

Participation in SECURE - a 54 page magazine filled with Partner articles

Partner’s products promoted in the SECURE Solutions Handbook

Participation in the Security Solutions Forum - security conferences hosted by Infineon

Participation in Marketing Update sessions provided by Infineon

Participation in EU Lobbying events in Brussels

Product and solution promotion on www.silicon-trust.com

MEMBERS OF THE SILICON TRUST

ACG
Aladdin
Association for Biometrics
Aspects Software
Austria Card
Baltech
beyondLSI
Bundesdruckerei
Card etc.
Cherry
Datacard
D-Trust
Gemplus
Giesecke & Devrient
Goldkey
IdentAlink
IEE
Ikendi
ISL
Keycorp
Maurer Electronics
MMCA
Novacard
Omnikey
PPC Card Systems
Precise Biometrics
Prism
Radicchio
realtime
SC2
SCM
Secartis
Sermepa
Setec
Siemens ICM
Siemens ICN
Siemens PSE
Smart Card Centre
Smarticware
SyntiQ
TeleTrusT
Tresor
Trusted Logic
United Access
Utimaco Safeware
Wave Systems

FOR MORE INFORMATION VISIT www.silicon-trust.com

WELCOME TO THE TRUST

We would like to welcome the following members to the Silicon Trust. For further information on these companies, please check out their websites.

Founded in 1879, Bundesdruckerei is one of the world’s leading companies in high-security technology, serving domestic and foreign markets with ID documents and high-security cards, banknotes, postage and revenue stamps, electronic publications of all kinds. It now focuses on new biometric technologies as well. www.bundesdruckerei.de

Founded in 1998 and a wholly-owned subsidiary of Bundesdruckerei GmbH, D-Trust is responsible for electronic signature systems. As an independent service company, D-Trust offers the entire value chain of a trust center: from consultancy services via smart card-based products, right through to services and business solutions for all aspects related to the electronic signature. www.d-trust.net

Employing the latest state-of-the-art technology, Maurer Electronics is at the forefront of supplying integrated systems for national ID applications. The company designs and sells products for data registration, image processing, biometrics, data storage and card personalization; the latter with a particular focus on high-quality, high-security laser engraving. www.maurer-electronics.de

Prism is a trusted transactions company developing innovative ICT products, solutions and services for secure electronic transactions in wired and wireless networks, servicing the banking, retail, telco, utilities and oilco sectors. www.prism.co.za

Smarticware AB is a Swedish start-up company that through its independent position and cross-industrial experience is dedicated to supplying the smart card industry with technologies and services directed towards development and inventive usage of smart card applications. www.smarticware.com

SECURITY TAKES TO THE SKIES

By Wendy Atkins for Infineon Technologies AG

It’s 6am. You have an important business meeting at noon in Frankfurt. Before the end of the day you will have travelled over 1,000km, sat through five hours of meetings, flown on an airplane for three hours, spent at least an hour and a half in airports, bought some duty free, made several telephone calls, drunk copious amounts of coffee, and had your fair share of chips. Sound familiar? It’s certainly the experience shared by the millions of us who pass through any airport on our way to a business meeting every day. Without realising it, chip technology seems to have entered every part of our life – and we’re now using a range of chip-enabled cards and gadgets to conduct our everyday life safely, conveniently and with a high level of security. What used to be considered science fiction is now very definitely science fact.

The airport environment is an interesting microcosm of society: you’ve got a broad cross-section of people ranging from airport cleaners to security guards, government officials to passengers and airline personnel. Added to this, the sheer range of shopping experiences in some major airports could rival many European High Streets. Each group of people passing through an airport has different requirements – and those involved in providing airport services must somehow meet these varied needs.

MANY PEOPLE, MANY NEEDS

First, let’s take a look at the people passing through the airport. Many will be travelers. But how often do they travel? Are they frequent, very well known registered travelers? Are they occasional travelers? Or are they government officials – such as ambassadors – who are traveling? Whichever category they fall into, there is a good chance that they will have used secure measures, such as chip or biometric-based authentication technologies, to authenticate themselves or to speed conveniently through the security process.

Others may be airport or airline employees. They have perhaps worked for their organization for 30 years, but they will still go through some form of authentication process at least twice a day. They may clock on to a biometric-based time and attendance system.

Whatever the system, they will certainly be issued with a pass giving them access to secure areas of the airport. There’s a good chance that the pass could be a chip card containing information on both the physical and the logical areas of an airport that the employee is permitted to visit. The card could even include company e-purse functionality for making purchases from vending machines and the staff canteen.

Other employees, such as sub-contractors, who perhaps only work in the airport occasionally, also need to go through some form of security process that adequately checks their credentials without impinging on their work.

Meanwhile, police and immigration officers also have to be authenticated whenever they enter a secure area. And, of course, their involvement in authentication doesn’t stop there. Many will be charged with identifying passengers, which could involve checking passports and boarding passes, and will also involve comparing data on the passport with a ‘watch list’ of potential problem passengers.

With such a broad range of groups and subgroups operating in the airport environment at any one time, the technology used needs to be pretty dynamic to address the challenges and needs that each subgroup brings, especially considering that airports operate under increasingly difficult – and often contradictory – constraints. For example, many airports – such as Frankfurt – are not physically able to grow any more. Yet passenger numbers are continuing to increase, thanks to the introduction of larger planes such as the recently launched A380, capable of carrying more than 800 people, as well as the growth of numerous low-cost carriers.

In fact, the International Air Travel Association (IATA) estimates the Average Annual Growth Rate (AAGR) for international and domestic passenger travel will be 5% for the period 2004-2008.

These challenges come at a time when security requirements are increasing, but passenger throughput times must be reduced.

SECURE TECHNOLOGY

Airlines are interested in secure technology, both airside and groundside. Chip technology may be required when selling tickets or when collecting data related to passengers’ traveling habits, to provide convenience and security. Meanwhile, the highly competitive nature of the passenger travel business will dictate that the airline enhances loyalty and customer retention. While the speed and convenience offered by the use of automated authentication processes may help keep customers satisfied, there is a good chance that the airline will offer some type of frequent flyer promotion, which may involve some form of chip card.

The airline could be using SITA’s (provider of global Information Technology and Telecommunications solutions to the air transport and related industries) protocols for its devices. Whether the devices are being used for printing, or for sending messages, airlines are confident of the level of their IT security.

Added to this, security measures in the form of no flight lists for the US and person profiling for flights to the US will have been adopted. Steps will have also been taken by the airline to ensure that no baggage is allowed onto a plane unless it is linked to a passenger.

INTEROPERABILITY

In the average working day at an airport, the requirement for security, convenience and safety as well as the possibility of making money and retaining customers, requires some form of secure technology. But how can these demands be met and how can the user experience be improved when for some people the requirement for secure technology is primarily for convenience, whereas for others it is much more about implementing the highest level of security possible? Added to this, implementations have to take into account the many different systems, networks and media that have to be linked both in one airport and between other airports – an interoperability nightmare!

The solution for those involved in offering airport services is being driven by secure and linked systems using chip-based tools. Such tools pervade every area of life and could be seen in employee cards providing logical and physical access to parts of an airport, frequent flyer membership cards, e-boarding passes and e-baggage tags as well as e-passports with e-visa and e-ID cards.

It’s a massive headache for interoperability, but organizations are working together to achieve results. In the payments world, interoperability of chip-based cards has been taken care of via the Europay-MasterCard-Visa (EMV) specification – and many retail outlets at Western European airports should have now upgraded their payment infrastructure to EMV. However, this migration has not been without its own issues, and is a process that many retailers and banks are still going through.

In the airport environment, a raft of standards initiatives is now being worked on. For example, the International Civil Aviation Organization’s (ICAO) passport standards specify the mandatory use of facial recognition as well as the optional use of iris and fingerprint recognition. Meanwhile, both the ICAO and IATA are working towards a paperless boarding pass, with IATA saying it has a vision that e-ticketing implementation will have reached 100% by 2007.

IATA also aims to achieve an industry standard to replace bar coded baggage tags with auto-identifying RFID for baggage handling by 2006.

MORE RFID PLEASE

Airlines have been looking at RFID for baggage handling for some time. With costs of the technology continuing to fall, airlines are increasingly interested in adopting it to cut costs and improve customer perceptions of their service.

For example, in 2004, it was announced that Delta Airlines plans to spend up to US$25 million over a two-year period to roll out an RFID system to track all the luggage it handles through US airports. According to industry reports, only 0.7% of the baggage Delta handles every year gets lost. Even so, finding what amounts to approximately 800,000 bags and returning them to their owners is estimated to cost the company around US$100 million each year. Delta’s latest plans are for disposable RFID tags that can be attached to passenger luggage at check-in at every US airport it serves.

These labels will enable Delta to track each item through the carrier’s baggage sorting operation and onto the plane, then through any transfer airports for connecting flights and finally onto the baggage carousel at the passenger’s destination. The plans are intended to build on two RFID pilots that were held at Jacksonville Airport, Florida, in October 2003 and May 2004. During these trials, Ultra High Frequency (UHF) RFID inlays, which are capable of reading at up to 4-5 meters and can transfer data faster than low frequency solutions, were embedded in standard bar code tags and were fixed to checked-in luggage on the airline’s Jacksonville to Atlanta route. These trials provided accuracy levels of 96.7% to 99.9%, compared with an estimated 80% to 85% when using bar code technology alone.

This is by no means the only example of RFID being used for baggage control. As long ago as 1999, British Airways tested 150,000 RFID tags operating on the 13.56MHz band on flights from Manchester and Munich to London Heathrow airport.

FROM SMART ACCESS...

Away from RFID, an increasing number of organizations in the aerospace and airport industries are using multi-application smart cards to provide employees with a host of functions. For example, Boeing is implementing a smart card based enterprise-wide identity management system, known as SecureBadge, to provide access to information systems and buildings. The program’s design phase began in 2001 when the company examined standardizing its employee identification and physical and logical access control technologies. Companies involved in this program include Siemens Information and Communication Networks, BellID and Gemplus. Meanwhile, Roissy Charles de Gaulle and Orly airports in Paris have implemented a staff access control solution using biometric fingerprint technology and contactless cards. The system, which is estimated to affect 90,000 people across the two airports, includes 100 fixed and 15 mobile security checkpoints. The system is designed to enforce security and increase control reliability whilst reducing the amount of time it takes staff to access working zones. Sagem was the prime contractor for this project, which was implemented in partnership with Omnitech.

...TO SMART TRAVEL

And the technology doesn’t stop there. The traveling public is increasingly accustomed to using smart documentation for verification. E-passports are becoming a reality worldwide, providing an answer to the requirements of increased traceability and a need to link travel documents.

Smart chip-based electronic passports answer the need for cost-effective, large-scale border crossing and identification applications. Consequently, many governments are now working with the ICAO to issue a specification for chip-based passports utilizing biometric data. This seems like the ultimate level in security, because individual physical features are what make a person unique.

BIOMETRICS

The US has launched a road map for the migration to contactless chip passports for all its citizens as well as strengthening the laws on immigration with systematic biometric data collection for citizens of visa-requiring countries. Furthermore, from the third quarter of 2005, all passports from the 27 US Visa Waiver Countries, whose citizens can enter the US without a visa, will need to contain biometric data.

Meanwhile, in Burma, an electronic passport system was launched in 2002. This system involved the embedding of a microchip in the passport, containing information about the holder including photographs and fingerprints, and was established to check passports at auto-matic gates in the departure terminals at Rangoon International airport. In the first week of operation, 5,000 e-passports were issued to Burmese diplomats, officials and selected members of the business community as part of a pilot program. The technology for the pass-ports came from Malaysia-based Iris Corporation.

In the UK, the Home Office, in partnership with key border control, law enforcement and intelligence agencies, is coordinating an e-Borders initiative. A key component of this initiative will be project IRIS (Iris Recognition Immigration System) – an automated border entry system using iris recognition technology to fast track trusted travelers through immigration control. The system – supplied by Sagem – is being deployed at the country’s Heathrow, Gatwick, Manchester, Birmingham and Stansted airports, and is due to be fully operational by the middle of 2005. This project builds on an earlier frequent flyer program which was successfully trialed at Heathrow airport using Eye-Ticket Corporation’s JetStream Passenger Processing System to process North American frequent travelers traveling to the UK with British Airways or Virgin Atlantic.


Across the Atlantic, January 2005 saw the announcement that JFK Airport in New York will be operating a pilot using iris recognition to speed pre-registered passengers through security and customs checkpoints. Travelers who enroll in the system will have to go through a background check, including criminal history reviews, fingerprinting and a face-to-face interview with a Homeland Security official. Once approved, passengers will be given a smart card containing their passport and biometric iris information. The system will be available to US citizens, legal permanent residents and foreigners who are frequent travelers to the US.

IN THE REAL WORLD. . .

Taking a look at many of the world’s airports, a range of technology initiatives are having a major impact on the way we travel. Twenty years ago, when the world was divided along East and West lines, the airport experience would have been markedly different for most business travelers. Today, we’re used to authenticating ourselves several times before we’ve even entered an airport – and chances are chip-based secure technology will have been used for some of this authentication. Consider the case of John, the Vice President of marketing for a major global machinery supplier.

SECURITY

Booking the airline reservation will have required some level of authentication. He may have booked over the Internet using passwords, secure socket layers and even an EMV card connected to a smart card reader. His payment would have gone through the credit card association’s behavioral scoring mechanism to ensure his payment wasn’t totally out of character with his usual purchasing habits. The airline’s web booking engine could have been connected to the Sabre Reservation System, which has direct links to the credit card associations for credit card processing, reducing the possibility of transactions being further exposed to the web. Or perhaps his reservation was made via a biometric-based system to the airline’s call centre. Whichever approach he took, booking an airline ticket is much easier and quicker than in the days of visiting travel agents and getting them to arrange everything.

And it doesn’t stop there. There’s a good chance that he will be using a ticketless airline, such as British Airways or Lufthansa. If so, technology would have been used to create an electronically held record (or ticket) of his transaction, and will be stored in the reservation system of his airline carrier. That seems like a major advantage: it’s convenient, fast and safe. And unlike the bad old days when he had to pay 15 euros for a duplicate ticket to be issued, there’s no worry that the ticket could get lost or stolen. Furthermore, e-ticketing is also helping speed up the time spent queuing, as a paper ticket no longer has to be collected from an airline’s office.


CONVENIENCE

When John leaves his house, chances are he’ll use RFID technology to open his car door. Perhaps he’ll drive along a toll road on his way to the airport. And if he makes this journey frequently, there’s a good chance he’ll be using a smart-enabled device to pay the toll. Perhaps it will be a contactless card or an onboard unit in the car that communicates with the gate through infrared technology.

On the other hand, he may have taken the train. In which case, his contactless travel card may have been used.

AT THE AIRPORT

John checks in with his e-ticket and passport. In the future, he may be using a smart card containing an ICAO-compliant fingerprint for verification. The man at the check-in desk, who has a chip-based company identity card around his neck, loads an e-boarding pass on to the smart card and stores John’s frequent traveler bonus points on it as well. John puts his suitcase on the scales. An RFID tag for track and trace is fitted to the suitcase handle and the RFID tag number is stored on the smart card.

As he moves airside, John goes through passport control. The government official, complete with a chip-based identity card, looks at John’s passport and boarding pass, before turning to an airport employee who is being fast-tracked through security.

Once airside, John meets his colleague, who is just about to depart on a trip to New York. As a frequent traveler to JFK airport, she is enrolled in a biometric iris-based frequent flyer scheme, enabling her to speed through security.

TOTALLY TECHNICAL

It’s now 8 am and John has a conference call with a colleague in Dubai. After a quick trip to the coffee shop, he finds a quiet place to make his call. He keys his pass code into his telephone handset and activates the SIM card in his phone. He’s now ready to call his colleague Barry from the address book stored on his SIM. During the discussion, it emerges that Barry hasn’t received the short email that John sent from his PDA last night. Today, John is using his laptop. He has confidence in the laptop as a Trusted Client, thanks to its use of a Trusted Platform Module (TPM), which provides the capabilities of a built-in secure chip to provide strong authentication, giving a higher level of assurance to secure networks. John sees that he is in a wireless fidelity (WiFi) hotspot. Knowing that he can get a wireless Internet connection, and can transmit information in wave form reasonably quickly, he boots up his laptop, makes a WiFi connection and emails Barry again.

With 15 minutes to go until boarding, John looks around the shops. Maybe he’ll purchase some duty free with his EMV chip and PIN card. Or perhaps he’ll make an impulse purchase in a retail outlet and receive loyalty points on his chip-based loyalty card.

Just as he’s about to switch his telephone off to board the plane, John remembers to text his partner to remind her to put the bins out – yes, SMS technology has even entered the world of the most boring domestic task!

Finally, he shows his e-boarding pass and e-passport to the airline employee.

SATISFACTION

When he reaches Frankfurt, John turns on his telephone, which automatically goes into roaming mode. He calls his answer phone, and is asked to key in a PIN. He then goes through to baggage control. After waiting 10 minutes, his bags appear on the carousel. John breathes a sigh of relief. After a major international airline lost his luggage for several days back in 1995, he is always slightly nervous that he may have to make a presentation in the rather crumpled clothes he has spent a day traveling in. John doesn’t realize that the airline has improved its baggage handling service using RFID technology.

Having successfully completed his journey, it’s unlikely that John will reflect on how chip technology has improved his traveling experience. While he is enjoying a working lunch in Frankfurt, business will continue as normal at the airports he has traveled through today. Improved levels of authentication are being provided for a host of applications. Customers are happy because their bookings can’t get lost or stolen, and airlines are able to improve services cost-effectively. And finally, the airport can be sure that a high level of security has been used, thanks to systems that comply with international travel regulations.

SCIENCE FACT

In the airport environment, secure technology is widely used by a broad cross-section of individuals. Whether the individual is traveling or working, spending money or earning money, entering a secure area or participating in a loyalty scheme, technology ensuring convenience and safety lies at the heart of any airport experience. The technologies are in place, the products are available and the number of reference cases is growing rapidly, as pilot projects as varied as Delta’s implementation of RFID and JFK’s use of biometrics demonstrate.

When we reached the millennium, the media commented that some of the technical leaps and bounds that had been forecast in the 1970s had failed to materialize. OK, we don’t have individual space pods, and some ‘futuristic gadgets’ have been and gone, but we’ve certainly moved into a high tech age – and even if chips don’t fit into the Atkins diet, they certainly figure highly in the rest of our life!

Whether we’re checking our messages on our PDAs, making payments with our credit cards, using our mobile phones, gaining access to our work place or using ID cards and passports, chip technology is – and will continue to be – very much a part of our daily life.

APPLICATION FOCUS: eBanking

BANKING ON SECURITY

E-banking isn’t the wave of the future. It’s already here – and it’s secure.

By Dr. Manfred Mueller, Director of Strategic Marketing, SCM Microsystems Inc.

It’s 7 pm, and John (see the preceding article for more details about John’s day) has a few minutes to kill before his flight home, so he powers up his laptop, connects to the airport’s wireless network and browses his bank’s website to pay a few bills.

But instead of just typing his ID and password, he pulls out a hockey puck-sized device and slides in what looks like a credit card. He pushes a button, and the device displays a one-time code that he enters in his bank’s Web page. From there, he has full access to his accounts.

Why not just skip that code and use a standard ID-password combination? In a word, security. In John’s case, he used a smart card and EasyTAN, a smart card reader from SCM Microsystems, to generate a TransAction Number (TAN), a unique code recognized by his bank that is good only for one transaction.

This system is highly secure for John because if someone copies his ID, password and TAN, and then tries to use them from another PC, the expired TAN will cause the fraudulent transaction to be rejected.

The additional layer of security remains even if John’s laptop is stolen or if someone peers over his shoulder and jots down his ID and password. This approach protects John, his bank and any participating merchants against fraud.

Today consumers worldwide conduct millions of transactions a year with paper-based TANs issued by banks. In Germany alone, more than 30 million bank customers already use TANs for online authentication. Traditionally banks issued lists of TANs to their customers, who in turn had to store the TANs in a secure place – no small task for users who want to manage their accounts and pay bills while traveling. Worse, they had to remember to scratch off each TAN after using it.

That cumbersome process highlights the need for systems that deftly balance security and user friendliness. When security requires users to perform additional tasks – such as protecting and tracking TANs – they begin to look for shortcuts, which often circumvent security. Just ask anyone who’s taped their password list to the underside of their keyboard rather than memorize them.

Recognizing that, John’s bank has taken security and convenience one step further. By implementing TANs on a smart card, John’s bank eliminates the need for him to carry, manage and replace paper-based TANs. And of course his bank no longer has to issue them.

A MATTER OF TRUST

At first glance, making customers enter a TAN with each transaction sounds like a chore that might cut usage. But that’s not necessarily the case.

For one, chances are high that John encounters fraud at least once a day, whether it’s a “phishing” e-mail or a news report about identity theft. SCM’s EasyTAN and smart cards leverage that awareness for the benefit of John’s bank: with each use and TAN entry, John is reminded that his bank is working on his behalf, protecting him with additional layers of security.

For another, customers of banks that already use TANs find devices such as the EasyTAN Card Reader are actually more convenient.

Finally, smart card readers can provide more than security. Case in point: SCM Microsystems’ EasyTAN Card Reader can check the balance of a GeldKarte, the cash card carried by more than 60 million Germans.

ACTIVE SECURITY

Like magnetic stripe cards, smart cards are fast and convenient for users, but they offer far greater security because the card’s embedded integrated circuit is capable of a variety of active security measures for online transactions. For example, it has the ability to store information. In addition to cardholder information like name, account number and the card issuer, other stored information – called keys or digital signatures – is used to verify the authenticity of the card.

More important yet, it can run programs internally, which enables it to play an active security role independent from any system to which it is connected. Depending on the design of the system, these cards are “smart” enough to validate any system to which they connect before proving their own authenticity. And it can all be done without ever sending “secrets” between the card and the reader, because that would create the risk of “eavesdropping” on that communication. Instead a “challenge-response” technique is used, where the challenge consists of variable inputs and the response can only be correctly generated by an authentic card or host. These are the same techniques used by computer systems to validate one another and secure communications; smart cards just make it possible to put that level of security in a card form factor.

That’s why over the last two decades, smart cards have proven that they’re secure enough for applications ranging from mobile telephone security and bankcards to accessing buildings and computers at the U.S. Department of Defense.
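The challenge-response exchange described above, sketched as an added example (not code from the article or from any vendor): the card validates the host first and only then proves itself, and no secret ever crosses the wire. It assumes a shared symmetric key and HMAC-SHA-256, which the article does not specify; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def response(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Keyed answer to a challenge. The role label stops one side's
    answer from being reflected back as the other side's answer."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class Card:
    """Hypothetical card: validates the host before proving itself."""

    def __init__(self, key: bytes):
        self._key = key                    # never leaves the card
        self._challenge = None
        self._host_validated = False

    def challenge_host(self) -> bytes:
        self._challenge = secrets.token_bytes(16)    # variable input
        self._host_validated = False
        return self._challenge

    def check_host(self, answer: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = response(self._key, b"host", self._challenge)
        self._challenge = None             # each challenge is single use
        self._host_validated = hmac.compare_digest(expected, answer)
        return self._host_validated

    def prove(self, host_challenge: bytes):
        if not self._host_validated:
            return None                    # silent towards unvalidated hosts
        self._host_validated = False
        return response(self._key, b"card", host_challenge)


class Host:
    """Hypothetical reader or back-end system holding the same key."""

    def __init__(self, key: bytes):
        self._key = key

    def answer(self, card_challenge: bytes) -> bytes:
        return response(self._key, b"host", card_challenge)

    def check_card(self, challenge: bytes, proof) -> bool:
        if proof is None:
            return False
        expected = response(self._key, b"card", challenge)
        return hmac.compare_digest(expected, proof)


def session(card: Card, host: Host, wire: list) -> bool:
    """Run one mutual authentication; everything sent is appended to wire."""
    c1 = card.challenge_host()
    a1 = host.answer(c1)
    wire += [c1, a1]
    if not card.check_host(a1):
        return False
    c2 = secrets.token_bytes(16)
    proof = card.prove(c2)
    wire += [c2, proof]
    return host.check_card(c2, proof)


def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed shared secret
    card, bank = Card(key), Host(key)
    wire = []
    genuine = session(card, bank, wire)
    rogue = session(card, Host(secrets.token_bytes(32)), [])
    # A recorded proof is replayed against a fresh challenge and must fail.
    replay = bank.check_card(secrets.token_bytes(16), wire[3])
    return {"genuine": genuine, "rogue_host": rogue,
            "replay": replay, "key_on_wire": key in wire}
```

Because every challenge is fresh, a recorded response is worthless in a later session, which is the property the eavesdropping argument relies on.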

Smart card readers leverage that inherent security and take it to the next level. For example, some readers – whether they’re handheld, cabled to a PC or bolted to a checkout counter – are equipped with a keypad, where the user enters a PIN. The reader and the smart card compare that information in order to verify the identity. Then – and only then – is the card’s stored information shared with another device, such as a PC, or transmitted, such as to a bank’s website.

One important part of this exchange for the reader to protect is the PIN. Payment terminals designed for retail locations go to extraordinary measures to make sure that PIN entry and processing is secure. For example, the design must make sure no “eavesdropping” can take place between the keyboard and the reader that would make it possible to capture PIN codes entered at the terminal. Similarly, the software must be protected in such a way that it prevents any attempt to modify the device electronics or its software to steal PIN codes. High-end personal PIN pads by SCM for online transactions which are compliant with the standards from the banking and government sectors bring these types of security features to everyday individual use.

Online retailers are also drawn to smart cards as a way to cut fraud. By some estimates, although e-commerce generates only 4% of the dollar amount spent in brick-and-mortar stores, the rate of fraud is 12 times higher. Other estimates put the amount lost to online fraud at US$1 for every US$100 spent. Smart cards and PIN-pad readers mitigate that risk.

That risk recently shifted. In January 2005, fraudulent transactions became the responsibility of the party that doesn’t support EMV – a new, global standard for smart cards and readers – whether it’s the card issuer or the merchant. With more than 250 million compliant smart cards in circulation, EMV already has an installed base big enough to make a major dent in transaction fraud.

Named after its three founders, the Europay-MasterCard-Visa standard beefs up security for a wide variety of transaction types by effectively vouching that the cardholder is present. EMV doesn’t necessarily require major new investment. For example, an SCM Microsystems’ e20 reader deployed for TAN-based applications can be re-used when the card issuer adopts EMV, because the reader is compatible with both platforms.

The security of systems such as EMV isn’t limited to PCs and in-store readers. For example, the e20 – also known as myEMV – is battery-powered and palm-sized, so it’s convenient to carry (see Figure 1). It also makes a handy complement to cell phones because the TANs generated by the e20 can be entered in any secure browser, regardless of whether it’s on a PC, cell phone or public Internet terminal.

This approach has several benefits. For users, myEMV is fast and convenient, and it doesn’t require fiddling with a PC or worrying about operating systems. For card issuers, myEMV is a low-cost option because even though readers can be customized with logos and other features, they don’t have to be configured for each user.

BANKING AND BEYOND

With all those advantages, it’s no surprise that shipments of smart cards and readers are booming. In 2003, 9.4 million readers shipped, according to research by Frost & Sullivan. By 2008, shipments are forecast to hit 35.5 million annually, for a yearly compound growth rate of 30.6%.

It’s important to note that banking isn’t driving that market by itself. It’s also propelled by industries such as health care. For example, in the Lombardy region of northern Italy, health care facilities now use smart card readers that feature two card slots and a PIN pad. The physician inserts her card and types a PIN, and then the patient does the same with her credentials. Only then can the physician access the patient’s medical records. As with the TAN in John’s bank transaction, it’s tough for users to overlook the security protecting their personal information.

Other emerging technology will make it even more straightforward to use smart cards with portable computers for online transactions. One example is ExpressCard, which will eventually replace the PC card interface on laptops and desktops. Developed by the PCMCIA standards organization and available since late 2004, ExpressCard enables a new breed of readers that can accommodate full-sized smart cards and thumbnail-sized variants, such as the subscriber identity modules (SIMs) used in many cell phones. The ExpressCard interface is attractive to manufacturers of laptops and handheld devices like PDAs. It requires half the space of today’s PC card interface, yet it works with the same wide variety of smart cards and plug-in devices, such as wireless modems. That flexibility is key, because it means that banking and e-commerce won’t be the only industries driving ExpressCard’s adoption, so greater hardware volumes will quickly drive down the technology’s cost.

Finally, a rapidly growing payment trend is contactless, where users simply wave a smart card near a reader to access an account or pay for a purchase. Worldwide, contactless payment is now utilized in several transit systems, such as Paris, London, Hong Kong and throughout China.

In the United States, every major metropolitan city is in the process of installing a new generation of contactless based fare collection. Moving beyond transit, American Express, Bank of America, ExxonMobil and MasterCard are among the major companies that have spent the past few years testing contactless payment systems – and with impressive results. For example, in American Express’ ExpressPay trial, users spent 30 % more in each transaction than when they used cash. That’s one way that contactless payments improve the bottom lines of merchants and card issuers alike.

Another benefit is a streamlined check-out process. Transactions using MasterCard’s PayPass, for example, were 12 to 18 seconds faster compared to cash, while ExpressPay transactions were 63 % faster than cash, according to a 2004 report from the Smart Card Alliance.

The upshot is that, by making the check-out process faster, retailers such as convenience stores and fast food restaurants can move more people and money in less space and time. You don’t have to be a time-strapped business traveler like John to appreciate that.

FOR MORE INFORMATION VISIT www.scmmicro.com

Figure 1: myEMV from SCM Microsystems is designed for use with smart bank and credit cards.

SECURE PAYMENTS WITH EMV CARDS

By Mikko Marin, Senior Product Manager, Banking & Retail, Product Marketing, Setec Oy

Throughout history, many different payment tools have been introduced to make payment transactions both easier and more secure. In this evolution, the first payment cards were certainly a big step towards easier and (in consideration of all the non-card based authorization systems) more secure payments. The latest step in this evolution has been the security of payment cards itself, with the migration from magnetic stripe payment cards to the significantly more secure EMV (Europay-MasterCard-Visa) chip payment cards. Many different EMV chip card products are now available on the market and some of them provide higher security than others. However, it is up to the bank issuing the cards to select an EMV chip card that cost-effectively fulfills the bank’s security needs.

WHAT IS REQUIRED FROM A SECURE PAYMENT CARD?

Before going into detail about the security features of EMV cards, we should first of all consider what is actually required from a payment card to make it secure.

In the first instance, the payer (cardholder), the payee (merchant) and the card issuer (cardholder’s bank) have to be able to trust that the payment card used is genuine, identifying a genuine cardholder and cardholder’s genuine account(*) managed by the card issuer. This obviously implies that the production of fake payment cards must be made as difficult as possible. Fake cards can be personalized with either fully or partially made-up cardholder and account information, or they may be copies of genuine payment cards.

(*) Account here means a bank account, credit arrangement etc.

Secondly, it is in the payee’s (merchant’s) and card issuer’s (bank’s) particular interest to be able to trust that the account connected to the payment card really has the funds available for the payment. The payment card, usually with the help of the supporting infrastructure, therefore has to provide secure means to the payee to verify that the card issuer can guarantee the sufficient balance on the cardholder’s account. In practice, this verification can take place either remotely online, or locally offline.

Thirdly, the payer (cardholder) must be able to trust that his payment card cannot be used for payments without his permission. This means that the payment card has to support secure cardholder verification methods. In practice the identity of the cardholder is verified against the cardholder and/or card specific reference data by either the payee (merchant), the card issuer (cardholder’s bank), or by the payment card itself.

THE SECURITY FEATURES OF EMV CHIP CARDS

Now that we have a better idea of the requirements for secure payment cards, how do EMV chip cards fulfill them? Let’s look at the security features of EMV cards in the order in which they are processed, during a standard payment transaction with an EMV card (see Figure 1).

OFFLINE CARD DATA AUTHENTICATION

Offline card data authentication is aimed at detecting fake EMV cards locally at the point of sale/service without having the need for any online communication with the card issuer (bank). Offline card data authentication takes place after the EMV card has been inserted into the EMV terminal (POS terminal, cash register, vending machine or ATM), the EMV application (like a Visa Electron EMV application) has been selected, the payment transaction has been initiated, and the data content of the card application has been read from the card to the terminal’s memory.

The offline card data authentication utilizes public key infrastructure (PKI), the asymmetric RSA algorithm and RSA key pairs. The ‘basic’ method for offline card authentication is called Static Data Authentication (SDA). During SDA, the EMV terminal verifies that the data content of the EMV card application matches its digital signature (Signed Static Application Data - SSAD). The SSAD signature has been generated using the card issuer’s secret RSA key (Issuer Secret Key) and it covers the most critical card data, such as primary account number and expiration date. The terminal verifies the SSAD signature with the matching card issuer’s public RSA key (Issuer Public Key, recovered from the Issuer Public Key Certificate read from the card), the authenticity of which it can verify with the payment scheme (e.g. MasterCard, Visa) owner’s CA Public Key stored in the terminal. SDA efficiently detects the usage of fake EMV cards that contain made-up values for any critical EMV card data covered by the SSAD signature – here the security premise relies on the assumption that the card issuer’s secret RSA key (Issuer Secret Key) is accessible only to the card issuer itself and optionally to an authorized card personalization bureau.

The weakness of SDA is that it doesn’t detect if the original card data content, including all the data elements utilized for SDA (like SSAD signature and Issuer Public Key Certificate), has been copied to a duplicated, fake card.

The more advanced offline card data authentication method is called Dynamic Data Authentication (DDA). Using DDA the EMV terminal not only verifies the authenticity of the EMV card application’s data content, but also uses a random challenge to which the card has to calculate a correct response with a card specific secret RSA key (ICC Secret Key). The terminal can verify the response with a matching card specific public RSA key (ICC Public Key) which can be authenticated by the terminal with the Issuer Public Key and CA Public Key (see Figure 2).

DDA efficiently detects all fake cards, including copied and duplicated cards. The assumption is that the physical and logical security of the EMV chip component and its software (card operating system and the EMV application) prevent the reading of the card’s specific secret RSA key (ICC Secret Key). All EMV chip products that have been certified by MasterCard or Visa have undergone a thorough security evaluation, the primary target of which is to ensure that all secret key information stored in an EMV chip can never be read out from the chip.

The most advanced offline card data authentication method is called Combined Dynamic Data Authentication / Application Cryptogram Generation (CDA). As an offline card data authentication method, CDA is very similar to DDA. The basic difference is that the execution of CDA takes place at the same time as the card action analysis and so the card is able to include the result of this analysis, the Application Cryptogram, as part of the data for which it calculates its data authentication response with its secret RSA key (ICC Secret Key). The advantage of this method is that if the terminal successfully verifies the CDA response, it can also be sure that the Application Cryptogram received from the card is genuine and not corrupted by any fraudulent communication probe.
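To make the difference between SDA and DDA concrete, here is an added model of the terminal-side checks (not code from the article, Setec or any payment scheme). It is a simplification: toy RSA keys built from small fixed primes and plain hash-then-sign stand in for EMV’s real key sizes and certificate formats, and all names and card data are constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Toy RSA key from two fixed primes (constructed, far too weak for real use)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def pub(key):
    return (key["n"], key["e"])


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def encode(public_key):
    return b"%x:%x" % public_key


CA_KEY = make_key(2**521 - 1, 2**607 - 1)        # payment scheme owner
ISSUER_KEY = make_key(2**127 - 1, 2**107 - 1)    # card issuer


class Card:
    """Data an issuer personalizes onto a card, plus the chip-internal key."""

    def __init__(self, static_data, icc_key):
        self.static_data = static_data
        self.issuer_pub = pub(ISSUER_KEY)
        self.issuer_cert = sign(CA_KEY, encode(self.issuer_pub))
        self.ssad = sign(ISSUER_KEY, static_data)
        self.icc_pub = pub(icc_key)
        self.icc_cert = sign(ISSUER_KEY, encode(self.icc_pub) + static_data)
        self._icc_key = icc_key                  # ICC Secret Key, stays in the chip

    def dynamic_signature(self, challenge):
        return sign(self._icc_key, challenge)


def duplicate(card, substitute_key):
    """The copied card the article describes: every readable field is copied,
    but the ICC Secret Key cannot be read, so another key stands in."""
    copy = Card.__new__(Card)
    for name in ("static_data", "issuer_pub", "issuer_cert",
                 "ssad", "icc_pub", "icc_cert"):
        setattr(copy, name, getattr(card, name))
    copy._icc_key = substitute_key
    return copy


def issuer_key_trusted(card, ca_pub):
    return verify(ca_pub, encode(card.issuer_pub), card.issuer_cert)


def sda(card, ca_pub):
    """Static check only: is the card data signed by a trusted issuer?"""
    return (issuer_key_trusted(card, ca_pub)
            and verify(card.issuer_pub, card.static_data, card.ssad))


def dda(card, ca_pub):
    """Key chain CA -> issuer -> card, then a fresh random challenge."""
    if not issuer_key_trusted(card, ca_pub):
        return False
    signed = encode(card.icc_pub) + card.static_data
    if not verify(card.issuer_pub, signed, card.icc_cert):
        return False
    challenge = secrets.token_bytes(8)
    return verify(card.icc_pub, challenge, card.dynamic_signature(challenge))


def run_scenarios():
    data = b"PAN=0000000000000000;EXP=2612"      # constructed card data
    icc_key = make_key(2**89 - 1, 2**61 - 1)
    genuine = Card(data, icc_key)
    copied = duplicate(genuine, make_key(2**31 - 1, 2**19 - 1))
    altered = duplicate(genuine, icc_key)
    altered.static_data = data.replace(b"2612", b"3012")   # made-up expiry
    ca = pub(CA_KEY)
    cards = {"genuine": genuine, "copied": copied, "altered": altered}
    return {name: (sda(c, ca), dda(c, ca)) for name, c in cards.items()}
```

`run_scenarios()` returns an (SDA, DDA) pair per card: the copied card still passes SDA but fails DDA, while the card with made-up data fails both.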

CARDHOLDER VERIFICATION

Cardholder verification, which takes place after the offline card data authentication and the processing restriction checks (like card effective and expiration date checks), is aimed at preventing unauthorized use of a cardholder’s EMV card.

For interoperability reasons, EMV cards support the same cardholder verification methods that have already been used with magnetic stripe based payment cards - namely handwritten signature and online encrypted PIN. The security level of both signature and online PIN is not affected by the introduction of EMV cards.

What EMV cards provide in addition is the possibility to use an offline PIN. When an offline PIN is used, the PIN code entered by the cardholder is transferred from the PIN pad to the EMV card either in plaintext format or in encrypted format. Only such PIN pad and card (ICC) reader devices that have been certified by MasterCard and Visa for offline PIN processing should be used. MasterCard’s and Visa’s PIN Entry Device (PED) certification ensures, among other things, that the PIN code is always transferred securely between the PIN pad and the card reader.

Figure 1: The EMV payment transaction process

Figure 2: The DDA process

When an EMV card’s offline plaintext PIN is used, the PIN code is communicated from the card reader to the EMV chip card in plain text. However, in the case of offline encrypted PIN, the PIN code is also encrypted during this communication. MasterCard’s and Visa’s PED certification requirements state that the physical implementation of all card readers must ensure that it is not possible to add any hidden fraudulent communication probes to record the communication between the card reader and the EMV chip card. However, not all cardholders are always careful enough to notice or mind even clearly visible probes. The usage of offline encrypted PIN makes such probes, hidden or visible, obsolete.

The reference value, against which the entered offline PIN code is compared inside the EMV chip card, is protected by the physical and logical security of the chip components and its software (card operating system and EMV application). Similar to secret keys, MasterCard’s and Visa’s security evaluations for EMV chip products ensure that the offline PIN’s reference value cannot ever be read out from the chip.

Finally, the biggest threat for the disclosure of cardholder’s PIN code is the cardholder himself – if he doesn’t obey the card issuer’s instruction to memorize the PIN code and keeps a written copy of the PIN code together with the card, the immediate, unauthorized use of a stolen EMV chip card is all too easy, despite all the technical security features.

CARD ACTION ANALYSIS

Card action analysis, which takes place after the cardholder verification, the terminal risk management and terminal action analysis, is aimed at determining the level of risk involved in the current payment transaction from the card issuer’s point of view.

An important input to the card action analysis is the result of the preceding terminal action analysis, in which the terminal evaluates the results of processing restriction checks (effective and expiration date checks, usage control check) and terminal risk management checks (exception file check, floor limit check, terminal velocity check, new card check, random or forced online request check). In this evaluation the terminal utilizes the processing rules (action codes) from payment system owners (like MasterCard and Visa) and the card issuer, and ends up recommending that the transaction should be either accepted offline, declined offline, or that online authorization from the card issuer should be requested.

As part of the card action analysis, the card also executes its own internal risk management, where it evaluates the status of the previous transaction made with the card, the status of recent offline PIN verifications and the number and cumulative monetary value of the preceding successive offline payment transactions made with the card. Again, the card uses its internal processing rules (action codes) to decide if the recent usage history and the current payment transaction are such that the transaction should be declined or accepted offline or if online authorization is required.

The final card action analysis result always honors the result of the terminal action analysis. If the terminal finished by recommending that the payment transaction should be declined offline, the card always obeys this recommendation in a straightforward manner and requests an ‘offline decline’ for the transaction. If the terminal recommended that online authorization should be requested, the card can use its internal risk management to decide if it accepts the request for online authorization or if it decides to decline the transaction offline. Only if the result of the terminal action analysis approves the transaction offline, can the card fully utilize its internal risk management to decide if the transaction should be approved or declined offline, or if online authorization is necessary (see Figure 3).

From a security point of view the EMV application’s card risk management logic (program code) is well protected against unauthorized alterations by the security logic of the chip component’s operating system, and often the application code is encoded to the non-rewritable ROM memory, which prevents all alterations.

Also it is interesting to note that even if a fraudster were able to develop a completely fake card with the type of fake internal risk management logic that never requests online authorization, he would never know for sure in advance if the terminal action analysis would still end up requiring online authorization.
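The combination rule described above can be written down compactly. The following is an added example, not code from the article or from any EMV specification; the class names, the thresholds and the mapping from each card check to an action are hypothetical stand-ins for the issuer's action codes.

```python
from dataclasses import dataclass
from enum import IntEnum


class Decision(IntEnum):
    """The three possible outcomes, ordered from least to most restrictive."""
    APPROVE_OFFLINE = 0
    GO_ONLINE = 1
    DECLINE_OFFLINE = 2


@dataclass
class CardHistory:
    """Usage history the card evaluates in its internal risk management."""
    previous_txn_completed: bool
    offline_pin_failures: int
    consecutive_offline_txns: int
    cumulative_offline_amount: int  # minor currency units


@dataclass
class IssuerRules:
    """Hypothetical issuer settings standing in for the card's action codes."""
    max_consecutive_offline: int = 3
    max_cumulative_offline: int = 10_000
    on_previous_txn_incomplete: Decision = Decision.GO_ONLINE
    on_offline_pin_failure: Decision = Decision.DECLINE_OFFLINE
    on_limit_exceeded: Decision = Decision.GO_ONLINE


def card_risk_management(history: CardHistory, rules: IssuerRules,
                         amount: int) -> Decision:
    """Return the strictest action triggered by the card's own checks."""
    triggered = [Decision.APPROVE_OFFLINE]
    if not history.previous_txn_completed:
        triggered.append(rules.on_previous_txn_incomplete)
    if history.offline_pin_failures > 0:
        triggered.append(rules.on_offline_pin_failure)
    too_many = history.consecutive_offline_txns + 1 > rules.max_consecutive_offline
    too_much = history.cumulative_offline_amount + amount > rules.max_cumulative_offline
    if too_many or too_much:
        triggered.append(rules.on_limit_exceeded)
    return max(triggered)


def card_action_analysis(terminal: Decision, card: Decision) -> Decision:
    """Combine the terminal's recommendation with the card's own decision.

    Terminal declines    -> the card always declines.
    Terminal goes online -> the card accepts that or declines; it cannot
                            approve offline.
    Terminal approves    -> the card's own decision stands.
    All three rules reduce to: the stricter of the two decisions wins.
    """
    return max(terminal, card)


def decide(terminal: Decision, history: CardHistory, rules: IssuerRules,
           amount: int) -> Decision:
    """Full card action analysis for one payment transaction."""
    return card_action_analysis(terminal,
                                card_risk_management(history, rules, amount))


def decision_table() -> dict:
    """All nine terminal/card combinations, keyed by (terminal, card) names."""
    return {(t.name, c.name): card_action_analysis(t, c).name
            for t in Decision for c in Decision}
```

Only one of the nine combinations ends in an offline approval, which is why a fake card that never asks for online authorization still cannot force one.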


Figure 3: Table showing the different completion responses


ONLINE CARD AND ISSUER AUTHENTICATION

After the card action analysis the card provides a result by generating an Application Cryptogram (AC) and setting its type accordingly. The EMV card generates Application Cryptograms using a symmetric 3DES algorithm with either card specific or session specific (payment transaction specific) 3DES keys. In the case that the result of card action analysis is to request online authorization from the card issuer, the type of cryptogram is ARQC (Authorization Request Cryptogram). The EMV terminal is not able to verify the cryptogram, but instead it sends the cryptogram together with necessary card and transaction specific identification data to the card issuer’s host system in the online authorization message. The host system uses the attached identification data to calculate the correct card or session (transaction) specific 3DES key from a master key and then verifies the ARQC cryptogram. If the ARQC calculated by the card matches the ARQC calculated by the host, the online card authentication is successful and the card issuer can be sure that the EMV card at the EMV terminal is a genuine card.

After the online card authentication, the card issuer host checks the account balance and makes its decision to approve or decline the transaction by setting an Authorization Response Code (ARC). Optionally, the host system may use the same card or session (transaction) specific 3DES key to calculate an Authorization Response Cryptogram (ARPC) over the ARC. If generated, the ARPC is included in the authorization response message sent back to the EMV terminal. The terminal forwards the ARC and the optional ARPC to the EMV card. If the card receives the ARPC and it matches the ARPC generated by the card, the optional online issuer authentication has been successfully completed.

The security of Application Cryptograms is based on the assumption that the physical and logical security of the EMV chip component and its software (card operating system and the EMV application) prevents the reading of the card specific secret 3DES keys. Also the security of the card issuer’s host system’s secret key management environment is crucial and thus only evaluated and certified Host Security Modules (HSM) should be used.

COMPLETION

The completion of an EMV payment transaction takes place either directly after the card action analysis or, in the case that online authorization has been requested, after online card and issuer authentication.

From a security point of view, the completion is equal to the generation of the final Application Cryptogram for the transaction. If the result of card action analysis is to decline the transaction offline, the card generates an Application Authentication Cryptogram (AAC) and if the result is to approve the transaction offline, it generates a Transaction Cryptogram (TC).

If an online authorization is performed, the card makes the final action analysis by first verifying the value of ARC and optionally also the ARPC. If the ARPC is not correct, the card declines the transaction by generating an AAC. If the ARPC is correct and ARC indicates the card issuer’s approval, the card generates a TC. In the situation that the card doesn’t receive ARPC and ARC indicates that an online connection to the card issuer could not be established, the card again utilizes its internal risk management logic to decide whether to approve or decline the transaction at hand.

The data used by the EMV card as input for the Application Cryptogram calculation is defined as containing all the critical payment transaction data. Thus the final Application Cryptogram, being either AAC or TC, acts as a Message Authentication Code (MAC) that guarantees the integrity of the critical transaction data. The card issuer’s clearing system is then able to verify the cryptograms and only approves those payments that have a valid TC.
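The exchange described under online card and issuer authentication and under completion, shown with both sides' messages. This is an added example, not code from the article or from any EMV specification: HMAC-SHA256 truncated to 8 bytes stands in for the 3DES MAC so that it runs with the Python standard library only, and the key derivation, message layout, ARC values and all names are assumptions.

```python
import hashlib
import hmac

# Constructed response codes for this example only.
ARC_APPROVED, ARC_DECLINED, ARC_NO_CONNECTION = b"00", b"05", b"XX"


def mac8(key: bytes, label: bytes, data: bytes) -> bytes:
    """8-byte MAC. Stand-in: truncated HMAC-SHA256, not the 3DES MAC EMV uses."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()[:8]


def derive_key(parent: bytes, label: bytes, diversifier: bytes) -> bytes:
    """Derive a child key from a parent key (assumed scheme, not the EMV one)."""
    return hmac.new(parent, label + b"|" + diversifier, hashlib.sha256).digest()


def session_key(card_key: bytes, atc: int) -> bytes:
    """Transaction specific key from the card key and a transaction counter."""
    return derive_key(card_key, b"session", atc.to_bytes(2, "big"))


class Card:
    def __init__(self, pan: bytes, card_key: bytes):
        self.pan, self._card_key, self.atc = pan, card_key, 0

    def request_online(self, txn_data: bytes) -> dict:
        """Emit the ARQC plus the identification data the host needs."""
        self.atc += 1
        self._session = session_key(self._card_key, self.atc)
        self._txn = txn_data
        return {"pan": self.pan, "atc": self.atc, "txn_data": txn_data,
                "arqc": mac8(self._session, b"ARQC", txn_data)}

    def complete(self, arc: bytes, arpc=None, approve_if_no_connection=False):
        """Final action analysis; returns (cryptogram type, cryptogram)."""
        expected = mac8(self._session, b"ARPC", arc)
        if arpc is not None and not hmac.compare_digest(arpc, expected):
            kind = "AAC"  # issuer authentication failed
        elif arc == ARC_NO_CONNECTION:
            # No issuer answer: the card's internal risk management decides.
            kind = "TC" if approve_if_no_connection else "AAC"
        else:
            kind = "TC" if arc == ARC_APPROVED else "AAC"
        return kind, mac8(self._session, kind.encode(), self._txn)


class IssuerHost:
    def __init__(self, master_key: bytes, balances: dict):
        self._master, self._balances = master_key, balances

    def _session_for(self, pan: bytes, atc: int) -> bytes:
        return session_key(derive_key(self._master, b"card", pan), atc)

    def authorize(self, msg: dict):
        """Online card authentication, then the approve/decline decision."""
        key = self._session_for(msg["pan"], msg["atc"])
        if not hmac.compare_digest(msg["arqc"], mac8(key, b"ARQC", msg["txn_data"])):
            return ARC_DECLINED, None  # ARQC mismatch: card or data not genuine
        amount = int(msg["txn_data"].split(b"|")[0])
        enough = self._balances.get(msg["pan"], 0) >= amount
        arc = ARC_APPROVED if enough else ARC_DECLINED
        return arc, mac8(key, b"ARPC", arc)

    def clear(self, pan, atc, txn_data, kind, cryptogram) -> bool:
        """Clearing accepts only payments that carry a valid TC."""
        expected = mac8(self._session_for(pan, atc), b"TC", txn_data)
        return kind == "TC" and hmac.compare_digest(cryptogram, expected)


def run_scenarios() -> dict:
    master = bytes(range(32))              # constructed issuer master key
    pan = b"9999000000000001"              # constructed card number
    host = IssuerHost(master, {pan: 10_000})
    card = Card(pan, derive_key(master, b"card", pan))
    txn = b"2500|978|050115|1a2b3c4d"      # amount|currency|date|nonce, constructed
    out = {}

    msg = card.request_online(txn)         # 1. genuine card, honest path
    arc, arpc = host.authorize(msg)
    kind, tc = card.complete(arc, arpc)
    out["genuine"] = (arc, kind, host.clear(pan, msg["atc"], txn, kind, tc))
    out["altered_at_clearing"] = host.clear(
        pan, msg["atc"], b"9900|978|050115|1a2b3c4d", kind, tc)

    msg = card.request_online(txn)         # 2. amount altered before the host
    msg["txn_data"] = b"0001|978|050115|1a2b3c4d"
    out["tampered_request"] = host.authorize(msg)

    card.request_online(txn)               # 3. approval with a wrong ARPC
    out["forged_arpc"] = card.complete(ARC_APPROVED, b"\x00" * 8)[0]

    card.request_online(txn)               # 4. issuer could not be reached
    out["no_connection"] = (
        card.complete(ARC_NO_CONNECTION)[0],
        card.complete(ARC_NO_CONNECTION, approve_if_no_connection=True)[0])
    return out
```

The terminal never appears as a class because, as the text says, it cannot verify the cryptograms and only forwards them.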

OPTIMIZING THE SECURITY

The card issuer faces an optimization issue between security and price when he is deciding between the different EMV chip products to be used in his cards. The issuer also has to pay attention to the requirements and recommendations from payment system owners, like MasterCard and Visa.

In short, when possible issuer specific waivers are not considered, MasterCard and Visa require that all cards must support at least SDA and all cards used at offline service points should support offline PIN.

Card action analysis, online card authentication and completion will always be supported, but issuer authentication, when supported by the card, should be set to be only optional as the payment networks do not yet support the transportation of necessary chip data in all countries.

Considering these requirements and recommendations, the issuer finally has only one selection to make, namely to select between EMV chip cards with or without support for DDA, CDA and offline encrypted PIN.

As these three features require an expensive RSA co-processor, it makes sense to only add them when really necessary. DDA is a useful feature in EMV cards that are frequently used in offline payment transactions, as it can detect fake, duplicated cards offline. On the other hand, if the card product, like Visa Electron cards, always requires online authorization, there is no need for DDA.

CDA and offline encrypted PIN are useful features to include if there is a risk of the communication between the card and terminal being fraudulently monitored, for example due to contactless communication.

A card issuer may sometimes feel that the choices to be made when considering security and risk management features are not simple, but he can take solace in the fact that EMV cards, even with minimal security features, will always be much more secure than their predecessors - magnetic stripe cards.

FOR MORE INFORMATION VISIT www.setec.com


Today’s banking systems have changed very little over the years, and essentially the same principles for doing transactions a hundred years ago are applied even today – albeit the means and methods for performing the work implies extensive use of computers; mainly for speed and security.

Very little of this is practically visible to the end user – you and me and all of the businesses out there. There are some computerized interactions and services that reach out to your living room or the street – but they essentially go no further than allowing you to access your bank account at a few more places. The banks have, in some ways, become a bit outdated. This is partially due to the methods of operation forced upon them, as well as built in rigidity of the whole banking system. To change this, it will take some new thinking and brute force to break free.

Currently, it all revolves around the bank account. Banks are sending information between themselves, carrying your transactions. The bank account is the same as it was from when it first saw the light, and it is fairly secure as long as you stay in the bank office. But the problem starts as soon as you leave and walk out into the streets of the world.

In the big world, we need access to our money. We want to have it in a secure place, but at the same time easily available to us – to run our daily lives – and there are so many other things that also need to be kept secure today; like our identities, immaterial things we buy; such as flight and concert tickets, valuable information, club memberships, and so on. But for these things, there is no real security. The sad thing is that your money is not much better off either.

A debit or credit card may easily be copied, and you will end up in a lot of trouble, just to explain yourself. Your bank account can be emptied in an instant – just by someone getting access to your numbers. Online banking suffers from a vast number of problems – associated with the fact that computers are insecure – and you do not really know that the remote party you are talking to really is who you think they are. The banks, on the other hand, try their best to make sure that you are the one you say you are – but that does not help you much if you have been diverted to a site that has been hijacked.

The newly introduced chip and PIN is a good addition to the security when you use it in the shop’s terminal – but still of little importance if someone gets hold of your card’s numbers. Other problems that exist are the risk of theft and plain robbery. It may only take a few minutes to get a card blocked, but it may take weeks to get it replaced, and in the meanwhile, you have problems, and in today’s stressed lives, problems are the least we want.

Even today, with all this automation and advanced technology, we still experience the latencies in the transactions. These latencies may span days, or even weeks, from the time of the purchase until the account has been updated with the transaction. This is another cause for concern, as it opens windows for theft and fraud. This could cost you considerable amounts of money as well, if the purchase was made in a different currency, due to changes in exchange rates. You always need to, apart from what the bank already does, keep a book on your transactions so as not to lose track of your account. This is a lack of methods and technology that does not place the holder in a state of control.


THE INFORMATION ECONOMY
A FUTURE ANALYSIS OF eBANKING AND DIGITAL INFORMATION
By Chris Sprucefield, SIPT eSecurity, in affiliation with Smarticware AB

You have most likely, as a business customer during transactions, and as a citizen throughout everyday life, often come to think a few not so flattering thoughts about the banks, banking systems and services. You have probably also come to wonder about the security issues.

You are not alone. I too have, and for good reasons, but I have also come to wonder why things are the way they are and if there are not better ways.


As you can see, the security issue is not only about theft. It is also about timelines, where you don’t know if you will be paying, or maybe get paid, the agreed price in dollars when the card, using the euro currency, is charged two weeks later.

SO, WHAT IS IT THAT NEEDS TO BE DONE, TO SORT THE SECURITY?

Given the shortcomings of the current systems, which are basically down to aged technology, unable to cope with current and future demands – we stand in front of a shift in technology.

To solve the problems, security cannot be – and is not – a one-way issue. The keyword in security is “communication” and you need to know who is the one you intend to do business with. Before this happens, there is no security. This is especially true when you do business over distance, like the Internet, online banking systems or a supplier. Just as the business systems require the client to identify itself to the system, it has to be a requirement also for the other party to prove to you who they are at any given time. When the transaction is to be completed, you should be able to require a written statement specifying the meaning or intent of the transaction, a bit of an agreement if you wish, for you to have a proof of what you are paying for before you pay or sign up. Current systems do not allow for this to happen, but I believe that this would be in the best interest of all parties – banks, merchants as well as the customers.

In spite of all the technology – you are still unable to pay someone, or get paid, a fraction of the smallest denomination. Either because there are no means to do this – as it may not be supported by the banking systems – or for practical reasons where banking fees become bigger than the transaction itself; rendering small transactions impractical or even financially impossible as you would pay more for the transaction than you would get for the goods or services.

I have yet to meet anyone that likes having to pay for using their money, and in the meanwhile lending it to the bank for little or no gain. I suppose you, like me, feel the odds are a bit against you when dealing with the banking systems. Don’t get me wrong here – there is nothing wrong in banks making money, that’s what they live on, and use to provide the services. What they do need to consider though, is a better model for charging the customer, and scrapping the flat fees that subsidize some, and penalize others, in favor of a system where you pay for what you use, or, if you wish, a pay per transaction system. In the end, if you charge less for each individual service, but effectively more often, you will see where this will go. Increased profits. Such a system will be perceived as both fair and honest by the public, and help the banks and their customers come to a mutual understanding and acceptance about costs and services.

I am no market analyst. But taking what I see, the “micro economy” is a thing waiting to happen, and will be the next boom on the internet. This is an entirely new segment of the economy, still untapped, as the industry behind this has problems finding viable solutions to solve the underlying problems – getting paid. I see that there is a big thirst among customers around the world to pay small amounts for exactly the information they want – when they want it, not having to pay for whole packages.

They want to pay for single music tracks or news stories. The connections between sold quantity, the benefit of the customers, and increased profit – is just as obvious as it is thrilling.

WHAT IF?

A system would give you instant access to your funds, and where you can think of debit or credit cards – or cash – interchangeably, that keeps an up to date record of your account at all times. A system that works just as well in direct connection with the bank, in the store, or over the Internet?

A system that deals with all possible cards in your wallet, and keeps the information safe in a virtual safety deposit box, where the key to it could be your biometrics, and that lets you block and retrieve it all, in a flash?

The future needs a system that is supplier, technology and platform independent, open, based on standards and allows anyone to participate – to put a stop to fraud and theft and enable instant transactions as well as support for the “micro” and “info” economies and market segments to emerge, and that still allows the issuers to add their competitive edge, and let security be a living part of the system.

Is security too much to ask for? Some may think it is, but I certainly don’t.

I know quite a few financial as well as other organizations where this is considered to be a very pleasant dream. Most agree that the current systems do not serve the needs of the future – and barely the needs of the current situation. There are, and have been, many systems that solve some of these things, but none of them fit in the grander picture, as they all solve just one little piece at a time.

There is a patented methodology available today, that provides a broad solution – and that has taken its shape from the needs of the banks, the merchants, the emerging micro, e- and information economy and market segments, as well as the organizational, governmental, and the private end user.

The future of eBanking – through information technology to information economy – may not revolve only around the one-tracked bank account, and banks will not be banks in the traditional way anymore. Banks will evolve and become virtual safety deposit boxes for all kinds of information – and wherever you go, your new cash and info account will go with you.

You will gain more control, security and possibilities. There will be new ways to pay, and get paid, instantly, anytime, anywhere. You will start to see new services, and it will all be down to one single plastic card, your mobile, a PDA, or whatever it is that you prefer as your information carrier.

The economy will become what information already is; borderless. Now is the time to capture the opportunities of the future, and bring them to the customers of today.
Will you be the pioneer, who gets to reap the fruits?

FOR MORE INFORMATION VISIT http://sipt.net


PRE-PAID SUBSCRIPTION IS GIVEN A BOOST IN DEVELOPING COUNTRIES
THE VIRTUAL TOP-UP (VTU) SOLUTION
By Michael Serrao, Business Development Director, Prism Holdings

Historically GSM Operators have provided mobile telephony services to customers in two categories: Contract based (post-paid) and Pre-paid subscribers. Where mobile telephony services are offered globally, generally the pre-paid base represents the largest segment of the subscriber market. The reasons for this are well documented and in most cases pre-paid subscribers exceed 75% of a Mobile Operator’s client base. In fact, it is not uncommon to find in third world countries that this statistic exceeds 90%. The mobile phone has become ubiquitous and has transcended social/economic boundaries like no other technology – it is an essential part of our daily lives irrespective of our individual social standing in society.


Although the previously mentioned position brings significant rewards to Operators of such technology - delivering cost effective, convenient, and low risk methods to recharge airtime value does pose a massive logistical problem.

To date, airtime recharge value has been delivered in the form of “scratch cards” (disposable one time playable tokens) in pre-determined denominations. In South Africa the minimum value is R25.00 (US$4). One can also purchase “electronic” tokens, or “logical” tokens and in this instance the token value is represented simply as a number printed on a Point of Sale terminal slip.

Today, airtime is distributed via retail channels and in almost all instances the channel is not owned or managed by the Operator. These channel relationships provide the Operator with a convenient method to distribute airtime without the need to develop distribution points and the Operator pays the merchant a pre-determined commission for this service.

THE PROBLEM

Operators have evolved and established a critical mass of subscribers that purchase many millions of airtime recharge vouchers. The Operator community has identified the need to consolidate the distribution of airtime into a less volatile and less expensive process.

The cost of manufacturing “scratch cards” is punitive. It is also costly to distribute physical vouchers and because they represent real value, some form of abuse or fraud is relatively common.

Both physical and electronic voucher solutions employ fixed face value denominations. In emerging economies the value can be too high for many potential subscribers to participate – i.e. they cannot afford to allocate that much money to stored “single-use” value on a pre-paid basis. The manner in which this airtime has been distributed has led to a situation where customers at the entry level of the cellular market have been excluded from making use of the pre-paid service. Given this situation, a micro-distribution model that empowers the individual to purchase airtime in values of their own choosing and of lower value, has the potential to create, and empower an entirely new level of subscriber.

THE SOLUTION

With VTU, a GSM handset is essentially transformed into a mobile voucher recharge vending device. Using VTU the Operator employs “agents” that have a direct association with the business. Agents set up a “directory” of sub distributors, and the “tree” has several levels, thereby introducing pervasive employment opportunities into the recharge distribution chain (see Figure 1).

The system empowers individual entrepreneurs who in the past did not have the necessary resources to start up a business of their own. All that is required at the point of contact where the vendor “touches” the client is a standard mobile phone.

THE BENEFITS

From a customer perspective, the main driver for VTU is that pre-paid users want to be able to recharge their airtime simply, securely, and conveniently. The VTU system is so simple that the pre-paid subscriber is not required to key in a number string (recharge token) on the handset, it’s merely an exchange of telephone number and cash with the VTU vendor and the client’s phone is “topped-up” over the air - a simple text message confirms that the correct top-up has been transmitted to the recipient’s handset. The cost-efficiency of VTU allows a low minimum top-up amount to be carried out in an affordable way, enabling customers who previously could not afford the relatively high minimum values inherent in physical or electronic fixed denomination vouchers, to participate as subscribers.

For the Operator, commission fees are reduced and with greater numbers of active agents, this automated system begins to displace physical scratch cards. Operators are aware that in adopting this kind of technology solution they are able to reduce distribution costs and optimize their use of network infrastructure. This model has the potential to create employment opportunities and indirectly has the ability to empower the individuals selling and distributing airtime, and those given the option of purchasing airtime with such ease.

Figure 1: The VTU model


Value is more dynamic, subscribers are able to purchase smaller denominations and Operators have a new level of subscriber to address. The distribution channel, network and usage become more efficient, and the Operator is also able to reach more subscribers with greater efficiency.

THE TECHNOLOGY

The key to enabling the Prism VTU solution is the provision of a virtual merchant SIM card, coupled with the back-end VTU server system. The SIM contains a secure application that allows the virtual distribution of airtime (extendable to other pre-paid products) from the mobile handset in a secure, scalable and manageable manner. The vendor dispenses the airtime value when the customer requests it, and immediately transfers that value to the customer’s handset. In effect, with the vending SIM, the virtual merchant’s handset becomes a sales device driven via a simple and easy to use VTU menu (see Figure 2). The SIM card integrates financial payments, security and protocol capability that enable mobile commerce and payment transactions to function within a trust model. This functionality is core to facilitating financial and telecommunications industry convergence and inter-operation.

FOR MORE INFORMATION VISIT www.prism.co.za

Disclaimer: Material from this article has been supplied to Cards Now Asia for their Jan/Feb. 05 issue.

Figure 2: The VTU System

KEY BENEFITS:

VTU facilitates vending directly from a standard GSM handset
Variable value can be vended right down to the smallest practical denomination
Displaces physical vouchers in the airtime distribution chain
Lowest cost per transaction
VTU expansive business model minimizes Operator OPEX
Transposes physical retail points of sale for mobile entrepreneurs
Convenience factor enhances the subscriber buying experience
Proven, secure and scalable technology
Incumbent STK/browser based technology translates to rapid time to market
Simple to use

CONCLUSION

The Prism VTU solution is already commercially available. Working with a large Mobile Operator that has operations in several African countries, Prism has been able to introduce the technology into the market place and put the theory of a convenient, efficient system into practice. And in November 2004, Prism was awarded a prestigious technology innovation award by the Department of Science and Technology in South Africa in recognition of the advances the company has made in the development of secure value transfer systems in the mobile telephony industry and specifically VTU.


(U)SIM TECHNOLOGY

The basis for such applications is a contactless chip, which functions without physical contact via a magnetic field. As a major SIM card supplier, Giesecke & Devrient (G&D) has developed a technological solution for a dual interface (U)SIM card based on the Infineon security controller SL 66CLX320P, with the new feature of both a contact-based and a contactless interface with the appropriate functionality. This combination allows a wide range of contactless functions to be implemented on the (U)SIM card, whilst a display on the handset establishes a channel of communication with the user, so that each of the transactions is visible and verifiable.

The antenna needed for energy and data transfer can either be integrated into the handset or printed on a plastic film and added as a separate component. The dual-interface SIM solution is quick and simple to implement, and so highly user-friendly. Also, it offers the same security levels as the previous (U)SIM card, which is important especially in payment, ticketing and access control applications.

PRACTICAL APPLICATIONS

The dual-interface SIM can be used in everyday applications, showing how versatile yet simple the new concept is.

eTicketing

One such scenario is the mobile purchase of an electronic subway ticket. In this process, the ticket is not just paid for, but also validated and checked via the mobile phone and a reading device. Throughout the procedure, the mobile handset only has to be held a few centimeters away from the contactless reader in the ticket machine in order to complete the transaction. The same then applies if the passenger passes through a barrier or turnstile on leaving the subway. The cell phone only has to be moved past the reader in order to “cancel” the electronic ticket.

The option of a (U)SIM card with an additional contactless interface will in future also let users order tickets without leaving their offices or homes, via a text messaging function. Standing in line at the ticket machine or searching for change will soon become a thing of the past.

Access Control

In a further scenario, the cell phone is also able to handle access control procedures. The phone simultaneously functions as a contactless corporate badge and a normal phone. Employees with the appropriate authorization simply move their cell phones past the reader in reception, and access to the building is enabled.

eBanking

And in a further interesting application, an electronic purse function can be implemented on the dual-interface (U)SIM card. In this scenario, users load money onto the card via an appropriate text messaging function. When it comes to paying (for instance in a fast-food restaurant) the cell phone is simply brought close to a reader, and the amount is electronically debited. A user dialog can even be set up to confirm the transaction.

These scenarios show that the (U)SIM card with an added contactless interface can potentially turn the cell phone into a multifunctional device with completely new, highly practical fields of application. Functions running on a cell phone with a dual-interface SIM card can be comprehensively protected by security technologies that are already in place in mobile telecommunications.

With UniverSIM® Proximity technology, mobile operators and service providers can unlock the potential for an extended service offering that delivers daily benefit to every cell phone owner.

MORE THAN JUST A PHONE
CONTACTLESS TECHNOLOGY OPENS UP MULTIPLE NEW APPLICATIONS FOR CELL PHONES
By Volker Gerstenberger, 3G Product Marketing Manager, Giesecke & Devrient

Mobile phones are now firmly established as part of our daily lives. With a market penetration of over 80 per cent in some areas, there is scarcely anyone without a cell phone in their pocket. But the device can potentially offer a far greater variety of useful services than just voice and data communications. A cell phone could also be used to purchase and download electronic tickets, authorize access to buildings or act as an electronic purse.

FOR MORE INFORMATION VISIT www.gi-de.com

Disclaimer: Material from this article has been supplied to Cards Now Asia for their Jan/Feb. 05 issue.


ICAO KICK-STARTS AIRPORT AUTHENTICATION
By Björn Brecht, Senior Consultant, Bundesdruckerei GmbH

The International Civil Aviation Organization’s (ICAO) decision in 2003 to equip travel documents with biometric identifiers and electronic storage media has triggered a host of initiatives worldwide. In the long term, this should help passenger travel become more secure – and more convenient – provided legal and interoperability agreements can be made.

APPLICATION FOCUS
eGovernment / eTravel


Today, a breadth of travel initiatives is filling newspaper columns from Los Angeles to London. The US, for instance, is working towards biometrically supported systems for border control with the introduction of stricter border control laws and procedures. On the world stage, the G8 states have developed their own activities and support the ICAO in achieving global standardization of international travel documents. Meanwhile, the EU has accomplished fundamental political and legal work to create pre-conditions for harmonized features and biometric use of travel documents.

A MASSIVE CHALLENGE

Enhancing travel documents with biometrics is a major test. For example, in the US alone, 500 million people arrive each year, including 350 million foreign travelers. US consulates received 8.4 million applications for visas in 2002, and people entered the country at around 400 border-crossing points. The world’s 30 biggest passenger airports recorded more than 620 million passengers in 2002, with Frankfurt/Main recording more than 40 million international passengers. And forecasts indicate that passenger numbers are expected to grow worldwide by 3.4% annually on average until 2020 (see Figure 1). As a result, any developments have to take place against a backdrop of growing passenger numbers as well as an increasing requirement for private organizations – such as airlines and airports – to check passenger documents.

If the air travel industry and border control officials are to keep pace with passenger growth, new approaches are urgently needed. One answer is to integrate biometric features and electronic storage media into travel documents. Others – which are already in place – include collecting and transmitting the data contained in the passport. Here, electronic scanners are increasingly being used to accelerate data capturing.

With airlines and immigration officials alike taking an interest in the identity of the traveling public, passengers are forced to pass through a number of controls, often duplicating the security and authentication process. This seems a no-win situation for passengers, who can feel inconvenienced at the length of time it takes to go through a stop-and-go process. These security requirements also mean that resources are not utilized to the full – a situation that is unacceptable, particularly in times of increasing competition.

TOO NARROW

A number of projects are now underway to automate the passenger handling process using biometric features. However, these have a severe limitation as they are only applied to a small part of the airport process. For example, the Transport Security Administration (TSA) projects in the US only offer accelerated access to airports’ secure areas. People involved in this scheme can avoid time-consuming random sample controls – but they must enroll to take part in it. Likewise, the Automated Biometric Border Control (ABBG) pilot being carried out by the Federal Ministry of the Interior at Fraport Airport in Frankfurt requires prior enrolment. Participants in this project can go through border controls without any additional manual processing once their biometric features have been verified.

As these projects highlight, although the number of biometric schemes is growing, biometric methods are still only used for single applications in the airport environment. This is due to the difficulty in meeting the requirements of a diversity of stakeholders. Local solutions that can only be used by a few passengers are not very attractive for all those involved and will stagnate at the current state of installation.

Figure 1: Comparison of Numbers of Passengers and Capabilities within the Terminals

THE ANSWER?

One option gaining interest worldwide is the control of airport processes using electronic passports. Here, an e-passport in which biometric identifiers are stored can automate and accelerate the passenger handling process for a large number of passengers.

Using e-passports, passengers can be verified via the biometric data stored in their passport during check-in. At the same time, authenticity and validity of their travel documents can be examined and the details required for the Advance Passenger Information System (APIS) data can be taken from the travel document and compared with the data held in the airline’s reservation system. Finally, any visa requirements can be checked. Such examinations can be carried out at a check-in machine or at the airline counter, even without pre-enrolment.

The latter would be necessary to integrate internet and mobile solutions. Since mobile phones supporting fingerprint scanners are already on the market and 3G networks will be able to identify the user, such solutions are close at hand.

SECURITY CONTROL

Today, passenger access control to secure areas of airports is conducted manually via an examination of the passenger’s boarding card and, if applicable, the travel document. By recording passenger data during check-in, this manual process could be removed. Instead, passengers could verify themselves with their e-passport before moving quickly through to the departure lounge (see Figure 2).

BORDER CONTROL

Official travel documents come into play here, with border control staff checking the authenticity of the document, identifying the individual against one or many databases and verifying the individual as the rightful owner of the document. The current situation of manual document checks could be improved considerably using biometric technology and e-passports.

With such documents, both fully and partially automated border controls will become a reality. However, for full automation to work successfully, airports need to adapt their border control areas to ensure that only one individual can pass through a control unit at any one time. Once the border controls are automated, it is possible for passengers to fully control the checking process. Officials will supervise the process and only interfere to conduct random checks.

BOARDING

Before boarding the aircraft, the identity of the passenger must be established without any doubt. As this has been completed during check-in, automated boarding with an electronic travel document and ticket is now possible. Thus, the airline can ensure that the person about to board is the same as the one who checked in, because the passenger can be biometrically verified against the e-Passport and identified against the boarding list.

AT THE DESTINATION...

Once the aircraft reaches its destination, the passenger must once again go through border control; or, in the case of a transfer, identify him or herself for possible boarding and check-in.

THE LONG GAME

While we can dream about this automated total solution for airports, in reality it is still some way off. E-Passports are not yet available, but this will change in the years to come. A host of different solutions will be required because the architecture of airports alone will have an enormous impact on the process.

With its proposal, the ICAO has not only created the basis for new electronic travel documents, but has also laid the foundation for enormous process enhancements in the years to come. These enhancements will boost both security and comfort and improve the use of scarce resources.

FOR MORE INFORMATION VISIT www.bundesdruckerei.de

Figure 2: Documents and Possible Applications in an Airport Scenario

NATIONAL ID CARDS ENABLE A BETTER LIFE
By Jacob Mendel, V.P. R&D and Security, SCSquare Ltd.

Three AM is the hour of choice for my eGovernment activities. At that nocturnal hour I never encounter a crowd at the reception desks. I’m never put on hold, only to wait endlessly for the call center operator to return to me, and I certainly never find myself in the midst of an angry mob competing for a place in line.

THE EASE OF eGOVERNMENT

The silence of the streets outside lends a certain tranquility, even when reporting last year’s income on the tax website. I fill out an electronic form and sign it digitally, using a digital certificate issued to my smart NiD card by the governmental Certificate Authority server. However, it’s important to remember how I got here; the entrance to the tax website’s Internet server. Access to the site is restricted, and I was therefore prompted to authenticate my identity to the server using my smart NiD card. The encryption underlying the entire process fills me with a great degree of confidence that the information sent to the server is inaccessible to anyone else, despite the fact that it is transmitted through the world wide web. What more could I ask for?

I paid the traffic ticket I received last month, at the police payment site. After quickly authenticating myself with my smart NiD card, I received an admonishing reminder that if I accumulate only a few additional traffic violations, I will have to “benefit” from our choice of public transportation services. For the third time, I also paid my social security fees. After I first registered at the social security website and entered my credit card details, all I had to do this time was to authenticate myself using my smart NiD card and digitally sign the periodic payment form.

I pause a moment to write a brief email to a colleague at SCsquare, telling him of my latest brilliant idea for our next product, with the potential to amaze the entire global information security industry. I encrypt the letter using a private digital certificate that I issued to my own Apollo OS smart card, through a public Certificate Authority server. After encrypting the letter, I decide to sign it as well, so my colleague will be sure that I was the person who sent the email. I can’t wait to hear his reaction…

Back to governmental matters. Two days ago, I received a digitally-signed email from the Ministry of the Interior, inviting me to register for an electronic Passport (ICAO e-Passport with PKI-Active Authentication and BAC) with an integral contactless smart card. The letter explained that the new passport technology, using smart chips embedded in passport covers, significantly enhances the reliability of identity checks at country and border crossings. A hyperlink on the message from the Ministry of the Interior directed me to the site. After a brief authentication process using my smart NiD card and biometric identification, the government is confident that I am the individual requesting access, and all the information currently appearing in my passport is now displayed for me on the screen, where I can add new information, such as the names of family members to be contacted in an emergency, and a more recent photograph. I am also prompted to enroll my fingerprints using the biometric fingerprint reader on my computer keyboard. The website explains how all the information is securely encoded into my new e-Passport and guarantees the reliability of my identification at border crossings worldwide. All that remains for me now is to confirm all the information items and digitally sign the electronic form at the site. The site stresses that no other private smart card apart from my smart NiD card can be used for this purpose.

WHAT IS INVOLVED?

A brief review of the components of these sophisticated e-Government systems, with a specific emphasis on the PKI components and smart cards they contain, will help us understand what goes on behind the user’s simple experience with these highly advanced and secured systems. Clearly, any government that chooses to provide the services described above, must have supportive, comprehensive and secured computerization systems at its disposal. Such governmental systems, sufficiently secure to handle private information about individuals, finances and processes important to state security, require the application of extensive knowledge in a broad range of areas, including law and justice, organization and management, information security and information technology (IT).

Governmental information systems are based on the registration of the country’s population. This registration process produces the most sensitive and important database for the country and its citizens. Any system that updates the information in this database, or receives information from it, must guarantee a secured and monitored link at all times, in order to protect the reliability and integrity of the information.

DIGITAL CERTIFICATES ARE THE KEY

The process begins when the country’s citizens are issued digital certificates. Digital certificates make it possible to verify the identity of individuals seeking to access governmental services through the Internet, information kiosks or by physically visiting the offices of a government ministry. Smart cards supported by a secured and efficient operating system offer the most secured method to carry and protect these certificates. When they bear digital government certificates, these smart cards become known as smart NiD (National Identification) cards. Certificates are issued by governmental Certificate Authority servers or by civilian Certificate Authority servers approved by the local governments, in a multi-stage process:

Initial identification of the future cardholder is confirmed before the smart NiD card is issued.

Each smart NiD card issued is documented in the governmental system.

Citizens receive instructions on the range of services available when using the smart NiD card.

Citizens are also instructed on how a digital certificate can be obtained, and the legal implications of such a process.

The certificate and the accompanying public key are attributed to the citizen’s information record in the country’s population databank.

To guarantee and secure the legality of digital signing operations using the smart NiD cards it issues, the government must ensure that any loss, theft or irreparable damage to a card is reported, documented and published. Therefore, governments providing PKI-based services must operate mechanisms for publishing lists of revoked certificates (Certificate Revocation Lists). These mechanisms are of dual importance, both for the services of the government, as well as for civilian mechanisms that make authorized use of smart NiD cards.

Once the government is certain of a citizen’s identity, there is virtually no limit to the range of electronic services that it can provide. Such services range from the payment of fines and taxes, filing income tax statements, updating personal details, submitting applications for governmental certificates such as passports, reporting the theft or loss of governmental certificates, and more.

To ensure verification of a user’s identity, the smart NiD card, containing the government-issued digital certificate, is used in two basic security and authentication mechanisms. The first is a PKI-based secured identification process, where the user is authenticated to the governmental system by his/her smart NiD card (containing the digital certificate). The second is the digital signature that completes the process, again using the smart NiD card. This method guarantees the user’s active participation throughout the process, from start (authentication) to finish (signature).

To support such services on a large scale, servers hosting such e-Government operations must be linked to the country’s population database. Here, too, PKI and smart card technology offer a major advantage. When a certificate is issued, the government records the digital certificate in the population database, but allows digital certificate information to be additionally stored in a separate dedicated database. Since these digital certificates are issued in a completely secure and trusted process, the digital certificate database can also be used as the basis for reliable identification of individuals. Use of the digital certificate database to verify an individual’s identity, makes it unnecessary to access the country’s sensitive population database, either directly or indirectly. Consistent and uniform use of the digital certificate database also ensures that this database constitutes a comprehensive solution for publishing lists of revoked certificates or lists of new certificates added to the database.

FROM NATIONAL TO INTERNATIONAL USAGE

e-Government services do not begin or end with smart NiD cards or digital certificates. In an era when terror has sown its seeds of horror throughout the world, electronic passport solutions have emerged as one of the principal, most promising defense mechanisms for countries and their citizens. These electronic passports offer a combination of diverse technologies designed to make the criminal act of counterfeiting impossible.

Electronic passports also require supportive PKI and information systems. As in the case of other e-Government services and systems, electronic passports must be handled with maximum sensitivity, caution and security. The information contained in a passport issued to a citizen must be digitally signed by the state, and the state must be able to identify with certainty the individual to whom the passport is issued. This sensitive identification of citizens as a condition for the issue of electronic passports, is simply performed by using smart NiD cards and the digital certificate stored in them. Where national electronic passport projects precede a smart NiD card project, the country can conduct a reverse identification process that is no less secured, certain or reliable.

The integration of all the e-Government, PKI and smart card systems, both inside and outside the country, promises a new and fascinating era for all of us, allowing the government to reach out to its citizens by providing enhanced access and reliability of its services, and simultaneously improve beyond recognition its citizens’ security, welfare and the confidentiality of private information.

It is rare when technology grounded in business or financial information security finds its way into national or international governmental applications, in support of such ethical goals as narrowing social gaps by increasing access to a government’s services for its citizens, protecting human life by preventing identity theft through the fraudulent use of smart NiD cards and e-Passports, and improving the quality of health, welfare and other public services. There is no doubt that smart card technology has come a long way in providing the secure world of e-Government. For all those involved in this area of technology, it is undoubtedly a great privilege to take part in a process that will bring a new, better and safer era for us all.

FOR MORE INFORMATION VISIT www.scsquare.com

APPLICATION FOCUS
eTransportation

E-TICKETING IS GOING THE JAVA™ WAY
By Jean-Claude Pellicer, VP Sales, Trusted Logic

Java Card™ has become synonymous with the last frontier for maturing smart card applications: witness the smooth migration to Java during the last few years of both EMV payment and GSM from what used to be (and still is to a certain extent) a bastion for proprietary systems (another for native card code).

This article focuses on the Transport sector, in an attempt to show that it too is ready for the big move over to the open world of Java Card. A combination of business and technical rationale is provided to support this view, while casting some light on the work currently being conducted by Calypso as a discussion background.

HISTORICAL PERSPECTIVE

Using smart cards in Transport is nothing new. The first, and hugely successful deployment of smart cards in Transport dates back to 1995, when Hong Kong’s MRTC launched its Octopus card, setting the scene for what was to be the first of many such projects. Although not yet widely used, the term e-Ticketing was coined, with millions of cards coming forth in the space of just a few months, establishing Transport as a new market to be reckoned with.

This scenario has now been repeated many times over the years, with smart cards becoming a natural core product of most transport systems. Two systems in particular seem to dominate the market: MiFare (e.g. London, Warsaw, Stockholm) and Calypso technology designed by transport operators through the European project Calypso (e.g. Paris, Brussels, Lisbon, Montreal, Athens, Naples).

Today, Calypso has been implemented in numerous transport networks, mainly in Europe, thanks to the members of the Calypso Networks Association (CNA). One of the largest such schemes can be found in the Paris region, where Navigo (Calypso-based system) has been implemented by SNCF (French National Railway) and RATP (Urban Transport). Like most systems in place today, Calypso uses a dedicated mask to support its transport application. But not for long! RATP, a member of CNA, is now proactively breaking new ground by fostering a new type of Navigo card, based on Java Card for its network, and the development of a Java based Calypso applet.

BUSINESS RATIONALE

The move to Java Card is the result of a natural evolutionary process:

Application interoperability

This is the fundamental premise of Java Card: the fact that the application is abstracted from the underlying OS, subsequently leading to the independent development of both. E-Ticketing can therefore be implemented to execute on any Java Card OS from any given manufacturer (in fact, CNA members have just completed the development of a standard Calypso applet).

Multi-application capability

Because of the OS/Application independence, the same card can host and manage several applications through both contact and contactless interfaces. This capability can lead to the “City card” concept, with a card hosting not only one or more transport pass(es), but also city-related services such as access to corporate premises, parking and a general Identification card.

Easily Certifiable

Increasingly, smart cards are to be validated against functional and security criteria. Here, Java Card has a definite advantage over its native equivalent: card components can be certified in a stack-wise fashion, independently of one another – namely chipset, Java Card OS and applications.

Cost control

All 3 elements described above have a direct impact on cost:

Application interoperability allows transport organizations to get better deals from card manufacturers

Multi-application capabilities can lead to sharing infrastructure costs with the card being used by several networks at the same time (e.g. ATM can be used to load transport rights onto a transport application)

An easier certification diminishes the overall cost of card security certification, while ensuring a more overall secure solution.

TECHNOLOGICAL ASPECTS

The major criticism raised against Java Card in the field of Transport, is its lack of performance. In fact, the challenge is admittedly pretty high, with less than 400 ms allowed to carry out a full pass transaction.

The combined industry experience using Java Card OS over the last few years has nevertheless led to a simple enough conclusion: critical transaction time is spent doing cryptographic calculations and writing to the EEPROM - the rest is negligible. Hence running Java or native code does not matter, since both EEPROM writing and cryptographic computations are done in native.

Old arguments do sometimes die hard and the best way to dispel this myth is to show a Java Card platform doing the job correctly, in the given time limit. This is what CNA members have set out to do, with the support of industry leader Trusted Logic and its premier JTOP™ platform, running on Infineon’s technology (SLE66 Contactless interface).

CNA MEMBERS TAKE THE LEAD ON JAVA

The successful spread of Calypso technology abroad is now prompting the Calypso Networks Association to explore new technology alternatives to a dedicated mask, whilst looking at minimizing overall system costs.

For Calypso, the key to successful development is the ability to offer a standardized and interoperable transport application, meeting the needs of transport operators all over the world, irrespective of what medium they run on. Looking at not only the technology, but also (and primarily) at market adoption, Java is the perfect solution, being the most widely used open system solution (96% market share).

The first step was to develop a Java Card applet meeting the Calypso Specifications. Now that the feasibility has been established, the second step is to follow through to the end and make sure there is a sufficient supply of Java Card platforms out there meeting Calypso needs. As of today, off-the-shelf Java Card platforms are not yet suitable.

This project is currently being conducted in partnership with Trusted Logic, and it will be specifying these needs for the benefit of the industry at large. The first compliant cards should be ready to hit the market during the second part of 2005, and Trusted Logic’s jTOP platform is certain to be part of this offering.

FOR MORE INFORMATION VISIT www.trusted-logic.com

APPLICATION FOCUS
Secure Computing

TRUSTED PLATFORMS PROVIDE NEW LEVELS OF SECURITY
By Thomas Rosteck, Senior Director Product Line Trusted Computing, Infineon Technologies AG

Hardly a day goes by without hearing about a new attack on computer systems. Previously limited to PC based systems, these threats are now moving into new environments like the PDA and mobile phone networks. The basis for world wide communication and business processes is at risk. However, Trusted Computing is one piece of the puzzle that does provide the potential for significant security improvements. Will it solve all problems? No. But it will significantly raise the bar for security attacks.

OVERVIEW

The sheer variety of attacks is increasing every year. In the beginning we had to deal with viruses and Trojan horses; now, identity theft and phishing seem to be the hackers’ attacks of choice. The US Cert Coordination Center published a paper some time ago in which they presented the attack trends that they have evaluated; one of them being more and more automated attacks with higher speed and sophisticated attack tools. This means that hackers are able to attack multiple systems in a very short time, looking for an interesting and vulnerable target, which is eliminating the number one “security measure”: hiding in the millions of internet users.

The number of available security products is also rising as a consequence. However, one of today’s unresolved problems of widely used security applications is to protect the hardware platform itself against attacks to its integrity or to the modification of the security software. Typical well-known examples are the attacks carried out against home banking applications or even against security evaluated digital signature software.

Solving this problem purely at the software level does not seem to be possible. Therefore, a secure hardware base is necessary to counter these kinds of attacks.

Additionally the right use of security measures is an extremely complex topic even for experts and the provision of a secure solution is simply not enough. It is important that inexperienced users are also able to work with it. Consequently, flexibility and ease-of-use are also critical to the success of Trusted Computing.

Major companies in the PC sector have joined forces and begun working to solve this problem, with the aid of a new hardware approach and the creation of an associated industry standard. In 1999 Compaq, Hewlett-Packard, IBM, Intel and Microsoft established the Trusted Computing Platform Alliance (TCPA). The aim was to create Trusted Clients (i.e. not only PCs, but also PDAs or mobile phones). At the same time, however, this standard was to be kept as open as possible in order to inform the interested public in time and to create confidence. The emerging Trusted Computing standard employs a secure hardware structure whose main component, the Trusted Platform Module (TPM), is specified as a security chip. This standard is largely based on recent years’ experience with smart cards, their applications, and attacks on them.

Figure 1: Structure of the “chain of trust”

As the TCPA organizational structure reached its efficiency limit in April 2003, TCPA was transformed into the Trusted Computing Group (TCG) with AMD, HP, IBM, Intel, Microsoft, Sony and Sun being the current promoters. More than 90 companies are members of TCG today.

IS TRUSTED COMPUTING GOOD OR BAD?

During the last two years there has been an ongoing and very valuable discussion about the opportunities and risks of the current Trusted Computing approach. The main concerns raised are linked to data protection aspects and user autonomy; could, for example, components be used by service providers to enforce the use of certain operating systems or applications for the use of their respective offering? It has also gained the attention of certain governments (e.g. Germany, the European Union and China) which are actively participating in the discussion, publishing papers with recommendations or even providing the forum for such a discussion.

Although many of the concerns are not just related to Trusted Computing, such discussions are important. It has given the TCG valuable inputs for their future work and some of the inputs have already been implemented in the most recent specifications. But this work will continue.

The TCG’s technology – like any other technology – can be used in a way not originally intended. By acknowledging this, the TCG is in the process of providing best practices for the use of Trusted Computing.

WHAT IS TRUSTED COMPUTING?

How can you describe the idea of Trusted Computing? It is definitely more than just the efforts of an industry alliance like the Trusted Computing Group, as it takes the initiative of the whole value chain in the security industry. Based on a device on the platform that you can trust, the chain of trust is built up to provide secure operating systems and trustworthy applications.

The TCG Standard in the first place provides authentication and accreditation of the platform, not of the user. The Standard additionally permits secure storage of critical secrets such as keys of either the user or the platform.

Inserting a secure and certified TPM into the PC platform with standard PC components does not, however, prevent intelligent attacks with hardware debugging and analysis tools. Although the TPM significantly increases the resistance and security level of such a platform (TPM-protected data is virtually impervious to attack), it must be taken into account that even a TC platform cannot provide 100% security. Still, it makes an attack much more complicated.

HOW DOES IT WORK?

The generic TCG approach is to produce new system structures: whereas until now security was to be achieved by means of additional levels of encryption or antivirus software, the TCG begins at the very lowest level of the platform. At the start of the booting operation of such a system, the TPM is trusted “a priori” as a certified hardware security chip. At system start-up an uninterrupted “chain of trust” extends from this lowest layer, up to the applications. As soon as the lower level in each case has a stable security reference, the next layer can be supported on top of it (see Figure 1). Each of these domains is built upon the preceding one and can therefore expect every transaction, internal link and device connection to be trusted, reliable, secure and protected.

As a hardware security reference, the TPM constitutes the “root of trust” for the entire chain.

THE ROOT OF TRUST: TRUSTED PLATFORM MODULE

In accordance with the TCG architecture, the TPM provides the security functions requiring particular protection and which are therefore also implemented in a secure hardware environment.

Here the privacy aspects are paramount: the TPM is designed as a passive participant. The process has no means of actively influencing program execution of the main processor or the boot operation. It receives only control and status measuring data from the main processor which it processes, stores and reads out again from its secure structure, and feeds these results back to the main processor. Only at this stage is the subsequent sequence of security procedures controlled using these results.

However, the TPM can make the access to particular data (such as key material) dependent on the presentation of appropriate authentication patterns.

The main security functions handled by the TPM are:

Protection of key material: The various key classes are stored in a protected manner in the TPM.
System authentication: Authentication and validation of the platform to third parties.
Communication of the system’s security status (attestation): Trusted communication of the security-relevant (platform-owner-defined) configuration.
Random number generator: Generation of genuine hardware-based random numbers for secure key generation.
File sealing: Binding of data to the system configuration and signing of the data when storing with the hash value of the configuration. Access to the data is then only possible if the configuration remains unchanged.
Secure saving of configuration changes in the Platform Configuration Registers (PCR): Status changes are detected and safeguarded by the SHA-1 hash algorithm.
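How the “chain of trust”, the PCRs and file sealing described above fit together, as an added sketch that is not part of the original article or of any TCG software. ToyTPM, boot() and the sample boot images are constructed for illustration, and a single register stands in for the several PCRs of a real TPM.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length; the register holds 20 zero bytes after reset


class ToyTPM:
    """Software model of PCR extension and sealing only (not a real TPM API)."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self._sealed = []  # list of (PCR value at seal time, protected data)

    def reset(self):
        """Platform reset: the register returns to its known start value."""
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes) -> bytes:
        """Fold a measurement in: PCR = SHA-1(PCR || SHA-1(component)).

        The old value is an input to the hash, so software can only add to
        the register's history; it cannot set the register to a chosen value.
        """
        measurement = hashlib.sha1(component).digest()
        self.pcr = hashlib.sha1(self.pcr + measurement).digest()
        return self.pcr

    def seal(self, data: bytes) -> int:
        """Bind data to the configuration recorded in the PCR right now."""
        self._sealed.append((self.pcr, data))
        return len(self._sealed) - 1

    def unseal(self, handle: int) -> bytes:
        """Release data only if the current PCR equals the one at seal time."""
        bound_pcr, data = self._sealed[handle]
        if not hmac.compare_digest(bound_pcr, self.pcr):
            raise PermissionError("platform configuration differs from seal time")
        return data


def boot(tpm: ToyTPM, chain) -> bytes:
    """Measured boot: each stage is measured before control passes to it."""
    tpm.reset()
    for _stage, image in chain:
        tpm.extend(image)
    return tpm.pcr


# Constructed sample boot chains (stage name, image bytes).
GOOD_CHAIN = [("bios", b"BIOS 1.02"),
              ("loader", b"bootloader 3.1"),
              ("kernel", b"kernel 2.6.8")]
TAMPERED_CHAIN = [("bios", b"BIOS 1.02"),
                  ("loader", b"bootloader 3.1 (modified)"),
                  ("kernel", b"kernel 2.6.8")]


def demo() -> dict:
    """Seal a secret under the good configuration, then reboot twice."""
    tpm = ToyTPM()
    good_pcr = boot(tpm, GOOD_CHAIN)
    handle = tpm.seal(b"disk encryption key")

    boot(tpm, GOOD_CHAIN)              # same software: same PCR, unseal works
    same_config = tpm.unseal(handle)

    tampered_pcr = boot(tpm, TAMPERED_CHAIN)
    try:
        tpm.unseal(handle)
        refused = False
    except PermissionError:
        refused = True                 # changed loader: the secret stays sealed
    return {"good_pcr": good_pcr, "tampered_pcr": tampered_pcr,
            "same_config": same_config, "refused": refused}


if __name__ == "__main__":
    result = demo()
    print(result["good_pcr"].hex(), result["tampered_pcr"].hex(), result["refused"])
```

Because every stage is folded into the same running hash, a change to any one stage, or to the order of the stages, yields a different final value.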

In addition, the TCG has also placed emphasis on some general, but equally important characteristics:

Protection against attacks on the integrity of the TPM; particularly against physical attacks
Inexpensive implementation in order to allow widespread use
Compliance with global export control regulations in order to allow international trade with TC platforms (PCs)
And most importantly, an implementation which supports protection of the private sphere and self-determination of the user’s data.

The TCG Software Stack (TSS) as an API (Application Programming Interface) makes the security functions available to the operating system and the applications. Additionally, to enable already existing solutions, it seemed reasonable to provide the appropriate interfaces. Although this functionality is not required by the standard, it considerably increases the usability of the platform. Two implementations currently exist:

Microsoft Cryptographic Service Provider (MS-CSP) for use with various applications under Windows (such as Outlook, Explorer, Word etc.)
PKCS#11 developed by the RSA as the most widely used universal crypto interface standard. It is used by the Netscape browser.

ADDITIONAL COMPONENTS OF A TRUSTED PLATFORM

As has already emerged from the deliberations concerning the implementation of trusted digital signatures, in addition to making the platform secure, a trusted interface to the user is also required. A trusted platform must of course be able to satisfy the basic paradigm “What you see is what you get” (WYSIWYG).

Although the TPM alone can check security states or digital signatures or even generate signatures, it cannot safeguard communication with the outside world or assume the security functions of the main processor. Additional security functions are therefore required in the other building blocks of a platform (e.g. secure input and output). The two major PC chipset manufacturers AMD and Intel are founding members of the TCPA/TCG and have since been engaged – even beyond the scope of TCG – in incorporating the relevant security functions in their chip sets to make use of the advantages of Trusted Computing and to provide the necessary functionality to a secure operating system.

To really make a client “trusted”, the operating system has to take advantage of the previously mentioned components and has to translate it into a trust base for the applications. The TCG Standard with its tamperproof and trusted hardware, creates the basis to which the security mechanisms of the OS can relate. It is specifically for that purpose that the TPM not only provides its signature, but also its secure storage functions.

For the integration of and into an operating system, the following activities are currently being carried out:

Microsoft NGSCB: NGSCB (Next Generation Secure Computing Base) is the name of Microsoft’s activities to provide a trustworthy computing approach in the upcoming operating system “Longhorn”.
Open Source: Whereas public discussion concerning TC applications and characteristics has focused on Microsoft, in the area of Open Source (specifically Linux) the first deployment and application examples have already emerged (e.g. IBM, Royal Holloway University London, University of Bochum).

APPLICATIONS AND FUNCTIONALITIES

The TCG is offering a whole range of advantages for applications that need security functionality. Offering the security API of the TSS, as well as providing MS-CAPI and PKCS#11, the system supports existing applications like Outlook, Internet Explorer, Netscape, RSA SecurID, as well as the products of Entrust and Checkpoint. This will benefit firewalls, PKI infrastructures, file & folder encryption, DRM, e-mail systems, secure communication, virtual private networks, certification authorities and authentication services.

System administrators can unambiguously identify the different devices in their networks with the aid of a TPM. New devices can be reliably booked into network management, unknown or changed devices can be clearly detected. This enables security policies to be further automated and implemented in a controlled manner.

Through the use of known remote access server procedures, not only the users’ authentications (name, password, smart card, biometrics) but also the platform used can be identified. The network can check, for example:

The user’s access rights
If a company notebook known to the system is being used
If the notebook has trusted status.


This information gives a higher flexibility to system administrators for respective policies. For example, if all checks are passed positively, the security policy could permit unrestricted access. If it is the correct user but an unknown PC, operation with restricted rights (e.g. for file access) could be permitted.

By means of the attestation ID functions, a TC platform can appear under an anonymous identity. This could be useful in the case of procurement and auction platforms, to issue anonymous bids without the buyer being influenced by the bidder’s identity. An external, neutral and trustworthy Trust Center must hold the connection of the anonymous identity to the real identity and, once the bid has been accepted, provide information about the mutual identities, therefore enabling the contract to be transacted.

It is often erroneously assumed that TPM-based TC platforms would replace smart cards or other authentication methods. TC is, however, designed to supplement these functions. If a person authenticates himself using a cryptographic token or biometric method, the target system always requires a secure reference against which the authentication data can be checked. In today’s systems, this data is mainly stored on a special server or, in the case of standalone systems, hidden deeply on the hard drive, where it should – hopefully – not be found. The TPM also makes it possible to store any reference data securely and in a protected manner. This means that for the first time even high-security authentication processes can run on normal standalone systems. The processes and protocols necessary for this purpose are currently being worked out by the TCG’s Authentication Workgroup.

WHOM DO WE TRUST TODAY?

The TPM as the root of trust and the integral part of the security system is obviously a sensitive component in this environment. If the TPM should fail or be easily compromised, the whole trust chain would fall apart. The TPM hosts the so-called Endorsement Key, as well as critical secrets of the user.

According to the TCG specification, the Endorsement Key is digitally signed by the TPM manufacturer and provides the only way for a TPM to remotely prove that it is a real hardware TPM, compliant to the requirements of the TCG. Obviously the signature of the TPM manufacturer must be trusted, and this will be affected by the trustworthiness, security and quality processes of this company.

Thankfully, however, the TCG specifications do not solely rely on the manufacturer. It is mandatory for the security of the TPM to be evaluated by an independent third party. They review the way it is manufactured and the way the Endorsement Key is created and signed.

Following the Common Criteria Evaluation Scheme the result of such an evaluation would be certified by a trusted party, usually a governmental agency (see Figure 2).

Figure 2: Security Certificate for Infineon TPM

Trusted Computing acknowledges the following Certificates:

The Endorsement Certificate confirms that the TPM originates from a trusted manufacturer.
The Platform Certificate is brought in by the motherboard/PC manufacturer and confirms that a valid TPM has been mounted in a correct platform.
The Conformance Certificate is issued by a test laboratory and confirms that the security functions of the TPM and motherboard have been positively checked and are compliant with the protection profile of the TCG.

Companies and test laboratories put their name on the line to confirm that the trusted environment works as it should.

WHAT WILL HAPPEN?

Trusted Computing is already happening today. The need for trustworthy platforms has existed for years and the threats are rising every day. Companies like Hewlett-Packard, Intel, IBM, Fujitsu, Fujitsu-Siemens, NEC and many more are shipping TPM enabled platforms. Trusted Computing will also move into other applications, like mobile phones and servers. This is just the first step and it will be supported by more secure platform architectures and operating systems in the future. It is now up to the application and service providers, as well as system administrators to make use of these new capabilities.

However it is important to remember that the root of trust needs to be valid. Therefore secure implementations, appropriate security levels, reliable certificates, and security evaluations are the basis for the trust that we all need.

FOR MORE INFORMATION VISIT www.infineon.com/tpm


T E C H N O L O G Y U P D AT ES m a r t C a r d

Subsequently, public discussion con-cerning smart card security has been influenced by the dramatic demonstra-tions of new fault attack techniques. Two years ago, the first detailed public paper describing optical fault induction methods caused havoc. And recently,

a fault induction attack was shown to be effective for attacking asynchronous logic, showing that the perception and reality of product security can differ even today [1].Integrated circuits, used as smart card controllers, are usually made from silicon

wafers. The electrical behavior of silicon, in turn, may differ upon exposure to different environmental parameters. As an example, the electrical properties of silicon may react to different voltages, to temperatures, to light and ionizing radiation and also to the influence

40

FAULT INDUCT ION – A VERSAT ILE TOOL FOR ATTACKERSB y D r . P e t e r L a a c k m a n n , P r i n c i p a l , P r o d u c t S e c u r i t y a n d M a r c u s J a n k e , S e n i o r S t a f f S p e c i a l i s t , P r o d u c t S e c u r i t y , I n f i n e o n Te c h n o l o g i e s A G

Today, disturbing the functionality of a smart card has evolved into an art form, carried out by thousands of attackers around the world; ranging from amateurs to absolute professionals. Because of this, the so-called “fault induction attacks” have become far more relevant to both security evaluation and the certification of smart card controllers.

Page 37: THE MOST SECURE night and maybe years in case they ... · By Mikko Marin, Senior Product Manager, Banking & Retail, Product Marketing, Setec Oy. . . . . . . 18 The Information Economy:

41

T E C H N O L O G Y U P D AT ES m a r t C a r d

of electrical and magnetic fields. Changing these environmental parame-ters, an attacker can try to induce faulty behavior, including errors in the pro-gram flow of the smart card control-ler. Usually, an attacker would try to force a smart card to make a wrong decision. If, for example, a password or PIN (personal identification number) is entered, the attacker could try to make the smart card controller accept even a wrong entry, allowing access to the secret data stored in its memory. Another interesting variant is the so-called “memory dump” – instead of giving out its non-secret identifica-tion data, the smart card controller would, after a fault induction attack, output much more data. This data may include parts of the card operating sys-tem, secret data or even stored keys. The attacker can also try to focus on a method called DFA (differential fault attacks), disturbing the cryptographic operation and yielding an erroneous result, which can give the attacker information about the secret keys that are used in this operation. In the worst case, one single faulty computation can be sufficient for an attacker to extract the complete secret key.

Various methods for inducing faults are known, and a survey of these scenarios is summarized in Table 1.

SPIKE AND GL ITCH

ATTACKS

Attackers know about the vast variety of Fault Induction Attacks. The simplest way, that has been around for years,

can be found in most datasheets for security controllers on the market today, only actual tests can prove if these countermeasures are really effective. As the performance of these products may vary by orders of magnitude, it is extremely important that the security level is checked by independent evalu-ation and certification.

E L E C T R O M A G N E T I C

I N D U C T I O N AT TA C K S

Although spike and glitch attacks can achieve results, more sophisticated methods have emerged to induce volt-age or signal alterations into a semicon-

Name of specialized attack Fault induction method Synchronization possible ? Local attack possible ? Selected Literature

Spike Attacks Voltage Transients on Power Supply Yes No [2], [3], [4], [5], [6]

Glitch Attacks Modifications of Clock Signal Yes No [2], [6], [7]

ECMAAS Electromagnetic Induction Yes Yes [8]

Optical Fault Induction Optical Irradiation of the Chip Surface Yes Yes [9], [10], [11], [12], [13]

Conducting Temperature Attacks Modification of Ambient Temperature Difficult Difficult [1], [14], [15], [16]

Thermal Induced Voltage Alteration TIVA Local Temperature Alteration due to Laser Irradiation Yes Yes [17], [18], [19]

Single Event Effect Attacks Alpha Particle Radiation Difficult Difficult [20], [21], [22]

Table 1: Summary of specialized attacks

is to modify the power supply or sig-nal inputs of the smart card controller. Whereas short transients in the power supply are often called spikes, the so-called glitches normally define specific modifications to the clock signal that are also necessary for the operation of the security controller. Spike and glitch attacks can lead to controller malfunc-tions in a way that single parts of its electronic modules would temporarily fail, thereby skipping or performing wrong operations. An attacker could exploit this behavior - for example, circumventing a password entry test or a blockage of the card. Although counter- measures against spike and glitch attacks

Figure 1: Optical attack against asynchronous logic [1]

Page 38: THE MOST SECURE night and maybe years in case they ... · By Mikko Marin, Senior Product Manager, Banking & Retail, Product Marketing, Setec Oy. . . . . . . 18 The Information Economy:

S m a r t C a r d

at Infineon for many years, is the meth-odology of optical fault induction. In these cases, the surface of the smart card controller is irradiated with light while the normal application is running. Due to the light irradiation, voltages and currents are generated inside the silicon of the smart card chip, which may also cause faulty behavior. An attacker, uti-lizing these techniques, may circumvent passwords or a PIN, dump secret data or perform an attack on a cryptographic operation to yield secret key data.

If the complete chip surface is irradiated, the attack is called global optical attack. Using global optical attacks, an un- protected smart card can even be compromised without removing the card plastic from the chip surface. The light source is placed over the back of the smart card, while the card is oper-ated. The intensities for this kind of attack are usually high, which means that a strobe light, photoflash or even laser needs to be used. Local optical attacks, on the other hand, are used as a more sophisticated method, but require the use of highly focused light. From other writings available on the subject, we know that a microscope equipped with a laser or a xenon strobe lamp can be used (see Figure 1). Local

optical attacks that use focused light, require the opening of the smart card package prior to performing the attack. This can be done by using concentrated acids (such as red fuming nitric acid) dissolving the card’s plastic but leaving the smart card chips functional. These techniques are widely known and described in the works of M. G. Kuhn.

Tests show that simple countermeasures such as opaque coating would not be sufficient even against amateur attacks. Coatings that are part of the chip, like metal plates, don’t cover the more sophisticated optical attacks, which has recently been demonstrated. If infrared light is used, the attack can also be per-formed by irradiating the back of the chip – and in this case no metal plates or chip covers would provide a signifi-cant barrier.

THERMAL

ATTACKS AND

T IVA

Modifying the environmental tempera-ture can also be used as an attack method against security controllers. In recent literature, an attack against the memory contents of a personal computer was detailed. By increasing ambient temper-atures, some bits of the RAM memory could be changed, which enabled an attack against a virtual machine model. In this case, a simple light bulb was used to increase the ambient temperature. In contrast, also a decrease in temperature can enable attacks - applying extremely low temperatures can cause a memory to “freeze in” the stored information in a RAM, even if the power supply is shut off. The effectiveness of temperature attacks is strongly dependant on the type of memory used in the security con-troller. In principal, smart cards may also be vulnerable to these kinds of attacks if no appropriate countermeasures are introduced. As a basic countermeasure, temperature sensors on the smart card chips measure the conditions of the silicon and set off an alarm if the tem-perature exceeds the margins. However, today’s security features are far more complex than this basic protection, as a

42

T E C H N O L O G Y U P D AT E

ductor chip. Electromagnetic Induction Attacks also became well known some years ago, and have been developed over time to near perfection. Attacks on the PIN (personal identification number) check of a GSM SIM card give the attacker the possibility to extract protected data from the card without knowledge of the PIN [8]. In order to inject the “disturbing” signal into the smart card in these special cases, electrical coils are usually used, placed directly over the chip surface. Electro-magnetic attacks are more complex in terms of the attack methodology, but there is a major advantage in com-parison to conventional spike or glitch methods, as the attack can be performed locally on a specific module in the smart card controller. Appropriate counter- measures are harder to develop. If a security controller could monitor its external supply voltage, it could detect some spikes – but if electromagnetic pulses are applied only to a specific module, e.g. a cryptographic processor, this would probably not be detected.

OPTICAL FAULT

INDUCTION ATTACKS

Another class of attacks that has also been included in the scope of research

Figure 2: TIVA-Device [17](Thermally Induced Voltage Alteration)

Page 39: THE MOST SECURE night and maybe years in case they ... · By Mikko Marin, Senior Product Manager, Banking & Retail, Product Marketing, Setec Oy. . . . . . . 18 The Information Economy:

43

S m a r t C a r d

new method of attack is available that would even be suited to circumvent-ing temperature sensors – utilizing the so-called “TIVA” devices (Thermally Induced Voltage Alteration) – see Figure 2.

TIVA uses local irradiation with an infrared laser; its beam is directed through the back of the chip into the silicon, causing local heating effects. It is a very special characteristic of TIVA lasers, that the selected long wavelengths of the laser radiation do not have enough energy to trigger conventional optical attacks – which in turn could be used to circumvent dedicated light sensors. But TIVA causes small areas of the chip to heat up, thus inducing faulty behavior in electronic elements on the security controller. Although TIVA has been developed for reliability and failure analysis (not for smart card attacks), this method could become interesting for attackers over the next few years.

ATTACKS USING ALPHA

RADIAT ION

Irradiating a smart card chip with alpha particles has emerged as an extremely simple, yet effective attack (see Figure 3). Nevertheless, there are some restrictions worth knowing about. Using alpha radi-ation, an attacker is not able to foresee the exact moment when the fault would occur in the chip, as alpha particles are produced by radioactive decay, which is a purely statistical process. Also, exact focusing of alpha radiation is not easy. But even these statistical effects can be used to perform attacks - the same operation is repeated again and again, while the smart card chip is irradiated. Faulty answers are logged, and later sorted and subsequently analyzed.

Commonly known effects of alpha radiation include the alteration of memory contents, and the delay of signaling times. Yet a variety of other effects have been collected in special-ized literature, mainly in the field of space and aviation electronics.

Attacks using alpha radiation are dangerous to some applications, as no

T E C H N O L O G Y U P D AT E

Figure 3: Alpha radiation attack - a simple test assembly

Also, certain anomalies concerning the clock supply are blocked. For example, if a security controller is attacked using very high voltage alterations which cannot be blocked by the regulation system alone, sensors are implemented as part of the second barrier. If a sensor detects critical values for environmental parameters, an alarm is triggered setting the smart card to a secure status. Voltage sensors check the power supply, clock sensors look for frequency anomalies, and temperature and light sensors check for optical and temperature attacks. As optical attacks can also be performed through the back of the chip, the optical sensors are not restricted to detecting irradiation only on the front surface.

The third barrier is built up from the design of the security controller core itself. Hardware countermeasures, in combination with software, are used to produce an effective third barrier. The combination of hardware and software is essential, as purely software counter-measures could in some cases be the target of fault attacks themselves.

If the vast variety of fault induction attacks is taken into account, it is clear that an effective protection against present and future attacks must be built on an integral security concept. Firstly, the countermeasures and security features

expensive equipment is involved. A weak source of alpha radiation, derived from radioactive radium dials or smoke detectors, can be sufficient. If only parts of the chip are to be irradiated, the alpha radiation can be blocked by simply using transparent plastic masks. The success of alpha radiation attacks is mainly dependant on the experience of the attacker; especially on his know-ledge concerning the software code inside the smart card.

C O U N T E R -

M E A S U R E S

Measures against fault induction attacks not only have to work independently from each other focusing on specific vulnerabilities, but must also interact without causing any conflicts. The secu-rity concepts of modern Infineon smart card controllers are based on three lines of defense:

Preventing induction of faults Detection of fault-inducing

conditions Measures against faulty behavior

of the security controller.

Filtering the power supply and the in-put signals acts as a first barrier; fast reacting stabilizers are used to block voltage transients in specific boundaries.

Page 40: THE MOST SECURE night and maybe years in case they ... · By Mikko Marin, Senior Product Manager, Banking & Retail, Product Marketing, Setec Oy. . . . . . . 18 The Information Economy:

44

S m a r t C a r d

F O R M O R E I N F O R M A T I O N V I S I T www.infineon.com/security

T E C H N O L O G Y U P D AT E

L ITERATURE

[1] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, C. Whelan, “The Sorcerer’s Apprentice Guide to Fault Attacks”, Proceedings Proceedings Workshop on Fault Diagnosis and Tolerance in Cryptography, Florenz, 30.06.2004; http://www.elet.polimi.it/res/DSN04workshop/

[2] R. Anderson, M. G. Kuhn, “Tamper Resistance - A Cautionary Note”, Proceedings 2nd USENIX Workshop on Electronic Commerce, Oakland, USA, 18.-21.11.1996, S. 1-11.

[3] P. Hofreiter, D. Lebedev, P. Laackmann, “Spike- und Glitchangriffe gegen Security Controller”, Card-Forum 6, 2003, 50-53.

[4] S. P. Skorobogatov, “Copy Protection in Modern Microcontrollers”, 02.11.2001, http://www.cl.cam.ac.uk/~sps32/mcu_lock.html.

[5] S. P. Skorobogatov, “Zaschita Sovremennyh Mikrokontrollerov ot Kopirovanija” (in russischer Sprache), MePhI, Moskau 2001, 84-85.

[6] E. Auer, “Tamper Resistant Smartcards – Attacks and Countermeasures”, 28.9.2000.

[7] R. Anderson, M. G. Kuhn, “Low Cost Attacks on Tamper Resistant Devices”, Proceedings “Security Protocols – 5th International Workshop”, Paris, 7.-9.4.1997, 125-136.v

[8] J. J. Quisquater, D. Samyde, “ECMAAS – Eddy Current for Magnetic Analysis with Active Sensor”, Proceedings und Präsentation “Esmart 2002”, Nizza, 19.-20.9.2002, 185-191.

[9] S. P. Skorobogatov, R. Anderson, “Optical Fault Induction Attacks”, Mai 2002.

[10] W. Knight, “Camera Flash Opens up Smart Cards”, New Scientist, 13.05.2002.

[11] A. Clark, “Lasers Crack the Key to Smartcard Chip Secrets”, EETIMES, 20.05.2002.

[12] D. Nuhn, “Smart Cards are Safe - New Vulnerabilities are not Cause for Concern”, Semiconductor Insights, Business Wire, Ottawa 15.05.2002.

[13] C. Aumüller, P. Laackmann, “Lichtangriffe”, Card-Forum 7/8, 2002, 56-59.

[14] S. Govindavajhala, A. W. Appel, “Using Memory Errors to Attack a Virtual Machine”, IEEE Symposium on Security and Privacy 2003, 11.-14.5.2003.

[15] P. Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory”, Proceedings “6th Usenix Symposium”, San Jose, 22.-25.7.1996.

[16] S. Skorobogatov, “Low Temperature Data Remanence in Static RAM”, Technical Report UCAM-CL-TR-536, University of Cambridge, 2002.

[17] R. A. Falk, “Advanced LIVA/TIVA Techniques”, International Symposium for Testing and Failure Analysis, OptoMetrix, Inc. Washington, 2001.

[18] C. Boit, K.R. Wirth, S. K. Brahna, P. Sadewater “Interaction of Laser Beam with Semiconductor Device”, Institute for high-frequency and semiconductor technology, TU Berlin.

[19] “Failure Analysis Techniques for Integrated Circuits”, EMFASIS 5, 2002, 1-2.

[20] J. J. Quisquater, Your electronic wallet in the Van Allen radiation belt, or Electronic commerce at RISK in space?, 30.11.1996.

[21] M. Janke, P. Laackmann, “Single Event Effects”, SECURE 1, 2003, 36-39.

[22] M. Janke, P. Laackmann, “Chipkarten unter Beschuss – Single Event Effects”, Card-Forum 3, 2003, 51-53.

have to be tested thoroughly by the manufacturer, using the most advanced attack technologies for checking products. And secondly, independent security evaluation and certification is particularly important in order to prove the value of the targeted security level by a neutral, recognized body. Research in the field of fault induction attacks is never ending. The attack scenarios of the future have to be taken into account today, especially when designing new secure products that must give efficient protection against the attacks of tomorrow.


WITHIN THE TRUST


ACG UNVEILS ITS NEW BUSINESS UNIT ACG SECURE ID

ACG RESPONDS TO THE EMERGING GLOBAL ELECTRONIC CITIZEN IDENTITY AUTHENTICATION PROGRAMS

ACG Secure ID acts as a competence center supporting the security industry in deploying government driven programs in the field of personal identity authentication.

ACG Secure ID offers components, products and consultancy services. Established in 2004 as a new business unit of ACG, its mission is to foster the understanding and implementation of advanced identification concepts applied to citizen identity authentication such as the new e-passport and e-Visa, the electronic driver license and advanced ID documents based on smart card and RFID technology.

The new division was established in response to the emerging requirements expressed by governments worldwide, following the launch of the US Visa Waiver Program. Its aim is to support governments and the security industry to deploy advanced smart card and RFID based auto ID solutions in fields where personal identity authentication has for a long time been almost exclusively a paper-based process.

The industry’s most reliable partner for state-of-the-art citizen identity programs

ACG Secure ID is able to address any kind of customer requirement in terms of hardware and software components for state-of-the-art e-document projects: from integrated circuits, modules and inlays to reader components, software and personalization issues.

Offering complete support to the governments’ suppliers and partners facing the need to give an electronic dimension to the credentials issued to their citizens, the new Secure ID division provides its clients independent consultancy and training services through ACG’s most competent microcontroller technology and ICAO specialists.

The most reliable partner in the security industry

ACG is an independent component and technology supplier acting throughout the value chain of smart card and RFID based systems. Established in 1999 as a consulting firm, today the company serves both component manufacturers and system integrators on a global scale and has established a leading role in the smart cards and RFID industries.

Headquartered in Walluf (Germany), ACG has 21 locations throughout Europe, the Americas, Asia Pacific and the Middle East.

The new Secure ID division of ACG leverages the extensive expertise acquired by the company in all aspects of RFID technology (readers and transponders) and microcontrollers (hardware, operating systems and middleware).

Sharing know-how with partners and clients

ACG has established itself as a central product information and innovation hub in the rapidly growing markets for contact and contactless smart cards, fostering the market penetration of the innovative and empowering technologies of RFID and microcontroller smart cards.

Following ACG’s corporate philosophy, ACG Secure ID shares its acquired know-how, making it available to partners, clients and the entire security industry via training courses, seminars and in general with its targeted consultancy services.

In 2004, ACG established the SmartWorld-Academy, the first vendor independent knowledge transfer initiative on the topic of microcontroller cards. Located in Prague, the academy acts as a training center and provides the technical infrastructure and expertise for technical platform evaluation and customer pilot project realization.

ACG offers the most valuable services to the security industry: stock & consignment stock; security certified warehouse; multiple sourcing concept; life time warranty.

FOR MORE INFORMATION VISIT www.acg.de


EIGHT™ IS THE MAGIC NUMBER

Everything on one card is the motto for the new product that Austria Card is bringing to the market. After the successful collaboration with various universities, and winning an ICMA-Award for the Kepler-Card by the Johannes Kepler University in Linz, the Austrian high-tech company has decided to develop a multifunctional card for the most diverse types of companies and institutions.

eight™ is the solution.

With eight you have a completely new, multifunctional card system that is integrated into your already existing (security) infrastructure. Instead of relying on individual, often incompatible security and identification tools as currently happens, eight offers you a simple and highly intelligent solution with numerous additional features. Thanks to a unique combination of modern security technology and innovative chip technology, there are hardly any limits to this card system.

Security itself must be protected

The Smart Card operating system ACOS, developed by Austria Card, ensures maximum flexibility, modular and modern architecture and security. RSA encryption and Elliptic Curves Cryptography associated with Public Key Infrastructure protect the system from unauthorized access even in extreme cases. When describing the simple and secure use of eight, it can be compared to an ATM card – the card holder is the only person who knows the PIN code, as it is not even known by the system administrator. Even the data individually stored on eight is subject to highly stringent security mechanisms.

eight is multitasking and has the following solutions:

Authentication – The additional PIN code option ensures that the card only ever has one “rightful” owner, allowing them a pre-defined level of access. The PIN code can be replaced by biometric identifiers such as fingerprint or face recognition.

Access Control/Centralized Chronology – eight combines access to specified areas with time recording for accounting purposes. You can clearly define and continuously control the extent to which authorized persons may relay information and/or have access to areas with increased security demands.

Digital Signature – The multi-functional card system complies with all relevant EU regulations for digital signatures, and provides a forgery-proof electronic signature, as well as the most complex encryption of your data.

Identification – Highly secure print processes ensure that the card is forgery proof.

Transactions – Clients and employees can carry out transactions quickly and easily at specially designed info-terminals.

Electronic Purse – Using the electronic purse function speeds up cashless payments in the cafeteria, at cash machines, over the Internet or at self-service terminals.

Customer Loyalty Programs – eight uses integrated counters to record movements in customer spending for any kind of customer loyalty programs.

PC Log-On – By using eight in conjunction with an additional identification number, you can make your system more secure, increase its convenience and also undertake protected applications within the company network, as well as over the Internet.

As a subsidiary of Oesterreichische Nationalbank OeNB – the Central Bank of Austria – Austria Card operates on the highest level of security. In cooperation with CLEARjet, Austria Card develops systems that satisfy the security demands of our customers.

The encompassing know-how in the field of software security, as well as the implementation of user-friendly solutions and the mutual experience in the development of multi-functional card systems, enables us to offer your company, your data and your systems maximum protection.

FOR MORE INFORMATION VISIT www.austriacard.com


TRUSTED PLATFORMS FOR MISSION CRITICAL APPLICATIONS

Keycorp is a world-leading developer and supplier of secure electronic transaction solutions, including: high security smart card operating systems and solutions, payment terminals for electronic banking and electronic payment gateways.

Keycorp’s expertise in multi-application smart cards is focused particularly on smart card platform security and mission critical applications. We offer the most comprehensive range of MULTOS products, that have been specifically designed and engineered to meet the specialized needs of government, financial and IT security markets, requiring the highest level of trust, privacy and information security.

As an open platform, MULTOS provides a number of very important benefits compared to alternative proprietary and open platforms:

Unsurpassed level of security. MULTOS security has achieved the highest level of independent certification ever reached by a smart card technology – ITSEC E6 High.

Rapid and secure introduction of new strategies and value added services to existing card base. MULTOS has been designed to support loading and deleting of new applications as they become available, at any time during the card lifecycle. ITSEC E6 High evaluated secure dynamic card and application management protocols facilitate the addition of new, as well as the maintenance of existing applications without the need to replace an already issued card base.

Issuer-centric business model, ideally suited for security sensitive financial or government applications. The issuer of the card retains the control of information on the card and how it is used at all times.

Flexible supply chain. Open specifications and a mandatory, third party Type Approval process guarantee cross-platform interoperability at all levels of the supply chain. Multiple vendors are available to supply any component of MULTOS based end-to-end solutions, ensuring that the card issuer is not locked into a single supply chain situation.

Easy deployment. MULTOS is a mature and proven technology, supported by the network of industry’s leading vendors ranging from operating system implementers to chip vendors, card manufacturers, personalization bureaus, card and application management system vendors all providing components for MULTOS end-to-end solution.

Wide variety of “off the shelf” applications are available from a large base of application developers. MULTOS enables fast application development using industry standard languages such as C and Java, as well as the super-efficient MULTOS Executable Language (MEL).

Protection on investment. Cross-platform interoperability and backwards compatibility ensure that applications will run on all current and future MULTOS platforms without any change and without costly re-building of data preparation and personalization systems.

Lower card cost at issuance, as the result of fast personalization made possible by the range of applications already built into ROM memory, the ability to separate Data Preparation from the Personalization process, and the incorporation of fast personalization capability in the platform design. The card cost is also kept low as MULTOS is the most efficient open platform for multiple applications with smaller and faster application, meaning more applications can run on a smaller chip size.

Keycorp MULTOS product family includes MULTOS and MULTOS step/one platforms, built on the latest Infineon SLE 66Plus suite of contact, contactless* and dual interface technology, with memory ranging from 4K (low cost MULTOS step/one) all the way through to large 64K devices.

As an additional value add, Keycorp MULTOS platforms come preconfigured with some of the most widely used smart card applications, such as EMV payment, e-purse, PKI and match-on-card biometric algorithms (from Precise Biometrics).

Keycorp MULTOS smart card technology has been deployed in high profile smart card projects, such as government solutions (including Hong Kong National ID, Norway State Lottery and others), major EMV migration projects around the world (including dozens of MasterCard member banks and other regional payment systems). Beyond the supply of technology, Keycorp also offers commercial and technical services and support for smart card technology and EMV migration, including our expertise in payment terminals and gateways, directly to banks and government agencies.

* MULTOS contactless platform suitable for contactless payment and ICAO e-passport deployment is to be released in 2005.

FOR MORE INFORMATION VISIT www.keycorp.net


ADVANTIS GIVES SERMEPA THE ADVANTAGE!

SERMEPA is a leading provider of electronic payment solutions. SERMEPA’s core competencies are thorough insight into all aspects of payment processes and the ability to convert this perspective into new competitive services that can help our ServiRed’s financial institutions strengthen their business.

In this way, SERMEPA has been developing its PRICENET platform in order to handle EMV chip card transactions by means of: more than 27,000 ATMs making up the ServiRed Network; more than 500,000 ServiRed merchants; more than 30 MM ServiRed cards currently facing EMV migration.

SERMEPA develops products and technology that supply all the necessary infrastructure for processing financial transactions with multi-application cards taking into account both issuing and acquiring perspectives. SERMEPA is prominent in this area having developed the Advantis multi-application card operating system.

The Advantis family, consisting of Advantis (previously TIBC 3.0), Advantis Crypto, Advantis Contactless, Advantis Crypto Contactless and Advantis JavaCard™, has made SERMEPA an international leader in the payments industry. Advantis Crypto is a new generation of smart cards whose operating system is the first in the world to combine, in a single chip, debit/credit applications under the EMV standard, and the electronic wallet under the CEPS standard. In addition, Advantis Crypto provides support to PKI applications, and thanks to its Cryptographic Library it allows interoperability with numerous PC operating systems and applications.

In the field of ServiRed EMV ATM technology, SERMEPA developed the ServiRed EMV Kernel to facilitate the migration from magnetic stripe to EMV ATMs, regardless of the operating system used by the ATM. Furthermore, SERMEPA is accredited by EMVCo as a level 2 EMV certification laboratory, helping suppliers of POS and ATMs to certify their equipment under EMV specifications. SERMEPA developed the Advantis Validator applications to help issuing companies with their smart card pre-personalization, personalization, and post-personalization processes.

Another noteworthy innovation is the development of the Advantis Contactless and Advantis Crypto Contactless operating system, which adds to the functions of the Advantis Operating Systems a dual interface with both contact and contactless technology. Advantis Contactless technology combines the Advantis family EMV debit/credit functions with a proprietary transportation card application.

Also, SERMEPA created Advantis Operating System and Applet Visa Cash Wallet Advantis TIBC 3.0 with Java Card technology, meeting GlobalPlatform specifications.

SERMEPA’s services combine traditional technologies with the development of the most advanced solutions. In pursuit of this objective, SERMEPA offers:

Authorization, exchange, clearing and settlement through its PRICENET communications node

Research and development in new technologies, especially in electronic commerce, chip technology, payments by mobile phone, and many other innovative value-added services

Payment systems consulting services both to member institutions and outside companies

Maintenance of the infrastructure of point of sale terminals and ATMs

The telephone center providing complete services to cardholders, merchants, and member financial institutions

Card management systems (CMS) for payment products issued by financial institutions.

FOR MORE INFORMATION VISIT www.sermepa.es


RUNNING COMMENTARY

LONG LIVE THE ‘e’ REVOLUTION

Back in the ‘olden’ days, when computers were more science fiction than science fact, the letter ‘e’ was no more exceptional than the letter ‘a’ or ‘s’. Few could have imagined what was in store for this humble little character; the global importance that it would soon assume.

All considered, it didn’t take long from the launch of IBM’s first computer in 1952, with 1 kilobyte of RAM and a tape drive, to reach the stage we are at in 2005, where a top spec desktop can have gigabytes of RAM and terabytes of hard disk storage. We pick up the story in between these two dates, when the invention of electronic mail, or e-mail, came into being in 1971 on the world’s first large-scale network – ARPANET. It had been invented during the Cold War to ensure quick transfer of data, but it soon caught on as a social medium, something that came as a complete surprise to its inventors. The rest is history, with most people now almost incapable of performing a day’s work without being hooked up to the addictive world wide web and receiving e-mail from far and wide, from friends and strangers alike.

To say that the prefix of the letter ‘e’ to the word mail was catchy is to underestimate the situation. It started a trend that is still ongoing today where, like it or not, ‘e’ precedes almost everything. Try it. Think of a word, put ‘e-’ in front of it, and type it into a search engine. Here’s a few examples in no particular order: e-commerce (obvious), e-house, e-job, e-card, e-flowers, and even e-sex (although quite what that entails one shudders to think!).

If you look at the chapter headings in this issue of SECURE, you will see that the letter ‘e’ is more than just a passing feature. It has almost completely taken over – we have e-banking, e-passports, e-visas, e-government, e-travel and e-transportation. It seems that the security industry and the letter ‘e’ are starting to develop quite a love affair.

Continuing the story. While many ‘e’s appeared to be content to be the oil of commerce on the internet, at some point some of them must have become bored zipping around on the world wide web and decided to take a leap into the real world. And one of the primary vehicles for this amazing journey is no less than the mini-computer that now sits in each smart card in the form of a ‘smart card chip’. (And mini-computer might not even be a suitable description, bearing in mind recent news that smart cards containing a whopping 256 megabytes of RAM have just been launched.) These intrepid adventurers found their way into mobile phones – in the SIM – smart bank cards, ID cards, visas, travel tickets and their latest escapade is an assault on the world’s passports to ensure their global credentials remain intact.

As is often the case, the grass is always greener on the other side of the fence. So for some ‘e’s when it became clear that life in the first mobile phones was going to be pretty boring – just storing names and addresses and a few other pertinent details – they decided they missed the wheeling dealing world of e-commerce and tried to re-create their old lives in their new environment. So out with the old and in with the new and the first thing to have was a name change. So after a great deal of thought, the little ‘e’s became little ‘m’s and after a few false starts the great new world of m-commerce was born.

SCIENCE FICTION

The smart card industry – along with many other identification technology industries – has recognized the importance of the letter ‘e’ for years, and is either busy targeting the existing ‘e’ markets, such as e-commerce, with its solutions to ensure proper authentication between individuals, or else, it is busy forging ‘e’ markets of its own, in the creation of products, such as e-passports.

On page 8 in the article “Security Takes to the Skies” the various scenarios graphically illustrate how the smart card is now pervading almost every aspect of daily life. It also highlights that while all this technology is new, it is certainly no longer science fiction, but ‘science fact’. This is true. However, if I were a smart card business development manager, I would not only be interested in where today’s markets are, but I would want to have my finger on the pulse of what’s coming up. In other words, I would want to know what will be tomorrow’s science fiction.

A good place to start would be a dictionary of all the ‘e’ words. When in need of inspiration, the executive would run their finger down the list and apply knowledge of their products to the words on the page. They might be surprised just how many potential markets might appear. And all thanks to one (or maybe two) humble little letters. Long live the ‘e’ revolution!

by Mark Lockie