|Resources Articles||Site Map|
Cartes 2002 - Trip Report
by Kevin Shorter
and Bryony Pomeroy
Cartes 2002 - the 17th international forum for card technologies and techniques - took place on the 5th, 6th, and 7th November 2002 at the Paris-Nord Villepinte Exhibition Centre (France). Kevin Shorter and Bryony Pomeroy of QinetiQ Trusted Information Management attended the conference - the following is a brief summary of the presentations they attended.
Speakers from NIST and DCSSI gave a brief summary of the Common Criteria and their relevance to Smart Cards. The talk began with an outline of the history of evaluation criteria. The first formal evaluation guide was the 'Orange book', published in the mid 1980's. This was followed in 1990 by MSFR (NIST), and the Federal Criteria in 1992. The European ITSEC was produced in 1991, and the Canadians published their TCPEC in 1993. The Common Criteria were developed between 1993 and 1998, and are under continual review (the current version of the CC is v2.1).
The CC do not contain security 'requirements' - instead they use the concept of protection profiles, which may be used as a statement of requirements. Accredited laboratories evaluate products by testing conformance to the required protection profile. The number of these laboratories has been growing steadily over the past few years. In 2000 there were 25, there were 27 in 2001 and at present there are 33. The number of products gaining CC certification has also been growing in recent years, with 27 in 2000, 30 in 2001, and 68 in 2002.
It was noted that a CC certificate does not imply that the product is secure. In the ensuing debate, the speaker conceded that CC gives some measure of confidence that an evaluated product is secure, but cannot give a guarantee. It was also noted that the CC does not provide for the assessment of cryptography, although it is hoped that this will be addressed in the future.
There are two international agreements in place: the CCRA (the scope of which is capped at EAL4) and the SOG-IS (which covers up to EAL7).
As far as Smart Cards are concerned, evaluations are carried out in two phases. The first step is to evaluate the microcontroller, and the second step is to test the Smart Card together with the applications on it (using the results from the first step).
ST22 spoke about what they perceive to be the future for the JavaCard platform. The presenter pointed out that today's Smart Cards consist of 70% memory and 30% logical parts. He envisaged that by 2008, Smart Cards would contain around 90% memory and 10% logic. He stated that 32-bit CPUs are now mainstream, although 8 and 32 bit architectures will co-exist for the next 3 years. In his opinion, JavaCard 3.0 (the next version of JavaCard) will be "closer to Java". He thinks it will incorporate enhanced hardware features (e.g. changing the memory model) and will include greater backward compatibility. He also thinks that there will be a protocol independent architecture, improving card management and resulting in better platform interoperability.
Over the three-day conference, a great deal of emphasis was placed on real-world implementations of Smart Cards.
ASK spoke about a contactless paper ticket. Many ticket-based systems use magnetic stripe tickets, but these are old technology - there is a need for an alternative that is: more secure/harder to forge; faster; lower maintenance; and capable of holding more information. The most important factor, however, is low cost. The C.ticket is basically a contactless Smart Card with a paper body and printing for the antenna. The C.tickets can be produced at a rate of 10 per second, and are designed to be disposable and completely biodegradable. The tickets conform to ISO TFC.1 and follow ISO 14443. Already, 4 million tickets have been delivered (some to be used on the French train network). The tickets cost from 30 - 40 cents each, although more secure chips increase the cost per unit.
Along the same lines, the speaker also discussed the C.label, a contactless smart label.
Xiring gave a presentation on access control with strong authentication. The talk concentrated on Xi-Sign, a handheld mobile authentication device that works in conjunction with a Smart Card. Authentication is achieved using challenge-response. A challenge is sent to the user via the Web. The user inserts their Smart Card into the Xi-Sign device, and then types in the challenge on the keypad. The Smart Card generates a response, which is displayed on the screen. The user than copies this response to the server. The challenge is typically 8 characters, and the response is usually 3 groups of 4 or 6 characters. Thus, the user is required to do quite a lot of copying of characters in order to use the scheme. Having said that, it is fairly easy to deploy, and there is no need to purchase and install card readers.
ALSTOM deal mainly in the fields of energy and transport. Their presentation concentrated on CASPA (Common ALSTOM Security Policy and Architecture). The aim is to promote security (protecting company assets) whilst reducing costs and making the IT as "user friendly" as possible. CASPA has taken the approach of defining confidentiality, integrity and availability throughout the 7 OSI layers, setting out the policy and then 'injecting' it into the architecture. CASPA includes the following components: smart token; single sign on; disk encryption; PKI; personal firewalls; a "secrets" manager for storing passwords; windows logon; VPN; and LDAP.
A speaker from OmniTek gave a presentation on Prox cards. 'Prox' is a term used in the US to describe an RFID technology used in the access control market. This presentation concerned a new version of Prox card that overcomes several of the security weaknesses of its predecessor. With the old cards, the RF interface is publicly available, making it very easy for people to sniff the signal and then program a blank card to replay the same signal. The new card also benefits from encrypted communication and mutual authentication.
For access control, contactless cards are preferable to contact cards for at least two reasons. Firstly, they can transfer data at higher rates than contact cards, so that access decision is reached quicker. Secondly, the readers can be buried in walls of buildings, so are far less susceptible to vandalism.
The speaker then outlined the types of contactless Smart Card available. In addition to the standard card there is the Hybrid card (aka Combi card), which is a contactless card with an extra contact chip (and no connection between the chips), and a dual interface card, which has two interfaces to a single chip.
A speaker from BMS introduced the Moneo contact e-purse, which is currently being developed in France. The e-purse will be included in renewed and future credit cards for consumers (there are 40 million credit cards currently in France). It will cost the consumer between � 5 and 12 per year to use the e-purse, and consumers will need to register (it is not mandatory). The e-purse can be used to pay for small-value items. In an attempt to mimic the paper cash world, use of the e-purse is anonymous - there will simply be an item on the statement. The e-purse can be used for parking, at cafes, bakeries, newsagents, chain stores and banks, as well as for the SNCF. In the future they are planning for a multi-application card, and are currently looking for clear business cases to satisfy this within the next three years.
A presentation from the North East Regional Smart Card Consortium discussed current UK ID card plans and Smart Card initiatives underway in the UK. This included the Department of Work & Pensions and Department of Education (16-19 year olds) schemes. The speaker posed the question "Will there ever be an ID card in the UK?" The north-east region (including Northumberland, Tyne and Wear, Durham, Tees Valley) has 26 local councils and a population of 2.7 million. They are working with the major transport operators (bus, train, metro), Newcastle University and the regional development agency to roll out Smart Cards throughout the region. The emphasis is on citizen-centric (putting people first) and multi-application (transport - purse, incentives - retail and local Government services). The region is currently undergoing pilots including 30,000 GemSafe cards used for transport (hybrid contact/contactless card), school meals, leisure, rewards/incentives and authentication. The major lesson learnt from this rollout to children was that they did not like the colour scheme of the card - hence the citizen-centric approach! Future aims are to integrate with other UK Government initiatives such as the Connexions scheme and across Europe. The region is planning to set up authentication for e-Government services, corporate access (physical and logical) and for "data consent management". They are using the UK Government framework, which defines 4 levels of authentication for Government transactions (0 - informal, 1 - personal, 2 - financial/statutory consequence, 3 - sustantial financial/statutory or safety consequence). For example, with level 1 a citizen can log on to the Web site and view councillor information, whereas level 3 is required to examine account information. They are planning to set up a PKI and biometrics, and expect to receive enough funding from the UK Government to cover this.
The current state of Smart Card technologies in China was outlined. China currently has some 200 million identity cards and 500 million banking cards in circulation. However, there is still an enormous demand for cards (with 800 million + identity cards needed to cover the entire population). Many of the early identity cards are now out of date, so (in an attempt to cut down on fraud) China is currently producing the second generation of ID cards, known as the Chinese Citizen ID card. This citizen card is used to authenticate individuals in a wide variety of situations, including: elections and voting; census; marriage; joining university or college; obtaining passports, visas and driving licences; boarding aeroplanes or boats.
Total System Services Inc. gave a presentation on chip migration in Japan. Research into chip cards in Japan began in the early 1970's, with a variety of pilots being carried out in the 1980's. One such pilot was the VISTA Project, where a 'super Smart Card' was developed. The card incorporated a display, but was far too expensive (the cards costing in excess of 100 euros).
The presentation then concentrated on the present-day situation and plans for the future. It was explained that Japanese banks are keen to migrate to EMV, because they are currently using magnetic stripe cards with the stripe positioned on the front of the card, so need to change anyway. Also, the Government has promised to introduce new legislation to combat card fraud if the banks migrate to EMV. The Japan Credit Card Association (JCCA) aim to complete migration to chip cards no later than 2008 and it is expected that all credit cards currently in circulation will have been converted to chip by 2006. There was some discussion about Loyalty schemes, which are very important applications for Smart Cards in Japan. Japan also makes great use of Smart Cards in transportation. Cards are used for drive-through tolls on motorways, and a pilot has been in progress since 1999. It was noted a problem with this scheme is that it is not possible to protect the card with a PIN, as it would be too dangerous to enter it while driving.
A presentation given by American Express discussed possible uses of the EMV network other than providing secure payments. It was suggested that EMV chip cards could potentially be used for payment (both physical and over the Internet), authentication (with the addition of digital certificates), e-purse applications, loyalty schemes, ticketing for transport and Web navigation. It was pointed out that chip cards have a significant advantage over magnetic stripe cards for loyalty applications because rewards can be instantly redeemed. The speaker suggested that these possible applications could be treated as a menu, with the user picking what they want from the list.
Of the presentations on real-world Smart Card schemes, it was noticeable that a large proportion incorporated biometrics in some way.
HSB Card & Card Systems discussed a Smart Card based scheme due to be rolled out in the Netherlands in the next few months. The aim of the scheme is to provide an identification mechanism for patients within the drug administration system, while maintaining patient privacy. It is vital that drugs are given to the correct individuals (particularly with the distribution of drugs such as Heroin). To provide strong authentication, the card carries a template(s) of the patient's fingerprint(s), and these are also stored centrally on a server. When a drug is requested, the patient's fingerprint is matched against the stored template, which unlocks the data on the card. Interestingly, the system is built on Linux, so is open-source.
The system has been piloted over the last few years. Several biometrics were tested, including signature verification, hand geometry, and fingerprints. Signature verification was found to have a high failure rate at the enrolment stage, and the technology was judged to be inadequate. Hand geometry was found to be prohibitively expensive. Fingerprints were chosen primarily because of their relatively low cost.
From 2002 to 2004, the system will be rolled out to around 30 000 patients at around 200 locations.
The goal of the EU Fingercard project is to produce an ISO compliant Smart Card with an ultra-thin fingerprint reader built into the card itself. As the speaker from Infineon Technologies explained, the card currently exists in prototype. The advantages of the Fingercard were listed as: Dual factor security; Secure and local data management on card through access protection and on-card encryption; Physical and electrical protection through tamper-resistant device; Biometric computation in a safe environment; Reduction of infrastructure costs. From a security perspective, the advantage of the card over other biometric implementations is that the reading, matching, encoding and storage of the biometric are all done on the card. It was noted that because the card was required to be ISO compliant, it was not possible to incorporate finger position markers around the sensor. However, this would have been possible with a token.
Zorg En Zekerheid introduced the Parkinson Project - a collaboration between several organisations in Holland to provide Smart Cards to sufferers of Parkinson's disease. The card stores all the patients medical data pertaining to the disease to help maintain a record for the patient and to help them to manage their medication. The card uses biometric authentication (fingerprints) rather than a PIN because many of the patients are elderly and unable to remember PINs. The patient is also supplied with a handheld card reader, which notifies them when they are due to take some medication.
There were also several presentations relating to security weaknesses in Smart Cards and protocols.
An excellent presentation on side channel attacks on Smart Cards was given by Gemplus. Simple analogies were used to illustrate power analysis and timing attacks. To explain a power analysis attack, the example was given of a journalist who wants to know when a group of negotiators reach agreement. The negotiations are taking place in a hotel, and the journalist has access to the hotel's power supply. If the journalist sees the electricity meter disk spinning quickly, this indicates the negotiators are in separate rooms, and a deal has not been struck. If the disk is spinning slowly, the negotiators are in the same room, and have reached an agreement.
To illustrate a timing attack, the following scenario was described. There are two pots, one red and one blue. One of the pots contains �28 and one contains �10. An attacker wants to know which pot contains which amount. He asks someone with access to the pots to multiply the contents of the blue pot by 10, the contents of the red pot by 7, add the two results, and tell him whether the result is even or odd. Of course, both calculations yield even answers. However, the average person will take longer to perform the calculation (28 x 7) + (10 X 10) than (10 x 7) + (28 x 10). Thus, by measuring the amount of time it takes for the person to arrive at the answer that attacker can find out how much money is in each pot.
Possible countermeasures to these attacks include: adding noise and / or random delays; modifying the chip so it has a uniform power consumption; designing the algorithm so that information leakage does not matter; and adding capacitors to 'smooth out curves'. EMV is a payment standard written in 1996 by Europay, MasterCard and Visa. The stated objectives are to move authorisation offline, decrease systemic risk, and to decrease financial risk. A speaker from Iteon pointed out some of the security issues with the standard. EMV-specific areas of risk were described as: device application authentication (the device is never authenticated by the card, so false terminals can be a problem); card application authentication; cardholder verification (EMV allows 'no authentication' this is down to the vendor); weak implementation; and poor certification. It was stated that cloning an EMV card is a relatively simple task, with all the necessary information and equipment available on the Internet. It was pointed out that an intelligent clone will never go online, and will always answer positively to a PIN validation (a so called 'yes card'). Weaker clones will go online, but they still cannot be shut down. Therefore, unless they are physically removed, clones are there forever once they are made.
[R] Content restricted to Daily News and Newsletter Subscribers only
|© 2002 Smart Card News Ltd|