An Overview of Smart Cards
by Shawn Prestridge, IAR Systems

There are many different kinds of smart cards in use today as the need for security increases in our global marketplace. Given the nature of how information is collected about individual users and transmitted across electronic networks, people are greatly concerned about the security of the information that they exchange with electronic devices such as Automated Teller Machines (ATMs) and credit card readers via the traditional possessed-object cards they carry on their person. Classical possessed-object cards are stateless in nature, as they typically contain just a few bytes of information on their magnetic strips, such as the account holder’s name and the account number assigned to them. Because of their low security, classical cards offered very little protection from nefarious people bent on stealing information from these cards by the use of fake ATMs or by temporarily separating people from their cards, e.g. waiters taking a credit card to the back of the restaurant to process the payment for a meal and also running the card through a portable credit card reader that can be attached to a standard PDA.
With these concerns in mind, many different entities went to work trying to address these issues in their own ways, most notably in 1993 when MasterCard, Visa and Europay agreed to work together to develop specifications for the next generation of payment, be that via a credit card or a debit card. One of the ideas for debit-card systems was that the account holder’s balance was actually on the card. This had appeal because it meant that a merchant’s payment processing system need not be connected to an electronic network full-time in order to process a payment. However, this meant that security precautions had to be taken to ensure that a crafty account holder didn’t hack his or her own card and artificially inflate the account balance available on the card; it was clear that some sort of protection mechanism needed to be incorporated into the card. The three companies began to develop a standard called EMV, named for the companies collaborating to create it. Eventually, this gave way to such international standards as ISO/IEC 7816, ISO/IEC 7810 and ISO/IEC 14443.
Currently there are two primary kinds of smart cards: contact and contactless. Contact smart cards are typically inserted into a reader which interfaces with the onboard microcontroller unit (MCU) via the following pinout:

[Figure: contact smart card pinout]

There are several advantages to contact smart cards:
- They do not require internal power sources; power is provided by the smart card reader via the Vcc pin.
- The card must be deliberately inserted into a reader in order to be read; it cannot be scanned by a device that is merely in the proximity of the card (we will expound on this in a moment).
- The infrastructure is generally cheaper than it is for contactless smart cards.
Because the power is provided by the reader, the amount of power that can be supplied to the card is effectively limitless; therefore, these types of cards provide more flexibility in terms of the amount of functionality that they can provide. The security for smart cards is usually provided by sundry cryptographic algorithms, many of which are notoriously compute-intensive when negotiating an authenticated handshake between the card and the reader. As the number of computations increases, the amount of time required to authenticate the card to the reader and vice versa grows correspondingly. The customer using the smart card and the merchant purveying goods and/or services expect that the delay for this authentication should be nearly imperceptible, so as the infrastructure adopts increasingly complex algorithms to ensure security, the MCU will need to be run at higher and higher clock frequencies in order to complete the algorithms in a reasonable time. The increased clock frequencies necessitate more power to be supplied to the MCU, which isn’t a problem in this scenario because the reader can simply supply more amperage to the MCU. However, increased security is not the only thing that makes the limitless power attractive: the infrastructure can later be expanded to add more functionality to the whole system, which would require the MCU to execute more cycles. This idea will be expanded upon later in the article.
The designers of a contact-based system have a luxury in that the card can only be activated if it is inserted into a reader. This allows engineers to assume that the card is being used by a legitimate user for normal purposes rather than being accidentally activated, thus allowing the authentication scheme to confirm the identities of the user and the merchant. Contactless systems have to worry about passive scanning of a card, such as by a nefarious person sitting near the owner of a card at a coffee shop or on a public transportation system in order to get account information off the card. Moreover, these contactless systems also have to concern themselves with the card not being close enough to the reader for a sufficient amount of time to obtain a coherent negotiation between the card and the reader. As with wired vs. wireless Ethernet, there are far fewer complexities when a wired system is adopted.
Because a contact smart card does not require Radio Frequency Identification (RFID) equipment to be attached to the card and to the reader, the development costs of the system are typically cheaper than they are for contactless systems. This offloads most of the cost of the equipment to the reader and not to the individual cards and can be a significant savings, particularly if the cards are to be mass-produced. While the cost of developing contactless cards can be mitigated by passive contactless systems (such as those in electronic toll systems for collecting fares on a highway), the penalty is the amount of information that can be exchanged between the reader and the card which is typically very low. The tried-and-true method of activating a circuit by physical electrical connection is more reliable and cheaper than trying to establish contact over a distance.
Contactless cards, by contrast, offer a greater range of flexibility than their contact-based brethren. They can:
- Scan a greater number of items per unit time than contact-based systems
- Scan cards without overt interaction by the user
- Work indefinitely as there are no electrical contacts that fray over time
Generally, contact-based readers are designed to make contact with only a single card at a time. However, contactless systems can be designed such that they can read multiple cards simultaneously since there is no physical interface between the reader and the card. The removal of this one-item-at-a-time limitation allows the contactless systems to scan a multiplicity of items simultaneously because the antenna of the reader can be pointed over a wide area and establish contact with multiple cards simultaneously. Moreover, the contactless paradigm is generally faster at scanning cards because “contact” between the reader and card can be established only as long as is necessitated to read the data on the card and process it. Perhaps the best way to illustrate this is with test systems that Wal-Mart has employed to speed their checkout process. The RFID-based system simply passes a wand over a shopping cart loaded with goods, each good possessing a unique RFID tag. The wand reads the different RFID tags and scans its database looking for the cost of the item to add to the shopping cart’s total purchase price while simultaneously deducting that item from the store’s inventory which is stored in the mainframe at the back of the Wal-Mart. What would traditionally take a checkout clerk several minutes to process could now be reduced to a matter of a few seconds. This concept is also illustrated in toll-collection systems on many roadways where the vehicle simply drives under a wireless reader that scans the toll tag of each vehicle which can be cruising at speeds of 100 kilometers per hour or more; in such a scenario, a contact-based system would not be feasible. 
These types of systems draw power from the electromagnetic wave that is used to scan the card, but the power is relatively limited which makes the amount of processing that can be performed by the card rather limited; in fact, toll tag systems typically just transmit a tag identification number back to the reader which is tied to the user’s account in the toll collection authority’s database.
Additionally, contactless systems allow scanning of the card without the user consciously making their card come in contact with a reader. As mentioned previously, this can be both a boon and a bane for this type of card because the problem with security is much greater than it is with a contact-based system. However, it is also quite a convenience in some of the aforementioned examples because it greatly speeds the process of the transaction and is easier on the end user. Some devices have been engineered in such a way that they require relatively close proximity to the reader in order to scan properly; this is done in order to mitigate the security concerns but still allow ease and speed of use.
There are also two types of cards that take advantage of both the contact-based and contactless systems: dual-interface and hybrid cards. A dual-interface card has a single chip that has both the contact-based and contactless hardware connected to it, whereas a hybrid has two chips, one to handle the contact-based connection and the other for the contactless connection. Needless to say, both of these types of cards give you the best of both worlds but have the downside of being more expensive solutions to implement. Sometimes these cards can provide the same services regardless of which interface is being used; other times, the operations of the contact-based and contactless systems can be completely different, e.g. the contactless interface could be used to give a student entrance to a library or school building while the contact-based interface accesses the student’s meal or debit account.
In all of the aforementioned systems, smart cards can be categorized into two different types: memory cards and microcontroller chips. Memory cards typically have things such as account numbers or account balances stored within them and have some rudimentary cryptography to prevent unauthorized access to said data. Account numbers should be protected to keep criminals from stealing someone’s card and being able to access the account numbers stored within them. The account balances must be protected from nefarious legitimate users who might otherwise artificially inflate their account balances, a sort of modern-day counterfeiting of money. While these are indeed an important part of the smart card market, the bulk of this and future Developer’s Toolbox articles will focus on the microcontroller-based smart cards. These cards provide a litany of functionality to the developer, the likes of which are limited only by the imagination of the developer and the size of the ROM on the card. If the ROM of the card is Flash-based, then the card can be reprogrammed to address security concerns or to add more functionality to the card. Added features to the card, however, generally require more processing time to complete or perhaps more processing power as the clock on the microcontroller may be stepped up to offset the added demands of the new features. In this scenario, contact-based cards have a distinct advantage because their power is supplied by the card reader which is typically plugged into the wall. Contactless systems in this scenario might be required to either compromise their battery life or resort to a more powerful wave from the reader.
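The protection of an on-card balance against a holder who rewrites the card's memory, as described above, can be sketched as follows. This is an added example, not code from the article or from any payment standard: the record layout, the HMAC-SHA-256 construction, the demo key, and the card's tamper-resistant one-way counter (`hw_counter`) are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in practice it lives only in the terminal's secure module.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BODY = struct.Struct(">QI")   # balance in cents (8 bytes), transaction counter (4 bytes)
TAG_LEN = 32                  # full HMAC-SHA-256 tag

def card_key(card_id: bytes) -> bytes:
    """Per-card key derived from the master key and the card's serial number."""
    return hmac.new(ISSUER_MASTER_KEY, b"card-key|" + card_id, hashlib.sha256).digest()

def seal(card_id: bytes, balance: int, counter: int) -> bytes:
    """Record the terminal writes to card memory: body followed by its MAC."""
    body = BODY.pack(balance, counter)
    tag = hmac.new(card_key(card_id), card_id + body, hashlib.sha256).digest()
    return body + tag

def verify(card_id: bytes, record: bytes, hw_counter: int) -> int:
    """Return the balance, or raise ValueError if the record was altered or replayed."""
    if len(record) != BODY.size + TAG_LEN:
        raise ValueError("malformed record")
    body, tag = record[:BODY.size], record[BODY.size:]
    expected = hmac.new(card_key(card_id), card_id + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: record altered or copied from another card")
    balance, counter = BODY.unpack(body)
    if counter != hw_counter:  # an old, validly sealed record restored by the holder
        raise ValueError("stale record: counter differs from the card's one-way counter")
    return balance

def debit(card_id: bytes, record: bytes, hw_counter: int, amount: int):
    """Offline payment: check, subtract, re-seal under the next counter value."""
    balance = verify(card_id, record, hw_counter)
    if not 0 <= amount <= balance:
        raise ValueError("invalid amount")
    return seal(card_id, balance - amount, hw_counter + 1), hw_counter + 1

def status(card_id: bytes, record: bytes, hw_counter: int) -> str:
    """Terminal decision as a string, suitable for a transaction log."""
    try:
        verify(card_id, record, hw_counter)
        return "accept"
    except ValueError as exc:
        return f"reject: {exc}"
```

The MAC alone stops an inflated balance but not the restoration of an older, genuinely sealed record; rejecting that case depends on the counter being stored where the holder cannot rewind it.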
The uses of smart cards are sundry and as such there are many variations of smart cards on the market. In the coming months, we will explore the topic of smart cards in greater depth and detail and include code examples of how smart cards can be used to do some of the more popular applications mentioned in this overview. We will also discuss best practices of coding and how to get more out of the IAR Embedded Workbench IDE in your project as you pursue smart card solutions.

This article was published in e-News from IAR Systems.