Making inroads in security, smart cards have gained market momentum with the passing of federal programs and clear advantages of multiple technology credentials. Multi-technology credentials and multi-function applications bring convenience, security and safety to an ever growing range of applications.
Schools are one vertical market where you are seeing the smart card application in wide use. Smart cards are used worldwide as campus IDs at colleges and universities, often combining access, identification and payment functions. Uses can include:
• Parking access.
• Guard tour.
• Academic Building Access.
• Faculties Management Access.
• Event Access.
• Dorm Access.
• Library and Network Access.
• Meals.
• Book Store purchases.
• Vending machines.
• Local Community participating vendor transactions.
• Spot check identity verification.
A Typical Smart Card Deployment
Eastern Illinois University is using smart cards in its Panther Card Program. With the credential having a computer chip on the front surface of the card and a magnetic stripe on the back, the combination allows for multiple functions with just one card. It serves the following functions at present and new applications may be added in the future.
Identification: The Official University Identification card, which is required for all students, staff and faculty.
Cash: Smart Chip technology brings the convenience of electronic cash for on-campus purchases.
Checking: A Unique partnership with First Mid Illinois Bank, designed to bring the best possible financial services to students and staff.
Dining: The card provides access to the university meal plan options - Meal swipes and Dining Dollars.
With the smart card market poised for 30% growth over the next five years (Frost & Sullivan), the issue of balancing security with usability has moved to the forefront. This month's offering of case histories, new products and experts will give you additional insight into multi-technology credentials.
Protecting the Data
While smart card technology brings numerous advantages, security still represents a significant issue. Security Dealer interviewed Paul Kocher, president and chief scientist, Crytpography Research, regarding encryption solutions to this problem.
SD: What is the background of Cryptography Research?
Paul Kocher: Cryptography Research Inc. specializes in solving complex data security problems. In addition to security evaluation and applied engineering work, CRI is actively involved in long-term research and technology licensing in areas including tamper resistance, content protection, network security, and financial services.
SD: What is CRI's role in smart card security? What issues does your company address?
CR: We provide technology and services used by companies that make smart cards. Our job is to help improve the cryptographic and physical security of the cards. One area that is a particular focus is making sure that smart cards are protected against power analysis attacks, which are the digital equivalent to picking a combination lock using a stethoscope.
SD: What are the defacto encryption standards for smart cards, and how do they differ or what are their similarities to other encryption schemes such as that used on proximity and magstripe access control credentials?
CR: Proximity cards and magnetic stripes generally do not use any encryption at all. As a result, anyone who can gain access to the credential can copy it.
For smart cards, there are two main classes of cryptographic algorithms that are used:
• Symmetric, or secret-key, algorithms use the same key in the card and the verification device. These methods reduce the cost of the card slightly, but require that each accepting device be able to communicate with a secure server that can verify the card. Virtually all products using symmetric cryptography use either AES or triple DES (3DES), which are U.S. Government standards and are extremely secure
• Asymmetric, or public key, algorithms do not require secret parameters when performing encryption or verification operations. These enable the mathematical equivalent of a padlock, which can be locked by anybody but requires a key to open. Although the card cost can be a few cents higher, they can lower infrastructure costs and improve reliability by reducing the need for accepting devices to communicate with servers. The most commonly used public key techniques are the RSA and EC-DSA (elliptic curve DSA) algorithms.
There are standards that describe how these techniques are implemented. The main ones are: ISO-7816 and ISO-14443 define physical interface requirements for contact-based and contactless smart cards, respectively.
• Federal Information Processing Standard 201 (FIPS 201) defines the U.S. government ID card for federal employees.
• Common Criteria and Federal Information Processing Standard 140 (FIPS 140) define requirements and validation procedures for security devices.
PAYMENT SYSTEM BRINGS NEXT GENERATION TECHNOLOGY TO SLIPPERY ROCK UNIVERSITY
A unique college campus solution developed by Heartland Payment Systems' new micro-payments division, capitalizes on two well-established trends: the ubiquity of the mobile phone among college students; and the popularity of new contactless, or tap-and-go, payments among American consumers.
According to Heartland, this program launches the next generation of campus card programs which have remained unchanged for the last 20 years.
Beginning in July, Slippery Rock University 's 8,500 students, faculty and staff received a new official campus ID card and a separate contactless token designed for use with their mobile phones. Slippery Rock University is located in Pennsylvania .
Using either the card or the phone, they will be able to make payments at on-campus locations as well as participating merchants in the surrounding community. During the summer, campus vending machines, laundry facilities, photocopiers and printers will be outfitted with dual-technology readers to enable contactless payments via mobile phone in addition to the traditional ID card payments.
The new mobile phone tokens incorporate the same standards-based contactless technology (ISO 14443) used worldwide by MasterCard, Visa and leading card issuers in the payment and identity sectors. The technology enables data to be read without physical insertion into – or contact with – a card reader. Thus, it is more convenient and secure than prior payment options. By design, the phone must be held in close proximity – no more than 2 inches – to an approved contactless reader for communication to occur.
The new Rock Dollars card and ID token provide access to a fully functional debit account that is FDIC insured. Student financial aid will be distributed to the new accounts, and funds can be added or withdrawn from select ATMs.
A robust Website and voice response system enable 24/7/365 account access for balance inquiries, funds transfer, and other tasks. For more information, visit www.heartlandpaymentsystems.com and www.MerchantBillOfRights.com.
FreedomPay and iCLASS Contactless Smart Cards Fully Integrate
The move to contactless transactions may be as transformational to the credentials as the adaptation to IP is for video surveillance; it's hard to predict where it will ultimately go but there is definitely no turning back.
Many consider that the breakthrough began with HID's introduction of its economical and robust iClass 13.56MHz contactless read-write technology in 2005.
HID's clamshell-style card is constructed of an acrylonitrile-butadiene-styrene (ABS) shell and polyvinyl chloride (PVC) cover label that is strong, flexible and resistant to cracking and breaking. Additionally, the card can be custom printed utilizing most direct image printers offering convenient on-site photo identification capabilities.
The iCLASS Clamshell Card is based on HID's iCLASS 13.56 MHz read/write contactless smart card technology platform that includes a highly-secure, encrypted 64-bit diversified key format for mutual authentication. For even higher security, the card data can be protected with DES (Data Encryption Standard) or triple-DES encryption.
It is a symmetric cryptography algorithm which is the U.S. Government's officially adapted standard for the encryption of non-classified information. DES is a block cipher and encrypts data in 64 bit blocks. (Actually 56 bits because 8 bits are parity). DES encrypts 64 bits of data by executing the algorithm 16 times. Triple DES also known as 3DES, is a newer standard that was designed to replace DES. It essentially performs the process that DES does three more times (48).
“It has been our long-standing strategy to provide customers with multiple card technology choices and price points for use with our iCLASS and Prox card readers,” states Jim Colleran, HID's product manager for credential technologies. “These new iCLASS Clamshell Cards demonstrate our ongoing commitment to deliver value-priced credentials for those customers implementing contactless smart cards for access control.”
FreedomPay's online hosted network now integrates fully with the read/write capability of HID's iCLASS 13.56 MHz contactless smart card technology. Jim Ellis, FreedomPay's SVP, comments, “The FreedomPay cashless application, when coupled with the iCLASS card, allows employees and students to link funds directly to their iCLASS card. The solution offers speed of service and convenience, including a higher level of fraud protection and authentication that is not seen in other ID technologies.”
The combination of FreedomPay's cashless network with HID's iCLASS technology illustrates how convenience and security come together to create clearly identifiable benefits. For more information, visit www.freedompay.com.
