Smart Cards in Access Control

Jan. 1, 2004
?Access control refers to the process of granting access to certain entities or persons and refusing access to others. Access used to be primarily physical and was controlled via gates, locks, and security guards. Keys, passwords, PIN numbers and encryption are all currently commonplace mechanisms for limiting access to valuables, files and other forms of data. As we've evolved, access control has moved to new technologies, including the technology of smart cards.

?Understanding Smart Cards
Smart cards generally look like credit cards. What makes the smart card different from an ordinary plastic card is the technology embedded in it that makes it "smart," provides storage capacity of 1K to 64K and enables it to be used in controlling access by identifying and authenticating the user.

In addition to memory or a microprocessor chip, smart cards incorporate RAM, ROM, EEPROM and a serial communications interface. They provide secure information storage and information processing; they respond to tampering by inhibiting the output function. Generally, a secure microprocessor chip is embedded in the smart card. The microprocessor chip is capable of implementing a secure file system, computing cryptographic functions and detecting invalid access attempts.?

The smart card processing unit implements a hierarchical file system on the non-volatile memory of the card and a set of access and control operations for both the card and the file system. The hierarchical file system supports a special root (master) directory file, optional sub-directory (dedicated) files and data (elementary) files according to ISO 7816-4. The identifiers of all files from the master file down to a specific file unambiguously identify the specific file. The three categories of files all contain control information such as the file identifier, file name and record specifications.?

Smart cards implement three levels of logical access control. The first level includes the association of a set of privileges with a user's password and the ability to control access to files on the card based on those privileges. The second level is the ability to detect and respond to a sequence of invalid access attempts. The third level is the "logic channel" that constitutes a logical link between the host system and a file on the smart card.????

Smart cards are dependent on an outside power source provided by a reader interface. Therefore, any information held in conventional RAM is lost every time the card is removed from the reader. The microprocessor uses only a few hundred bytes of RAM for working transactions. ROM contents are fixed in the chip when it is manufactured. Data that is unalterable resides in EEPROM between 1K and 16K.??????????????????????????????????????????????????????????????????????????????????????????

Types of Smart Cards Contact smart cards. A contact smart card has a single, embedded integrated circuit chip that contains either just memory or memory plus a microprocessor. This chip and/or microprocessor takes up only a small portion of the card and is protected by a plastic cover or emblem.?

Cards with memory-only chips have a limited amount of logic circuitry for control and security and contain non-volatile memory. These cards' chips can hold from 103 bits to 16,000 bits of data. Generally less expensive than cards containing microprocessors, memory smart cards have a corresponding decrease in data management security. All memory smart cards require a card reader and depend on the security of the card reader for their processing.?

Cards with microprocessor chips contain an "intelligent" controller that is used for the secure addition, deletion, modification, and updating of information contained in the memory. The more sophisticated the microprocessor chip, the more sophisticated the features for protecting the memory from unauthorized access.

To use a contact smart card, the user must physically insert the card into a reader where pins attached to the reader make contact with special pads on the surface of the card. Once this contact is made, the information on the chip can be read.

Contactless smart cards. Contactless smart cards contain an embedded antenna instead of contact pads connected to the embedded chip. Information can be read and written to the chip and the memory on these smart cards.??

Since they work on radio frequency, contactless smart cards do not have to be inserted into a reader device. Instead, they need only be passed within range of a radio frequency acceptor in order to read and store information on the chip. The range of operation is generally between 2.5" and 3.9".?

Contactless smart cards can be used for many of the same applications as contact smart cards, and they are generally more convenient and faster to use.?

Proximity smart cards. Also known as "prox cards," proximity smart cards communicate through an antenna that has a fairly wide range of operation?up to 20". Prox cards allow a small amount of information to be read, such as an identification code that can be verified by a computer. However, it is not possible to write information back to the card.?

Proximity cards come in several thicknesses, with the antenna generally embedded between the two plastic surfaces of the smart card. These cards are convenient and offer security, identification and access control applications.?

Hybrid and combination smart cards. Hybrid cards are referred to as e-cards by some manufacturers and multi-technology cards by others. They contain two or more of the abovementioned embedded chip technologies.??

One of the most prominent uses for hybrid cards is for upgrading existing badging and security systems. The hybrid card allows the accommodation of legacy systems' card technology and infrastructure while adding new applications and technologies to the card.?

Combination smart cards, also known as dual-interface cards, are similar to hybrids in that they incorporate more than one technology, but different in that they include one embedded smart chip that can be accessed both through contact pads and embedded antennas.?

This card provides both high security and ease of use. It lends itself to mass transit applications where a cash value can be put in the memory chips through a contact-acceptor, and fare can be deducted through a contactless interface.?

Standards
The International Standards Organization (ISO) 7810, and the 7816 series, parts 1-10, specify the physical structure of the smart card. In 1987 the ISO published standard 7816, which allowed smart cards to communicate using the same protocol.??

One major problem in the acceptance of smart cards is that there is no one standard. In addition to the ISO standards, other significant standards are the Europay, MasterCard and Visa (EMV), the Global Standard for Mobile Communications (GSM), the Personal Computer/Smart Card (PC/SC) and the OpenCard Framework. Since the technology continues to evolve, the standards need to evolve also.?

The most common smart cards are plastic with the dimensions of 85.60mm x 53.98x 0.80mm, with a printed circuit and an integrated circuit chip embedded in the card. ISO standard 7816/3 provides five connection points for power and data. The printed circuit is hermetically fixed on the card and is burned onto the circuit chip, filled with a conductive material and sealed. The integrated circuit chip provides the individual capability for each card. To avoid breakage, the chip is restricted to a few millimeters in size. The physical interface is normally limited to 9600 bits per second. The bi-directional serial transmission line conforms to ISO standard 7816/3, and since information is sent in half duplex mode, data is transmitted in one direction at a time.?

ApplicationsIn order to provide highly assured and trusted applications, smart cards are normally used in conjunction with other technologies. Besides being one of the most important uses of smart card technology, access control is also the motivation behind smart card development.? System boot-up. Smart cards can be used for actually booting personal computers and servers where the system requires critical information contained on the smart card and system startup cannot take place until user authentication takes place. This means that if attackers are successful in gaining physical access to the hardware, they will be unsuccessful in accessing the files.? U.S. government use. As of February 2003, the U.S. government has launched 64 smart card programs in various agencies. These cards are issued to government employees to allow them access to their systems when off-site. They are also issued to workers who do not work for the government, such as airport, port, rail and bus workers. The Department of Defense issued 1.6 million smart card IDs to military and civilian employees in 2002 and expects the number to increase in the future.?? Private sector use. Private sector companies like Microsoft, Exxon, and Pfizer are also issuing smart card IDs, some with biometrics like fingerprints, photos, and facial recognition, to protect their networks and facilities worldwide.?? Medical information. In Europe each individual customarily has a smart card containing pertinent medical information that can be presented to any hospital or doctor from whom the individual seeks treatment. These smart cards can be updated after each treatment before being returned to the patient. They also carry pertinent contact information and emergency medical data.? Financial institutions. Banks and insurers are using smart cards for electronic payments because of their capability to process data, their portability and tamper-resistance. Stored-value cards (i.e. prepaid phone cards, transportation cards) and cards that access money balances are both gaining in popularity.? Physical access. More and more hotels, corporations, universities, hospitals, health clubs and commercial buildings are issuing smart cards to personalize access. The use of these cards allows the issuer to give or deny access based on privilege and time restrictions.??

Smart cards have certain capabilities that make them ideal for controlling both physical and system access. While they are more expensive than magnetic stripe cards, operating costs are generally lower for smart cards. Following are some basic requirements necessary for a smart card platform to succeed.

? Smart cards must be an extension of the network and/or Internet environment;

? Smart cards must provide software development tools that have a broad base of developer familiarity and support;

? Each smart card issuer must have the ability to choose components they want and deem necessary from a variety of suppliers;

? Smart cards must incorporate extensive security features and be attractively priced.?

It's anticipated that 2.7 billion smart cards will be in use this year, and the number will continue to grow. Applications will always be the driving force behind the smart card market, since they will be the deciding factor for implementers, adapters, and users of smart cards.?

D.E. Levine CISSP, CFE, FBCI, CPS is a regular contributor to ST&D and a contributing author to Computer Security Handbook, Fourth Edition (Wiley 2002). She can be reached at [email protected].