NNTP-Posting-Date: Sat, 29 Oct 2005 11:34:37 -0500
From: "Scott Guthery" <sguthery@rcn.com>
Newsgroups: alt.answers
Followup-To: alt.technology.smartcards
Subject: alt.technology.smartcards FAQ
Date: Sat, 29 Oct 2005 12:34:14 -0400
Approved: news-answers-request@MIT.EDU
Message-ID: <HoudnTxRU8MAOf7eRVn-hw@rcn.net>

Newsgroups: alt.technology.smartcards,alt.answers,news.answers
Subject: alt.technology.smartcards FAQ
Followup-To: alt.technology.smartcards
Approved: news-answers-request@MIT.EDU
X-Disclaimer: Approval for *.answers is based on form, not content
From: sguthery@mobile-mind.com
Archive-name: technology/smartcards/faq
Disclaimer: Approval for *.answers is based on form, not content.
Posting-Frequency: monthly to alt.technology.smartcards
Last-modified: 2005/11/01
Expires: 2005/12/15
Version: 2.0
URL: http://www.mobile-mind.com/htm/scfaq.htm
Maintainer: Scott Guthery <sguthery@mobile-mind.com>

Frequently Asked Questions (FAQ) for news:alt.technology.smartcards

Comments and suggestions for improvement of the a.t.s. FAQ should be sent to
Scott Guthery at sguthery@mobile-mind.com.  The current edition of the FAQ is
always available at http://www.mobile-mind.com/htm/scfaq.htm.

CONTENTS
1. Purpose of alt.technology.smartcards
2. General Questions About Smart Cards
3. Standards, Specifications and Patents
4. Smart Card Hardware
5. Smart Card Operating Systems and Virtual Machines
6. Fixed-Command Smart Cards, Readers and Tools
7. Programmable and Multi-Application Smart Cards
8. Card and Application Management Systems
9. Resources
10. Legends and Lore

1. Purpose of alt.technology.smartcards

The purpose of alt.technology.smartcards is to provide an unmoderated forum
for the discussion of technology, applications and issues associated with
smart cards. It will serve as a resource for people to:

Engage in discussion and debate about technical and public policy issues
including the security, privacy, legal, regulatory and economic impact of
smart card applications.

Educate and inform others about the strengths, weaknesses and general use of
smart cards; share ideas, information and specific experience about smart
cards, both in technology:

Find information and have questions answered by people in the smart card
industry and developer communities.

1.1 New(s) Items

1.1.1 Free Smart Card Emulator

There is a smart card emulator written in C++ free for the downloading at:

http://csrc.nist.gov/piv-program/index.html


1.1.2 Dhrystone Benchmark Program for Java Card

Folks working with Java Cards wonder about the speed of one vendor's card
versus another's.

The Dhrystone benchmark is an integer benchmark that has been used for many
years to compare integer performance of machines and compilers.  There is a
version of the Dhrystone benchmark suitable for loading on Java Cards
available at

http://www.code.com

Here's a chance to see how your Java Card compares to a VAX 11/780.

2. General Questions About Smart Cards

2.1. What is a smart card?

Historically a smart card has been thought of as a credit-card-sized plastic
card that contains an integrated circuit with memory, and circuitry
controlling the access rules to the memory. Common smart cards use 5 to 8
electrical contacts on one side of the card as a means of communication with
a smart card reader, and the integrated circuit is behind the contacts.

Recently, the security architecture of the smart card has been decoupled
from this physical form factor and there are now smart cards that aren't
physical cards at all.

What makes the card "smart", compared to a memory card or magnetic card, is
the enforcing of access control rules to the data it contains: for example
some areas (like card holder name) might be made read-only after they are
first written; and/or an area (holding the card value) might be written only
in a manner allowing the value of the card to go down, not up. This access
control can be performed by an 8-bit microcontroller similar to a Motorola
6805 or an Intel 8051, or by even simpler circuitry in low-end smart cards.

Much like our concept of recorded music is moving from vinyl disks to blobs
of bits, the notion of a smart card is moving from a piece of plastic to a
software security architecture for portable and embedded devices.  One of
the key smart card standards, ETSI TS 102 221, draws the distinction between
the physical and logical characteristics of smart cards.

The result is that we are starting to see the smart card security
architecture in memory sticks, USB tokens, multi-media cards, mobile-phone
handsets and other places. The only virtual thing about these smart cards is
the absence of plastic.

2.2. Where did the phrase "smart card" come from?

Smart cards were independently invented in Germany (1967), Japan (1970), the
United States (1972), and France (1974). In 1980, when France began a major
campaign to control the technology, Roy Bright of the French government's
marketing organization, Intelmatique, coined the phrase "smart card" to
describe the technology.

The first commercial use of a smart card was a phone card in Brazil.
Invented by Nelson Bardini, this card contained what were essentially fuses
that were blown as the card was used to place telephone calls.
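
The access rules from section 2.1 and the fuse-style phone card described
above can be modelled in a few lines. This is an added example, not code from
any card or vendor: the class, its method names and the sample holder name are
constructed for illustration. It shows that the rules live in the card, so a
reader that asks for a forbidden write is simply refused.

```python
class AccessDenied(Exception):
    """Raised when a command violates the card's built-in access rules."""


class MemoryCard:
    """Constructed model of a low-end card (hypothetical, not a real command set).

    Two areas are modelled:
      * a name area that becomes read-only after its first write
      * a value area made of one-way "fuse" bits (1 = intact, 0 = blown)
    """

    def __init__(self, units):
        if units <= 0:
            raise ValueError("card must be issued with at least one unit")
        self._name = None
        self._fuses = [1] * units

    def write_name(self, name):
        # Write-once rule: the first write succeeds, every later one is refused.
        if self._name is not None:
            raise AccessDenied("name area is read-only after first write")
        self._name = name

    def read_name(self):
        return self._name

    def value(self):
        # The card's value is the number of fuses still intact.
        return sum(self._fuses)

    def write_value_area(self, bits):
        # Raw write to the value area. Only 1 -> 0 transitions are accepted,
        # so no sequence of writes can ever raise the stored value.
        bits = list(bits)
        if len(bits) != len(self._fuses) or any(b not in (0, 1) for b in bits):
            raise ValueError("value area must be rewritten with the same number of bits")
        if any(old == 0 and new == 1 for old, new in zip(self._fuses, bits)):
            raise AccessDenied("a blown fuse cannot be restored")
        self._fuses = bits

    def debit(self, units):
        # Blow `units` intact fuses; refuse if the card does not hold enough.
        if units <= 0:
            raise ValueError("debit must be positive")
        if units > self.value():
            raise AccessDenied("insufficient value on card")
        bits = list(self._fuses)
        remaining = units
        for i, bit in enumerate(bits):
            if remaining and bit == 1:
                bits[i] = 0
                remaining -= 1
        self.write_value_area(bits)
        return self.value()


def demo():
    """Issue a 5-unit card, spend 2 units, then try two forbidden writes."""
    card = MemoryCard(units=5)
    card.write_name("CONSTRUCTED HOLDER")
    results = {"after_debit": card.debit(2)}
    attempts = {
        "rename": lambda: card.write_name("SOMEONE ELSE"),
        "reload": lambda: card.write_value_area([1, 1, 1, 1, 1]),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "accepted"
        except AccessDenied:
            results[label] = "refused"
    results["final_value"] = card.value()
    results["name"] = card.read_name()
    return results


if __name__ == "__main__":
    print(demo())
```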

2.3 Is it "smart card" or "smartcard"?

Most English dictionaries use "smart card" but you'll see both in use.
In French it's "carte a puce" which is roughly "card of a flea".
Tiny integrated circuit chips look like fleas.

2.4. Is the a.t.s. FAQ on the Web somewhere?

Yes. http://www.mobile-mind.com/htm/scfaq.htm

2.5 Are the postings to a.t.s. archived somewhere?

Yes. On Google.

http://groups.google.com/group/alt.technology.smartcards

The Google archive of all postings to a.t.s is searchable in a number
of different ways.

2.6. Is a.t.s the right place for information about satellite card analysis,
emulation and hacking?

Only for TECHNICAL information. Please do not post satellite card
advertisements, channel keys or channel frequencies here. Post here only
information about algorithms, protocols, security breaches, ECMs.

2.7. Is a.t.s the right place for satellite card and other satellite
equipment advertisement?

alt.satellite.tv.crypt.forsale would probably generate more sales.

2.8. Is a.t.s the right place for smart card collectors?

The rec.collecting hierarchy is probably a better selection.

3.  Standards and Specifications

3.1. Are smart cards standardized?

There are all sorts of smart card standards. The physical and mechanical
standards are observed more uniformly than the software standards.

An excellent annotated summary of most smart card standards is at:

http://forum.afnor.fr/afnor/WORK/AFNOR/GPN2/Z15Y/PUBLIC/WEB/ENGLISH/commerce.htm

Some frequently used and referenced smart card standards are posted at:

http://www.ttfn.net/techno/smartcards/standards.html

ISO/IEC JTC1 Information technology SC 17 Identification cards and related
devices (www.iso.ch/meme/JTC1SC17.html) is interested in common smart card
issues. The ISO 7816 series of standards and the ETSI SMG9 standards are
the most important and relevant for smart card application programmers.

ISO 7810 Identification cards -- Physical characteristics.

ISO/IEC 7812 Identification cards -- Identification of issuers.

ISO/IEC 7816 Identification cards -- Integrated circuit(s) with electrical
contacts. A complete description of the ISO 7816 standards is provided in
Section 3.2 below.

ISO/IEC 10536 Identification cards -- Contactless integrated circuit(s)
cards. The standard specifies close coupling (slot and surface) cards
communication (parts 1-3)

ISO/IEC 10373 Identification cards -- Test methods.

ISO/IEC 14443 Remote coupling communication cards. (Contactless cards)

ISO TC 68 Banking and related financial services SC 6
Financial transaction cards, related media
and operations is representing interest of smart payment card issuers and is
developing the standard series ISO 10202 Financial transaction cards --
Security architecture of financial transaction systems using integrated
circuit cards (parts 1-8).

EN 742 Identification cards: location of contacts for cards and devices used
in Europe. New edition specifies the format ID-000 used for GSM Subscriber
Identity Module (SIM).

EN 726 Terminal Equipment (TE); Requirements for IC cards and terminals for
telecommunication use. The standard is the technical basis for smartcards in
Europe.

In the U.S., the National Institute of Standards and Technology (NIST at
http://csrc.ncsl.nist.gov/) has published FIPS 140-1
(http://csrc.nist.gov/publications/fips/fips1401.htm), "Security Requirements
for Cryptographic Modules", which concerns the physical security of smart
card ICs as they are one kind of cryptographic module.

The Swedish government tried to standardize a smart card for use by its
citizens called the Secure Electronic Information in Society (SEIS) card
(www.seis.se) but failed.

3.2. What is ISO 7816 all about?

The formal title of ISO 7816 is Integrated Circuit Cards with Electrical
Contacts. It is the most widely used and referenced smart card standard. ISO
7816 is the international standard for integrated-circuit cards that use
electrical contacts. Anyone interested in obtaining a technical
understanding of smart cards needs to become familiar with ISO 7816.

ISO 7816 currently has thirteen parts:

Part 1 - Cards with contacts: Physical characteristics
Part 2 - Cards with contacts: Dimensions and location of the contacts
Part 3 - Cards with contacts: Electrical interface and transmission protocols
Part 4 - Organisation, security and commands for interchange
Part 5 - Registration of application providers
Part 6 - Interindustry data elements for interchange
Part 7 - Commands for SCQL
Part 8 - Commands for security operations
Part 9 - Commands for card management
Part 10 - Cards with contacts: Electrical interface for synchronous cards
Part 11 - Personal verification through biometric methods
Part 12 - Cards with contacts: USB electrical interface and operating procedures
Part 13 - Commands for application management in multi-application environment
Part 15 - Cryptographic information application

3.2.1. Part 1: Physical characteristics

Defines the physical dimensions of contact smart cards and their resistance
to static electricity, electromagnetic radiation and mechanical stress. It
also prescribes the physical location of an IC card's magnetic stripe and
embossing area.

Amendment 1 : Maximum height of the IC contact surface

3.2.2. Part 2: Dimensions and Location of Contacts

Defines the location, purpose and electrical characteristics of the card's
metallic contacts:

3.2.3. Part 3: Electronic Signals and Transmission Protocols

Defines the voltage and current requirements for the electrical contacts
defined in Part 2 and asynchronous half-duplex character transmission
protocol (T=0).

Smart cards that use a proprietary transmission protocol carry the
designation T=14. In practical terms, that means the card is not compatible
with ISO 7816. A proprietary protocol is used in German health care cards.

Amendment 1:1992 Protocol type T=1, asynchronous half duplex block
transmission protocol.

Amendment 2:1994 Revision of protocol type selection

Amendment 3: Electrical characteristics and class indication for
integrated circuit(s) cards operating at 5V, 3V and 1,8V

3.2.4. Part 4: Inter-industry Commands for Interchange

ISO 7816-4 is an International Standard that establishes a set of commands
across all industries to provide access, security and transmission of card
data. Within this basic kernel, for example, are commands to read, write and
update records.

There is an urban legend often repeated by smart card sales people that
ISO 7816-4 is so complex and so poorly written that it is impossible to
implement.  Strictly compliant implementations of ISO 7816-4 have been
created.  These claims are intended to excuse a lack of attention to
complying with the standard in the hopes of selling non-standard cards.

Amendment 1: Impact of secure messaging on the structures of APDU messages
Clarifies the construction of secure message variants of commands in Part 4.

http://perso.wanadoo.fr/dgil/scm/iso7816_4.html

3.2.5. Part 5: Numbering System and Registration Procedure for Application
Identifiers

Establishes standards for Application Identifiers (AIDs). An AID has two
parts. The first is a Registered Application Provider Identifier (RID) of
five bytes that is unique to the vendor. The second part is a variable
length field of up to 11 bytes called the Proprietary Application Identifier
Extension (PIX) that a vendor can use to identify specific applications.
Every smart card application builder such as yourself can get an RID.
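
The AID layout described above (a 5-byte RID followed by a PIX of up to 11
bytes) can be checked mechanically before a terminal trusts an identifier that
a card reports. This is an added example, not part of the original FAQ or of
any standard's reference code: the function names and all sample AIDs are
constructed, and the meaning of the RID's first hex digit is taken from
ISO/IEC 7816-5 rather than from this page.

```python
from dataclasses import dataclass

RID_LEN = 5        # Registered Application Provider Identifier: exactly 5 bytes
MAX_PIX_LEN = 11   # Proprietary Application Identifier Extension: 0..11 bytes

# Assumption (from ISO/IEC 7816-5, not stated in the FAQ): the high nibble of
# the first RID byte tells how the RID was registered.
RID_CATEGORIES = {
    0xA: "international registration",
    0xD: "national registration",
    0xF: "proprietary, not registered",
}


@dataclass(frozen=True)
class AID:
    rid: bytes
    pix: bytes

    @property
    def category(self):
        return RID_CATEGORIES.get(self.rid[0] >> 4, "other")

    def hex(self):
        return (self.rid + self.pix).hex().upper()


def parse_aid(text):
    """Parse an AID written as hex (spaces or colons allowed) into RID and PIX.

    Raises ValueError for anything that cannot be a well-formed AID.
    """
    cleaned = text.replace(":", "").replace(" ", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("AID is not valid hex: %r" % text) from exc
    if len(raw) < RID_LEN:
        raise ValueError("AID is shorter than the 5-byte RID")
    if len(raw) > RID_LEN + MAX_PIX_LEN:
        raise ValueError("AID is longer than 16 bytes (5-byte RID + 11-byte PIX)")
    return AID(rid=raw[:RID_LEN], pix=raw[RID_LEN:])


def select_candidates(expected_rid, advertised):
    """Filter an untrusted list of AID strings reported by a card.

    Returns (accepted, rejected): accepted holds parsed AIDs whose RID equals
    expected_rid; rejected holds (text, reason) pairs for everything else.
    """
    accepted, rejected = [], []
    for text in advertised:
        try:
            aid = parse_aid(text)
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        if aid.rid != expected_rid:
            rejected.append((text, "RID belongs to a different provider"))
            continue
        accepted.append(aid)
    return accepted, rejected


# Constructed sample data: none of these are real registered identifiers.
SAMPLE_RID = bytes.fromhex("A000000FFF")
SAMPLE_DIRECTORY = [
    "A0 00 00 0F FF 10 10",        # expected provider, 2-byte PIX
    "A0:00:00:0F:FF",              # expected provider, empty PIX
    "D0 00 00 00 01 02",           # different provider
    "A0 00 00",                    # truncated, shorter than an RID
    "A000000FFF" + "00" * 12,      # 17 bytes, PIX too long
    "not-hex",                     # garbage
]

if __name__ == "__main__":
    ok, bad = select_candidates(SAMPLE_RID, SAMPLE_DIRECTORY)
    for aid in ok:
        print("accept", aid.hex(), aid.category)
    for text, reason in bad:
        print("reject", repr(text), "-", reason)
```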

RIDs are assigned by the Copenhagen Telephone Company Ltd. (KTAS), aka
TeleDanmark A/S, which is also the ISO/IEC 7816-5 Registration Authority.
KTAS's address is Teglholmsgade 1, DK-1790, Copenhagen, V, Denmark, but the
application has to be approved by your national ISO body.  RIDs cost $500.

Matthew Deane, (212) 642-4992, at the American National Standards Institute
will handle requests for both national and international numbers.  Forms for
applying for an RID can be found at www.scdk.com. Fax the application back to
Matthew Deane at ANSI (212-840-2298) but make your payment directly to the
Registration Authority in Denmark.

If you want to issue a single application smart card then you need an Issuer
Identification Number (IIN) which is specified in ISO 7812.  For U.S.
residents, forms for an IIN are also available through Matthew Deane at ANSI.
The cost is $600.

For those in the US, all the relevant registration information for both
RIDs and IINs is at http://www.ansi.org/public/register.html

3.2.6. Part 6: Inter-industry data elements

Describes encoding rules for data needed in many applications e.g. name and
photograph of owner, his preference of languages etc.

Technical Corrigendum 1: Interindustry Data Elements

Amendment 1: IC manufacturer registration

3.2.7 Part 7: Interindustry commands for Structured Card Query Language
(SCQL)

Defines how to treat the data on the card as an SQL database.

3.2.8 Part 8: Security related interindustry commands

Adds symmetric and asymmetric key capabilities to Part 4.

3.2.9 Part 9: Additional interindustry commands and security attributes

Adds commands needed for personalization such as Create File and Delete File
as well as search commands to Part 4.

3.2.10 Part 10: Electronic signals and answer to reset for synchronous cards

Defines basic communication protocols for synchronous (T=14) smart cards.

3.2.11 Part 11: Personal verification through biometric methods

Defines how to represent and organize biometric data on a 7816 ICC.

3.2.12 Part 12: Cards with contacts: USB electrical interface and operating
procedures

Defines a variant of the USB protocol for use with an ICC.

3.2.13 Part 13 - Commands for application management in multi-application
environment

A scaled-down version of the GlobalPlatform specification.

3.2.15 Part 15: Cryptographic token information in IC Cards

A standardized way to keep cryptographic material on a smart card
and to access public keys and certificates stored therein.

3.3 Contactless Cards

Contactless cards are cards that just have to be held near a reader
rather than actually inserted into (and thus make contact with the
electrical contacts of) a reader.  Contactless cards are classified
based on how far away from the reader they can be and still be read.

Close-Coupled Cards  0mm -  10mm  (you touch it against the reader)
Proximity Cards     10mm -  10cm  (you hold it up to the reader)
Vicinity Cards      10cm -  50cm  (you walk by the reader)

The relevant standards for these cards are:

ISO/IEC 10536 - Identification cards - Contactless integrated
circuit(s) cards - Close coupled cards

ISO/IEC 14443 Identification cards -- Contactless integrated circuit(s)
cards -- Proximity cards. The standard set (parts 1-4) specifies the
communication (transmission, anticollision, selection and command
exchange) of chipcards in ranges up to 10cm. These standards define
protocols type A and B and there are "industry standards" for type
C, D and E. For interoperability look for compliance to parts 1-4 and
type A and/or B.

ISO/IEC 15693 - Identification cards - Contactless integrated
circuit(s) cards - Vicinity cards

There are also devices into which you can put a contact card which
turn it into a contactless card.  These devices can project a smart
card a considerable distance, up to 10 meters and more.  They are
used for example for using pre-paid cards with drive-through highway
toll booths and drive-through Taco Bells.

Access to the contactless standards is available at:
http://wg8.de/sd1.html

Increasingly common now are dual-interface processor cards which have both
a contactless interface according to ISO/IEC 14443 parts 1-4 and a normal
contact-based interface according to ISO/IEC 7816 parts 1-3. Examples of
controllers are the Philips MIFARE ProX (includes NPU) and the Infineon
SLE66CL160S.

3.4 ISO/IEC 24727 - Interoperability of Integrated Circuit Cards

Smart card vendors avoid building standard-compliant smart cards whenever
possible.  The one exception is their biggest market, the GSM/3G SIM card,
where 500 telecom operators held their feet to the fire.  See the ETSI
standards below.

Failing to get smart card vendors to produce standard-compliant smart cards,
smart card issuers are trying a second approach: define a simple, virtual
smart card, build their applications on this virtual card and then map
existing cards onto the virtual card.

This moves the problem from the card, where the vendors work to defeat
interoperability, to the middleware, where there are vendors that understand
interoperability and where the issuer can build to the standard himself if
he needs to.

The series of standards that are defining an interoperability framework for
smart cards based on a virtual card edge is called ISO/IEC 24727.  The
series is based on a smart card specification issued by the U.S. Government
that invented the virtual card edge idea: Government Smart Card
Interoperability Specification (GSC-ISv2.1).

http://csrc.nist.gov/publications/nistir/nistir-6887.pdf

GSC-IS is not a standard in that it has not been issued by a recognized
Standards Development Organization (SDO) so the U.S. Government submitted it
to ISO and requested that a task force be created to turn it into a
standard.  This task force has the name ISO JTC1/SC17/WG4/TF9 and is
chartered with creating the ISO/IEC 24727 series out of GSC-ISv2.1.

So far the ISO/IEC 24727 series has three parts:

ISO/IEC 24727 Part 1: Architecture
ISO/IEC 24727 Part 2: Generic card edge
ISO/IEC 24727 Part 3: Application interface

Three more parts are planned.

ISO/IEC 24727 Part 4: Card management and personalization
ISO/IEC 24727 Part 5: Test Methods
ISO/IEC 24727 Part 6: On-card programming interface

The interesting thing about the ISO/IEC 24727 standards is that they are
being written with sufficient detail and precision so that independent
implementations will be interoperable.  This is not true of the ISO/IEC 7816
series.

Drop me an e-mail if you'd like to know more: sguthery@mobile-mind.com.

3.5 Where do I get the ISO standards?

Official copies of the ISO standards must be purchased from the ISO catalog
at www.iso.ch.  The ISO is very proud of these standards.  A Xerox copy of
the most important standard from a software developer's point of view,
ISO 7816-4, costs $85.40.  The 7-page Xerox copy of ISO 7816-5 costs $31.80.
A  complete set of ISO 7816 smart card standards costs $436.50 plus shipping
and handling.  Delivery can take months.

At www.iso.ch the standards can also be downloaded at a cheaper price.
ISO/IEC 7816-4: Paper: CHF 136 (ca. 90 EUR), PDF: CHF 44 (ca. 29 EUR)
ISO/IEC 7816-5: Paper: CHF 50 (ca. 33 EUR), PDF: CHF 44 (ca. 29 EUR)

ANSI tacks an additional 35% onto these prices (ISO 7816-4 is $115) but
lets you download copies immediately.  See http://www.ansi.org/. Under
Electronics Standards Store select ISO/IEC JTC.

3.6 Doesn't ETSI also write standards for smart cards?

Yes. The most successful smart card is actually invisible.  It is the
Subscriber Identity Module (SIM) in GSM mobile telephones.  Besides the
subscriber's personal cryptographic identity key, the SIM contains other
useful information such as the current location of the phone and an address
book of frequently called numbers.

Recently this network-connected smart card has been opened up (on a
controlled basis) to application programming.  The ETSI SMG9 working group
wrote the standards for the SIM card.  The most relevant standards
for building applications for the SIM are:

GSM 02.19: Digital cellular telecommunications system (Phase 2+);
Subscriber Identity Module Application Programming Interface (SIM API);
Service description; Stage 1

GSM 02.48: Digital cellular telecommunications system (Phase 2+);
Security mechanisms for the SIM application toolkit; Stage 1

GSM 03.19: Subscriber Identity Module Application Programming Interface
(SIM API); SIM API for Java Card (TM); Stage 2

GSM 03.48: Digital cellular telecommunications system (Phase 2+);
Security Mechanisms for the SIM application toolkit; Stage 2

GSM 11.11 Digital cellular telecommunications system (Phase 2);
Specification of the Subscriber Identity Module - Mobile Equipment
(SIM - ME) interface (GSM 11.11)

GSM 11.14: Specification of the SIM application toolkit for the Subscriber
Identity Module - Mobile Equipment (SIM - ME) interface

ETSI TS 201.220 Integrated Circuits Cards (ICC); ETSI numbering system
for telecommunications; Application providers (AID).  See Section 3.2.5
above for instructions on obtaining application identifiers for GSM SIM
Toolkit Applications.

All are available free of charge from www.etsi.org.  It would seem
that ETSI actually wants folks to use their standards.

3.6.1 Other Mobile Telephone Smart Cards

Other mobile telephones besides GSM phones use smart card modules for
security, for GSM compatibility and for prepay.  The generic name
for all these cards including the GSM SIM is UIM for User Identity Module.

The smart card in a WAP phone is called a WIM for Wireless Interface Module.
It is described in WAP WIM Wireless Application Protocol Identity Module
Specification, available (for free) at www.wapforum.org.

The smart card for a 3GPP (aka UMTS) mobile phone is called the USIM.
It is described in 3G TS 21.111 Version 3.0.0, USIM and IC Card
Requirements, available (for free) at http://www.3gpp.org/specs/specs.htm.

The smart card for a 3GPP Project 2 (3GPP2) mobile phone is called the R-UIM
or UIM depending on whether or not it is removable.  The R-UIM is described
in a specification issued by the 3rd Generation Partnership Project 2
entitled Removable User Identity Module (R-UIM) for Spread Spectrum Systems
(3GPP2 C.S0023) of December 9, 1999. It is available (for free) from
http://3gpp2.org/tsg_c.html#doc.

The smart card for a CDMA mobile phone is just called a smart card.
It is described in CDMA Development Group Document #43, Smart
Card Stage I Description, Version 1.1, May 22, 1996, and can be ordered
at http://www.cdg.org/tech/tech_ref.html and costs $25.

3.6.2 3GPP Work Group T3

In late 1999 representatives of the various TDMA mobile phone systems
got together and decided to start a project to come up with a common
subscriber identity module.  Since the GSM specification was the most
mature, it was taken as the starting point.  ETSI shut down SMG9 and
transferred all of its documents and responsibilities to 3GPP Work Group
T3 which is now responsible for the common core SIM in all 3GPP phones
including GSM phones.  T3's documents can be found at:

http://www.3gpp.org/ftp/TSG_T/WG3_USIM/

Each TDMA technology can still put their own extensions on the 3GPP core
depending on the particular needs of the technology.

3.6.3 3GPP2 Work Group TSG-C

Some but not all CDMA phones use a smart card for network access
authentication. In these phones the SIM is called the R-UIM which
stands for Removable User Identity Module.  The CDMA folks think
of their handsets as being secure platforms and they think of the
SIM as a kind of industrial-strength floppy disk ... a removable
media.  3GPP2 R-UIM specs are available at:

http://www.3gpp2.org/Public_html/specs/#tsgc

3.6.4 ETSI Project - Smart Card Platform

An effort has also been launched to define a common core for the identity
module used in all communications applications. This module is called
the Universal Integrated Circuit Card (UICC).  It would include for example
all mobile phones (not just TDMA phones), settop boxes, internet TVs,
wireless SCADA, and so forth.  The thrust of this project is to define
a framework for smart cards that contain identity support for all of these
applications simultaneously.  After all it's always you whether you are
talking on the phone or transmitting your blood sugar readings.

ETSI was given initial responsibility for this project and since it rose
from the ashes of SMG9 it was originally called "The New SMG9".  One of its
first official acts was to give itself a more compelling name, hence Smart
Card Platform (SCP). All communication organizations are represented in this
new group or at least have been invited to participate.  In an effort to
gain as wide a consensus as possible it has thrown its Web site open to all
at:

  http://docbox.etsi.org/scp/

You can tell from the name that the SCP folks imagine that the results of
their efforts might have applicability outside communication.

It becomes a bit challenging to keep track of documents coming out
of these three groups.  Here's a start.

Description                              GSM     3GPP      SCP
===========                              =====   ======    =======
Vocabulary for Smart Cards                                 102.216
USIM and IC Card Requirements                    21.111
USIM/SIM Application Toolkit (USAT/SAT)  02.19   22.038
Physical and Logical Characteristics     11.11   31.101    102.221
Administrative Commands                                    102.222
Test Specifications                                        102.230
Characteristics of the USIM Application  11.14   31.102
USIM Application Toolkit (USAT)                  31.111    102.223
Security Mechanisms for the SAT-Stage 1  02.48
Security Mechanisms for the SAT-Stage 2  03.48   33.102
Numbering System for Card Applications                     101.220
SIM API for Java Card                    03.19
SIM API for the C Programming Language           31.131


Here are the core standards that define the Smart Card Platform:

GSM 02.17 - Subscriber Identity Module (SIM); Functional Characteristics
GSM 02.19 - Subscriber Identity Module Application Programming Interface
             (SIM API): Service Description; Stage 1
GSM 02.48 - Security Mechanisms for the SIM Application Toolkit; Stage 1
GSM 03.19 - GSM API for SIM toolkit; Stage 2
GSM 03.48 - Security Mechanisms for SIM Toolkit Application; Stage 2

3GPP 21.111 - USIM and IC Card Requirements
3GPP 22.038 - SIM Application Toolkit (SAT); Stage 1
3GPP 22.112 - USIM Toolkit Interpreter; Stage 1
3GPP 31.102 - Characteristics of the USIM Application
3GPP 31.111 - USIM Application Toolkit (USAT)
3GPP 31.113 - USAT Interpreter Byte Codes
3GPP 31.131 - C API for the USIM Application Toolkit
3GPP 34.131 - Test Specification for the C SIM API

SCP 101.220 - Integrated Circuit Cards (ICC); ETSI Numbering System for
              Telecommunication; Application Providers (AID)
SCP 102.124 - Transport Protocol for UICC Based Applications
SCP 102.127 - Transport Protocol for CAT Applications
SCP 102.216 - Vocabulary for Smart Card Platform Specifications
SCP 102.221 - Smart Cards; UICC-Terminal Interface; Physical and Logical
              Characteristics
SCP 102.222 - Integrated Circuit Cards (ICC); Administrative Commands for
              Telecommunications Applications
SCP 102.223 - Smart Cards; Card Application Toolkit (CAT)
SCP 102.224 - Security mechanisms for the Card Application Toolkit:
              Functional requirements
SCP 102.225 - Secured packet structure for UICC applications
SCP 102.226 - Remote APDU Structure for UICC based Applications
SCP 102.230 - Smart Cards; UICC-Terminal interface; Physical, Electrical
              and Logical Test Specifications
SCP 102.240 - UICC Application Programming Interface
SCP 102.241 - UICC Application Programming Interface for Java Card
SCP 102.310 - Extensible Authentication Protocol Support in the UICC

All of them are available free at

http://www.3gpp.org/ftp/Specs/

for the GSM and 3GPP documents and

http://portal.etsi.org/docbox/SCP/SCP/Specs/

for the SCP documents.

3.7 What is the standing of the U.S. Government's Smart Card Specification?

The National Institute of Standards and Technology (NIST) of the U.S.
Department of Commerce has issued and is maintaining a specification that
endeavors to establish a foundation on which to standardize the smart cards
used by various U.S. federal entities.  The specification is called the
Government Smart Card Interoperability Specification (GSC-IS) and is
available at:

http://csrc.nist.gov/publications/nistir/nistir-6887.pdf

The U.S. Government is also working on a Federal Information Processing
Standard (FIPS) for a Personal Identity Verification (PIV) smart card.  Early
drafts can be found here:

http://csrc.nist.gov/piv-project/

This is an outgrowth of the Common Access Card (CAC) program being rolled
out by the U.S. Department of Defense.

Source code for a Java Card Applet implementing the PIV specification (NIST
Special Publication 800-73) was created by a smart card class at Michigan
State University.  It is available at:

http://www.identityalliance.com/downloads/PIV-II-MSU.zip


3.8 Are there other standards bodies working on smart card standards?

Yes. Lots of them.  It seems to be becoming a global pastime.

The B10 workgroup of NCITS
(http://www.incits.org/tc_home/b10htm/b10-feb.html)
is the US representative to the ISO.  They work on a number of existing and
emerging standards. One of the most interesting given the Real ID
legislation is a smart card driver's license.  The current draft is at

http://www.aamva.org/standards/index.asp.

3.9 Are there any industry specifications?

In addition to standards formulated by recognized standards bodies, there
are a number of specifications created by companies, industrial consortia
and ad hoc users groups. These specifications are typically guided as much
by marketing agendas as by technical necessity or utility. Membership rules
vary from organization to organization but are usually constructed to be
functionally equivalent to invitation only; i.e. the market wannabes trying
to gang up on the market leader.

Europay, MasterCard and Visa formed a working group to create their
Integrated Circuit Card Specifications for Payment Systems, commonly called
"EMV'96" or just "EMV" (http://www.emvco.com/). The specification was
intended to create a common technical basis to compete with the Mondex
specifications.  Everybody of course went ahead and implemented their own
version of EMV cards (UKIS - UK Bank EMV, VSDC - Visa EMV, MCHIP - MasterCard
EMV).

Europay has also led the definition of a standard electronic cash purse
called CEPS for Common Electronic Purse Specifications.  The specification
costs EUR 94 and is available at www.europay.com.  Like EMV, each of the
card associations is implementing its own version of CEPS. Check out
CEPS specs at http://www.cepsco.com/

An old version of the GeldKarte specification used to be available at
ftp://ftp.ccc.de/pub/docs/geldkarte.pdf for free.  The latest version
is available from Bank-Verlag Koeln, Melatenguertel 113, D-50825 Koeln,
Germany. Phone +49-0221-5490-0. Fax +49-0221-543498. (www.bank-verlag.de)
It costs DM400 and there is an NDA to execute.

Microsoft heads a group of smart card manufacturers to produce a
specification for the use of smart cards on personal computers and
workstations called PC/SC for Personal Computer/Smart Card.
-http://www.pcscworkgroup.com

The SET (Secure Electronic Transactions) at http://www.setco.org/
and C-SET (Card Secured Electronic Transactions) at
http://www.europayfrance.fr/fr/commerce/secur.htm specifications
include descriptions of the smart cards they use to perform SET
transactions.

RSA (www.rsa.com) has published a file hierarchy and data description for
accessing PKI certificates and associated information on cryptographic
tokens including smart cards. It is called PKCS #15 and entitled
"Cryptographic Token Information Syntax Standard".  Unfortunately since it
is not a card-edge specification it does not advance the cause of
interoperable PKI tokens.

Visa is very active in the smart card area and has published specifications
for Visa Cash, the Visa Integrated Circuit Card; see
-http://international.visa.com/fb/paytech/smartcard/vsmartspecs/visspec.jsp

Visa developed a smart card management architecture called Visa Open
Platform (US Patent 6,005,942) which they turned over to GlobalPlatform.
GlobalPlatform (or "GP" as it's known in the trade) is the de facto standard
for doing post-personalization content management (loading applications,
keys, certificates, etc.) on smart cards. It has been submitted to the ISO
as ISO/IEC 7816-13 for standardization.
-http://www.globalplatform.org

MasterCard has formed the Global Mobile Commerce Team (not to be confused
with the Global Mobile Commerce Forum) and the Chip Vendor Services Program
(CVSP).

The Java Card Forum (www.javacardforum.org) and JavaSoft (www.javasoft.com)
maintain specifications for the Java Card.  There is a new version of the
Java Card specification about every three months.

The OpenCard Framework (www.opencard.org) is a way to access smart cards
from the Java programming language.

The Small Terminal Interoperability Platform consortium (www.stipgroup.org)
is doing this too.

Radicchio (www.radicchio.org) and the Global Mobile Commerce Forum
(global.mobilecommerce.com) are studying the use of PKI smart cards
on wireless networks. Radicchio has morphed into the Liberty Alliance
(http://www.projectliberty.org/)

The Mobile Electronic Signature Consortium (www.esign-consortium.org)
is based on Brokat's digital signature patent WO09922486A1 of 5/6/1999
entitled "METHOD FOR DIGITAL SIGNING OF A MESSAGE" and is writing a
specification based on this patent for wireless e-commerce.

The PKI Forum (pkiforum.org) is also writing specifications for
digital signatures.


The World Airline Entertainment Association has put out a fascinating
specification for the use of smart cards by passengers in airplanes.
(http://www.waea.org/tech/techspecs/smartcards.htm)  It's free.

The International Air Transport Association sells a specification for
smart cards in travel and entertainment cards for $200 at
http://www.iata.org.

The SIMalliance (www.simalliance.org) is writing specifications for
a suite of protocols to connect GSM SIM cards to the Internet. It is a
closed group consisting of French card manufacturers.  The proposal is
to hack up the WAP protocols which are themselves a hack up of the standard
Internet protocols. A TCP/IP stack with a real Web server can be put on a
SIM card so you have to wonder why we need a new, homegrown bunch of
protocols.

SmartTrust (www.smarttrust.com) makes the specifications for
its micro-browser available to everyone.  Contact Anders Sellin
(Anders.sellin@smarttrust.com).

The Smart Card Constituency working under the banner of eEurope
is proposing to write yet another set of smart card interoperability
specifications that everybody can ignore.  They have published a list
of 17 items for action and set up a bunch of task forces and work packages.
Contact Jan van Arkel <arkel@ecp.nl> for details.

The Card Application Management System Consortium consists of just
Visa and MasterCard.  The relationship of this effort to Visa's
Open Platform effort and the work of the Global Open Platform would
break a pencil at any PR agency.
http://europa.eu.int/comm/information_society/eeurope/index_en.htm

Eurosmart (www.eurosmart.com) is kind of a retirement project
for the first generation of smart card experts who know much but
say little, at least publicly.

Israel has a standard concerning the use of Hebrew for textual data
in smart cards. It is available (in English) at
http://www.qsm.co.il/Hebrew/si4424e.htm

E-Europe is kind of a European governmental trade association.  There
is a smart card project inside E-Europe that has generated a number
of white papers that are good smart card tutorials and talk a lot about
smart card applications, real ones and possibilities.  Check out ...
http://www.eeurope-smartcards.org/B2-Index.htm

The European Committee for Standardization is writing specifications
for a trans-European digital signature card called variously eAuthentication
and eSign or just IAS.
http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/activity/smart+cards.asp

See also

http://www.e-europestandards.org/published_standards.htm

3.10 Patents

There is an ongoing debate as to who invented the smart card and
who got the first smart card patent. Some claim the card was invented
in America and some claim it was invented in Germany.

Jules Ellinboe, an American working for TRW, applied for a patent on
an "Active Element Card" on October 27, 1967.  The patent, US 3,637,994,
was granted on January 25, 1972.

Two German engineers, Jurgen Dethloff and Helmut Grottrupp, essentially
working in their garage, are regarded as the inventors of the smart
card in Europe.  They announced their invention in 1967 and filed for a
German patent (DE 19 45 777 C2, "Identifikanden/Identifikationsschalter")
in February of 1969.  Amazingly this patent wasn't granted until 1982.
On August 8, 1978, Dethloff was granted US patent 4,105,156, "Identification
system safeguarded against misuse".

Kunitaka Arimura of the Arimura Technology Institute in Japan filed for a
Japanese patent in March of 1970.  In May of 1971, Paul Castrucci of IBM
filed for an American patent entitled simply "Information Card". The patent,
US 3,702,464, was issued on November 7, 1972.

Between 1974 and 1979 a French journalist, Roland Moreno, filed 47 smart
card related patents in 11 countries and founded the French company
Innovatron to license these patents. US 3,971,916, "Methods of data storage
and data storage systems" is a foundational US filing.  The
square-on-top-of-a-stick or two-piece flag that you see printed on some
smart cards is the trademark of an Innovatron license.

Bull under the leadership of Michel Ugon has also historically been very
active in patenting smart card technology, filing over 1,200 patents
starting in 1977.  Bull claims that all smart cards use their SPOM
(Self-Programmable One-Chip Microcomputer) technology.  US 4,404,464,
"Method and apparatus for electrically connecting a removable article,
in particular a portable electronic card" issued September 13, 1983, is
a key Bull patent. The tiny circular smart card contact that you
see printed on some smart cards is the trademark of a Bull license.

Many of the original smart card patents have expired. Some pundits have
opined that the vigorous enforcement of these patents has inhibited smart
card use and that their expiration will open up the smart card market.
About the only thing that has happened so far however is that Bull CP8
died when it was taken off royalty payment life support.

A surprising number of entities, not historically associated with
the smart card industry, are applying for and getting smart card
patents these days. In fact it might be said that there is a feeding
frenzy in smart card patent application.

Some smart card software and business process patents applied for or issued
in the last 12 months of interest at least to the FAQ editor are listed
below.  Dates are published dates for reference purposes not priority dates.

WO05101725A1: METHOD FOR DYNAMICALLY AUTHENTICATING PROGRAMMES WITH AN
ELECTRONIC PORTABLE OBJECT, Gemplus (Chevallier-Mames, Naccache, Paillier),
October 27, 2005.

> The stack is the signature.

US20050188360A1: Method and apparatus for providing an application on a
smart card, Sun Microsystems (de Jong), August 25, 2005.

> Gasp! Names are made up of parts, like, oh, Eduard of the family of Jong.

US20050185515A1: Methods and systems for performing horological functions
using time cells, IBM (Berstis, Klim, Lam), August 25, 2005.

> Like Archimedes' water clock only with electrons.

US20050154672A1: Performance optimized smartcard transaction management,
Microsoft (Griffin, Perlin, Schutz), July 14, 2005.

> Didn't this used to be called timesharing?

US20050149457A1: Method and apparatus for establishing trust in smart card
readers, Intel (Cihula), July 7, 2005.

> It is an axiom of the crypto community that trust is directly proportional 
> to complexity.

US6912633: Enhanced memory management for portable devices, Sun Microsystems
(de Jong), June 28, 2005.

> The larger your vocabulary the more you can say.

US6896523: IC card, Renesas Technology and Hitachi (Nisizawa, Ishihara,
Shiraishi, Yukawa), May 5, 2005.

> Super-size your SIM, sir?

WO05045683A1: APPARATUS AND METHOD FOR GARBAGE COLLECTION, Electronics and
Telecommunications Research Institute (Jung, Jun, Chung), May 19, 2005.

> Garbage collection for smart card. Mark and sweep with timeout.

US6889329: Adding secure external virtual memory to smart cards, Sun
Microsystems (DiGiorgio, Uhler, Stevens), May 3, 2005.

> Swap the memory of a smart card out to the "secure object store". Why 
> bother with the card?

US6883715: Multi-mode smart card, system and associated methods, STMicro
(Fruhauf, Pomet, Leydier), April 26, 2005.

> The nice thing about standards is that there are so many to choose from.

WO05036486A1: ACCESSING DATA ELEMENTS IN A PORTABLE DATA CARRIER, Giesecke &
Devrient (Gibis, Seemuler), April 21, 2005.

> Hierarchical tags rather than hierarchical files ... like OIDs, for
> example.

EP1088295A4: BALANCED CRYPTOGRAPHIC COMPUTATIONAL METHOD AND APPARATUS FOR
LEAK MINIMIZATION IN SMARTCARDS AND OTHER CRYPTOSYSTEMS, Cryptography
Research (Jaffe, Kocher, Jun), April 20, 2005.

> Multiplying by 1 really is harder than multiplying by 0.

US6880752: System for testing, verifying legitimacy of smart card in-situ
and for storing data therein, (Tarnovsky, Tarnovsky), May 19, 2005.

> Generate card malfunctions to get at hidden card functionality; hardware 
> stego.

EP1495927A3: System for controlling a function of an automobile vehicle
having a control device and a smart card on which operational parameters and
program parts for the control device are stored, and smart card therefore,
Giesecke & Devrient (Liegl), April 20, 2005.

> "Sorry, the dealer says I shouldn't go that fast."

US20050066191A1: System and method for delivering versatile security,
digital rights management, and privacy services from storage controllers,
Seagate (Thibadeau), March 24, 2005.

> Hundreds of virtual smart cards inside a harddisk.

EP1517475A1: Smart card based encryption in Wi-Fi communication, Axalto
(Shannon), March 23, 2005.

> And you thought the Clipper chip was a bad idea.

EP1515448A1: System and method for configuring a software radio, Harris
(Wallace), March 16, 2005.

> There's hope for radio yet

EP1514273A1: ROLL BACK METHOD FOR A SMART CARD, Koninklijke Philips
(Arnold, Lackner), March 16, 2005.

> No, you can't back-up and restore your e-purse.

EP1508253A1: SECURE INTERACTION BETWEEN DOWNLOADED APPLICATION CODE AND A
SMART CARD IN A MOBILE COMMUNICATION APPARATUS, Axalto (Mahalal),
February 23, 2005.

> This is how the mobile operator masquerades as you.

US20040260656A1: Integrated circuit card with situation dependent identity
authentication, Microsoft (Guthery), December 23, 2004.

> Hey, kid, put down that magazine.

US20040255131A1: Integrated circuit devices with steganographic
authentication and steganographic authentication methods, Microsoft
(Guthery), December 16, 2004.

> Performance biometrics.

US20040250066A1: Smart card data transaction system and methods for
providing high levels of storage and transmission security, IBM (Di Luoffo,
Fellenstein, Reilly), December 9, 2004.

> A competitor for GlobalPlatform.

US20040249959A1: Communications network with smart card, Mobile-Mind
(Guthery), December 9, 2004.

> IP header hacking.

US6829200: Sensing methods and devices for a batteryless, oscillatorless,
binary time cell usable as an horological device, IBM (Berstis, Klim, Lam),
December 7, 2004.

> Very, very cool. Sense of time for a smart card.

US20040238646A1: Management of byte transmission in a smartcard, Axalto
(Gien, Mennecart), December 2, 2004.

> Yet another half-baked, home-grown, smart card communication protocol.
> See T=0.

EP1480174A1: A method for making a reliable time available on a smart card
provided with a timer, Axalto (Joffray, Barbe), November 24, 2004.

> External time + on-card timer = internal time.  No persistence.  See
> US6829200 above.

US6819986: System and method for collecting vehicle data and diagnosing the
vehicle, and method for automatically setting the vehicle convenience
apparatus using smartcard, Tellsyn (Hong, Lee, Jeong), November 16, 2004.

> Your card is watching ... you.

EP1473664A2: Smart card device as mass storage device, STMicroelectronics
(Tournemille, Tamagno), November 3, 2004.

> Use the security architecture on the card to protect resources off the 
> card.

EP1473869A1: Universal secure messaging for cryptographic modules, ActivCard
(Le Saint, Wen), November 3, 2004.

> If you can't have new ideas, you can always try to patent existing 
> standards.

EP1471420A2: Montgomery modular multiplier and method thereof using carry
save addition, Samsung (Son, Yoon), October 27, 2004.

US20040206815A1: System for testing, verifying legitimacy of smart card
in-situ and for storing data therein, (Tarnovsky, Tarnovsky), October 21,
2004.

> Value checker on steroids.

WO04088603A1: METHOD TO GRANT MODIFICATION RIGHTS FOR A SMART CARD,
Koninklijke Philips (Przybilla), October 14, 2004.

> A simplified version of GlobalPlatform.

WO0176131A1: CRYPTOGRAPHIC METHODS AND APPARATUS USING WORD-WISE MONTGOMERY
MULTIPLICATION, Oregon State University (Koc, Sava), October 11, 2004.

> It all comes down to efficient multiplication.

US20040199787A1: Card device resource access control, Sun Microsystems
(Hans, de Jong), October 7, 2004.

> Attempt to patent the DoD CAC Access Control Applet

US6801956: Arrangement with a microprocessor, Koninklijke Philips (Feuser,
Koenig), October 5, 2004.

> Yet another smart card USB patent.

US6779732: Method and apparatus for linking converted applet files,
Schlumberger Malco (Krishna, Wilkinson, Burianne), August 24, 2004.

> Java Card discovers incremental linking fighting its way into the 1960's.

US6776339: Wireless communication device providing a contactless interface
for a smart card reader, Nokia (Piikivi), August 17, 2004.

> Mobile phone as a relay for a contactless smart card.

US6779113: Integrated circuit card with situation dependent identity
authentication, Microsoft (Guthery), August 17, 2004.

> Your mobile-phone PIN won't get you into Ft. Knox.

US6779112: Integrated circuit devices with steganographic authentication,
and steganographic authentication methods, Microsoft (Guthery), August 17,
2004.

> Throw two-blue darts at a green balloon and then whistle Dixie.

WO04066196A1: SMARTCARD WITH PROTECTED MEMORY ACCESS, ECEBS (Hochfield,
Breslin), August 5, 2004.

> Smart card swaps to FLASH.

WO04063979A1: METHOD AND TERMINAL FOR DETECTING FAKE AND/OR MODIFIED SMART
CARD, Koninklijke Philips (Baker), July 29, 2004.

> An environmental attack becomes a security feature.

US20040148502A1: Method and system for the distributed creation of a program
for a programmable portable data carrier, Giesecke & Devrient (Gollner,
Ciesinger), July 29, 2004.

> Secure loading of native and byte coded applications onto a smart card.

US6766960: Smart card having memory using a breakdown phenomena in an
ultra-thin dielectric, Kilopass Technologies (Peng), July 27, 2004.

> Pushing the envelope on persistent memory.

US20040143820A1: Optimized representation of data type information in
program verification, Sun Microsystems (de Jong), July 22, 2004.

> Part of the rapidly-growing picket fence around Java Card.

US6763463: Integrated circuit card with data modifying capabilities and
related methods, Microsoft (Guthery), July 13, 2004.

> Card provides minimally sufficient response to a query.

US6760796: Smart card which temporarily stores transactions in non-secure
memory and consolidates the transactions into secure memory, NCR (Rossmann,
Savage), July 6, 2004.

> Compact log of all transactions.  Improves on the old cyclic file 
> approach.

US20040124246A1: SYSTEM AND METHOD FOR VALIDATING AND OPERATING AN ACCESS
CARD, (Allen, Jilka), July 1, 2004.

> Super smart card with display and keypad.

US20040123132A1: Enhancing data integrity and security in a processor-based
system, Axalto (Montgomery, Sinha, Kumamoto), June 24, 2004.

> Garbage collection with cryptographic checksums.

EP1431862A2: Uniform framework for security tokens, ActivCard (Le Saint),
June 23, 2004.

> Another attempt to patent the DoD CAC card.

EP1190316B1: TECHNIQUES FOR PERMITTING ACCESS ACROSS A CONTEXT BARRIER IN A
SMALL FOOTPRINT DEVICE USING GLOBAL DATA STRUCTURES, Sun Microsystems
(Susser, Butler, Streich), June 16, 2004.

> Java Card discovers the FORTRAN COMMON block.

US6751671: Method of communication between a user station and a network, in
particular such as internet, and implementing architecture, Bull CP8
(Urien), June 15, 2004.

> A smart card could be a node on the Internet except for the proprietary
> protocols.

WO04047464A2: FIREWALL SYSTEM FOR MOBILE TELECOMMUNICATION DEVICE,
Schlumberger (Lambert), June 3, 2004.

> Telephone company censors your SMS messages.

US6745048: Sim manager API, Microsoft (Vargas, Shen), June 1, 2004.

> DLL for SIM access from programs on mobile handset.

WO04042572A2: MICROCIRCUIT CARD COMPRISING MEANS FOR PUBLISHING ITS COMPUTER
OBJECTS, Oberthur (Flattin, Louis, Contreras), May 21, 2004.

> Card gives back a local identifier for an application identified by an 
> AID.

US20040093436A1: Secure memory device for smart cards with a modem interface
(Colnot), May 13, 2004.

> Yet another device that supports ISO 7816 commands that isn't a card.

US20040087337A1: Mobile device controlling method, IC card unauthorized use
preventing method, program for changing settings of mobile device, and
program for preventing IC card from unauthorized use, Fujitsu (Takae,
Takae, Tani, Omiya), May 6, 2004.

> And you thought you controlled the mobile phone you bought and paid for.

EP1155365B1: TECHNIQUES FOR IMPLEMENTING SECURITY ON A SMALL FOOTPRINT
DEVICE USING A CONTEXT BARRIER, Sun Microsystems (Susser, Butler, Streich,
de Jong), May 6, 2004.

> Java Card discovers the split I-D space of the PDP-11/45, circa 1972.

US20040088562A1: Authentication framework for smart cards, Schlumberger
Malco (Vassilev, Hutchinson), May 6, 2004.

> Looks a lot like the proposed framework for the V2 DoD CAC card.

ISO/IEC Smart Card Standards
----------------------------

EP1385118A2: Method and apparatus for supporting a biometric registration
performed on a card, Activcard (Hillhouse, Hamid), January 28, 2004.

DE 198555961: Portable microprocessor-assisted data carrier that can be
used with or without contacts, Orga Kartensystems (Hanno) May 5, 1996.

US5473690: Secured Method for Loading a Plurality of Applications into a
Microprocessor Memory Card, Gemplus (Grimonprez, Paradinas), January 16,
1992.

A constantly growing list of USB smart card patents.


Government Smart Card Interoperability Specification (GSC-IS)
-------------------------------------------------------------

US20040103415A1: Method of interfacing with data storage card, (Zuppicich),
May 5, 2004.

US20040040026A1: Method and System of Linking a Smart Device Description
File with the Logic of an Application Program, ThinkPulse/Gemplus
(Farrugia), February 26, 2004.

US6694436: Terminal and system for performing secure electronic
transactions, Activcard (Audebert), February 17, 2004.

WO02073337A2: SYSTEMS AND METHODS FOR PROVIDING SMART CARD INTEROPERABILITY,
US GSA (Dray, Fedronic, Fernandez, Jackson, Barr, Windsor, Hendricks),
September 19, 2002.

US2002/0129266A1: System for Identification of Smart Cards, Sun Microsystems
(Bender), September 12, 2002.

US6213392B1: Card Interface for Interfacing a Host Application Program to
Data Storage Cards, SmartMove (Zuppicich), April 10, 2001.

EP0780813B1: IC card, IC card reading/writing apparatus, host for an IC card
reading/writing apparatus, IC card system, and method for allowing use of
multiple vendors in an IC card system, Fujitsu (Tanaka), February 11, 2004.


ETSI GSM SIM and SIM Toolkit Specifications
-------------------------------------------

US6671522B1: Terminal Controlled by a Subscriber's Identification Module for
Running an Application, Societe Francaise du Radiotelephone (Beaudou),
December 30, 2003.

US6619554: Integrated circuit card for use in a communication terminal,
Nokia, (Vestergaard, Lindholm), September 16, 2003.

US6453167: Telecommunications Systems, British Technology Group (Michaels,
Timson, Dervan), September 17, 2002.

US6236851: Prepaid security cellular telecommunications system, Freedom
Wireless (Fougnies, Harned), May 22, 2001.

US6157823: Security cellular telecommunications system, Freedom Wireless
(Fougnies, Harned), December 5, 2000.

US6078821: Cordless Radiotelephone System having an Extendable Geographic
Coverage Area and Method Therefor, Motorola (Kaschke, Kalenowsky, Metroka),
June 20, 2000.

US6619554B1: Integrated Circuit Card for Use in a Communication Terminal,
Nokia (Vestergaard, Lindholm), January 2, 2000.

US6094656: Data Exchange System Comprising Portable Data Processing Units,
Belle Gate Investment (de Jong), August 2, 1996.  See also US 6385645 B1.

US5802519: Coherent Data Structures with Multiple Interaction Context for
a Smart Card, Belle Gate Investment (de Jong), February 8, 1995.  See also
US 6052690.


3.11 Security Evaluations and Certifications

Smart cards and smart card readers can be subjected to various national
information technology security evaluations and certifications.  In the
past this was ITSEC in Europe, TCSEC in the US and ITSET in Canada.  The
shortcoming of these evaluation schemes was that one didn't know what had
been evaluated and thus had no basis on which to judge the utility of
the evaluation to one's application context.

Only one smart card has received the highest possible ITSEC certification,
the Multos card, which has been certified at the E6 High level.

These diverse evaluation criteria and protocols are slowly being harmonized
and homogenized into a world-wide standard called the Common Criteria.
- http://csrc.nist.gov/cc/linklist.htm
lists the Common Criteria Web sites of the countries actively involved in
this effort.

A property of Common Criteria testing is that the tests performed are
public.  The tests are called protection profiles.  A number of protection
profiles have been proposed for smart cards:

Smartcard Integrated Circuit, PP/9806, Version 2.0, September 1998.

Intersector Electronic Purse and Purchase Device, PP/9808,
Version 1.2, February 1999.

Smart Card Integrated Circuit with Embedded Software, PP/9809,
Version 1.0, Issue October 1998.

Smartcard Embedded Software, PP/9810, Version 1.0, November, 1998.

Smart Card Integrated Circuit with Embedded Software, PP/9811,
Version 2.0, Issue June 1999, is available at:
- www.ssi.gouv.fr/fr/confiance/documents/PP9911.pdf

PP/9806, PP/9908, PP9909 and PP/9811 are available at
-http://www.eurosmart.com/download.

Large card issuers have also published their security evaluation and
certification criteria.  Visa's, for example, can be found at
- http://international.visa.com/fb/paytech/smartcard/vsmartspecs/main.jsp

For complete information on the Common Criteria approach and the
Smart Card Security Users Group (SCSUG) check out
- http://csrc.nist.gov/cc/sc/sclist.htm

The SCSUG protection profile is available at
- http://www.bsi.bund.de/cc/pplist/scsugpp.pdf

Common Criteria is also known as ISO 15408.

The ISO is finally starting to standardize the tests used to validate
claims about 7816 conformance.  The first such is ISO FCD 10373-3
which is a specification of the test methods for ISO 7816-3.

Four chips have received Common Criteria certification:

- STMicroelectronics ST19 (EAL4+)
- Philips P8WE6017V1I (EAL5+)
- Philips P8WE5032V0B (EAL3)
- Atmel AT05SC1604R (EAL4+)

Sun has produced a protection profile for Java Card implementations called
the Java Card System Protection Profile (JCSPP).  It is available at:
- http://java.sun.com/products/javacard/pp.html

JCSPP is concerned primarily with protecting Sun and the Java Card
manufacturers.

3.12 Smart Card Testing Laboratories

The following organizations do smart card testing and certification and/or
sell testing tools:

- Aspects Software (http://www.aspects-sw.com)
- COACT (http://www.coact.com/)
- Collis (http://www.collis.nl/conclusion)
- Cygnacom Solutions (http://www.cygnacom.com/labs/index.htm)
- Domus ITSEC Laboratory (www.domus.com)
- Exponent (http://www.exponent.com)
- FIME (http://www.fime.com)
- ICC Solutions (http://www.iccsolutions.com)
- InfoGard Labs (http://www.infogard.com)
- Integri (http://www.integri.be)
- Micropross (http://www.micropross.com)
- Tuvit (http://www.tuvit.de)

The list of cryptographic token testing labs accredited by NIST is at

http://csrc.nist.gov/cryptval/1401labs.htm


Besides the general-purpose FIPS 140 cryptographic token certification
there are two Common Criteria protection profiles specifically for US
government smart cards:

- Department of Defense Public Key Infrastructure and Key Management
Key Infrastructure Token Protection Profile
http://niap.nist.gov/pp/index.html


There is also a strong initiative to achieve interoperability between
smart cards used by the US government.  See the patent application:

WO02073337A2: SYSTEMS AND METHODS FOR PROVIDING SMART CARD INTEROPERABILITY

and "Government Smart Card Interoperability Specification" available at
http://csrc.nist.gov/publications/nistir/nistir-6887.pdf.

3.13  The Value of Certification to the Cardholder and Card Issuer

Protection profile based certification provides virtually no assurances of
card security to the cardholder and very few to the card issuer.  Protection
profiles are formulated by and serve the interests of the card manufacturer.

Under ITSEC certification the cardholder could not obtain the list of card
properties that were tested and certified.  If the manufacturer claimed the
card gave up its secrets at the drop of a hat and the tester discovered it
did, then the card did what it claimed and was given an ITSEC certificate.

Common Criteria has addressed this shortcoming and now you the cardholder
can see the assertions that were tested in order to achieve a certification.
Unfortunately, you have no way of determining if there is any relationship
between the card that was tested and the card in your hand. All you know for
certain is that somewhere, sometime some card passed the profile.  The card
in your hand might be quite a different card.

Furthermore, you have no clue about properties of the card that do not
appear in the protection profile.  The card manufacturer can for example put
backdoors in the card security and still get a certificate as long as the
card manufacturer doesn't claim an absence of backdoors in the protection
profile.

Thus, for example, a Java Card applet loaded onto a Java Card can access
PIN-protected data without the PIN due to a backdoor in the smart card
operating system provided to the Java Card virtual machine by the card
manufacturer.  Since this backdoor isn't mentioned in either the smart card
protection profile or the Java Card protection profile, Java Cards with this
backdoor can get certified and you the cardholder are never the wiser.  You
think since you didn't enter your PIN your data can't be read but a Java
Card applet can read the data and send what it reads to anybody it likes
all while covering your eyes with a security certificate.

4. Smart Card Hardware

To build your own smart card you can either work with a full-service
smart card manufacturer who has the know-how and equipment to take your
software and return finished cards, or you can work directly with a chip
manufacturer to produce smart card chips or modules which contain your
software and then work with an embedder to put your module into a card.

Smart card manufacturers include: Dai Nippon, Gemplus, Giesecke & Devrient,
Intercard, Landis & Gyr, Oberthur, Orga, Exponcard,
I'M Technologies, Samsung, SchlumbergerSema, Solomon and Tianjin,
Worldtronix.

Chip manufacturers include Advanced Logic, Atmel, Dallas
Semiconductor, Hitachi, Infineon, NEC, Philips, Samsung, STMicroelectronics,
Toshiba, Emosyn and Xicor.

Embedders include Micromodular Data Solutions, Integrated Card
Technology, ACG, and NBS.

Of course if you're really into doing it yourself and the folks
downstairs don't mind a little noise, you can make your own
smart cards: Muehlbauer (http://www.muehlbauer.de), Meinen,
Ziegel & Co. (http://www.meinen-ziegel.com).

STMicroelectronics publishes a nice set of data sheets on their
chips.  Look under Smartcard ICs on http://www.st.com.

If you want to build your own smart card O/S from the I/O registers up,
Atmel chips are probably the best place to start.  There are a bunch of
good tools at http://www.openavr.org/

The Chip Store http://www.chipcardstore.com supplies a range of
parts used for building smart cards and smart card systems.

If you want to jump-start your smart card O/S project, there are some
good building blocks at http://www.smartecos.com

Good articles on the various physical attacks that are mounted
on smart cards can be found at the following two sites:

- http://www.cl.cam.ac.uk/Research/Security/tamper
- http://www.cryptography.com/dpa/technical/index.html

5. Smart Card Operating Systems and Custom Cards

A smart card operating system is a type of embedded operating system.
There are many of them for the same reasons that there are many
embedded and real-time operating systems.  It is not certain that
there will ever be a DOS for smart cards although many companies
continue to pursue this vision.

Historically smart card operating systems have been bundled with
smart card hardware so it was difficult to buy a smart card chip
and an operating system independently.  It was even harder to license
a smart card operating system that you could customize and put
on your own chip.  This situation is changing slowly.

5.1 Do-It-Yourself Smart Card Operating Systems

Open Source Projects
====================
There are a couple of open source smart card operating system efforts
underway.  One, Gnu Card O/S (gcos), was led by Christian
Kahlo (C.Kahlo@intershop.de) but has been shut down. The obituary is
at www.gcos.de.  There is also an open source smart card
operating system project going on at the University of Michigan
(www.citi.umich.edu). Contact Jim Rees (rees@umich.edu).

There is also a smart card communications project going
on at the University of Cape Town:
http://www.cs.uct.ac.za/Research/DNA/SOCS/projectpage.html

Simple Operating System for Smartcard Education (SOSSE) is a smart
card operating system for Atmel processors.  It will move sooner or later
to www.opensc.org/sosse/.  It is currently at www.mbsks.franken.de/sosse/.

http://www.franken.de/users/mbsks/sosse/index.html
www.gcos.de

Development Kits and Emulators
==============================
A number of embedded software tool companies are spotting
an opportunity for growth by including smart cards in their
offerings.  Most of these are, as expected, chip specific.
You'll need ...

 1) a C compiler for the chip
 2) a workstation-based chip simulator to do first
    level debugging
 3) an in-circuit emulator (ICE) that contains the
    real chip in an electronic debugging harness and
    lets you single step your program and examine
    memory
 4) developer cards with a ROM loader that contain the
    chip you're working with so you can alpha and
    beta test your program

- Ashling (http://www.ashling.com)
- Associated Compiler Experts (ACE) (http://www.ace.nl)
- Atmel (http://www.atmel.com)
- Hitex (http://www.hitex.com)
- IAR Systems (http://www.iar.com)
- Keil (http://www.keil.com)
- Raisonance (http://www.raisonance.com/En/Products/SmartCard/Prescards.htm)
- Tasking (http://www.tasking.com/home.html)

SmarTEC (http://www.smartecos.com) make available a free SDK for
their SmarteCOS smart card operating system.

A Smart Card Framework for .NET applications called the SmartCard
Subsembly for .NET is available from:
- http://subsembly.com/
It does for .NET what OpenCard tried to do for Java.

There's a great collection of smart card software and software tools at:
- http://www.linuxnet.com/musclecard/

Applet loader for Java Cards:
- http://www.vrweb.de/~martin.buechler/smartcard/CFlexAccess32Loader.zip


Lots of smart card tools and example programs:
- http://www.conrad-electronic.de/chipkarten_toolbox/967740.html


Blank Cards, White Cards and Soft Masks
=======================================
These cards let you download executable code directly to the
EEPROM memory of the smart card chip.  They contain a small
loader in ROM which loads Motorola S-records or Intel extended
hex records or some other industry standard binary core image
representation.  After you finish downloading, you flip a bit
that tells the chip to execute your program rather than the ROM
loader the next time it is reset.  Clearly these are the most
flexible cards you can use from an application developer's point
of view.  They are also the hardest to get hold of. There is
much heavy breathing about security considerations regarding
blank cards but in fact there is nothing you can do with a blank
card that you can't do with a Java Card or a Windows card so
the heavy breathing is really all about market control not security.
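
As an added illustration (not part of the original FAQ and not any vendor's loader), the sketch below checks an Intel HEX image on the host before it is handed to a blank card's ROM loader: every record's checksum is verified and every byte must land inside the EEPROM window, including after an extended address record has moved the base. The window address and size, the rejection of start-address records and the sample records are assumptions constructed for the example.

```python
"""Host-side validation of an Intel HEX image before it goes to a card's ROM loader."""

# Assumed EEPROM window of a hypothetical blank card (not from any data sheet).
EEPROM_START = 0x8000
EEPROM_SIZE = 0x0100


class HexImageError(ValueError):
    """Raised when a record is malformed or targets memory outside the window."""


def parse_record(line):
    """Decode one ':LLAAAATT<data>CC' record; verify its length and checksum."""
    line = line.strip()
    if not line.startswith(":"):
        raise HexImageError("record does not start with ':'")
    try:
        raw = bytes.fromhex(line[1:])
    except ValueError:
        raise HexImageError("record is not valid hex") from None
    if len(raw) < 5 or len(raw) != raw[0] + 5:
        raise HexImageError("byte count does not match record length")
    if sum(raw) & 0xFF:  # all bytes including the checksum must sum to 0 mod 256
        raise HexImageError("checksum mismatch")
    return raw[3], int.from_bytes(raw[1:3], "big"), raw[4:-1]


def load_image(text, start=EEPROM_START, size=EEPROM_SIZE):
    """Return {address: byte} for a fully valid image, else raise HexImageError."""
    memory, base, finished = {}, 0, False
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if finished:
            raise HexImageError(f"line {number}: record after end-of-file record")
        try:
            rtype, offset, data = parse_record(line)
        except HexImageError as exc:
            raise HexImageError(f"line {number}: {exc}") from None
        if rtype == 0x00:  # data record
            for i, value in enumerate(data):
                address = base + offset + i
                if not start <= address < start + size:
                    raise HexImageError(f"line {number}: {address:#x} is outside the window")
                if address in memory:
                    raise HexImageError(f"line {number}: {address:#x} written twice")
                memory[address] = value
        elif rtype == 0x01:  # end-of-file record
            finished = True
        elif rtype in (0x02, 0x04):  # extended segment / extended linear address
            if len(data) != 2:
                raise HexImageError(f"line {number}: bad extended address record")
            upper = int.from_bytes(data, "big")
            base = upper << 4 if rtype == 0x02 else upper << 16
        else:
            # Assumption: start-address records (03, 05) are refused, since the
            # loader described above starts the program by flipping a bit.
            raise HexImageError(f"line {number}: unsupported record type {rtype:#04x}")
    if not finished:
        raise HexImageError("image has no end-of-file record (truncated download?)")
    return memory


def rejection_reason(text, start=EEPROM_START, size=EEPROM_SIZE):
    """Return None if the image is acceptable, otherwise the reason it is not."""
    try:
        load_image(text, start, size)
    except HexImageError as exc:
        return str(exc)
    return None


# Constructed sample images (not taken from any real card or tool).
GOOD_IMAGE = """\
:020000040000FA
:048000000102030472
:02800400AA557B
:00000001FF
"""
# Same data records, but the extended linear address moves them to 0x18000.
REDIRECTED_IMAGE = GOOD_IMAGE.replace(":020000040000FA", ":020000040001F9")
# One data byte altered without updating the record checksum.
CORRUPTED_IMAGE = GOOD_IMAGE.replace("AA557B", "AA567B")
# End-of-file record missing, as after an interrupted transfer.
TRUNCATED_IMAGE = GOOD_IMAGE.replace(":00000001FF\n", "")

if __name__ == "__main__":
    for name in ("GOOD_IMAGE", "REDIRECTED_IMAGE", "CORRUPTED_IMAGE", "TRUNCATED_IMAGE"):
        print(name, "->", rejection_reason(globals()[name]) or "accepted")
```

The redirected image is the case a check on the 16-bit record address alone would miss: each data record still says 0x8000, but the preceding extended address record places it outside the window.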

Atmel sells a development kit for building your own smart
cards from scratch using flash memory AVR chips.

A particularly interesting development in the blank card area are
the PIC cards being offered by MDS. See also the discussion of creating
your own mask in the smart card operating section above.

Multisat (http://www.multisat.de/) makes some nice programmer
tools for those building their own smart cards.

Finim (http://www.electronic-devices.com/ and http://www.finimusa.com)
also makes some useful smart card development tools including serial
port paddle boards.

Cards and Loggers

- Card-Shop (http://www.card-shop.net/Cards/cards.html)
- hm-zeit ( http://www.hm-sat.de/shop/)
- Mr. Server (http://www.mr-server.de/c70.html)
- Olbort (http://www.olbort.at/bdm.htm)
- RTVShop (http://www.rtv-w.de/)
- Wafer Shop (http://www.wafer-shop.de/)

5.2 Smart Card Operating Systems

Some work has been done in research settings on the specification
of smart card operating systems and their components.  For example ...

http://citeseer.nj.nec.com/glaser96structuring.html
http://citeseer.nj.nec.com/44724.html
http://citeseer.nj.nec.com/hartel94towards.html
http://www.research.microsoft.com/scripts/pubs/view.asp?TR_ID=MSR-TR-99-07

Paul C. Clark and Lance J. Hoffman, "Bits: A Smartcard Protected
Operating System", Communications of the ACM, pp. 66 - 94, November
1994 Vol 37 Number 11.

Naccache, David and David M'Raïhi. 1996. Cryptographic
Smart Cards. IEEE Micro 6:14, 16-19, 21 - 24.

The following smart card operating systems can be licensed
independently and customized to a greater or lesser extent.

Apollo-CL
SC^2 (SC Squared)
2A Habarzel St., Ramat Hahayal
Tel Aviv 69710, Israel
E-Mail: ofira@nisko.co.il
Telephone: +972-(0)3-7657-331
FAX: +972-(0)3-6494-975
Web Site: www.scsquare.com

Caernarvon
Elaine Palmer
IBM T.J.Watson Research Center
P.O. Box 704
Yorktown Heights, NY 10598
E-Mail: erpalmer@us.ibm.com
Telephone: +1 914 784 6642
Fax: +1 914 784 6225

JayCOS
Philippe Fremy
10 impasse de l'harmonie
13016 Marseille, France
E-Mail: philippe.fremy@inseal.com
Telephone:  +33 6 07 98 76 44
Web Site: www.inseal.com

SMOS
Smart Card Solutions Limited
Farfield House
Albert Road,
Stow-cum-quy,
Cambridge, UK,
CB5 9AR
Telephone: +44 1223 810 250
Fax: +44 1223 810 251
Web Site: http://www.sc-solutions.co.uk/products/smos.htm

MTCOSBasic and MCOS Light / Standard / Pro
MaskTech GmbH
Buergermeister Herb Strasse 5a
87490 Boerwang
E-Mail: info@masktech.de
Telephone: +49 (0) 8304 923 285
Web Site: http://www.masktech.de

SwiftCOS
FORTH, Inc.
5155 W. Rosecrans Avenue, Suite 1018
Hawthorne, CA 90250  USA
Telephone: 800.55.FORTH (US and Canada) 310.491.3356
Fax: +1 310 978 9454
Web Site: http://www.forth.com

SmarTEC SmarteCOS
19834 Merritt Drive
Cupertino, CA 95014
Telephone: +1.415.874.7248
Fax: +1.408.516.8968
Web Site: http://www.smartecos.com
Todd Carper
E-Mail: todd@smartecos.com

Procos (Protekila Smart Card Operating System)
Protekila
Husrev Gerede Cd. No 112 D 6
Tesvikiye 80200
Istanbul Turkey
Telephone: +90 212 2610163
FAX: +90 212 2610494
E-Mail: info@protekila.com.tr

SuperTech STCOS
Address: Yinhua Building 16th Floor
Wuyi Middle Road
Changsha, Hunan 410011
China
Phone : (86)731-445-3191 (86)731-445-6556
Fax : (86)731-445-6319
Email : stsinfo@public.cs.hn.cn
E-mail : supertec@public.cs.hn.cn
Web Site : http://www.supertech.com.cn

Flash COS and Logos SIM iMP
Logos SmartCard
Sorgenfrivej 18
DK-2800 Kgs.Lyngby
Denmark
Mr. Mads Pii or
Mr. Hans Peter Riggelsen
Voice: (+45) 70 25 02 66
FAX: (+45) 70 25 02 67
sales@logossmartcard.com

STS-COS
SuperTech Systems, Inc.
2425 N. Central Expressway
Richardson, Texas 75080, USA
Tel: +1 (972)231-2037
FAX: +1 (972)231-2041
E-mail: stsinfo@supertechsystems.com
http://supertechsystems.com/products/COS.htm

AMOS-SC and AMOS-SIM
American Microdevice Manufacturing, Inc.
1830-A Bering Drive
San Jose, CA 95112-4226
California, USA
Voice: +1 (408) 573-7070
FAX: +1 (408) 573-7607

On-Track S2COS-5
Z.H.R. Industrial Zone
P.O.Box 32
Rosh Pina
12000 Israel
Tel: +972-6-6938884
Fax: +972-6-6938887
E-mail: ontrack@oti.co.il

Exceldata
http://www.exceldata.es
M.MAR ISO - ISO 7816 Card
M.MAR GSM - GSM SIM Card
M.MAR J+ - GSM SIM with J+ virtual machine
M.MAR CEN/WG.10 - CEN e-purse card

MioCOS
Peter Öhman
Miotec Oy
Kamreerintie 6
FIN-02770 ESPOO, FINLAND
Tel (+358) 9 8045 3094
FAX (+358) 9 859 4041
GSM (+358) 40 547 4905
peter.ohman@miotec.fi
www.miotec.fi

IBM MFC
Michael Schilling
Project Manager Smart Card Projects
schilling@de.ibm.com

IBM Java Card Operating System
Peter Buhler
bup@zurich.ibm.com

Gator and SCOS
Amazing Smart Card Technologies
1615 Wyatt Drive
Santa Clara, CA 95054
U.S.A.
Voice: +1 408 566 0300
FAX:   +1 408 748 7724
Email: sales@amazingtechnologies.com

Smart Card for Windows
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
U.S.A.
Contact: Mike Dusche
mdusche@microsoft.com

SCOS
Techtronics Ltd
Katesbridge
Thurlby
Bourne
Lincolnshire PE10 0EN
UK
Voice: +44 1778 562920
FAX:   +44 1778 561174
Email: sales@techtronics.com

SCOS
Personal Cipher Card Corporation (PC3)
3211 Bonnybrook Dr.
North Lakeland, FL 33811
Voice: +1 941 644 5026
FAX:   +1 941 644 1933
Contact: Kip Wheeler

Also available from
Micromodular Data Solutions
1582 Norman Avenue
Santa Clara CA 95054  USA
Voice: +1 408-986-9000
FAX: +1 408-986-9829
sales@micromodular.com

DVK1
SoftChip Technologies Ltd.
38 Nerot Shabbat St.
P.O. Box 23411
Jerusalem 91233
Israel
Voice: +972 2 5864086
FAX:   +972 2 5864008
Contact: Eitan Mizrotsky
eitan@softchip.com

Blue
eCash Technologies
Bothell, WA
David Watson
david.watson@ecashtechnologies.com

OSSCA
Keycorp Limited
Level 9
67 Albert Avenue
Chatswood NSW 2067
Australia
Voice: +61 2 9414 5297
FAX:   +61 2 9415 1363
http://www.keycorp.net

DKCCOS
Datakey
407 West Travelers Trail
Burnsville, MN 55337
Voice: 612-890-6850
FAX: 612-890-2726
http://www.datakey.com

Secure Java O/S
David Samyde, quadra@worldnet.fr
Gilles Dumortier, dgil@ieee.org
www.jayacard.org

Siemens CardOS M3 and M4
Werner Braun
werner.braun@nbg.siemens.de
Information and Communication Group,
Smart Cards and Security
Otto-Hahn-Ring 6
D-81730 Munich
Germany
FAX: +49 (0)89 636 46400
http://www.siemens.com/sbs/en/offerings/services/SmartCard/Products/cardos_m4.html

WebKomputing
649 S Main St.
Milpitas, CA 95035
Phone: +1 408-262-8638
http://www.webkomputing.com

Hive Minded, Inc.
2110A Vine Street,
Berkeley, California, 94709
USA
info@hiveminded.com
http://www.hiveminded.com

Check out VCT to license a number of different operating systems:

- http://www.vct.com/VCT/website/smartcardsoftware.html

Simple Operating System for Smartcard Education
http://www.franken.de/users/mbsks/sosse/index.html

If you license one of these operating systems or write your
own the next step is getting it onto a smart card. Most
of the chip manufacturers can supply "blank" cards that
contain a simple loader in ROM which will load your O/S
into EEPROM and run it from there.  Unfortunately you may have
to commit to very large orders and pledge your first born
child in order to get these loader cards.  The old economy
smart card manufacturers could also provide this service but
they won't because they want to sell you cards containing
their operating systems.

There are a growing number of firms that are setting about
to serve the exploding demand for low-volume batches of custom
smart cards.  Here are some to check out:

- ACG (http://www.acg.de)
- Alegra Technologies (http://www.alegratechnologies.com)
- EM2 (http://www.em2-outsourcing.com)
- Emosyn (http://www.emosyn.com)
- Micromodular Data Solutions (http://www.micromodular.com)
- Multisat (http://www.multisat.de/)
- Ordacard (http://www.ordacard.com)
- Versatile Card Technologies (http://www.versacard.com)
- Winter Wertdruck (http://www.winter-ag.com)
- Zeitcontrol (http://www.zeitcontrol.com)

The GNU folks have a program for managing passwords on
smart cards.
- GnuPOC http://www.gnu.org/software/poc/poc.html

5.4 Smart Card Virtual Machines

There are lots of virtual machines (also known as byte-code
interpreters and runtime environments) available for use on smart cards.
The two best known ones are the MULTOS virtual machine that runs on-card
programs written in C and the Java Card virtual machine that runs on-card
programs written in Java.

Unless you build your own card from the silicon up we aren't quite in the
era where you can pick an operating system from vendor A and a virtual
machine from vendor B but we're getting there.

Here's the list of currently available smart card virtual machines
categorized by the primary programming language used to write the
on-card application.  Of course since all of these are byte-code
interpreters you can write in any language you like as long as you have
a compiler from the source language to the virtual machine byte codes.

C Programming Language
----------------------
MAOSCO MULTOS
Hiveminded Smartcard.NET
Sospita QX

Basic Programming Language
--------------------------
Zeitcontrol BasicCard
Smart Card Integrators S-Choice
MaskTech MTCOSBasic

Forth Programming Language
--------------------------
Keycorp OSSCA
Forth Inc. SwiftCOS

Java Programming Language
-------------------------
IBM Java Card Open Platform (JCOP)
Exceldata M.MAR J+
OneEighty Software ORIGIN-J
Fujitsu HIPERSIM
Aspects Software OS755
jayaCard (www.jayacard.org)

In spite of all the hype, Java Cards are not compatible.  You
can't reliably move source code between Java Cards let alone byte
code executables.  Like J2ME, Sun sells licenses to implementors
and has no business interest in making sure implementations are
interoperable.  Java Card implementors on the other hand have every
business interest to make sure you can't move applets developed
for their Java Cards to other Java Cards.  Therefore it is no
surprise that the result is non-interoperable implementations.

5.5 Java Card Emulators, Simulators and Formal Models

Sun originally posted a reference implementation of Java
Card on the Web but it has since been pulled.  There are
however a growing number of independently developed Java
Card emulators appearing.  These let you get beyond the
marketing brochures and see how Java Cards really work.

- http://sourceforge.net/projects/jayacard/
- http://sourceforge.net/projects/smartsign
- http://sourceforge.net/projects/jcatools

J Strother Moore and Hanbing Liu are developing a series of more and
more capable Java Card executable formal models in ACL2.  The interesting
thing about using ACL2 is that you can export the formal model into
C and have a reference implementation of a Java Card whose security
properties have been proven.

This work started in 1997 with Richard Cohen's work on the
Defensive Java Card ...

- http://www.cli.com/software/djvm/

J Moore's work started with a Tiny JVM ...

- http://www.cs.utexas.edu/users/moore/publications/tjvm/tjvm.lisp

The current work is described in ...

- http://www.cs.utexas.edu/users/moore/publications/jvm_simulator_in_lisp_0528.ps

The ACL2 home page is ...

- http://www.cs.utexas.edu/users/moore/acl2/acl2-doc.html

Gemplus has also done a paper formal model ...

- http://www.gemplus.com/smart/r_d/publications/download/LISBONNE.pdf

6. Fixed-Command Smart Cards, Readers and Tools

6.1 Fixed-Command Smart Cards

Smart cards for developers come in four forms:

- off-the-shelf programmable cards
- off-the-shelf non-programmable cards
- smart card software development kits (SDKs)
- application-specific packages

Off-the-Shelf Programmable Cards
================================
Programmable cards such as the Multos card, Microsoft's Smart Card for
Windows, Zeitcontrol's Basic Card and the many Java Cards offer the
developer maximum flexibility at the cost of some performance.  With these
cards you can download a program to the card that implements the
commands that you want your application to use to access the card.
In other words, you control both the host side and the card side.
All of these cards run a virtual machine on the card which interprets
the downloaded code.

Everybody and his dog are putting out Java Cards these days.  In spite of
the "Write-Once-Run-Everywhere" hype, there is no binary compatibility
between them.  To move an applet from one card to another you have to
have the source code and recompile it.  What's worse is that there is not
even source compatibility between the various versions of the Java Card
specifications.

There is a vast speed difference between competing implementations of the
Java Card Virtual Machine. The IBM JVM called JCOP is the fastest EEPROM
implementation.  It is roughly five (5) times faster than the other
EEPROM implementations. The Fujitsu implementation is even faster than
JCOP due in no small part to the use of FRAM rather than EEPROM memory.

- Gemplus GemXpresso RAD 211 (www.gemplus.com)
- Giesecke & Devrient Sm@rtCafé (www.gdm.de)
- Oberthur GalactiC (www.oberthurusa.com)
- Schlumberger Cyberflex (www.cardstore.slb.com)
- IBM Java Card (Peter Buhler at bup@zurich.ibm.com)
- Aspects Software (www.aspects-sw.com)
- Microelectronica Espanola (www.exceldata.es)
- I'M Technologies (www.imcorporation.com)
- Datacard Aptura (www.datacard.com)
- Fujitsu HIPERSIM (www.fujitsu.com)
- Datakey Model 330J (www.datakey.com)
- WebKomputing (www.webkomputing.com)

Motorola fielded a 32-bit smart card with a 32-bit Java Card
implementation but it's gone.

IBM has put up a good Web resource on Java Card at
http://www.zurich.ibm.com/csc/infosec/smartcard.html.

In general it is difficult to compile non-Java languages to a Java
virtual machine.  Thus, if you use a Java card you are stuck with
using the Java programming language. Bug or feature, your choice.

Two programmable card designers have taken a different approach which is to
provide a language-independent virtual machine on the card and let the
programmer write in any one of a number of languages and then compile this
language to the virtual machine.

- Multos (www.multos.com) - C, Java, and assembler (MEL)
- Microsoft (www.microsoft.com/smartcard) - Visual Basic, C, and assembler (RTE)

The ZeitControl (www.zeitcontrol.de) Basic card sports a
language-independent virtual machine but only a Basic compiler is
available for it.  The ZeitControl SDK is available from Versatile Card
Technology (http://www.versacard.com)

Hiveminded (www.hiveminded.com) has announced a smart card based on
Microsoft-designed and ECMA-standardized .NET architecture.  Smartcard.NET
supports multiple programming languages.


Off-the-Shelf Non-Programmable Cards
====================================
Off-the-shelf non-programmable cards are "classic" smart cards
with fixed command sets. You can send commands to these cards through
the smart card reader API or through the PC/SC or OpenCard APIs. If you
go this route be sure to get the detailed technical documentation
for the card including a bit-level description of each command
the card supports, the files and the file system, the access controls
on the files, and any keys you need to unlock the card.

- Deutsche Telekom (http://www.telesec.de)
 Company Multifunction Card
 TCOS Cryptographic Card
- Schlumberger (http://www.cardstore.slb.com)
 Multiflex
 Cyberflex
 Cryptoflex
 MicroPayflex
- Gemplus (http://store.gemplus.com)
 GEMSafe (http://www.gemsafe.com)
- IBM MFC 4.1
 Available from ComCard (http://www.comcard.de)
 Contact Mr. Haertel (haertel@comcard.de) or
 Mandy Oeser (oeser@comcard.de)

Schlumberger makes the full documentation for their multi-purpose card,
Multiflex, and their cryptographic card, Cryptoflex, available for free
on-line at http://cardstore.slb.com; click down to the individual card
descriptions to find the docs.

Application-Specific Packages
=============================
Application-specific, ready-to-go packages are expensive and they may only work
with certain cards but if you only have one thing to do they can get
on the air very quickly. Examples of application-specific packages:

- ActivCard Services Integration Kit (http://www.activcard.com)
- Gemplus GEMSafe (http://www.gemplus.com)
- Litronic Netsign (http://www.litronic.com)
- Schlumberger Cryptoflex Security Kit (http://www.cardstore.slb.com)


Tools and Libraries
===================
Freeware Smart Card Tools and Libraries
- SCEZ Library (http://www.franken.de/crypt/scez.html)
- UMich Library (http://www.citi.umich.edu/projects/smartcard/sc7816.html)
- PC/SC software (http://www.pcsc.pl/VAS/index.html)
- ttfn (http://www.ttfn.net/techno/smartcards/software.html)
- ActiveX Component (http://www.prioregroup.com/)

Other Smart Card Tools and Libraries
- DataKey SignaSURE DTK (http://www.datakey.com)
- Flint Smart (http://www.flint.co.uk)
- Giesecke & Devrient STARCOS Tool Kit (http://www.gdm.de)
- Metrowerks (www.metrowerks.com) - a Java Card development system
- Schlumberger (cardstore.slb.com) - Cyberflex Java Card development kit
- Smart Dynamics EZ Formatter (http://www.smartdynamics.com/software.htm)
- Smart Toolz (http://www.smarttoolz.com)
- Utimaco (http://www.utimaco.com)
- Card-Lab (http://www.card-lab.com)
- Jaiger's Smartcard Downloads (http://www.innovationsw.com/~jaiger/downloads/smartcard.html)

Card-Lab has created a combined simulator/emulator for Multos.  Check
it out at www.card-lab.com.

A really useful tool for use with the Windows PC/SC stack is the WinSCard
APDU View Utility available at http://www.fernandes.org/apduview/index.html.

Dmitry Basko has posted open source for a PC/SC driver at
http://www.dbasko.com along with a bunch of nice PC/SC utilities.

A smart card API for Delphi can be found at http://www.ppuvas.com.pl.

AET provides software that supports PKCS#11 on several platforms (Windows
95 / 98 / SE / ME / NT4.0, Windows 2000 / XP, Linux, MAC OS X). See
- http://www.aeteurope.nl/index.html

Currently they support G&D StarCos card (ITSEC E4 high evaluated) and
Rainbow iKey 3000 USB tokens.

Jaiger has some useful tools for Linux and M.U.S.C.L.E.

Some M.U.S.C.L.E. tools for loading Java Card applets can be found at:
- http://vrweb.de/~martin.buechler/smartcard/CFlexAccess32Loader.zip
- http://home.vr-web.de/~martin.buechler/smartcard/loaderlibs.tgz

Here's a slick little tool for use with the Windows smart card interface
which is called winscard.dll:

- http://www.fernandes.org/apduview/index.html

Here are some useful PC/SC tools:

- http://ludovic.rousseau.free.fr/softwares/pcsc-tools/

Finally, if you have a card but you don't know what card it is, you can
sometimes tell from the string that the card shoots back when it is
turned on. This is called the Answer-To-Reset string or just the ATR.
Here's a list of some ATRs:

- http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
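
An added sketch (not from the original FAQ or from pcsc-tools) of how an ATR is taken apart following ISO/IEC 7816-3, so that the offered protocols and the historical bytes can be compared against a list like the one above.  Both sample ATRs are constructed for the illustration and do not belong to real cards.

```python
"""Parse an ISO/IEC 7816-3 Answer-To-Reset (ATR) into its fields."""


class ATRError(ValueError):
    """Raised for a truncated, over-long or checksum-failing ATR."""


def parse_atr(atr_hex):
    """Return convention, protocols, interface bytes and historical bytes."""
    try:
        atr = bytes.fromhex(atr_hex)
    except ValueError:
        raise ATRError("ATR is not valid hex") from None
    if not 2 <= len(atr) <= 33:
        raise ATRError("an ATR is TS plus at most 32 further bytes")
    if atr[0] not in (0x3B, 0x3F):
        raise ATRError("TS must be 3B (direct) or 3F (inverse convention)")
    pos = 1

    def take(what):
        """Consume one byte, failing cleanly if the card sent too few."""
        nonlocal pos
        if pos >= len(atr):
            raise ATRError(f"ATR ends before {what}")
        pos += 1
        return atr[pos - 1]

    # T0: high nibble says which of TA1..TD1 follow, low nibble counts
    # the historical bytes.
    t0 = take("T0")
    presence, hist_len = t0 >> 4, t0 & 0x0F
    interface, indicated, group = {}, [], 1
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC")):
            if presence & bit:
                interface[f"{name}{group}"] = take(f"{name}{group}")
        if not presence & 0x8:
            break
        # TDi: high nibble announces the next group, low nibble names a protocol.
        td = take(f"TD{group}")
        interface[f"TD{group}"] = td
        presence = td >> 4
        indicated.append(td & 0x0F)
        group += 1
    historical = bytes(take("a historical byte") for _ in range(hist_len))

    # TCK is present only when something other than T=0 is indicated; it makes
    # the XOR of every byte from T0 through TCK equal to zero.
    has_tck = any(t != 0 for t in indicated)
    if has_tck:
        take("TCK")
        checksum = 0
        for byte in atr[1:pos]:
            checksum ^= byte
        if checksum:
            raise ATRError("TCK check failed")
    if pos != len(atr):
        raise ATRError("trailing bytes after the ATR")
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        # T=15 marks global interface bytes, not a transmission protocol;
        # with no TD byte at all the card offers T=0 implicitly.
        "protocols": sorted({t for t in indicated if t != 15}) or [0],
        "interface": interface,
        "historical": historical,
        "has_tck": has_tck,
    }


def atr_problem(atr_hex):
    """Return None for a well-formed ATR, otherwise the reason it is rejected."""
    try:
        parse_atr(atr_hex)
    except ATRError as exc:
        return str(exc)
    return None


# Constructed sample ATRs (not from real cards).
ATR_T0 = "3B 13 11 41 42 43"                    # T=0 only, historical "ABC", no TCK
ATR_T1 = "3B 94 11 81 31 FE 45 54 45 53 54 98"  # T=1, historical "TEST", TCK=98

if __name__ == "__main__":
    for sample in (ATR_T0, ATR_T1):
        print(sample, "->", parse_atr(sample))
```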

6.2 Smart Card Readers

Smart card readers used to come with their own homegrown APIs and not look
like other peripheral devices in the computing environment.  A group
of companies got together to create a specification for treating smart
card readers as standard peripherals.  This specification is called
Personal Computer/Smart Card or PC/SC for short.  The PC/SC specification
has been implemented on Windows and Linux.  The multi-part specification
can be obtained at http://www.pcscworkgroup.com.

The list of PC/SC readers that work with Windows can be found at:

- http://www.microsoft.com/hcl/default.asp

under Smart Card Readers.

Linux PC/SC implementations for many smart card readers can be found at

- http://www.linuxnet.com

Smart card reader manufacturers that sell readers in small quantities
include:

- Advanced Card Systems (http://www.acs.com.hk)
- American Biometric (http://www.abio.com)
- ASK (http://www.ask.fr)
- Athena (http://www.athena-scs.com)
- Bull SC&T (http://www.cp8.bull.com)
- Castles Automation (http://www.casauto.com.tw)
- Celo (http://www.celocom.com)
- Cherry (http://www.cherrycorp.com/english/advanced-line/index.htm)
- Datamega (http://www.datamega.com)
- DeLaRue (http://www.delarue.com)
- Epsilon Electronics (http://www.eps.no)
- Firstoi (http://www.firsttoy.com)
- Fischer International Systems (http://www.fisc.com)
- Gemplus (http://www.gemplus.com)
- Indala (http://www.indala.com)
- Inside Technologies (http://www.insidefr.com)
- Intertex (http://www.intertex.se)
- Litronic (http://www.litronic.com)
- Maxking (http://www.maxking.com/minimax.html)
- Omnikey (http://www.omnikey.com)
- Omron (http://www.omron.com)
- Rainbow Technologies (http://www.rainbow.com)
- Schlumberger (http://www.slb.com/smartcards)
- SCM Microsystems (http://www.scmmicro.com)
- SDLogic Technologies (http://www.sdlogic.com)
- SecureTech (http://www.securetech-corp.com)
- SmartCard Laboratory (http://www.smartcardlab.com)
- Todos (http://www.todos.se/argosminiindex.htm)
- Towitoko (http://www.txsystems.com)
- Uniform Industrial (http://www.uicusa.com)
- Utimaco (http://www.utimaco.com)
- Zeitcontrol (http://www.cybermouse.de)

There is an innovative rack-mounted reader at
- SmartMount (www.smartmount.co.uk)

Maxking even provides schematics for you to build your
own smart card reader.

Here's a high-end reader that is connected with its
own Cryptographic Service Provider:

- http://www.wave.com/technology/csp.html

Here are some schematics for building your own reader:

- http://www.technick.net/index.php?load_page=http%3A//www.technick.net/cir_smartcardemu.php

There are a growing number of portable or handheld readers.
Most of them can double as a serial port reader on your PC.

- Xiring Multigame (www.xiring.com)
- Spyrus Personal Access Reader (www.spyrus.com)
- Towitoko Chip Drive Mobile (www.towitoko.de)

Almost all readers are micro-processor based and contain an
internal API of some sort.  Smart card reader manufacturers
have been slow to surface these APIs to allow smart card developers
to build their own application-specific functionality into the
readers. A delightful exception is Traditor in Finland which makes
a nice line of smart card readers with SDKs.  Contact Antti Saksa
at aes@traditor.fi.  The Spyrus Rosetta PAR 2 (Personal Access
Reader) (www.spyrus.com) has a programmable API and program loading
features.

There is a German standard for smart card readers called the Card
Terminal Application Programming Interface (CT-API). There is
an English version of the specification at
http://www.microdatec.de/download/ctapi11e.pdf

The Small Terminal Interoperability Platform consortium is trying to
standardize smart card terminals. The latest version of their
specification is available at their Web site (http://www.stipgroup.org/).
Rarely does one see so much code do so little.

Europay International (http://www.europay.com) has also put together a
specification for terminals called the Open Terminal Architecture (OTA).
OTA includes a Forth virtual machine. The OTA VM is a derivative of the
FORTH VM designed by MicroProcessor Engineering (www.mpeltd.demon.co.uk)
for the SENDIT Esprit project. The VM uses a two-stack architecture derived
from Forth, and extended to be language neutral so that code can be compiled
from languages other than Forth.  C is in fact used more than Forth.
Europay has submitted this specification for ISO standardization.

Bull is pushing an Electronic Funds Transfer Point Of Sale (EFT-POS)
terminal based on Sun's K virtual machine (which should not be confused
with a virtual machine for the K programming language found at
http://www.kx.com).

Point of Sale (POS) terminals have a lot in common with smart
card readers.  Check out:

- Hal Stile's POS Page (http://www.beachnet.com/~hstiles/posl2.html)

A number of efforts are underway to improve the speed of communication
between the smart card and the terminal.  Most of these use the two
spare contacts on the module interface. The USB protocol is a popular
candidate and it is in the process of being standardized through the
ISO process.

6.3 Software Tools

There are a number of software tools available for working with
smart cards (even setting aside all the DSS hacking tools which
we won't cover).

SmartX by ThinkPulse was an XML script that makes one smart card
look like another or like a fantasy smart card such as one that
abides by the ISO standards.

The Smart Card Explorer by Smart Dynamics (http://www.smartdynamics.com/)
lets you configure smart card file systems.  It works with a number
of different cards and card readers and includes a scripting
language that lets you add your own.  Unfortunately, it doesn't
run on top of PC/SC.

Smart Toolz (http://www.smarttoolz.com/) provides software and APIs
that work with CardLogix smart cards.  CardLogix (www.cardlogix.com)
also provides software that supports these cards.  The Smart Toolz
and CardLogix packages also support CardLogix's memory cards.

Netissimo (http://www.netissimo.com) is a smart card SDK for Internet
applications.

PocketServer (http://www.pocketserver.com) is a smart card and smart
card SDK for personal information and transaction processing.

One of the best books on smart card hardware is the Smart Card Handbook
by Wolfgang Rankl and Wolfgang Effing.  The first author has made
available a freeware smart card simulator written in Visual Basic.
http://www.geocities.com/SiliconValley/Foothills/4710/tscs.html.

IFDTEST is a program that was built to exercise a card reader and
check it for PC/SC compliance.  It is also a very handy low-level,
command-line card editor.  You can download it from
http://www.microsoft.com/hwtest/device/smartcard.asp.

The list of all the readers that are PC/SC compliant is at
http://www.microsoft.com/hcl/

A Smart Card Framework for .NET applications called the SmartCard
Subsembly for .NET is available from:

- http://subsembly.com/

It does for .NET what OpenCard tried to do for Java.

6.4 Operational Hints

To kickstart the Smart Card Service on most versions of Windows you should
try reinstalling the service.  Enter the following lines at the console
prompt:

%windir%\system32\scardsvr reinstall
regsvr32 %windir%\system32\scardssp.dll

Lots of good smart card utilities and tools:

- http://www.linuxnet.com/apps.html


7. Programmable and Multi-Application Smart Cards

7.1 General Purpose Programmable Cards

Perhaps the most revolutionary event in the history of smart cards over the
last 25 years is the recent emergence of programmable smart cards. Rather
than freezing the program that runs in the smart card in read-only memory at
the time the card is manufactured, programmable smart cards let you add
executable code to the smart card at any time in its lifetime. The primary
intended use of programmable smart cards is to create multi-application
smart cards on which applications can be added and deleted at will. Thus you
might decide to get rid of the Koffee Klub Frequent Drinker program and add
the Budapest Transport System ticket program.

There are a number of programmable smart cards on the market. Some can be
programmed in high-level languages, some can be programmed in virtual
assembly language and some can only be programmed in the assembly language
of the chip on the smart card.

The Basic Card from Zeitcontrol (www.basiccard.com) can be programmed in
Basic. Zeitcontrol has done an excellent job of integrating the development
of the program on the smart card with the development of the program on the
host or terminal that is using it.  The Basic Card is available directly
from Zeitcontrol and from Versatile Card Technologies in the US.

The MULTOS (www.multos.com) smart card is a smart card defined by MAOSCO, a
spin-off of MONDEX and MasterCard. The MULTOS card can be programmed in C,
Java, Basic and MEL (MAOS Executable Language), which is the assembly
language for the virtual machine on the card.

Keycorp (www.keycorp.com.au) once marketed a smart card called OSSCA
(Operating System for Smart Card Applications) which you could program
in the Forth language.  This may have been the first smart card with
a virtual machine.

The HOST operating system from Oberthur (www.oberthurusa.com) is also
advertised as supporting the field loading of interpreted applications
written in an undefined high-level language.  Contact Michael Cariou
of Oberthur for details (michael.cariou@Oberthurusa.com).

Both Spyrus (www.spyrus.com) and Datakey (www.datakey.com) have cards
that let you add programs written in native assembler if you are
approved by their respective creators. The operating system on the
Spyrus card is called SPYCOS and the operating system on the Datakey
card is called DKCCOS.

Java Card
---------
A number of card manufacturers have announced smart cards which can be
programmed in Java.  Each defines its own Java byte code set so you can't
take an applet off the card of one manufacturer and run it on the card of
another. This problem has been recognized and is starting to change
for the better. The Java Card Forum (www.javacardforum.org) controls
the technical specification of the Java Card.  Only Schlumberger sells
its Java Card and Software Development Kit (SDK) on-line:

- Schlumberger: Cyberflex, http://www.cardstore.slb.com

The other vendors of Java Cards and Java Card SDKs are:

- Aspects Software: http://www.aspects-sw.com
- Gemplus: GemXpresso, http://www.gemplus.com
- Oberthur: Galactic, http://www.oberthursc.com
- Giesecke & Devrient: Sm@rtCafe, http://www.gdm.de
- IBM: http://www.zurich.ibm.com/csc/infosec/smartcard.html
- Fujitsu: http://edevice.fujitsu.com/fj/CATALOG/PDF/a05000263e.pdf
- Logos Smart Card: http://www.logossmartcard.com/

The current version of Java Card is 2.2.1.

Applet loader for the M.U.S.C.L.E. Card

- http://www.vrweb.de/~martin.buechler/smartcard/CFlexAccess32Loader.zip

.NET Card
---------

Hive Minded (www.hiveminded.com) has created a .NET smart card
that sports a language-independent virtual machine and lots of
other goodies.

7.2 Programmable SIM Cards

The SIM cards in GSM mobile phones (and soon other mobile phones and
wireless communication devices) sport an application programming interface
called the SIM Application Toolkit or SAT for short.

There are at least ten SIM cards that support SAT.

Eight run applications written in Java:

- Schlumberger's SIMera
- Gemplus' GemXplore98
- Oberthur's SIMphonic
- Orga's SIMtelligence
- Giesecke & Devrient's StarSIM
- Excedata's M.MAR J+ SIM
- Xponcard
- I'M Technologies's Java SIM Card
- Aspects Software

All of these are separate from the general purpose Java
card offered by these vendors.  They cost more than the
general purpose SDKs and are harder to order.

Mobile-Mind (www.mobile-mind.com) has written SIM, USIM and
SIM Toolkit applications that run on the MULTOS smart card.

Microelectronica offers a SIM card with SAT

- http://www.exceldata.es/tarjet_i/itarjba.htm

as does Miotec

- http://www.miotec.fi

and Setec Oy

- http://www.setec.fi/

7.3 Contactless

Contactless card applications are starting to get some traction
outside the transportation industry.  Think of a contactless
card as a secure RFID tag.  There are a number of kits on the
market that let you explore contactless card application development:

- http://www.ask.fr/

- http://www.insidefr.com/products/kits.htm

- http://www.epicard.com/contactless/products/

- http://www.supertechsystems.com

- http://smartechnology.com.au/index1.htm

- http://www.topcard-monetique.com/anglais/summary/summaryd.htm

- http://www.epsys.no/sreaders.htm

- http://www.athena-scs.com

- http://www.omron.com/card/rfid/prod/v720/kit.html

- http://www.microchip.com/1000/pline/tools/index.htm

- http://www.ehag.ch/HTML-Files/RFID/inside.htm

7.4 Other Form Factors

There is no reason why a smart card has to be a card or even an integrated
circuit. In fact smart card operating systems and smart card applications
are starting to show up on other form factors like hard disks and USB
dongles.

What it means for a smart card to be something other than a card is that the
smart card standards and interfaces are implemented on the alternative form
factor so that the device behaves like a smart card and incorporates all of
the smart card functionality like commands, files, access control lists,
etc., but it is not a card.

An example of this approach is described in:

US20050066191A1: System and method for delivering versatile security,
digital rights management, and privacy services from storage controllers

8. Vertical Markets and Associated Products

8.1 Smart Cards in SCADA Applications

Smart cards are starting to show up in some new places and none
are more interesting (IMHO) than system control and data acquisition
applications.  Their environmental robustness coupled with their
tamper-resistance makes them perfect places to collect data from or
inject sensitive information into autonomous digital systems.

Home medical applications are particularly interesting because
of the ease with which self-help patients can manage the
cards that are monitoring and controlling their treatments.
Respironics (http://www.respironics.com/ and
http://www.cpapman.com/respiron.html) has done some very
innovative work here with their Encore SmartCard.

We're also starting to see some patents in the area, for
example:

US6170742: Method for using a smart card for recording operations,
service and maintenance transactions and determining compliance
of regulatory and other scheduled events

US6122351: Method and system aiding medical diagnosis and
treatment by Med Graph.

8.2 Card and Application Management Systems

Once you start loading applications onto and unloading them from smart cards
after they have been issued, you immediately are confronted with the
problem of managing a card population where all the cards are different
and which can change their application load daily.  This is called the
card and application management problem.  Many people believe that card
and application management is where the trust goes into a card scheme
and the money comes out.

The Java Card Forum (www.javacardforum.org) has published an overview paper
that describes the problem.  It's free.  Justin Monk and Judy Henderson
have published a report entitled "Implementing a Multi-Application Smart
Card Project: A Practical Guide to the Smart Card Project Life Cycle"
available at SMi Publishing (http://www.smi-online.co.uk).  It costs $775.

There are a number of competing specifications and commercial
systems for doing card and application management.  The three
leading specifications are:

- MXI by MAOSCO (http://www.multos.com)
- Open Platform by the Global Platform (http://www.globalplatform.org)
- PMA (Platform Management Architecture) by platform7
  (http://www.platform7.com)

Only the MAOSCO specification has been converted to a fielded system.
It is in actual use and in fact has been for a number of years.  There
have been some noises recently that the Visa system (Open Platform)
and the MasterCard system (MXI) are going to at least interoperate which
means essentially that they will recognize and support each other's cards.

The current version of the Open Platform specification is at
http://www.visa.com/nt/suppliers/open/docs.html.

There are a number of commercial systems that have set about to solve
the card and application management problem including

- ACI Worldwide (http://www.acismartcard.com)
- ActivCard (www.activcard.com)
- Cardbase Technologies (http://www.cardbase.com)
- Cards etc (http://www.cardsetc.com)
- DataCard (http://www.datacard.com)
- Intercede (http://www.intercede.com/)
- Logica (http://www.logica.com)
- Oberthur (http://www-usa.oberthur.com)
- RSA (http://www.rsa.com)
- Total System Services (http://www.totalsystem.com)
- NBS Technologies (http://www.ubiqinc.com)

Most of the major smart card manufacturers are also fielding card and
application management systems.

Total System Services and DataCard have implemented a version
of the Visa GlobalPlatform card management system.  Gemplus and
IBM have also announced a system.  Both are in the press release
stage of development.

9. Resources

9.1 Smart Card Courses

9.2 Vendor-Specific Forums and Newsgroups

Some of the vendors run discussion forums or newsgroups to catch
questions about their products and provide answers.

- Schlumberger Cyberflex: http://www.cyberflex.slb.com/Support/support.html
- Gemplus: http://www.gemplus.com/smart/dev/index.html

9.3 Newsgroups

There is a French smart card group at:

news:fr.comp.carte-a-puce

Besides alt.technology.smartcards and fr.comp.carte-a-puce, there are other
newsgroups that, while not devoted exclusively to smart cards, carry
information relevant to smart cards.

- news:alt.microcontrollers.8bit - Discussion of CPUs like those in smart
  cards
- news:comp.arch.embedded - Good source of software and expertise
- news:sci.crypt - Different methods of data en/decryption
- news:sci.crypt.research - Cryptography, cryptanalysis, and related issues
- news:comp.security.misc - Security issues of computers and networks
- news:alt.security - Security issues on computer systems
- news:alt.satellite.tv.europe - Europe satellite TV watchers' forum
- news:alt.satellite.tv.crypt - Satellite TV payment systems security
- news:alt.microcontrollers - Low traffic
- news:comp.robotics.misc - Another good source of software and 8-bit
  experience.

The embedded software folks cover smart cards too:

http://www.embeddedsig.com/phpBB2/index.php

9.4 Pointer Farms

There are many smart card resources on the Web and they change so
quickly that it would be futile to try to list them all here. There are
however a number of people who have built wonderful pages of pointers to
smart card resources. Therefore rather than listing the original resources,
we just include pointers to these pages of pointers here.

CardsNow!
http://www.cardsnowasia.com/

Wolfgang Rankl's Smart Card Link Farm
http://www.wrankl.de/Links/Links.html

Peter Gutmann's Security Products
http://www.cs.auckland.ac.nz/~pgut001/links/products.html

E-Panorama
http://www.epanorama.net/links/smartcards.html

InfoSec on Smart Cards
http://www.infosyssec.org/infosyssec/secsmc1.htm

Peter J. Ognibene's List
http://members.aol.com/pjsmart/page4.htm

Sesam Vitale Health Card
http://www.sesam-vitale.fr/

Giovanni Motta's Smart Card Links
http://www.cs.brandeis.edu/~gim/smartcards.html

Tomi Engdahl's Card Technology Technology Page
http://www.epanorama.net/links/smartcards.html

Smart Card News (under Links)
http://www.smartcard.co.uk

Smart Card Resources on the Web
http://www.dice.ucl.ac.be/crypto/card.html

Smart Card Manufacturers and Services
http://www.smartcard.co.uk/links.html

Smart Card Security Information Page
http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm

General Smart Card Information
http://www.cryptsoft.com/scard/

Smart Card Security News
http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm

The Smart Card Cybershow
http://www.cardshow.com/

The Smart Card Club
http://www.smartcardclub.co.uk/

S. Prasad's Page of Pointers
http://home.att.net/~s-prasad/ecsc.htm

Smart Card Central
http://www.smartcardcentral.com/

Smart (U.S.) Government
http://smart.gov

Leo Van Hove's Master List of E-Purses
http://epso.intrasoft.lu/inventory/indexvanhove.cfm

Smart Cards On-Line
http://www.smartex.com/

Smart Card Basics
http://www.smartcardbasics.com/industrylinks.html

9.5 Smart Card Associations

Smart Card Group
http://www.smartcard.co.uk/

Smart Card Alliance (www.smartcardalliance.org).  This is a merger of
the two above organizations, SCIA and SCF. 26 Broadway, Suite 400,
New York, NY 10004, Phone: (212) 837-7713, Fax:  (212) 837-7720

ACT Canada (www.actcda.com) 831 Miriam Road, Pickering, Ontario, L1W 1X7
Voice: +1 905-420-3520, FAX: +1 905-420-27297

AIM USA (www.aimusa.org) 634 Alpha Drive Pittsburgh, PA 15238-2802
Voice: +1 412-963-8588 FAX: +1 412-963-8753 Email: adc@aimusa.org,
Tomo Razmilovic, Board Chairman

Electronic Funds Transfer Association (www.efta.org) 950 Herndon Parkway,
Suite 390, Herndon, VA 22070 Voice: +1 703-435-9800 FAX: +1 703-435-7157
Lisa Eyler, Director of Marketing

EuroSmart (www.eurosmart.com) Mr Lutz Martiny, Rue Montoyer, 47. B-1000
BRUSSELS. Voice: +32 2-506-88-68, Email: info@eurosmart.com

International Card Manufacturers Association (www.icma.com) 34-C Washington
Road Princeton Junction, NJ 08550 Voice: +1 609-799-4900
FAX: +1 609-799-7032 Justin D'Angelo, President

National Association of Campus Card Users (www.naccu.org) 21 Colony West,
Suite. 180, Durham, NC 27705, Voice: +1 919-403-2273 FAX: +1 919-403-1324

Global Chipcard Alliance (www.chipcard.org) 1420 Fifth Avenue, 22nd Floor
Suite 2222, Seattle, WA 98101, Seattle, Washington, USA, Voice: 206-613-4430
FAX: 206-613-4431

GlobalPlatform (www.globalplatform.org), PO Box 8999, San Francisco,
CA 94128-8999, USA, Voice: +1 650-432-4116, FAX: +1 650-432-3980.

9.6 Smart Card Centers and Laboratories

UCL Crypto Group, Microelectronics Laboratory,
http://www.dice.ucl.ac.be/crypto/

Center for Information Technology Integration at the University of Michigan
http://www.citi.umich.edu/projects/sinciti/smartcard


9.7 Conferences

A schedule of upcoming smart card conferences is maintained by the Smart
Card Club

- www.smartcardclub.co.uk/conferences.html

Cartes 20xx is the annual smart card show where the French give themselves
prizes.

- http://www.itsecurityexpo.com/en/2005/index.htm

CardTech/SecurTech conferences are held in the U.S. The proceedings
from these shows are useful summaries of the current state of the
market.

- www.ctst.com

Omnicard is the annual German smart card conference.

- www.omnicard.de

9.8 Books

Smart Card Handbook (Third Edition) by Wolfgang Rankl and Wolfgang Effing
... $142.79 at
http://www.amazon.com/exec/obidos/ASIN/0470856688/smartcarddevelopA/

Smart Card Handbook (Second Edition) by Wolfgang Rankl and Wolfgang Effing
... $155.00 at
http://www.amazon.com/exec/obidos/ASIN/0471988758/smartcarddevelopA/

Mobile Application Development with SMS and the SIM Toolkit by Scott
Guthery and Mary Cronin ... $59.95 at
http://www.amazon.com/exec/obidos/ASIN/0071375406/smartcarddevelopA/

Smart Card Manufacturing: A Practical Guide by Yahya Haghiri and
Thomas Tarantino ... $135.00 at
http://www.amazon.com/exec/obidos/ASIN/0471497673/smartcarddevelopA/

Smart Cards: A Developer's Toolkit by Tim Jurgensen and Scott
Guthery ... $44.99 at
http://www.amazon.com/exec/obidos/ASIN/0130937304/smartcarddevelopA/

Get Smart : The Emergence of Smart Cards in the United States and their
Pivotal Role in Internet Commerce by Chuck Wilson ... $35 at
http://www.amazon.com/exec/obidos/ASIN/0967446058

Smart Card Security and Applications by Mike Hendry ... $79 at
http://www.amazon.com/exec/obidos/ASIN/1580531563/smartcarddevelopA/

Smart Cards: a Case Study (IBM SG24-5239) by Jorge Ferrari, Robert
Mackinnon, Susan Poh, and Lakshman Yatawara ... $30 at www.redbooks.ibm.com.

Smart Cards: Seizing Strategic Business Opportunities by Catherine Allen and
William Barr (eds.) ... $26.25 at
http://www.amazon.com/exec/obidos/ASIN/0786311088/smartcarddevelopA/

Smart Cards: A Guide to Building and Managing Smart Card Applications by
Henry Dreifus and Thomas Monk ... $31.99 at
http://www.amazon.com/exec/obidos/ASIN/0471157481/smartcarddevelopA/

Smart Card Developers Kit (including a CD-ROM and a working smart card) by
Scott Guthery and Tim Jurgensen ... $79.95 at
http://www.amazon.com/exec/obidos/ASIN/1578700272/smartcarddevelopA/

Smart Cards: The Global Information Passport: Managing a Successful Smart
Card Program by Kaplan ... $44.95 at
http://www.amazon.com/exec/obidos/ASIN/0786311088/smartcarddevelopA/

Smart Cards by Jose Luis Zoreda and Jose Manuel Oton ... $67.00 at
http://www.amazon.com/exec/obidos/ASIN/0890066876/smartdevelopA/

Smart Card Application Development Using Java ... $59.95 at
http://www.amazon.com/exec/obidos/ASIN/3540658297/smartdevelopA/

Java Card Technology for Smart Cards ... $39.95 at
http://www.amazon.com/exec/obidos/ASIN/0201703297/smartdevelopA/

Implementing Electronic Card Payment Systems ... $39.95 at
http://www.amazon.com/exec/obidos/tg/detail/-/B0000A4FUN/103-6156959-1778202/smartdevelopA/

RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and
Identification by Klaus Finkenzeller ... $112.91 at
http://www.amazon.com/exec/obidos/tg/detail/-/0470844027

9.9 Newsletters and News Release Sites

Personal Identification Newsletter (PIN), Warfel & Miller Publishing,
12300 Twinbrook Parkway #300, Rockville, MD, 20852, Voice: +1 301 881-6668
FAX: +1 301-881-2554, Email: Cardsmarts@aol.com

Smart Card Monthly, Mr. Stephan Seidman, Editor & Publisher, P.O. Box
548, Lopez Island, WA 98261, Voice: +1 360-468-3570, FAX: +1 360-468-3571

Smart Cards and Comments, Mr. Jerome Svigals, Publisher, 221 Yarborough
Lane, Redwood City, CA 94061, Voice: +1 415-365-5920, FAX: +1 415-363-2198

The Nilson Report, Mr. H. Spencer Nilson , Publisher, P.O. Box 49936
(Barrington Station), Los Angeles, CA 90049, Voice: +1 310-396-0615,
FAX: +1 805-983-0792

World Card Technology, Ms. Jane Adams, International Managing Editor,
European Office: 42 Phoenix Court, Hawkins Road, Colchester, Essex CO2 8JY,
Voice: +44 31-337-3311, FAX: +44 31-337-7739

Smart Card News, PO Box 1383, Rottingdean Brighton, East Sussex
BN2 8WX United Kingdom Voice : +44 1273-236677, FAX : +44 1273-624433
Email: scn@pavilion.co.uk

Report on Smart Cards, 1333 H Street NW, Suite 100-East, Washington, D.C.,
20005-4606, Voice: +1 202-842-0520, FAX: +1 202 842-3023, www.tr.com.

Card News, Phillips Business Information, 1201 Seven Locks Road,
P.O. Box 60037, Potomac, MD 20859-0037, Voice: +1 301-424-3338,
FAX: +1 301-309-3847, Email: clientservices@phillips.com.

Card Technology, http://www.faulknergray.com/

Smart Card Central, http://www.smartcardcentral.com/

On-Line Smart Card Book
http://unix.be.eu.org/docs/smart-card-developer-kit/ewtoc.html

9.10 Consultants

These people can provide technical and marketing assistance in specifying,
designing, engineering and rolling-out a smart card program.

If you are a smart card consultant and would like to be added to this list
simply send an e-mail to Scott Guthery (sguthery@mobile-mind.com).

Philip E. Andreae
85 Normandale Road
Unionville, ON L3R 4J9
Voice: +1 (416) 508 4077
E-Mail: pea@andreae.com
www.andreae.com

David Birch
E-Mail: daveb@hyperion.co.uk
CONSULT HYPERION
Voice: +44 1483 301793
8 Frederick Sanger Road,
Guildford, Surrey, GU2 5YD, UK

Matthias Bruestle
E-Mail: matthias.bruestle@ecore.net
Siegertsbuehl 9
91077 Neunkirchen am Brand
Voice: +49-9134-995521
Fax: +49-9134-995722

Jacques Cabessa
Ingénieur informaticien indépendant
Software Consultant
http://www.cabessa-consulting.com/
Tel : + 33 (0)6 12 16 53 05
Fax : + 33 (0)1 45 89 50 41

Larry Carnes
E-Mail: larry.carnes@prodigy.net
Voice: +1 409 684 1290
P.O. Box 1068
Crystal Beach, TX 77650 USA

Bonar Dickson
E-Mail: bonar@xicom.com.au
Voice: +61 2 6290 0850
FAX: +61 2 6290 0851
Mobile: +61 0408 499 086
Unit 5, Southlands House,
18-28 Mawson Place,
Mawson ACT 2607
Canberra, Australia

Ian Donald
E-Mail: donaldif@iaccess.com.au
Voice: +61 3 9614 2400
FAX: +61 3 9614 2444
Level 2, 517 Flinders Lane
Melbourne Victoria 3000 Canada

Uli Dreifuerst
Open Domain Inc.
E-mail: u3f@opendomain.com
Voice: 925-855-0558
FAX: 925-855-0460
9 Crow Canyon Court Suite 100
San Ramon, CA 94583
USA

Henry Dreifus
Dreifus Associates, Ltd.
E-Mail: info@dreifus.com
Voice: +1 407 862-3398
P.O. Box 915746, Longwood,
FL 32791-5746 USA

Robert Elliott Phd
TekCard Corporation.
Voice 703.530-8144
Fax 703.530-8155
E-Mail Drbob1@gte.net
143 Forrest St
Manassas Park Va. 20111

Tim Jurgensen
E-Mail: tmjurgensen@jump.net
Voice:  +1 512 452 8090
Mobile: +1 512 965 4806
2720 Mt. Laurel Lane
Austin, TX 78703 USA

Klaus P. Karmann
E-Mail: karmann@t-online.de
European and German Patent Attorney
Franz-Albert-Str. 28c
80999 München
Germany
Voice: +49 700 PKarmann

Dmitriy Kruglyak
Aquave Group
E-Mail: dkruglyak@aquave.com
Voice: 650-329-0397
Mobile: 650-678-1480
www.aquave.com

METACA Corporation
460 Applewood Crescent,
Concord, Ontario, Canada L4K 4Z3
Tel.  (905) 761-8222
Fax. (905) 761-8220
sales@cards.ca

Micro Szience and Athena Five
25 Fell Mead, East Peckham,
Tonbridge, Kent, UK TN12 5EQ
Voice: +44 1622 873 102

Peter J. Ognibene
Smart Card Development Services
E-mail: pjsmart@aol.com
Voice: +1-301 434 8572
P.O. Box 3013
Silver Spring, Maryland 20918-3013
U.S.A.

Walter Oney
Consulting and Training
PC/SC drivers a specialty
http://www.oneysoft.com
E-Mail: waltoney@oneysoft.com

Dr. Gerd Pfeiffer
Unternehmensberatung Dr. Gerd Pfeiffer
Hängerweg 2
D-34281 Gudensberg
Germany
Phone: +49 5603 911855
Email: info@cardinsight.de

Jonathan Rosenne
QSM Programming Ltd.
E-Mail: rosenne@qsm.co.il
Voice: + 972 3 561 2015
Mobile: + 972 54 246 522
FAX: + 972 3 561 6049
74 Petah Tiqva Road
P O Box 51298
Tel Aviv 67215
Israel

Jim Russell
Russell Technology Associates
E-Mail: jfrussell1@aol.com
Voice: +1 302 234 3319
675 Montgomery Woods Drive,
Hockessin, DE 19707-9323 USA

Bill Shaw
Westbrook Systems
Email: bshaw@connix.com
Voice: 860-399-5334
176 Dennison Road
Westbrook,  CT  06498

Andrew W. Tarbox
Thornebrook Associates, LLC.
E-Mail: andy@thornebrook.com
Voice:  +1 518 279 1000
FAX:    +1 518 279 9677
Mobile  +1 518-441-8810
PO Box 3038 (Center Brunswick)
Troy, New York 12181-3038 USA

Hardy Tichenor
E-Mail: info@hardysoft.com
Voice: +1 415 331 5077
FAX: +1 415 331 5472
44 Edwards Avenue
Sausalito, CA 94965 USA

9.11 Smart Card Graphic Designers and Printers

These people can help you create the graphics to be printed on a smart card
and get the card produced.

Maria Nekam
Smart Card Design
Voice: +1 512 258 0758
Email: nekam@austin.rr.com

Paul Tripi or Jenny Baird
Data Manufacturing Inc.
Chesterfield, MO
Voice: +1 888 526 2273
http://www.datamfg.com

Micromodular Data Solutions
1582 Norman Avenue
Santa Clara CA 95054  USA
Voice: +1 408 986 9000
FAX:   +1 408 986 9829
Email: sales@micromodular.com
http://www.micromodular.com

Smart ID Card, Ltd.
450 N. Causeway Blvd., Suite D
Mandeville, LA 70448
Voice: +1 504 727 4865
FAX:   +1 504 727 0133
Email: sales@smartidcard.com
http://www.smartidcard.com

9.12 Smart Card Supplies (Card, readers, SDKs, etc.)

Alegra Technologies
Pittsburgh, Pennsylvania USA
Jim Canfield
jcanfield@alegratechnologies.com
Toll Free: 866-6ALEGRA
Phone: 412-771-7120
Fax: 412-771-7121

Bantry Technologies
25 Ballsbridge Terrace
Ballsbridge, Dublin 4
Ireland
Tel: +353 1 664 29 30
Fax: +353 1 664 29 33
http://www.bantry-technologies.com

CDN Print Plastic
91 Kelfield St, #6
Toronto, ON  Canada
M9W-5A4
Tel: (1) 416.240.7775
Fax: (1) 416.241.0825
http://www.cdnprintplastic.com/index.htm

Dawar Technologies
1020 Ridge Avenue
Pittsburgh, PA 15233
Phone: 800-366-1904
Phone: 412-322-9900
http://www.dawar.com/

Digital Solutions
www.smartcard.bz

Gemplus
http://store.gemplus.com

Net Informatique Services
http://www.nis-infor.com/

Nexsmart Technologies
2102 Business Center Dr. Suite 217
Irvine, CA 92612
U.S.A.
Tel: (949) 453-8588
Fax: (949) 453-8587
http://www.nexsmart.com/

Oak-Tech.com
Room 2607
APEC Plaza, 49 Hoi Yuen Road
Kwun Tong, Kowloon
Hong Kong
Phone: + (852) 2771 3898
FAX: + (852) 2771 3399
market@hkaok-tech.com
info@hkoak-tech.com
http://www.hkoak-tech.com

Schlumberger Smart Card Store
http://www.scmegastore.com/

SDLOGIC Technologies, Inc.
545 Thrush Dr.
Big Bear Lake, CA 92315-1403 USA
SDLOGIC Toll-Free Phone - Sales (866) 524-7272
SDLOGIC Toll-Free Phone - Tech Support (866) 584-8697
SDLOGIC Fax - (909) 878-4733
Sales / Dealer Enquiries Email: sales@sdlogic.com
Technical Support Email: techsupport@sdlogic.com
http://www.sdlogic.com/index.asp

Smart Card Integrators
1380 W. Washington Blvd.
Los Angeles, CA 90007
+1 213 743 9181
info@sci-s.com
http://www.sci-s.com

Smart Dynamics
3601 Wilson Blvd.
Suite 500
Arlington, VA 22201
Phone: (703) 312-7383
Fax: (703) 812-5190
http://www.smartdynamics.com/

SmartcardFocus
37 Kew Road,
Richmond,
Surrey TW9 2NQ,
UK
Voice (UK Customers): 0800 068 1219
Voice (Outside UK): +44 (0)20 8241 9596
Fax: +44 (0)20 8241 2192
http://www.smartcardfocus.com/
info@smartcardfocus.com

SMART-SOLUTIONS.CA
PO Box 48143
Bedford, NS
B4A 3Z2
http://www.smart-solutions.ca/
info@smart-solutions.ca

VCT
5200 Thatcher Road, Downers Grove, Illinois 60515
Telephone: (630) 852-5600
Fax: (630) 852-5817
Mr. Rome Jetté, Director Card Applications and Security (x265)
email: rome@versacard.com
http://www.basiccardusa.com/

Towitoko Inc.
9155 Brown Deer Road, Suite 1
San Diego, CA 92121
Ph. (858) 622-2004
Fax. (858) 622-2011
http://www.towitoko.com/home.html

VFJ Technology
33 Brookhollow Ave
Norwest Business Park
Baulkham Hills, NSW 2153
Australia
Telephone: +61 2 8853 8000
Facsimile: +61 2 8853 8088
Email: info@vfjtech.com.au
http://www.vfjtech.com.au/vfjhome.htm

Westai Media
http://www.westai.no/

ZeitControl
Cardsystems GmbH
Siedlerweg 39
D-32427 Minden
Germany
Tel.: +49 (0)571 50522-0
Fax: +49 (0)571 50522-99
eMail: info@basiccard.com
http://basiccard.com/

9.13 Smart Card Collectors

Smart card collecting has ebbed and flowed over the years.  Here's
a dated page of some folks that do or did at one time collect
smart cards:

http://www.cip.com.au/scard/collect.html

If you get hold of a smart card you can't identify, there is a
list of smart card ATRs at

http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

9.14 Smart Card Applications

There are some innovative applications of smart cards starting to appear.

Games: http://www.kaosc.com

Entertainment: http://www.statcard.com

Medical: http://www.respironics.com

Medical: http://www.cpapman.com/respiron.html

Laundry: http://www.macgray.com

9.15 Smart Card Companies Other Than the Big Four

- ACG: http://www.acg.de
- Advanced Card Systems: http://www.acs.com.hk
- ASK: www.ask.fr
- Aspects: http://www.aspects-sw.com
- CardLogix: http://www.cardlogix.com/
- Ecebs: http://www.ecebs.com/
- E-Smart: http://www.e-smartsystems.com
- Iris Smart Cards: http://www.iris.com.my
- Logos Smart Card: http://www.logossmartcard.com/
- Martsoft: http://www.martsoft.com/
- Microelectronica Espanola: http://www.exceldata.es/
- Novacard: http://www.novacard.de
- On Track Innovations: http://www.oti.co.il/
- SafeNet: www.safenet-inc.com
- Silcom: http://www.silcom.co.uk
- Smart Card Group: http://www.smartcard.co.uk/
- Smart Card Integrators: http://www.sci-s.com
- Smart Card Technology (SCT): http://sct.co.kr
- Smartec: http://www.smartecos.com/
- WebKcomputing: http://www.webkomputing.com
- ZeitControl: http://www.basiccard.com/

10. Legends and Lore

Security based on weak cryptography, obscurity and smash-mouth lawyers

- http://www.parodie.com/humpich/home.htm


