Frequently Asked Questions (FAQ) for news:alt.technology.smartcards
Comments and suggestions for improvement of the a.t.s. FAQ should be sent to Scott Guthery at sguthery@mobile-mind.com. The current edition of the FAQ is always available at www.scdk.com/atsfaq.htm.
CONTENTS
1. Purpose of alt.technology.smartcards
2. General Questions About Smart Cards
3. Standards, Specifications and Patents
4. Smart Card Hardware
5. Smart Card Operating Systems
6. Fixed-Command Smart Cards, Readers and Tools
7. Programmable and Multi-Application Smart Cards
8. Card and Application Management Systems
9. Resources
The purpose of alt.technology.smartcards is to provide an unmoderated forum for the discussion of technology, applications and issues associated with smart cards. It will serve as a resource for people to:
Engage in discussion and debate about technical and public policy issues including the security, privacy, legal, regulatory and economic impact of smart card applications.
Educate and inform others about the strength, weaknesses and general use of smart cards; share ideas, information and specific experience about smart cards, both in technology:
Find information and have questions answered by people in the smart card community.
A Smart Card is a credit-card-sized plastic card that contains an Integrated Circuit with memory, and circuitry controlling the access rules to the memory. Common Smart Cards use 5 to 8 golden contacts on one side of the card as a communication mean with a Smart Card Reader, and the Integrated Circuit is behind the contacts.
What makes the card "smart", compared to a memory card or magnetic card, is the enforcing of access control rules to the memory: for example some areas (like card holder name) might be made read-only after it is first written; and/or an area (holding the card value) might be written only in a manner allowing the value of the card to go down, not up. This access control can be performed by an 8-bit microcontroller similar to a Motorola 6805 or an Intel 8051, or by even simpler circuitry in low-end Smart Cards.
Here's a good overview of smart cards:
http://res.ufgartner.ufl.edu/datapro/2882-1.htm
Smart cards were independently invented in Germany (1967), Japan (1970), the United States (1972), and France (1974). In 1980, when France began a major campaign to export the technology, Roy Bright of the government's marketing organization, Intelmatique, coined the phrase "smart card" to describe the technology.
Most English dictionaries use "smart card" but you'll see both in use. In French it's "carte a puce" which is roughly "card of a flea". Tiny integrated circuit chips look like fleas.
Yes. http://www.scdk.com/atsfaq.htm.
Yes. www.google.com maintains an archive of all postings to a.t.s that is searchable in a number of different ways.
Only for TECHNICAL information. Please do not post here satellite card advertisement, channel keys, channel frequencies. Post here only information about algorithms, protocols, security breaches, ECMs.
alt.satellite.tv.crypt.forsale would probably generate more sales.
The rec.collecting hierarchy is probably a better selection.
There are all sorts of smart card standards. The physical and mechanical standards are observed more uniformly than the software standards.
An excellent annotated summary of most smart card standards is at:
http://forum.afnor.fr/afnor/WORK/AFNOR/GPN2/Z15Y/PUBLIC/WEB/ENGLISH/commerce.htm
and standards that are particularly relevent to payment cards at:
http://www.aston.ac.uk/smartcard/documentation/standards1.htm
ISO/IEC JTC1 Information technology SC 17 Identification cards and related devices (www.iso.ch/meme/JTC1SC17.html) is interested in common smart card issues. The ISO 7816 series of standards and the ETSI SMG9 standards are the most important and relevant for smart card application programmers.
ISO 7810 Identification cards -- Physical characteristics.
ISO/IEC 7812 Identification cards -- Identification of issuers.
ISO/IEC 7816 Identification cards -- Integrated circuit(s) with electrical contacts. A complete description of the ISO 7816 standards is provided in Section 3.2 below.
ISO/IEC 10536 Identification cards -- Contactless integrated circuit(s) cards. The standard specifies close coupling (slot and surface) cards communication (parts 1-3)
ISO/IEC 10373 Identification cards -- Test methods.
ISO/IEC 14443 Remote coupling communication cards. (Contactless cards)
ISO TC 68 Banking and related financial services SC 6 (www.iso.ch/meme/TC68SC6.html) Financial transaction cards, related media and operations is representing interest of smart payment card issuers and is developing the standard series ISO 10202 Financial transaction cards -- Security architecture of financial transaction systems using integrated circuit cards (parts 1-8).
EN 726 Terminal Equipment (TE); Requirements for IC cards and terminals for telecommunication use. The standard is the technical basis for smartcards in Europe.
In the U.S., the National Institute of Standards and Technology (NIST at http://csrc.ncsl.nist.gov/) has published FIPS 140-1 (http://csrc.nist.gov/publications/fips/fips1401.htm) "Security Requirements for Cryptographic Modules" concerns physical security of smart card IC-s as they are one kind of cryptographic modules.
The Swedish government is standardising a smart card for use by its citizens called the Secure Electronic Information in Society (SEIS) (www.seis.se) card.
The formal title of ISO 7816 is Integrated Circuit Cards with Electrical Contacts. It is the most widely used and referenced smart card standard. ISO 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with ISO 7816.
ISO 7816 currently has eleven parts. Some have been completed, some have been ammended, others are just in draft stage and one has been abandoned.
Defines the physical dimensions of contact smart cards and their resistance to static electricity, electromagnetic radiation and mechanical stress. It also prescribe the physical location of a IC card's magnetic stripe and embossing area.
Amendment 1 : Maximum height of the IC contact surface
Defines the location, purpose and electrical characteristics of the card's metallic contacts:
Defines the voltage and current requirements for the electrical contacts defined in Part 2 and asynchronous half-duplex character transmission protocol (T=0).
Smart cards that use a proprietary transmission protocol carry the designation, T=14. In practical terms, that means the card is not compatible with ISO 7816. Proprietary protocol is used in German health care cards.
Amendment 1:1992 Protocol type T=1, asynchronous half duplex block transmission protocol.
Amendment 2:1994 Revision of protocol type selection
ISO 7816-4 is an International Standard that establishes a set of commands across all industries to provide access, security and transmission of card data. Within this basic kernel, for example, are commands to read, write and update records.
There is an urban legend often repeated by smart card sales people that ISO 7816-4 is so complex and so poorly written that it is impossible to implement. Strictly compliant implementations of ISO 7816-4 have been created. These claims are intended to excuse lack attention to complying with the standard in the hopes of selling non-standard cards.
http://perso.wanadoo.fr/dgil/scm/iso7816_4.html
Identifiers
Establishes standards for Application Identifiers (AIDs). An AID has two parts. The first is a Registered Application Provider Identifier (RID) of five bytes that is unique to the vendor. The second part is a variable length field of up to 11 bytes called the Proprietary Application Identifier Extension (PIX) that a vendor can use to identify specific applications. Every smart card application builder such as yourself can get a RID.
RIDs are assigned by the Copenhagen Telephone Company Ltd. (KTAS), (aka TeleDanmark) which is also the ISO/IEC 7816-5 Registration Authority, KTAS's address is Teglholmsgade 1, DK-1790, Copenhagen, V, Denmark, but the application has to be approved by your national ISO body. RIDs cost $500.
Matthew Deane (212) 642-4992) at the American National Standards Institute will handle requests for both national and international numbers. Forms for applying for an RID can be found at www.scdk.com. Fax the application back to Matthew Deane at ANSI, (212-840-2298) but make your payment directly to the Registration Authority in Denmark.
If you want to issue a single application smart card then you need an Issuer Identification Number (IIN) which is specified in ISO 7812. For U.S. residents, forms for an IIN are also available through Matthew Deane at ANSI. The cost is $600.
For those in the US, all the relevant registration information for both RIDs and IINs is at http://www.ansi.org/public/register.html
Describes encoding rules for data needed in many applications e.g. name and photograph of owner, his preference of languages etc.
Technical Corrigendum 1: Interindustry Data Elements
Amendement 1: IC manufacturer registration
(SCQL)
Defines how to treat the data on the card as an SQL database.
Adds symmetric and asymmetric key capabilities to Part 4.
Adds commands needed for personalization such as Create File and Delete File as well as search commands to Part 4.
Defines basic communication protocols for synchronous (T=14) smart cards.
A standardized way to keep cryptographic material on a smart card and to access public keys and certificates stored therein.
Part 4 is going through it's every-five-years review and it's looking like it will improve drastically.
Contactless cards are cards that just have to be held near a reader rather than actually inserted into (and thus make contact with the electrical contacts of) a reader. Contactless cards are classified based on how far away from the reader they can be and still be read.
| Close-Coupled Cards |
0mm - |
10mm |
(you touch it against the reader) |
| Proximity Cards |
10mm - |
10cm |
(you hold it up to the reader) |
| Vicinity Cards |
10cm - |
50cm |
(you walk by the reader) |
The releavant standards for these cards are:
ISO/IEC 10536 - Identification cards - Contactless integrated
circuit(s) cards - Close coupled cards
ISO/IEC 14443 Identification cards -- Contactless integrated circuit(s) cards -- Proximity cards. The standard set (parts 1-4) specifies the communication (transmission, anticollision, selection and command exchange) of chipcards in ranges up to 10cm. These standards define protocols type A and B and there are "industry standards" for type C, D and E. For interoperability look for compliance to parts 1-4 and type A and/or B.
ISO/IEC 15693 - Identification cards - Contactless integrated
circuit(s) cards - Vicinity cards
There are also devices into which you can put a contact card which turn it into a contactless card. These devices can project a smart card a considerable distance, up to 10 meters and more. They are used for example for using pre-paid cards with drive-through highway toll booths and drive-through Taco Bells.
Access to the contactless standards is available at: http://wg8.de/sd1.html
Increasingly common are now dual-interface processor cards which do have a contactless interface according to ISO/IEC 14443 parts 1-4 and a normal contactbased interface according to ISO/IEC 7816 parts 1-3. Examples for controllers are the Philips MIFARE ProX (includes NPU) and the Infineon SLE66CL160S.
Official copies of the ISO standards must be purchased from the ISO catalog at www.iso.ch. The ISO is very proud of these standards. A Xerox copy of the most important standard from a software developer's point of view, ISO 7816-4, costs $85.40. The 7-page Xerox copy of ISO 7816-5 costs $31.80. A complete set of ISO 7816 smart card standards costs $436.50 plus shipping and handling. Delivery can take months.
At www.iso.ch standards you can also be downloaded at a cheaper price. ISO/IEC 7816-4: Paper: CHF 136 (ca. 90 EUR), PDF: CHF 44 (ca. 29 EUR) ISO/IEC 7816-5: Paper: CHF 50 (ca. 33 EUR), PDF: CHF 44 (ca. 29 EUR) I'm to lazy to add up the prices of all these PDF standards.
ANSI tacks an additional 35% onto these prices (ISO 7816-4 is $115) but lets you download copies immediately. See http://www.ansi.org/. Under Electronics Standards Store select ISO/IEC JTC.
ISO 7816-1, -2, and -3 dealing with the physical aspects of smart cards can be found in text form at: http://cuba.xs4all.nl/hip/iso7816.txt. Part 4 is at http://cui.unige.ch/~zbinden6/smartcard/iso7816_4.html. A well-written overview of the T= protocols is at http://www.gsm-hacking.dk/papers/iso7816.txt
Yes. The most successful smart card is actually invisible. It is the Subscriber Identity Module (SIM) in GSM mobile telephones. Besides the subscriber's personal cryptographic identity key, the SIM contains other useful information such as the current location of the phone and an address book of frequently called numbers.
Recently this network-connected smart card has been opened up (on a controlled basis) to application programming. The ETSI SMG9 working group wrote the standards for the SIM card. The most relevant standards are for building applications for the SIM are:
GSM 11.11 Digital cellular telecommunications system (Phase 2); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface (GSM 11.11)
GSM 11.14: Specification of the SIM application toolkit for the Subscriber
Identity Module - Mobile Equipment (SIM - ME) interface
ETSI EG 201.220 Integrated Circuits Cards (ICC); ETSI numbering system for telecommunications; Application providers (AID). See Section 3.2.5 above for instructions on obtaining application identifiers for GSM SIM Toolkit Applications.
All are available free of charge from www.etsi.org. It would seem that ETSI actually wants folks to use their standards.
Other mobile telephones besides GSM phones use smart card modules for security, for GSM compatibility and for prepay. The generic name for all these cards including the GSM SIM is UIM for User Identity Module.
The smart card in a WAP phone is called a WIM for Wireless Interface Module. It is described in WAP WIM Wireless Application Protocol Identity Module Specification, available (for free) at www.wapforum.org.
The smart card for a 3GPP (aka UMTS) mobile phone is called the USIM. It is described in 3G TS 21.111 Version 3.0.0, USIM and IC Card Requirements, available (for free) at http://www.3gpp.org/specs/specs.htm.
The smart card for a 3GPP Project 2 (3GPP2) mobile phone is called the R-UIM or UIM depending on whether or not it is removeable. The R-UIM is described in a specification issued by the 3rd Generation Partnership Project 2 entitled Removable User Identity Module (R-UIM) for Spread Spectrum Systems (3GPP2 C.S0023) of December 9, 1999, It is available (for free) from http://3gpp2.org/tsg_c.html#doc.
The smart card for a CDMA mobile phone is just called a smart card. It is described in CDMA Development Group Document #43, Smart Card Stage I Description, Version 1.1, May 22, 1996, and can be ordered at http://www.cdg.org/tech/tech_ref.html and costs $25.
In late 1999 representatives of the various TDMA mobile phone systems got together and decided to start a project to come up with a common subscriber identity module. Since the GSM specification was the most mature, it was taken as the starting point. ETSI shut down SMG9 and transferred all of its documents and responsibilities to 3GPP Work Group T3 which is now responsible for the common core SIM in all 3GPP phones including GSM phones. T3's documents can be found at:
http://www.3gpp.org/ftp/TSG_T/WG3_USIM/
Each TDMA technology can still put their own extensions on the 3GPP core depending on the particular needs of the technology.
Some but not all CDMA phones use a smart card for network access authentication. In these phones the SIM is called the R-UIM which stands for Removable User Identity Module. The CDMA folks think of their handsets as being secure platforms and they think of the SIM as a kind of industrial-strength floppy disk ... a removable media. 3GPP2 R-UIM specs are available at:
http://www.3gpp2.org/Public_html/specs/#tsgc
An effort has also been launched to define a common core for the identity module used in all communications applications. This module is called the Universal Integrated Circuit Card (UICC). It would include for example all mobile phones (not just TDMA phones), settop boxes, internet TVs, wireless SCADA, and so forth. The thrust of this project is to define a framework for smart cards that contain identity support for all of these applications simultaneously. After all it's always you whether you are talking on the phone or transmitting your blood sugar readings.
ETSI was given initial responsibility for this project and since it rose
from the ashes of SMG9 it was originally called "The New SMG9". One of its
first official acts was to give itself more compelling name, hence Smart Card
Platform (SCP). All communication organizations are represented in this new
group or at least have been invited to participate. In an effort to gain as
wide a consensus as possible it has thrown its Web site open to all at:
You can tell from the name that the SCP folks imagine that the results of their efforts might have applicability outside communication.
It becomes a bit challenging to keep track of documents coming out of these three groups. Here's a start.
| Description |
GSM |
3GPP |
SCP |
|---|---|---|---|
| USIM and IC Card Requirements |
|
21.111 |
|
| USIM/SIM Application Toolkit (USAT/SAT) |
02.19 |
22.038 |
|
| Physical and Logical Characteristics |
11.11 |
31.101 |
102.221 |
| Administrative Commands |
|
|
102.222 |
| Test Specifications |
|
|
102.230 |
| Characteristics of the USIM Application |
11.14 |
31.102 |
|
| USIM Application Toolkit (USAT) |
|
31.111 |
102.223 |
| Security Mechanisms for the SAT-Stage 1 |
02.48 |
|
|
| Security Mechanisms for the SAT-Stage 2 |
03.48 |
33.102 |
|
| Numbering System for Card Applications |
|
31.110 |
|
| SIM API for Java Card |
03.19 |
|
|
Here are the core standards that define the Smart Card Platform:
GSM 02.17 - Subscriber Identity Module (SIM); Functional Characteristics
GSM 02.48 - Secuity Mechanisms for the SIM Application Toolkit; Stage 1
GSM 03.19 - GSM API for SIM toolkit; Stage 2
GSM 03.48 - Security Mechanisms for SIM Toolkit Application; Stage 2
3GPP 21.111 - USIM and IC Card Requirements
3GPP 22.038 - SIM Application Toolkit (SAT); Stage 1
3GPP 22.112 - USIM Toolkit Interpreter; Stage 1
3GPP 31.102 - Characteristics of the USIM Application
3GPP 31.111 - USIM Application Toolkit (USAT)
3GPP 31.113 - USAT Interpreter Byte Codes
3GPP 31.131 - C API for the USIM Application Toolkit
3GPP 34.131 - Test Specification for the C SIM API
SCP 102.223 - Smart Cards; Card Application Toolkit (CAT)
SCO 102.225 - Secured packet structure for UICC applications
SCP 102.226 - Remote APDU Structure for UICC based Applications
SCP 102.240 - UICC Application Programming Interface
All of them are available free at
http://www.3gpp.org/ftp/Specs/
for the GSM and 3GPP documents and
http://docbox.etsi.org/tech-org/scp/Document/scp/
for the SCP documents.
Yes.
The IETF is becoming a forum for discussion of smart card standards at least as they pertain to smart cards being nodes on the Internet. See, for example, the Internet Draft "IP and ARP over ISO 7816-3" at http://search.ietf.org/internet-drafts/draft-guthery-ip7816-00.txt
The B10 workgroup of NCITS (it used to be ANSI) is the US representative to the ISO. They work on a number of existing and emerging standards One of the most interesting ones is a smart card driver's license. The current draft is at http://www.aamva.org/standards/index.asp.
In addition to standards formulated by recognized standards bodies, there are a number of specifications created by companies, industrial consortia and ad hoc users groups. These specifications are typically guided as much by marketing agendas as by technical necessity or utility. Membership rules vary from organization to organization but are usually constructed to be functionally equivalent to invitation only; i.e. the market wannabes trying to gang up on the market leader.
Europay, MasterCard and Visa formed working group to create their Integrated Circuit Card Specifications for Payment Systems, commonly called "EMV'96" or just "EMV" (http://www.emvco.com/). The specification was intended to create common technical basis to compete with the Mondex specifications. Everybody of course when ahead and implemented their own version of EMV cards (UKIS - UK Bank EMV, VSDC- Visa EMV. MCHIP - MasterCard EMV).
Europay as also lead the defintion of a standard electronic cash purse called CEPS for Common Electronic Purse Specifications. The specification costs EUR 94 and is available at www.europay.com. Like EMV, each of the card associations are implementing their own version of CEPS. Check out CEPS specs at http://www.cepsco.com/
An old version of the GeldKarte specification is available at ftp://ftp.ccc.de/pub/docs/geldkarte.pdf for free. The latest version is available from Bank-Verlag Koeln, Melatenguertel 113, D-50825 Koeln, Germany. Phone +49-0221-5490-0. Fax +49-0221-543498. (www.bank-verlag.de) It costs DM400 and there is an NDA to execute.
Microsoft heads a group of smart card manufacturers to produce a specification for the use of smart cards on personal computers and workstations called PC/SC for Personal Computer/Smart Card (http://www.pcscworkgroup.com).
The SET (Secure Electronic Transactions) at http://www.setco.org/ and C-SET (Card Secured Electronic Transactions) at http://www.europayfrance.fr/fr/commerce/secur.htm specifications include descriptions of the smart cards they use to perform SET transactions.
RSA (www.rsa.com) has published an file hierarchy and data description for accessing PKI certificates and associated information on cryptographic tokens including smart cards. It is called PKCS #15 and entitled "Crytographic Token Information Syntax Standard". Unfortunately since it is not a card-edge specification it does not advance the cause of interoperable PKI tokens.
Visa is very active in the smart card area and has published specifications for Visa Cash, the Visa Integrated Circuit Card (www.visa.com/cgi-bin/vee/nt/chip/visdownload.html) and the Visa Open Platform (www.visa.com/nt/suppliers/open/main.html).
GlobalPlatform (www.globalplatform.org) is a consortium organized by Visa which is drawing up a specification based on Visa Open Platform (US Patent 6,005,942) for loading applications on and deleting applications from multi-application smart cards.
MasterCard has formed the Global Mobile Commerce Team (not to be confused with the Globle Mobile Commerce Forum) and the Chip Vendor Services Program (CVSP).
The Java Card Forum (www.javacardforum.org) and JavaSoft (www.javasoft.com) maintain specifications for the Java Card.
The OpenCard Framework (www.opencard.org) is a way to access smart cards from the Java programming language.
The Small Terminal Interoperability Platform consortium (www.stipgroup.org) is doing this too.
The Radicchio (www.radicchio.org), Global Mobile Commerce Forum (global.mobilecommerce.com), are studying the use of PKI smart cards on wireless networks.
The Mobile Electronic Signature Consortium (www.esign-consortium.org) is based on Brokat's digital signature patent WO09922486A1 of 5/6/1999 entitled "METHOD FOR DIGITAL SIGNING OF A MESSAGE" and is writing a specification based on this patent for wireless e-commerce.
The PKI Forum (pkiforum.org) is also writing specifications for digital signatures.
MasterCard is also starting coalition to draft U.S. digital ID procedures for issuing, revoking and establishing digital user identifications. The coalition includes ACI Worldwide, Gemplus, Bull Smart Cards & Terminals Giesecke & Devrient; Schlumberger and Unisys.
The Mobey Forum (www.mobey.org) is a collection of banks, handset manufacturers and smart card manufacturers that are trying snatch the mobile trust high ground away from the telecoms. In a refreshing display of candor, they have explicitly locked the telcoms out of their organization.
The ETSI Technical Committee Security (sic) has also weighed in with a standard for the format of PKI certificates, ES 201 733.
The World Airline Entertainment Association has put out a fascinating specification for the use of smart cards by passengers in airplanes: http://www.waea.org/tech/techspecs/smartcards.htm. It's free.
The International Air Transport Association sells a specification for smart cards in travel and entertainment cards for $200 at http://www.iata.org.
The SIMalliance (www.simalliance.org) is writing specifications for a suite of protocols to connect GSM SIM cards to the Internet. It is a closed group consisting of five smart card manufacturers. The proposal is to hack up the WAP protocols which are themselves a hack up of the standard Internet protocols. A TCP/IP stack with a real Web server can be put on a SIM card so you have to wonder we why need a new, homegrown bunch of protocols.
Across Wireless (www.AcrossWireless.com) makes the specifications for its micro-browser available to everyone. Contact Anders Sellin (Anders.sellin@AcrossWireless.com).
The Smart Card Constituency working under the banner of eEurope (http://europa.eu.int/comm/information_society/eeurope/index_en.htm) is proposing to write yet another set of smart card interoperability specifications that everybody can ignore. They have published a list of 17 items for action and set up a bunch of task forces and work packages. Contact Jan van Arkel <arkel@ecp.nl> for details.
The Card Application Management System Consortium consists of just Visa and MasterCard. The relationship of this effort to Visa's Open Platform effort and the work of the Global Open Platform would break a pencil at any PR agency.
Eurosmart (www.eurosmart.com) is kind of a retirement project for the first generation of smart card experts who know much but say little at least publically.
Israel has a standard concerning the use of Hebrew for textual data in smart cards. It is available (in English) at http://www.qsm.co.il/Hebrew/si4424e.htm
E-Europe is kind of a European governmental trade association. There is a smart card project inside E-Europe that has generated a number of white papers that are good smart card tutorials and talk a lot about smart card applications, real ones and possibilities. Check out ... http://www.eeurope-smartcards.org/B2-Index.htm
There is an ongoing debate as to who invented the smart card and who got the first smart card patent. Some claim the card was invented in America and some claim it was invented in Germany.
Jules Ellinboe, an American working for TRW, applied for a patent on an "Active Element Card" on October 27, 1967. The was patent, US 3,637,994, was granted on January 25, 1972.
Two German engineers, Jurgen Dethloff and Helmut Grottrupp essentially working in their garage are regarded to be the inventors of the smart card in Europe. They announced their invention in 1967 and filed for a German patent (DE 19 45 777 C2, "Identifikanden/Identifikationsschalter) in February of 1969. Amazingly this patent wasn't granted until 1982. On August 8, 1978, Dethloff was granted US patent 4,105,156, "Identification system safeguarded against misuse".
Kunitaka Arimura of the Arimura Technology Institute in Japan filed for a Japanese patent in March of 1970. In May of 1971, Paul Castrucci of IBM filed for an American patent entitled simply "Information Card". The patent, US 3,702,464, was issued on November 7, 1972.
Between 1974 and 1979 a French journalist, Roland Moreno, filed 47 smart card related patents in 11 countries and founded the French company Innovatron to license these patents. US 3,971,916, "Methods of data storage and data storage systems" is a foundational US filing. The square-on-top-of-a-stick or two-piece flag that you see printed on some smart cards is the trademark of an Innovatron license.
Bull under the leadership of Michel Ugon has also historically been very active in patenting smart card technology, filing over 1,200 patents starting in 1977. Bull claims that all smart cards use their SPOM (Self-Programmable One-Chip Microcomputer) technology. US 4,404,464, "Method and apparatus for electrically connecting a removable article, in particular a portable electronic card" issued September 13, 1983, is a key Bull patent. The tiny circular smart card contact that you see printed on some smart cards is the trademark of a Bull license.
Many of the original smart card patents have expired. Some pundits have opined that the vigorous enforcement of these patents has inhibited smart card use and that their expiration will open up the smart card market. About the only thing that has happened so far however is that Bull CP8 died when it was taken off royalty payment life support.
A surprising number of entities, not historically associated with the smart card industry, are applying for and getting smart card patents these days. Some smart card software and business process patents applied for or issued in the last 12 months of interest at least to the editor are:
WO03003772A2: METHOD FOR REMOTE LOADING OF AN ENCRYPTION KEY IN A TELECOMMUNICATION NETWORK STATION, Gemplus (Hu, Fan, Zhao), January 9, 2003.
US6502748: SYSTEM FOR CARD TO CARD TRANSFER OF SECURE DATA, SunSystem for card to card transfer of secure data. (Berg, Nelson) January 7, 2003.
WO0223472A1: MULTIPORT CARD, Nanagracard (Hill), March 21, 2002.
Smart cards and smart card readers can be subjected to various national information technology security evaluations and certifications. In the past this was ITSEC in Europe, TCSEC in the US and ITSET in Canada. The shortcoming of these evaluation schemes was that one didn't know what had been evaluated and thus had no basis on which to judge the utility of the evaluation to one's application context.
Only one smart card has received the higest possible ITSEC certification, the Multos card, which has been certified at the E6 High level.
These diverse evaluation criteria and protocols are slowly being harmonized and homogenized into a world-wide standard called the Common Criteria. http://csrc.nist.gov/cc/linklist.htm lists the Common Criteria Web sites of the countries actively involved in this effort.
A property of Common Criteria testing is that the tests performed are public. The tests are called protection profiles. A number protection profiles have been proposed for smart cards:
Smartcard Integrated Circuit, PP/9806, Version 2.0, September 1998.
Intersector Electronic Purse and Purchase Device, PP/9808, Version 1.2, February 1999.
Smart Card Integrated Circuit with Embedded Software, PP/9809, Version 1.0, Issue October 1998.
Smartcard Embedded Software, PP/9810, Version 1.0, November, 1998.
Smart Card Integrated Circuit with Embedded Software, PP/9811, Version 2.0, Issue June 1999.
PP/9806, PP/9908, PP9909 and PP/9811 are available at -http://www.eurosmart.com/download.
Large card issuers have also published their security evaluation and certification criteria. Visa's, for example, can be found at
For complete information on the Common Criteria approach and the Smart Card Security Users Group (SCSUG) check out
Common Criteria is also known as ISO 15408.
The ISO is finally starting to standardize the tests used to validate claims about 7816 conformance. The first such is ISO FCD 10373-3 which is specification of the test methods for ISO 7816-3.
Four chips have received Common Criteria certification:
The following organizations do smart card testing and certification and/or
sell testing tools:
The following four have been certified as Common Criteria laboratories by the US NSA and NIST agencies:
Computer Sciences Corp. (Hanover, Md.);
CygnaCom Solutions (McLean, Va.);
Science Applications International Corp. (Columbia, Md.)
TuViT Inc. (Austin, Texas).
Besides the general-purpose FIPS 140 cryptographic token certification
there are two Common Criteria protection profiles specifically
for US government smart cards:
There is also a strong initiative achieve interoperability between smart cards used by the US government. See the patent application:
WO02073337A2: SYSTEMS AND METHODS FOR PROVIDING SMART CARD INTEROPERABILITY
and "Government Smart Card Interoperabilty Specification" available at csrc.nist.gov/smartcard/GSCISV2-0.pdf.
To build your own smart card you can either work with a full-service smart card manufacturer who has the know-how and equipment to take your software and return finished cards. Or you can work directly with a chip manufacturer to produce smart card chips or modules which contain your software and then work with an embedder to put your module into a card.
Chip manufacturers include include Advanced Logic, Atmel, Dallas Semiconductor, Hitachi, Infineon, Inside Technologies, Microchip, NEC, Philips, Samsung, STMicroelectronics, Texas Instruments, Toshiba and Xicor.
Embedders include Micromodular Data Solutions, Integrated Card Technology, ACG, and NBS.
Of course if you're really into doing it yourself and the folks downstairs don't mind a little noise, you can make your own smart cards: Muehlbauer (http://www.muehlbauer.de), Meinen, Ziegel & Co. (http://www.meinen-ziegel.com).
STMicroelectronics publishes a nice set of data sheets on their chips. Look under Smartcard ICs on http://www.st.com.
Good articles on the various physical attacks that are mounted
on smart cards can be found at the following two sites:
A smart card operating system is a type of embedded operating system. There are many of them for the same reasons that there are many embedded and real-time operating systems. It is not certain that there will ever be a DOS for smart cards although many companies continue to pursue this vision.
Historically smart card operating systems have been bundled with smart card hardware so it was difficult to buy a smart card chip and an operating system independently. It was even harder to license a smart card operating system that you could customize and put on your own chip. This situation is changing slowly.
Open Source Projects
There are a couple open source smart card operating system efforts
underway. One, Gnu Card O/S (gcos), was lead by Christian
Kahlo (C.Kahlo@intershop.de) but has been shutdown. The obituary is
at www.gcos.de. There is also an open source smart card
operating system project going on at the University of Michigan
(www.citi.umich.edu). Contact Jim Rees (rees@umich.edu).
There is also a smart card communications project going
on at the University of Cape Town:
http://www.cs.uct.ac.za/Research/DNA/SOCS/projectpage.html
Simple Operating System for Smartcard Education (SOSSE) is a smart card operating system for Atmel processors. It move sooner or later to www.opensc.org/sosse/. Currently at www.mbsks.franken.de/sosse/.
http://www.franken.de/users/mbsks/sosse/index.html
www.gcos.de
Development Kits and Emulators
A number of embedded software tool companies are spotting
an opportunity for growth by including smart cards in their
offerings. Most of these are as expected chip specific.
You'll need ...
- a C compiler for the chip
- a workstation-based chip simulator to do first level debugging
- an in-circuit emulator (ICE) that contains the real chip in a electronic debugging harness and let's you single step your program and examine memory
- developer cards with a ROM loader that contain the chip you're working with so you can alpha and beta test your program
Blank Cards, White Cards and Soft Masks
These cards let you download executable code directly to the
EEPROM memory of the smart card chip. They contain a small
loader in ROM which loads Motorola S-records or Intel extended
hex records or some other industry standard binary core image
representation. After you finish downloading, you flip a bit
that tells the chip to execute your program rather than the ROM
loader the next time it is reset. Clearly these are the most
flexible cards you can use from an application developer's point
of view. They are also the hardest to get hold of. There is
much heavy breathing about security considerations regarding
blank cards but in fact there is nothing you can do with a blank
card that you can't do with a Java Card or a Windows card so
the heavy breathing really all about market control not security.
Atmel sells a development kit for building your own smart cards from scratch using flash memory AVR chips
A particularly interesting development in the blank card area are the PIC cards being offered by MDS. See also the discussion of creating your own mask in the smart card operating section above.
Multisat (http://www.multisat.de/) makes some nice programmer tools for those building their own smart cards.
Finim (http://www.electronic-devices.com/ and http://www.finimusa.com) also makes some useful smart card development tools including serial port paddle boards.
Cards and Loggers
Some work as been done in research settings on the specification of smart card operating systems and their components. For example ...
http://citeseer.nj.nec.com/glaser96structuring.html
http://citeseer.nj.nec.com/44724.html
http://citeseer.nj.nec.com/hartel94towards.html
http://www.research.microsoft.com/scripts/pubs/view.asp?TR_ID=MSR-TR-99-07
Paul C. Clark and Lance J. Hoffman, "Bits: A Smartcard Protected Operating System", Communications of the ACM, pp. 66 - 94, November 1994 Vol 37 Number 11.
Naccache, David and David M'Raïhi. 1996. Cryptographic Smart Cards. IEEE Micro 6:14, 16-19, 21 - 24.
The following smart card operating systems can be licensed independently and customized to a greater or lesser extent.
Procos( Protekila Smart Card Operating System)
Protekila
Husrev Gerede Cd. No 112 D 6
Tesvikiye 80200
Istanbul Turkey
TELEPHONE: +90 212 2610163
FAX: +90 212 2610494
E-MAIL: info@protekila.com.tr
SuperTech STCOS
Address: Yinhua Building 16th Floor
Wuyi Middle Road
Changsha, Hunan 410011
China
Phone : (86)731-445-3191 (86)©731-445-6556
Fax : (86)731-445-6319
Email : stsinfo@public.cs.hn.cn
E-mail : supertec@public.cs.hn.cn
Phone : (86)731-445-3191 (86)731-445-6556
Fax : (86)731-445-6319
Web Site : http://www.supertech.com.cn
Flash COS and Logos SIM iMP
Logos SmartCard
Sorgenfrivej 18
DK-2800 Kgs.Lyngby
Denmark
Mr. Mads Pii or
Mr. Hans Peter Riggelsen
Voice: (+45) 70 25 02 66
FAX: (+45) 70 25 02 67
sales@logossmartcard.com
Also at http://www.acg.de
STS-COS
SuperTech Systems, Inc.
2425N. Central Expressway
Richardson, Texas 75080, USA
Tel: +1 (972)231-2037
FAX: +1 (972)231-2041
E-mail: stsinfo@supertechsystems.com
http://supertechsystems.com/products/COS.htm
AMOS-SC and AMOS-SIM
American Microdevice Manufacturing, Inc.
1830-A Bering Drive
San Jose, CA 95112-4226
California, USA
Voice: +1 (408) 573-7070
FAX: +1 (408) 573-7607
On-Track S2COS-5
Z.H.R. Industrial Zone
P.O.Box 32
Rosh Pina
12000 Israel
Tel: +972-6-6938884
Fax: +972-6-6938887
mailto:e-mail:ontrack@oti.co.il
Exceldata
http://www.exceldata.es
M.MAR ISO - ISO 7816 Card
M.MAR GSM - GSM SIM Card
M.MAR J+ - GSM SIM with J+ virtual machine
M.MAR CEN/WG.10 - CEN e-purse card
MioCOS
Peter Öhman
Miotec Oy
Kamreerintie 6
FIN-02770 ESPOO, FINLAND
Tel (+358) 9 8045 3094
FAX (+358) 9 859 4041
GSM (+358) 40 547 4905
peter.ohman@miotec.fi
www.miotec.fi
IBM MFC
Michael Schilling
Project Manager Smart Card Projects
schilling@de.ibm.com
IBM Java Card Operating System
Peter Buhler
bup@zurich.ibm.com
Gator and SCOS
Amazing Smart Card Technologies
1615 Wyatt Drive
Santa Clara, CA 95054
U.S.A.
Voice: +1 408 566 0300
FAX: +1 408 748 7724
Email: sales@amazingtechnologies.com
Smart Card for Windows
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
U.S.A.
Contact: Mike Dusche
mdusche@microsoft.com
SCOS
Techtronics Ltd
Katesbridge
Thurlby
Bourne
Lincolnshire PE10 0EN
UK
Voice: +44 1778 562920
FAX: +44 1778 561174
Email: sales@techtronics.com
SCOS
Personal Cipher Card Corporation (PC3)
3211 Bonnybrook Dr.
North Lakeland, FL 33811
Voice: +1 941 644 5026
FAX: +1 941 644 1933
Contact: Kip Wheeler
Also available from
Micromodular Data Solutions
1582 Norman Avenue
Santa Clara CA 95054 USA
Voice: +1 408-986-9000
FAX: +1 408-986-9829
sales@micromodular.com
DVK1
SoftChip Technologies Ltd.
38 Nerot Shabbat St.
P.O. Box 23411
Jerusalem 91233
Israel
Voice: +972 2 5864086
FAX: +972 2 5864008
Contact: Eitan Mizrotsky
eitan@softchip.com
Blue
eCash Technologies
Bothell, WA
David Watson
david.watson@ecashtechnologies.com
OSSCA
Keycorp Limited
Level 9
67 Albert Avenue
Chatswood NSW 2067
Australia
Voice: +61 2 9414 5297
FAX: +61 2 9415 1363
http://www.keycorp.net
DKCCOS
Datakey
407 West Travelers Trail
Burnsville, MN 55337
Voice: 612-890-6850
FAX: 612-890-2726
http://www.datakey.com
Secure Java O/S
David Samyde, quadra@worldnet.fr
Gilles Dumortier, dgil@ieee.org
http://perso.wanadoo.fr/dgil/jaya/index.htm
Siemens CardOS M3 and M4
Werner Braun
werner.braun@nbg.siemens.de
Information and Communication Group,
Smart Cards and Security
Otto-Hahn-Ring 6
D-81730 Munich
Germany
FAX: +49 (0)89 636 46400
http://www.siemens.com/sbs/en/offerings/services/SmartCard/Products/cardos_m4.html
WebKomputing
649 S Main St.
Milpitas, CA 95035
Phone: +1 408-262-8638
http://www.webkomputing.com
Hive Minded, Inc.
2110A Vine Street,
Berkeley, California, 94709
USA
info@hiveminded.com
http://www.hiveminded.com
Simple Operating System for Smartcard Education
http://www.franken.de/users/mbsks/sosse/index.html
If you license one of these operating systems or write your own the next step is getting it onto a smart card. Most of the chip manufacturers can supply "blank" cards that contain a simple loader in ROM which will load your O/S into EEPROM and run it from there. Unfortunately you may have to commit to very large orders and pledge your first born child in order to get these loader cards. The old economy smart card manufacturers could also provide this service but they won't because they want to sell you cards containing their operating systems.
There are a growning number of firms that are setting about
to serve the exploding demand for low-volume batches of custom
smart cards. Here are some to check out:
The GNU folks have a program for managing passwords on
smart cards.
Smart cards for developers come in four forms:
Off-the-Shelf Programmable Cards
Programmable cards such as the Multos card, Microsoft's Smart Card for
Windows, Zeitcontrol's Basic Card and the many Java Cards offer the
developer maximum flexibility at the cost of some performance. With these
cards you can download a program to the card that implements the
commands that you want your application to use to access the card.
In other words, you control both the host side and the card side.
All of these cards run a virtual machine on the card which interprets
the downloaded code.
EVerybody and his dog are putting out Java Cards these days. In spite of the "Write-Once-Run-Everywhere" hype, there is no binary compatibility between them. To move an applet from one card to another you have to have the source code and recompile it. What's worse is that there is not even source compatibility between the various versions of the Java Card specifications.
There is a vast speed difference between competing implementations of the
Java Card Virtual Machine. The IBM JVM called JCOP is fastest EEPROM
implementation. It is roughly five (5) times faster than the other
EEPROM implementations. The Fujitsu implementation is even faster than
JCOP due in no small part to the use of FRAM rather than EEPROM memory.
Motorola fielded a 32-bit smart card with a 32-big Java Card implementation but it's gone.
IBM has put up a good Web resource on Java Card at http://www.zurich.ibm.com/csc/infosec/smartcard.html.
In general it is difficult to compile non-Java languages to a Java virtual machine. Thus, if you use a Java card you are stuck with using the Java programming language. Bug or feature, your choice.
Two programmable card designers have taken a different approach which is to
provide a language-independent virtual machine on the card and let the
programmer write in any one of a number of languages and then compile this
language to the virtual machine.
The ZeitControl (www.zeitcontrol.de) Basic card sports a language-independent
virtual machine but only a Basic compiler is available for it. The ZeitControl
SDK is is available from
Hiveminded (www.hiveminded.com) has announced a smart card based on Microsoft-designed and ECMA-standardized .NET architecture. Smartcard.NET supports multiple programming languages.
Off-the-Shelf Non-Programmable Cards
Off-the-shelf non-programmable cards are "classic" smart cards
with fixed command sets. You can send commands to these cards through
the smart card reader API or through the PC/SC or OpenCard APIs. If you
go this route be sure to get the detailed technical documentation
for the card including a bit-level description of each command
the card supports, the files and the file system, the access controls
on the files, and any keys you need to unlock the card.
Schlumberger makes the full documentation for their multi-purpose card, Multiflex, and their cryptographi card, Cryptoflex, available for free on-line at http://cardstore.slb.com; click down to the individual card descriptions to find the docs.
Application-Specific Packages
Application-specific, ready-to-go packages expensive and they may only work
with certain cards but if you only have one thing to do they can get
on the air very quickly. Examples of application-specific packages:
Tools and Libraries
Freeware Smart Card Tools and Libraries
Other Smart Card Tools and Libraries
Card-Lab has created a combined simulator/emulator for Multos, Check it out at www.card-lab.com.
Smart card readers used to come with their own homegrown APIs and not look like other peripheral devices in the computing environment. A group of companies got together to create a specification for treating smart card readers as standard peripherals. This specification is called Personal Computer/Smart Card or PC/SC for short. The PC/SC specification has been implemented on Windows and Linux. The multi-part specification can be obtained at http://www.pcscworkgroup.com.
The list of PC/SC readers that work with Windows can be found at:
under Smart Card Readers.
Linux PC/SC implementations for many smart card readers can be found at
Smart card reader manufacturers that sell readers in small quantities
include:
Maxking even provides schematics for you to build your own smart card reader.
Here's a high-end reader that is connected with its own Cryptographic Service Provider:
http://www.wave.com/technology/csp.html
Here are some schematics for building your own reader:
http://www.technick.net/index.php?load_page=http%3A//www.technick.net/cir_smartcardemu.php
There are a growing number of portable or handheld readers.
Most of them can double as a serial port reader on your PC.
Almost all readers are micro-processor based and contain an internal API of some sort. Smart card reader manufacturers have been slow to surface these APIs to allow smart card developers to build their own application-specific functionality into the readers. A delightful exception is Traditor in Finland which makes a nice line of smart card readers with SDKs. Contact Antti Saksa at aes@traditor.fi. The Spyrus Rosetta PAR 2 (Personal Access Reader) (www.spyrus.com) has a programmable API and program loading features.
There is a German standard for smart card readers called the Card Terminal Application Programming Interface (CT-API). There is an English version of the specificaiton at http://www.microdatec.de/download/ctapi11e.pdf
The Small Terminal Interoperability Platform consortium is trying to standardize smart card terminals. The latest version of their specification is available at their Web site (http://www.stipgroup.org/). Rarely does one see so much code do so little.
Europay International (http://www.europay.com) has also put together a specification for terminals called the Open Terminal Architecture (OTA). OTA includes a Forth virtual machine. The OTA VM is a derivative of the FORTH VM designed by MicroProcessor Engineering (www.mpeltd.demon.co.uk) for the SENDIT Esprit project. The VM uses a two-stack architecture derived from Forth, and extended to be language neutral so that code can be compiled from languages other than Forth. C is in fact used more than Forth. Europay has submitted this specification for ISO standardization.
Bull is pushing an Electronic Funds Transfer Point Of Sale (EFT-POS) terminal based on Sun's K virtual machine (which should not be confused with a virtual machine for the K programming language found at http://www.kx.com).
Point of Sale (POS) terminals have a lot in common with smart
card readers. Check out:
A number of efforts are underway to improve the speed of communication between the smart card and the terminal. Most of these use the two spare contacts on the module interface. The USB protocol is a popular candidate and it is in the process of being standardized through the ISO process.
There are a number of software tools available for working with smart cards (even setting aside all the DSS hacking tools which we won't cover).
SmartX by ThinkPulse (http://www.thinkpulse.com) is XML script that makes one smart card look like another or like a fantasy smart card such as one that abides by the ISO standards.
The Smart Card Explorer by Smart Dynamics (http://www.smartdynamics.com/) lets you configure smart card file systems. It works with a number of different cards and card readers and includes a scripting language that lets you add your own. Unfortunately, it doesn't run on top of PC/SC.
Smart Toolz (http://www.smarttoolz.com/) provides software and APIs that work with CardLogix smart cards. CardLogix (www.cardlogix.com) also provides software that supports these cards. The Smart Toolz and CardLogix packages also support CardLogix's memory cards.
Netissmo (http://www.netissimo.com) is a smart card SDK for Internet applications.
PocketServer (http://www.pocketserver.com) is a smart card and smart card SDK for personal information and transaction processing.
One of the best books on smart card hardware is the Smart Card Handbook by Wolfgang Rankl and Wolfgang Effing. The first author has made available a freeware smart card simulator written in Visual Basic. http://www.geocities.com/SiliconValley/Foothills/4710/tscs.html.
IFDTEST is a program that was built to exercise a card reader and check it for PC/SC compliance. It is also a very handy low-level, command-line card editor. You can download it form http://www.microsoft.com/hwtest/device/smartcard.asp.
THe list of all the readers that are PC/SC compliant is at http://www.microsoft.com/hcl/
Perhaps the most revolutionary event in the history of smart cards over the last 25 years is the recent emergence of programmable smart cards. Rather than freezing the program that runs in the smart card in read-only memory at the time the card is manufactured, programmable smart cards let you add executable code to the smart card at any time in its lifetime. The primary intended use of programmable smart cards is to create multi-application smart cards on which applications can be added and deleted at will. Thus you might decide to get rid of the Koffee Klub Frequent Drinker program and add the Budapest Transport System ticket program.
There are a number of programmable smart cards on the market. Some can be programmed in high-level languages, some can be programmed in virtual assembly language and some can only be programmed in the assembly language of the chip on the smart card.
The Basic Card from Zeitcontrol (www.basiccard.com) can be programmed in Basic. Zeitcontrol has done a excellent job of integrating the development of the program on the smart card with the development of the program on the host or terminal that is using it. The Basic Card is available directly from Zeitcontrol and from Versatile Card Technologies in the US.
The MULTOS (www.multos.com) smart card is a smart card defined by MAOSCO, a spin-off of MONDEX and MasterCard. The MULTOS card can be programmed in C, Java, Basic and MEL (MAOS Executable Language), which is the assembly language for the virtual machine on the card.
Keycorp (www.keycorp.com.au) once marketed a smart card called OSSCA (Operating System for Smart Card Applications) which you could program in the Forth language. This may have been the first smart card with a virtual machine.
The HOST operating system from Oberthur (www.oberthurusa.com) is also advertised as supporting the field loading of interpreted applications written in an undefined high-level language.Contact Michael Cariou of Oberthur for details (michael.cariou@Oberthurusa.com).
Both Syprus (www.spyrus.com) and Datakey (www.datakey.com) have cards that let you add programs written in native assembler if you are approved by their respective creators. The operating system on the Spyrus card is called SPYCOS and the operating system on the Data key card is called DKCCOS.
Java Card
A number of card manufacturers have announced smart cards which can be
programmed in Java. Each defines its own Java byte code set so you can't
take an applet off the card of one manufacturer and run it on the card of
another. This problem has been recognized and is starting to change
for the better. The Java Card Forum (www.javacardforum.org) controls
the technical specification of the Java Card. Only Schlumberger sells
its Java Card and Software Development Kit (SDK) on-line:
The other vendors of Java Cards and Java Card SDKs are:
The current version of Java Card is 2.2.
Windows for Smart Cards
The Windows for Smart Card smart card operating system has been licensed by Smart Card Integrators and Sagem. You can obtain cards from them.
Smart Card Integrators (SCI): http://www.sci-s.com
Sagem: http://www.sagem-online.com
.NET Card
Hive Minded (www.hiveminded.com) has created a .NET smart card that sports a language-independent virtual machine a lots of other goodies.
-
The SIM cards in GSM mobile phones (and soon other mobile phones and wireless communication devics) sport an application programming interface called the SIM Application Toolkit or SAT for short.
There are at least ten SIM cards that support SAT.
Eight run applications written in Java:
All of these are separate from the general purpose Java card offered by these vendors. They cost more than the general purpose SDKs and are harder to order.
The Multos SecureSIM SIM Card runs applications written in C, Java or MEL. Information about SecureSIM can be obtained from Derek Ross, derek.ross@mobecom.com.
The interesting thing about the Multos SIM card is that the SIM functionality (11.11 and 11.14) is just an interpreted application written on top of a standard Multos card. This means that the Multos SIM is the most secure of the SIMs since it has an E6 ITSEC rating and the others are unrated. It also means that telecom operators can customize their SIMs without becoming beholden to card manufacturers by simply customizing the SIM application.
Microelectronica offers a SIM card with SAT
as does Miotec
and Setec Oy
Contactless card applications are starting to get some traction
outside the transportation industry. Think of a contactless
card as a secure RFID tag. There are a number of kits on the
market that let you explore contactless card application development:
Smart cards are starting to show up in some new places and none are more interesting (IMHO) than system control and data acquisition applications. Their environental robustness coupled with their tamper-resistance make them perfect places to collect data from or inject sensitive information to autonomous digital systems.
Home medical applications are particularly interesting because of the ease with which self-help patients can manage the cards that are monitoring and controling their treatments. Resptronics (http://www.respironics.com/ and http://www.cpapman.com/respiron.html) has done some very innovative work here with their Encore SmartCard.
We're also starting to see some patents in the area, for example:
Once you start loading to and unloading applications from smart cards after they have been issued, you immediately are confronted with the problem of managing a card population where all the cards are different and which can change their application load daily. This is called the card and application management problem. Many people believe that card and application management is where the trust goes into a card scheme and the money comes out.
The Java Card Forum (www.javacardforum.org) has published an overview paper that describes the problem. It's free. Justin Monk and Judy Henderson have published a report entitled "Implementing a Multi-Application Smart Card Project: A Practical Guide to the Smart Card Project Life Cycle" available at SMi Publishing (http://www.smi-online.co.uk). It costs $775.
There are a number of competing specifications and commercial
systems for doing card and application management. The three
leading specifications are:
Only the MAOSCO specification has been converted to a fielded system. It is in actual use and in fact has been for a number of years. There have been some noises recently that the Visa system (Open Platform) and the MasterCard system (MXI) are going to at least interoperate which means essentially that they will recognize and support each other's cards.
The current version of the Open Platform specification is at http://www.visa.com/nt/suppliers/open/docs.html.
There are a number of commercial systems that have set about to solve
the card and application management problem including
Most of the major smart card manufacturers are also fielding card and application management systems.
Total System Services and DataCard have implemented a version of the Visa GlobalPlatform card management system. Gemplus and IBM have also announced a system. Both are in the press release stage of development.
Some of the vendors run discussion forums or newsgroups to catch
questions about their products and provide answers.
There is a French smart card group at:
Besides alt.technology.smartcards and fr.comp.carte-a-puce, there are other newsgroups
that while not devoted exclusively to smart cards carry information relevant to
smart cards.
There are many smart card resources on the Web and they change so quickly that it would be futile to try to list them all here. There are however a number of people who have built wonderful pages of pointers to smart card resources. Therefore rather than listing the original resources, we just include pointers to these pages of pointers here. Please let the FAQ maintainer (sguthery@mobile-mind.com) know about your favorites.
CardInsight Magazine
http://www.cardinside.com/E_Inhalt_Useful_links.html
Wolfgang Rankl's Smart Card Link Farm
http://www.wrankl.de/links.htm
Peter Gutman's Security Products
http://www.cs.auckland.ac.nz/~pgut001/links/products.html
Crypto Links
http://info.aanekoski.fi/~mpe/suojaus/smart.html
E-Panorama
http://www.epanorama.net/links/smartcards.html
InfoSec on Smart Cards
http://www.infosyssec.org/infosyssec/secsmc1.htm
Peter J. Ognibene's List
http://members.aol.com/pjsmart/page4.htm
University Cards
http://www.mcard.umich.edu/otherLinks.htm
Sesam Vitale Health Card
http://www.sesam-vitale.fr/
Bo Lavare's Smart Card Security Information Page http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
Giovanni Motta's Smart Card Links
http://www.cs.brandeis.edu/~gim/smartcards.html
Peter J. Ognibene Smart Card Development Services http://members.aol.com/pjsmart/index.htm
Tomi Engdahl's Card Technology Technology Page http://www.epanorama.net/links/smartcards.html
University of Michigan MCard Links
http://www.mcard.umich.edu/otherLinks.htm
Smart Card News (under Links)
http://www.smartcard.co.uk
Smart Card Resources on the Web
http://www.dice.ucl.ac.be/crypto/card.html
Smart Card Manufacturers and Services
http://www.smartcard.co.uk/links.html
Smart Card Security Information Page
http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
HIP Smart Card
http://cuba.xs4all.nl/~hip/
General Smart Card Information
http://www.cryptsoft.com/scard/
Smart Card Security News
http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
The Smart Card Cybershow
http://www.cardshow.com/
The Smart Card Club
http://www.smartcardclub.co.uk/
S. Prasad's Page of Pointers
http://home.att.net/~s-prasad/ecsc.htm
Smart Card Central
http://www.smartcardcentral.com/
Smart (U.S.) Government
http://smart.gov
U.S. Campus Cards
http://www.allcampuscard.com/huber/card.htm
Goran Vlaski's Software Page
http://vlaski.virtualave.net/
Maxking
http://www.maxking.demon.co.uk/cardprog1.html
The Story of What Happens To You If You Blow Away the Security-Through-Obscurity Smoke Screen http://www.parodie.com/humpich/home.htm
Leo Van Hove's Master List of E-Purses
http://cfec.vub.ac.be/cfec/purses.htm
Smart Cards On-Line
http://www.smartex.com/
Smart Card Basics
http://www.smartcardbasics.com/links.html
Asia Pacific Smart Card Forum
http://www.smartcardforum.asn.au/index.html
Card Europe (www.cardeurope.demon.co.uk), The Association For Smart Card And Related Industries, 146 Valley Road Rickmansworth Herts WO3 4BP United Kingdom, Voice: +44 1923-897477, FAX: +44 1923-897414. Alan Leibert (alan@cardeurope.demon.co.uk), Director
Smart Card Industry Association (www.scia.org), 191 Clarksville Road Princeton Junction, NJ 08550 USA Voice: +1 609-799-5654 FAX: +1 609-799-7032 Charles Cagliostro (ccagliostro@scia.org).
Smart Card Forum (www.smartcardforum.org). 2000 L Street, NW, Suite 200, Washington, DC 20036 USA Voice: +1 202-530-5306 FAX: +1 202-530-5307 Email: info@smartcardforum.org, Donna Farmer, President & CEO.
Smart Card Alliance (www.smartcardalliance.org). This is a merger of the two above organizations, SCIA and SCF. 26 Broadway, Suite 400, New York, NY 10004, Phone: (212) 837-7713, Fax: (212) 837-7720
ACT Canada (www.actcda.com) 831 Miriam Road, Pickering, Ontario, L1W 1X7 Voice: +1 905-420-3520, FAX: +1 905-420-27297
AIM USA (www.aimusa.org) 634 Alpha Drive Pittsburgh, PA 15238-2802 Voice: +1 412-963-8588 FAX: +1 412-963-8753 Email: adc@aimusa.org, Tomo Razmilovic, Board Chairman
Electronic Funds Transfer Association (www.efta.org) 950 Herndon Parkway, Suite 390 Herndon, VA 22070 Voice: +1 703-435-9800 FAX: +1 703-435-7157 Lisa Eyler, Director of Marketing
EuroSmart (www.eurosmart.com) Mr Lutz Martiny, Rue Montoyer, 47. B-1000 BRUSSELS. Voice: +32 2-506-88-68, Email: info@eurosmart.com,
Federal Smart Card Users Group, Financial Management Services Department of the Treasury, 6449 Gildar Street, Alexandria, VA 22310 Voice: +1 703-971-6339, FAX: +1 703-971-6331 John G. Moore (john.moore@fms.sprint.com), Chairman
International Card Manufacturers Association (www.icma.com) 34-C Washington Road Princeton Junction, NJ 08550 Voice: +1 609-799-4900 FAX: +1 609-799-7032 Justin D'Angelo, President
National Association of Campus Card Users (www.naccu.org) 21 Colony West, Suite. 180, Durham, NC 27705, Voice: +1 919-403-2273 FAX: +1 919-403-1324
Global Chipcard Alliance (www.chipcard.org) 1420 Fifth Avenue, 22nd Floor Suite 2222, Seattle, WA 98101, Seattle, Washington, USA, Voice: 206-613-4430 FAX: 206-613-4431
GlobalPlatform, PO Box 8999, San Francisco, CA 94128-8999, USA, Voice: +1 650-432-4116, FAX: +1 650-432-3980.
IBM Student Chipcard Innovation Team
http://www.iscit.surfnet.nl
Center for Information Technology Integration at the University of Michigan http://www.citi.umich.edu/projects/sinciti/smartcard
Smart Card and Biometrics Group at Purdue University http://www.cerias.purdue.edu/coast/projects/smartcard.html
A schedule of upcoming smart card conferences is maintained by the Smart Card Club (www.smartcardclub.co.uk/conferences.html). Notable are:
European Smart Card Application and Technology - held regularly in the beginning of September.
Cards UK Exhibition & Conference - annual fall conference in London.
CARDIS Primarily academic and research center presentations. No "floor show". Every eighteen months.
Cartes - The annual smart card show in Paris typically at the end of October.
Cards Australia. Annual show down-under.
Asia Card Technology. New but rapidly growing show.
CardTech/SecurTech (www.ctst.com) conferences in the U.S. The proceedings from these shows are useful summarizations of the current state of the market.
Omnicard (www.omnicard.de) The leading German smart card conference.
Mobile Application Development with SMS and the SIM Toolkit by Scott
Guthery and Mary Cronin ... $59.95 at
http://www.amazon.com/exec/obidos/ASIN/0071375406/smartcarddevelopA/
Smart Card Security and Applications by Mike Hendry ... $79 at http://www.amazon.com/exec/obidos/ASIN/1580531563/smartcarddevelopA/
Smart Card Developers Kit (including a CD-ROM and a working smart card) by Scott Guthery and Tim Jurgensen ... $79.95 at http://www.amazon.com/exec/obidos/ASIN/1578700272/smartcarddevelopA/
Smart Card Handbook by Wolfgang Rankl and Wolfgang Effing ... $125.00 at http://www.amazon.com/exec/obidos/ASIN/0471988758/smartcarddevelopA/
Smart Cards by Jose Luis Zoreda and Jose Manuel Oton ... $67.00 at http://www.amazon.com/exec/obidos/ASIN/0890066876/smartdevelopA/
Smart Card Application Develoment Using Java ... $59.95 at http://www.amazon.com/exec/obidos/ASIN/3540658297/smartdevelopA/
Java Card Technology for Smart Cards ... $39.95 at http://www.amazon.com/exec/obidos/ASIN/0201703297/smartdevelopA/
Personal Identification Newsletter (PIN), Warfel & Miller Publishing, 12300 Twinbrook Parkway #300, Rockville, MD, 20852, Voice: +1 301 881-6668 FAX: +1 301-881-2554, Email: Cardsmarts@aol.com
Smart Card Monthly, Mr. Stephan Seidman, Editor & Publisher, P.O. Box 548, Lopez Island, WA 98261, Voice: +1 360-468-3570, FAX: +1 360-468-3571
Smart Cards and Comments, Mr. Jerome Svigals, Publisher, 221 Yarborough Lane, Redwood City, CA 94061, Voice: +1 415-365-5920, FAX: +1 415-363-2198
The Nilson Report, Mr. H. Spencer Nilson , Publisher, P.O. Box 49936 (Barrington Station), Los Angeles, CA 90049, Voice: +1 310-396-0615, FAX: +1 805-983-0792
World Card Technology, Ms. Jane Adams, International Managing Editor, European Office: 42 Phoenix Court, Hawkins Road, Colchester, Essex CO2 8JY, Voice: +44 31-337-3311, FAX: +44 31-337-7739
Smart Card News, PO Box 1383, Rottingdean Brighton, East Sussex BN2 8WX United Kingdom Voice : +44 1273-236677, FAX : +44 1273-624433 Email: scn@pavilion.co.uk
Report on Smart Cards, 1333 H Street NW, Suiote 100-East, Washington, D.C., 20005-4606, Voice: +1 202-842-0520, FAX: +1 202 842-3023, www.tr.com.
Card News, Phillips Business Information, 1201 Seven Locks Road, P.O. Box 60037, Potomac, MD 20859-0037, Voice: +1 301-424-3338, FAX: +1 301-309-3847, Email: clientservices@phillips.com.
Card Technology, http://www.faulknergray.com/
Smart Card Central, http://www.smartcardcentral.com/
These people can provide technical and marketing assistance in specifying, designing, engineering and rolling-out a smart card program.
If you are smart card consultant and would like to be added to this list simply send an e-mail to Scott Guthery (sguthery@mobile-mind.com).
Philip E. Andreae
E-Mail: philip@andreae.com
1505 McCarthy Road
Eagan, MN 55121
Tel/Fax: +1 (651) 493 6771
Mobile: +1 (651) 308 5646
www.andreae.com
David Brich
E-Mail: daveb@hyperion.co.uk
CONSULT HYPERION
Voice: +44 1483 301793
8 Frederick Sanger Road,
Guildford, Surrey, GU2 5YD, UK
Matthias Bruestle
E-Mail: matthias.bruestle@ecore.net
Siegertsbuehl 9
91077 Neunkirchen am Brand
Voice: +49-9134-995521
Fax: +49-9134-995722
Larry Carnes
E-Mail: larry.carnes@prodigy.net
Voice: +1 409 684 1290
P.O. Box 1068
Crystal Beach, TX 77650 USA
Bonar Dickson
E-Mail: bonar@xicom.com.au
Voice: +61 2 6290 0850
FAX: +61 2 6290 0851
Mobile: +61 0408 499 086
Unit 5, Southlands House,
18-28 Mawson Place,
Mawson ACT 2607
Canberra, Australia
Ian Donald
E-Mail: donaldif@iaccess.com.au
Voice: +61 3 9614 2400
FAX: +61 3 9614 2444
Level 2, 517 Flinders Lane
Melbourne Victoria 3000 Canada
Uli Dreifuerst
Open Domain Inc.
E-mail: u3f@opendomain.com
Voice: 925-855-0558
FAX: 925-855-0460
9 Crow Canyon Court Suite 100
San Ramon, CA 94583
USA
Henry Dreifus
Dreifus Associates, Ltd.
E-Mail: info@dreifus.com
Voice: +1 407 862-3398
P.O. Box 915746, Longwood,
FL 32791-5746 USA
Robert Elliott Phd
TekCard Corporation.
Voice 703.530-8144
Fax 703.530-8155
E-Mail Drbob1@gte.net
143 Forrest St
Manassas Park Va. 20111
Scott Guthery
E-Mail: sguthery@rcn.com
Voice: +1 617 964 1798
Mobile: +1 617 290 3963
FAX: +1 617 795 1630
Tim Jurgensen
E-Mail: tmjurgensen@jump.net
Voice: +1 512 452 8090
Mobile: +1 512 965 4806
2720 Mt. Laurel Lane
Austin, TX 78703 USA
Dmitriy Kruglyak
Aquave Group
E-Mail: dkruglyak@aquave.com
Voice: 650-329-0397
Mobile: 650-678-1480
www.aquave.com
METACA Corporation
460 Applewood Crescent,
Concord, Ontario, Canada L4K 4Z3
Tel. (905) 761-8222
Fax. (905) 761-8220
sales@cards.ca
Micro Szience and Athena Five
25 Fell Mead, East Peckham,
Tonbridge, Kent, UK TN12 5EQ
Voice: +44 1622 873 102
Joe Naujokas
E-Mail: JA_Naujokas@compuserve.com
Naujokas & Associates
Peter J. Ognibene
Smart Card Development Services
E-mail: pjsmart@aol.com
Voice: +1-301 434 8572
P.O. Box 3013
Silver Spring, Maryland 20918-3013
U.S.A.
Walter Oney
Consulting and Training
PC/SC drivers a specialty
http://www.oneysoft.com
E-Mail: waltoney@oneysoft.com
Dr. Gerd Pfeiffer
Unternehmensberatung Dr. Gerd Pfeiffer
Hängerweg 2
D-34281 Gudensberg
Germany
Phone: +49 5603 911855
Email: info@cardinsight.de
Jonathan Rosenne
QSM Programming Ltd.
E-Mail: rosenne@qsm.co.il
Voice: + 972 3 561 2015
Mobile: + 972 54 246 522
FAX: + 972 3 561 6049
74 Petah Tiqva Road
P O Box 51298
Tel Aviv 67215
Israel
Jim Russell
Russell Technology Associates
E-Mail: jfrussell1@aol.com
Voice: +1 302 234 3319
675 Montgomery Woods Drive,
Hockessin, DE 19707-9323 USA
Bill Shaw
Westbrook Systems
Email: bshaw@connix.com
Voice: 860-399-5334
176 Dennison Road
Westbrook, CT 06498
Andrew W. Tarbox
Thornebrook Associates, LLC.
E-Mail: andy@thornebrook.com
Voice: +1 518 279 1000
FAX: +1 518 279 9677
Mobile +1 518-441-8810
PO Box 3038 (Center Brunswick)
Troy, New York 12181-3038 USA
Hardy Tichenor
E-Mail: info@hardysoft.com
Voice: +1 415 331 5077
FAX: +1 415 331 5472
44 Edwards Avenue
Sausalito, CA 94965 USA
These people can help you create the graphics to be printed on a smart card and get the card produced.
If you are smart card designer or printer and would like to be added to this list simply send an e-mail to Scott Guthery (sguthery@mobile-mind.com).
Maria Nekam
Smart Card Design
Voice: +1 512 258 0758
Email: nekam@austin.rr.com
eCard Solutions Limited
Attn:Milind Changire
73/1/2 Samarth Nagar
New Sangavi
Pune 411027
INDIA
Tel: +91(20)728-0515
email: changire@yahoo.com
Paul Tripi or Jenny Baird
Data Manufacturing Inc.
Chesterfield, MO
Voice: +1 888 526 2273
http://www.datamfg.com
Micromodular Data Solutions
1582 Norman Avenue
Santa Clara CA 95054 USA
Voice: +1 408 986 9000
FAX: +1 408 986 9829
Email: sales@micromodular.com
http://www.micromodular.com
Smart ID Card, Ltd.
450 N. Causeway Blvd., Suite D
Mandeville, LA 70448
Voice: +1 504 727 4865
FAX: +1 504 727 0133
Email: sales@smartidcard.com
http://www.smartidcard.com
Bantry Technologies
25 Ballsbridge Terrace
Ballsbridge, Dublin 4
Ireland
Tel: +353 1 664 29 30
Fax: +353 1 664 29 33
http://www.bantry-technologies.com
CDN Print Plastic
91 Kelfield St, #6
Toronto, ON Canada
M9W-5A4
Tel: (1) 416.240.7775
Fax: (1) 416.241.0825
http://www.cdnprintplastic.com/index.htm
Dawar Technologies
1020 Ridge Avenue
Pittsburgh, PA 15233
Phone: 800-366-1904
Phone: 412-322-9900
http://www.dawar.com/
Digital Solutions
www.smartcard.bz
Gemplus
http://store.gemplus.com
Net Informatique Services
http://www.nis-infor.com/
Nexsmart Technologies
2102 business Center Dr. Suite 217
Irvine, CA 92612
U.S.A.
Tel: (949) 453-8588
Fax: (949) 453-8587
http://www.nexsmart.com/
Oak-Tech.com
Room 2607
APEC Plaza, 49 Hoi Yuen Road
Kwun Tong, Kowloon
Hong Kong
Phone: + (852) 2771 3898
FAX: + (852) 2771 3399
market@hkaok-tech.com
info@hkoak-tech.com
http://www.hkoak-tech.com
Schlumberger Smart Card Store
http://www.scmegastore.com/
SDLOGIC Technologies, Inc.
545 Thrush Dr.
Big Bear Lake, CA 92315-1403 USA
SDLOGIC Toll-Free Phone - Sales (866) 524-7272
SDLOGIC Toll-Free Phone - Tech Support (866) 584-8697
SDLOGIC Fax - (909) 878-4733
Sales / Dealer Enquiries Email: sales@sdlogic.com
Technical Support Email: techsupport@sdlogic.com
http://www.sdlogic.com/index.asp
Smart Card Integrators
1380 W. Washington Blvd.
Los Angeles, CA 90007
+1 213 743 9181
info@sci-s.com
http://www.sci-s.com
Smart Dynamics
3601 Wilson Blvd.
Suite 500
Arlington, VA 22201
Phone: (703) 312-7383
Fax: (703) 812-5190
http://www.smartdynamics.com/
SmartcardFocus
37 Kew Road,
Richmond,
Surrey TW9 2NQ,
UK
Voice (UK Customers): 0800 068 1219
Voice (Outside UK): +44 (0)20 8241 9596
Fax: +44 (0)20 8241 2192