A smart card normally refers to a card with a microprocessor and memory. The cost of each card rangs from $2 to $10. Vendors guarantee 10,000 read/write cycles. The operating system on the chip is called COS (Chip Operating System). The capacity of EEPROM is about 8K to 128K bit. ISO 7816 limits contact cards to an 9600 baud transimission rate. A card transaction can often finish in one or two seconds. Older version cards use 8-bit micro-controller up to 16 MHZ. Current trend is toward a 32-bit RISC processor running at 25 to 32MHZ. The power supply is 5V DC. A card reader terminal provides a asynchronous clock, a serial interface, and a 5V power supply. Each card reader costs $100-$250 for low volume orders. ISO 7816 serials define the standard for smart cards. ISO 7816-8 governs security related inter-industry commands. It is still in progress. No standard COS has been defined.

Current obstacles include relatively higher cost compared to magnetic stripe card, present lack of infrastructure, proprietary nature of COS, lack of standards to ensure interoperability among smart card programs, and unresolved legal and policy issues.

Links

• Common Criteria for IT security evaluation at NIST
• Egov

Papers

• Klaus Vedder and Franz Weikmann, "Smart Cards - requirement, Properties, and Applications," Course on Computer Security and Industrial Cryptography 1997 (COSIC'97), Lecture Notes in Computer Science (LNCS 1528), pp. 307-331, Springer, ISBN 3-540-65474-7, 1998 [PDF]

  An overview about smart cards.

• Clemens H. Cap, Nico Maibaum and Lars heyden, "Extending the data storage capabilities of a Java-based smartcard," Proceedings of Sixth IEEE Symposium on Computers and Communications (2001), pp. 680 -685, July 2001 [PDF]

  The memory on a smartcard is limited. So a concept like "virtual memory" is proposed to enlarge the memory a smartcard can access. The data that can not be saved on the card are stored on the network. The data and communication therefore need to be encrypted.

• Naomaru Itoi and Peter Honeyman, "Practical security systems with smartcards," Proceedings of the Seventh Workshop on Hot Topics in Operating Systems (1999), pp. 185-190, 1999 [PDF]

  Considered as a secure device, Smartcard can be used to build a secure platform. The key idea is to store sensitive information in a smartcard and carry out sensitive computation in it. Three efforts toward this goal are described in the paper: smartcard intergration with Kerberos V5, Unix Filesystem for smartcard and Internet Protocol on smartcard.

• Bruno Struif and Dirk Scheuermann "Smartcards with biometric user verification," Proceedings of 2002 IEEE International Conference on Multimedia and Expo, vol. 2, pp. 589-592, 2002 [PDF]

  Inorder to read data from the smartcard, user will be asked to offer the Personal Identification Number(PIN). The more secure scheme is to use the biometric information just as proposed in this paper. It's a big progress to change the authorization from what you know to what you is!

• J.P. Thomasson and L. Baldi, "Smartcards: portable security," Proceedings of Second Annual IEEE International Conference on Innovative Systeims in Silicon, pp. 259 - 265, 1997 [PDF]

  A brief history of Smartcard is given. It also mentions some technical trends in Smartcard industry.

• Paul C. Clark and Lance J. Hoffman, "BITS: a smartcard protected operating system," Communication of the ACM, vol. 37, no. 11, pp. 66-70, November 1994 [PDF]

  Cryptography applications should be build on secure operating system. In this paper, a possible solution using smartcard is brought up. The idea is that the information required for successful system booting is stored on smartcard. We assume the smartcard is secure, so the security of operating system is obtained. However, the issue of remote login is NOT addressed.

• Mark D. Corner and Brian D. Noble, "Zero-interaction authentication," Proceedings of the eighth annual international conference on mobile computing and networking, pp. 1-11, 2002 [PDF]

• Siu-cheung Charles Chan, "An Overview of Smart Card Security," [WEB]