Computing Reviews
Smart cards, tokens, security and applications (2nd ed.)
Mayes K., Markantonakis K., Springer International Publishing, New York, NY, 2017. 531 pp. Type: Book (978-3-319504-98-8)
Date Reviewed: Nov 21 2018

This edited book is divided into 18 chapters. Chapter 1 defines the concepts of smart cards, chips, and tamper resistance, and introduces issuer control and the main smart card applications, application development, roll out, and life cycle management.

Chapter 2, “Smart Card Production Environment,” starts with an eye-opening fact: about nine billion units were produced in 2015. This production volume requires industrial processes, while at the same time card and chip personalization are customer demands.

Chapter 3 presents smart card operating systems (OSs), adapted to their capabilities. The main ones are Java Card, MULTOS, and GlobalPlatform.

Chapter 4 zooms in on the subscriber identity module (SIM) card. About six billion SIM cards are produced every year, which is a very large percentage of all smart cards. This success is attributed to successful standardization, providing interoperability and transparency. This standardization is based on a combination of two layers: the universal SIM card standard; and the standard to use it for telecom, that is, the universal integrated circuit card (UICC). The SIM card’s main function is “strong enough” authentication to the network. Other functions include data storage and the SIM toolkit basic functions, and the choice of using the handset versus SIM for them. Near-field communication (NFC) turns a handset into a contactless smart card.

Chapter 5 dives into the financial smart card world. An estimated two billion cards, accepted by 30 million merchants, underlines its importance. The EMV (Europay, MasterCard, and Visa) specification covers offline data authentication, card authentication, issuer authentication, transaction certificate, offline personal identification number (PIN) validation, and card management functions. The 3D secure standard defines a process with 11 steps, putting the balance between complexity, security, and usability in question. Challenges come from card-not-present problems (Internet sales), wireless connections (for instance, with radio-frequency identification (RFID)), and the integration or battle with smartphone solutions.

Chapter 6 looks into pay TV smart cards. Especially for satellite pay TV, the context is challenging: from one source to millions of subscribers, with a focus on confidentiality. Some noteworthy differences: there is no return path, and the need to support a continuous stream that allows for no interruptions due to security. Furthermore, all broadcasts can be intercepted.

The system has to deal with massive key changes (one every 100 milliseconds) and short validity (five seconds). Two elements of the solution are the use of a shifting window with two keys and the use of a key stream next to the data streams. A key hierarchy is used for scaling. Access control is key. Rights are maintained in the receiver and updated via messages, which is the only way to do so.

Chapter 7 presents the trusted platform module (TPM), defined as “some degree of secure processing, implemented in secure hardware.” It contains a description of the fundamental features and components. The TPM has built-in trust anchors: roots of trust for measuring the platform’s integrity, and storage and reporting on the integrity status.

Chapter 8 looks at the common criteria (CC) evaluation of smart cards. Explaining CC is allotted 14 pages and might have been shorter. Its application to smart cards is used as an example and provides a good description of smart card security work areas.

Chapter 9 looks specifically at smart card security features. The connectivity provides power, clock input, the actual communication channel, and finally a reset. Often a cryptographic coprocessor is present. A generator for secure random numbers is available. Anomaly sensors detect unusual conditions. The chip is protected against physical inspection. Side-channel attacks are also discussed: timing analysis, power analysis, and electromagnetic analysis. Fault analysis is another technique. The author exemplifies how to bypass security measures via an understanding of the algorithms and physical monitoring and tweaking.

Chapter 10 is about application development. It starts with Java Card development for universal SIMs. The differences with other environments are due to limitations like limited memory, limited processing power, limited number of application programming interfaces (APIs), and limited data bandwidth. The chapter presents the Java Card open platform, the SIM application toolkit (SAT), and Java Card Classic and Connected. It lists the main tools for development: compilers and integrated development environments (IDEs), simulators, protocol analyzers, and utilities. The presence of a high-speed interface, a contactless interface, and peer-to-peer connections adds more options.

Chapter 11 addresses over-the-air (OTA) secure SIM management. The data on a SIM needs to be able to change in a secure way. The secure authentication of the SIM can be used for other functions requiring similar security, for example, banking and the safekeeping of private data. The chapter discusses SAT and SIM life cycle management.

Chapter 12 is the longest because of code fragments and very helpful architecture drawings. The presence of standards facilitates application development. The applications must communicate with the reader (chip card interface device (CCID) standard) and the reader must communicate with the card (application protocol data unit (APDU) standard).

There is a choice of software stacks that abstract the communication protocols: Java smart card I/O API standard (JSR 268) for Java development, Microsoft PC/SC, and the older OpenCard Framework (OCF).

Mobile APIs get the attention they deserve, with subsections on Android and the security and trust services API, as well as proprietary APIs for Bluetooth, audio jack readers, and universal serial bus (USB) card connectors.

Chapter 13 is about RFID. These systems are low-resource devices, in contrast to the more advanced contactless or proximity tokens. There is a broad range of RFID tokens, from memory-only tokens and fixed logic to full microcontroller-equipped tokens. A significant part of the chapter is devoted to technical communication issues, like modulation, inductive coupling, and the technical differences between reader and card transmission. It goes over the important standards. After discussing the mobile NFC architecture, it focuses on NFC security, especially relay and cloning attacks.

Chapter 14 includes eID and ePassport smart cards. The security features of ID cards include those based on human inspection, those that can be validated using simple tools, and specialized ones, including the built-in smart card. Card production is rather complex to suit these three validation methods, and it must also assure lifetime use and wear-and-tear resistance. Typical eID card functions are authentication, signature and encryption, and information storage, including biometric data. Another use relates to machine-readable official travel documents, to replace the international passport.

Chapter 15 claims to look at the future. It takes a rather safe approach, discussing trends over the years and then some limited extrapolation. Some upcoming technologies are highlighted: embedding security integrated circuits (ICs) and trusted platform modules; embedding financial security like the secure access module (SAM); usage as an information security technology, for instance, dongles, and as a provider of a trusted execution environment (TEE).

Chapter 16 is about the Internet of Things (IoT), a hot topic. Securing IoT is essential. To do this one must provide directives for security and privacy. Proposed IoT solutions require a risk assessment. New technology will change significantly over time and must be anticipated. IoT lets information technology (IT) escape from IT systems into the “things” of our lives. It impacts privacy, physical security, and safety in an unprecedented way. Security incidents have happened already. One could explain these based on lack of skills, device capabilities, and architectural challenges. In the formulation of a security strategy for IoT, the author discusses reputation, fair use of data, privacy, and liability, all of which are nontechnical concerns. The proposed framework to define and measure IoT security has four axes: strategy, development, operation, and evolution.

Chapter 17 is devoted to MULTOS, a multi-application OS running on top of a virtual machine. Applications are shielded from one another and can only communicate through a secured mechanism. Application loading follows a standard process, that is, three types of application units with increasing security: plaintext, protected, and confidential. Each unit can have code and data. Certificates and signatures are used to protect their loading. SmartDeck, an application development environment, can be used with the Eclipse IDE, a commonly used development environment.

Finally, Chapter 18 covers two related topics: TEE and host card emulation (HCE). Mobile devices keep expanding their functionality and, as a consequence, their exposure to direct threats, since they are directly connected. TEE and HCE are two ways to secure applications. Using TEE is a way of keeping control over the device by providing a security bootstrap feature, a trusted computing base (TCB). HCE, on the other hand, simulates a smart card via an application and its risk must be brought to an acceptable level. TEE can provide isolated execution, secure storage, remote attestation, secure provisioning, and a trusted path. Example implementations are ARM’s TrustZone, Samsung’s Knox, and Intel’s Software Guard Extensions (SGX).

To summarize, this book provides a good overview of the most important aspects of smart cards. It maintains a near-consistent level of detail and technical depth across the topics, and includes many references for readers who need more than a solid introduction. It could be extended with other applications, for example, toll payment systems and the implantation of smart cards in animals and humans. It is likely that some domains included in the book fall outside of the reader’s experience and may provoke new ideas and insights, which is a perfect reason to read it cover to cover.


Reviewer:  A. Mariën Review #: CR146326 (1902-0025)
Security and Protection (K.6.5 )
 
 
Security and Protection (C.2.0 ... )
 
 
Signal Processing Systems (C.3 ... )
 
 
General (C.2.0 )
 
 
Special-Purpose And Application-Based Systems (C.3 )
 

Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®