Smart Card Standards
A number of standards and specifications are relevant for smart card implementations, with some focused on industry-specific applications. A summary of the standards bodies and different smart card standards and specifications is presented below.
- ISO/IEC Standards
- Federal Information Processing Standard 201 – FIPS 201
- Other Federal Information Processing Standards
- American National Standards Institute (ANSI) Standards
- Global Platform (GP) (formerly Open Platform)
- Common Criteria (CC)
- International Civil Aviation Organization (ICAO)
- International Airline and Transportation Association (IATA)
- G-8 Health Standards
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191)
- Global System for Mobile Communication (GSM) Standards
- EMV 2000 Specifications
- Personal Computer/Smart Card (PC/SC) Workgroup Open Specifications
- OpenCard(TM) Framework
- Biometric Standards
International Standards Organization (ISO)/International Electrotechnical Commission (IEC) Standards
ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards. The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC 7501.
- ISO/IEC 7816 is a multi-part international standard broken into fourteen parts. ISO/IEC 7816 Parts 1, 2 and 3 deal only with contact smart cards and define the various aspects of the card and its interfaces, including the card’s physical dimensions, the electrical interface and the communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 are relevant to all types of smart cards (contact as well as contactless). They define the card logical structure (files and data elements), various commands used by the application programming interface for basic use, application management, biometric verification, cryptographic services and application naming. ISO/IEC 7816 Part 10 is used by memory cards for applications such as pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7 defines a secure relational database approach for smart cards based on the SQL interfaces (SCQL).
- ISO/IEC 14443 is an international standard that defines the interfaces to a “close proximity” contactless smart card, including the radio frequency (RF) interface, the electrical interface, and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate at 13.56 MHz and have an operational range of up to 10 centimeters (3.94 inches). ISO/IEC 14443 is the primary contactless smart card standard being used for transit, financial, and access control applications. It is also used in electronic passports and in the FIPS 201 PIV card.
- ISO/IEC 15693 describes standards for “vicinity” cards. Specifically, it establishes standards for the physical characteristics, radio frequency power and signal interface, and anticollision and transmission protocol for vicinity cards that operate to a maximum of 1 meter (approximately 3.3 feet).
- ISO/IEC 7501 describes standards for machine-readable travel documents and has made a clear recommendation on smart card topology.
A basic summary of ISO/IEC 7816, ISO/IEC 14443 and ISO/IEC 15693 can be found in the Smart Card Alliance report, Contactless Technology for Secure Physical Access.
Federal Information Processing Standard 201 – FIPS 201
As a result of Homeland Security Presidential Directive 12 (HSPD-12), issued by President George W. Bush on August 27, 2004, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, on February 25, 2005. FIPS 201 provides the specifications for a standard Federal smart ID card, called the PIV card, that must be used for both physical and logical access and can be used for other applications as determined by individual agencies. The PIV card is a smart card with both contact and contactless interfaces. Government agencies are currently implementing FIPS 201-compliant systems.
NIST has also issued a number of special publications with additional specifications for PIV card implementations. Published specifications are available at http://csrc.nist.gov/publications/nistpubs/index.html. Draft special publications are available at http://csrc.nist.gov/piv-program/index.html.
Other Federal Information Processing Standards
FIPS standards are developed by the Computer Security Division within NIST. FIPS standards are designed to protect Federal computer and telecommunications systems. The following FIPS standards apply to smart card technology and pertain to digital signature standards, advanced encryption standards, and security requirements for cryptographic modules.
- FIPS 186-2 specifies a set of algorithms used to generate and verify digital signatures. This specification covers three algorithms: the Digital Signature Algorithm (DSA), the RSA digital signature algorithm, and the Elliptic Curve Digital Signature Algorithm (ECDSA).
  - ANSI X9.31-1998 contains specifications for the RSA signature algorithm. The standard specifically covers both the manual and automated management of keying material using both asymmetric and symmetric key cryptography for the wholesale financial services industry.
  - ANSI X9.62-1998 contains specifications for the ECDSA signature algorithm.
- FIPS 197: The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt and decrypt information.
- FIPS 140: The security requirements contained in FIPS 140 (currently version 2) pertain to areas related to the secure design and implementation of a cryptographic module, specifically: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
American National Standards Institute (ANSI) Standards
ANSI recommends standards directed to the needs of the U.S. and supervises standards-making activities. It does not write or develop standards itself. Thus, in the U.S., any group that participates in ISO must first participate in ANSI. The International Committee for Information Technology Standards (INCITS) serves as ANSI’s Technical Advisory Group (TAG). Working groups within INCITS, such as B10 (Identification Cards and related devices), T6 (Radio Frequency Identification Technology) and M1 (biometrics), contribute directly to ISO groups (for example, the ISO/IEC Joint Technical Committee 1/Subcommittee 17 (JTC 1/SC 17)).
Global Platform (GP) (formerly Open Platform)
GlobalPlatform (GP) is an international, non-profit association. Its mission is to establish, maintain and drive adoption of standards to enable an open and interoperable infrastructure for smart cards, devices and systems that simplifies and accelerates development, deployment and management of applications across industries. As of January 2002, over 20 million GlobalPlatform smart cards were in circulation across the world, with an additional 200 million GSM cards that use GlobalPlatform technology for Over-The-Air (OTA) application download.
Common Criteria (CC)
Common Criteria (CC) applies to security evaluation for IT products and systems. CC’s goal is to provide a common or standardized way to evaluate IT products and services, thus producing a certain assurance level for those products and systems. CC was developed by organizations that sponsored previous criteria from the United States, Canada, and Europe. These organizations came together and developed the Common Criteria in 1993. In 1996, Common Criteria v1.0 was produced; in 1998, v2.0 was produced; and in 1999, the most recent version, v2.1, was produced. CC v2.1 complies with ISO/IEC 15448.
International Civil Aviation Organization (ICAO)
The International Civil Aviation Organization (ICAO) is responsible for issuing guidance on the standardization and specifications for Machine Readable Travel Documents (MRTD) – i.e., passports, visas, and travel documents. ICAO has published a new specification for electronic passports that uses a contactless smart chip in the passport to securely store information on the passport holder’s data page.
International Airline and Transportation Association (IATA)
The IATA develops standards for recommendation to the airline and transportation industry. IATA has formed a task force to develop interoperability standards for smart card-based ticketless travel. Its mission is to ensure easy and convenient negotiation of electronic airline tickets.
G-8 Health Standards
The G-8 countries have come together to develop a standard format for populating data on a health card. This standard attempts to create interoperability across health cards from the G-8 countries. It addresses file formats, data placement on the card, and use of digital certificates in health care.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191)
This law states that the Secretary of Health and Human Services (HHS) is to adopt national standards for implementing a secure electronic health transaction system. Examples of these transactions include: claims, enrollment, eligibility, payment, and coordination of benefits. The goal of HIPAA is to create a secure, cost-effective means for individuals to efficiently accomplish electronic health care transactions. HHS has designated the Centers for Medicare and Medicaid Services the responsible entity for enforcing HIPAA. All applicable entities must be in compliance by October 16, 2003.
Global System for Mobile Communication (GSM) Standards
The mobile phone industry has several telecommunication standards, but the predominant one globally is GSM (also often called PCS in the United States). The GSM standard uses smart cards called Subscriber Identification Modules (SIMs) that are configured with information essential to authenticating a GSM-compliant mobile phone, thus allowing a phone to receive service whenever the phone is within coverage of a suitable network. In mid-2006 there were more than 2 billion phones around the world using GSM/SIM technology. (See GSM statistics at http://www.gsmworld.com.) This standard is managed by the European Telecommunication Standards Institute.
EMV 2000 Specifications
To expedite the issuance of globally interoperable financial smart cards, Europay, MasterCard, and Visa (EMV) published the first version of standard card and transaction terminal specifications in 1995. The specifications are built on the ISO/IEC 7816 standard and serve as an expansion to accommodate debit and credit transactions. Version 4.1 was published in June 2004.
- Book 1, Application-Independent Integrated Circuit Card (ICC) to Terminal Interface Requirements, describes the minimum functionality required for integrated circuit cards and terminals to ensure correct operation and interoperability independent of the application to be used.
- Book 2, Security and Key Management, describes the minimum security functionality required for integrated circuit cards and terminals to ensure correct operation and interoperability. Additional requirements and recommendations are provided on online communication between ICC and issuer and the management of cryptographic keys at terminal, issuer and payment system level.
- Book 3, Application Specification, defines the terminal and integrated circuit card procedures necessary to effect a payment system transaction in an international interchange environment.
- Book 4, Cardholder, Attendant, and Acquirer Interface Requirements, defines the mandatory, recommended, and optional terminal requirements necessary to support the acceptance of integrated circuit cards in accordance with Books 1, 2 and 3.
Personal Computer/Smart Card (PC/SC) Workgroup Open Specifications
The PC/SC Workgroup was formed in 1996 and included Schlumberger Electronic Transactions, Bull CP8, Hewlett-Packard, Microsoft, and other leading vendors. This group has developed open specifications for integrating smart cards with personal computers. The specifications are platform-independent and based on existing industry standards. They are designed to enable application developers to create smart card-based secure network applications for banking, health care, corporate security, and electronic commerce. The specifications include cryptographic functionality and secure storage, programming interfaces for smart card readers and PCs, and a high-level application interface for application development. The specifications are based on the ISO/IEC 7816 standard and support EMV and GSM application standards.
OpenCard(TM) Framework
The OpenCard Framework is a set of guidelines announced by IBM, Netscape, NCI, and Sun Microsystems for integrating smart cards with network computers. The guidelines are based on open standards and provide an architecture and a set of application program interfaces (APIs) that enable application developers and service providers to build and deploy smart card solutions on any OpenCard-compliant network computer. Through the use of a smart card, an OpenCard-compliant system will enable access to personalized data and services from any network computer and dynamically download from the Internet all device drivers that are necessary to communicate with the smart card. By providing a high-level interface which can support multiple smart card types, the OpenCard Framework is intended to enable vendor-independent card interoperability. The system incorporates Public Key Cryptography Standard (PKCS) #11 and is expandable to include other public key mechanisms.
American Public Transportation Association (APTA) Uniform Transit Fare Standard
The American Public Transportation Association (APTA) Uniform Transit Fare Standard (UTFS) specifications are currently under development. A set of documents should be available soon defining the Regional Interoperability Standard (RIS) for electronic transit fare payments. The APTA UTFS goal is to provide a series of documents that allows industry to create an open architecture payment environment and that facilitates the integration of independent transit payment systems.
Biometric Standards
Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of the ID system.
- ANSI-INCITS 358-2002, BioAPI Specification – (ISO/IEC 19784-1). BioAPI is intended to provide a high-level generic biometric authentication model–one suited for any form of biometric technology. It covers the basic functions of enrollment, verification, and identification, and includes a database interface to allow a biometric service provider (BSP) to manage the technology device and identification population for optimum performance. It also provides primitives that allow the application to separately manage the capture of samples on a client workstation, and the enrollment, verification, and identification functions on a server. The BioAPI framework has been ported to Win32, Linux, UNIX, and WinCE. Note that BioAPI is not optimum for a microcontroller environment such as might be embedded within a door access control reader unit or within a smart card processor. BioAPI is more suitable when there is a general-purpose computer available.
- ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) – (ISO/IEC 19785-1). The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies and exchange data in a common way. These data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, originally published as NISTIR 6529.
- ANSI-INCITS Biometric Data Format Interchange Standards. ANSI-INCITS has created a series of standards specifying the interchange format for the exchange of biometric data. These standards specify a data record interchange format for storing, recording, and transmitting the information from a biometric sample within a CBEFF data structure. The ANSI-INCITS published data interchange standards are shown below. The ISO equivalent standards for each are in process but not yet finalized.
  - ANSI-INCITS 377-2004 – Finger Pattern Based Interchange Format
  - ANSI-INCITS 378-2004 – Finger Minutiae Format for Data Interchange
  - ANSI-INCITS 379-2004 – Iris Interchange Format
  - ANSI-INCITS 381-2004 – Finger Image Based Interchange Format
  - ANSI-INCITS 385-2004 – Face Recognition Format for Data Interchange
  - ANSI-INCITS 395-2005 – Signature/Sign Image Based Interchange Format
  - ANSI-INCITS 396-2004 – Hand Geometry Interchange Format
- ISO/IEC 19794 series on biometric data interchange formats. Part 1 is the framework, Part 2 defines the finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4 defines the finger image data, Part 5 defines the face image data, and Part 6 defines the iris image data. Still in development, Part 7 will define the signature/sign time series data, Part 8 will define the finger pattern skeletal data and Part 9 will define the vascular image data.