Smart Card Standards
Smart cards have the further advantage over magnetic
stripe cards of being reloadable, and allowing advanced features
like phone banking, automatic memory dialing and on-line services. Smart
cards are used as identification device for GSM digital mobile phonesPrimarily, smart card
standards govern physical properties, communication characteristics, and
application identifiers of the embedded chip and data. Almost all standards
refer to the ISO 7816-1,2 & 3 as a base reference.
International
Organization for Standardization (ISO)
The ISO facilitates the
creation of voluntary standards through a process that is open to all parties.
ISO 7816 is the international standard for integrated-circuit cards (commonly
known as smart cards) that use electrical contacts on the card, as well as
cards that communicate with readers and terminals without contacts, as with
radio frequency (RF/Contactless) technology. Anyone interested in obtaining a
technical understanding of smart cards needs to become familiar with what ISO
7816 and 14443 does NOT cover as well as what it does. Copies of these
standards can be purchased through the American National Standards
Institute (ANSI). Copies of ISO standards are for sale on the ISO
website.
Application-specific
properties are being debated with many large organizations and groups proposing
their standards. Open system card interoperability should apply at several
levels:
1). To the card itself,
2). The card's access
terminals (readers),
3). The networks and
4). The card issuers' own
systems. Open system card interoperability will only be achieved by conformance
to international standards.
This site's sponsors are committed to compliance with ISO and
ITSEC security standards as well as industry initiatives such as EMV, MULTOS,
the Open Card Framework and PC/SC specifications.
This site's sponsors are committed to compliance with ISO and
ITSEC security standards as well as industry initiatives such as EMV, the
Global Platform and PC/SC specifications.
These organizations are active in smart card standardization:
The following standards and the organizations that maintain them are the most
prevalent in the smart card industry:
ISO/IEC is one of the worldwide standard-setting bodies for
technology, including plastic cards. The primary standards for smart cards
are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC
7501.
ISO/IEC 7816
ISO/IEC 7816 is a multi-part
international standard broken into fourteen parts. ISO/IEC 7816 Parts 1, 2 and
3 deal only with contact smart cards and define the various aspects of the card
and its interfaces, including the card’s physical dimensions, the electrical
interface and the communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9,
11, 13 and 15 are relevant to all types of smart cards (contact as well as
contactless). They define the card logical structure (files and data elements),
various commands used by the application programming interface for basic use,
application management, biometric verification, cryptographic services and
application naming. ISO/IEC 7816 Part 10 is used by memory cards for
applications such as pre-paid telephone cards or vending machines. ISO/IEC 7816
Part 7 defines a secure relational database approach for smart cards based on
the SQL interfaces (SCQL).
ISO/IEC 14443
ISO/IEC 14443 is an
international standard that defines the interfaces to a "close proximity"
contactless smart card, including the radio frequency (RF) interface, the
electrical interface, and the communications and anti-collision protocols.
ISO/IEC 14443 compliant cards operate at 13.56 MHz and have an operational
range of up to 10 centimeters (3.94 inches). ISO/IEC 14443 is the primary
contactless smart card standard being used for transit, financial, and access
control applications. It is also used in electronic passports and in the FIPS
201 PIV card.
ISO/IEC 15693
ISO/IEC 15693 describes
standards for "vicinity" cards. Specifically, it establishes
standards for the physical characteristics, radio frequency power and signal
interface, and anti-collision and transmission protocol for vicinity cards that
operate to a maximum of 1 meter (approximately 3.3 feet).
ISO/IEC 7501 describes
standards for machine-readable travel documents and has made a clear
recommendation on smart card topology.
International Civil
Aviation Organization (ICAO)
ICAO issues guidance on the
standardization and specifications for Machine Readable Travel Documents (MRTD)
such as passports, visas, and travel documents. ICAO has published the
specification for electronic passports using a contactless smart chip to
securely store traveler data.
Federal Information
Processing Standards (FIPS)
FIPS, developed by the
Computer Security Division within the National Institute of Standards and
Technology (NIST). FIPS standards are designed to protect federal assets,
including computer and telecommunications systems. The following FIPS standards
apply to smart card technology and pertain to digital signature standards,
advanced encryption standards, and security requirements for cryptographic
modules.
FIPS 140 (1-3)
The security requirements
contained in FIPS 140 (1-3) pertain to areas related to the secure design and
implementation of a cryptographic module, specifically: cryptographic module
specification; cryptographic module ports and interfaces; roles, services, and
authentication; finite state model; physical security; operational environment;
cryptographic key management; electromagnetic interference/electromagnetic
compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other
attacks.
FIPS 201
This specification covers all
aspects of multifunction cards used in identity management systems throughout
the U.S. government.
Europay, MasterCard,
and Visa (EMV)
Europay, MasterCard, and Visa
formed EMV Company, LLC and created the "Integrated Circuit Card
Specifications for Payment Systems". These specifications are related to
ISO7816 and create a common technical basis for card and system implementation
of a stored value system. Integrated Circuit Card Specifications for Payment
Systems can be obtained from a Visa, MasterCard or Europay member bank.
PC/SC
A globally implemented
standard for cards and readers, called the PC/SC specification. This standard
only applies to CPU contact cards. Version 2.0 also dictates PIN pad to card
communications. Apple, Oracle-Sun, Linux and Microsoft all support this
standard.
Microsoft has built PC/SC into
their smart card services as a framework that supports many security mechanisms
for cards and systems. PC/SC is now a fairly common middleware interface for PC
logon applications. The standard is a highly abstracted set of middleware
components that allow for the most common reader card interactions.
Comité Européen de
Normalisation (CEN) and European Telecommunications Standards Institute (ETSI)
CEN and ETSI focus on
telecommunications, as with the GSM SIM for cellular telephones. GSM 11.11 and
ETSI300045. CEN can be contacted at Rue de Stassart, 36 B-1050 Brussels,
Belgium, attention to the Central Secretariat.
The Health Insurance
Portability and Accountability Act (HIPAA)
HIPAA adopts national
standards for implementing a secure electronic health transaction system in the
U.S. Example transactions affected by this include claims, enrollment,
eligibility, payment and coordination of benefits. Smart cards are governed by
the requirements of HIPAA pertaining to data security and patient privacy.
IC Communications
Standards
The IC Communications
Standards existed for non-volatile memories before the chips were adopted for
smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.
Global System for
Mobile Communication (GSM)
The GSM standard is dominant
in the cell phone industry and uses smart cards called Subscriber
Identification Modules (SIMs) that are configured with information essential to
authenticating a GSM-compliant mobile phone, thus allowing a phone to receive
service whenever the phone is within coverage of a suitable network. This
standard is managed by the European Telecommunication Standards Institute. The
two most common standards for cards are 11.11 and 11.14.
OpenCardT Framework
The OpenCardT framework is an
obsolete standard. The following data is for informative purposes only.
The OpenCard framework was a
set of guidelines announced by IBM, Netscape, NCI, and Sun Microsystems for
integrating smart cards with network computers. The guidelines were based on
open standards and provided an architecture and a set of application program
interfaces (APIs) that enable application developers and service providers to
build and deploy smart card solutions on any OpenCard-compliant network
computer. Through the use of a smart card, an OpenCard-compliant system should
have enabled access to personalized data and services from any network computer
and dynamically download from the Internet all device drivers that are
necessary to communicate with the smart card. By providing a high-level
interface which can support multiple smart card types, the OpenCard Framework
was intended to enable vendor-independent card interoperability. The system
incorporated Public Key Cryptography Standard (PKCS) - 11 and was supposed to
be expandable to include other public key mechanisms.
GlobalPlatform (GP)
GlobalPlatform is an
international, non-profit association. Its mission is to establish, maintain
and drive adoption of standards to enable an open and interoperable infrastructure
for smart cards, devices and systems that simplifies and accelerates
development, deployment and management of applications across industries. The
GP standard has been adopted by virtually all the banks worldwide for
JavaCard®-based loading of cryptographic data. The standard establishes
mechanisms and policies that enable secure channel communications with a
credential.
Common Criteria (CC)
Common Criteria is an
internationally approved security evaluation framework providing a clear and
reliable evaluation of the security capabilities of IT products, including
secure ICs, smart card operating systems, and application software. CC provides
an independent assessment of a product's ability to meet security standards.
Security-conscious customers, such as national governments, are increasingly
requiring CC certification in making purchasing decisions. Since the
requirements for certification are clearly established, vendors can target very
specific security needs while providing broad product offerings.
Smart Card Links
ACT
Canada – Advanced Card Technology Association
of Canada.
EuroSmart – European Smart Card Association. Great resource.
JavaCard Forum – Promotes Java for multiple-application smart cards.
MULTOS – First open, Multiple-application OS for highest security.
MUSCLE – Smart cards in a Linux environment. PCSC lite.
HID Global– OMNIKEY Smart card reader and chipset manufacturer, maker of HID Prox and iCLASS cards
PACSprobe – Software to read PACS data (card number, facility code ..)
PCSC Workgroup – Standard for integrating smart cards and smart card readers.
Smart Card Alliance – Promotes smart card technology.
EuroSmart – European Smart Card Association. Great resource.
JavaCard Forum – Promotes Java for multiple-application smart cards.
MULTOS – First open, Multiple-application OS for highest security.
MUSCLE – Smart cards in a Linux environment. PCSC lite.
HID Global– OMNIKEY Smart card reader and chipset manufacturer, maker of HID Prox and iCLASS cards
PACSprobe – Software to read PACS data (card number, facility code ..)
PCSC Workgroup – Standard for integrating smart cards and smart card readers.
Smart Card Alliance – Promotes smart card technology.
Biometric Standards
Many new secure ID system
implementations are using both biometrics and smart cards to improve the
security and privacy of an ID system.
ANSI-INCITS 358-2002
ANSI-INCITS 358-2002, BioAPI
Specification - (ISO/IEC 19784-1). BioAPI is intended to provide a high-level
generic biometric authentication model-one suited for any form of biometric
technology. It covers the basic functions of enrollment, verification, and
identification, and includes a database interface to allow a biometric service
provider (BSP) to manage the technology device and identification population
for optimum performance. It also provides primitives that allow the application
to separately manage the capture of samples on a client workstation, and the
enrollment, verification, and identification functions on a server. The BioAPI
framework has been ported to Win32, Linux, UNIX, and WinCE. Note that BioAPI is
not optimum for a microcontroller environment such as might be embedded within
a door access control reader unit or within a smart card processor. BioAPI is
more suitable when there is a general-purpose computer available.
ANSI-INCITS 398
ANSI-INCITS 398, Common
Biometric Exchange Formats Framework (CBEFF) - (ISO/IEC 19785-1). The Common
Biometric Exchange Formats Framework (CBEFF) describes a set of data elements
necessary to support biometric technologies and exchange data in a common way.
These data can be placed in a single file used to exchange biometric
information between different system components or between systems. The result
promotes interoperability of biometric-based application programs and systems
developed by different vendors by allowing biometric data interchange. This
specification is a revised (and augmented) version of the original CBEFF, the Common
Biometric Exchange File Format, originally published as NISTIR 6529.
ANSI-INCITS
ANSI-INCITS Biometric Data
Format Interchange Standards. ANSI-INCITS has created a series of standards
specifying the interchange format for the exchange of biometric data. These
standards specify a data record interchange format for storing, recording, and
transmitting the information from a biometric sample within a CBEFF data
structure. The ANSI-INCITS published data interchange standards are shown
below. There are ISO equivalents to each standard listed here.
ANSI-INCITS 377-2004
Finger Pattern Based
Interchange Format
ANSI-INCITS 378-2004
Finger Minutiae Format for
Data Interchange
ANSI-INCITS 379-2004
Iris Interchange Format
ANSI-INCITS 381-2004
Finger Image Based Interchange
Format
ANSI-INCITS 385-2004
Face Recognition Format for
Data Interchange
ANSI-INCITS 395-2005
Signature/Sign Image Based
Interchange Format
ANSI-INCITS 396-2004
Hand Geometry Interchange
Format
ISO/IEC 19794
ISO/IEC 19794 series on
biometric data interchange formats. Part 1 is the framework, Part 2 defines the
finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4
defines the finger image data, Part 5 defines the face image data, Part 6
defines the iris image data, and still in development, Part 7 will define the
signature/sign time series data, Part 8 will define the finger pattern skeletal
data and Part 8 will define the vascular image data.