A beginner's guide to Smart Cards

Smart Cards


Since this has been my current subject of interest I'll post a bit here.

I'll be focusing on a subset of RFID called smart chips, smart cards, SIM cards, etc. A lot of what I say here is taken from what I've been reading, and my next step is to start interacting with them. This is a really quick introduction.


Does this pin-out look familiar? Beyond your phone's SIM, these chips are now integrated into credit cards in the US as well. How weird is that? While the pin-out looks the same, the cards actually vary quite heavily in internal technology, looks, etc., but they still often use the T=0 and T=1 protocols to communicate, which, if that sounds familiar, are protocols also used by GSM.

These chips store only a small amount of information, but it is important to remember that storage is not all they do: a chip CAN contain an OS, a CPU, RAM, and applications.

The pin-outs are as follows. It is important to know that of the 8 contacts only 6 are defined (the two that aren't are C4 and C8).

C1 Vcc: +5 VDC power supply input (optional use by the card). Going forward we will likely see this change to +3 VDC.

C2 RESET: Reset signal, used to reset the card's communications. Either used by itself (reset signal supplied from the interface device) or in combination with an internal reset control circuit (optional use by the card). If internal reset is implemented, the voltage supply on Vcc is mandatory. Reset is the signal line used to initiate the state of the integrated circuit after power on, and it is an integral, complex process that I will hopefully get to later.

C3 CLOCK: Provides the card with a clock signal, from which data communications timing is derived. The clock signal is used to drive the logic of the IC and is also used as the reference for the serial communications link; the two most common frequencies are 3.57 MHz and 4.92 MHz. Which is weird, right?! Why not just a straight 5 MHz? It's because of the cheap crystals used to form the clock oscillator. Both frequencies are used by televisions for the colour subcarrier frequency: PAL operates at 4.92 MHz while the American NTSC standard operates at 3.57 MHz. Remember kids, being cheap is the best thing you can do to make people mistrustful of your actions and intentions, and question your sanity. Be above the influence, or not.

C4 RESERVED AUX1: optionally used for USB interfaces and other uses.

C5 GND: Ground (reference voltage). Vss is the substrate or ground reference voltage against which the Vcc potential is measured.

C6 VPP: Programming voltage input (optional). This contact may be used to supply the voltage required to program or to erase the internal non-volatile memory. The Vpp connector is used for the high-voltage signal that is necessary to program the EPROM memory. ISO/IEC 7816-3:1997 designated this as a programming voltage: an input for a higher voltage to program persistent memory (e.g., EEPROM). ISO/IEC 7816-3:2006 designates it SPU, for either standard or proprietary use, as input and/or output.

C7 I/O: Input or output for serial data (half-duplex) to the integrated circuit inside the card. Used for sending and receiving commands with either the T=0 or T=1 protocol. There is a communication unit between a smart card and a smart card reader called an APDU (Application Protocol Data Unit). There are two categories of APDUs: command APDUs and response APDUs.

C8 RESERVED AUX2: optionally used for USB interfaces and other uses.
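To make the APDU idea from the C7 description concrete, here is an added example (not code from the original post) that encodes and decodes the short ISO/IEC 7816-4 APDUs that travel over the I/O contact: a command APDU is the CLA INS P1 P2 header followed by an optional Lc + data body and/or an Le byte, and a response APDU is optional data followed by the status bytes SW1 SW2. The AID and the response bytes used at the bottom are constructed for illustration, not taken from any real card.

```python
# Added example, not from the original post: build and parse short
# ISO/IEC 7816-4 APDUs.  A command APDU is CLA INS P1 P2 plus an optional
# body (Lc + data and/or Le); a response APDU is optional data followed by
# the two status bytes SW1 SW2.  All sample bytes here are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # Lc bytes of command data (case 3 and 4)
    le: Optional[int] = None   # expected response length 1..256 (case 2 and 4)

    def case(self) -> int:
        """ISO 7816-3 case: 1 = header only, 2 = Le only, 3 = data only, 4 = both."""
        if not self.data:
            return 1 if self.le is None else 2
        return 3 if self.le is None else 4

    def encode(self) -> bytes:
        for name, value in (("CLA", self.cla), ("INS", self.ins),
                            ("P1", self.p1), ("P2", self.p2)):
            if not 0 <= value <= 0xFF:
                raise ValueError(f"{name} out of range")
        if len(self.data) > 255:
            raise ValueError("short APDU data is limited to 255 bytes")
        if self.le is not None and not 1 <= self.le <= 256:
            raise ValueError("Le must be 1..256 for a short APDU")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data   # Lc then data
        if self.le is not None:
            out += bytes([self.le % 256])                # Le byte 0x00 means 256
        return out

    @classmethod
    def decode(cls, raw: bytes) -> "CommandAPDU":
        if len(raw) < 4:
            raise ValueError("command APDU needs at least a 4-byte header")
        cla, ins, p1, p2 = raw[:4]
        body = raw[4:]
        if not body:                                     # case 1
            return cls(cla, ins, p1, p2)
        if len(body) == 1:                               # case 2
            return cls(cla, ins, p1, p2, le=body[0] or 256)
        lc = body[0]
        if len(body) == 1 + lc:                          # case 3
            return cls(cla, ins, p1, p2, data=body[1:])
        if len(body) == 2 + lc:                          # case 4
            return cls(cla, ins, p1, p2, data=body[1:1 + lc], le=body[-1] or 256)
        raise ValueError("body length matches no short-APDU case (bad Lc/Le)")


@dataclass
class ResponseAPDU:
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    @classmethod
    def decode(cls, raw: bytes) -> "ResponseAPDU":
        if len(raw) < 2:
            raise ValueError("response APDU needs at least SW1 SW2")
        return cls(raw[:-2], raw[-2], raw[-1])

    def describe(self) -> str:
        """Translate a few common ISO 7816-4 status words into text."""
        if self.sw == 0x9000:
            return "success"
        if self.sw1 == 0x61:
            return f"success, {self.sw2} more response bytes available (GET RESPONSE)"
        if self.sw1 == 0x6C:
            return f"wrong Le, reissue with Le={self.sw2}"
        return {
            0x6982: "security status not satisfied",
            0x6A82: "file or application not found",
            0x6D00: "instruction not supported",
        }.get(self.sw, f"status {self.sw:04X}")


if __name__ == "__main__":
    # Constructed sample: SELECT (INS A4) by AID (P1=04) with a made-up AID.
    select = CommandAPDU(0x00, 0xA4, 0x04, 0x00,
                         data=bytes.fromhex("A000000000000001"), le=256)
    print("command :", select.encode().hex().upper())
    reply = ResponseAPDU.decode(bytes.fromhex("6F0A8408A0000000000000019000"))
    print("response:", reply.data.hex().upper(), reply.describe())
```

The case() method matters in practice because T=0 cannot carry a case 4 command in one exchange: the card answers 61 xx and the reader must follow up with GET RESPONSE, which is exactly what the 0x61 branch of describe() is flagging.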

Memory

As applications became more advanced, more technology was built into these chips. Old telephone cards such as SIM could operate with just EEPROM memory (128 - 512 bytes) and the memory control logic; more sophisticated applications demand ROM, EEPROM, RAM and a CPU, depending on the application. It might be easiest to think of the ROM as where the operating system lives, the RAM as normal working memory like in any device (where the OS is loaded into), and the EEPROM as a kind of hard drive where you can store data that won't be erased even after we remove power to the card.

The control logic is necessary not only for the communication protocols but also to offer some protection of the memory against fraudulent use. We can differentiate the types of integrated circuitry by their content:
  • Memory Only
  • Memory with security logic
  • Memory with CPU
Memory only is exactly as it sounds. The security logic can be used to control access to the memory for authorized use only, meaning that use of the EEPROM memory can be strictly controlled. The security advantage of the CPU device is of course more significant, because the CPU is capable of implementing cryptographic algorithms.

Applications


I hope this is a good introduction to how they work. I go more in depth in my GitHub cheatsheet, and while you may not be interested in the physical side of things, I am not familiar enough with it to offer adequate advice yet. I can at the very least point you in the right direction. There are two notable operating systems running on cards out there, Java Card OS and MULTOS, but keep in mind there are others, like Microsoft Windows for Smart Cards (no joke), that may better suit your purposes.

