Smart Card Terminal authentication
The authenticity of the smart card user is verified by entering the PIN code. However, the user may also want to verify the authenticity of the terminal. Consider the potential threats of an attacker using a false terminal. An attacker could use such a machine to collect card PIN values entered by unsuspecting users. If the attacker who installed the terminal then stole these cards, he could use the PIN codes captured by the false terminal to perform any operations with the smart cards.
There is a procedure that can be used to protect against this type of attack. It ensures that the user enters the PIN code only after the terminal has been authenticated. The procedure involves storing the user's password in a file on the smart card. We used this type of security procedure when creating a smart-card-based system for monitoring and controlling access to the building of a Customer that produces industrial cabins and various modular structures. The password is known only to an employee of the company (the user of the smart card) and can only be changed by this employee. The password can be a name or a number chosen by the user. The smart card operating system allows access to this file only after the terminal is authenticated by the smart card.
After the user has inserted the smart card into the terminal, the process of mutual authentication between the smart card and the terminal is performed. If this authentication is successful, then each party knows that its partner is authentic. The smart card then allows the terminal to access a file containing the user’s secret password, which is then displayed on the terminal screen. The user sees his password and now knows that this terminal is authentic, because otherwise this terminal would not have access to the file containing his password. Now the user can safely enter the PIN code.
This procedure can also be used as a simple means to prevent the entry of PIN codes into terminals whose integrity has been compromised. Any arbitrary word or number can be used for the password. To prevent potential attackers from finding out this password, the smart card holder should be able to change it whenever they see fit. This procedure can also be modified to solve other problems of this kind.
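The procedure above as a toy model, added here as an example and not taken from the system the article describes: the card releases the password file only after the terminal has answered its challenge. HMAC-SHA256 with a shared key, the class and function names, and the sample key and password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, direction: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 is an assumed stand-in for the card's real algorithm.
    # The direction label keeps a card response from being accepted as a
    # terminal response (reflection).
    return hmac.new(key, direction + challenge, hashlib.sha256).digest()

class Card:
    """Toy card: the password file opens only after terminal authentication."""

    def __init__(self, key: bytes, password: str):
        self._key, self._password = key, password
        self._challenge = None
        self._terminal_ok = False

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        self._terminal_ok = False  # a new session starts unauthenticated
        return self._challenge

    def external_authenticate(self, response: bytes) -> bool:
        # The terminal proves knowledge of the key; each challenge is single-use.
        challenge, self._challenge = self._challenge, None
        self._terminal_ok = challenge is not None and hmac.compare_digest(
            mac(self._key, b"T>C", challenge), response)
        return self._terminal_ok

    def internal_authenticate(self, challenge: bytes) -> bytes:
        # The card proves knowledge of the key to the terminal.
        return mac(self._key, b"C>T", challenge)

    def read_password_file(self) -> str:
        if not self._terminal_ok:
            raise PermissionError("terminal not authenticated")
        return self._password

def terminal_session(card: Card, terminal_key: bytes):
    """Return the password to display, or None if mutual authentication fails."""
    response = mac(terminal_key, b"T>C", card.get_challenge())
    if not card.external_authenticate(response):
        return None
    nonce = secrets.token_bytes(16)
    expected = mac(terminal_key, b"C>T", nonce)
    if not hmac.compare_digest(card.internal_authenticate(nonce), expected):
        return None
    return card.read_password_file()

KEY = b"constructed-demo-key-0123456789a"  # constructed sample value
print(terminal_session(Card(KEY, "blue heron"), KEY))        # genuine terminal
print(terminal_session(Card(KEY, "blue heron"), b"x" * 32))  # false terminal
```

A terminal that cannot show the password gives the user the signal not to enter the PIN.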
Security of systems with smart cards
An important feature of a smart card is its ability to provide a secure environment for data and application programs. The reliability and security of a smart card is due to the fact that it can control access to the information contained in its memory. In essence, a smart card is a highly integrated, secure device designed to handle sensitive information in a hostile environment.
It is almost impossible to create an ideal system or smart card that is completely protected from any person and any influence. If a very large amount of money and effort is spent on the attack, the probability of breaking into the system is quite high. However, each attacker, involuntarily or consciously, weighs the effort and resources spent against the likely result of the attack. The task of security measures is to make the attacker's actions as difficult as possible and eventually raise the cost in effort and resources to the level where the attack no longer pays off.
The security of a smart card depends not only on the special hardware of the microcontroller and the algorithms implemented in the operating system software. The design principles used by smart card developers and the security of the smart card application are also important. For example, an integrated security system based on smart cards, implemented by our specialists for one of our Customers, a company that offers welded mesh for fences, gave the company's management reliable protection of corporate information by allowing access to it only through individual employee cards.
The security of the smart card is ensured by the effective interaction of the security features of the following four components:
- card case;
- hardware in the form of a chip;
- operating system;
- the application.
A microcontroller is built into the plastic case of the smart card. Many of the security features applied to the card case are not only machine readable, but can also be visually checked by humans. The methods used for this purpose are not specific to smart cards; they are also used for other types of cards. The remaining components (the hardware in the form of a chip, the operating system, and the application) protect the data and programs in the smart card microcontroller. The security of a smart card is guaranteed only when all these components and their protective mechanisms work correctly. If any of these components fails, or if any one of them does not meet the requirements, the smart card loses its security.