Typical values of EMV operations from the RSA algorithm

Consider the execution times of various RSA operations on the Crypto@1408Bit cryptoprocessor used in Infineon’s SLE88CFX1M00P and SLE88CFX8002P chips. The cryptoprocessor has a private memory of 880 bytes.
Note that the speed of RSA operations depends linearly on the clock frequency of the cryptoprocessor. The RSA key generation time is a random variable (see the description of the algorithm in app. C), so the table shows the average values of this indicator. Finally, note that the public key exponent F_4 = 2^16 + 1 = 65,537 is used.
Cryptographic coprocessors are designed to perform arithmetic operations on large numbers and have their own RAM for such operations. Adding a cryptographic coprocessor increases the size of the chip, and therefore the cost of the card. Today, this increase in price is on average 30-40 cents per card.
At the same time, research is underway on extending the basic instruction set of the main processor so that the RSA algorithm can be implemented on it. For the reason given above, solving this problem will reduce the cost of the card.
A number of procedures specific to a smart card use random numbers generated by the card. Examples are the procedures for generating a pair of RSA public and private keys and for encrypting the cardholder’s PIN code. An algorithm or procedure for generating random numbers is called a Random Number Generator (RNG). Of course, the concept of an algorithm, each step of which gives a deterministic result, contradicts the concept of randomness. Therefore, software implementations of an RNG have an inherent disadvantage: they generate only pseudo-random numbers. However, if the range of values of the pseudo-random number generator and the period after which they repeat are large, such an implementation can be considered acceptable.
Along with software implementations of the random number generator, there are hardware implementations that use variable physical parameters of the chip, such as its thermal noise characteristics. The hardware implementation is preferable to the software implementation, because it generates a sequence of numbers that cannot be calculated by any deterministic algorithm. In this sense, the resulting numbers are truly random. Therefore, chip modules that implement random number generators in hardware are called True Random Number Generators (TRNG). The FIPS 140-2 standard (Federal Information Processing Standards, Publication 140-2) describes tests for randomness of a sequence of numbers generated by a random number generator.
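The following added example (not from the original text) sketches three of the statistical tests of the kind FIPS 140-2 describes, applied to a 20,000-bit sample: monobit, poker and long run. The bounds are taken from FIPS 140-2 section 4.9.1 and do not appear on this page, so treat them as assumptions to check against the standard; the runs test is omitted, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

#define SAMPLE_BYTES 2500            /* 20,000 bits per test run */
enum { FAIL_MONOBIT = 1, FAIL_POKER = 2, FAIL_LONGRUN = 4 };

/* Returns a bitmask of the tests that the 20,000-bit sample fails (0 = pass). */
unsigned rng_failures(const uint8_t *s) {
    unsigned long ones = 0, f[16] = {0}, sumsq = 0;
    unsigned run = 0, longest = 0, fail = 0;
    int prev = -1;

    for (size_t i = 0; i < SAMPLE_BYTES; i++) {
        f[s[i] >> 4]++;              /* poker: frequency of each 4-bit value */
        f[s[i] & 0x0F]++;
        for (int b = 7; b >= 0; b--) {
            int bit = (s[i] >> b) & 1;
            ones += (unsigned)bit;
            run = (bit == prev) ? run + 1 : 1;   /* length of the current run */
            if (run > longest) longest = run;
            prev = bit;
        }
    }
    for (int k = 0; k < 16; k++) sumsq += f[k] * f[k];
    /* Poker statistic over the 5,000 nibbles of the sample. */
    double x = 16.0 * (double)sumsq / 5000.0 - 5000.0;

    if (!(ones > 9725 && ones < 10275)) fail |= FAIL_MONOBIT;  /* biased source */
    if (!(x > 2.16 && x < 46.17))       fail |= FAIL_POKER;    /* skewed nibbles */
    if (longest >= 26)                  fail |= FAIL_LONGRUN;  /* stuck output */
    return fail;
}

/* Constructed sample: one byte repeated, as a stuck or oscillating source gives. */
unsigned check_repeated_byte(uint8_t v) {
    uint8_t s[SAMPLE_BYTES];
    for (size_t i = 0; i < SAMPLE_BYTES; i++) s[i] = v;
    return rng_failures(s);
}
```

A stuck-at-zero source fails all three tests, while the alternating pattern 0xAA passes monobit and long run and is caught only by the poker test, which is why a single test is not enough.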
To implement a random number generator in a chip, a separate coprocessor is usually used.
A separate coprocessor is also used to implement the module that calculates the verification sequence of the cyclic code described by the ISO/IEC 3309 standard. (For the characteristics of this code and its use in the T=1 communication protocol, see section 2.4.2.) This module can also be used to ensure the integrity of information stored in EEPROM memory.
The cheapest type of non-volatile memory is ROM (Read-Only Memory), also known as permanent storage. In it, the array of cells is a set of conductors organized in a matrix structure (some of the conductors are rows of this structure, and some are columns).
Some conductors remain intact, and some are destroyed during the “burning” of the ROM mask corresponding to the application that will be stored in this type of memory.
The closed state of a conductor can be assigned logical zero, and the open state logical one. If you now measure the voltage between one of the column lines and one of the row lines (i.e., access a specific memory cell), then a high value (the open state of the conductor) corresponds to a logical one, and a zero value (the closed state of the conductor) corresponds to a logical zero.
There are other ways to create a ROM mask. The most famous of them is the implantation ROM method, in which memory encoding is performed by irradiating the surface of the crystal occupied by the ROM with a powerful ion beam.
The main disadvantage of ROM is that the contents of its memory cells cannot be updated, i.e. no information can be written to it. For this reason, smart cards hold the card’s operating system and static applications (applications that do not require changes while the card is in use) in ROM. In particular, all utility programs are stored in ROM, including programs for maintaining the card file system, providing communication, and performing cryptographic operations. These programs are written (“burned”) into the ROM when the card is made and cannot be changed later.
General-purpose smart cards have ROM ranging from 16 to 136 KB. The ROM size in record-breaking cards is 400 KB.
RAM (working memory) is volatile and is the most expensive memory on a smart card. It is used by the processor to store fragments of executable code and intermediate data when performing various operations, because it is the fastest type of memory for reading and writing data. The access time of RAM (the period of time during which the contents of a single memory cell can be read or written) is several tens of nanoseconds. The speed of processor operations depends on the size of RAM (sometimes, because RAM is small, one operation has to be split into several consecutive operations, which increases its execution time).
The strict limits on RAM size are what card application developers feel most. Even with high-level languages, writing smart card applications is an art that has to be learned. The programmer constantly needs to use temporary variables economically, or even to devise special algorithms for operations on large variables. Moreover, RAM is used both by the programmer’s applications and by all the card utilities, so the programmer must know not only how much RAM his applications use, but also how much memory is required by the utilities that his applications call during their execution. This is why, despite the emergence of the open Java Card and MULTOS platforms that allow millions of software developers to write applications for smart cards, this activity is still the prerogative of smart card providers.
As shown in Fig. 5, the ratio of the die areas occupied by RAM and ROM needed to store the same amount of information is about 16:1. To a first approximation, the cost of a chip component is proportional to the die area it occupies. Therefore, the cost of the card grows faster with an increase in RAM size than with an increase in any other type of memory.
High-end cards (usually Java cards) have a RAM size of 4 to 8 KB, although for many payment applications (with support only for the DES algorithm and the T=0 protocol) a few hundred bytes of this memory is sufficient. Record-breaking cards (for example, the already mentioned Infineon SLE88 family cards) have a RAM size of 16 KB.
There is another widely used type of memory in smart cards: EEPROM, which is non-volatile and rewritable. A unit of this memory is about 4 times cheaper than a unit of RAM and 4 times more expensive than a unit of ROM. EEPROM can host some card applications and stores card operating system data and all card application data, regardless of whether these applications are stored in ROM or EEPROM. This is because EEPROM is the only rewritable and non-volatile type of memory on a smart card. When the card power is turned off, data recorded in EEPROM can be retained for more than ten years.
EEPROM has two important limitations. The first is limited performance. It usually takes between 3 and 10 milliseconds to erase and then write data to EEPROM.
The second limitation is related to the wear of this type of memory. EEPROM wears out after a certain number of data rewriting cycles (on the order of 100-500 thousand cycles).
An important problem in using smart cards is ensuring the integrity of information stored on the card during transaction processing. Since the card can be removed from the terminal reader at any time, this can happen in the middle of calculations related to the execution of the transaction. Such a removal of the card is called a break. If a break occurs, it is important that the information in the chip is not left in the state of an incomplete operation. In particular, if the card supports the functionality of an e-wallet, it is important that the amount in the wallet is not higher than at the beginning of the operation. Otherwise, this would become an obvious way to commit fraud.
Smart cards use a number of mechanisms to deal with a break. The most common mechanism is similar to the transaction mechanism adopted in database management systems and consists of the following. At the beginning of the operation, the “transaction flag” is set and the most important application parameters are stored in EEPROM at this time. This flag and its associated data are removed only after the operation is completed. If the flag is seen at the beginning of the next operation, it indicates that the previous transaction was interrupted and not completed. When this state is recognized, the application parameters are “rolled back” to the state at the beginning of the previous transaction, and only then does the new operation begin.
The integrity of the most important information stored on the card, such as keys, personal data of the cardholder, etc., is ensured by the hardware and software of the card. Special sensors in the chip prohibit changes to the chip memory if the processor is not processing a data write command (i.e., while storing or reading data). In addition, the card operating system uses verification sequences to detect whether the integrity of stored information has been violated.
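The transaction-flag mechanism and the verification sequence described above can be combined as in the following added example, which is not code from the original text. The EEPROM layout, the purse parameters, the flag value and all function names are assumptions made for illustration; the `tear` argument simulates the card being pulled after a given number of EEPROM writes.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical purse state: the "most important application parameters". */
struct params { uint32_t balance; uint32_t counter; };

/* Simulated EEPROM image (layout is an assumption made for this example). */
struct eeprom {
    struct params live;    /* values the application works on */
    struct params saved;   /* copy taken at the start of an operation */
    uint16_t saved_crc;    /* verification sequence over `saved` */
    uint8_t  txn_flag;     /* FLAG_SET while an operation is in progress */
};
enum { FLAG_CLEAR = 0x00, FLAG_SET = 0xA5 };

/* ISO/IEC 3309 16-bit FCS: x^16+x^12+x^5+1, bit-reflected, init and final XOR 0xFFFF. */
uint16_t crc16_3309(const void *buf, size_t n) {
    const uint8_t *p = buf;
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0x8408) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)(crc ^ 0xFFFF);
}

/* Run at the start of every operation: 0 = clean, 1 = rolled back,
   -1 = saved copy corrupt. A break during the rollback leaves the flag set,
   so the rollback is simply repeated next time. */
int recover(struct eeprom *e) {
    if (e->txn_flag != FLAG_SET) return 0;
    if (crc16_3309(&e->saved, sizeof e->saved) != e->saved_crc) return -1;
    e->live = e->saved;
    e->txn_flag = FLAG_CLEAR;
    return 1;
}

/* Debit the purse. `tear` = number of EEPROM writes that complete before the
   card is pulled (0 = never). Returns 0 when complete, 1 if torn, -1 if refused. */
int debit(struct eeprom *e, uint32_t amount, int tear) {
    int w = 0;
    if (recover(e) < 0 || amount > e->live.balance) return -1;
    e->saved = e->live;                                     if (++w == tear) return 1;
    e->saved_crc = crc16_3309(&e->saved, sizeof e->saved);  if (++w == tear) return 1;
    e->txn_flag = FLAG_SET;                                 if (++w == tear) return 1;
    e->live.balance -= amount;                              if (++w == tear) return 1;
    e->live.counter += 1;                                   if (++w == tear) return 1;
    e->txn_flag = FLAG_CLEAR;
    return 0;
}
```

The saved copy and its check value are written before the flag is set, so a flag that is set always refers to a complete backup; a break before that point leaves the live values untouched.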
The I/O channel of the smart card chip is a serial interface that works in one direction at a time. This means that only 1 bit of information can be transmitted over it at any given time, and it can only be transmitted in one direction (half-duplex communication). In accordance with the ISO/IEC 7816 standard, data exchange between the smart card and the card reader can be performed at a speed of up to 115,200 bit/s. Modern contact cards support data transfer rates of 9,600, 19,200, 38,400, 55,800 and 76,800 bit/s.
Two lines of the card interface are used for transmitting traffic between the reader and the card. Data bits are “passed” over one of the lines, the I/O line. The second line, the clock line, specifies when to sample the I/O line to get the data bit.
The USB interface uses two additional lines to form a second input/output channel. This method creates a duplex connection.
The communication protocol between the reader and the smart card uses a master (reader) and slave (smart card) relationship. The reader sends commands to the card and receives a response from it. The smart card never sends data to the reader, except in response to its command.
The standard channel-level protocols (T=0, T=1, T=CL) used between the reader and the card are half-duplex. This means that either data is placed on the I/O line by the reader and read by the card, or it is placed by the card and read by the reader. In this way, each data exchange participant (reader and card) tracks whether it is in the transmit or receive state.
The communication protocols used are not complex, and therefore not complete in the sense of taking into account all possible situations. As a result, there may be a case when, for example, receiving an erroneous message leaves one or both sides of the data exchange in an undefined state. When this happens, the reader is responsible for restarting the card to recover from the line failure.

Smart card operating systems support character-by-character and/or block-by-block data exchange.
There are smart cards on the market that support working with the terminal over the USB protocol, which provides a duplex data transfer mode with a speed of up to 12 Mbit/s. It should be noted that the weak communication capabilities of today’s microprocessor cards are one of the key limitations on expanding the scope of their use. Improving the communication characteristics of the smart card (duplex exchange, support for a stack of Internet protocols, including TCP/IP, higher data transfer speed), together with some changes in the architecture of the card, will make the smart card an independent device that can communicate directly with network servers.
The card is powered by the reader. All smart cards used today can operate at a power supply voltage of 5 volts (more precisely, in accordance with section 5.3.6 of Book 1 of the EMV 4.1 standard, the card must support a voltage in the range of 4.5 to 5.5 volts, and in accordance with section 5.5.6, the card must be supplied with a voltage in the range of 4.6 to 5.4 volts). Some chips are able to operate at lower supply voltages, namely 3 and 1.8 volts.
Currently, cards that support only 5 volts are being replaced by cards that support two voltage values, 5 and 3 volts, and cards that support three voltage values, 5, 3 and 1.8 volts. In accordance with section 5.1 of Book 1 of the EMV 4.1 standard, this migration should be completed by the end of June 2009. Thus, from July 2009, only cards that support two or three power supply voltage values will be used in payment systems. Cards that support a single 5-volt supply voltage will be retired.
After the migration is complete, it will be possible for banks to install terminals that support only 3 volts. However, terminals that support only 5 volts remain operational, and there are no plans to put these terminals out of use. To date, EMVCo, which manages EMV specifications, has not developed a plan to start installing terminals that support only 1.8 volts.