1.What is an IC card (smart card)?
The IC card evolved from the magnetic stripe card. It embeds an integrated circuit chip into a card. Compared to magnetic stripe cards, IC cards are more reliable, have larger storage capacity, and possess a certain level of “intelligence.”
IC cards can be roughly divided into two main categories: memory cards and “smart” cards. A memory card incorporates an EEPROM memory chip, which gives it a “memory” function. Information can be “written (stored)” onto or “read (retrieved)” from the card. In principle, the read/write process is unrestricted, and the entire memory space is open. The management of this storage space is done externally to the card, which means memory cards lack good security features.
Later, memory cards were improved by adding a password verification feature to control the access process. However, they still lacked robust storage management functions.
On the other hand, a “smart” card not only embeds an EEPROM memory chip but also integrates a “microcontroller unit (MCU)” into the card. This MCU includes software to manage the EEPROM memory on the card, which is typically referred to as the “Card Operation System (COS).” Any data sent from outside the card is processed by the MCU. In other words, the MCU and its software (COS) control the access to information and manage the allocation and use of the memory.
In summary, the essence of an IC card is the process of information access. The so-called “intelligence” of a smart card lies in the strict control of this access process and the flexible management of the memory, with the goal of making the information stored in the card more secure and easier to use.
2.IC Card-Related Standards
IC cards are highly standardized products. Their physical design, internal chip electrical characteristics, and even their usage methods are controlled by strict protocols. The most fundamental and important set of standards is the ISO/IEC 7816 protocol. This protocol not only defines the mechanical and electrical characteristics of IC cards but also specifies the application methods for IC cards (especially smart cards), including many data structures within the COS.
Apart from the 7816 protocol, specific fields where IC cards are used have more detailed protocols. For example, in China, the PBOC standard is used in the financial sector, and there are also specific standards for transportation management systems and social welfare systems. These protocols are built on the foundation of the 7816 protocol and further refine it.
Of course, the 7816 protocol does not exist in isolation. Many of its concepts are derived from other related standards. For example, in the 7816 protocol, some data structures use “BER-TLV” formatting, and the detailed explanation of the “BER-TLV” concept is provided in the IEC 8825 ASN.1 protocol. This shows that the 7816 protocol does not create concepts arbitrarily but adopts existing standard concepts when applicable. This approach helps form a comprehensive and cohesive system of protocols.
3.How Smart Cards Manage Their Memory
Ordinary memory cards do not have the ability to manage memory internally; this management is done externally. Only “smart” cards have the capability to manage their memory. Therefore, the following discussion focuses on smart cards.
The most common way to manage memory is by dividing it into blocks, but this method should not be too simplistic. It would be too difficult for users to remember the numbers and attributes of each memory block. Hence, a more abstract, logical representation of these memory blocks is typically used.
Consider how large storage devices (like hard drives) on a desktop computer are also organized in blocks, which we commonly refer to as “sectors.” However, in everyday use, we don’t deal with “sectors” directly. Instead, we see “files” and “subdirectories.” A “file” is essentially a collection of data stored in a series of memory blocks, and a “subdirectory” organizes these files into groups. Files and subdirectories make data easier to manage and use.
The ISO/IEC 7816 protocol defines that smart cards manage their memory in the form of “files,” and these files are divided into three categories: MF, DF, and EF.
- MF (Master File) is equivalent to the “root directory” on a desktop system.
- DF (Dedicated File) functions like a “subdirectory.”
- EF (Elementary File) is where specific data is stored, much like individual files.
Unlike desktop systems, the levels of DFs (similar to directory levels) in smart cards are typically fixed. In most cases, there is only one level (MF – DF), though some cards may have two levels (MF – DF – SubDF). The 7816 protocol itself does not strictly limit the number of DF levels. Additionally, the 7816 protocol provides basic definitions for EF file types, so many files on the card follow a specific format (such as “fixed-length record” files). These are not as “transparent” as files in desktop systems, where you can manipulate them based on offsets and lengths.
Higher-level protocols (such as EMV or PBOC) provide more specific definitions for EF file types, tailored to their respective applications. For instance, the “wallet file” defined in the PBOC protocol is designed to make smart cards suitable for financial use. However, these specific definitions must ultimately map to a file format specified in the 7816 protocol.
4.How Smart Cards Control the Process of Accessing Information
Accessing or modifying files stored in a smart card is not something that can be done freely. Every smart card has a set of rules (which can be understood as a security model) that restrict file access operations. Generally, protocols specify which algorithms a smart card should support (e.g., DES, 3DES, RSA), and in certain fields, they may mandate the use of specific algorithms to ensure security. However, there are no strict requirements on how these algorithms are integrated into the security model.
Additionally, communication between the card and the card terminal (the device that can access the card) must be secure in certain cases. This means the information transmitted between the card and the terminal should not be intercepted or compromised by a third party, and the integrity of the data must be preserved. The ISO/IEC 7816 protocol defines rules for “secure messaging,” which must be supported by any smart card compliant with this protocol.
Some cards (or certain card operations) require specific terminals for access, and sometimes the cardholder’s authorization is also necessary. In these special cases, mutual authentication between the card and the terminal, and between the card and the cardholder, is required. The authentication between the card and the cardholder is widely known—every card comes with a PIN code for this purpose.
