The following views represent my personal opinions. If you disagree, please leave a comment; discussions are welcome.
In my work, I often encounter IC cards, ID cards, M1 cards, and CPU cards, and I’ve been curious about their connections and differences. Here, my understanding for future reference (though it might not be entirely accurate and only represents my viewpoint).
Since I mainly deal with contactless cards in my work, I will focus on these types (though contact cards also fall under the category of IC cards). Contactless cards, also known as RF cards, mainly rely on the internal RF module to communicate with a card reader via near-field communication. Their power source comes from an induction coil that powers itself through electromagnetic induction.
In my understanding, current cards can be divided into IC cards and ID cards. Why? This distinction is based on whether they can be operated. IC cards can be seen as a general term for all smart cards, encompassing both contact and contactless types. They can read and write data through a series of encryption and decryption algorithms. In contrast, ID cards only include a card number that is fixed by the manufacturer before leaving the factory. Therefore, they can only be read, not written, and the reading is limited to the card number itself, lacking encryption and data storage capabilities.
Since IC cards are a general term for smart cards, I believe that M1 cards and CPU cards also belong to the category of IC cards.
I have encountered two types of M1 cards: S50 and S70 cards. Their internal data structures are similar, with fixed capacities and unique serial numbers (also called SN numbers), storing data in blocks. Each sector has an independent password block, divided into A and B passwords, with each password occupying 6 bytes. The middle 4 bytes are control units that determine whether each block in the sector has read or write permissions. Because the M1 card's password is fixed and of a fixed length, knowing the password allows access to all data except the card number, which presents a low security level and makes it vulnerable to brute-force attacks. Specialized tools can intercept the interaction process between the card and reader to obtain the password, potentially leading to losses for users. Generally, M1 cards are used in low-security environments, such as access control, parking lots, and attendance systems
S50 Card: It has a capacity of 1024 bytes (8 Kbit), divided into 16 sectors, with each sector containing 4 blocks, and each block has 16 bytes.
S70 Card: It has a capacity of 4096 bytes (32 Kbit), divided into 40 sectors, but they are not evenly distributed. The first 32 sectors each contain 4 blocks of 16 bytes, while the last 8 sectors each contain 16 blocks of 16 bytes.
CPU cards are also widely used today. They have their own operating system (COS), a random number generator, and hardware encryption algorithms. Their authentication process involves both parties sending a string of data calculated by encryption algorithms to each other. After decrypting, each party generates a new string for the other to decrypt. Only if the decryption results are mutually accepted can the next operation proceed; otherwise, the system will refuse to execute the command. Since the password is generated by an algorithm each time, neither party knows the password during authentication, making CPU cards relatively more secure and advanced than M1 cards.
Currently, CPU cards are commonly used in fields with high-security requirements, such as finance, ID cards, and passports.
The security performance of CPU cards is significantly higher than that of M1 cards, and correspondingly, their prices are also much higher. However, with technological advancements and increasing security demands, it is likely that in the future, everyone will switch to CPU cards.
