Recent Reports have focused world attention on card security. Since the first story that Bellcore announced a theoretical way to breach card security broke on the New York Times, there have been many debates upon security of smart cards and smart-card-related systems. A barrage of articles, press releases, newsletters and even a few conferences have addressed the security of smart cards. Pay-TV systems are probably the most publicized cases of security attacks and compromises of smart cards. Issuers of Pay-TV systems worldwide know that it is only a matter of time before their systems are compromised. Many of them have discovered that smart cards are a cost-effective way of updating the security of their system without having to replace entire boxes. Are smart cards secured?

The most obvious and direct attack on a smart card is a physical attack on the card itself. In the case of a stored-value card, the owner of a card may even carry out this sort of attack. Physical attacks attempt to reverse engineer the card and determine the secret key(s). Such attacks have been demonstrated in practice against commercial secure smart card chips, most notably by three groups of researchers: Dan Boneh, Richard DeMillo, and Richard Lipton of Bellcore; Ross Anderson of Cambridge and Marcus Kuhn of Purdue; and Paul Kocher and colleagues of Cryptography Research, Inc.

Boneh, DeMillo, and Lipton, three Bellcore researchers, published a paper called On the Importance of Checking Cryptographic Protocols for Faults in which they pointed out that an adversary who can introduce computational errors into a smart card can deduce the values of cryptographic keys hidden in the smart card [Boneh, et al., 1997]. The surprising part is that an attacker can do this even without precisely controlling the nature of the errors or even the exact timing of the errors. By comparing the result of an erroneous encryption with the result of a correct encryption of the same data, the attacker can learn something about the correct encryption key. By doing enough of these comparisons, the attacker can learn enough information to deduce the entire encryption key. How does the attacker introduce errors? There are plenty of ways. The attacker can subject the smart card to fluctuations in temperature, input voltage, or clock rate; point a radiation source at the card; or hit the card with a rubber mallet. Anything that is likely to cause voltages inside the card to fluctuate will do.

Biham and Shamir later generalized this attack with a technique called Differential Fault Analysis, which works against a wide range of cryptographic algorithms. A determined attacker might extract the upshot of all this is that unless a smart card cryptography mechanism is very carefully designed, any secret keys stored inside the card.

In 1998, Researchers at Cryptography Research, Inc., led by Paul Kocher, publicly announced a new set of attacks against smart cards called Differential Power Analysis (DPA). DPA can be carried out successfully against most smart cards currently in production. DPA is a complicated attack that relies on statistical inferences drawn on power consumption data measured during smart card computation. The equipment required to perform DPA is simple: a modified smart card reader and some off-the-shelf PCs. The algorithm itself is quite complex, but details have been widely published.

Chips inside a smart card use different amounts of power to perform different operations. By hooking a card up to an oscilloscope, a pattern of power consumption can be measured. Particular computations create particular patterns of spikes in power consumption. Careful analysis of the peaks in a power consumption pattern can lead to the discovery of information about secret keys used during cryptographic computations. Sometimes the analysis is straightforward enough that a single transaction provides sufficient data to steal a key. More often, thousands of transactions are required. The types of sensitive information that can leak include PINs and private cryptographic keys.

Possible solutions include masking power consumption with digital noise or throwing random calculations into the mix. Another potential solution is randomizing the order of card computations so that in the end, the same computation is performed using different patterns of primitives. All of these potential technological solutions are ways to mask the giveaway patterns in the power consumption of the card.

Any system is only as strong as its weakest link, any issuer or vendor that guarantees 100% security is misleading the marketplace. The smart card is an intrinsically secure device. It is a safe place to store valuable information such as private keys, account numbers, passwords, or valuable personal information such as medical records. It's also a secure place to perform processes that one doesn't want exposed to the world, for example, performing a public key or private key encryption. Then how we can make use of the smart card to protect and secure our systems in the real life? By setting up the access condition and password on files of the smart cards, only authorized persons or authorities, such as government departments, are allowed to access the information. Moreover, together with the biometrics technology, biometrics information of the cardholder can be placed on the card, so that the smart card can corporate with biometrics scanner to identify or verify whether the card is owned by the card holder or not.

The operation procedures of the smart card could be similar to the traditional paper based identification system. However, instead of verifying the documents by observation of an inspection officer, a card acceptor device will be used. The device, which contains the authorized code and PIN, can unlock the file and retrieve the owner’s information for verification. Because of the on-board computing power of the smart card, it is possible to achieve off-line transactions and verifications. For instance, a smart card and a card acceptor device (CAD) can identify each other by using the mutual active authentication method. Moreover, data and codes stored on the card are encrypted by the chip that is manufacturer by using computational scrambling encryption, making the circuit chip almost impossible to be forged. In the case when biometrics is used, placing the required portion of his/her body onto a biometrics reader can authenticate the user, the data collected by the reader can be used to compare with the one in the card.

Nowadays, many organizations or governments in different countries already have research on these issues. For example, many airlines intend to develop their electronic tickets by using smart cards, which co-operate with the baggage handling system in some airports. The smart cards typically stores the passenger’s flight details such as name seat number, flight number, baggage details and so on. This helps to verify correct passenger checked-in and identify the owner of baggage in case of lost or unclaimed baggage. More importantly the system may help to identify criminals and terrorists.

Access control is one of the important usages of the smart card technology. It is also the motivation behind the development of smart card. Then how to control the access of an operating system in a personal computer by using the smart card? The original idea is come from Paul and Lance in their paper "BITS: A Smart card Protected Operating System, 1994". The single-user nature of personal computers is lack of security protection on their system, especially the system areas such as the boot sector of a hard disk or floppy. They are allowed to be modified by anyone without any protection; this causes the possibility of infection by computer virus. In the present days, a personal computer is powerful enough to take the place of mini-computers to act as a network server, but its single-user nature has not changed and this has caused the problem to become more serious. The BITS makes use of smart card technology to protect the operating system. The host computer is booted actually from a smart card or it requires critical information from the card to complete the boot sequence. So that even if an attacker can gain physical access to the hardware, it is impossible to guarantee system integrity.

The smart card is configured to require user authentication prior to the data access. During system startup, two authentications have to be performed before the completion of boot sequence. At first, the user is authenticated to the smart card by means of a password. And then the host authenticates the card by reading the shared secret from the card. After both of them are matched, host reads boot section information from the smart card and completes the boot sequence. Then the PC operates as normal.

The smart card can also store the checksum of critical data and executable programs. It is effective against virus by validating file integrity rather than scan for known virus signatures. In general, the use of smart card here enhanced the security of the computer by utilizing the inherent secure storage and processing capabilities.

The use of biometric identification for controlling access is becoming increasingly popular today for government and military applications and in areas like healthcare and e-commerce. As well as helping to deliver the enhanced levels of security these sectors are seeking. Biometric Verification Delivery (BVD) technology relies on referencing stored details of unique personal attributes - such as fingerprints, voice, facial characteristics - to verify identity, and is becoming increasingly popular for secure and sensitive applications. By storing this personal information on a smart card, users will in future carry a completely foolproof means of identification, which can be checked off-line within a smart card terminal, using the processing capability of voice/face verification DSP chip. This ability to check identity locally - potentially using a spoken password - means for example that public and mobile phone networks could provide the infrastructure for highly secure communications. This significantly improves the reliability of the document the smart card carries.

Another new technique called Layered Biometric Verification (LBV) technology has been used recently. LBV uses the traditional Biometric Verification Delivery technology as a platform and open architecture allows several different biometric verification technologies to be integrated, further enhancing flexibility and providing considerable scope for tailored solutions. LBV specializes in applied biometrics - the science of verifying an individual's identity by means of personal characteristics such as voice, face and fingerprints. These unique and inimitable biometric features are recorded, analyzed and matched against previously stored spoken passwords, prints and facial snapshots and ensure the highest possible security levels. LBV also uses these to create security solutions for multiple markets including network and data security (e.g. Internet & Intranet, remote access, desktop access), telephony and physical access control.

It is important to realize that attacks against any secure systems are nothing new or unique. Any systems or technologies claiming 100% secure are irresponsible. The main consideration of determining whether a system is secure or not depends on whether the level of security can meet the requirement of the system. Furthermore, most of the attacks available today are classified as class 3 attacks, which means that the costs associated to break the system are far more than the cost of the system itself, or it has to spend several or hundred years of computing power to break into a single transaction. As the technology advances quickly, manufacturers update and enhance their products constantly. Therefore, as soon as the hackers find ways of hacking the system, the problems could be solved by the new generation of technology.

It is believed that smart cards offer more security and confidentiality than the other kinds of information or transaction storage. Moreover, applications applied with smart cards technologies are illustrated which demonstrate smart card is one of the best solutions to provide and enhance their system with security and integrity.