Multifunctional plastic cards.
Much has been written about multifunctional smart cards. At first there was a completely natural interest in the new product, then came studies of varying depth and seriousness, all of them undoubtedly useful and necessary. What is the situation now? And (given the subject of the magazine) what are the prospects for the further implementation of smart cards in security systems?
In Russia, a smart card is usually Mifare.
There are currently two main international standards for smart cards: ISO 14443 and ISO 15693. The first is intended for identification at short distances of up to 10 cm. The second is for identification at long distances of up to 1–1.5 m.
Today, in many countries around the world, the most common smart card is Mifare (ISO 14443 A standard) from NXP (formerly Philips Semiconductor). If we talk about Russia and, in particular, about Moscow, it is enough to cite just one fact: the so-called Muscovite social card is a Mifare Standard card, and single travel tickets in the Moscow metro are Mifare Ultralight. That is, millions of people own and use such cards in the capital alone.
In fairness, it should be said that Mifare is not the only technology used on the market. HID Corporation is actively and quite successfully promoting its iClass technology. This technology complies with ISO 14443 and ISO 15693 standards, but is compatible with Mifare only at the level of reading card serial numbers. In the security systems market, iClass readers and identifiers actively compete with Mifare.
What's inside
To show the differences between smart cards and traditional proximity cards more clearly, let's consider the architecture of the Mifare card using the most common modification, Mifare Standard 1K, as an example. The internal data structure of the card is shown in Table 1.
As can be seen from the table, the entire memory of the card is divided into 16 equal-sized sectors, each 64 bytes in size. In turn, each sector is divided into 4 blocks, and the last block of each sector contains the keys and the rules for accessing the sector, which allows the card to be used in 16 different non-overlapping applications. Because each application "knows" only its own access keys, the other sectors of the card are inaccessible to it. The role of each key within a sector is determined by access bits, which makes it possible to separate read and write rights for different subjects even within a single application.
The zero sector differs from the others in that it contains only two data blocks. The zero block of the zero sector contains service information recorded during production — the serial number of the card (4 bytes) and the manufacturer's data.
Access to the zero block is always open for reading, while all other blocks require knowledge of the access keys for access (even for reading).
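The layout described above, as an added example that is not part of the original article. The byte positions inside the last block of a sector (a 6-byte key A, 4 access bytes, a 6-byte key B) and the inverted-copy encoding of the access bits are taken from the NXP MIFARE Classic 1K data sheet, not from this article, and the sample trailer is constructed.

```python
# Added example: Mifare Standard 1K layout and sector-trailer access bits.
BLOCK_SIZE = 16          # bytes per block
BLOCKS_PER_SECTOR = 4    # 4 x 16 = 64 bytes per sector
SECTORS = 16             # 16 x 64 = 1024 bytes

def trailer_block(sector):
    """Absolute block number of the last (key and access-rule) block."""
    if not 0 <= sector < SECTORS:
        raise ValueError("sector out of range")
    return sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1

def data_blocks(sector):
    """Blocks available for application data. Block 0 of sector 0 holds the
    serial number and manufacturer data, so sector 0 has only two."""
    first = sector * BLOCKS_PER_SECTOR
    blocks = list(range(first, first + BLOCKS_PER_SECTOR - 1))
    return blocks[1:] if sector == 0 else blocks

def parse_trailer(trailer):
    """Split a 16-byte trailer and decode (C1, C2, C3) for blocks 0..3.

    Raises ValueError when the stored inverted copies of the access bits
    disagree, which a reader should treat as a corrupt or altered sector.
    """
    if len(trailer) != BLOCK_SIZE:
        raise ValueError("trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4          # true values
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F        # inverted copies
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    access = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {"key_a": trailer[0:6], "access": access,
            "user_byte": trailer[9], "key_b": trailer[10:16]}

# Constructed sample: a trailer in the factory transport configuration.
SAMPLE = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")

if __name__ == "__main__":
    info = parse_trailer(SAMPLE)
    print(trailer_block(0), data_blocks(0), info["access"])
```

A trailer that still decodes to the transport configuration shown in the sample means the sector was never personalised with the application's own keys.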
In addition to Mifare Standard (versions with a memory capacity of 1 and 4 kilobytes), Mifare Ultralight, Mifare Mini, Mifare Plus, Mifare DESFire and Mifare SmartMX cards are currently being produced. The first of these, Mifare Ultralight, is a greatly simplified version of the standard card with a smaller memory capacity and without cryptographic protection of the radio channel. It is intended mainly for single travel tickets (as mentioned above, these are the cards currently used for single trips on the Moscow Metro), is made in the form of a cardboard card and has an extremely low price. Mifare SmartMX, on the contrary, is a card with significantly expanded, arbitrarily configurable memory (up to 144 KB), a built-in microcontroller and additional cryptographic protection mechanisms. In addition, this card has two interfaces: a radio channel and the contact interface that is standard for smart cards. This allowed it to be certified as a payment card for use in banking systems to replace magnetic stripe cards, which should soon cease to exist.
Mifare is an open platform, available for the development and production of devices by any company with the relevant experience. Mifare support for system integrators, card and reader manufacturers and software developers is provided through the Mifare Certification Institute (MCI) Testhouse Arsenal.
Advantages and capabilities
Regular proximity cards contain nothing but a serial number. Smart cards, as shown above, also have a separate memory area inside the card, from which information can not only be read but to which it can also be written. Depending on the type of card, this memory is either divided into several areas or can hold a file structure. This allows the card to be used in several independent applications at once.
Security systems are only a small area of application for smart cards. They are much more common in various transport and logistics applications and in payment systems. In these cases, account balances, debt information, owner information, various characteristics of the product to which such an identifier is attached, and so on can be stored in protected areas. For example, a person uses various services in a hotel, and all the information is accumulated on the card. At the same time, the person gets access to the hotel and to his room using the same card. The security of a smart card against counterfeiting is incomparably higher than that of a proximity card. Guessing the encryption key by trial would take hundreds of years using modern computing resources.
Cards have only recently come into use in security systems. In addition, the introduction of new technologies is much slower than expected. And there are a number of quite objective reasons for this.
Firstly, the technical security equipment (TSB) market is very conservative. Anything new takes a long time to take root there. Secondly, there is the price of identifiers and readers. Until recently, smart cards were several times more expensive than proximity cards, and in most cases the advantages the cards provide did not justify the required costs. In an ordinary office building, a cryptographically protected exchange of information with the reader was not always cost-effective. For example, we can give a simple calculation: with costs for a security system of 000 and a need for 3000 cards, paying each one is very, very expensive. As a result, the cards come to 20% of the cost of the entire system. Today, the price of a smart card has decreased significantly and is already less than a dollar at retail. For the above example, the cost of the cards will already be about 2% of the cost of the entire system. Proximity cards have also become noticeably cheaper, but in the total cost of the system this difference is no longer so noticeable.
High card security is generally relevant only for serious strategic and military facilities, secret production facilities, etc.
Thirdly, the vast majority of existing security systems do not allow the advantages of smart cards to be used in full. Until controllers support writing information to cards, there are no serious and obvious competitive advantages for the user, and a powerful breakthrough of this technology in security systems is unlikely. The displacement of proximity cards by smart cards is a long process and will continue for another 10–15 years.
But as soon as the developers "teach" the controllers to write information to the smart card, there should be shifts that the market will certainly notice. The simplest example is the anti-passback function. Let's take a facility with five checkpoints. A person enters through one of the checkpoints. Accordingly, this card cannot be used to enter a second time until the person leaves the territory, and he can leave through any other checkpoint. For the system to know whether he is on the territory or has left, a large volume of information constantly circulates between all five controllers: with anti-passback, if five controllers guard five access points, one pass generates four additional events in the system at once, one for each of the other access points. And if the connection is broken, the controller of another checkpoint will simply not let the employee out, since it has not received the information that the employee is on the territory. If the controllers were able to record information about the employee's location in the card itself, it would no longer matter whether there is a connection between the controllers or not. Moreover, the load on the communication lines would be significantly reduced, which, in turn, would increase the speed of information transfer in the system.
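The anti-passback scenario above as a small simulation, added here and not part of the original article: two networked checkpoints with a broken link are compared with two checkpoints that keep the location flag on the card. The record format, the HMAC tag binding the flag to the card's serial number, and the names `SITE_KEY`, `seal` and `unseal` are assumptions made for this example; the serial number is constructed.

```python
import hashlib
import hmac

SITE_KEY = b"constructed-demo-key"  # assumption: secret shared by all controllers

def seal(uid, inside, counter):
    """Record a controller writes to one 16-byte data block of the card."""
    body = bytes([inside]) + counter.to_bytes(4, "big")
    return body + hmac.new(SITE_KEY, uid + body, hashlib.sha256).digest()[:8]

def unseal(uid, record):
    """Return (inside, counter), or None if the record fails its MAC."""
    body = record[:5]
    counter = int.from_bytes(body[1:], "big")
    if not hmac.compare_digest(record, seal(uid, body[0], counter)):
        return None
    return bool(body[0]), counter

class CardController:
    """Checkpoint with no shared state: the location flag travels on the card."""
    def passage(self, card, direction):
        state = unseal(card["uid"], card["block"])
        if state is None or state[0] == (direction == "in"):
            return False  # altered record, or a passback attempt
        # The counter only numbers passages for a later audit.
        card["block"] = seal(card["uid"], direction == "in", state[1] + 1)
        return True

class NetworkController:
    """Checkpoint that learns who is inside only from peer notifications."""
    def __init__(self):
        self.inside, self.peers, self.link_up = set(), [], True
    def passage(self, card, direction):
        uid = card["uid"]
        if (uid in self.inside) == (direction == "in"):
            return False
        for ctrl in [self] + (self.peers if self.link_up else []):
            (ctrl.inside.add if direction == "in" else ctrl.inside.discard)(uid)
        return True

def demo():
    uid = bytes.fromhex("04A1B2C3")  # constructed serial number
    card = {"uid": uid, "block": seal(uid, False, 0)}
    a, b = NetworkController(), NetworkController()
    a.peers, b.peers, a.link_up = [b], [a], False  # link between checkpoints is down
    networked = (a.passage(card, "in"), b.passage(card, "out"))
    c1, c2 = CardController(), CardController()
    on_card = (c1.passage(card, "in"), c2.passage(card, "in"), c2.passage(card, "out"))
    return networked, on_card
```

`demo()` returns the entry and exit decisions for both designs: the networked pair admits the employee and then refuses the exit, while the card-based pair admits, blocks the repeated entry and allows the exit.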
And one more thing: the existing trend towards closer integration of security systems with various business process automation systems and payment systems will allow smart cards to gain serious competitive advantages in the foreseeable future. But again, the market is quite cautious about everything new, and it takes considerable effort and time to explain to the consumer the advantages of one solution or another.