Emerging Problems with Smart Card Technologies1.2.2000 -- ERG trade data forum

[ Show ]

Support VoyForums

[ Shrink ]

VoyForums Announcement: Programming and providing support for this service has been a labor of love since 1997. We are one of the few services online who values our users' privacy, and have never sold your information. We have even fought hard to defend your privacy in legal cases; however, we've done it with almost no financial support -- paying out of pocket to continue providing the service. Due to the issues imposed on us by advertisers, we also stopped hosting most ads on the forums many years ago. We hope you appreciate our efforts.

Show your support by donating any amount. (Note: We are still technically a for-profit company, so your contribution is not tax-deductible.) PayPal Acct: Feedback:

Donate to VoyForums (PayPal):

[ Login ] [ Contact Forum Admin ] [ Main index ] [ Post a new message ] [ Search | Check update time | Archives: 1, 2, 3, [4], 5, 6, 7 ]

[ Next Thread | Previous Thread | Next Message | Previous Message ]

Date Posted: 20:15:38 02/23/03 Sun
Author: Finland.
Subject: Emerging Problems with Smart Card Technologies1.2.2000

http://www.tml.hut.fi/Opinnot/Tik-110.501/1999/papers/smartcard/smartcard.html

Emerging Problems with Smart Card Technologies
1.2.2000

Anssi Kanninen
CSE
Helsinki University of Technology
anssi@iki.fi

Abstract
At the end of this year, the new electronic identity services will be introduced to the public in Finland. The system is based on the smart card where the identification information is stored. The goal of the EID-project is to get an EID-card for everyone, so the security of the cards is an essential object of inspection. This paper is about electronic identity and smart card technologies focusing their emerging security problems. General backgound information about the EID-project and the smart cards itself is also included. The main part of the paper is the descriptions of different attacks against the cards and the EID-system.

--------------------------------------------------------------------------------

Contents
1 Introduction

2 Electronic Identification (EID)

2.1 Network Security

2.2 EID Security Services

2.3 FINEID Project in General

2.4 Security Issues of FINEID

3 Smart Cards

3.1 Background

3.2 Specification

3.3 Basic Technologies

3.4 Smart Cards in FINEID Project

4 Common Attacks on Smart Cards

4.1 Introduction for the Attack Classification

4.2 Classifying the Attackers

4.3 Attacks by the Terminal Against the Cardholder or Data Owner

4.4 Attacks by the Cardholder Against the Terminal

4.5 Attacks by the Cardholder Against the Data Owner

4.6 Attacks by the Issuer Against the Cardholder

4.7 Attacks by the Manufacturer Against the Data Owner

5 Security Problems in Smart Card Based EID System

5.1 General Securing Issues

5.2 Solutions in FINEID Project

5.3 Emerging Problems

6 Conclusions

Glossary

References

Further Information

--------------------------------------------------------------------------------

1 Introduction
Smart card technology has already became familiar to every people as GSM SIM cards, telephone cards and bankcards. The old magnetic stripe cards will slowly be replaced with smart cards which have an integrated circuit merged into them. When the old cards could be used only as a static identification tool for specific operations (bank cards) or as a very small magnetic memory (old-fashion telephone cards), the IC in a smart card makes it possible to use the card for much complex operations.

One of the most important applications of the IC card is a general identification of the cardholder. This application will soon be available for all Finnish people as a result of the FINEID project. The purpose of the electric identification of to offer more secure and practical way to identify a person and make it possible to sign a document electrically. Also the security of the network and the smart card terminal are a fixed part of the whole EID system.

When using a smart card as a legal identification, the card and the identification itself have to be very secure and reliable. What are the major benefits and weaknesses of the smart card? How are the cards protected against possible attacks? How secure can the terminals be made?

In this paper I have focused on smart cards generally, their security problems and the security of the electronic identification system which will be used in Finland and Sweden.

Chapter 2 describes the electronic identification in general and the FINEID project. Chapter 3 gives the basic information of the smart card technology and using it in FINEID project. Chapter 4 presents some examples of the common attacks used against smart cards and chapter 5 describes the protection methods used against the attacks. Chapter 5.3 summarizes the security issues and chapter 6 gathers the whole paper. Chapter 7 lists the glossary user in this paper.

2 Electronic Identification (EID)
2.1 Network Security
Network security is an essential part of the security of the whole EID system. Formerly, when for example the payment orders were done between the bank offices, the information flowed in the network that is owned by the bank. There was no need to secure the traffic because it was assumed that no one could break into the private network of the bank. In a case of Internet, the traffic must be secured somehow to prevent misusing because we can�t rely only on the physical security of the terminals and network lines.

Information security is considered to consist of integrity, confidentiality, availability and non-repudiation of the information [1]. Information integrity means that the secured information can't be changed without authorization for that information. Confidentiality means that the contents of the information sent between two parties are not readable by any third party. Availability stands for the requirement for that the information must be available when it's needed by users. Non-repudiation means that the sender can't deny that he/she has sent a message.

Experience has shown that there are three primary elements of network security: [1]

Encryption of the actual data and the user information
Protocols for authentication and secrecy
Trusted components are needed because of the complexity of the networked environment.
None of these elements is safe alone. All of them must be covered for achieving the complete security in the network.

Network attacks can be divided to three different types: [1]

Communication attacks. These types of attacks cover the actions against the transmission media itself. The most vulnerable transmission types are radio transmission and public telephone lines.
Modem attacks. Depending to characteristics and configuration settings of the modem, certain spoofing and call forwarding attacks are possible.
Network system attacks.These attacks are probably the most common ones in a global network system. Most common network system attack types are masquerading (attacker pretends to have an authorization for a service), repudiation (false acknowledgement for receiving data), playback (listening and recording some traffic and playing it back afterwards) and blocking (denying some service from authorized users).
2.2 EID Security Services
The electronic identification system, which uses the smart card as an identification tool, must support the following security services: [1]

Certification of the identification card. The card performs the certification of the cardholder. The holder must certify him/herself by a PIN-code. After this the EID system certifies the card itself with public-key encryption procedures.
Digital signature. The sender of the electronic document must be able to digitally sign the document.
Origin, authenticity and wholeness of an electronic document. The receiving party can verify the origin, authenticity and wholeness of an electronic document sent by another party.
Verification of timing and undisputability of material reception and sending. The system must be able to verify the sending and receiving times of the document or notify if the document has not been sent at all.
Encryption of material. It must be possible to encrypt the material, which is either sent or archived to network system. Of course the receiving party must be able to decrypt the material sent.
Confidentiality of connection. Both the connection parties must be able to verify the confidentiality of the connection and identify the opposite party.
These services must follow the ISO/IEC-standards mentioned in the EID �specification [1].

2.3 FINEID Project in General
The goal of the FINEID is to offer an electronic identification to all the Finnish people. New digital services will be introduced to the public in December 1999. Finnish Population Register Centre serves as a certificate authority of official information.

The benefits of this task are obvious. In the future, most of the people have an own home computer or at least they are using some computer at least once a day which have some kind of connection to the Internet. There�s no need to leave earlier from work to make it to the bureau in time. Not to mention the rushing between different bureaus and waiting in the line in every office. Filling applications digitally also reduced the work of the bureau employee because the computer does the dirty mathematical and statistical work and there are no different handwritings. In addition to public sector services, the same identification can be used in the private sector everywhere where some identification of the person is needed.

FINEID, like EID generally, is based on public key infrastructure and the use of the identification card. To use a card, the user must have a card reader and a personal PIN-code for the card.

The Finnish Population Register Centre is responsible for manufacturing the cards, creating the keys, issuing and storing the certificates. Also the services related to blocked-card registers and time stamps and the distribution of the cards would belong to their responsibility [2].

Security Issues of FINEID
FINEID EID system is based on Swedish SEIS-standards. FINEID application specification is the same as the corresponding SEIS standard. The certification contents have some minor changes with SEIS standard [2].

Secure digital transactions always need a third trusted party, a certification authority (CA). In FINEID project, that authority will be the Finnish Population Register Centre. According to the FINEID information in FPRC�s WWW-page, they were chosen to be a CA because "Finnish Population Register Centre has experience in manage the social security ID's of citizens reliably and because of that, have been a natural choice for an administrator of the electronic identification".

The services provided by CA are:

forming the certification policy
manufacturing and distribution of the cards
creation of the encryption keys
creation and saving the certifications
key directory services
service for the blocked card lists
time stamp services
international co-operation
3 Smart Cards
3.1 Background
As said, smart cards are slowly replacing the old-fashion magnetic stripe cards. The old cards have very limited memory and their information security is very limited. The most famous misusing of the magnetic stripe cards in Finland happened about one year ago when the magnetic stripes and pass codes of some cards were copied and used afterwards [3]. That can�t happen with IC cards because the card itself verifies the PIN code and the card can�t be copied, at least not so fast and cheap as the magnetic stripe card. Most of the people had considered the old cards safe before that but nowadays their weaknesses are better known. Copying the magnetic stripe card is not an expensive action. Because an IC card actually includes a working computer, the contents of the memory can more easily be hidden.

3.2 Specification
The term "smart card" is commonly used when discussing about a plastic card including an integrated circuit. However, more exact term for the card which is used by ISO, is an Integrated Circuit Card (ICC) [4]. The ISO/IEC 7816 standard specifies an accurate card size, chip location, card material and optional parts like magnetic stripe or photo etc.

There are two forms of the IC card, contact and contactless. The contactless card may have an own power supply as it is with the "Super Smart Cards" which have an integrated keyboard and LCD display. The operational power can also be supplied to the contactless card with an inductive loop. I�ll focus on the contact cards in this paper because they are much more commonly used.

3.3 Basic Technologies
Contact IC cards feature eight contacts as specified in the ISO standard but only six of them are actually used to communication. The supply voltage that drives the chip is called Vcc and is generally 5 volts. In the future we will also have cards which have 3 V Vcc. The other signal line in the card is a reset line, which initiates the card when the power is turned on. The card has also a clock signal line. The clock frequency is usually either 3,5795 MHz or 4,9152 MHz [4]. The last 2 lines are Vpp and I/O line. Vpp is a high voltage, which is used when programming the EPROM memory in the card. The I/O line is the interface for the commands and data between the card reader and the card.

Primary use of the card is as storage of small amounts of data. There are several different memory types used with the cards and there can be one or more memory types in the same card. Most used types in IC cards are ROM, EPROM, EEPROM and RAM. EPROM memory is used in so called one time programmable mode (OTP) because there is no ultraviolet light window in IC cards.

The card may have memory only, memory with security logic or memory with CPU. The simple telephone cards may have just the EEPROM memory and the memory controller logic whereas more sophisticated applications demand ROM, EEPROM, RAM and a CPU. Chip specification describes the parameters of the chip which are for example the microcontroller type (e6805, 8051 etc.), ROM size, RAM size, clock speed, co-processor and so on. One possible co-processor may be a public-key cryptography processor.

3.4 Smart Cards in FINEID Project
Smart card usage in the FINEID project follows the SEIS standards.

The card contains three different private RSA keys [5]. They are used to the following purposes:

Digital signature and authentication
Key encipherment
Non-repudiation
The length of each of the keys is 1024 bits [5].

The card contains also several PIN codes for different purposes. The User Master PIN is referred as PIN number 1 and it protects the digital signature (authentication) key and the key encipherment key. PIN code 2 protects the non-repudiation key. If the key has been blocked through three consecutive incorrect PIN verifications, it can be unblocked with an unblocking procedure, which is defined in the issuer�s policy declaration. [5]

Table 1 describes the file access conditions used in the EID application directory in the card.

File
Read
Update

AUF
Always
Issuer verification

CIF
Always
User Master PIN (PIN1)

Certificates
Always
User Master PIN (PIN1)

RSA keys
Never
Never

Table 1: EID card file access conditions [5]

For each of the private keys there must exist at least one associated certificate

4 Common Attacks on Smart Cards
4.1 Introduction for the Attack Classification
The smart card marketing people often claim that smart cards cannot be attacked successfully. As we may notice in the Internet sites of the smart card hackers [6], this is definitely not the case.

One method for classifying the possible attacks against smart cards is to categorize the attacks by the parties involved in the attack action [8]. The different parties in the smart card based system are the following:

The cardholder is the person who uses the card
The data owner is the party who has the control of the data in the card. As in case of the electronic ID card, the data owner is the person whose secret key is contained in the card.
The terminal is the device, which offers the interaction between the card and the outside world. As with EID card, this is the card reader and the computer attached to the reader with the screen and the keyboard.
The card issuer is the party who has issued the smart card. This party controls the operating system and the data in the card.
The card manufacturer is the party who produces the card itself.
The software manufacturer is the party that produces the software for the card.
The attack types described in the next sections are the ones that can be considered with EID cards. Attackers are considered as two different classes: those who are parties to the system and those who are outsiders.

4.2 Classifying the Attackers
The possible attackers can be divided to following categories: [9]

Class I (clever outsiders). This type of attackers are often intelligent but their knowledge of the system may be insufficient. They may have access to only moderately sophisticated equipment. They seldom create weakness of the system by themselves but try to take advantage of an existing weakness.
Class II (knowledgeable insiders). They have some specialized technical education and experience. The may understand some parts of the system and have a potential access to most of it. They often have high quality tools and instruments for analysis.
Class III (funded organizations). They may assembly teams of skilled specialists and they also have great funding resources. They are able to perform some in-depth analysis of the system, design powerful attacks and use the most advanced analysis tools.
4.3 Attacks by the Terminal Against the Cardholder or Data Owner
This attack class is also known as the trusted terminal problem. The cardholder must somehow trust to the terminal that the terminal does what the cardholder wants and only that. This is very important in EID system because of the digital signing service. If the cardholder wants to sign some data, he/she must have some confidence that the terminal doesn�t sign anything else than just the wanted data. The above scam with the old magnetic stripe cards is the attack of this type. The terminal copied the card so that the cardholder didn�t notice anything.

4.4 Attacks by the Cardholder Against the Terminal
This type of attack is performed with fake or modified cards running some rogue software. The goal is to break the protocol between the card and the terminal.

4.5 Attacks by the Cardholder Against the Data Owner
With EID cards, this type of attacks are relevant only if the card has been stolen. The data owner should be the only one who knows the PIN code for the data (secret key) so the new cardholder tries to get or modify the data some other way. These following techniques have already used with great success against some pay-TV- and public telephone cards [9]. Also some early smart cards have been successfully hacked.

Tamper resistance must be considered more careful in smart card systems than in the old magnetic stripe card systems. The old systems had cryptographic systems in a secure place and the passcodes for the card were verified remotely from the card terminals. In smart card system, the card itself must be secured very carefully because the cryptographic keys are in the card itself and not in some safe deposit of the bank. The attacker can steal a card and take it to the private lab and examine it with care and time. When planning the tamperproofing, it�s important to know the class of attackers we want the cards to be protected against.

The card may be vulnerable to the attacks, which try to operate the card in an environment, which is against the specifications of the card. For example, the card can be driven with unusual clock rate or voltage levels and this can cause some malfunctioning in the poorly secured card. This failure can cause an operating system crash or some output of secure data. These techniques are called differential fault analysis [7].

The attacker may also try a straight physical attack to the card like removing secure components or burning some parts of memory. The IC may not be so difficult to remove from the card than one might expect. The circuit in some of the cards can be successfully removed with some quite cheap home lab equipment so this type of attack could be performed even by class I attacker [9]. There is also some very sophisticated attack methods so tamperproofing is very essential process for smart card manufacturers.

Differential power analysis is quite new attack type, which has successfully used against certain smart cards [10]. The power consumption of the card is measured and analyzed. If an attacker has some hint what the card might be doing when measuring the power consumption, the attacker can obtain a quite accurate picture of the internal behaviour of the card. Multiplication, division and other arithmetic operations consume different amounts of power.

4.6 Attacks by the Issuer Against the Cardholder
These types of attacks are typically some violations against the privacy of the cardholder. This is very important in the EID system because the issuer is able to generate the secret keys for the cardholder.

4.7 Attacks by the Manufacturer Against the Data Owner
When the data owner uses the card, how can he/she be sure what programs there are really running in the card? For example, when verifying a PIN code fails, how can we ensure that the card has actually tried to verify it? Or what if the card accepts all the PIN codes? There are many possibilities for the manufacturer to attack against the data owner and these attacks would obviously be very harmful.

5 Security Problems in Smart Card Based EID System
5.1 General Securing Issues
When planning the tamper proofing the card and other security issues it�s important to classify the possible attackers against our system. EID system must obviously be protected against class II and even the class III attackers whereas for example in a case of PayTV-cards it could be enough if we just secure them against class I attackers.

Terminal and card reader security can be improved by setting some limitations for the allowed transactions and other user actions. For example, we could allow the user to sign only certain types of data. Also some time limits like actions per minute or maximum time for the terminal to access the card can be set. When the users will have their own card readers and software at home, it�s very difficult to be sure that everybody has trusted security modules. Because of that, the most secure attack prevention mechanisms are those which have nothing to do with the interface between the card and the terminal [7]. They monitor the terminals operations and log all the suspicious behaviour in the information net.

The manufacturer of the card must be trusted organization, which has well known products. Also the organization, which has the responsibility for initializing the keys the card, must be known to be very reliable. The system, which creates the key pair, must secure itself that the secret key cannot be revealed. The organization, which personalizes the cards, must have a very high-class quality assurance. It must also have a clear way to administer the other important information for activating the card. The register organization must also be reliable and it must have a secure way to identify a person when issuing and registering his/her EID card. The CA must have reliable information systems and also the methods for generating the certifications. The users themselves must understand their own responsibilities in the EID system and they must also have enough skill to use it. The authority, which offers some EID-related services, must ensure that the services work the way they are supposed to and that the secure information is certified and it can not be changed when delivered. The same authority must also be able to put time stamps for the data it handles. Also the help desk and blocking list services must be secure and some limited number of staff must be authorized to administer them and identify the users. [11]

5.2 Solutions in FINEID Project
The maintaining of the proper security level is a continuing process. New technologies appear to the market all the time so the security demands will also grow. It�s important to use security methods which are widely known and always question the commercial announces about "100%" secure systems which the manufactures willingly tell about.

The terminal and the card reader are major factors in the security of the whole EID system as noticed in section "4.3 Attacks by the Terminal Against the Cardholder or Data Owner". In the future, there will certainly be many kinds of card readers, software and computer equipment which together build up the terminal equipment. The FINEID specifications don�t specify the terminals. They just mention that the card readers and software must be "approved". [11] So, that means they have to be purchased from some trusted organization. All the workstation components and software of the issuer must also be approved.

Tamperproofing of the card is the other obvious demand for preventing the attacks mentioned in the section "4.5 Attacks by the Cardholder Against the Data Owner". The cards must fulfill the ISO/IEC 7816 standard, which specifies most the characteristics of the card. The FINEID specification doesn�t take any attitude on physical security of the card.

The attacks described in section "4.4 Attacks by the Cardholder Against the Terminal" can be prevented by careful specification of the protocol. The software and the protocol specifications are based on the SEIS standards with only few modifications [2]. An important demand is that the cardholder must not be able to manipulate the data inside the card [7]. The FINEID specification for the protocol is quite extensive and the fake cards are very difficult to manufacture because the secret keys are not readable from the card.

The attack types mentioned in sections "4.6 Attacks by the Issuer Against the Cardholder" and "4.7 Attacks by the Manufacturer Against the Data Owner" must be prevented by the trusted organizations, which are responsible for issuing and manufacturing the cards. The main demand is that no one organization is able to reveal the keys by itself. The manufacturing methods and quality assurance must be accepted in public [11].

5.3 Emerging Problems
The FINEID documents specify clearly and in detail the protocol- and data specifications of the smart cards. But what about the physical tamper resistance? All that is mentioned about it is that it fulfills the ISO/IEC 7816 standard. Nothing more is said about the physical characteristics. However, there is already some critical discussion about the standard. For example, it doesn�t clearly define the conditions (voltage, temperature etc.) where the card is proved to function properly [12]. This hole in the standard may give an attacker a chance to use DFA or other sophisticated methods to make the card function improperly. It�s also well known that some straight physical attacks against the older cards have been successful even by class I attackers [9]. There�s no guarantee that the new cards are secure against physical attacks. We just have to trust that the cards made by the manufacturer have a high physical security level. FINEID project doesn�t seem to give any rules to the manufacturer about the physical security of the cards.

Trusted terminal problem is the other critical issue of the specifications. The specification mentions vulnerable terminals as "unapproved readers" [11]. This is an essential part of the whole EID security but there is not any kind of description of a reader or other terminal equipment, which would be secure to use. We have no use for the fine security protocols of long secret keys if the terminal is truly untrusted. The security of the terminals may not be a problem right now but when the smart card readers become cheaper and there will be a reader in every home computer, the attacks against the reader and the software will certainly become more common.

According to the specification, Finnish Population Register Centre will be the one and only Certification Authority. Now, if there�s some security leak in FPRC, all the identifications for Finnish citizens are in danger. The other solution would be distributing the CA to several places and let each one of them certify the others. Of course this solution would have it�s own problems but at least the consequences of the security leak would not be so serious than they are in the solution of one CA.

6 Conclusions
Electronic identification will come as a part of every-day life of all the Finnish citizens. Starting from December 1999, Finnish people will be able to get a smart card based electronic identification. With that card, several public services can be reached from the Internet and other remote terminals. Internet is not safe by default so we must use strong public-key cryptography and other methods to improve the network security.

We specified smart card as a plastic card, which has an integrated circuit included. We examined the basic smart card techniques and their use in the FINEID project. Attacks against smart cards can be classified by categorizing them by the parties involved in the attack action. Attackers can be categorized based on their skills and available funding resources and tools. EID Smart card system must be secured against the most powerful attackers. We must tamperproof the cards and also secure the card readers and computers, which they attach to. Also all the other modules in the EID system must be secured.

We noticed that FINEID project doesn�t specify all the security issues properly. Neither do the standards the specifications are based on. Tamperproofing and the trusted terminal problem are major parts of the security and they are hardly mentioned in the specification. FINEID project specifies also that we�ll have the Finnish Population Register Centre as a certification authority. To have only one CA is also considered as security a risk.

Glossary
IC Integrated Circuit
EID Electronic Identification
CA Certificate Authority
ROM Read Only Memory
EPROM Erasable Programmable ROM
EEPROM Electronically Erasable Programmable ROM

References
[1] Amoroso, E., Fundamentals of Computer Security Technology. Prentice-Hall, 1994 [referred 24.10.1999]

[2] Finnish Population Register Centre, FINEID Technical specifications, 18.11.1998 [referred 24.10.1999]

[3] Helsingin Sanomat 8.10.1998 [referred 10.11.1999]

[4] Dr. David B Everett, Smart Card Technology: Introduction to Smart Cards, Smart Card News Ltd, 1999 [referred 24.10.1999]

[5] Identification Cards � Electronic ID Card � Swedish Profile [referred 4.10.1999]

[6] HIP (Smart Card Hacking In Progress) home page [referred 4.10.1999]

[7] Ross Anderson and Markus Kuhn, Low Cost Attacks on Tamper Resistant Devices , [referred 10.11.1999]

[8] B. Schneier and A. Shostack, Breaking Up Is Hard to Do: Modeling Security Threats for Smart Cards, 5.2.1999 [referred 21.10.1999]

[9] Ross Anderson, Markus Kuhn, Tamper Resistance - a Cautionary Note, 18.11.1996 [referred 4.10.1999]

[10] Paul Kocher, Joshua Jaffe, and Benjamin Jun, Introduction to Differential Power Analysis and Related Attacks, 1998 [referred 4.10.1999]

[11] HST-hankesuunnitelman tietoturva- ja riskitarkastelu , 12.8.1998 [referred 12.11.1999]

[12] Peter Tomlinson, Iosis, Comments on the 1996 DIS of the new edition of 7816-3 (DC 97/641150), 27.4.1997 [referred 4.10.1999]

Further Information
http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
Smart Card security information page
http://www.hut.fi/~zam/sid/
Samuli Mattila, S�hk�inen identiteetti, Special Assignment on Software Technology, Helsinki University of Technology, Laboratory of Information Processing Science, 1998
http://www.ioc.ee/atsc/faq.html
A Frequently Asked Questions list (FAQ) for alt.technology.smart cards
http://www.seis.se/eid.pdf
Using Electronic ID Cards - A guide for users and Application Developers
http://cuba.xs4all.nl/hip/
HIP (Hacking in Progress) Smart card Homepage
http://www.infowar.com/class_2/class2_091197a.html-ssi
Tamperproofing of Chip Card
http://www.geocities.com/ResearchTriangle/Lab/1578/artic02.htm
Defending Against DFA (Dirrefential Fault Analysis)
http://www.vaestorekisterikeskus.fi/sahtun.htm
Finnish Population Register Centre, Henkil�n s�hk�inen tunnistaminen, 22.9.1999 [referred 24.10.1999]
http://www.smartcard.co.uk/pdf/t-pages.pdf>
Dr. David B Everett, Smart Card Tutorials, Smart Card News Ltd, 1999 [referred 24.10.1999]
http://www.geocities.com/ResearchTriangle/Lab/1578/cophack.txt
Hacking EPROM based microcontrollers in general, an article posted to SatHack BBS UK
http://www.vaestorekisterikeskus.fi/hstjul.htm
V�est�rekisterikeskus, HST-julkaisuja
http://www.vaestorekisterikeskus.fi/fineidspec.htm
V�est�rekisterikeskus, FINEID Technical Specifications
http://www.vaestorekisterikeskus.fi/hankeeng.doc
V�est�tekisterikeskus, HST-henkil�korttihankkeen tietotekninen arkkitehtuuri, 12.8.1998
http://www.vaestorekisterikeskus.fi/VRK Hanke Liite 3.doc
V�est�rekisterikeskus, FINEID Project Plan
http://home.hkstar.com/~alanchan/papers/smartCardSecurity/
CHAN, Siu-cheung Charles, An Overview of Smart Card Security

[ Next Thread | Previous Thread | Next Message | Previous Message ]