Hi, here is a bit that I wrote up to vent on my lack of standards in the
smartcard industry.  Let me know if you agree or not.

One of the biggest obstacles in the smartcard industry today is the lack
of standardization between different cards, readers, and even the platform
in which they are used.  Back in the early days of the internet many
different standards existed like token ring, DECnet, and others making
the existence of a single infrastructure in which anyone could plug into
difficult.  Eventually the players began to see the light and one standard
emerged as the godfather of all internet connectivity standards: ethernet
and TCP/IP.  Now anyone can plug into the internet and connect with nearly
everyone else in a simple and seamless manner.  It is no wonder why
companies such as Cisco are doing as well as they are.  Do you think that
these companies would be doing as well if many networking standards still
existed today?  The Internet would not be growing as quickly if not a
single standard emerged from the struggle because users need a seamless
way of connectivity.  The same must exist for smartcards.  Although
magnetic stripe cards are of a much simpler nature, it is still possible
for myself to travel to France and use an Automatic Teller Machine to gain
access to money.  I can even use my VISA card in almost every terminal  
that exists.  Do you think that these cards would be as useful if every
bank issued their own proprietary location of information on the magnetic
stripe?

Smartcards must also develop such standards to make communication to them
in a seamless manner.  The following is a list of what I consider to be
necessary for the smartcard industry:             

1)  One communication protocol should be used.  Currently there are
several:  T=0, T=1, Synchronous, and others.  My personal feeling is that
all cards should communicate in the T=1 block protocol.  It is much more
efficient, and gives the card a way of communicating back to the reader to
establish resynchronization or to communicate the need for more waiting
time.  T=0 does this through the ATR so if the card needs more time it has
to change the ATR to notify the host of this.   I feel this is a poor way
of doing this.   

2)  The ATR should be used as a means for card identification.  It is
ridiculous that much of the ATR can be changed except the protocol
information.  I think the ATR should have 6 historical bytes reserved for
identification.  2 for manufacturer id, 2 for manufacturer mask, and 2 for
user definition.  That makes 65,000 manufacturers, 65,000 masks and 65,000
user defines.  The user can only change their 2 bytes.  Thus the card can
still be identified by its core OS 2 bytes manufacturer/2 bytes mask.
                                                                              
3)  ISO-7816 should include a command for the creation of a
transparent file and a command for the listing of files.

4)  Card manufacturers need to be ISO compliant.  Class instructions
should be standardized to either 00 or C0 or whatever.  I should be able
to list the directory of files on the card in 1 way on any card.

5)  There must be a standard for putting the keys on the card.  If RSA is
used then do pq... whatever but in the same order on each card.  Also,
cards should have the same endianness.  This is crazy that people haven't
learned their lessons on this one yet.    

These are just a few for now.  I'll post more as my frustrations build up.
Is there a forum for these kinds of requests?

Let me know if you have any suggestions.  I have about 1.5 months off
right now as I take one class so I should have some free time.

Hope all is well,
Dave           

*************************************************************
David Corcoran                 Internet Security/Smartcards

Home:                          Purdue University
1008 Cherry Lane               Department of Computer Science
West Lafayette, IN 47906       
Home: (765) 463-0096
Cell: (317) 514-4797

http://www.linuxnet.com

*************************************************************

***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
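
Added example, not part of the post above and not code from the MUSCLE project: a bounds-checked ISO 7816-3 ATR walk that reads the 6 identification bytes proposed in point 2 (manufacturer, mask, user) out of the historical bytes. The struct, the function name, the big-endian byte order and the sample ATR are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout from point 2: first 6 historical bytes are manufacturer,
 * mask and user field, 2 bytes each. Big-endian is this example's assumption. */
struct card_id { uint16_t manufacturer, mask, user; };

/* Returns 0 on success, -1 if the ATR is malformed, truncated, fails TCK, or has
 * fewer than 6 historical bytes. *protocols: one bit per T value seen in a TD. */
int atr_card_id(const uint8_t *atr, size_t len, struct card_id *id,
                unsigned *protocols)
{
    if (len < 2 || (atr[0] != 0x3B && atr[0] != 0x3F)) return -1; /* TS */
    uint8_t y = atr[1] >> 4;              /* Y1: which of TA1..TD1 follow */
    size_t k = atr[1] & 0x0F;             /* K: number of historical bytes */
    size_t pos = 2;
    *protocols = 0;
    while (y) {
        for (int bit = 0; bit < 3; bit++) /* skip TA, TB, TC if present */
            if (y & (1u << bit)) pos++;
        if (!(y & 0x8)) break;            /* no TD: interface chain ends */
        if (pos >= len) return -1;        /* TD announced but not there */
        *protocols |= 1u << (atr[pos] & 0x0F);
        y = atr[pos++] >> 4;
    }
    if (*protocols == 0) *protocols = 1;  /* no TD at all means T=0 only */
    size_t tck = (*protocols & ~1u) ? 1 : 0; /* TCK unless only T=0 offered */
    if (k < 6 || pos + k + tck > len) return -1;
    if (tck) {
        uint8_t x = 0;                    /* XOR of T0..TCK must be zero */
        for (size_t i = 1; i < pos + k + tck; i++) x ^= atr[i];
        if (x) return -1;
    }
    id->manufacturer = (uint16_t)(atr[pos] << 8 | atr[pos + 1]);
    id->mask         = (uint16_t)(atr[pos + 2] << 8 | atr[pos + 3]);
    id->user         = (uint16_t)(atr[pos + 4] << 8 | atr[pos + 5]);
    return 0;
}

int main(void)
{
    /* Constructed ATR: T=1 offered, 6 historical bytes, valid TCK. */
    const uint8_t atr[] = {0x3B,0x86,0x01,0x12,0x34,0x00,0x02,0xAB,0xCD,0xC5};
    struct card_id id; unsigned p;
    if (atr_card_id(atr, sizeof atr, &id, &p) == 0)
        printf("card %04X/%04X\n", (unsigned)id.manufacturer, (unsigned)id.mask);
    return 0;
}
```

Two cards that differ only in the user field and in the protocol they offer decode to the same manufacturer/mask pair, which is the identification property the proposal is after.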
