Contents
Preface................................................................................................................3
1. Introduction...............................................................................4
2. Smart Card Basic.....................................................................8
2.1 What is smart card........................................................................................8
2.2 History of smart card development..............................................................9
2.3 Different types of smart cards......................................................................9
2.3.1 Memory Cards...........................................................................................9
2.3.2 Contact CPU Cards................................................................................10
2.3.3 Contactless Cards...................................................................................10
2.3.4 Combi-Card.............................................................................................11
2.4 Different standards of smart cards............................................................12
3. Current Smart Card Applications...........................................14
3.1 Electronic payment Applications................................................................14
3.1.1 Electronic Purse......................................................................................14
3.1.2 Stored Value Cards.................................................................................15
3.2 Security and Authentication Applications..................................................15
3.2.1 Cryptographic uses.................................................................................15
3.2.2 Identity card.............................................................................................16
3.2.3 Access control card.................................................................................16
3.2.4 Digital certificate......................................................................................17
3.2.5 Computer login........................................................................................17
3.3 Transportation uses....................................................................................18
3.4 Telecommunication Applications...............................................................18
3.5 HealthCare Applications..............................................................................19
3.6 Loyalty Applications....................................................................................19
4. Technology Aspects of Smart Card.......................................21
4.1 Overview of ISO 7816 Standards ..............................................................21
4.2 Communication Protocol between Terminal and Smart Cards.................22
4.3 Overview of File Systems ...........................................................................26

7.4.2 Smart card as Computer access logon key............................................74
7.4.3 Smart card in Intrusion detection System as user-profile holder............75
7.4.4 Biometric authentication..........................................................................77
8. Summaries and Conclusions..................................................78
Glossary......................................................................................82
References..................................................................................91
Appendix.....................................................................................97
A. Price Comparison of different cards and readers.......................................97
B. Resources.................................................................................................101
Collections of Smart Card Books..................................................................101
Collections of General Smart Card Internet Resources................................101
Collections of Java Card Technology on Internet.........................................102
Collections of Smart Card Security Technology on Internet.........................102
Collections of Smart Card Payment Technology on Internet........................103
Collections of Smart Card Vendors...............................................................103
Guide to Smart Card Technology Page 2
Preface
This handbook aims to provide a comprehensive overview of the current state of
the art in smart card software technology development, applications, and future
trends. The information would be useful to IT managers and executives wishing to
explore the possibility of developing smart card applications.
The handbook consists of three sections. The basic concepts of smart cards and
current applications are presented in the first section in layman's language. The
second section gets into some of the technical aspects of smart card internals, and
offers suggestions on smart card development procedures as well as general ideas in
programming smart cards, including the new Java Card. This section is for
programmers and IT managers who would like to go beyond the basic concepts and
get an idea on what it takes to develop smart card applications. Finally, the third
section presents our views on future trends in smart card development framework,
standards and possible applications. A list of useful reference materials is also

based cards will grow from 544 million units in 1995 to 3.4 billion units by 2001. Of
that figure, microprocessor-based smart cards, which accounted for only 84 million
units in 1995 will grow to 1.2 billion units in 2001.
Based on the report from Hong Kong SAR Government Industry Department on
the Development and Manufacturing Technology of Smart Card [HKSAR1997], Hong
Kong industries have the capability and should participate in development and
manufacturing of smart card IC chips, readers and card operating systems. To
promote this, Hong Kong SAR government has decided to form a Hong Kong Smart
Card Forum. Under this active participation and encouragement from the Hong Kong
SAR Government, smart card development and support will expand in Hong Kong.
Although the Octopus card is relatively new to Hong Kong, smart cards have
already been introduced in Hong Kong for at least two years. These include Mondex
by Hong Kong bank and GSM cards in the mobile phone market. However, using this
powerful and highly secure card on Personal computer (PC) as well as the Internet is
still not common. Many international companies have identified the smart card as one
of the new directions in electronic money and personal identification and
authentication tools.
In May 1996, several companies including Microsoft, Hewlett-Packet and
Schlumberger formed a PC/SC workgroup which aimed at integrating the smart card
with personal computer (PC). This workgroup mainly concentrates on producing a
common smart card and PC interface standards for the smart card and PC software
producers. Many of the interface standards and hierarchy have already been
established. Some of these prototype products are now available on the market.
Moreover, Netscape and Microsoft have also announced that the smart card will
be their new direction in computer security and electronic commerce area. Microsoft
has even published some documents on its role in the smart card market. Although it
will not be a smart card manufacturing company, it has indicated that the smart card
will be a key component in Microsoft Windows 98 and Windows NT 5.0. Together with
Guide to Smart Card Technology Page 4
the latest smart card operating system announcement [Microsoft1998a], Microsoft will

In the first section, basic concepts of smart cards will be described. In chapter 2,
we review the history of smart cards. Then we outline the different types of smart
cards and their standards. Current applications and uses of smart cards are
mentioned in chapter 3.
In the second section, technical aspects of smart card internals as well as
programming tips are briefly described in chapter 4. Because programming and
design methodology for the Java card is different from traditional card programming,
in chapter 5, we describe the basics in Java Card programming. In chapter 6,
procedures of smart card development are given.
Guide to Smart Card Technology Page 5
In the last section of this handbook, the future of smart card development is
presented. Different ideas on future smart card applications are used in formulating a
forecast in chapter 7.
Lastly, we conclude the handbook with a summary of different research, survey
and reports on smart cards. References and glossaries are provided at the end of this
handbook.
We hope that based on our handbook, company executives, technical managers
and software developers would gain knowledge and insight into the emerging smart
card technology and applications.
Guide to Smart Card Technology Page 6
Part I. Smart card
Overview
Guide to Smart Card Technology Page 7
2. SMART CARD BASIC
A smart card is a plastic card with a microprocessor chip embedded in it. The
card looks like a normal credit card except for its metal contact (in contact card only),
but applications performed could be totally different. Other than normal credit card
and bankcard functions, a smart card could act as an electronic wallet where
electronic cash is kept. With the appropriate software, it could also be used as a
secure access control token ranging from door access control to computer

Guide to Smart Card Technology Page 8
the card. Because it is hard to get the data without authorization, and because it fits in
one’s pocket, a smart card is uniquely appropriate for secure and convenient data
storage. Without permission of the card holder, data could not be captured or
modified. Therefore, smart card could further enhance the data privacy of user.
Therefore, smart card is not only a data store, but also a programmable, portable,
tamper-resistant memory storage. Microsoft considers smart card as an extension of
a personal computer and the key component of the public-key infrastructure in
Microsoft Windows 98 and 2000 (previous known as Windows NT 5.0)
[Microsoft1997a].
2.2 Histor y of smar t card
development
A card embedded with a microprocessor was first invented by 2 German
engineers in 1967. It was not publicized until Roland Moreno, a French journalist,
announced the Smart Card patent in France in 1974 [Rankl1997]. With the advances
in microprocessor manufacturing technology, the development cost of the smart card
has been greatly reduced. In 1984, a breakthrough was achieved when French Postal
and Telecommunications services (PTT) successfully carried out a field trial with
telephone cards. Since then, smart cards are no longer tied to the traditional
bankcard market even though the phone card market is still the largest market of
smart cards in 1997.
Due to the establishment of the ISO-7816 specification in 1987 (a worldwide smart
card interface standard), the smart card format is now standardized. Nowadays,
smart cards from different vendors could communicate with the host machine using a
common set of language.
2.3 Different types of smar t cards
According to the definitions of “smart card” in the Smart card technology
frequently asked questions list [Priisalu1995], the word smart card has three different
meanings:
• IC card with ISO 7816 interface

codes are stored in the non-volatile memory, usually EEPROM, which could be
modified after the card manufacturing stage.
One of the main features of a CPU card is security. In fact, contact CPU card has
been mainly adopted for secure data transaction. If a user could not successfully
authenticate him/herself to the CPU, data kept on the card could not be retrieved.
Therefore, even when a smart card is lost, the data stored inside the card will not be
exposed if the data is properly stored [Rankl1997]. Also, as a secure portable
computer, a CPU card can process any internal data securely and outputs the
calculated result to the terminal.
2.3.3 Contactless Cards
Even though contact CPU smart card is more secure than memory card, it may
not be suitable for all kinds of applications, especially where massive transactions are
involved, such as transportation uses. Because in public transport uses, personal
data must be captured by the reader within a short period of time, contact smart card
which requires the user to insert the card to the reader before the data can be
captured from the card would not be a suitable choice. With the use of radio
frequency, the contactless smart card can transmit user data from a fairly long
Guide to Smart Card Technology Page 1 0
distance within a short activation period. The card holder would not have to insert the
card into the reader. The whole transaction process could be performed without
removing the card from the user’s wallet.
Contactless smart cards use a technology that enables card readers to provide
power for transactions and communications without making physical contact with the
cards. Usually electromagnetic signal is used for communication between the card
and the reader. The power necessary to run the chip on the card could either be
supplied by the battery embedded in the card or transmitted at microwave
frequencies from the reader onto the card.
Contactless card is highly suitable for large quantity of card access and data
transaction. However, contactless smart card has not been standardized. There are
about 16 different contactless card technologies and card types in the market [ADE].

Throughout the history of smart card development, various standards have been
established for resolving the interoperability problem. The very first standard is the
ISO 7816 smart card standard published by the International Organization for
Standardization (ISO) in 1987. Before this, card vendors and manufacturers
developed their own proprietary cards and readers which could not interoperate. With
the ISO standard, smart cards could communicate using the same protocol. The
physical appearance and dimensions of a card is also fixed. The meaning and
location of the contacts, the protocols and contents of the high and low level
messages exchanged with the IC card are all standardized. This ensures that card
manufactured and issued by one company can be accepted by a device from other
companies. Because this specification is important to card programming
development, details of this standard is given in Chapter 4, “Technical Aspects of
smart card”, of this handbook.
Two other important standards in this area are EMV (Europay, Mastercard and
Visa) and GSM (Global Standard for Mobile Communications). EMV standard is for
debit/credit cards where major international financial institutions Visa, Mastercard and
Europay are involved. It started in 1993 and was finalized in 1996 [HKSAR1997]. This
standard covers the electromechanical, protocol, data elements and instruction parts
together with the transactions involving bank microprocessor smart cards. The goal of
the EMV specification is for payment systems to share a common Point of Sales
(POS) Terminal, as they do for magnetic stripe applications. Because the magnetic
stripe-based banking card would soon be replaced by the smart card, this standard
has to be established to ensure that the new smart card based banking card would be
compatible with the bank transaction system. Based on this specification, all bank-
related smart card solutions would be compatible with one another as well as the
previous magnetic stripe card solution. Terminal manufacturers could develop and
modify their own sets of API in EMV standard for their terminals, so these terminals
could be used in different payment systems. Credit, debit, electronic purse and loyalty
functions could be processed on these EMV-compliant terminals. With the flexibility
provided by the EMV standard, banks are allowed to add their own options and

APPLICATIONS
With the rapid expansion of Internet technology and electronic commerce, smart
cards are now more widely accepted in the commercial market as stored-value and
secure storage cards. Moreover, it has also been widely used as an identity card. For
instance, in City University of Hong Kong, the old student/staff cards have been
replaced by the hybrid-card based identity cards. This identity card can be used for
normal access control as well as electronic payment.
The smart card has also been used in transportation such as the Octopus card
which has been adopted by the MTRC and KCRC to replace of the old Magnetic
stripe card. Medical record can also be stored in the smart card. This enables critical
information of the patient to be retrieved whenever it is required. With the help of
smart card technology, many secure data such as the computer login name and
password can also be kept, so user need not remember a large number of
passwords.
In this chapter, we shall briefly describe some current applications of smart cards.
These applications can be classified into 6 main categories: Electronic Payment,
Security and Authentication, Transportation, Telecommunications, Loyalty Program
and Health Care Applications.
3.1 Electronic payment Applications
3.1.1 Electronic Purse
The Electronic Purse is also known as electronic cash. Funds can be loaded onto
a card for use as cash. The electronic cash can be used for small purchases without
necessarily requiring the authorization of a PIN. The card is credited from the
cardholder’s bank account or some other ways. When it is used to purchase goods or
services, electronic value is deducted from the card and transferred to the retailer’s
account. Similar to a real wallet, the cardholder could credit his/her card at the bank
any time when required.
Electronic cash transactions do not usually require the use of a PIN. This speeds
up the transactions but the electronic cash on the card is then vulnerable like
conventional cash. The amounts involved, fortunately, are usually small, so loses will

verify the cardholder’s identity, users are required to enter their PIN code (personal
identification number). This PIN code is kept in the card rather than on the terminals
or host machines.
Identification and authentication procedures take place at the card terminal. One
of the problems is to ensure that the card furnishes some sort of machine-readable
authenticity criterion. This can be solved by the use of encrypted communications
between the card and terminal. It is well known that encryption can be used to ensure
secrecy of messages sent and also to authenticate messages.
In order to perform the encryption procedure, the cryptographic smart cards must
have the following properties:
Guide to Smart Card Technology Page 1 5
• The cards must have sufficient computational power to run the cryptographic
algorithms.
• The cryptographic algorithms must be theoretically secure. This means that it
is not possible to derive the secret key from the corresponding texts.
• The smart cards must be physically secure. It should not be possible to
extract the secret key from the card’s memory.
Provided these conditions are met, and with advances in card microcontroller
technology, the microprocessor-based smart card can be made to meet the required
security level [Chaum1989].
For instance, Verisign and Schlumberger have developed the use of Cryptoflex
smart card for carrying a Verisign Class 1 Digital ID [Verisign9701]. Cryptoflex card is
the first cryptographic smart card in the industry, which is designed based on the
PC/SC specifications. This enables the use of smart card for portable Internet access
with Microsoft Internet Explorer 3.0 at all sites accepting Verisign Digital IDs.
In Michigan University, the Cyberflex card has been used for storing Kerberos
keys in a secure login project [Michgan9701].
3.2.2 Identity card
The identification of an individual is one of the most complex processes in the field
of Information Technology. It requires both the individual to identify himself and for the

of public key cryptosystem, so called digital signature, are typically used.
A digitally signed message containing a public key is called a certificate. In
addition to a public key, a certificate typically contains a name, address, and other
information describing the holder of the corresponding secret key. All of these carry
the digital signature of a registry service that records public keys for all members of
the community. To become a member of this community, a subscriber must do two
things:
• Provide the directory service with a public key and the associated
identification information so that other people will be able to verify his/her
signature.
• Obtain the public key of the directory service so that he/she can verify other
people’s signatures.
Because certificates are extremely tamper resistant, the authenticity of a certificate is
a property of the certificate itself, rather than of the authenticity of the channel over
which it was received. This important property allows certificates to be employed in
very much the same way as a passport. The border police expect to see your
passport and in most cases count on the passport’s tamper resistance to guarantee
its authenticity. Because of the fragility of paper credentials, however, there are
circumstances in which this is not considered adequate. In making a classified visit to
a military installation, for example, no badge or letter of introduction by itself is
sufficient. Prior arrangements must have been made using channels maintained for
the purpose. Because public key certificates are more secure than any paper
document, they can be safely authenticated by direct signature checking and no
trusted directory is needed.
3.2.5 Computer login
Access to the Computer room and its services can be controlled by the smart
card. In terms of network access, smart card can authenticate the user to the host.
Furthermore, depending on the environment being protected the network access
card can also perform the following functions:
• Manipulation of different authentication codes for different levels of security.

used at the entrance of the bus or station and also at the exit. This process would
then calculate the amount owed for a certain journey [Devargas1992].
3.4 Telecommunication Applications
Telecommunication is one of the largest markets for smart card applications. In
1997, payphone cards occupy the largest share of the smart card market. Over 70%
of the smart cards are issued as payphone cards [CardTech1997] and this will
continue be the largest market in at least the next 3 years.
Guide to Smart Card Technology Page 1 8
Since 1988, smart card has become an essential component in cellular phone
systems. Network data, subscriber’s information and all mobile network critical data
are kept inside the card. With this card, subscribers could make calls from any
portable telephone. Moreover, through the IC card, any calls through the mobile
phone could be encrypted, and thus ensure privacy. In the future, more and more
value-added services, such as electronic banking, could be supported by using this
microprocessor card. Examples can be found in chapter 7.
3.5 HealthCare Applications
Due to the level of security provided for data storage, IC cards offer a new
perspective for healthcare applications. Medical applications of smart cards can be
used for storing information including personal data, insurance policy, emergency
medical information, hospital admission data and recent medical records. Numerous
national hospitals in France, Germany and even Hong Kong have already started to
implement this kind of healthcare card.
With the microcontroller on-board, smart cards could be used for managing the
levels of information authorized for different users similar to a workflow control
system. Doctors would be able to access the medical record from the patient’s card,
while chemists could make use of the prescription information stored on the card for
preparing the medical treatment. Emergency data kept on the patient’s card, which
includes the cardholder’s identity, persons to contact in case of accident and special
illness details, can be used for saving the patient’s life. In some countries, medical
insurance is required for hospital payment. With the insurance records stored in the

In this chapter, we are going to describe the overview concepts of smart card
programming.
4.1 Overview of ISO 7816 Standards
ISO 7816 is the interface standard for smart card. The following sub-parts are of
interest to the smart card application programmer:
ISO 7816-1: Physical characteristics of cards
Defines the dimensions of cards and the physical constraints.
ISO 7816-2: Dimensions and locations of the contacts
Defines the dimensions, location and role of the electrical contacts (the power VCC,
the ground GND, the clock CLK, the reset RST, the I/O port I/O, the programming
power VPP and two additional reserved contacts for future use) on the microchip.
ISO 7816-3: Electronic signals and transmission protocols
Defines the characteristics of the electronic signals exchanged between the card and
terminal and two communication protocols: T=0 (Asynchronous half duplex character
transmission protocol) and T=1 (Asynchronous half duplex block transmission
protocol)
ISO 7816-4: Inter-industry commands for interchange
Defines a set of standard commands and a hierarchical file system structure.
ISO 7816-5: Numbering system and registration procedure for application
identifiers
Defines a unique card application name.
ISO 7816-7: Inter-industry commands for Structured Card Query Language
(SCQL)
Defines a set of commands to access smart card content and relational database
structure.
Guide to Smart Card Technology Page 2 1
Other parts are not covered here since smart card application programmers do
not need to know them and also some of them are still under preparation. We shall
discuss ISO 7816-3, ISO 7816-4 and ISO 7816-5 below.
4.2 Communication Protocol

The class byte (CLA): A class of instructions. The values of some class bytes can
have a specific meaning pertaining to a certain class of commands. For example, the
class byte of ACS ACOS1 smart card is 80
H
and Gemplus 32 bit Java Card is A8
H
.
The instruction byte (INS): A particular instruction. For example, the SUBMIT CODE
instruction of ACS ACOS1 smart card is 20
H
.
The parameter bytes (P1 & P2): The parameters for the instruction. For example, the
parameters of SUBMIT PIN command are P1 = 06
H
and P2 = 00
H
.
The parameter byte (P3): The number of data bytes which are transmitted with the
command during the exchange. This byte may indicate the number of bytes that the
terminal will send to the card (Lc) or the number of bytes that the terminal expects to
receive from the card (Le). For example, the P3 in the SUBMIT PIN CODE instruction
is 08
H
since the PIN (Personal Identification Number) code in ACS ACOS1 smart card
is 8 bytes long.
After receiving the header, the terminal waits for a procedure byte from the smart
card:
• An acknowledge byte: Based on the INS byte, it may indicate the terminal should
send data or expect to receive data. Based on the acknowledge byte, the
application level protocol APDU (Application Protocol Data Units) command is

6D 00 Unknown INS
6E 00 Invalid CLA
Based on SW1 and SW2, an APDU will be returned in the following format. The
Data part is optional, because some APDU commands do not require any data from
the smart card as in cases 1 and 3 above.

Data SW1 SW2
Format of response APDU
The communication between the terminal and smart card (as shown in figure 4-1)
includes a command APDU which is sent by the terminal to the smart card and a
response APDU by the smart card to the terminal based on the result of the command
APDU. These exchanges are all encoded in transport protocol level TPDUs. A
command/response exchange at the application protocol level APDU may require
more than one TPDU exchange.
Guide to Smart Card Technology Page 2 4
Figure 4-1. Communication protocol between terminal and smart card.
Here is an example of command/response APDU between the ACS ACOS1 smart
card and a terminal. The command is used by the smart card to submit the PIN code
for authentication to the terminal.
SUBMIT PIN:
To submit a secret code (PIN) to the smart catd.
Command APDU:
CLA INS P1 P2 P3 DATA
80 20 6 00 08 PIN Code or DES(PIN Code,#Ks)
PIN Code Eight bytes PIN Code
DES(Code,#Ks) Eight bytes PIN Code encrypted with Session Key (Ks)
Response APDU:
4.2.1.2 SW1 SW2
Status
Specific Status Codes: