Table of Contents


FOREWORD

Five years ago the annual issue of smart cards was measured in the tens of millions—described by the cynical as “a solution looking for a problem.” Today the annual issue of smart cards is measured in the hundreds of millions, and by the year 2002 smart card issue will be measured in billions of cards.

Smart cards are a fundamental and increasingly important part of any delivery strategy, enabling existing and new products and services to be delivered more efficiently, more conveniently, and more securely.

Smart cards have been adopted by governments to counter benefit fraud, by payment associations such as MasterCard and Visa (via their members) to secure payment whether in-person or over the telephone or the Internet, by mobile telephone companies to secure access to their services and to make those services more useful and user friendly, by retailers and airlines for loyalty programs, by network managers to secure access, and by companies such as Mondex and Proton to enable the new payment product—electronic cash.

Smart cards are the hottest tool in the IT armory, with a unique and complementary set of properties: portability, highly secure and tamper-resistant data storage capability (for cryptographic keys and other data), programmable, affordable, and well-accepted by consumers. This is clearly evident as we see the smart card business moving from being a separate industry to being an extension of the IT industry and with companies such as Microsoft and Sun Microsystems becoming increasingly engaged.

Historically, smart cards were perhaps only economical and practicable for large-scale projects with thousands of cards. However, this is also changing; it is now entirely viable to use a smart card for projects requiring a few dozen cards—such as a company security card or the Internet access token for a club or group. This change has been enabled through the development of operating systems with open APIs such as MULTOS and Java Card.

This book provides anybody who is interested in using smart cards with a ready entry point, speeding the learning process and lowering—if not eliminating—many of the traditional barriers to entry.

Smart Card Developer’s Kit steers the reader through the constraints as well as the benefits of the smart card, navigating through the myriad of specifications and standards, evaluating the development tools, discussing the security issues and implications, and providing some useful, illustrative examples. The many references to contacts, suppliers, and sources of information will save much time and frustration.

The book does not solely focus on on-card elements, but also explains the role and importance of the reader-side part of the solution. It discusses many of the key standards and specifications, including, for example, the PC-to-smart-card (PC/SC) interface.

This book combines theory, analysis, and information with practical examples, suggestions, and advice—no doubt derived from the hard-won experience of the authors. The inclusion of the CD and Multiflex card will allow readers to consolidate their new-found knowledge by allowing them to develop and test actual smart card applications.

Although the book is perhaps aimed at the IT community and programmers (it forms an excellent conversion text for those switching from general IT into smart cards), it will certainly also appeal to product and project managers as a point of education and reference.

I wish that Smart Card Developer’s Kit had been available when I first joined the industry!

Nick Habgood

Chief Executive, MAOSCO Ltd.

email: nick.habgood@multos.com

Internet: www.multos.com

PREFACE

The smart card as a general-purpose software application platform has been shrouded in secrecy for almost the entire 25 years of its existence. Early deployment of smart card-based systems with their requirements for large infrastructure investment was facilitated by large, often governmental card issuers. Applications were concentrated in the transportation, telecommunications, and financial business sectors. Security concerns among card issuers in all these areas led to significantly restricted flows of information to the general computing and networking communities regarding smart card systems, their software architectures and development environments, along with their hardware technology. Coupled with an overarching concern for low cost and high reliability which tended to be best served by “mature” technologies, this has caused the evolution of the smart card, as a general-purpose computing platform, to fall far behind the pace of advancement found in other arenas such as desktop computing.

Just as the public Internet and the World Wide Web have opened up the discussion of encryption technology, so have they brought the capabilities of the smart card to the attention of the open market and technical and product innovators. This book reaches beyond generic discussions of smart card capabilities and programs and gets down to the bits, bytes, and details of real-life smart card programming. The goal of the book is to put into the reader’s hands a significant body of the information and resources needed to build and field new and innovative smart card applications.

The Smart Card Computer

It is a common perception that the computer in a smart card is so small and so insignificant as to be useful for doing little more than adding and subtracting small integers and comparing byte-sized values. From the point of view of people dealing with today’s 100 MIP, 100 MB desktop machines, this perception is certainly understandable.

The authors of this book came to smart cards after spending 17 and 23 years, respectively, involved with the building, deployment, operations, and support of truck-mounted oil well logging systems using computers with roughly the same computing power as a smart card. Coming from an environment in which one could log an oil well on the North Slope of Alaska with a quarter MIP, it seemed plausible that one could certainly do some very interesting things with a quarter MIP in a nice warm shopping mall, a corporate office, or a student’s home PC. With a self-assurance heavily rooted in a profound ignorance of the smart card industry, but enticed by the seemingly glaring opportunities open to smart card applications, we looked for the signposts that would guide us into this new (at least for us) frontier. Finding them typically sparse, usually covered by myriad non-disclosure agreements, sometimes behind locked doors, and often written in German and French, we decided to take a stab at providing something of the nuts-and-bolts guidebook that we more often found in other disciplines of the computing world.

As firm believers in the conventional wisdom that, historically, killer applications for a technology do not come from the providers of the technology, the authors set about contributing their efforts to opening up smart card software development opportunities to software communities outside the normal smart card world. Scott Guthery led the small team at Schlumberger’s Austin System Center that invented the Java Card smart card, and Tim Jurgensen participated in the PC/SC Workgroup’s efforts that are encouraging an open, specification-based smart card infrastructure in personal computer operating systems.

It is our fervent hope that you will find the information contained herein to be a substantial aid in understanding smart card technology as it can apply to the general computing and networking environments and perhaps even sow the seeds of the killer app that’s lurking out there somewhere.

Organization of the Book

The book is divided into three major parts: Smart Card Background and Basics, Smart Card Software Development, and Smart Card Application Examples.

Part I, “Smart Card Background and Basics,” consists of five chapters that describe the smart card computer from a programmer’s perspective. Chapter 1 is a general overview of smart card software with particular emphasis on what makes smart card software different from other kinds of software. Chapter 2 discusses the general physical properties of a smart card so that the smart card programmer can understand why the hardware resources of a smart card are the way they are and how they were intended by their designers to be used. Interoperability of smart cards is a constant concern, although perhaps an underachieved reality, of the smart card industry. Chapter 3 familiarizes the reader with the major standards and specifications that are the foundation sourcebooks of smart card programmers. Chapters 4 and 5 take a detailed look at the commands that you send to a smart card to make it do what you want. Chapter 4 covers communication with industry-standard commands, while Chapter 5 zeroes in on the particular properties of the Schlumberger 3K Multiflex card included with the book.

Part II, “Smart Card Software Development,” includes four chapters that catalog the many software tools that are available to support smart card software development projects. Chapter 6 introduces the various software development and debugging aids that a smart card programmer might use in the course of a software project. The chapter includes names, telephone numbers, email addresses, and URLs of the tool providers. Chapter 7 is about application programming interfaces available to host computer applications that want to incorporate the capabilities of smart cards. The chapter includes thumbnail sketches of the many APIs together with a description of strengths, weaknesses, and current developments. Chapter 8 is about writing software that runs on the smart card itself. While writing software for the card is definitely the exception rather than the rule right now, we expect to see more card software written as application writers discover the capabilities of the smart card. Finally, Chapter 9 focuses on smart cards as they impinge on the security goals that are the focus of so much Internet and intranet development activity.

Part III, “Smart Card Application Examples,” walks you through the development of two smart card applications that are representative of two application areas that are particularly popular today: loyalty programs in Chapter 10 and electronic commerce in Chapter 11. The 3K Multiflex card included with the book is used to develop these applications and thus the example applications serve as further instruction on how to harness the Multiflex card.

Part IV, “Appendixes,” is a useful reference to smart card commands. Appendix A lists the ISO 7816-4 command set, and Appendix B lists the Multiflex command set.

The Schlumberger 3K Multiflex Card

The Schlumberger 3K Multiflex smart card included in this book is a general-purpose off-the-shelf smart card that supports typical industry-standard smart card commands together with some additional commands that are particularly useful for electronic purses and loyalty programs. The book includes a full chapter and an appendix documenting the card together with an extended loyalty program application that illustrates the use of the card.

Corrections, Updates, and Additions

Despite the efforts of many, there are undoubtedly errors in the book. Furthermore, we know first-hand that the information we have sought to include in the book is subject to change almost as quickly as we record it. Finally, our time resources were finite, so we have surely overlooked material that should have been included.

We encourage you to let us know via email about shortcomings you find in the book. The authors will be maintaining a Web page at http://www.scdk.com/ to distribute corrections, updates, and additions to the information presented herein.

Scott B. Guthery
Boston, Massachusetts
sguthery@tiac.net
Timothy M. Jurgensen
Austin, Texas
tjurgensen@austin.asc.slb.com
December 1997