SMART CARDS

Smart cards break out of traditional roles as chips advance
Junko Yoshida Junko Yoshida

EE Times (11/17/2003 1:26 PM EST)
PARIS — The curtain will go up on the second act for smart cards and related chips at the Cartes 2003 conference here this week. Technologies will be shown that go beyond the traditional roles in credit cards and European GSM phone security cards in a bid to take the technology global for a raft of everyday items.
Emerging applications include mass-transit cards in China, tiny consumer mass-storage devices for music and video downloads in Japan and South Korea, national ID cards, driver's licenses valid across the European Union and next- generation passports and visas that store biometric data. The U.S. government is pressuring 26 visa-waiver nations to embed biometric data in their passports.
The mobile-communications sector remains the largest market for smart-card chips today, with SIM secure ID cards-mandatory for GSM mobile phones in Europe but not used in the United States-taking a large share of the controllers. But that market isn't growing, and controller prices there are falling, said Derrick Robinson, senior analyst at IMS Research (Wellingborough, U.K.).
Consequently, many smart-card chip companies, including Atmel Corp., Hitachi Ltd., Infineon Technologies, Philips Semiconductors, Samsung Electronics and STMicroelectronics, are ready to jump on any new opportunity in government or industry, while continuing to pitch their higher-spec products to the mobile-communications sector.
At the Cartes show, Philips Semiconductors, a key player in the contactless and dual-interface smart-card market, will announce a public transportation project in China at will require a massive deployment of Philips' MiFare-based contactless smart-card chips.
Infineon Technologies will roll out the newest member of its 32-bit security controller family. The SLE88CFX4000P, built on Infineon's proprietary 32-bit core, features flexible on-chip memory of up to 400 kbytes of configurable E2PROM. It will be pitched as a highly integrated secure platform for high-end mobile SIM cards, national ID cards and payment cards, according to Juergen Kuttruff, vice president and general manager for the Secure Mobile Solutions business group at Infineon.
Sun Microsystems will use the show to unveil Java initiatives to push worldwide adoption of Java Card technology-based smart cards, including low-cost cards for fixed, single applications.
Smart cards continue to be almost invisible to most U.S. consumers, largely because CDMA-based mobile phones do not require SIM cards and because the on-line verification process established by U.S. credit card companies and banks is far more efficient and fraud-resistant than the European infrastructure.
But the cards may soon become more commonplace stateside, according to Christoph Duverne, Philips Semiconductor's global marketing segment director responsible for identification. As dual- or triple-mode mobile phones spread, SIM cards get added on. Further, a U.S. government mandate to equip electronic visas and passports for carrying biometric data by October, 2004, is fueling demand for smart-card chips, Duverne said.
Infineon's Kuttruff said the development of higher-density consumer mass-storage devices that pack smart-card-enabled security features is a hot prospect for smart-card chips. "A couple of projects are emerging both in Japan and Korea," he said. Such projects push secure consumer devices featuring mass storage to store multimedia applications, such as gaming, along with transaction functions. A prerequisite to success with such combo products is consensus among all parties involved, including network operators, banking- and credit-card companies and content owners.
IMS Research's Robinson cited "nation-scale projects" on secure identification-including work permits, health cards, national ID programs, passports and military secure access, involving cards with high security and multiple biometrics capabilities-as "the most encouraging driver for the smart-card market." But he also cautioned that many nationwide projects are long-term, often facing political barriers that could delay standardization, technology agreements and deployment.
Philips' Duverne cited trends toward smart-card controllers that are integrated with more memory and bigger processing power, that are focused more on security with a crypto engine and that feature a contactless interface for high user throughput.
A number of emerging smart-card applications, although not yet fully implemented, appear at last to be catching up to chip technology advancements introduced a few years ago.
For example, several smart-card chips companies are reporting an interest in smart-card chips based on 32-bit processors cores for mobile telecom. Although many chip companies have had 32-bit processor-based products for several years, most operators showed no appetite for the devices during the telecom slump. Today, new services being pondered by mobile operators are finally raising the demand for more powerful cores.
More important is the issue of security. As more transactions are made on handsets, mobile operators no longer blindly trust the security claims of smart-card vendors. "They have begun asking for documentation and test results of smart-card security," said Bernd Meier, director of 32-bit smart-card controllers at Infineon. Thus chip companies are investigating how to integrate crypto functions and implement secure layout on their devices.
Security looms even larger when smart-card chips go into national ID cards or international travel documents. "Storing a digitally signed photographic image along with other biometric data will require a 64-kbyte memory, or more, on the smart-card chip," said Kevin Kissell, principal architect responsible for smart-card projects at MIPS Technologies. "Further, it's pushing the requirement of a processor core in terms of the memory addressing and computational bandwidth necessary to verify the digital signature on the smart-card chip itself."
Many in the smart-card industry, hampered by the market saturation of prepaid telephone cards and by serious delays in Europe's third-generation mobile phone rollout, agree that the global contactless smart-card market is one bright spot for the industry. IMS Research forecasts 15 percent per year growth to 2007. Robinson estimates around 205 million contactless and dual-interface cards will have been sold in 2003. This is about 10 percent of the total volume of memory and microcontroller cards. In 2007, he predicts, the market will grow to 350 million cards, or 13 percent of all cards.
Infineon Technologies' big push at Cartes 2003 is the new addition to its 32-bit security controller family. At a time when many new high-end smart-card chips on the market incorporate 300 kbytes of ROM and 128 kbytes of E2PROM, Infineon has embarked on a ROM-less approach that uses 400 kbytes of E2PROM.
Skipping the ROM metal-mask process, Meier said, "allows us to complete the production of smart-card chips to the last process so that we can keep generic products in stock. When customers need our smart-card chips, we can quickly customize them with the addition of programming code and data into the E2PROM. We can deliver the smart-card chips to our customers in one to two weeks," while typical security controllers, involving a ROM mask-programming step, take about six weeks to turn around.
Meier claimed that Infineon, by leveraging its new "one-transistor" cell technology, can offer entirely E2PROM-based chips at a cost and a size similar to those using ROM. He acknowledged a "small overhead" in cost but said it is "no more than 10 percent" higher than competitors' ROM-based products.
Sun Microsystems, meanwhile, is launching initiatives to accelerate worldwide adoption of Java Card-based smart cards. Claiming that "every smart-card application I've seen has been already written in Java," Peter Cattaneo, director of Java Card business at Sun, stressed that Java Card technology "that is stable, well-understood and works" is well-established in the smart-card industry.
IMS Research estimates that around 370 million (or just under a half) of the microcontroller smart cards that will have been sold in 2003 have 32 kbytes or more E2PROM memory and thus can support multiple-application use, usually employing Java.
Sun has rolled out an initiative, called the Java Card S program, that it hopes will extend Java Card's reach beyond its current market in dynamic multi-application smart cards. Sun will allow Java Card licensees to incorporate the technology in a broad range of smart-card products, including traditional proprietary cards based on "static, fixed-use applications," said Cattaneo. "There are, for example, many banking cards that run a single EMV [credit payment] applet but nothing else."
By easing requirements, Sun aims to enable service providers to reuse the same Java Card applets in much lower-cost, single-function smart cards and to reduce the complexity of applications development, functional testing and security evaluation.
Security is also a critical issue for Sun, since the company pushes its Java Card technology for various national ID card projects. Java Card technology has been used in identity cards by the Defense Department, the Bureau of National Health Insurance of Taiwan and the Government of Belgium. Now, according to Sun, the Java Card Protection Profile has received final certification from La Direction Centrale de la Securite des Systemes d'Information (DCSSI), which Sun called one of the most widely respected Common Criteria Evaluation Centers.
Such certification is essential to Java Card technology's acceptance by some governments, especially if Java-based national ID cards are to be used as digital signature cards, said Cattaneo.