The WAVE Report on Digital Media
3D --- Media Creation --- Shared Space
---Published by 4th Wave, Inc.---
Issue #0550------------------12/16/05

 

The WAVE Report is Searchable on

http://www.3dlinks.com
http://www.wave-report.com

--------------------------------------

0550.1 Story of the Issue

     Cartes 2005

Due to extensive reporting from Cartes 2005, this issue will contain this single article.

The WAVE will not be published on 12/23 and 12/30.  To all of our readers, we wish each of you the Best of the Season and success in the New Year.

--------------------------------------
0550.1 Story of the Issue

***Cartes 2005
By John Latta

Paris, France
11/15 – 17/05

There is no doubt this is THE smart card event. Two halls are occupied with exhibitors which make up the ecosystem of smart card technology. 1,500+ are registered for the technical sessions, up 15% over last year. The show floor will be filled by 16,000+. The top tier players in the market are here. There is excitement in the air.

The market for smart cards was established in Europe and it is slowly migrating to other countries. The US has been especially slow in its adoption of smart cards. Japan is seen as a leader in micropayments.

The statistics provided by Eurosmart, the international association of the industry, provide much insight into the market:

 

Sector              Memory Card    Microprocessor Card
                    (M Units)      (M Units)    % Growth

Telecom                620           1220          16
Finance/Banking         40            330          18
Government              20             60          33
Transport               70             25          67
TV                                     65          18
Security                20             15          25
Others                  10             12

Total                  780           1727          18
Combined total               2507

 

The seed for growth has been the GSM phone, which is another example where the cell phone industry has been a driver, especially in Europe. As with any mature market the supply chain looks to the growth markets to fuel the industry. These include:

Logical and Physical Security

This is where biometrics can have a role but it only fits in niches where it can be justified. The purchases here tend to be smaller with the exception of large projects such as PIV in the US Government with 7m+ cards.

Micropayments

Japan is ahead here. This is a complex area because it was claimed that the company doing the processing has to have bank like functions. In Japan NTT DoCoMo apparently bought a credit card company to do this. Thus, there are many barriers to break down for this market to get established.

ePassports

This is a growing area, which raises the visibility of both smart cards and biometrics. It will eventually impact everyone who travels internationally. The US is a driver in making ePassports a requirement but it has become a worldwide effort under ICAO.

Transportation

Transportation has been a driver for contactless smart cards. All over Europe and in Japan one only has to get the transportation smart card close to the reader and it works.

Multi-Applications

This is the use of a smart card for more than one application. In Hong Kong the government foresees the use of their identity card in commerce applications. As the card processing and memory capabilities increase this sector is likely to increase considerably.

 

SCM Microsystems

SCM Microsystems has an elegant mobile smart card reader. It can read a smart card, allow the user to enter a PIN and show an output on a small display, all in a device about the size of a 50¢ piece. The reader has a USB connector on it. A typical application is to insert a bank smart card, such as a credit card, type in a PIN and get out a response number that could be used as a prefix or suffix for an OTP. Or the reader could output an OTP to the PC for online banking authentication. In this way it operates just like an ATM on the PC at home.

In the same SCM display was a biometric reader. This was in two product forms: a PC Card with a fingerprint reader or a mouse like device which is actually a smart card reader. The user would put their finger on the top and the smart card into the reader. The operation of this mouse shaped device would be similar to the smart card reader described above except that any input would be done on the PC keyboard.

When the WAVE asked how well each was selling the response was:

The mobile device is selling units in the millions to the banking community while the biometric device has very small sales only to niche markets. The cost of the biometric device is just too expensive.

Later, the WAVE returned to SCM to learn more about its personal smart card readers for strong authentication on line banking.

The Netherlands was able to reduce its retail bank branches to 1/10 of the number before the online banking era.

The personal online smart card readers have a radical impact on fraud. When these came into use in Malaysia the level of fraud dropped 90%. The experience was that those who committed fraud moved their activities to other countries in Asia with less stringent means of protection.

One of the strongest incentives to use smart cards has been that some countries put the responsibility for fraud on the card holder if they do not use a smart card.

The dominant smart card standard for banking and POS transactions is EMV (Europay, MasterCard, Visa) - Global Framework for Smart Card Payments. The first version of this was released in 1996. A turning point was reached in 1998 as stated in the following from Verifone:

In May 1998, Europay, MasterCard and Visa published EMV 3.1.1, which defines the specifications for smart card-based debit and credit transactions. By creating a much-needed base for interoperability between chip cards and terminals on a global basis, these specifications provide a reliable global framework for the growth of smart card payment applications. In addition, EMV-based smart cards offer a solid foundation for a broad selection of payment-related and nonpayment applications such as stored value, e-purse, and loyalty.

Interoperability is achieved by granting two levels of “Type Approval”:

• Level 1—Applies to the mechanical, electrical, and logical interfaces between chip cards and payment devices

• Level 2—Governs all application software. The EMV specifications envision that there likely will be multiple payment, payment-related, and even nonpayment applications on each chip card—ranging from traditional debit and credit applications to other value-added solutions.

For example, MasterCard does not require a challenge response and Visa does.

Banks not only gain from significant fraud reduction using smart cards but when combined with on line banking there is a reduction in costs. For example, a typical bank call is $10 and this is the cost of the personal smart card reader. Most banks also see a lower churn with on line banking.

When it comes to supplying personal smart card readers to the banks this is a very competitive market. We have found the following:

Most banks give the readers to the customers;

Banks are very cost driven and we have to fight for the business with price being a key factor.

The banks want differentiation of their personal readers which means identity and logos.

Typical orders are on the scale of 1m units. A bank, when they go to strong authentication, does not do this on a partial basis.

 

AuthenTec

AuthenTec, manufacturer of fingerprint sensor chips, took a different approach to how biometrics use becomes widespread. Using the tag line “The Power of Touch” they argued that biometric sensors will be embedded and pervasive in cell phones and notebook computers. Using data from Frost & Sullivan they predicted that 500m fingerprint sensors would be sold in 2010. Of this, 350m would be in wireless devices and 150m in PCs and network security. It was claimed that 1 in 10 notebooks will have fingerprint readers by 2006.

Supporting their claim that the prices are declining, the price of a sensor was $30 in 1999 and now a sensor, assumed to be a swipe sensor, is <$5.

In order to enhance the value of the finger print sensor AuthenTec is claiming that it can be used for navigation similar to a mouse. Further, on a cell phone it has a similar function in playing games by offering navigation that would be otherwise hard to accomplish on the phone. This same navigation technology supports full motion navigation in interactive map applications on a cell phone.

 

byometric – Bayer Innovation

Bayer, the makers of aspirin, were promoting a domain logon solution using their smart card technology and iris recognition or other biometrics. This is a new product which implements strong authentication. Either fingerprint or iris recognition is supported but only one can be selected for a specific user. Log on is accomplished not by an AD schema modification but with a Java server which intercepts the log on. Thus, the desktop must have a reader, such as the small iris camera on the desktop. This camera can also support enrollment but this is under the control of an administrator. When the WAVE asked byometric why this product and what does it bring to the market, the response was the smart card. The storage area on the card is similar to a CD recording, not Flash memory. This is actually an encoded hologram which is very secure. byometric has built on this technology to create an identity management product. On a per-workstation basis the license fee is >70 €.

 

Wave

Wave is offering its EMBASSY Trust Suite which is based on the presence of TPM. They will also support smart cards or a biometric in lieu of TPM. This system also has a server to manage access. The workstation cost for EMBASSY is $60.

The EMBASSY product is one in a layer of software which the company provides. First, they have the low level software which manages TPM on motherboards, then they are offering support to the OEMs seeking to use TPM in shipping products and lastly support for end products which use TPM.

 

Flexion Shows Innovative Battery

It is seldom that the WAVE sees battery innovation but Flexion had an interesting twist – pun is relevant. This is a flexible thin battery for smart cards. In the booth was a flexible test stand showing how the battery could be flexed and still work. The specifications are:

Lithium Polymer
3.0 volts
.37mm thick
10 mAh or 18 mAh Capacity
Passes ISO 7816 flex tests

The booth demo was impressive.

 

Vasco – Supplying Personal Smart Card Readers

Vasco has a full line of personal smart card readers which are used to provide strong authentication for online banking transactions. These are small handheld devices into which the smart card is inserted. One that was demonstrated used challenge response. That is, when logging on to the bank site a number was provided. This was entered into the reader, after the user provided the PIN to access the smart card. With the correct PIN the smart card gave a response to the challenge number from the bank. This resulting number was then entered on the web site to get access to the bank account. This is considered very secure by the banks.

From a banking and user perspective the personal smart card reader emulates an ATM machine in the home. This is consistent with the way the bank operates and the user experience.
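The challenge-response login described above, and the PIN-gated response number in the SCM section, as an added simulation that is not code from Vasco, SCM or any bank. Assumptions: HMAC-SHA256 truncated to 8 decimal digits stands in for the card's real cryptogram, which the report does not describe; the 3-try PIN limit, the single-use challenge, and all class and account names are hypothetical.

```python
import hashlib
import hmac
import secrets

DIGITS = 8         # assumed length of challenge and response numbers
MAX_PIN_TRIES = 3  # assumed card policy; not stated in the report


def response_code(card_key, challenge):
    """Derive the decimal response from the card key and the bank's challenge.
    HMAC-SHA256 is a stand-in for the card's actual algorithm (assumption)."""
    mac = hmac.new(card_key, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Card:
    """Smart card sitting in the unconnected reader: the key never leaves it."""

    def __init__(self, key, pin):
        self._key, self._pin, self._tries_left = key, pin, MAX_PIN_TRIES

    def respond(self, pin, challenge):
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin, self._pin):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = MAX_PIN_TRIES
        return response_code(self._key, challenge)


class Bank:
    """Web site side: issues a fresh challenge and checks the typed response."""

    def __init__(self):
        self._keys = {}     # account -> card key shared at issuance
        self._pending = {}  # account -> outstanding challenge

    def enroll(self, account, key):
        self._keys[account] = key

    def issue_challenge(self, account):
        if account not in self._keys:
            raise KeyError("unknown account")
        challenge = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        self._pending[account] = challenge
        return challenge

    def verify(self, account, response):
        # pop() makes each challenge single use, so a captured response
        # cannot be replayed for a second login.
        challenge = self._pending.pop(account, None)
        if challenge is None:
            return False
        expected = response_code(self._keys[account], challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Run the exchange on constructed sample values and return the outcomes."""
    key = secrets.token_bytes(16)
    bank = Bank()
    bank.enroll("acct-001", key)          # constructed account name
    card = Card(key, pin="4821")          # constructed PIN
    results = {}

    challenge = bank.issue_challenge("acct-001")   # shown on the login page
    response = card.respond("4821", challenge)     # typed into the reader
    results["login"] = bank.verify("acct-001", response)
    results["replay"] = bank.verify("acct-001", response)

    # A response that is off by one digit is rejected.
    challenge = bank.issue_challenge("acct-001")
    good = response_code(key, challenge)
    forged = good[:-1] + str((int(good[-1]) + 1) % 10)
    results["forged"] = bank.verify("acct-001", forged)

    # A stolen card without the PIN blocks itself after three wrong guesses.
    stolen = Card(key, pin="4821")
    for guess in ("0000", "1111", "2222"):
        try:
            stolen.respond(guess, "12345678")
        except PermissionError:
            pass
    try:
        stolen.respond("4821", "12345678")
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```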

The secure online banking industry began in The Netherlands about 5 years ago. It has been very successful. The banks gain because:

The number of calls to their help centers is radically reduced;

The number of tellers is much less – some banks have only one teller and the rest of the bank is occupied by terminals which use the smart card readers.

Most services are provided on line.

The personal smart card readers cost <$10 to the banks and they provide it free to the customers.

When asked why not biometrics the banks have stated to Vasco:

The technology is not sufficiently mature to be used in the same way as personal smart card readers for the mass market;

Biometrics, in the current state, would only be provided if there was a backup technology in the hands of the customers, in the event of problems with the biometric readers.

Too expensive.

The recently released Federal Financial Institutions Examination Council guidelines for Authentication in Internet Banking Environment (see DigitalID World), which mandate strong authentication for on line banking, are felt to be a positive step forward. It is uncertain at this time which way the banking industry will go to implement the guidelines. One reason it may not go the way of personal smart card readers is that Europe had smart cards in place from which to implement strong authentication; the US does not.

To date Vasco has sold 18m personal smart card readers to over 420 different banks.

 

Pricing Survey from the Floor

The WAVE probed various exhibitors on the pricing of products in smart cards and strong authentication.

5¢ - Mag strip plastic card
20¢ - Contact smart card
25¢ - low end contactless smart card
<$1 - high end smart card
<$10 – consumer personal smart card reader (bank cost)
<$75 – RSA hardware token
<$100 – biometric reader for consumer use as bought by a bank

 

Disruption with NFC

Contactless smart cards have high visibility at Cartes. But EMV does not yet support contactless. One of the most visible applications of contactless is in public transit and it is here that the MIFARE technology dominates. The following from Philips provides a good overview:

The key application for the MIFARE Interface Platform is electronic ticketing in public transport. Travelers just wave their card over a reader at the turnstiles or entry. MIFARE products can be important to future individual mobility, supporting multiple applications including road tolling, airline tickets, access control and many more.

There are some 400 million cards issued and 2 million readers installed. MIFARE is based on RF communication technology for transmitting data between a card and a reader device which is ISO 14443A compliant. The market share in transport contactless interfaces is estimated at 80% (Source: IMS Research 2003).

Yet, the next logical step is to ask the question:

Is the physical smart card really needed to gain the benefits from contactless?

The WAVE posed this question to Philips at Cartes knowing that NFC would be the response:

Conceptually think of NFC as a communications technology which allows the functionality of the smart card to be buried in a cell phone and to communicate with contactless smart card readers which are NFC capable. Thus, NFC adheres to many of the standards in use for smart cards.

From the NFC organization site:

NFC offers a unique link to the contactless smart card by being compatible with the infrastructure based on ISO 14443 A (i.e., Philips MIFARE technology), ISO 14443 B, as well as Sony’s FeliCa card used for electronic ticketing in public transport and for payment applications. NFC devices can operate in a reader mode that allows communication with contactless smart cards or RF transponders (tags). NFC devices can also work in a card emulation mode, which enables NFC device to act as a smart card towards smart card readers, such as public transport and point of sale terminals.

Thus, an NFC phone has the equivalent of a card reader in the handset. When a credit card is in the phone it is possible to buy by just waving the phone. Further, one can wave the phone in front of surfaces which are NFC capable and pick up information. An example used by Philips is a map which has an interface to allow for the transfer of map information to the phone.

Presentations at Cartes gave a time line for NFC – 2005 was when the components of NFC came into place, trials were conducted in 2005 and continuing to 2006 and initial deployments in 2006 and beyond. The WAVE asked Philips what is the incentive to transport operators to equip their busses and subways with NFC capabilities especially if they already have MIFARE in place? Dual mode transport infrastructure would reduce the cost of supplying cards for transport. That is, one could buy value for transport and have this resident in the phone. The phone holder would only need wave the phone for transport access/use. It is expected that trials will happen in 2006 in the transport sector.

NFC has a potential impact far beyond the transport sector. Placing the smart card in the phone makes smart card transactions possible anytime, anyplace. The phone can now take on a new role – the equivalent of one's personal banker. It also dramatically changes the role which the phone can play. However, there are important business model impacts. For example, banks value their trusted relationship with the customer and customers regard banks with a reciprocal degree of trust that does not exist with the cellular operator. When it comes to the embedded smart cards in the phone, who owns the banking relationship – the bank or the operator?

Another market factor which will determine the ability of NFC to achieve scale is the sales of phones. Today there are only 2 models and Philips claims many more are coming. Philips also claimed that it is in discussions with all the operators in the US. In fact, the US is an opportunity to leap frog the NFC enabled market because the penetration of smart cards is virtually zero.

NFC is also a back door opportunity for biometrics. That is, when fingerprint readers are embedded in phones it provides an easy method of authentication on the platform when using smart card features.

One conversation went so far as to claim that NFC phones would make obsolete the personal smart card readers. But this was dismissed by others given the bank’s reluctance to give up security responsibility to others.

Philips went beyond just the confines of NFC in phones. If NFC is embedded in CE it makes possible to have smart card functionality in many devices – that is, a bank in many devices. This can include a set top box and a television. Thus, all such devices become a POS opportunity. Another extension is what was called “wireless association.” That is, interoperability between NFC and Bluetooth and WiFi. Thus, NFC could connect to the network not by the cell phone but other wireless technology. This is being developed in the NFC Forum. An outline of the activities of the forum standards efforts includes:

NFC Devices Technical Working Group

The NFC Devices Technical Working Group handles the baseline NFC functionalities. The Working Group covers the following activities:

Develop a modular architecture for NFC devices

Develop and maintain specifications for interoperable data exchange and protocols for device discovery and device capability

Develop and maintain specifications for NFC compatible tags

Specify functionality for device-to-device communication

Specify functionality for reader/writer communication and card emulation

Reference Applications Framework Technical Working Group

The Reference Applications Framework Technical Working Group develops and maintains the application framework for NFC. The Working Group has the following initial range of activity:

Specifying how to configure other communication systems like Wireless LAN and Bluetooth easily by using NFC, and discuss with other special interest groups

Developing a "SmartPoster" application which enables the storage of content like SMS, phone numbers and URLs on smart tags

Evaluating and specifying a service discovery method for NFC if needed

The Working Group may also develop the framework for new applications and use cases.

NFC is much more than another contactless interface – it gets to the heart of the functionality of smart cards but adds wireless WAN mobility. At the same time it buries the visible attributes of the smart card. The ramifications go well beyond the smart card industry and if successful could be very disruptive to it.

 

ETS Integrates Security into the Keyboard

When it comes to a secure keyboard there is not much to add to eKrypto. The feature set includes:

Smart card reader which supports ISO 7816
Support for EMV 2000 Level 1 and 2
2 track magnetic card reader
Swipe finger print reader
USB 2.0 interface
2 X 16 character display
3 Encryption Accelerators
Support for PKI and 3 DES
Key lengths of 512, 1024 and 2048 bits
Operating System – eKrypto OS

Security is assured with MOC fingerprint verification; thus the PIN never leaves the keyboard. Once a secure transaction is accomplished on the keyboard a signed applet is downloaded to the keyboard from the host. All data from the keyboard is transmitted to the host encrypted. The keyboard processor can support up to 18 secure applications. Applet downloads enable the keyboard to be updated remotely. Remote programmability of the keyboard is also possible, including the ability to download remote security keys.

It is technically possible to secure every keystroke but EMS felt the overhead on the host might be excessive. Thus, the keyboard encryption functions are based on the application, and for example, it is assumed that all passwords would be encrypted.

The keyboard is also serialized and a keyboard can be uniquely associated with an individual.

When asked about the Cherry keyboards, which are widely seen in secure applications, this was characterized as a “low end” keyboard.

The keyboard retails for about $150.

Also in the booth was a secure image terminal. This was actually just another form of keyboard with some specialized components. It includes a check scanner at the top of the keyboard and a document scanner embedded in the bottom of the keyboard. The advantage of this device, which just looks like a keyboard, is that it is possible to combine scanning with digital signatures applied to the scanned document. An individual could scan a document, insert a smart card, apply a pin and thus digitally sign the document being scanned.

EMS has applied a new level of thinking about what it takes to secure not only the desktop but the relationship between key entry and the host.

 

Web Server smaller than a 25¢ piece

We saw two web servers operating within cell phones in the Axalto and Oberthur Card Systems booths. The impact of this technology could be enormous but this requires time with the thinking cap on to comprehend the implications. Conversations in both booths also confirmed that the full ramifications have yet to be understood by each of the companies. Both web servers used the new 128MB sim cards. These cards are of the same size as those used in GSM phones today.

Axalto

Axalto takes the view that downloadable content to a phone with a web server provides the operator with many new options for the phone. The emphasis in the booth was on how operators could take advantage of this capability. That is, operators could download movies, phone books and many other forms of content. The user experience would be based on HTML. Content authoring would be the same as web site development today.

Axalto believes strongly in the USB based interface between the sim card and the phone. This provides the best interface for devices and device support. However, the phone in the booth was Linux based and new phones must be developed which fully support USB.

 Axalto also recognizes that having a phone with a web server has significant business potential. The network must support the demands being placed on accessing the phone. Open issues remain in the business model for the operators.

 Axalto plans on exhibiting at 3GSM in the spring. But even from Cartes they felt that the operators get the implications of this technology but remain uncertain how to fully exploit it.

Oberthur Card Systems

Oberthur Card Systems chose MMC as the interface between the sim card and the phone. This may require a few more pins but there are few other impacts. In fact, the demo used Windows Mobile 2003 on what they described as a standard smart phone. Thus, any smart phone could become a web server. One point not fully addressed, when the phone is accessed from the outside, is the necessity for packet routing within the phone. When asked if this was supported in Windows Mobile 2005 it was not clear, as Oberthur has not tested this OS.

The Oberthur sim card uses an ARM processor. Pricing was not available for the 128MB card.

Oberthur Card Systems characterized their web server as fully capable with a TCP/IP stack. The security could be as strong as any realized in a smart card. That is, https could be supported and even a VPN to the web site. Their phone was quite fast.

An example was given of downloading their corporate phone book to the phone server. One could navigate the phone book, including photos of the individuals, just like a web service. One advantage of using secure web services on the phone is that the phone book is fully secured. They see this as enabling a new class of services.

Dynamic decryption was also shown. The illustration was the playback of an encrypted music file. A key was required to open the file. This generated a new key that decrypted the file in real time as it was playing back. During the play back the key was changed and the music stopped.

Oberthur also recognized that there are many ways to look at this technology. If it is contained on the sim card the operator remains in full control as they provide the sim card for the phone. If, however, the sim card or equivalent is plugged into a phone using MMC this is just another device or service to the phone. This changes the business model because the operators can no longer control the MMC insertion into the phone and what is done by the phone.

Applications

The WAVE discussed with both Axalto and Oberthur what could be done with this technology. It was clear that the conceptualization is in the early stages. Here are some examples:

As a sim card the business model is driven by the operator. The Oberthur card is partitioned in two parts – the phone sim and the web server. The operator can thus control how the web server is used and the content it contains. This has many options including the downloading of content. Both Axalto and Oberthur showed movie trailers on the phones.

The phone could be opened up to the enterprise and it could represent an extension of the intranet with full security support. One of the advantages of using phone and the smart card security is that combined they provide a very secure platform.

Oberthur was especially concerned about network performance when the web site is hosted on the phone and made available for external access. Here is the case where both HSDPA and HSUPA would be required for the best experience.

Another approach to making such a web server available is to remove the capability from the phone sim. This technically could be done in a dual sim phone or as a plug-in to the phone or even a PDA. In the case of Oberthur support for MMC would be required and Axalto it would be USB. Here the content and external, i.e., Internet visibility to the phone, is totally up to the user.

A web service, with external access to a tiny server, could give rise to a whole new set of services and content. Web sites could be micro-persistent. A family could take pictures and video during the day while on a vacation. In the evening the phone would be a web server and other family members could share the experiences of the day. An SMS, for example, could inform others of the web address and preview of the content. This provides a means to utilize a phone tiny server so that many others could access content.

The phone could also be a web services transaction engine. Given that the security of the smart card is embedded in the card this web server could also be a transaction server. Again the model is likely to be only of short persistence.

Tiny web servers drive new business model considerations. Consider this:

Traditional operators are likely to be more focused on their network and less the ways in which the user could take advantage of the native web site capabilities. Key considerations are bandwidth usage and revenue generation.

The tiny web servers are just as viable in WiFi or WiMAX or even Bluetooth. The technology is currently expressed in a sim card but this is not a requirement.

Google and its quest to wire cities for wireless broadband would equip every node on the network with a local tiny server.

The power of a tiny web server will likely be driven by what consumers can do with it. This has the potential of making web content available in many new ways. For example, the only analogy for mobile content is photos taken from cell phones, but their distribution beyond the phone is limited. A tiny web server can change this.

It is possible, for example, to construct a set of dynamic web services supported by many tiny web servers.

There are interesting possibilities which link NFC with tiny servers over associated wireless networks.

 

WAVE Comments:

It feels like a time warp as the WAVE walked the floor of Cartes:

Similar to walking the West Coast Computer Faire shortly after the IBM PC was announced.

We all knew this was big but had no idea what it all meant. The WAVE has the same feeling here at Cartes. Yes, the smart card market is already large, as indicated in the market numbers yesterday, but this is only the beginning. As the WAVE went to conference sessions and walked the floor there was the overriding impression that the revolution of small computing has just begun.

In the identity management conferences the WAVE has attended, the argument has been made that identity is the missing layer in the network model. The reality of billions of small computers all connected who have as their function the processing of money does nothing to intrinsically address this issue. At Cartes this is a missing topic.

The bias at Cartes is obviously the heritage of smart cards and the role in banking. But in the world of billions of small computers another aspect is sensor networks. This is but another form of computers everywhere and not addressed at Cartes.

The 10,000’ view of pervasive computing, even as biased here at Cartes, is revealing. It gets tiring to hear of the endless arguments about “triple play” and consumers’ fondness for media and talking. In the end consumers make choices every day in how they spend money and time. The smart card, and especially the contactless smart card, is showing how transaction mobility can change commerce while increasing convenience. Now technology can significantly aid what consumers do every day – carry out part of their lives by how they spend the money they earn. We have yet to realize the impacts of this when money as a tangible entity ceases to exist.


--------------------------------------

Copyright 2005 4th WAVE, Inc.


Comments on or questions about the WAVE may be sent to:

Fourthwave Staff

or the individuals below:

John N. Latta - Editor-In-Chief

Michael Robertson - Web Editor

The WAVE Report may be redistributed in full for individual readership and posted to newsgroups, Web, and FTP sites. This publication may not be reprinted or redistributed for profit. Short quotes are permitted but must be attributed to the WAVE Report. 4th Wave retains the copyright to the WAVE Report.