Electronic CARD or SMART CARD
electronic Card or Smart cards are defined according to 1). How the card data is read and written 2). The type of chip implanted within the card and its capabilities. There is a wide range of options to choose from when designing your system.
Type - the type of card, RFID, Mifare, EM, Proximity, Magnetic, Chip and PVC
I . RFID card / Smard Card:
Mifare card
Mifare card is a kind of semi-conductor cards are often used for public transportation, parking, ID card, attendance system, tickets, credit cards, toll cards, and many other applications. Frequency commonly used in card readers and tools (card reader) is 13.56MHz.
II . EM card
EM card in general is often referred to as proximity cards but in general the basic characteristics of these cards do not have the memory to store data such as MIFARE cards.
EM cards are widely used in access control system in which the basic characteristics of EM card that is unique frequency it is possible to be used in a security system.
III . Proximity cards (Proximity Card)
Prox Card or Proximity Card is the name commonly used for contactless cards are used to acces security system or payment system.
Frequency commonly used in card readers and tools (card reader) is 125 kHz or the newer generation works at a frequency of 13.56MHz.
Proximity Card, also known as RFID contactless smartcard. These cards generally Standardization as ISO / IEC 14443 (card reading distance) and ISO / IEC 15693.
Generally, a reading distance ranges from 0 to 3 inch making it possible to put in your purse or wallet.
IIII . Magnetic Cards (Magnetic Card) Magnetic Card is a plastic card PVC plain white on the front and rear, and on the back side there tambahahan black ribbon dg size (85.5 mm X 13mm). Black ribbon is called Magnetic Stripe. Pvc magnetic stripe on the card can be read and written (R / W). The process of writing the magnetic stripe is called Encode. To encode can use a tool or Magnetic Stripe Encoder can also use the ID card printer already existing Magnetic Encoder module. Moderate to his reading (READ) can use the tool MSR (Magnetic Stripe Reader).
For how to print in the same manner IDCard printer printing blank pvc card material wear.
Magnetic card consists of two types, namely the type HiCo (high coercivity) and LoCo (Low coercivity) where better quality are the kinds of Hi Co.
IIIII . Chip Cards
Chip card is a smart card that has the characteristics that the Integrated Circuit Card (ICC) or by naked eye we can see the last series of circuit in the metal plate, which often golden or silver.
Besides the chip card also has a memory that can hold data.
This chip card types currently used on a large scale for a credit card, the main ingredient of chip cards is usually adalha PVC.
The basic characteristic of chip cards is:
- The size of the Standard ISO / IEC 7810 (85.60 mm x 53.98 mm).
- Using cryptoprocessor security system.
- Ability to communicate with the card reader and writer.
IIIIII . PVC cards
Blank Card PVC (Poly Vinyl Chloride) is a plain white plastic cards with PVC material that has the size of CR80 (85,5mm x 53,6mm) and have a standard thickness of 30 mil.
Blank PVC cards are generally used for the main ingredient of all brands like IDCard Printer (Fargo, Zebra, Datacard, Evolis, Nisca, Hiti, Pointman, Edisecure, Polaroid and others).
For PVC card thickness varies according to the needs, there is a thin 10 miles, 20 miles, 30 miles and others. Generally, we often encounter around us like an ATM card, credit cards, student cards, TIN card etc. wear 30 mil thickness and size of a standard CR80 (85,5mm x 53,6mm)
Blank cards can be printed PVC Full Color (text, image, barcode, etc.) on both sides of his course with IDCard Printer. In its development, Blank Card PVC now there are several kinds of follow tingakat safety / security of his.
The function of a card will run with a system.
The system was created in the functioning of a card depends on the card application, the application of a card can be used for the following environments for example:
Parking-card
-Student card
Employee-card
Visitor-card
Access-card
Securi-card
Hotel-card
Communications-card
Lottery-card
-Credit card
-ATM card
Absent-card
patient-card
member-card
Discount-card
IIIIIII . Fargo ID Card Printer / Encoder and Membership
Is a special tool to print the data on identification cards such as Logo, Name, Number, Photo and Barcode with the desired background display. Fargo ID Card Printer / Encoder with reliability and high durability to reduce the total cost of your investment in ID card printing Card. Fargo ID Card / Encoder is capable of printing on a Smart Card in just 7 seconds. very well suited to use in Higher Education, Banking, Membership Program, Corporate and Government Institutions.
Type Fargo ID Card Printer / Encoder:
Fargo ID Card Printer / Encoder DTC1000
Fargo ID Card Printer / Encoder DTC4000
Fargo Id Card Printer / Encoder DTC4500
Fargo ID Card Printer / Encoders HDP5000
Card Construction
Mostly all chip cards are built from layers of differing materials, or substrates, that when brought together properly gives the card a specific life and functionality. The typical card today is made from PVC, Polyester or Poly carbonate. The card layers are printed first and then laminated in a large press. The next step in construction is the blanking or die cutting. This is followed by embedding a chip and then adding data to the card. In all, there may be up to 30 steps in constructing a card. The total components, including software and plastics, may be as many as 12 separate items; all this in a unified package that appears to the user as a simple device.
Contact Cards
These are the most common type of smart card. Electrical contacts located on the outside of the card connect to a card reader when the card is inserted. This connector is bonded to the encapsulated chip in the card.
Increased levels of processing power, flexibility and memory will add cost. Single function cards are usually the most cost-effective solution. Choose the right type of smart card for your application by determining your required level of security and evaluating cost versus functionality in relation to the cost of the other hardware elements found in a typical workflow. All of these variables should be weighted against the expected life cycle of the card. On average the cards typically comprise only 10 to 15 percent of the total system cost with the infrastructure, issuance, software, readers, training and advertising making up the other 85 percent. The following chart demonstrates some general rules of thumb:
Card Function Trade-Offs
Memory Cards
Memory cards cannot manage files and have no processing power for data management. All memory cards communicate to readers through synchronous protocols. In all memory cards you read and write to a fixed address on the card. There are three primary types of memory cards: Straight, Protected, and Stored Value. Before designing in these cards into a proposed system the issuer should check to see if the readers and/or terminals support the communication protocols of the chip. Most contactless cards are variants on the protected memory/segmented memory card idiom.
Straight Memory Cards
These cards just store data and have no data processing capabilities. Often made with I2C or serial flash semiconductors, these cards were traditionally the lowest cost per bit for user memory. This has now changed with the larger quantities of processors being built for the GSM market. This has dramatically cut into the advantage of these types of devices. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader. These cards are easily duplicated and cannot be tracked by on-card identifiers.
These cards just store data and have no data processing capabilities. Often made with I2C or serial flash semiconductors, these cards were traditionally the lowest cost per bit for user memory. This has now changed with the larger quantities of processors being built for the GSM market. This has dramatically cut into the advantage of these types of devices. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader. These cards are easily duplicated and cannot be tracked by on-card identifiers.
Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards, these devices can be set to write- protect some or the entire memory array. Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality. These cards are not easily duplicated but can possibly be impersonated by hackers. They typically can be tracked by an on-card identifier.
These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards, these devices can be set to write- protect some or the entire memory array. Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality. These cards are not easily duplicated but can possibly be impersonated by hackers. They typically can be tracked by an on-card identifier.
Stored Value Memory Cards
These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set-up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card, the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable cards.
These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on these devices are set-up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card, the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable cards.
CPU / MPU Microprocessor Multi function Cards
These cards have on-card dynamic data processing capabilities. Multi function smart cards allocate card memory into independent sections or files assigned to a specific function or application. Within the card is a microprocessor or micro controller chip that manages this memory allocation and file access. This type of chip is similar to those found inside all personal computers and when implanted in a smart card, manages data in organized file structures, via a card operating system (COS). Unlike other operating systems, this software controls access to the on-card user memory. This capability permits different and multiple functions and/or different applications to reside on the card, allowing businesses to issue and maintain a diversity of ‘products’ through the card. One example of this is a debit card that also enables building access on a college campus. Multi function cards benefit issuers by enabling them to market their products and services via state-of-the-art transaction and encryption technology. Specifically, the technology enables secure identification of users and permits information updates without replacement of the installed base of cards, simplifying program changes and reducing costs. For the card user, multi function means greater convenience and security, and ultimately, consolidation of multiple cards down to a select few that serve many purposes.
There are many configurations of chips in this category, including chips that support crypto graphic Public Key Infrastructure (PKI) functions with on-board math co-processors or JavaCard® with virtual machine hardware blocks. As a rule of thumb - the more functions, the higher the cost.
Contactless Cards
These are smart cards that employ a radio frequency (RFID) between card and reader without physical insertion of the card. Instead, the card is passed along the exterior of the reader and read. Types include proximity cards which are implemented as a read-only technology for building access. These cards function with a very limited memory and communicate at 125 MHz. Another type of limited card is the Gen 2 UHF Card that operates at 860 MHz to 960 MHz.
True read and write contact less cards were first used in transportation applications for quick de crementing and reloading of fare values where their lower security was not an issue. They communicate at 13.56 MHz and conform to the ISO 14443 standard. These cards are often protected memory types. They are also gaining popularity in retail stored value since they can speed up transactions without lowering transaction processing revenues (i.e. Visa and MasterCard), unlike traditional smart cards.
Variations of the ISO 14443 specification include A, B, and C, which specify chips from either specific or various manufacturers. A=NXP - (Philips) B=Everybody else and C=Sony only chips. Contact less card drawbacks include the limits of crypto graphic functions and user memory, versus microprocessor cards and the limited distance between card and reader required for operation.
Multi-mode Communication Cards
These cards have multiple methods of communications, including ISO 7816, ISO 14443 and UHF gen 2. How the card is made determines if it is a Hybrid or dual interface card. The term can also include cards that have a magnetic-stripe and or bar-code as well.
Hybrid Cards
Hybrid cards have multiple chips in the same card. These are typically attached to each interface separately, such as a MIFARE chip and antenna with a contact 7816 chip in the same card.
Dual Interface Card
These cards have one chip controlling the communication interfaces. The chip may be attached to the embedded antenna through a hard connection, inductive method or with a flexible bump mechanism.
Multi-component Cards
These types of cards are for a specific market solution. For example, there are cards where the fingerprint sensor is built on the card. Or one company has built a card that generates a one-time password and displays the data for use with an online banking application. Vault cards have re write able magnetic stripes. Each of these technologies is specific to a particular vendor and is typically patented.
Smart Card Form Factors
The expected shape for cards is often referred to as CR 80. Banking and ID cards are governed by the ISO 7810 specification. But this shape is not the only form factor that cards are deployed in. Specialty shaped cutouts of cards with modules and/or antennas are being used around the world. The most common shapes are SIM. SD and Micro SD cards can now be deployed with the strength of smart card chips. USB flash drive tokens are also available that leverage the same technology of a card in a different form factor.
Integrated Circuits and Card Operating Systems
The two primary types of smart card operating systems are (1) fixed file structure and (2) dynamic application system. As with all smart card types, the selection of a card operating system depends on the application that the card is intended for. The other defining difference lies in the encryption capabilities of the operating system and the chip. The types of encryption are Symmetric Key and Asymmetric Key (Public Key).
The chip selection for these functions is vast and supported by many semiconductor manufacturers. What separates a smart card chip from other micro controllers is often referred to as trusted silicon. The device itself is designed to securely store data withstanding outside electrical tampering or hacking. These additional security features include a long list of mechanisms such as no test points, special protection metal masks and irregular layouts of the silicon gate structures. The trusted silicon semiconductor vendor list below is current for 2010:
Many of the features that users have come to expect, such as specific encryption algorithms, have been incorporated into the hardware and software libraries of the chip architectures. This can often result in a card manufacturer not future-proofing their design by having their card operating systems only ported to a specific device. Care should be taken in choosing the card vendor that can support your project over time as card operating system-only vendors come in and out of the market. The tools and middle ware that support card operating systems are as important as the chip itself. The tools to implement your project should be easy to use and give you the power to deploy your project rapidly.
.
Fixed File Structure Card Operating System
This type treats the card as a secure computing and storage device. Files and permissions are set in advance by the issuer. These specific parameters are ideal and economical for a fixed type of card structure and functions that will not change in the near future. Many secure stored value and healthcare applications are utilizing this type of card. An example of this kind of card is a low-cost employee multi-function badge or credential. Contrary to some biased articles, these style cards can be used very effectively with a stored bio metric component and reader. Globally, these types of microprocessor cards are the most common.
This type treats the card as a secure computing and storage device. Files and permissions are set in advance by the issuer. These specific parameters are ideal and economical for a fixed type of card structure and functions that will not change in the near future. Many secure stored value and healthcare applications are utilizing this type of card. An example of this kind of card is a low-cost employee multi-function badge or credential. Contrary to some biased articles, these style cards can be used very effectively with a stored bio metric component and reader. Globally, these types of microprocessor cards are the most common.
Dynamic Application Card Operating System
This type of operating system, which includes the Java Card® and proprietary MULTOS card varieties, enables developers to build, test, and deploy different on card applications securely. Because the card operating systems and applications are more separate, updates can be made. An example card is a SIM card for mobile GSM where updates and security are downloaded to the phone and dynamically changed. This type of card deployment assumes that the applications in the field will change in a very short time frame, thus necessitating the need for dynamic expansion of the card as a computing platform. The costs to change applications in the field are high, due to the ecosystem requirements of security for key exchange with each credential. This is a variable that should be scrutinized carefully in the card system design phase.
SMART CARD READERS AND TERMINALS
Readers and terminals operate with smart cards to obtain card information and perform a transaction.
Generally, a reader interfaces with a PC for the majority of its processing requirements. A terminal is a self-contained processing device. Both readers and terminals read and write to smart cards.
This type of operating system, which includes the Java Card® and proprietary MULTOS card varieties, enables developers to build, test, and deploy different on card applications securely. Because the card operating systems and applications are more separate, updates can be made. An example card is a SIM card for mobile GSM where updates and security are downloaded to the phone and dynamically changed. This type of card deployment assumes that the applications in the field will change in a very short time frame, thus necessitating the need for dynamic expansion of the card as a computing platform. The costs to change applications in the field are high, due to the ecosystem requirements of security for key exchange with each credential. This is a variable that should be scrutinized carefully in the card system design phase.
SMART CARD READERS AND TERMINALS
Readers and terminals operate with smart cards to obtain card information and perform a transaction.
Generally, a reader interfaces with a PC for the majority of its processing requirements. A terminal is a self-contained processing device. Both readers and terminals read and write to smart cards.
Readers
Contact
This type of reader requires a physical connection to the cards, made by inserting the card into the reader. This is the most common reader type for applications such as ID and Stored Value. The card-to-reader communications is often ISO 7816 T=0 only. This communication has the advantage of direct coupling to the reader and is considered more secure. The other advantage is speed. The typical P T S Protocol Type Selection (ISO 7816-3) negotiated speed can be up to 115 kilo baud. This interface enables larger data transport without the overhead of anti-collision and wireless breakdown issues that are a result from the card moving in and out of the reader antenna range.
This type of reader requires a physical connection to the cards, made by inserting the card into the reader. This is the most common reader type for applications such as ID and Stored Value. The card-to-reader communications is often ISO 7816 T=0 only. This communication has the advantage of direct coupling to the reader and is considered more secure. The other advantage is speed. The typical P T S Protocol Type Selection (ISO 7816-3) negotiated speed can be up to 115 kilo baud. This interface enables larger data transport without the overhead of anti-collision and wireless breakdown issues that are a result from the card moving in and out of the reader antenna range.
Contactless
This type of reader works with a radio frequency that communicates when the card comes close to the reader. Many contact less readers are designed specifically for Payment, Physical Access Control and Transportation applications. The dominant protocol under the ISO 14443 is M I F A R E, followed by the E M V standards.
This type of reader works with a radio frequency that communicates when the card comes close to the reader. Many contact less readers are designed specifically for Payment, Physical Access Control and Transportation applications. The dominant protocol under the ISO 14443 is M I F A R E, followed by the E M V standards.
Interface
A contact reader is primarily defined by the method of it's interface to a PC. These methods include RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA ports and keyboards and keyboard wedge readers. Some readers support more than one type of card such as the tri mode insert readers from MagTek. These readers support magnetic stripe-contact and contactless read operations all in one device.
A contact reader is primarily defined by the method of it's interface to a PC. These methods include RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA ports and keyboards and keyboard wedge readers. Some readers support more than one type of card such as the tri mode insert readers from MagTek. These readers support magnetic stripe-contact and contactless read operations all in one device.
Reader & Terminal to Card Communication
All cards and readers that follow ISO 7816-3 standards have a standardized set of commands that enable communication for CPU cards.
These commands, called APDUs (Application Protocol Data Units) can be executed at a very low level, or they can be scripted into APIs which enable the user to send commands from an application to a reader.
The reader communicates with the card where the response to the request takes place.
From a technical perspective, the key is the APIs that are chosen. These layers of software can enable effective application communication with smart cards and readers from more than one manufacturer. Most terminal SDKs come with a customized API for that platform. They are typically in some form of C, C++ or C # and will have the header files included. Many smart card readers have specific drivers/APIs for memory cards. For ISO7816 processor cards the PC/SC interface is often employed, but it has limitations. This is especially important if you have both memory and microprocessor cards that can are used in the same system. Some APIs give the software designer the ability to select readers from multiple vendors.
The following are some of the function calls provided for transporting APDUs and their functions:
- Reader Select
- Reader Connect
- Reader Disconnect
- Card Connect
- Card Disconnect
- Proprietary Commands for specific readers and cards
- Allow ISO Commands to be passed to cards using standard ISO format
- Allow ISO Commands to be sent to cards using a simplified or shortcut format (As in the CardLogix Winplex® API)
All cards and readers that follow ISO 7816-3 standards have a standardized set of commands that enable communication for CPU cards.
These commands, called APDUs (Application Protocol Data Units) can be executed at a very low level, or they can be scripted into APIs which enable the user to send commands from an application to a reader.
The reader communicates with the card where the response to the request takes place.
From a technical perspective, the key is the APIs that are chosen. These layers of software can enable effective application communication with smart cards and readers from more than one manufacturer. Most terminal SDKs come with a customized API for that platform. They are typically in some form of C, C++ or C # and will have the header files included. Many smart card readers have specific drivers/APIs for memory cards. For ISO7816 processor cards the PC/SC interface is often employed, but it has limitations. This is especially important if you have both memory and microprocessor cards that can are used in the same system. Some APIs give the software designer the ability to select readers from multiple vendors.
The following are some of the function calls provided for transporting APDUs and their functions:
- Reader Select
- Reader Connect
- Reader Disconnect
- Card Connect
- Card Disconnect
- Proprietary Commands for specific readers and cards
- Allow ISO Commands to be passed to cards using standard ISO format
- Allow ISO Commands to be sent to cards using a simplified or shortcut format (As in the CardLogix Winplex® API)
Applications Development
The development of PC applications for readers has been simplified by the Personal Computer/Smart Card (PC/SC) standard. This standard is supported by all major operating systems. The problem with the PC/SC method is that it does not support all of the reader functions offered by each manufacturer such as LED control and card latching/locking. When just using the drivers for each reader manufacturer there is no connection the functions of the card.
The better choice is Application Programming Interfaces (API's) that are part of readily available in Software Design Kits (S D Ks) that support specific manufacturer's card families. Check these kits for a variety of reader manufacture supported. M.O.S. T. and Smart Toolz from CardLogix is a good example of a well rounded Smart Card S D K.
The development of PC applications for readers has been simplified by the Personal Computer/Smart Card (PC/SC) standard. This standard is supported by all major operating systems. The problem with the PC/SC method is that it does not support all of the reader functions offered by each manufacturer such as LED control and card latching/locking. When just using the drivers for each reader manufacturer there is no connection the functions of the card.
The better choice is Application Programming Interfaces (API's) that are part of readily available in Software Design Kits (S D Ks) that support specific manufacturer's card families. Check these kits for a variety of reader manufacture supported. M.O.S. T. and Smart Toolz from CardLogix is a good example of a well rounded Smart Card S D K.
Terminals
Unlike readers, terminals are more similar to a self contained PC, with most featuring operating systems and development tools. Terminals are often specific to the use case such as Security, health informatics or POS (Point of sale). Connectivity in the terminals is typically via Transmission Control Protocol/Internet Protocol (TCP-IP) or G S M network. Many terminals today feature regular OS's making deployment easier such as Datastrip with windows CE or Exadigm with Linux.
SMART CARDS STANDARD
Primarily, smart card standards govern physical properties, communication characteristics, and application identifiers of the embedded chip and data. Almost all standards refer to the ISO 7816-1,2 & 3 as a base reference.
Unlike readers, terminals are more similar to a self contained PC, with most featuring operating systems and development tools. Terminals are often specific to the use case such as Security, health informatics or POS (Point of sale). Connectivity in the terminals is typically via Transmission Control Protocol/Internet Protocol (TCP-IP) or G S M network. Many terminals today feature regular OS's making deployment easier such as Datastrip with windows CE or Exadigm with Linux.
SMART CARDS STANDARD
Primarily, smart card standards govern physical properties, communication characteristics, and application identifiers of the embedded chip and data. Almost all standards refer to the ISO 7816-1,2 & 3 as a base reference.
International Organization for Standardization (ISO)
The ISO facilitates the creation of voluntary standards through a process that is open to all parties. ISO 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts on the card, as well as cards that communicate with readers and terminals without contacts, as with radio frequency (RF/Contactless) technology. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with what ISO 7816 and 14443 does NOT cover as well as what it does. Copies of these standards can be purchased through the American National Standards Institute (ANSI). Copies of ISO standards are for sale on the ISO website.
Application-specific properties are being debated with many large organizations and groups proposing their standards. Open system card interoperability should apply at several levels: 1). To the card itself, 2). The card's access terminals (readers), 3). The networks and 4). The card issuers' own systems. Open system card interoperability will only be achieved by conformance to international standards.
This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, MULTOS, the Open Card Framework and PC/SC specifications.
This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, the Global Platform and PC/SC specifications.
These organizations are active in smart card standardization: The following standards and the organizations that maintain them are the most prevalent in the smart card industry:
ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards. The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC 7501.
The ISO facilitates the creation of voluntary standards through a process that is open to all parties. ISO 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts on the card, as well as cards that communicate with readers and terminals without contacts, as with radio frequency (RF/Contactless) technology. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with what ISO 7816 and 14443 does NOT cover as well as what it does. Copies of these standards can be purchased through the American National Standards Institute (ANSI). Copies of ISO standards are for sale on the ISO website.
Application-specific properties are being debated with many large organizations and groups proposing their standards. Open system card interoperability should apply at several levels: 1). To the card itself, 2). The card's access terminals (readers), 3). The networks and 4). The card issuers' own systems. Open system card interoperability will only be achieved by conformance to international standards.
This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, MULTOS, the Open Card Framework and PC/SC specifications.
This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, the Global Platform and PC/SC specifications.
These organizations are active in smart card standardization: The following standards and the organizations that maintain them are the most prevalent in the smart card industry:
ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards. The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC 7501.
ISO/IEC 7816
ISO/IEC 7816 is a multi-part international standard broken into fourteen parts. ISO/IEC 7816 Parts 1, 2 and 3 deal only with contact smart cards and define the various aspects of the card and its interfaces, including the card’s physical dimensions, the electrical interface and the communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 are relevant to all types of smart cards (contact as well as contactless). They define the card logical structure (files and data elements), various commands used by the application programming interface for basic use, application management, biometric verification, cryptographic services and application naming. ISO/IEC 7816 Part 10 is used by memory cards for applications such as pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7 defines a secure relational database approach for smart cards based on the SQL interfaces (SCQL).
ISO/IEC 7816 is a multi-part international standard broken into fourteen parts. ISO/IEC 7816 Parts 1, 2 and 3 deal only with contact smart cards and define the various aspects of the card and its interfaces, including the card’s physical dimensions, the electrical interface and the communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 are relevant to all types of smart cards (contact as well as contactless). They define the card logical structure (files and data elements), various commands used by the application programming interface for basic use, application management, biometric verification, cryptographic services and application naming. ISO/IEC 7816 Part 10 is used by memory cards for applications such as pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7 defines a secure relational database approach for smart cards based on the SQL interfaces (SCQL).
ISO/IEC 14443
ISO/IEC 14443 is an international standard that defines the interfaces to a "close proximity" contactless smart card, including the radio frequency (RF) interface, the electrical interface, and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate at 13.56 MHz and have an operational range of up to 10 centimeters (3.94 inches). ISO/IEC 14443 is the primary contactless smart card standard being used for transit, financial, and access control applications. It is also used in electronic passports and in the FIPS 201 PIV card.
ISO/IEC 14443 is an international standard that defines the interfaces to a "close proximity" contactless smart card, including the radio frequency (RF) interface, the electrical interface, and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate at 13.56 MHz and have an operational range of up to 10 centimeters (3.94 inches). ISO/IEC 14443 is the primary contactless smart card standard being used for transit, financial, and access control applications. It is also used in electronic passports and in the FIPS 201 PIV card.
ISO/IEC 15693
ISO/IEC 15693 describes standards for "vicinity" cards. Specifically, it establishes standards for the physical characteristics, radio frequency power and signal interface, and anti-collision and transmission protocol for vicinity cards that operate to a maximum of 1 meter (approximately 3.3 feet).
ISO/IEC 7501 describes standards for machine-readable travel documents and has made a clear recommendation on smart card topology.
ISO/IEC 15693 describes standards for "vicinity" cards. Specifically, it establishes standards for the physical characteristics, radio frequency power and signal interface, and anti-collision and transmission protocol for vicinity cards that operate to a maximum of 1 meter (approximately 3.3 feet).
ISO/IEC 7501 describes standards for machine-readable travel documents and has made a clear recommendation on smart card topology.
International Civil Aviation Organization (ICAO)
ICAO issues guidance on the standardization and specifications for Machine Readable Travel Documents (MRTD) such as passports, visas, and travel documents. ICAO has published the specification for electronic passports using a contactless smart chip to securely store traveler data.
ICAO issues guidance on the standardization and specifications for Machine Readable Travel Documents (MRTD) such as passports, visas, and travel documents. ICAO has published the specification for electronic passports using a contactless smart chip to securely store traveler data.
Federal Information Processing Standards (FIPS)
FIPS, developed by the Computer Security Division within the National Institute of Standards and Technology (NIST). FIPS standards are designed to protect federal assets, including computer and telecommunications systems. The following FIPS standards apply to smart card technology and pertain to digital signature standards, advanced encryption standards, and security requirements for cryptographic modules.
FIPS, developed by the Computer Security Division within the National Institute of Standards and Technology (NIST). FIPS standards are designed to protect federal assets, including computer and telecommunications systems. The following FIPS standards apply to smart card technology and pertain to digital signature standards, advanced encryption standards, and security requirements for cryptographic modules.
FIPS 140 (1-3)
The security requirements contained in FIPS 140 (1-3) pertain to areas related to the secure design and implementation of a cryptographic module, specifically: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
The security requirements contained in FIPS 140 (1-3) pertain to areas related to the secure design and implementation of a cryptographic module, specifically: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
FIPS 201
This specification covers all aspects of multifunction cards used in identity management systems throughout the U.S. government.
This specification covers all aspects of multifunction cards used in identity management systems throughout the U.S. government.
Europay, MasterCard, and Visa (EMV)
Europay, MasterCard, and Visa formed EMV Company, LLC and created the "Integrated Circuit Card Specifications for Payment Systems". These specifications are related to ISO7816 and create a common technical basis for card and system implementation of a stored value system. Integrated Circuit Card Specifications for Payment Systems can be obtained from a Visa, MasterCard or Europay member bank.
Europay, MasterCard, and Visa formed EMV Company, LLC and created the "Integrated Circuit Card Specifications for Payment Systems". These specifications are related to ISO7816 and create a common technical basis for card and system implementation of a stored value system. Integrated Circuit Card Specifications for Payment Systems can be obtained from a Visa, MasterCard or Europay member bank.
PC/SC
A globally implemented standard for cards and readers, called the PC/SC specification. This standard only applies to CPU contact cards. Version 2.0 also dictates PIN pad to card communications. Apple, Oracle-Sun, Linux and Microsoft all support this standard.
Microsoft has built PC/SC into their smart card services as a framework that supports many security mechanisms for cards and systems. PC/SC is now a fairly common middleware interface for PC logon applications. The standard is a highly abstracted set of middleware components that allow for the most common reader card interactions.
A globally implemented standard for cards and readers, called the PC/SC specification. This standard only applies to CPU contact cards. Version 2.0 also dictates PIN pad to card communications. Apple, Oracle-Sun, Linux and Microsoft all support this standard.
Microsoft has built PC/SC into their smart card services as a framework that supports many security mechanisms for cards and systems. PC/SC is now a fairly common middleware interface for PC logon applications. The standard is a highly abstracted set of middleware components that allow for the most common reader card interactions.
Comité Européen de Normalisation (CEN) and European Telecommunications Standards Institute (ETSI)
CEN and ETSI focus on telecommunications, as with the GSM SIM for cellular telephones. GSM 11.11 and ETSI300045. CEN can be contacted at Rue de Stassart, 36 B-1050 Brussels, Belgium, attention to the Central Secretariat.
CEN and ETSI focus on telecommunications, as with the GSM SIM for cellular telephones. GSM 11.11 and ETSI300045. CEN can be contacted at Rue de Stassart, 36 B-1050 Brussels, Belgium, attention to the Central Secretariat.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA adopts national standards for implementing a secure electronic health transaction system in the U.S. Example transactions affected by this include claims, enrollment, eligibility, payment and coordination of benefits. Smart cards are governed by the requirements of HIPAA pertaining to data security and patient privacy.
HIPAA adopts national standards for implementing a secure electronic health transaction system in the U.S. Example transactions affected by this include claims, enrollment, eligibility, payment and coordination of benefits. Smart cards are governed by the requirements of HIPAA pertaining to data security and patient privacy.
IC Communications Standards
The IC Communications Standards existed for non-volatile memories before the chips were adopted for smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.
The IC Communications Standards existed for non-volatile memories before the chips were adopted for smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.
Global System for Mobile Communication (GSM)
The GSM standard is dominant in the cell phone industry and uses smart cards called Subscriber Identification Modules (SIMs) that are configured with information essential to authenticating a GSM-compliant mobile phone, thus allowing a phone to receive service whenever the phone is within coverage of a suitable network. This standard is managed by the European Telecommunication Standards Institute. The two most common standards for cards are 11.11 and 11.14.
The GSM standard is dominant in the cell phone industry and uses smart cards called Subscriber Identification Modules (SIMs) that are configured with information essential to authenticating a GSM-compliant mobile phone, thus allowing a phone to receive service whenever the phone is within coverage of a suitable network. This standard is managed by the European Telecommunication Standards Institute. The two most common standards for cards are 11.11 and 11.14.
OpenCardT Framework
The OpenCardT framework is an obsolete standard. The following data is for informative purposes only.
The OpenCard framework was a set of guidelines announced by IBM, Netscape, NCI, and Sun Microsystems for integrating smart cards with network computers. The guidelines were based on open standards and provided an architecture and a set of application program interfaces (APIs) that enable application developers and service providers to build and deploy smart card solutions on any OpenCard-compliant network computer. Through the use of a smart card, an OpenCard-compliant system should have enabled access to personalized data and services from any network computer and dynamically download from the Internet all device drivers that are necessary to communicate with the smart card. By providing a high-level interface which can support multiple smart card types, the OpenCard Framework was intended to enable vendor-independent card interoperability. The system incorporated Public Key Cryptography Standard (PKCS) - 11 and was supposed to be expandable to include other public key mechanisms.
The OpenCardT framework is an obsolete standard. The following data is for informative purposes only.
The OpenCard framework was a set of guidelines announced by IBM, Netscape, NCI, and Sun Microsystems for integrating smart cards with network computers. The guidelines were based on open standards and provided an architecture and a set of application program interfaces (APIs) that enable application developers and service providers to build and deploy smart card solutions on any OpenCard-compliant network computer. Through the use of a smart card, an OpenCard-compliant system should have enabled access to personalized data and services from any network computer and dynamically download from the Internet all device drivers that are necessary to communicate with the smart card. By providing a high-level interface which can support multiple smart card types, the OpenCard Framework was intended to enable vendor-independent card interoperability. The system incorporated Public Key Cryptography Standard (PKCS) - 11 and was supposed to be expandable to include other public key mechanisms.
GlobalPlatform (GP)
GlobalPlatform is an international, non-profit association. Its mission is to establish, maintain and drive adoption of standards to enable an open and interoperable infrastructure for smart cards, devices and systems that simplifies and accelerates development, deployment and management of applications across industries. The GP standard has been adopted by virtually all the banks worldwide for JavaCard®-based loading of cryptographic data. The standard establishes mechanisms and policies that enable secure channel communications with a credential.
GlobalPlatform is an international, non-profit association. Its mission is to establish, maintain and drive adoption of standards to enable an open and interoperable infrastructure for smart cards, devices and systems that simplifies and accelerates development, deployment and management of applications across industries. The GP standard has been adopted by virtually all the banks worldwide for JavaCard®-based loading of cryptographic data. The standard establishes mechanisms and policies that enable secure channel communications with a credential.
Common Criteria (CC)
Common Criteria is an internationally approved security evaluation framework providing a clear and reliable evaluation of the security capabilities of IT products, including secure ICs, smart card operating systems, and application software. CC provides an independent assessment of a product's ability to meet security standards. Security-conscious customers, such as national governments, are increasingly requiring CC certification in making purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.
Common Criteria is an internationally approved security evaluation framework providing a clear and reliable evaluation of the security capabilities of IT products, including secure ICs, smart card operating systems, and application software. CC provides an independent assessment of a product's ability to meet security standards. Security-conscious customers, such as national governments, are increasingly requiring CC certification in making purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.
Biometric Standards
Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of an ID system.
Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of an ID system.
ANSI-INCITS 358-2002
ANSI-INCITS 358-2002, BioAPI Specification - (ISO/IEC 19784-1). BioAPI is intended to provide a high-level generic biometric authentication model-one suited for any form of biometric technology. It covers the basic functions of enrollment, verification, and identification, and includes a database interface to allow a biometric service provider (BSP) to manage the technology device and identification population for optimum performance. It also provides primitives that allow the application to separately manage the capture of samples on a client workstation, and the enrollment, verification, and identification functions on a server. The BioAPI framework has been ported to Win32, Linux, UNIX, and WinCE. Note that BioAPI is not optimum for a microcontroller environment such as might be embedded within a door access control reader unit or within a smart card processor. BioAPI is more suitable when there is a general-purpose computer available.
ANSI-INCITS 358-2002, BioAPI Specification - (ISO/IEC 19784-1). BioAPI is intended to provide a high-level generic biometric authentication model-one suited for any form of biometric technology. It covers the basic functions of enrollment, verification, and identification, and includes a database interface to allow a biometric service provider (BSP) to manage the technology device and identification population for optimum performance. It also provides primitives that allow the application to separately manage the capture of samples on a client workstation, and the enrollment, verification, and identification functions on a server. The BioAPI framework has been ported to Win32, Linux, UNIX, and WinCE. Note that BioAPI is not optimum for a microcontroller environment such as might be embedded within a door access control reader unit or within a smart card processor. BioAPI is more suitable when there is a general-purpose computer available.
ANSI-INCITS 398
ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) - (ISO/IEC 19785-1). The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies and exchange data in a common way. These data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, originally published as NISTIR 6529.
ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) - (ISO/IEC 19785-1). The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies and exchange data in a common way. These data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, originally published as NISTIR 6529.
ANSI-INCITS
ANSI-INCITS Biometric Data Format Interchange Standards. ANSI-INCITS has created a series of standards specifying the interchange format for the exchange of biometric data. These standards specify a data record interchange format for storing, recording, and transmitting the information from a biometric sample within a CBEFF data structure. The ANSI-INCITS published data interchange standards are shown below. There are ISO equivalents to each standard listed here.
ANSI-INCITS Biometric Data Format Interchange Standards. ANSI-INCITS has created a series of standards specifying the interchange format for the exchange of biometric data. These standards specify a data record interchange format for storing, recording, and transmitting the information from a biometric sample within a CBEFF data structure. The ANSI-INCITS published data interchange standards are shown below. There are ISO equivalents to each standard listed here.
ANSI-INCITS 377-2004
Finger Pattern Based Interchange Format
Finger Pattern Based Interchange Format
ANSI-INCITS 378-2004
Finger Minutiae Format for Data Interchange
Finger Minutiae Format for Data Interchange
ANSI-INCITS 379-2004
Iris Interchange Format
Iris Interchange Format
ANSI-INCITS 381-2004
Finger Image Based Interchange Format
Finger Image Based Interchange Format
ANSI-INCITS 385-2004
Face Recognition Format for Data Interchange
Face Recognition Format for Data Interchange
ANSI-INCITS 395-2005
Signature/Sign Image Based Interchange Format
Signature/Sign Image Based Interchange Format
ANSI-INCITS 396-2004
Hand Geometry Interchange Format
Hand Geometry Interchange Format
ISO/IEC 19794
ISO/IEC 19794 series on biometric data interchange formats. Part 1 is the framework, Part 2 defines the finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4 defines the finger image data, Part 5 defines the face image data, Part 6 defines the iris image data, and still in development, Part 7 will define the signature/sign time series data, Part 8 will define the finger pattern skeletal data and Part 8 will define the vascular image data.
SMART CARD PLANNING AND DEPLOYMENT
Smart card system design requires advance planning to be successful and to avoid problems. It is highly recommended that you graphically diagram the flow of information for your new system. The first question to consider is 'will the card and system transact information, or value, or both?' If it stores keys or value (i.e.; gift certificates or sports tickets), greater design detail is required than in data-only systems. When you combine information types on a single card, other issues arise. The key to success is not to overrun the system with features that can confuse users and cause problems in management. It is recommended that you phase-in each feature set as each one is working. To properly implement a functional smart card system, you should be able to answer the following questions.
NOTE: These are only general guidelines, provided as a basis for your individual planning. Many other steps may be involved and are not mentioned here. For more extensive planning information regarding identity management and national IDs we recommend that you review the GSA Smart Card Handbook.
ISO/IEC 19794 series on biometric data interchange formats. Part 1 is the framework, Part 2 defines the finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4 defines the finger image data, Part 5 defines the face image data, Part 6 defines the iris image data, and still in development, Part 7 will define the signature/sign time series data, Part 8 will define the finger pattern skeletal data and Part 8 will define the vascular image data.
SMART CARD PLANNING AND DEPLOYMENT
Smart card system design requires advance planning to be successful and to avoid problems. It is highly recommended that you graphically diagram the flow of information for your new system. The first question to consider is 'will the card and system transact information, or value, or both?' If it stores keys or value (i.e.; gift certificates or sports tickets), greater design detail is required than in data-only systems. When you combine information types on a single card, other issues arise. The key to success is not to overrun the system with features that can confuse users and cause problems in management. It is recommended that you phase-in each feature set as each one is working. To properly implement a functional smart card system, you should be able to answer the following questions.
NOTE: These are only general guidelines, provided as a basis for your individual planning. Many other steps may be involved and are not mentioned here. For more extensive planning information regarding identity management and national IDs we recommend that you review the GSA Smart Card Handbook.
Basic Setup
- Is there a clear business case? Including financial and consumer behavior factors?
- Will the system be single or multi-application?
- What type of information do I want to store in the cards (ie; data or value)?
- How much memory is required for each application?
- If multi-application, how will I separate different types of data?
- Will card data be obtained from a database? Or loaded every time?
- Will this data concurrently reside on a database?
- How many cards will be needed?
- Are card/infrastructure vendors identified? What are the lead times?
- Is there a clear business case? Including financial and consumer behavior factors?
- Will the system be single or multi-application?
- What type of information do I want to store in the cards (ie; data or value)?
- How much memory is required for each application?
- If multi-application, how will I separate different types of data?
- Will card data be obtained from a database? Or loaded every time?
- Will this data concurrently reside on a database?
- How many cards will be needed?
- Are card/infrastructure vendors identified? What are the lead times?
Security Planning
- What are the security requirements?
2. Does all, or only some of the data need to be secure?
3. Who will have access to this information?
4. Who will be allowed to change this information?
5. In what manner shall I secure this data i.e. encryption, Host passwords, card passwords/PINs or all of these?
6. Should the keys/PINs be customer or system-activated?
7. What form of version control do I want?
- What are the security requirements?
2. Does all, or only some of the data need to be secure?
3. Who will have access to this information?
4. Who will be allowed to change this information?
5. In what manner shall I secure this data i.e. encryption, Host passwords, card passwords/PINs or all of these?
6. Should the keys/PINs be customer or system-activated?
7. What form of version control do I want?
3. Who will have access to this information?
4. Who will be allowed to change this information?
5. In what manner shall I secure this data i.e. encryption, Host passwords, card passwords/PINs or all of these?
6. Should the keys/PINs be customer or system-activated?
7. What form of version control do I want?
Value Applications
- Should the value in the cards be re-loadable or will the cards be disposable?
- How will I distribute the cards?
- How will cards be activated and loaded with value?
- What type of card traceability should I implement?
- What is the minimum and maximum value to store on each card?
- Will there be a refund policy?
- Should the value in the cards be re-loadable or will the cards be disposable?
- How will I distribute the cards?
- How will cards be activated and loaded with value?
- What type of card traceability should I implement?
- What is the minimum and maximum value to store on each card?
- Will there be a refund policy?
General Issuance
- How many types of artwork will be included in the issuance?
- Who will do the artwork?
- What is needed on the card? For example signature panels, magnetic stripe, embossing etc.
- How many types of artwork will be included in the issuance?
- Who will do the artwork?
- What is needed on the card? For example signature panels, magnetic stripe, embossing etc.
Multi-Application Card Systems
It is highly recommended that you graphically diagram the flow of information as shown below.
(Click image for larger version.)
Large distributed multifunction systems require lots of advance planning to make them effective. Smart cards often act as the glue between disparate software applications and use cases. Below is an example of a multifunction card that is issued by a large enterprise or government. Everywhere you see a CD is a separate and distinct software application that interacts with the data and service from the card.
The critical first step in this type of planning is to understand the data requirements on the card as it relates to each disparate software application that your project will deploy.
Building a smart card system that stores value i.e. gift certificates, show tickets, redemption points or cash equivalents requires an attention to detail not necessary in other information management systems. The most important detail of a successful stored value card is that the card and program are perceived by users as being compelling, justifying the switch from other payment options.
User information and system wide training should be part of your budget. It is recommended that you phase-in each feature set after the first one is working. Here is a list of some questions that are pertinent to these systems in addition to the above questions.
It is highly recommended that you graphically diagram the flow of information as shown below.
(Click image for larger version.)
Large distributed multifunction systems require lots of advance planning to make them effective. Smart cards often act as the glue between disparate software applications and use cases. Below is an example of a multifunction card that is issued by a large enterprise or government. Everywhere you see a CD is a separate and distinct software application that interacts with the data and service from the card.
The critical first step in this type of planning is to understand the data requirements on the card as it relates to each disparate software application that your project will deploy.
Building a smart card system that stores value i.e. gift certificates, show tickets, redemption points or cash equivalents requires an attention to detail not necessary in other information management systems. The most important detail of a successful stored value card is that the card and program are perceived by users as being compelling, justifying the switch from other payment options.
User information and system wide training should be part of your budget. It is recommended that you phase-in each feature set after the first one is working. Here is a list of some questions that are pertinent to these systems in addition to the above questions.
Deployment
As the minimum steps in deploying a stored value or multi-application system, establish clear achievable program objectives:
SMART CARD SECURITY
Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications.
The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.
As the minimum steps in deploying a stored value or multi-application system, establish clear achievable program objectives:
SMART CARD SECURITY
Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications.
The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.
What Is Security?
Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications.
The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.
Security is basically the protection of something valuable to ensure that it is not stolen, lost, or altered. The term "data security" governs an extremely wide range of applications and touches everyone's daily life. Concerns over data security are at an all-time high, due to the rapid advancement of technology into virtually every transaction, from parking meters to national defense.
Data is created, updated, exchanged and stored via networks. A network is any computing system where users are highly interactive and interdependent and by definition, not all in the same physical place. In any network, diversity abounds, certainly in terms of types of data, but also types of users. For that reason, a system of security is essential to maintain computing and network functions, keep sensitive data secret, or simply maintain worker safety. Any one company might provide an example of these multiple security concerns: Take, for instance, a pharmaceutical manufacturer:
Type of Data Security Concern Type of Access
Drug Formula Basis of business income. Competitor spying Highly selective list of executives
Accounting, Regulatory Required by law Relevant executives and departments
Personnel Files Employee privacy Relevant executives and departments
Employee ID Non-employee access. Inaccurate payroll, benefits assignment Relevant executives and departments
Facilities Access authorization Individuals per function and clearance such as customers, visitors, or vendors
Building safety, emergency response All employees Outside emergency response
Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications.
The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.
Security is basically the protection of something valuable to ensure that it is not stolen, lost, or altered. The term "data security" governs an extremely wide range of applications and touches everyone's daily life. Concerns over data security are at an all-time high, due to the rapid advancement of technology into virtually every transaction, from parking meters to national defense.
Data is created, updated, exchanged and stored via networks. A network is any computing system where users are highly interactive and interdependent and by definition, not all in the same physical place. In any network, diversity abounds, certainly in terms of types of data, but also types of users. For that reason, a system of security is essential to maintain computing and network functions, keep sensitive data secret, or simply maintain worker safety. Any one company might provide an example of these multiple security concerns: Take, for instance, a pharmaceutical manufacturer:
Type of Data | Security Concern | Type of Access |
---|---|---|
Drug Formula | Basis of business income. Competitor spying | Highly selective list of executives |
Accounting, Regulatory | Required by law | Relevant executives and departments |
Personnel Files | Employee privacy | Relevant executives and departments |
Employee ID | Non-employee access. Inaccurate payroll, benefits assignment | Relevant executives and departments |
Facilities | Access authorization | Individuals per function and clearance such as customers, visitors, or vendors |
Building safety, emergency response | All employees | Outside emergency response |
What Is Information Security?
Information security is the application of measures to ensure the safety and privacy of data by managing its storage and distribution. Information security has both technical and social implications. The first simply deals with the 'how' and 'how much' question of applying secure measures at a reasonable cost. The second grapples with issues of individual freedom, public concerns, legal standards and how the need for privacy intersects them. This discussion covers a range of options open to business managers, system planners and programmers that will contribute to your ultimate security strategy. The eventual choice rests with the system designer and issuer.
Information security is the application of measures to ensure the safety and privacy of data by managing its storage and distribution. Information security has both technical and social implications. The first simply deals with the 'how' and 'how much' question of applying secure measures at a reasonable cost. The second grapples with issues of individual freedom, public concerns, legal standards and how the need for privacy intersects them. This discussion covers a range of options open to business managers, system planners and programmers that will contribute to your ultimate security strategy. The eventual choice rests with the system designer and issuer.
The Elements of Data Security
In implementing a security system, all data networks deal with the following main elements:
- Hardware, including servers, redundant mass storage devices, communication channels and lines, hardware tokens (smart cards) and remotely located devices (e.g., thin clients or Internet appliances) serving as interfaces between users and computers
- Software, including operating systems, database management systems, communication and security application programs
- Data, including databases containing customer - related information.
- Personnel, to act as originators and/or users of the data; professional personnel, clerical staff, administrative personnel, and computer staf
In implementing a security system, all data networks deal with the following main elements:
- Hardware, including servers, redundant mass storage devices, communication channels and lines, hardware tokens (smart cards) and remotely located devices (e.g., thin clients or Internet appliances) serving as interfaces between users and computers
- Software, including operating systems, database management systems, communication and security application programs
- Data, including databases containing customer - related information.
- Personnel, to act as originators and/or users of the data; professional personnel, clerical staff, administrative personnel, and computer staf
The Mechanisms of Data Security
Working with the above elements, an effective data security system works with the following key mechanisms to answer:
- Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was not lost or corrupted when it was sent to you
- Is The Data Correct And Does It Come From The Right Person? (Authentication) This proves user or system identities
- Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender? (Non-Repudiation)
- Can I Keep This Data Private? (Confidentiality) - Ensures only senders and receivers access the data. This is typically done by employing one or more encryption techniques to secure your data
- Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can set and manage access privileges for additional users and groups
- Can I Verify The That The System Is Working? (Auditing and Logging) Provides a constant monitor and troubleshooting of security system function
- Can I Actively Manage The System? (Management) Allows administration of your security system
Working with the above elements, an effective data security system works with the following key mechanisms to answer:
- Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was not lost or corrupted when it was sent to you
- Is The Data Correct And Does It Come From The Right Person? (Authentication) This proves user or system identities
- Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender? (Non-Repudiation)
- Can I Keep This Data Private? (Confidentiality) - Ensures only senders and receivers access the data. This is typically done by employing one or more encryption techniques to secure your data
- Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can set and manage access privileges for additional users and groups
- Can I Verify The That The System Is Working? (Auditing and Logging) Provides a constant monitor and troubleshooting of security system function
- Can I Actively Manage The System? (Management) Allows administration of your security system
Data Integrity
This is the function that verifies the characteristics of a document and a transaction. Characteristics of both are inspected and confirmed for content and correct authorization. Data Integrity is achieved with electronic cryptography that assigns a unique identity to data like a fingerprint. Any attempt to change this identity signals the change and flags any tampering.
This is the function that verifies the characteristics of a document and a transaction. Characteristics of both are inspected and confirmed for content and correct authorization. Data Integrity is achieved with electronic cryptography that assigns a unique identity to data like a fingerprint. Any attempt to change this identity signals the change and flags any tampering.
Authentication
This inspects, then confirms, the proper identity of people involved in a transaction of data or value. In authentication systems, authentication is measured by assessing the mechanisms strength and how many factors are used to confirm the identity. In a PKI system a Digital Signature verifies data at its origination by producing an identity that can be mutually verified by all parties involved in the transaction. A cryptographic hash algorithm produces a Digital Signature.
This inspects, then confirms, the proper identity of people involved in a transaction of data or value. In authentication systems, authentication is measured by assessing the mechanisms strength and how many factors are used to confirm the identity. In a PKI system a Digital Signature verifies data at its origination by producing an identity that can be mutually verified by all parties involved in the transaction. A cryptographic hash algorithm produces a Digital Signature.
Non-Repudiation
This eliminates the possibility of a transaction being repudiated, or invalidated by incorporating a Digital Signature that a third party can verify as correct. Similar in concept to registered mail, the recipient of data re-hashes it, verifies the Digital Signature, and compares the two to see that they match.
This eliminates the possibility of a transaction being repudiated, or invalidated by incorporating a Digital Signature that a third party can verify as correct. Similar in concept to registered mail, the recipient of data re-hashes it, verifies the Digital Signature, and compares the two to see that they match.
Authorization and Delegation
Authorization is the processes of allowing access to specific data within a system. Delegation is the utilization of a third party to manage and certify each of the users of your system. (Certificate Authorities).
Authorization is the processes of allowing access to specific data within a system. Delegation is the utilization of a third party to manage and certify each of the users of your system. (Certificate Authorities).
Authorization and Trust Model
Auditing and Logging
This is the independent examination and recording of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
This is the independent examination and recording of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
Management
Is the oversight and design of the elements and mechanisms discussed above and below. Card management also requires the management of card issuance, replacement and retirement as well as polices that govern a system.
Is the oversight and design of the elements and mechanisms discussed above and below. Card management also requires the management of card issuance, replacement and retirement as well as polices that govern a system.
Cryptography / Confidentiality
Confidentiality is the use of encryption to protect information from unauthorized disclosure. Plain text is turned into cipher text via an algorithm, then decrypted back into plain text using the same method.
Cryptography is the method of converting data from a human readable form to a modified form, and then back to its original readable form, to make unauthorized access difficult. Cryptography is used in the following ways:
- Ensure data privacy, by encrypting data
- Ensures data integrity, by recognizing if data has been manipulated in an unauthorized way
- Ensures data uniqueness by checking that data is "original", and not a "copy" of the "original". The sender attaches a unique identifier to the "original" data. This unique identifier is then checked by the receiver of the data.
The original data may be in a human-readable form, such as a text file, or it may be in a computer-readable form, such as a database, spreadsheet or graphics file. The original data is called unencrypted data or plain text.The modified data is called encrypted data or cipher text. The process of converting the unencrypted data is called encryption. The process of converting encrypted data to unencrypted data is called decryption.
Confidentiality is the use of encryption to protect information from unauthorized disclosure. Plain text is turned into cipher text via an algorithm, then decrypted back into plain text using the same method.
Cryptography is the method of converting data from a human readable form to a modified form, and then back to its original readable form, to make unauthorized access difficult. Cryptography is used in the following ways:
- Ensure data privacy, by encrypting data
- Ensures data integrity, by recognizing if data has been manipulated in an unauthorized way
- Ensures data uniqueness by checking that data is "original", and not a "copy" of the "original". The sender attaches a unique identifier to the "original" data. This unique identifier is then checked by the receiver of the data.
The original data may be in a human-readable form, such as a text file, or it may be in a computer-readable form, such as a database, spreadsheet or graphics file. The original data is called unencrypted data or plain text.The modified data is called encrypted data or cipher text. The process of converting the unencrypted data is called encryption. The process of converting encrypted data to unencrypted data is called decryption.
Data Security Mechanisms and their Respective Algorithms
(Click image for larger version.)
In order to convert the data, you need to have an encryption algorithm and a key. If the same key is used for both encryption and decryption that key is called a secret key and the algorithm is called a symmetric algorithm. The most well-known symmetric algorithm is DES (Data Encryption Standard).
The Data Encryption Standard (DES) was invented by the IBM Corporation in the 1970's. During the process of becoming a standard algorithm, it was modified according to recommendations from the National Security Agency (NSA). The algorithm has been studied by cryptographers for nearly 20 years. During this time, no methods have been published that describe a way to break the algorithm, except for brute-force techniques. DES has a 56-bit key, which offers 256 or 7 x 1016 possible variations. There are a very small numbers of weak keys, but it is easy to test for these keys and they are easy to avoid.
Triple-DES is a method of using DES to provide additional security. Triple-DES can be done with two or with three keys. Since the algorithm performs an encrypt-decrypt-encrypt sequence, this is sometimes called the EDE mode. This diagram shows Triple-DES three-key mode used for encryption:
If different keys are used for encryption and decryption, the algorithm is called an asymmetric algorithm. The most well-known asymmetric algorithm is RSA, named after its three inventors (Rivest, Shamir, and Adleman). This algorithm uses two keys, called the private key. These keys are mathematically linked. Here is a diagram that illustrates an asymmetric algorithm:
Asymmetric algorithms involve extremely complex mathematics typically involving the factoring of large prime numbers. Asymmetric algorithms are typically stronger than a short key length symmetric algorithm. But because of their complexity they are used in signing a message or a certificate. They not ordinarily used for data transmission encryption.
As the card issuer, you must define all of the parameters for card and data security. There are two methods of using cards for data system security, host-based and card-based. The safest systems employ both methodologies.
(Click image for larger version.)
In order to convert the data, you need to have an encryption algorithm and a key. If the same key is used for both encryption and decryption that key is called a secret key and the algorithm is called a symmetric algorithm. The most well-known symmetric algorithm is DES (Data Encryption Standard).
The Data Encryption Standard (DES) was invented by the IBM Corporation in the 1970's. During the process of becoming a standard algorithm, it was modified according to recommendations from the National Security Agency (NSA). The algorithm has been studied by cryptographers for nearly 20 years. During this time, no methods have been published that describe a way to break the algorithm, except for brute-force techniques. DES has a 56-bit key, which offers 256 or 7 x 1016 possible variations. There are a very small numbers of weak keys, but it is easy to test for these keys and they are easy to avoid.
Triple-DES is a method of using DES to provide additional security. Triple-DES can be done with two or with three keys. Since the algorithm performs an encrypt-decrypt-encrypt sequence, this is sometimes called the EDE mode. This diagram shows Triple-DES three-key mode used for encryption:
If different keys are used for encryption and decryption, the algorithm is called an asymmetric algorithm. The most well-known asymmetric algorithm is RSA, named after its three inventors (Rivest, Shamir, and Adleman). This algorithm uses two keys, called the private key. These keys are mathematically linked. Here is a diagram that illustrates an asymmetric algorithm:
Asymmetric algorithms involve extremely complex mathematics typically involving the factoring of large prime numbers. Asymmetric algorithms are typically stronger than a short key length symmetric algorithm. But because of their complexity they are used in signing a message or a certificate. They not ordinarily used for data transmission encryption.
As the card issuer, you must define all of the parameters for card and data security. There are two methods of using cards for data system security, host-based and card-based. The safest systems employ both methodologies.
Host-Based System Security
A host-based system treats a card as a simple data carrier. Because of this, straight memory cards can be used very cost-effectively for many systems. All protection of the data is done from the host computer. The card data may be encrypted but the transmission to the host can be vulnerable to attack. A common method of increasing the security is to write in the clear (not encrypted) a key that usually contains a date and/or time along with a secret reference to a set of keys on the host. Each time the card is re-written the host can write a reference to the keys. This way each transmission is different. But parts of the keys are in the clear for hackers to analyze. This security can be increased by the use of smart memory cards that employ a password mechanism to prevent unauthorized reading of the data. Unfortunately the passwords can be sniffed in the clear. Access is then possible to the main memory. These methodologies are often used when a network can batch up the data regularly and compare values and card usage and generate a problem card list.
A host-based system treats a card as a simple data carrier. Because of this, straight memory cards can be used very cost-effectively for many systems. All protection of the data is done from the host computer. The card data may be encrypted but the transmission to the host can be vulnerable to attack. A common method of increasing the security is to write in the clear (not encrypted) a key that usually contains a date and/or time along with a secret reference to a set of keys on the host. Each time the card is re-written the host can write a reference to the keys. This way each transmission is different. But parts of the keys are in the clear for hackers to analyze. This security can be increased by the use of smart memory cards that employ a password mechanism to prevent unauthorized reading of the data. Unfortunately the passwords can be sniffed in the clear. Access is then possible to the main memory. These methodologies are often used when a network can batch up the data regularly and compare values and card usage and generate a problem card list.
Card-Based System Security
These systems are typically microprocessor card-based. A card, or token-based system treats a card as an active computing device. The Interaction between the host and the card can be a series of steps to determine if the card is authorized to be used in the system. The process also checks if the user can be identified, authenticated and if the card will present the appropriate credentials to conduct a transaction. The card itself can also demand the same from the host before proceeding with a transaction. The access to specific information in the card is controlled by (1) the card's internal Operating System and (2) the preset permissions set by the card issuer regarding the files conditions. The card can be in a standard CR80 form factor or be in a USB dongle or it could be a GSM SIM Card.
These systems are typically microprocessor card-based. A card, or token-based system treats a card as an active computing device. The Interaction between the host and the card can be a series of steps to determine if the card is authorized to be used in the system. The process also checks if the user can be identified, authenticated and if the card will present the appropriate credentials to conduct a transaction. The card itself can also demand the same from the host before proceeding with a transaction. The access to specific information in the card is controlled by (1) the card's internal Operating System and (2) the preset permissions set by the card issuer regarding the files conditions. The card can be in a standard CR80 form factor or be in a USB dongle or it could be a GSM SIM Card.
Threats to Cards and Data Security
Effective security system planning takes into account the need for authorized users to access data reasonably easily, while considering the many threats that this access presents to the integrity and safety of the information. There are basic steps to follow to secure all smart card systems, regardless of type or size.
- Analysis: Types of data to secure; users, points of contact, transmission. Relative risk/impact of data loss
- Deployment of your proposed system
- Road Test: Attempt to hack your system; learn about weak spots, etc.
- Synthesis: Incorporate road test data, re-deploy
- Auditing: Periodic security monitoring, checks of system, fine-tuning
When analyzing the threats to your data an organization should look closely at two specific areas: Internal attacks and external attacks. The first and most common compromise of data comes from disgruntled employees. Knowing this, a good system manager separates all back-up data and back-up systems into a separately partitioned and secured space. The introduction of viruses and the attempted formatting of network drives is a typical internal attack behavior. By deploying employee cards that log an employee into the system and record the time, date and machine that the employee is on, a company automatically discourages these type of attacks.
(Click image for larger version.)
External attacks are typically aimed at the weakest link in a company's security armor. The first place an external hacker looks at is where they can intercept the transmission of your data. In a smart card-enhanced system this starts with the card.
(Click image for larger version.)
The following sets of questions are relevant to your analysis. Is the data on the card transmitted in the clear or is it encrypted? If the transmission is sniffed, is each session secured with a different key? Does the data move from the card reader to the PC in the clear? Does the PC or client transmit the data in the clear? If the packet is sniffed, is each session secured with a different key? Does the operating system have a back door? Is there a mechanism to upload and down load functioning code? How secure is this system? Does the OS provider have a good security track record? Does the card manufacturer have precautions in place to secure your data? Do they understand the liabilities? Can they provide other security measures that can be implemented on the card and or module? When the card is subjected to Differential Power attacks and Differential Thermal attacks does the OS reveal any secrets? Will the semiconductor utilized meet this scrutiny? Do your suppliers understand these questions?
Other types of problems that can be a threat to your assets include:
- Improperly secured passwords (writing them down, sharing)
- Assigned PINs and the replacement mechanisms
- Delegated Authentication Services
- Poor data segmentation
- Physical Security (the physical removal or destruction of your computing hardware)
Effective security system planning takes into account the need for authorized users to access data reasonably easily, while considering the many threats that this access presents to the integrity and safety of the information. There are basic steps to follow to secure all smart card systems, regardless of type or size.
- Analysis: Types of data to secure; users, points of contact, transmission. Relative risk/impact of data loss
- Deployment of your proposed system
- Road Test: Attempt to hack your system; learn about weak spots, etc.
- Synthesis: Incorporate road test data, re-deploy
- Auditing: Periodic security monitoring, checks of system, fine-tuning
When analyzing the threats to your data an organization should look closely at two specific areas: Internal attacks and external attacks. The first and most common compromise of data comes from disgruntled employees. Knowing this, a good system manager separates all back-up data and back-up systems into a separately partitioned and secured space. The introduction of viruses and the attempted formatting of network drives is a typical internal attack behavior. By deploying employee cards that log an employee into the system and record the time, date and machine that the employee is on, a company automatically discourages these type of attacks.
(Click image for larger version.)
External attacks are typically aimed at the weakest link in a company's security armor. The first place an external hacker looks at is where they can intercept the transmission of your data. In a smart card-enhanced system this starts with the card.
(Click image for larger version.)
The following sets of questions are relevant to your analysis. Is the data on the card transmitted in the clear or is it encrypted? If the transmission is sniffed, is each session secured with a different key? Does the data move from the card reader to the PC in the clear? Does the PC or client transmit the data in the clear? If the packet is sniffed, is each session secured with a different key? Does the operating system have a back door? Is there a mechanism to upload and down load functioning code? How secure is this system? Does the OS provider have a good security track record? Does the card manufacturer have precautions in place to secure your data? Do they understand the liabilities? Can they provide other security measures that can be implemented on the card and or module? When the card is subjected to Differential Power attacks and Differential Thermal attacks does the OS reveal any secrets? Will the semiconductor utilized meet this scrutiny? Do your suppliers understand these questions?
Other types of problems that can be a threat to your assets include:
- Improperly secured passwords (writing them down, sharing)
- Assigned PINs and the replacement mechanisms
- Delegated Authentication Services
- Poor data segmentation
- Physical Security (the physical removal or destruction of your computing hardware)
Security Architectures
When designing a system a planner should look at the total cost of ownership this includes:
- Analysis
- Installation and Deployment
- Delegated Services
- Training
- Management
- Audits and Upgrades
- Infrastructure Costs (Software and Hardware)
Over 99% of all U.S.- based financial networks are secured with a Private Key Infrastructure. This is changing over time, based on the sheer volume of transactions managed daily and the hassles that come with private key management. Private Key-based systems make good sense if your expected user base is less than 500,000 participants.
Public Key Systems are typically cost effective only in large volumes or where the value of data is so high that its worth the higher costs associated with this type of deployment. What most people don t realize is that Public Key systems still rely heavily on Private Key encryption for all transmission of data. The Public Key encryption algorithms are only used for non-repudiation and to secure data integrity. Public Key infrastructures as a rule employ every mechanism of data security in a nested and coordinated fashion to insure the highest level of security available today.
When designing a system a planner should look at the total cost of ownership this includes:
- Analysis
- Installation and Deployment
- Delegated Services
- Training
- Management
- Audits and Upgrades
- Infrastructure Costs (Software and Hardware)
Over 99% of all U.S.- based financial networks are secured with a Private Key Infrastructure. This is changing over time, based on the sheer volume of transactions managed daily and the hassles that come with private key management. Private Key-based systems make good sense if your expected user base is less than 500,000 participants.
Public Key Systems are typically cost effective only in large volumes or where the value of data is so high that its worth the higher costs associated with this type of deployment. What most people don t realize is that Public Key systems still rely heavily on Private Key encryption for all transmission of data. The Public Key encryption algorithms are only used for non-repudiation and to secure data integrity. Public Key infrastructures as a rule employ every mechanism of data security in a nested and coordinated fashion to insure the highest level of security available today.
PKI Public Key Infrastructure
The following images illustrate a typical PKI-based system:
CONCLUSSIONS
Smart cards can add convenience and safety to any transaction of value and data; but the choices facing today's managers can be daunting. We hope this site has adequately presented the options and given you enough information to make informed evaluations of performance, cost and security that will produce a smart card system that fits today's needs and those of tomorrow. It is our sincere belief that informed users make better choices, which leads to better business for everybody.
GLOSSARY
Wondering what an "Ankle biter" is? Looking for arcane information on smart cards? You've come to the right place. Click on the letter corresponding to the term you're wondering about. This glossary is an amalgamation of information from many sources The primary two being the US government N.I.S.T. site on security terms and the CardLogix Corporation Smart Card Glossary. This list is always growing...so if you don't find your answer, check back with us soon.
The following images illustrate a typical PKI-based system:
CONCLUSSIONS
Smart cards can add convenience and safety to any transaction of value and data; but the choices facing today's managers can be daunting. We hope this site has adequately presented the options and given you enough information to make informed evaluations of performance, cost and security that will produce a smart card system that fits today's needs and those of tomorrow. It is our sincere belief that informed users make better choices, which leads to better business for everybody.
GLOSSARY
Wondering what an "Ankle biter" is? Looking for arcane information on smart cards? You've come to the right place. Click on the letter corresponding to the term you're wondering about. This glossary is an amalgamation of information from many sources The primary two being the US government N.I.S.T. site on security terms and the CardLogix Corporation Smart Card Glossary. This list is always growing...so if you don't find your answer, check back with us soon.
A
- Active Attack
- An attack which results in an unauthorized state change, such as the manipulation of files, or the adding of unauthorized files.
- Administrative Security
- The management constraints and supplemental controls established to provide an acceptable level of protection for data.
- Automated Information System (AIS)
- Any equipment of an interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, firmware, and hardware.
- Alert
- A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events.
- Ankle-Biter
- A person who aspires to be a hacker/cracker but has very limited knowledge or skills related to AIS's. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet.
- Anomaly Detection Model
- A model where intrusions are detected by looking for activity that is different from the user's or system's normal behavior.
- Application Level Gateway (Firewall)
- A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.
- Automated Security Incident Measurement (ASIM)
- Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity.
- Assessment
- Surveys and Inspections; an analysis of the vulnerabilities of an AIS. Information acquisition and review process designed to assist a customer to determine how best to use resources to protect information in systems.
- Assurance
- A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy.
- Attack
- An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
- Audit
- The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
- Audit TraiL
- In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred, legitimate and unauthorized.
- Authenticate
- To establish the validity of a claimed user or object.
- Authentication
- To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
- Authentication Header (AH)
- A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
- Automated Security Monitoring
- All security features needed to provide an acceptable level of protection for hardware, software, and classified, sensitive, unclassified or critical data, material, or processes in the system.
- Availability
- Assuring information and communications services will be ready for use when expected.
- Active Attack
- An attack which results in an unauthorized state change, such as the manipulation of files, or the adding of unauthorized files.
- Administrative Security
- The management constraints and supplemental controls established to provide an acceptable level of protection for data.
- Automated Information System (AIS)
- Any equipment of an interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, firmware, and hardware.
- Alert
- A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events.
- Ankle-Biter
- A person who aspires to be a hacker/cracker but has very limited knowledge or skills related to AIS's. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet.
- Anomaly Detection Model
- A model where intrusions are detected by looking for activity that is different from the user's or system's normal behavior.
- Application Level Gateway (Firewall)
- A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.
- Automated Security Incident Measurement (ASIM)
- Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity.
- Assessment
- Surveys and Inspections; an analysis of the vulnerabilities of an AIS. Information acquisition and review process designed to assist a customer to determine how best to use resources to protect information in systems.
- Assurance
- A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy.
- Attack
- An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
- Audit
- The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
- Audit TraiL
- In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred, legitimate and unauthorized.
- Authenticate
- To establish the validity of a claimed user or object.
- Authentication
- To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
- Authentication Header (AH)
- A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
- Automated Security Monitoring
- All security features needed to provide an acceptable level of protection for hardware, software, and classified, sensitive, unclassified or critical data, material, or processes in the system.
- Availability
- Assuring information and communications services will be ready for use when expected.
B
- Back Door
- A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
- Bell-La Padula Security Model
- Formal-state transition model of computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations.
- Biba Integrity Model
- A formal security model for the integrity of subjects and objects in a system.
- Bomb
- A general synonym for crash, normally of software or operating system failures.
- Breach
- The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
- Buffer Overflow
- This happens when more data is put into a buffer or holding area, then the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a back door leading to system access.
- Bug
- An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
- Back Door
- A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
- Bell-La Padula Security Model
- Formal-state transition model of computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations.
- Biba Integrity Model
- A formal security model for the integrity of subjects and objects in a system.
- Bomb
- A general synonym for crash, normally of software or operating system failures.
- Breach
- The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
- Buffer Overflow
- This happens when more data is put into a buffer or holding area, then the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a back door leading to system access.
- Bug
- An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
C
- C2
- Command and Control.
- C2-attack
- Prevent effective C2 of adversary forces by denying information to, influencing, degrading or destroying the adversary C2 system.
- C2-protect
- Maintain effective command and control of own forces by turning to friendly advantage or negating adversary effort to deny information to, influence, degrade, or destroy the friendly C2 system. (Pending approval in JP 1-02).
- CGI
- Common Gateway Interface - CGI is the method that Web servers use to allow interaction between servers and programs.
- CGI Scripts
- Allows for the creation of dynamic and interactive web pages. They also tend to be the most vulnerable part of a web server.
- Check_Password
- A hacking program used for cracking VMS passwords.
- Chernobyl Packet
- Also called Kamikaze Packet. A network packet that induces a broadcast storm and network meltdown. Typically an IP Ethernet datagram that passes through a gateway with both source and destination Ethernet and IP address set as the respective broadcast addresses for the subnetworks being gated between.
- Circuit Level Gateway
- One form of a firewall. Validates TCP and UDP sessions before opening a connection. Creates a handshake, and once that takes place passes everything through until the session is ended.
- Clipper chip
- A tamper-resistant VLSI chip designed by NSA for encrypting voice communications. It conforms to the Escrow Encryption Standard (EES) and implements the Skipjack encryption algorithm.
- COAST
- Computer Operations, Audit, and Security Technology - is a multiple project, multiple investigator laboratory in computer security research in the Computer Sciences Department at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. Its research is focused on real-world needs and limitations, with a special focus on security for legacy computing systems.
- Command and Control Warfare (C2W)
- The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command and control warfare is an application of information operations in military operations and is a subset of information warfare. C2W is both offensive and defensive.
- Compromise
- An intrusion into a computer system where unauthorized disclosure, modification or destruction of sensitive information may have occurred.
- Computer Abuse
- The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.
- Computer Fraud
- Computer-related crimes involving deliberate misrepresentation or alteration of data in order to obtain something of value.
- Computer Network Attack
- Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. (DODD S-3600.1 of 9 Dec 96).
- Computer Security
- Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system.
- Computer Security Incident
- Any intrusion or attempted intrusion into an automated information system (AIS). Incidents can include probes of multiple computer systems.
- Computer Security Intrusion
- Any event of unauthorized access or penetration to an automated information system (AIS).
- Confidentiality
- Assuring information will be kept secret, with access limited to appropriate persons.
- COPS
- Computer Oracle and Password System - A computer network monitoring system for Unix machines. Software tool for checking security on shell scripts and C programs. Checks for security weaknesses and provides warnings.
- COTS Software
- Commercial Off the Shelf - Software acquired by government contract through a commercial vendor. This software is a standard product, not developed by a vendor for a particular government project.
- Countermeasures
- Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specific threats and vulnerabilities involve more sophisticated techniques as well as activities traditionally perceived as security.
- Crack
- A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.
- Cracker
- One who breaks security on an AIS.
- Cracking
- The act of breaking into a computer system.
- Crash
- A sudden, usually drastic failure of a computer system.
- Cryptanalysis
- 1. The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext.
- 2. Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption.
- Cryptographic Hash Function
- A process that computes a value (referred to as a hashword) from a particular data unit in a manner that, when a hashword is protected, manipulation of the data is detectable.
- Cryptography
- The art of science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.
- Cryptology
- The science which deals with hidden, disguised, or encrypted communications.
- Cyberspace
- Describes the world of connected computers and the society that gathers around them. Commonly known as the Internet.
- C2
- Command and Control.
- C2-attack
- Prevent effective C2 of adversary forces by denying information to, influencing, degrading or destroying the adversary C2 system.
- C2-protect
- Maintain effective command and control of own forces by turning to friendly advantage or negating adversary effort to deny information to, influence, degrade, or destroy the friendly C2 system. (Pending approval in JP 1-02).
- CGI
- Common Gateway Interface - CGI is the method that Web servers use to allow interaction between servers and programs.
- CGI Scripts
- Allows for the creation of dynamic and interactive web pages. They also tend to be the most vulnerable part of a web server.
- Check_Password
- A hacking program used for cracking VMS passwords.
- Chernobyl Packet
- Also called Kamikaze Packet. A network packet that induces a broadcast storm and network meltdown. Typically an IP Ethernet datagram that passes through a gateway with both source and destination Ethernet and IP address set as the respective broadcast addresses for the subnetworks being gated between.
- Circuit Level Gateway
- One form of a firewall. Validates TCP and UDP sessions before opening a connection. Creates a handshake, and once that takes place passes everything through until the session is ended.
- Clipper chip
- A tamper-resistant VLSI chip designed by NSA for encrypting voice communications. It conforms to the Escrow Encryption Standard (EES) and implements the Skipjack encryption algorithm.
- COAST
- Computer Operations, Audit, and Security Technology - is a multiple project, multiple investigator laboratory in computer security research in the Computer Sciences Department at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. Its research is focused on real-world needs and limitations, with a special focus on security for legacy computing systems.
- Command and Control Warfare (C2W)
- The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command and control warfare is an application of information operations in military operations and is a subset of information warfare. C2W is both offensive and defensive.
- Compromise
- An intrusion into a computer system where unauthorized disclosure, modification or destruction of sensitive information may have occurred.
- Computer Abuse
- The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.
- Computer Fraud
- Computer-related crimes involving deliberate misrepresentation or alteration of data in order to obtain something of value.
- Computer Network Attack
- Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. (DODD S-3600.1 of 9 Dec 96).
- Computer Security
- Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system.
- Computer Security Incident
- Any intrusion or attempted intrusion into an automated information system (AIS). Incidents can include probes of multiple computer systems.
- Computer Security Intrusion
- Any event of unauthorized access or penetration to an automated information system (AIS).
- Confidentiality
- Assuring information will be kept secret, with access limited to appropriate persons.
- COPS
- Computer Oracle and Password System - A computer network monitoring system for Unix machines. Software tool for checking security on shell scripts and C programs. Checks for security weaknesses and provides warnings.
- COTS Software
- Commercial Off the Shelf - Software acquired by government contract through a commercial vendor. This software is a standard product, not developed by a vendor for a particular government project.
- Countermeasures
- Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specific threats and vulnerabilities involve more sophisticated techniques as well as activities traditionally perceived as security.
- Crack
- A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.
- Cracker
- One who breaks security on an AIS.
- Cracking
- The act of breaking into a computer system.
- Crash
- A sudden, usually drastic failure of a computer system.
- Cryptanalysis
- 1. The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext.
- 2. Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption.
- Cryptographic Hash Function
- A process that computes a value (referred to as a hashword) from a particular data unit in a manner that, when a hashword is protected, manipulation of the data is detectable.
- Cryptography
- The art of science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.
- Cryptology
- The science which deals with hidden, disguised, or encrypted communications.
- Cyberspace
- Describes the world of connected computers and the society that gathers around them. Commonly known as the Internet.
D
- Dark-side Hacker
- A criminal or malicious hacker.
- DARPA
- Defense Advanced Research Projects Agency.
- Data Driven Attack
- A form of attack that is encoded in innocuous seeming data which is executed by a user or a process to implement an attack. A data driven attack is a concern for firewalls, since it may get through the firewall in data form and launch an attack against a system behind the firewall.
- Data Encryption Standard (DES)
- 1. An unclassified crypto algorithm adopted by the National Bureau of Standards for public use.
- 2. A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
- Defense Information Infrastructure (DII)
- The shared or interconnected system of computers, communications, data applications, security, people, training and other support structures serving DoD local, national, and worldwide information needs. DII connects DoD mission support, command and control, and intelligence computers through voice, telecommunications, imagery, video, and multimedia services. It provides information processing and services to the subscribers over the Defense Information Systems Network and includes command and control, tactical, intelligence, and commercial communications systems used to transmit DoD information. (Pending approval in JP 1-02).
- Defensive Information Operations
- A process that integrates and coordinates policies and procedures, operations, personnel, and technology to protect information and defend information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counter-deception, counter-psychological operations, counter-intelligence, electronic protect, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes. (Pending approval in JP 1-02).
- Demon Dialer
- A program which repeatedly calls the same telephone number. This is benign and legitimate for access to a BBS or malicious when used as a denial of service attack.
- Denial of Service
- Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose.
- Derf
- The act of exploiting a terminal which someone else has absent mindedly left logged on.
- DES
- See Data Encryption Standard
- Differential Power
- Differential Thermal
- DNS Spoofing
- Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
- Dark-side Hacker
- A criminal or malicious hacker.
- DARPA
- Defense Advanced Research Projects Agency.
- Data Driven Attack
- A form of attack that is encoded in innocuous seeming data which is executed by a user or a process to implement an attack. A data driven attack is a concern for firewalls, since it may get through the firewall in data form and launch an attack against a system behind the firewall.
- Data Encryption Standard (DES)
- 1. An unclassified crypto algorithm adopted by the National Bureau of Standards for public use.
- 2. A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
- Defense Information Infrastructure (DII)
- The shared or interconnected system of computers, communications, data applications, security, people, training and other support structures serving DoD local, national, and worldwide information needs. DII connects DoD mission support, command and control, and intelligence computers through voice, telecommunications, imagery, video, and multimedia services. It provides information processing and services to the subscribers over the Defense Information Systems Network and includes command and control, tactical, intelligence, and commercial communications systems used to transmit DoD information. (Pending approval in JP 1-02).
- Defensive Information Operations
- A process that integrates and coordinates policies and procedures, operations, personnel, and technology to protect information and defend information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counter-deception, counter-psychological operations, counter-intelligence, electronic protect, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes. (Pending approval in JP 1-02).
- Demon Dialer
- A program which repeatedly calls the same telephone number. This is benign and legitimate for access to a BBS or malicious when used as a denial of service attack.
- Denial of Service
- Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose.
- Derf
- The act of exploiting a terminal which someone else has absent mindedly left logged on.
- DES
- See Data Encryption Standard
- Differential Power
- Differential Thermal
- DNS Spoofing
- Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
E
- Electronic Attack (EA)
- That division of EW involving the use of electromagnetic, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability. EA includes actions taken to prevent or reduce an enemy's effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception and employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism (lasers, radio frequency, particle beams).
- Electronic Protection (EP)
- That division of EW involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of EW that degrade, neutralize, or destroy friendly combat capability.
- Electronic Warfare (EW)
- Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. The three major subdivisions within electronic warfare are electronic attack, electronic protection, and electronic warfare support.
- Electronic Warfare Support (ES)
- That division of EW involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition. Thus, electronic warfare support provides information required for immediate decisions involving EW operations and other tactical actions such as threat avoidance, targeting and homing. ES data can be used to produce signals intelligence. (JP 1-02).
- Encapsulating Security Payload (ESP)
- A mechanism to provide confidentiality and integrity protection to IP datagrams.
- Ethernet Sniffing
- This is listening with software to the Ethernet interface for packets that interest the user. When the software sees a packet that fits certain criteria, it logs it to a file. The most common criteria for an interesting packet is one that contains words like login or password.
- Electronic Attack (EA)
- That division of EW involving the use of electromagnetic, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability. EA includes actions taken to prevent or reduce an enemy's effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception and employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism (lasers, radio frequency, particle beams).
- Electronic Protection (EP)
- That division of EW involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of EW that degrade, neutralize, or destroy friendly combat capability.
- Electronic Warfare (EW)
- Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. The three major subdivisions within electronic warfare are electronic attack, electronic protection, and electronic warfare support.
- Electronic Warfare Support (ES)
- That division of EW involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition. Thus, electronic warfare support provides information required for immediate decisions involving EW operations and other tactical actions such as threat avoidance, targeting and homing. ES data can be used to produce signals intelligence. (JP 1-02).
- Encapsulating Security Payload (ESP)
- A mechanism to provide confidentiality and integrity protection to IP datagrams.
- Ethernet Sniffing
- This is listening with software to the Ethernet interface for packets that interest the user. When the software sees a packet that fits certain criteria, it logs it to a file. The most common criteria for an interesting packet is one that contains words like login or password.
F
- False Negative
- Occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior.
- False Positive
- Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
- Fault Tolerance
- The ability of a system or component to continue normal operation despite the presence of hardware or software faults.
- Firewall
- A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
- Fishbowl
- To contain, isolate and monitor an unauthorized user within a system in order to gain information about the user.
- Fork Bomb
- Also known as Logic Bomb - Code that can be written in one line of code on any Unix system; used to recursively spawn copies of itself, "explodes" eventually eating all the process table entries and effectively locks up the system.
- False Negative
- Occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior.
- False Positive
- Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
- Fault Tolerance
- The ability of a system or component to continue normal operation despite the presence of hardware or software faults.
- Firewall
- A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
- Fishbowl
- To contain, isolate and monitor an unauthorized user within a system in order to gain information about the user.
- Fork Bomb
- Also known as Logic Bomb - Code that can be written in one line of code on any Unix system; used to recursively spawn copies of itself, "explodes" eventually eating all the process table entries and effectively locks up the system.
G
H
- Hacker
- A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn on the minimum necessary.
- Hacking
- Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.
- Hacking Run
- A hack session extended long outside normal working times, especially one longer than 12 hours.
- Host
- A single computer or workstation; it can be connected to a network.
- Host Based
- Information, such as audit data from a single host which may be used to detect intrusions.
- Hacker
- A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn on the minimum necessary.
- Hacking
- Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.
- Hacking Run
- A hack session extended long outside normal working times, especially one longer than 12 hours.
- Host
- A single computer or workstation; it can be connected to a network.
- Host Based
- Information, such as audit data from a single host which may be used to detect intrusions.
I
- IDEA (International Data Encryption Algorithm)
- A private key encryption-decryption algorithm that uses a key that is twice the length of a DES key.
- IDIOT
- Intrusion Detection In Our Time. A system that detects intrusions using pattern-matching.
- Indicators & Warnings (I&W)
- I&W refers to how an event or series of events can provide enough information to classify it as an incident.
- Information Assurance (IA)
- Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1 of 9 Dec 96).
- Information Operations (IO)
- Actions taken to affect adversary information and information systems while defending one's own information and information systems. (DODD S-3600.1 of 9 Dec 96).
- Information Security
- The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.
- Information Superiority
- The capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same. (DODD S-3600.1 of 9 Dec 96).
- Information Warfare (IW)
- 1. Actions taken to achieve information superiority by affecting adversary information, information based processes, and information systems, while defending our own information, information based processes, and information systems. Any action to deny, exploit, corrupt, or destroy the enemy's information and its functions, protect themselves against those actions; and exploiting their own military information functions.
- 2. Information Operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries. (DODD S-3600.1 of 9 Dec 96).
- Integrity
- Assuring information will not be accidentally or maliciously altered or destroyed.
- Internet Worm
- A worm program (see: Worm) that was unleashed on the Internet in 1988. It was written by Robert T. Morris as an experiment that got out of hand.
- Intrusion
- Any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
- Intrusion Detection
- Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available on the network.
- IP Splicing / Hijacking
- An action whereby an active, established, session is intercepted and co-opted by the unauthorized user. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.
- IP Spoofing
- An attack whereby a system attempts to illicitly impersonate another system by using IP network address.
- IDEA (International Data Encryption Algorithm)
- A private key encryption-decryption algorithm that uses a key that is twice the length of a DES key.
- IDIOT
- Intrusion Detection In Our Time. A system that detects intrusions using pattern-matching.
- Indicators & Warnings (I&W)
- I&W refers to how an event or series of events can provide enough information to classify it as an incident.
- Information Assurance (IA)
- Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1 of 9 Dec 96).
- Information Operations (IO)
- Actions taken to affect adversary information and information systems while defending one's own information and information systems. (DODD S-3600.1 of 9 Dec 96).
- Information Security
- The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.
- Information Superiority
- The capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same. (DODD S-3600.1 of 9 Dec 96).
- Information Warfare (IW)
- 1. Actions taken to achieve information superiority by affecting adversary information, information based processes, and information systems, while defending our own information, information based processes, and information systems. Any action to deny, exploit, corrupt, or destroy the enemy's information and its functions, protect themselves against those actions; and exploiting their own military information functions.
- 2. Information Operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries. (DODD S-3600.1 of 9 Dec 96).
- Integrity
- Assuring information will not be accidentally or maliciously altered or destroyed.
- Internet Worm
- A worm program (see: Worm) that was unleashed on the Internet in 1988. It was written by Robert T. Morris as an experiment that got out of hand.
- Intrusion
- Any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
- Intrusion Detection
- Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available on the network.
- IP Splicing / Hijacking
- An action whereby an active, established, session is intercepted and co-opted by the unauthorized user. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.
- IP Spoofing
- An attack whereby a system attempts to illicitly impersonate another system by using IP network address.
J
K
- Key
- A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
- Key Escrow
- The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees.
- Keystroke Monitoring
- A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the AIS returns to the user.
- Key
- A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
- Key Escrow
- The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees.
- Keystroke Monitoring
- A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the AIS returns to the user.
L
- LAN (Local Area Network)
- A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, switches, and gateways.
- Leapfrog Attack
- Use of user id and password information obtained illicitly from one host to compromise another host. The act of TELNETing through one or more hosts in order to preclude a trace (a standard cracker procedure).
- Letterbomb
- A piece of email containing live data intended to do malicious things to the recipient's machine or terminal. Under UNIX, a letter bomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from silly to denial of service.
- Logic Bomb
- Also known as a Fork Bomb - A resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satisfied, triggers the perpetration of an unauthorized act.
- LAN (Local Area Network)
- A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, switches, and gateways.
- Leapfrog Attack
- Use of user id and password information obtained illicitly from one host to compromise another host. The act of TELNETing through one or more hosts in order to preclude a trace (a standard cracker procedure).
- Letterbomb
- A piece of email containing live data intended to do malicious things to the recipient's machine or terminal. Under UNIX, a letter bomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from silly to denial of service.
- Logic Bomb
- Also known as a Fork Bomb - A resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satisfied, triggers the perpetration of an unauthorized act.
M
- Mailbomb
- The mail sent to urge others to send massive amounts of email to a single system or person, with the intent to crash the recipient's system. Mail bombing is widely regarded as a serious offense.
- Malicious Code
- Hardware, software, of firmware that is intentionally included in a system for an unauthorized purpose; e.g. a Trojan horse.
- Metric
- A random variable x representing a quantitative measure accumulated over a period.
- Mimicking
- Synonymous with Impersonation, Masquerading or Spoofing.
- Misuse Detection Model
- The system detects intrusions by looking for activity that corresponds to a known intrusion techniques or system vulnerabilities. Also known as Rules Based detection.
- Mockingbird
- A computer program or process which mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user.
- Multihost Based Auditing
- Audit data from multiple hosts may be used to detect intrusions.
- Mailbomb
- The mail sent to urge others to send massive amounts of email to a single system or person, with the intent to crash the recipient's system. Mail bombing is widely regarded as a serious offense.
- Malicious Code
- Hardware, software, of firmware that is intentionally included in a system for an unauthorized purpose; e.g. a Trojan horse.
- Metric
- A random variable x representing a quantitative measure accumulated over a period.
- Mimicking
- Synonymous with Impersonation, Masquerading or Spoofing.
- Misuse Detection Model
- The system detects intrusions by looking for activity that corresponds to a known intrusion techniques or system vulnerabilities. Also known as Rules Based detection.
- Mockingbird
- A computer program or process which mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user.
- Multihost Based Auditing
- Audit data from multiple hosts may be used to detect intrusions.
N
- Nak Attack
- Negative Acknowledgment - A penetration technique which capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly and thus, leaves the system in an unprotected state during such interrupts.
- National Computer Security Center (NCSC)
- Originally named the DoD Computer Security Center, the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government. (AF9K_JBC.TXT) (NCSC) With the signing of NSDD-145; the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government. (NCSC-WA-001-85).
- National Information Infrastructure (NII)
- The nation-wide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. The NII encompasses a wide range of equipment, including cameras, scanners, keyboards, facsimile machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, fiber-optic transmission lines, networks of all types, monitors, printers and much more. The friendly and adversary personnel who make decisions and handle the transmitted information constitute a critical component of the NII. (Pending approval in JP 1-02).
- NCSC
- See National Computer Security Center.
- Network
- Two or more machines interconnected for communications.
- Network Based
- Network traffic data along with audit data from the hosts used to detect intrusions.
- Network Level Firewall
- A firewall in which traffic is examined at the network protocol (IP) packet level.
- Network Security
- Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes providing for data integrity.
- Network Security Officer
- Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network.
- Network Weaving
- Another name for "Leapfrogging".
- Non-Discretionary Security
- The aspect of DOD security policy which restricts access on the basis of security levels. A security level is composed of a read level and a category set restriction. For read-access to an item of information, a user must have a clearance level greater then or equal to the classification of the information and also have a category clearance which includes all of the access categories specified for the information.
- Non-Repudiation
- Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
- Nak Attack
- Negative Acknowledgment - A penetration technique which capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly and thus, leaves the system in an unprotected state during such interrupts.
- National Computer Security Center (NCSC)
- Originally named the DoD Computer Security Center, the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government. (AF9K_JBC.TXT) (NCSC) With the signing of NSDD-145; the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government. (NCSC-WA-001-85).
- National Information Infrastructure (NII)
- The nation-wide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. The NII encompasses a wide range of equipment, including cameras, scanners, keyboards, facsimile machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, fiber-optic transmission lines, networks of all types, monitors, printers and much more. The friendly and adversary personnel who make decisions and handle the transmitted information constitute a critical component of the NII. (Pending approval in JP 1-02).
- NCSC
- See National Computer Security Center.
- Network
- Two or more machines interconnected for communications.
- Network Based
- Network traffic data along with audit data from the hosts used to detect intrusions.
- Network Level Firewall
- A firewall in which traffic is examined at the network protocol (IP) packet level.
- Network Security
- Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes providing for data integrity.
- Network Security Officer
- Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network.
- Network Weaving
- Another name for "Leapfrogging".
- Non-Discretionary Security
- The aspect of DOD security policy which restricts access on the basis of security levels. A security level is composed of a read level and a category set restriction. For read-access to an item of information, a user must have a clearance level greater then or equal to the classification of the information and also have a category clearance which includes all of the access categories specified for the information.
- Non-Repudiation
- Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
O
- Open Security
- Environment that does not provide environment sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.
- Open Systems Security
- Provision of tools for the secure internetworking of open systems.
- Operational Data Security
- The protection of data from either accidental or unauthorized, intentional modification, destruction, or disclosure during input, processing, or output operations.
- Operations Security
- 1. The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with planning and conducting military operations and other activities.
- 2. An analytical process by with the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting evidence of the planning and execution of sensitive activities and operations.
- Operations Security (OPSEC)
- A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (1) identify those actions that can be observed by adversary intelligence systems; (2) determine indicators hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (3) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. (JP 1-02).
- Orange Book
- See Trusted Computer Security Evaluation Criteria.
- OSI
- Open Systems Interconnection. A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network utility.
- Open Security
- Environment that does not provide environment sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.
- Open Systems Security
- Provision of tools for the secure internetworking of open systems.
- Operational Data Security
- The protection of data from either accidental or unauthorized, intentional modification, destruction, or disclosure during input, processing, or output operations.
- Operations Security
- 1. The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with planning and conducting military operations and other activities.
- 2. An analytical process by with the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting evidence of the planning and execution of sensitive activities and operations.
- Operations Security (OPSEC)
- A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (1) identify those actions that can be observed by adversary intelligence systems; (2) determine indicators hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (3) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. (JP 1-02).
- Orange Book
- See Trusted Computer Security Evaluation Criteria.
- OSI
- Open Systems Interconnection. A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network utility.
P
- Packet
- A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
- Packet Filter
- Inspects each packet for user defined content, such as an IP address but does not track the state of sessions. This is one of the least secure types of firewall.
- Packet Filtering
- A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol specific traffic to one network segment, isolate email domains, and perform many other traffic control functions.
- Packet Sniffer
- A device or program that monitors the data traveling between computers on a network.
- Passive Attack
- Attack which does not result in an unauthorized state change, such as an attack that only monitors and/or records data.
- Passive Threat
- The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
- PEM (Privacy Enhanced Mail)
- An IETF standard for secure electronic mail exchange.
- Penetration
- The successful unauthorized access to an automated system.
- Penetration Signature
- The description of a situation or set of conditions in which a penetration could occur or of system events which in conjunction can indicate the occurrence of a penetration in progress.
- Penetration Testing
- The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, that may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
- Perimeter Based Security
- The technique of securing a network by controlling access to all entry and exit points of the network. Usually associated with firewalls and/or filters.
- Perpetrator
- The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker.
- Personnel Security
- The procedures established to ensure that all personnel who have access to any classified information have the required authorizations as well as the appropriate clearances.
- PGP (Pretty Good Privacy)
- A freeware program primarily for secure electronic mail.
- Phage
- A program that modifies other programs or databases in unauthorized ways; especially one that propagates a virus or Trojan horse.
- PHF
- Phone book file demonstration program that hackers use to gain access to a computer system and potentially read and capture password files.
- PHF hack
- A well-known and vulnerable CGI script which does not filter out special characters (such as a new line) input by a user.
- Phracker
- An individual who combines phone phreaking with computer hacking.
- Phreak(er)
- An individual fascinated by the telephone system. Commonly, an individual who uses his knowledge of the telephone system to make calls at the expense of another.
- Phreaking
- The art and science of cracking the phone network.
- Physical Security
- The measures used to provide physical protection of resources against deliberate and accidental threats.
- Piggy Back
- The gaining of unauthorized access to a system via another user's legitimate connection.
- Ping of Death
- The use of Ping with a packet size higher than 65,507. This will cause a denial of service.
- Plaintext
- Unencrypted data.
- Private Key Cryptography
- An encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret. This methodology is usually only used by a small group.
- Probe
- Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date.
- Procedural Security
- See Administrative Security.
- Profile
- Patterns of a user's activity which can detect changes in normal routines.
- Promiscuous Mode
- Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
- Protocol
- Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
- Prowler
- A daemon that is run periodically to seek out and erase core files, truncate administrative logfiles, nuke lost+found directories, and otherwise clean up.
- Proxy
- A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
- Psychological Operations (PSYOP)
- Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator's objectives. (JP 1-02).
- Public Key Cryptography
- Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
- Packet
- A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
- Packet Filter
- Inspects each packet for user defined content, such as an IP address but does not track the state of sessions. This is one of the least secure types of firewall.
- Packet Filtering
- A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol specific traffic to one network segment, isolate email domains, and perform many other traffic control functions.
- Packet Sniffer
- A device or program that monitors the data traveling between computers on a network.
- Passive Attack
- Attack which does not result in an unauthorized state change, such as an attack that only monitors and/or records data.
- Passive Threat
- The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
- PEM (Privacy Enhanced Mail)
- An IETF standard for secure electronic mail exchange.
- Penetration
- The successful unauthorized access to an automated system.
- Penetration Signature
- The description of a situation or set of conditions in which a penetration could occur or of system events which in conjunction can indicate the occurrence of a penetration in progress.
- Penetration Testing
- The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, that may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
- Perimeter Based Security
- The technique of securing a network by controlling access to all entry and exit points of the network. Usually associated with firewalls and/or filters.
- Perpetrator
- The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker.
- Personnel Security
- The procedures established to ensure that all personnel who have access to any classified information have the required authorizations as well as the appropriate clearances.
- PGP (Pretty Good Privacy)
- A freeware program primarily for secure electronic mail.
- Phage
- A program that modifies other programs or databases in unauthorized ways; especially one that propagates a virus or Trojan horse.
- PHF
- Phone book file demonstration program that hackers use to gain access to a computer system and potentially read and capture password files.
- PHF hack
- A well-known and vulnerable CGI script which does not filter out special characters (such as a new line) input by a user.
- Phracker
- An individual who combines phone phreaking with computer hacking.
- Phreak(er)
- An individual fascinated by the telephone system. Commonly, an individual who uses his knowledge of the telephone system to make calls at the expense of another.
- Phreaking
- The art and science of cracking the phone network.
- Physical Security
- The measures used to provide physical protection of resources against deliberate and accidental threats.
- Piggy Back
- The gaining of unauthorized access to a system via another user's legitimate connection.
- Ping of Death
- The use of Ping with a packet size higher than 65,507. This will cause a denial of service.
- Plaintext
- Unencrypted data.
- Private Key Cryptography
- An encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret. This methodology is usually only used by a small group.
- Probe
- Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date.
- Procedural Security
- See Administrative Security.
- Profile
- Patterns of a user's activity which can detect changes in normal routines.
- Promiscuous Mode
- Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
- Protocol
- Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
- Prowler
- A daemon that is run periodically to seek out and erase core files, truncate administrative logfiles, nuke lost+found directories, and otherwise clean up.
- Proxy
- A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
- Psychological Operations (PSYOP)
- Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator's objectives. (JP 1-02).
- Public Key Cryptography
- Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
Q
R
- Red Book
- See Trusted Network Interpretation.
- Reference Monitor
- A security control concept in which an abstract machine mediates accesses to objects by subjects. In principle, a reference monitor should be complete (in that it mediates every access), isolated from modification by system entities, and verifiable. A security kernel is an implementation of a reference monitor for a given hardware base.
- Replicator
- Any program that acts to produce copies of itself examples include; a program, a worm, a fork bomb or virus. It is even claimed by some that UNIX and C are the symbiotic halves of an extremely successful replicator.
- Retro-Virus
- A retro-virus is a virus that waits until all possible backup media are infected too, so that it is not possible to restore the system to an uninfected state.
- Rexd
- This Unix command is the Sun RPC server for remote program execution. This daemon is started by inetd whenever a remote execution request is made.
- Risk Assessment
- A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
- Risk Management
- The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval.
- Rootkit
- A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.
- Router
- An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
- Routing Control
- The application of rules during the process of routing so as to chose or avoid specific networks, links or relays.
- RSA Algorithm
- RSA stands for Rivest-Shamir-Aldeman. A public-key cryptographic algorithm that hinges on the assumption that the factoring of the product of two large primes is difficult.
- Rules Based Detection
- The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities. Also known as Misuse Detection.
- Red Book
- See Trusted Network Interpretation.
- Reference Monitor
- A security control concept in which an abstract machine mediates accesses to objects by subjects. In principle, a reference monitor should be complete (in that it mediates every access), isolated from modification by system entities, and verifiable. A security kernel is an implementation of a reference monitor for a given hardware base.
- Replicator
- Any program that acts to produce copies of itself examples include; a program, a worm, a fork bomb or virus. It is even claimed by some that UNIX and C are the symbiotic halves of an extremely successful replicator.
- Retro-Virus
- A retro-virus is a virus that waits until all possible backup media are infected too, so that it is not possible to restore the system to an uninfected state.
- Rexd
- This Unix command is the Sun RPC server for remote program execution. This daemon is started by inetd whenever a remote execution request is made.
- Risk Assessment
- A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
- Risk Management
- The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval.
- Rootkit
- A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.
- Router
- An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
- Routing Control
- The application of rules during the process of routing so as to chose or avoid specific networks, links or relays.
- RSA Algorithm
- RSA stands for Rivest-Shamir-Aldeman. A public-key cryptographic algorithm that hinges on the assumption that the factoring of the product of two large primes is difficult.
- Rules Based Detection
- The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities. Also known as Misuse Detection.
S
- Samurai
- A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.
- SATAN
- Security Administrator Tool for Analyzing Networks - A tool for remotely probing and identifying the vulnerabilities of systems on IP networks. A powerful freeware program which helps to identify system security weaknesses.
- Secure Network Server
- A device that acts as a gateway between a protected enclave and the outside world.
- Secure Shell
- A completely encrypted shell connection between two machines protected by a super long pass-phrase.
- Security
- A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
- Security Architecture
- A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
- Security Audit
- A search through a computer system for security problems and vulnerabilities.
- Security Countermeasures
- Countermeasures that are aimed at specific threats and vulnerabilities or involve more active techniques as well as activities traditionally perceived as security.
- Security Domains
- The sets of objects that a subject has the ability to access.
- Security Features
- The security-relevant functions, mechanisms, and characteristics of AIS hardware and software.
- Security Incident
- Any act or circumstance that involves classified information that deviates from the requirements of governing security publications. For example, compromise, possible compromise, inadvertent disclosure, and deviation.
- Security Kernel
- The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
- Security Label
- Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non-hierarchical security categories (e.g., sensitive compartmented information, critical nuclear weapon design information).
- Security Level
- The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
- Security Officer
- The ADP official having the designated responsibility for the security of and ADP system.
- Security Perimeter
- The boundary where security controls are in effect to protect assets.
- Security Policies
- The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
- Security Policy Model
- A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.
- Security Requirements
- Types and levels of protection necessary for equipment, data, information, applications, and facilities.
- Security Service
- A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
- Security Violation
- An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to system resources.
- Server
- A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon which performs a service for the requester, which often runs on a computer other than the one which the server runs.
- Signaling System 7 (SS-7)
- A protocol used by phone companies. Has three basic functions: Supervising, Alerting and Addressing. Supervising monitors the status of a line or circuit to see if it is busy, idle, or requesting service. Alerting indicates the arrival of an incoming call. Addressing is the transmission of routing and destination signals over the network in the form of dial tone or data pulses.
- Simple Network Management Protocol (SNMP)
- Software used to control network communications devices using TCP/IP.
- Skipjack
- An NSA-developed encryption algorithm for the Clipper chip. The details of the algorithm are unpublished.
- Smurfing
- A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim thereby clogging its network.
- Snarf
- To grab a large document or file for the purpose of using it with or without the author's permission.
- Sneaker
- An individual hired to break into places in order to test their security; analogous to tiger team.
- Sniffer
- A program to capture data across a computer network. Used by hackers to capture user id names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
- Spam
- To crash a program by overrunning a fixed-site buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.
- Special Information Operations (SIO)
- Information Operations that by their sensitive nature, due to their potential effect or impact, security requirements, or risk to the national security of the United States, require a special review and approval process. (DODD S-3600.1 of 9 Dec 96).
- SPI
- Secure Profile Inspector - A network monitoring tool for Unix, developed by the Department of Energy.
- Spoofing
- Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. Attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.
- SSL (Secure Sockets Layer)
- A session layer protocol that provides authentication and confidentiality to applications.
- Subversion
- Occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.
- SYN Flood
- When the SYN queue is flooded, no new connection can be opened.
- Samurai
- A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.
- SATAN
- Security Administrator Tool for Analyzing Networks - A tool for remotely probing and identifying the vulnerabilities of systems on IP networks. A powerful freeware program which helps to identify system security weaknesses.
- Secure Network Server
- A device that acts as a gateway between a protected enclave and the outside world.
- Secure Shell
- A completely encrypted shell connection between two machines protected by a super long pass-phrase.
- Security
- A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
- Security Architecture
- A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
- Security Audit
- A search through a computer system for security problems and vulnerabilities.
- Security Countermeasures
- Countermeasures that are aimed at specific threats and vulnerabilities or involve more active techniques as well as activities traditionally perceived as security.
- Security Domains
- The sets of objects that a subject has the ability to access.
- Security Features
- The security-relevant functions, mechanisms, and characteristics of AIS hardware and software.
- Security Incident
- Any act or circumstance that involves classified information that deviates from the requirements of governing security publications. For example, compromise, possible compromise, inadvertent disclosure, and deviation.
- Security Kernel
- The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
- Security Label
- Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non-hierarchical security categories (e.g., sensitive compartmented information, critical nuclear weapon design information).
- Security Level
- The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
- Security Officer
- The ADP official having the designated responsibility for the security of and ADP system.
- Security Perimeter
- The boundary where security controls are in effect to protect assets.
- Security Policies
- The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
- Security Policy Model
- A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.
- Security Requirements
- Types and levels of protection necessary for equipment, data, information, applications, and facilities.
- Security Service
- A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
- Security Violation
- An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to system resources.
- Server
- A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon which performs a service for the requester, which often runs on a computer other than the one which the server runs.
- Signaling System 7 (SS-7)
- A protocol used by phone companies. Has three basic functions: Supervising, Alerting and Addressing. Supervising monitors the status of a line or circuit to see if it is busy, idle, or requesting service. Alerting indicates the arrival of an incoming call. Addressing is the transmission of routing and destination signals over the network in the form of dial tone or data pulses.
- Simple Network Management Protocol (SNMP)
- Software used to control network communications devices using TCP/IP.
- Skipjack
- An NSA-developed encryption algorithm for the Clipper chip. The details of the algorithm are unpublished.
- Smurfing
- A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim thereby clogging its network.
- Snarf
- To grab a large document or file for the purpose of using it with or without the author's permission.
- Sneaker
- An individual hired to break into places in order to test their security; analogous to tiger team.
- Sniffer
- A program to capture data across a computer network. Used by hackers to capture user id names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
- Spam
- To crash a program by overrunning a fixed-site buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.
- Special Information Operations (SIO)
- Information Operations that by their sensitive nature, due to their potential effect or impact, security requirements, or risk to the national security of the United States, require a special review and approval process. (DODD S-3600.1 of 9 Dec 96).
- SPI
- Secure Profile Inspector - A network monitoring tool for Unix, developed by the Department of Energy.
- Spoofing
- Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. Attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.
- SSL (Secure Sockets Layer)
- A session layer protocol that provides authentication and confidentiality to applications.
- Subversion
- Occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.
- SYN Flood
- When the SYN queue is flooded, no new connection can be opened.
T
- TCP/IP
- Transmission Control Protocol/Internetwork Protocol. The suite of protocols the Internet is based on.
- tcpwrapper
- A software tool for security which provides additional network logging, and restricts service access to authorized hosts by service.
- Term Rule-Based Security Policy
- A security policy based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
- Terminal Hijacking
- Allows an attacker, on a certain machine, to control any terminal session that is in progress. An attack hacker can send and receive terminal I/O while a user is on the terminal.
- Threat
- The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
- Threat Agent
- Methods and things used to exploit a vulnerability in an information system, operation, or facility; fire, natural disaster and so forth.
- Threat Assessment
- Process of formally evaluating the degree of threat to an information system and describing the nature of the threat.
- Tiger
- A software tool which scans for system weaknesses.
- Tiger Team
- Government and industry - sponsored teams of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes.
- Tinkerbell Program
- A monitoring program used to scan incoming network connections and generate alerts when calls are received from particular sites, or when logins are attempted using certain ID's.
- Topology
- The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
- Trace Packet
- In a packet-switching network, a unique packet that causes a report of each stage of its progress to be sent to the network control center from each visited system element.
- Traceroute
- An operation of sending trace packets for determining information; traces the route of UDP packets for the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination computer.
- Tranquillity
- A security model rule stating that the security level of an active object cannot change during the period of activity.
- Tripwire
- A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.
- Trojan Horse
- An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
- Trusted Computer System Evaluation Criteria (TCSEC)
- A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information.
- Trusted Computing Base (TCB)
- The totality of protection mechanisms within a computer system including hardware, firmware, and software - the combination of which are responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system.
- Trusted Network Interpretation
- The specific security features, the assurance requirements and the rating structure of the Orange Book as extended to networks of computers ranging from isolated LANs to WANs.
- TTY Watcher
- A hacker tool that allows hackers with even a small amount of skill to hijack terminals. It has a GUI interface.
- TCP/IP
- Transmission Control Protocol/Internetwork Protocol. The suite of protocols the Internet is based on.
- tcpwrapper
- A software tool for security which provides additional network logging, and restricts service access to authorized hosts by service.
- Term Rule-Based Security Policy
- A security policy based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
- Terminal Hijacking
- Allows an attacker, on a certain machine, to control any terminal session that is in progress. An attack hacker can send and receive terminal I/O while a user is on the terminal.
- Threat
- The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
- Threat Agent
- Methods and things used to exploit a vulnerability in an information system, operation, or facility; fire, natural disaster and so forth.
- Threat Assessment
- Process of formally evaluating the degree of threat to an information system and describing the nature of the threat.
- Tiger
- A software tool which scans for system weaknesses.
- Tiger Team
- Government and industry - sponsored teams of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes.
- Tinkerbell Program
- A monitoring program used to scan incoming network connections and generate alerts when calls are received from particular sites, or when logins are attempted using certain ID's.
- Topology
- The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
- Trace Packet
- In a packet-switching network, a unique packet that causes a report of each stage of its progress to be sent to the network control center from each visited system element.
- Traceroute
- An operation of sending trace packets for determining information; traces the route of UDP packets for the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination computer.
- Tranquillity
- A security model rule stating that the security level of an active object cannot change during the period of activity.
- Tripwire
- A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.
- Trojan Horse
- An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
- Trusted Computer System Evaluation Criteria (TCSEC)
- A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information.
- Trusted Computing Base (TCB)
- The totality of protection mechanisms within a computer system including hardware, firmware, and software - the combination of which are responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system.
- Trusted Network Interpretation
- The specific security features, the assurance requirements and the rating structure of the Orange Book as extended to networks of computers ranging from isolated LANs to WANs.
- TTY Watcher
- A hacker tool that allows hackers with even a small amount of skill to hijack terminals. It has a GUI interface.
U
V
- Vaccines
- Program that injects itself into an executable program to perform a signature check and warns if there have been any changes.
- Virus
- A program that can "infect" other programs by modifying them to include a, possibly evolved, copy of itself.
- Vulnerability
- Hardware, firmware, or software flow that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
- Vulnerability Analysis
- Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
- Vaccines
- Program that injects itself into an executable program to perform a signature check and warns if there have been any changes.
- Virus
- A program that can "infect" other programs by modifying them to include a, possibly evolved, copy of itself.
- Vulnerability
- Hardware, firmware, or software flow that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
- Vulnerability Analysis
- Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
W
- WAIS
- Wide Area Information Service - An Internet service that allows you to search a large number of specially indexed databases.
- WAN
- Wide Area Network. A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.
- War Dialer
- A program that dials a given list or range of numbers and records those which answer with handshake tones, which might be entry points to computer or telecommunications systems.
- Worm
- Independent program that replicates from machine to machine across network connections often clogging networks and information systems as it spreads.
- WAIS
- Wide Area Information Service - An Internet service that allows you to search a large number of specially indexed databases.
- WAN
- Wide Area Network. A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.
- War Dialer
- A program that dials a given list or range of numbers and records those which answer with handshake tones, which might be entry points to computer or telecommunications systems.
- Worm
- Independent program that replicates from machine to machine across network connections often clogging networks and information systems as it spreads.
X
Smart Cards
The growing need for Smart Cards in almost every conceivable industry has placed increasing urgency on cutting-end technology, which can facilitate multiple functions seamlessly and effectively. Today, with Smart Cards fast replacing magnetic strip cards, the applications and functionality are expanding in scope and dimension.
We are India's first Smart Card Manufacturer equipped with the state-of-the-art unit with the Capability of manufacturing 60 million cards per annum. Our capabilities extend to the manufacture of Contact, Contactless and Combi cards, which find diverse application across industry verticals such as Banking, Telecom, Transportation and Government.
Bartronics India Limited is an ISO 9001:2000 certified company and first Indian Card manufacturing Company to certify as SCOSTA compliant with ISO7816 standards for 4K/16K/32K/64K and E-passport. Bartronics is first Indian Company to produce Smart Cards from Sheets till personalization and also the first company to have CTP process in South East Asia.
A continuous technology innovation has enabled us to offer a range of Smart Cards including:
We are India's first Smart Card Manufacturer equipped with the state-of-the-art unit with the Capability of manufacturing 60 million cards per annum. Our capabilities extend to the manufacture of Contact, Contactless and Combi cards, which find diverse application across industry verticals such as Banking, Telecom, Transportation and Government.
Bartronics India Limited is an ISO 9001:2000 certified company and first Indian Card manufacturing Company to certify as SCOSTA compliant with ISO7816 standards for 4K/16K/32K/64K and E-passport. Bartronics is first Indian Company to produce Smart Cards from Sheets till personalization and also the first company to have CTP process in South East Asia.
A continuous technology innovation has enabled us to offer a range of Smart Cards including:
- Memory Cards: Memory Cards are designed primarily for storing information or values and are commonly used for applications such as disposable prepaid telephone cards for public telephones.
- Crypto Memory Cards: Crypto Controller Cards uses Cryptography, made possible by an embedded Micro Processor, which confers high degree of security making them Chip Operating System based Crypto Controller cards.
- GSM Cards: GSM Cards, better known as SIM cards are used for initial authentication and providing various utility based service facilities such as Call Counters, Billing & Payment Data Transaction management, Phone Number, Memory Storage etc.
- Contactless Cards: Contactless cards have the ability to communicate data without physical contact of cards with the reader. The antenna etched on card with Capacitance based power is able to emit Wireless Signals, carrying the electronic data to remote located Read/Write unit, within certain proximity of the card activation device or target.
They are ideal for mass transit, parking, and access control, toll ways and other high-throughput environments. These cards exhibit high reliability and promise lower maintenance costs. - Biometric Cards: Bio-Metric Cards are used in the fingerprint, the handprint, and the retina / iris scan, in which the hand or eye is electronically scanned and the output is stored as a unique number which can be easily compared.
- National Cards: A national identity card is a portable document, typically a plasticized card with digitally-embedded information, which someone is required to carry as a means of confirming their identity.
Applications of Smart Cards:
Smart cards are used in a wide range of industries worldwide to support access, identity, payment and other applications. Systems that are enhanced with smart cards can benefit from the added features and security that smart cards provide includes
Smart cards are used in a wide range of industries worldwide to support access, identity, payment and other applications. Systems that are enhanced with smart cards can benefit from the added features and security that smart cards provide includes
- Mobile Communications
- Banking & Retail
- Electronic Purse
- Health Care
- ID Verification and Access Control
- Transportation
RFID
RFID is the emerging technology for tracking goods and assets around the world. It is indispensable for a wide range of automated data collection and identification applications across the supply chain. Whether you are a consumer, industrial goods manufacturer, a logistics company, a retailer, home sales / services provider or health care provider, we provide the complete end to end RFID solutions automating the entire business process.
Bartronics equipped with state of the art manufacturing facility for RFID tags in Hyderabad, India. The facility is ISO 9001 certified and Capability to manufacture 80 Million tags per annum.
The facility and the products manufactured at Bartronics are certified for:
ARSENAL (Arsenal research is an independent research and test center located in Vienna, Austria and offers Mifare ® Certification for cards and terminals)
ATEX (Represents Atmospheres Explosives and was introduced by the EEC to become effective by 1st July 2003)
ICAR (International Committee for Animal Recording which sets standards for animal tagging applications).
Bartronics RFID Products conform to the industry standards and withstand the rigorous environment conditions. the products provide comprehensive security, protecting the privacy and integrity of your data and network while making the repetitive tasks simple, efficient, easily up gradable and everlasting.
Bartronics equipped with state of the art manufacturing facility for RFID tags in Hyderabad, India. The facility is ISO 9001 certified and Capability to manufacture 80 Million tags per annum.
The facility and the products manufactured at Bartronics are certified for:
ARSENAL (Arsenal research is an independent research and test center located in Vienna, Austria and offers Mifare ® Certification for cards and terminals)
ATEX (Represents Atmospheres Explosives and was introduced by the EEC to become effective by 1st July 2003)
ICAR (International Committee for Animal Recording which sets standards for animal tagging applications).
Bartronics RFID Products conform to the industry standards and withstand the rigorous environment conditions. the products provide comprehensive security, protecting the privacy and integrity of your data and network while making the repetitive tasks simple, efficient, easily up gradable and everlasting.
list of electronics companies that offered us the most comprehensive range of electronic smart card products including the latest releases of the best producers in the world of electronic devices can be seen below:
Manufacturers List
ELECTRONIC MANUFACTURES