AUTHENTICATION
The purpose of authentication is to verify the identity and genuineness of a communications partner. Translated into the world of smart cards, this means that the card or the terminal determines whether its communications partner is a genuine terminal or a genuine smart card, respectively. For the sake of clarity, the term ‘identification’ is consistently used in this book to refer to verifying the authenticity of persons, although in principle it falls under the general concept of authentication.

Authentication requires the communicating parties to share a common secret that can be verified by means of an authentication procedure. Such a procedure is significantly more secure than a pure identification procedure, such as a PIN test. In the latter case, all that happens is that a secret (the PIN) is sent to the card, which confirms its genuineness if it is correct. The drawback of this procedure is that the secret is sent as plaintext to the card, which means that an attacker could easily come to know the secret (the PIN). By contrast, with an authentication procedure it is not possible to discover the common secret by tapping the communications channel, since the secret does not have to be sent openly via the interface.

A distinction is also made between static and dynamic authentication. In a static procedure, the same (static) data are always used for the authentication. A dynamic procedure, by contrast, is constructed such that it is protected against being attacked by reentering data recorded during a previous session. This is because each authentication is based on different data when dynamic authentication is used.

There is also a fundamental difference between unilateral and mutual authentication procedures. A unilateral authentication, if it is successful, establishes the authenticity of one of the two communications partners. Mutual authentication, when successful, establishes the authenticity of both of the communications partners.

Authentication procedures based on cryptographic algorithms and used with smart cards can be further classified into symmetric and asymmetric procedures. Currently, the procedures used with smart cards are almost exclusively symmetric. Due to their slow execution speeds, asymmetric procedures, which means those based on the RSA algorithm or similar algorithms, do not yet have any practical significance with regard to smart card systems. However, it can be foreseen that this will change in the future. In any case, the operating principle of asymmetric procedures is the same as that of symmetric procedures.

There are several standards relating to the authentication of equipment. The ISO/IEC 9798 standard is the most prominent of these. Part 2 of this standard describes symmetric procedures, while Part 3 describes asymmetric procedures. Fundamentally, the five parts of the ISO/IEC 9798 standard form an outstanding compilation of the commonly used authentication procedures, including symmetric, asymmetric, MAC-based and zero-knowledge-based procedures.

The principle of authentication in the field of smart cards is always based on a challenge–response procedure. In this procedure, one of the communications partners first asks the other one a randomly generated question (the challenge). The second partner computes an answer using an algorithm and sends the answer (the response) back to the first one. Naturally, the algorithm is preferably an encryption using a shared secret key that represents the common secret of the two communications partners.

Symmetric unilateral authentication
A unilateral authentication serves to assure one party of the trustworthiness of the other party to a communication. For it to be possible, both parties must have a shared secret, the knowledge of which is verified by the authentication procedure. This secret is the key for an encryption algorithm, and the entire security of the authentication procedure depends on this key. If the key should become known, an attacker could authenticate himself just as readily as a genuine communications partner.

The principle of unilateral authentication with a symmetric cryptographic algorithm is illustrated in Figure 4.47. For the sake of clarity, it is assumed that the terminal authenticates a smart card. This means that the terminal determines whether the smart card is trustworthy. The terminal generates a random number and sends it to the smart card. This is the challenge. The smart card encrypts the random number it receives, using a key known to both the card and the terminal. The security of the procedure depends on this key, since only the possessor of the secret key can generate the correct response to be sent to the terminal. The card then returns the result of the encryption to the terminal. This is the response to the challenge. The terminal uses the secret key to decrypt the encrypted random number it has received, and then compares the result with the random number it originally sent. If the two numbers match, the terminal knows that the smart card is authentic.

This procedure cannot be attacked by replaying a challenge or response that has been intercepted from an earlier session, since a different random number is generated for each session. The only type of attack with a moderately good chance of success would be to systematically search for the secret key. Since the challenge and response are simply a plaintext–ciphertext pair, the secret key could be discovered using a brute-force attack.

If all the cards for a given application have the same key and this key becomes known, the entire system will be discredited. In order to avoid exactly this possibility, in practice only card-specific keys are used as a matter of principle. This means that every card has an individual key, which may be derived from a non-secret feature of the card. This specific feature can be the serial number of the chip, which is written to the chip when it is manufactured, or some other number that is specific to each card.

In this case, the terminal requests the chip number from the smart card in order to compute the card-specific key. The chip number is specific to the card and unique within the system, so there is no other card in the system that matches this card. The value of the card-specific secret key is a function of the card number and the master key, which is known to the terminal. In practice, a portion of the card number is encrypted using the master key, and the result is used as the card-specific authentication key. A DES or triple-DES algorithm can be used for the encryption. It must of course be borne in mind that if the master key (which is known only to the terminal) becomes compromised, the entire system will be compromised, since all card-specific authentication keys can be computed using the master key. The master key must therefore be securely stored in the terminal (in a security module, for example), and, if possible, it should be actively erasable in case of an attack.

Once the terminal has computed the necessary authentication key for the card, the usual challenge–response procedure occurs. The smart card receives a random number, encrypts it using its individual key and returns the result to the terminal. The terminal executes the reverse function of the computation performed by the card and compares the two results. If they match, the terminal and the smart card have a common secret, which is the secret card-specific key, and the smart card has been authenticated by the terminal.

In this case, the authentication process is somewhat time-intensive due to the use of the DES algorithm (to the extent that it is implemented in software) and the data transmission from and to the card. This can cause problems in some applications. Given certain assumptions, we can roughly calculate the time required to perform a unilateral authentication.
We assume that the smart card has a 3.5-MHz clock, uses the T = 1 transmission protocol, has a divisor of 372 and uses a DES algorithm that takes 17 ms per block. Without going into details, we assume that the internal routines in the smart card take 9 ms. This simplifies the calculation without significantly distorting the result, which is shown in Table 4.21. As can clearly be seen from this calculation, a single authentication takes around 65 ms. This will not usually cause any time-related problems in an application.
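
The unilateral authentication with a card-specific derived key described above, as an added Go example that is not taken from the book. The function names, the 8-byte chip number, the 24-byte master key, triple-DES for the key derivation and single DES for the response are assumptions made for illustration; the whole chip number is encrypted here rather than a portion of it.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// deriveCardKey encrypts the chip number under the master key (triple-DES assumed).
func deriveCardKey(masterKey, chipNumber []byte) []byte {
	c, err := des.NewTripleDESCipher(masterKey) // rejects keys that are not 24 bytes
	if err != nil || len(chipNumber) != des.BlockSize {
		return nil
	}
	key := make([]byte, des.BlockSize)
	c.Encrypt(key, chipNumber) // the ciphertext is the card-specific DES key
	return key
}

// cardRespond is the card side: encrypt the challenge with the card's own key.
func cardRespond(cardKey, challenge []byte) []byte {
	c, err := des.NewCipher(cardKey)
	if err != nil || len(challenge) != des.BlockSize {
		return nil
	}
	resp := make([]byte, des.BlockSize)
	c.Encrypt(resp, challenge)
	return resp
}

// authenticateCard is the terminal side: fresh challenge, decrypt response, compare.
func authenticateCard(masterKey, chipNumber []byte, card func([]byte) []byte) bool {
	c, err := des.NewCipher(deriveCardKey(masterKey, chipNumber))
	challenge, plain := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	_, rerr := rand.Read(challenge) // a new random number for every session
	resp := card(challenge)
	if err != nil || rerr != nil || len(resp) != des.BlockSize {
		return false
	}
	c.Decrypt(plain, resp) // reverse of the card's computation
	return subtle.ConstantTimeCompare(plain, challenge) == 1
}

func main() { // constructed sample values: 24-byte master key, 8-byte chip number
	master, chip := []byte("constructed-master-key24"), []byte("CHIP0001")
	key := deriveCardKey(master, chip) // stored in the card at personalisation
	card := func(ch []byte) []byte { return cardRespond(key, ch) }
	fmt.Println("genuine card accepted:", authenticateCard(master, chip, card))
}
```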