In smart cards, the DES algorithm is primarily used in the two block-oriented modes (ECB and CBC). However, since the data communicated to the card do not always fit exactly into a certain number of blocks, it is occasionally necessary to fill up a block. Filling up a data block so that its length is an exact multiple of a given block size is called padding. The recipient of a padded data block has a problem after the data have been decrypted, since he does not know where the actual data stop and the padding bytes start. One solution to this would be to state the length of the message at the beginning of the message, but this would change the structure of the message, which is generally undesirable. It would also be especially onerous with data that do not always have to be encrypted, since in this case no padding would be needed and thus no length as well. In many cases, therefore, the structure of the message may not be changed. This means that a different method must be used to identify the padding bytes. The algorithm defined in the ISO/IEC 9797 standard is described here in detail as an example, although there are a variety of other methods available. The most significant bit (msb) of the first padding byte following the useful data is set to 1. This byte thus has the hexadecimal value’80′. If additional padding bytes are needed, they have the value’00′. The recipient of the padded message thus searches from the beginning to the end of the message for a byte with the msb set to 1, or for the value ’80′. If such a byte is found, the recipient knows that this byte and all subsequent bytes are padding bytes and not part of the message. In this regard, it is important for the recipient to know whether messages are always padded or padded only if necessary. If padding only takes place when the length of the data to be encrypted is not an integer multiple of the block length, the recipient must take this into account. Consequently, there is often an implicit understanding that padding always takes place, which of course has the disadvantage that occasionally an unnecessary block of padding data must be encrypted, transferred and decrypted. In some applications, only the value ’00′ is used for padding. This is because this value is normally used for padding in MAC computations, and using only one padding algorithm reduces the size of the program code. Of course, in this case the application must know the exact structure of the data to allow it to distinguish between user data and padding.

Message authentication code and cryptographic checksum
The authenticity of a message is far more important than its confidentiality. The term ‘authenticity’ means that the message has not been altered or manipulated, and is thus genuine. To ensure authenticity, a ‘message authentication code’ (MAC) is computed and appended to the message before it is sent to the recipient. The recipient can then compute the MAC for the message and compare it with the received MAC. If the two values match, the message has not been altered during its journey. A cryptographic algorithm with a secret key is used to generate a MAC. This key must be known to both parties to the communication. In principle, a MAC is a sort of error detection code (EDC), which can naturally only be verified if the associated secret key is known. For this reason, the term ‘cryptographic checksum’ (CCS) is also used (as well as some other terms), but technically a CCS is fully identical to a MAC. In general, the difference between the two terms is that ‘MAC’ is used for data transmission and ‘CCS’ is used for all other applications. The term ‘signature’ is often encountered as an equivalent to ‘MAC’. However, this is not the same as a ‘digital signature’, since the latter is generated using an asymmetric cryptographic algorithm. In principle, any cryptographic algorithm can be used to compute a MAC. In practice, however, the DES algorithm is used almost exclusively. This algorithm is used here to demonstrate the process (see Figure 4.35). If the message is encrypted using the DES algorithm in the CBC mode, each block is linked to its previous block. This means that the final block depends on all previous blocks. This final block, or a portion of it, represents the MAC of the message. However, the actual message remains in plaintext, rather than being transmitted in encrypted form. There are a fewimportant conditions relating to generating aMACusing the DES algorithm. If the length of the message is not an exact multiple of eight bytes, it must always be extended, which generally involves padding. However, in most cases only the value ’00′ is used for padding (in line with ANSI X.99 – Message Authentication). This is allowed in this case because there must be prior agreement regarding the length and location of the MAC within the message. The actual MAC consists of the left-most (most significant) four bytes of the final block produced by CBC-mode encryption. However, the padding bytes are not sent when the message is transmitted. This limits the data to be transmitted to the protected data and the appended MAC.

The sole objective of all administrative principles relating to keys for cryptographic algorithms is to minimize the consequences to the system and the smart card application if one or more secret keys become known to unauthorized persons. If it could be guaranteed that the keys would always remain secret, a single secret key for all smart cardswould be sufficient. However, it is impossible to guarantee such secrecy. Using the security-enhancing principles described here for keys used with cryptographic algorithms causes the number of keys to increase dramatically. If all of the principles and methods described in this section are implemented in a single smart card, the keys will usually take up more than half of the memory available for application data. However, it is not always necessary to use every possible principle and method, depending on the application. For example, there is no need to support multiple generations of keys if the card is valid for only a limited length of time, since the additional administrative effort and memory space cannot be justified.

Derived keys
Since smart cards, in contrast to terminals, can be taken home by anyone and possibly subjected to thorough and painstaking analysis, they are naturally exposed to the most severe attacks. If no master key is present in the card, the consequences of a successful attempt to read out the card contents can be minimized. Consequently, the keys that are found in the card are only those that have been derived from a master key. Derived keys are generated using a cryptographic algorithm. The input values are a cardspecific feature and a master key. The triple-DES or AES algorithm is usually used. For the sake of simplicity, the card number is usually used as the specific feature. This number, which is generated when the card is manufactured, is unique in the entire system and can be used throughout the system to identify the card. Derived keys are thus unique. One function that can be used to generate derived keys, as illustrated in Figure 4.36, is: derived key = enc (master key; card number)

Key diversification
In order to minimize the consequences of a key being compromised, a separate key is often used for each cryptographic algorithm. For example, different keys can be used for signatures, secure data transmission, authentication and data encrypting. For each type of key, there must be a separate master key from which the individual keys can be derived.

Key versions
It is normally not adequate to employ only one key generation for the full lifetime of a smart card. For example, suppose that a master key could be computed as the result of a successful attack. In this case, all application vendorswould have to shut down their systems and card issuers would have to replace all their cards. The resulting loss would be enormous. Consequently, all modern systems include the possibility of switching to a new key generation. Switching to a new generation of keys may be forced by the fact that a key has been compromised, but it can also take place routinely at a fixed or variable interval. The result of a switch is that all of the keys in the system are replaced by new ones, without any need for the cards to be recalled. Since the master keys are located in the terminals and the higher level parts of the system, a secure data exchange is all that is needed to provide new, confidential keys to the terminals.