Phase 3 primarily covers the part of the life cycle consisting of the visual and electrical personalization of the smart card. As with Phase 2, this phase normally occurs in a highly automated production environment that is designed for processing large numbers of cards.

Generating card-specific secret data
As a rule, the individual data for personalization are provided by the card issuer on a data storage medium or via data telecommunications. However, a special method is often used for providing secret data, such as PINs and keys, since such data must remain secret under all circumstances and are only allowed to be generated in highly secure environments. There are four methods that are used in practice for PINs. The simplest option is to generate a trivial PIN, which the cardholder must change to a PIN of his or her choice the first time the card is used (and before actually using the card for a valid transaction). However, for a variety of reasons this method cannot be implemented in all systems, even though it has the advantage of not requiring the printing and posting of PIN letters. A somewhat more elaborate option for producing PINs is for the card issuer to generate the PINs using a good random number generator, followed by secure transfer of the PINs to the card personalizer. The latter then writes the PINs to the cards to be personalized using the usual secure mechanisms and generates the associated PIN letters. A variation of this option is to generate the PINs in the cards, followed by the secure transfer of the PINs to the personalization machines for use in further processing.

The third possibility is generation of random PINs by the card personalizer. These PINs, which are generated in a secure environment, are written to the appropriate data fields in the smart cards, as with the previous options. In parallel with this, PIN letters are generated and sent to the cardholders. The associated smart cards reach the cardholders via a separate path. If the card issuer needs to have the PINs that have been generated in this manner, they can be provided to him in a secure manner. Otherwise it is generally not necessary to store the generated PINs anywhere except in the smart cards. Another way to generate PINs is to use an algorithm, which may be a cryptographic algorithm, to compute card-specific PINs using data present in the cards and a master key. The drawback of this method is that the master key and (in some cases) the algorithm must be kept secret. If the secret data to be generated are not PINs, but instead keys for cryptographic algorithms, essentially similar methods can be used. The principal difference is that in this case it is not necessary to generate PIN letters, although the keys must be provided to the system operator in a secure manner. This is done using what is called the ‘response data’, which are transferred from the party that generates the keys to the system operator in a cryptographically secured form via data telecommunications or a physical data storage medium.
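The algorithmic method mentioned above, computing a card-specific PIN from card data and a master key, is illustrated by the following added example, which is not part of the original text. HMAC-SHA256 is an assumed stand-in for the unspecified algorithm, the 4 to 12 digit limit and all names are assumptions, and the second function shows why a plain modulo reduction to decimal digits is avoided.

```python
import hashlib
import hmac

def derive_pin(master_key, card_data, digits=4):
    """Compute a card-specific PIN from card data and a master key."""
    if not 4 <= digits <= 12:                 # assumed PIN length limits
        raise ValueError("PIN length must be 4 to 12 digits")
    modulus = 10 ** digits
    # Values at or above `bound` are rejected so every PIN is equally likely.
    bound = (2 ** 64 // modulus) * modulus
    counter = 0
    while True:
        block = hmac.new(master_key, card_data + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for offset in range(0, 32, 8):        # four 64-bit candidates per block
            value = int.from_bytes(block[offset:offset + 8], "big")
            if value < bound:
                return f"{value % modulus:0{digits}d}"
        counter += 1

def reduction_counts(bits, digits, reject):
    """Map every `bits`-wide value to a PIN; return (min, max) hits per PIN."""
    modulus = 10 ** digits
    bound = (2 ** bits // modulus) * modulus
    hits = [0] * modulus
    for value in range(2 ** bits):
        if reject and value >= bound:
            continue
        hits[value % modulus] += 1
    return min(hits), max(hits)

if __name__ == "__main__":
    km = bytes(range(32))                     # constructed master key
    print(derive_pin(km, b"CARD-0001"))       # same inputs always give the same PIN
    print(reduction_counts(16, 4, reject=False))  # some PINs occur more often
    print(reduction_counts(16, 4, reject=True))   # uniform after rejection
```

Because the PIN is a pure function of the card data and the master key, anyone holding that key can recompute every PIN, which is the drawback the text names.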

Transferring data to the smart card
There are two fundamentally different methods that can be used to store the initialization data in the memory of the microcontroller. The first method, which aims to avoid direct physical addressing of the memory, uses only logical addresses in the microcontroller for initialization and personalization as much as possible. From a purely theoretical perspective, this is the preferable method, since it avoids the need to use physical addresses outside of the smart card. This automatically eliminates many potential sources of errors, and within certain limits it also makes loading data into the smart card independent of the type of microcontroller present in the smart card. The drawback of this approach is that it significantly increases the time required for initialization and personalization, and particularly in the case of mass production, time is a very critical factor. Consequently, there is a second method that is used in practice to load data into smart cards, which involves writing the initialization data directly to the microcontroller memory using externally specified physical addresses. This significantly reduces the amount of time required compared with a method based on logical addresses. Unfortunately, with this approach it is necessary to work with physical addresses external to the card, which carries corresponding drawbacks with regard to susceptibility to error and general usability. In practice, the method used is generally determined on a case-by-case basis. If the number of smart cards to be produced is sufficiently large, the increased cost of the software for the initialization machinery and the necessarily complicated testing can be justified.

In order to write data directly to physical addresses, the data must be suitably prepared in advance. One way to do this involves mimicking the complete file management system of the smart card operating system in the form of a simulation. A conversion program can then be used to load the data to be written into the appropriately coded file bodies of the simulation and provide them with their associated file headers. After this, all that is necessary is to relocate the files constructed in this manner to the proper addresses in memory. Naturally, the entire process must be performed without errors and in a manner that is matched to the operating system in question. Following this, the data can be read from the simulation and directly written to physical memory addresses in the smart card, using the usual commands. Unfortunately, this approach has not proved to be worthwhile in practice, since its costs far outweigh its potential benefits. In addition, the cost of testing to ensure the absence of errors, using expensive black-box tests, would be excessive. Consequently, this method is rarely used. The commonly used method is much simpler. A smart card containing a dump routine in an otherwise unused area of memory is first initialized using file management commands, which use logical addresses. The initialized memory is then read out using the dump routine, and the data so obtained are written to the physical addresses of the smart card to be initialized. This allows initialization and personalization times to be reduced by as much as 30 %. In principle, this method can be considered to be cloning. Its major advantage is that it is simple and robust, and the only critical aspect is that the smart card containing the dump routine must never be allowed to leave the processing facility. If this smart card were fully personalized, the dump routine it contains could be used to read out all of the secret data. 
Consequently, this smart card has suitable mechanisms to prevent it from ever being misused for reading out memory as the result of an exchange or an attack. This can be achieved relatively simply, for example by having the dump routine automatically delete itself the next time the card is reset. In this case, the smart card can be used only during a single session, since it will lose its dump capability the first time its supply voltage is interrupted.

Personalization / individualization
The next step in producing a smart card that is ready to be sent to the user is personalization, which is sometimes called individualization. In a more general sense, personalization means loading all data assigned to a particular person or a particular card into the smart card. This might be a name and address, for example, but it could also be card-specific keys. What is important is that the data are specific to a particular card. A basic distinction is made between visual and electrical personalization. The embossing characters, as well as text or pictures applied to the card using laser engraving, constitute the visual part of personalization. The electrical part consists of loading personal data into the microcontroller and writing data to the magnetic stripe. The processing time for visual personalization depends very strongly on the specific features and cannot be generally stated. Electrical personalization usually takes between 5 and 20 seconds, depending on the amount of data. Embossing names and similar card-specific, character-based information is performed by a machine in which metal letter punches are hammered against the rear of the card at great speed and with considerable force. Since this is a relatively simple procedure, but one that is very loud and produces a lot of vibration, the embossing machines are usually physically separated from the rest of the processing equipment. Laser engraving equipment, which can be used to darken regions just below the overlay foil of the card body using a laser beam, is very often employed instead of mechanical embossing. This technique is also useful if it is necessary to have a black-and-white picture on the card body.

The data for the chip are written to the memory in the same way as for initialization. However, to the extent that this involves secret keys, cryptographically protected data transmission is often used to prevent an attacker from deriving any benefit from tapping the data line. For cards that are used for financial transactions, an even more complex method is sometimes used. This involves using a special security module in the personalization machine to re-encrypt the encrypted personalization data received from the card issuer and then load it directly into the smart card. The advantage of this method is that the personalizer does not know the secret data in the card and also has no possibility of spying it out by tapping the data lines. The technical trend in smart card personalization is increasingly heading in the direction of using a process that is cryptographically fully secured. This means that in principle the work can be performed by inexpensive service firms in non-secure facilities. Nowadays, there are also processes in which the personalizer receives the card-specific data recorded on a CD-ROM. In this case, the production data set with its associated card-specific key is inseparably linked to the unique chip number of the microcontroller. Among other things, this makes it impossible for the personalizer to produce duplicates of smart cards, unless he can somehow manipulate the operating system. However, this method has the disadvantage that some of the delivered data sets cannot be used if any of the chips are faulty, since the defective chips are no longer available. If this method is used, the personalizer must always report back to the party that generated the data to inform them which chips have actually been processed. This is not necessary with the personalization methods that are presently in common use, since it is easy to reproduce a faulty card. Incidentally, this is also why the personalization facilities of card producers are always secure areas. Unfortunately, the cryptographic procedures and security measures used in the realm of personalization are largely secret, so it is not possible for us to describe any specific application. However, Figure 10.63 shows an example of an initialization process followed by a personalization process, as seen from a cryptographic perspective. For the cryptographic protection to be effective, these two production steps must take place in separate rooms using separate personnel.

The illustrated procedure works as follows. During initialization, a card-specific key (KD) is derived in a security module using a unique chip number and a master key (KM). This key is sent as plaintext to the card, where it is stored. Naturally, a lot of other data must be written to the smart card during the initialization, but generating and storing the card-specific key KD is the only cryptographically relevant step. Following this, the card is personalized. This can be done immediately following the initialization, but it may also be done several weeks later. The important factor is that personalization must be completely separate from initialization, in order to prevent a KD that has been illicitly acquired during initialization from being used during personalization to decrypt the card-specific data. In the personalization process, the personalization data that have been encrypted using a shared key are decrypted for each individual card by the security module. This is necessary because the producer of the personalization data does not know the individual chip numbers, which are independently generated by the semiconductor manufacturer. The security module then computes the card-specific key (KD) from the card number that it receives from the smart card and the master key (KM). Now the security module and the smart card have a shared secret in the form of KD. This is used to encrypt the personalization data, which are then transferred in encrypted form to the smart card, where they are decrypted and written to the appropriate locations in the EEPROM. This process provides complete cryptographic protection of the personalization procedure. It protects the data to be used for personalization against being spied out, as long as the key (KD) that is written to the card during the initialization remains secret.
Figure 10.64 shows an alternative method for securely loading data into smart cards, in which the first step consists of having the smart card and the terminal agree on a common secret key by means of a Diffie–Hellman key exchange. After this, the data are transmitted to the smart card in encrypted form using this key. The major advantage of this method is that it never involves transmitting a secret key in non-encrypted form. At the conclusion of the personalization process, the personalization machine runs several quality control tests on the finished smart card. In the latest machines, for example, each card is scanned by a camera and the visual personalization is evaluated by a computer and checked against a production database. In case of an error, the card is ejected into a faulty-card bin and a new copy of the card is automatically produced. Normally, the personalization data in the microcontroller are also checked. However, this is technically difficult to do, since read access to many of the files is no longer allowed. Consequently, special security modules for these tests are frequently present in personalization machines. These modules contain secret master keys with which the personalized keys in the smart cards can be tested for correctness, possibly via an authentication.
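The initialization and personalization procedure of Figure 10.63 described above (KD derived from the chip number and KM, stored in the card, then used to re-encrypt the issuer's data for that one card) can be traced in code as follows. This is an added example, not taken from the original text: HMAC-SHA256 stands in for the unspecified key derivation and cipher, and all function names, chip numbers and the sample record are constructed.

```python
import hashlib
import hmac
import secrets

def derive_kd(km, chip_number):
    """Security module: card-specific key KD from master key KM and chip number."""
    return hmac.new(km, b"KD" + chip_number, hashlib.sha256).digest()

def _stream(key, nonce, length):
    out = b""                       # HMAC in counter mode as a stand-in cipher
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]

def seal(key, plaintext):
    """Encrypt, then authenticate: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))

class Card:
    def __init__(self, chip_number):
        self.chip_number, self.kd, self.eeprom = chip_number, None, None

    def initialize(self, kd):
        self.kd = kd                          # KD arrives as plaintext in this step

    def personalize(self, blob):
        self.eeprom = unseal(self.kd, blob)   # decrypt with KD, write to EEPROM

def reencrypt_for_card(km, shared_key, issuer_blob, chip_number):
    """Security module in the personalization machine: shared key -> KD."""
    record = unseal(shared_key, issuer_blob)
    return seal(derive_kd(km, chip_number), record)

def run_flow():
    km, shared_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b"holder=EXAMPLE;app_key=00112233445566778899"  # constructed sample
    issuer_blob = seal(shared_key, record)    # as delivered by the card issuer
    card_a, card_b = Card(b"CHIP-000001"), Card(b"CHIP-000002")
    for card in (card_a, card_b):             # initialization room
        card.initialize(derive_kd(km, card.chip_number))
    wire = reencrypt_for_card(km, shared_key, issuer_blob, card_a.chip_number)
    card_a.personalize(wire)                  # personalization room
    try:
        card_b.personalize(wire)              # same data set, different chip
        other_chip_accepts = True
    except ValueError:
        other_chip_accepts = False
    return {"card_a_loaded": card_a.eeprom == record,
            "plaintext_on_wire": record in wire,
            "other_chip_accepts": other_chip_accepts,
            # KD observed at initialization opens the data: keep the steps apart.
            "init_kd_opens_wire": unseal(card_a.kd, wire) == record}
```

The last entry of the result shows why the text insists on separate rooms and personnel: the protection holds only while the KD written during initialization stays secret.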

Another approach is to provide the personalizer with command strings and corresponding response strings for each individual card. The personalizer then sends these commands in the correct sequence to the smart card and compares the responses received from the card with the responses accompanying the commands. If they do not match, the smart card is not behaving as expected and a personalization error must have occurred. With this method, it is not necessary to have a special security module for the tests in the personalization machine. Once a smart card has been personalized, it is generally not possible to reverse the process, which means that an incorrectly personalized smart card is worthless. Of the various processes, electrical personalization is the most prone to errors, and any errors that occur in the personalization of a large batch of cards would result in major financial losses and delays. Consequently, there are a few smart card operating systems that allow the complete personalization to be fully deleted following a suitable authentication. With regard to the operating system, the smart card afterwards behaves the same as after semiconductor fabrication or completion. This capability is sometimes used for test cards, since it makes it possible to modify the software in the card instead of scrapping the card every time the software changes. Occasionally, such smart card operating system mechanisms are enabled for regular cards, thus allowing cards to be depersonalized if necessary. Generally speaking, smart card personalization is not performed for quantities less than (typically) 10,000 cards. However, many applications require the ability to reproduce individual, customer-specific smart cards. For instance, it must be possible to replace a defective or lost Eurocheque smart card within a few days, since otherwise the cardholder will no longer be able to obtain money from cash dispensers.
With an increasing level of customer friendliness, there is an increasing demand for this sort of just-in-time personalization equipment. It is usually installed alongside the mass-production personalization equipment, receives card data via data telecommunications and uses smart cards that have already been initialized and held as partly-finished products. With this sort of card production, provision of a replacement card to the end user (the cardholder) within 24 hours can be guaranteed, should this be necessary. Such equipment, which is designed for fast turnaround, is naturally not suitable for the mass production of smart cards.
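The test method based on command strings and response strings described above is shown in the following added example, which is not part of the original text. The data generator, who knows the card's key, precomputes the expected responses, and the personalizer only compares byte strings. The simulated card, the truncated HMAC-SHA256 authentication response and the sample data are assumptions; the command headers follow ISO/IEC 7816-4 (READ BINARY, INTERNAL AUTHENTICATE).

```python
import hashlib
import hmac
import secrets

SW_OK, SW_BAD_INS = b"\x90\x00", b"\x6d\x00"    # ISO/IEC 7816-4 status words

class SimCard:
    """Constructed stand-in for a personalized card."""
    def __init__(self, kd, holder):
        self._kd, self._holder = kd, holder

    def transmit(self, apdu):
        ins = apdu[1]
        if ins == 0x88:       # INTERNAL AUTHENTICATE: prove knowledge of the key
            challenge = apdu[5:5 + apdu[4]]
            return hmac.new(self._kd, challenge, hashlib.sha256).digest()[:8] + SW_OK
        if ins == 0xB0:       # READ BINARY on a freely readable holder file
            return self._holder + SW_OK
        return SW_BAD_INS

def build_test_script(kd, holder, rounds=2):
    """Data generator: precompute (command, expected response) pairs for one card."""
    script = [(bytes([0x00, 0xB0, 0x00, 0x00, len(holder)]), holder + SW_OK)]
    for _ in range(rounds):
        challenge = secrets.token_bytes(8)
        command = bytes([0x00, 0x88, 0x00, 0x00, len(challenge)]) + challenge
        mac = hmac.new(kd, challenge, hashlib.sha256).digest()[:8]
        script.append((command, mac + SW_OK))
    return script

def verify_card(card, script):
    """Personalizer: send the commands in order, compare; needs no key at all.

    Returns None if every response matches, else the index of the first mismatch.
    """
    for index, (command, expected) in enumerate(script):
        if not hmac.compare_digest(card.transmit(command), expected):
            return index
    return None

if __name__ == "__main__":
    kd, holder = secrets.token_bytes(32), b"EXAMPLE HOLDER"   # constructed values
    script = build_test_script(kd, holder)
    print(verify_card(SimCard(kd, holder), script))           # correctly personalized
    print(verify_card(SimCard(bytes(32), holder), script))    # wrong key written
```

Fresh random challenges per card mean the delivered response strings are useless for any other card, and a wrongly written key is caught at the first authentication command.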

Envelope stuffing and shipping
The final processing step in the production of smart cards is packing and shipping the cards. This is not necessary with some types of cards, such as pre-paid phone cards, which are frequently supplied en masse to the card issuer. However, with more sophisticated and expensive cards it is common for the cardholder to receive a personalized letter containing his or her new card. With some applications, such as credit cards, the cardholder also receives a letter with the PIN. For reasons of security, this is sent separately and a few days later than the card. The area in which all of these activities take place is often called the lettershop. The envelope of the PIN letter is made with a carbon-paper coating on the inside. This allows a slip of paper inside the envelope to be printed from the outside using a dot-matrix impact printer. The envelope is constructed such that an unauthorized person cannot read the printed PIN code without visibly damaging the envelope. These measures ensure that it is not possible for someone to spy out PIN codes without being noticed, even while the PIN letters are being generated. High-performance printing systems for PIN letters can print up to 34,000 documents per hour. For posting the cards, the personal information (such as the cardholder’s name and address) is either read from the card or retrieved from the production database, depending on the card type. This information is printed on a ‘card carrier’, which is a pre-printed letter, using a high-throughput laser printer. The letter may have two punched slots to hold the corners of the card. Alternatively, a strip of easily removable adhesive material is often used to attach the card to the letter. Following this, the card carrier is folded and inserted into an envelope. After the envelope has been franked, the smart card with the personalized letter is ready to be posted to the cardholder.
High-performance envelope stuffing machines have a throughput of around 7000 letters per hour.

The final quality control step is to automatically weigh the finished letters containing the cards. The weight of the card, which is around 6 grams, is easily sufficient to ensure reliable verification that each envelope actually contains a card. In order to minimize postage costs, it is common to presort the letters by postal code before handing them over to the post office. This optimization is most easily realized by producing the cards in the order necessary to satisfy the postal sorting criteria (such as a regional code followed by a local code). Practical experience with even such simple things as sending cards by post repeatedly brings new and interesting problems to light. For instance, one time a major producer of smart cards was confronted with sudden failures in smart cards sent by post. When the cause of these failures was investigated, it was discovered that the responsible postal distribution center had changed the arrangement of the feed rollers in the sorting machine. With the new arrangement, the letters containing the smart cards were bent so severely during sorting that the chips inside the modules broke in some of the cards. The problem was solved by shifting the position of the card on the carrier by a few centimeters. For this and other, similar reasons, a few hundred test letters are often posted in the target region and then analyzed prior to a major mailing, in order to ensure that the smart cards will not be damaged during transport or sorting. The production steps and phases that have been described thus far represent a mass production process, which is standard for cards such as GSM cards and credit cards with chips. Other applications or card issuers may have other basic requirements with regard to card production. For example, some GSM smart cards are personalized ‘on site’ in the shop and then handed directly to the customer. 
The customer naturally receives a favorable impression of the competence and capability of the shop if he or she can receive a personalized card immediately after subscribing and paying. However, this depends very strongly on the marketing policy and security requirements of the card issuer. In contrast to this example, producing card bodies and modules is basically independent of the ultimate card issuer or his marketing aspects, and thus largely the same for all applications.