In addition to the manufacturing process, the life cycle of a smart card depends on the application in which it is used. A smart card for the GSM mobile telecommunications system, for example, has a considerably different life after manufacturing than a credit card containing a chip. Nevertheless, the various types of cards still have much in common. The ISO 10202-1 standard attempts to define a card life cycle that is equally valid for all manufacturing methods and a wide variety of applications. This standard is very strongly oriented towards financial transaction applications and the information technology used in them, rather than towards the actual production of card bodies and chips. Nevertheless, it represents a quite successful attempt to provide a structured description of the life history of smart cards from beginning to end, which is why it is used here as the basis for describing the smart card life cycle. According to ISO 10202-1, the life of a card is divided into five phases, which are connected by precisely specified transitions.

All stores of cards required by the technical implementation of the production process, and all transportation paths between the various firms that perform the individual production operations, must be physically or cryptographically secured in order to preclude the manipulation or theft of partly finished products. All production steps must naturally be accompanied by appropriate quality assurance. Since smart cards are normally used in areas in which security is an issue, it is now common to guarantee the traceability of the manufacturing process in accordance with the ISO 9000 family of standards. At minimum, this means that all production steps must be logged using batch and chip numbers. It must be possible to reconstruct the production steps undergone by each individual smart card at any time after it has been manufactured. This makes it easier to analyze the cause of any manufacturing faults that show up later. Since each chip receives a unique chip number during semiconductor fabrication, no two microcontrollers are identical afterwards, and traceability based on chip numbers is therefore relatively easy to implement. Manufacturing traceability can be implemented either by storing the relevant information in a manufacturing database or by writing all the information relevant to the manufacturing of each chip into the chip itself. ISO 10202-1 recommends storing the manufacturing data in the chips, which has certain advantages compared with storing the data in a database: the manufacturing data for any chip can then be obtained without having to access a database, although this comes at the cost of valuable space in the microcontroller's EEPROM.
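The chapter requires that per-chip production records be kept by batch and chip number and that the stores and transport paths between production steps be physically or cryptographically secured. The following Python example, added here and not taken from the book or from ISO 10202-1, shows one way to make such a log tamper-evident: every production step for a chip is recorded with an HMAC chained to the previous step for that chip, so an altered, deleted or reordered step shows up when the history is reconstructed. The key, the step names, the station names and the chip and batch numbers are all constructed for the example and are not real identifiers.

```python
import hashlib
import hmac
import json

# Hypothetical key held by the traceability system of the chip/card manufacturer.
# Constructed for this example; a real deployment would keep it in an HSM.
TRACE_KEY = b"example-manufacturer-traceability-key"


def _chain_mac(key: bytes, prev_mac: bytes, record: dict) -> str:
    """HMAC over the previous entry's MAC plus a canonical encoding of this record.
    Including prev_mac is what links the entries into a per-chip chain."""
    payload = prev_mac + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class TraceLog:
    """Append-only production log keyed by chip number.

    Each entry stores the chip number, the batch number for that step, the step
    name, the station that performed it and a sequence number, together with a
    MAC chained to the chip's previous entry (empty bytes for the first step)."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries: list[dict] = []

    def _last_mac(self, chip_no: str) -> bytes:
        for e in reversed(self.entries):
            if e["record"]["chip"] == chip_no:
                return e["mac"].encode()
        return b""

    def _count(self, chip_no: str) -> int:
        return sum(1 for e in self.entries if e["record"]["chip"] == chip_no)

    def log_step(self, chip_no: str, batch_no: str, step: str, station: str) -> None:
        record = {
            "chip": chip_no,
            "batch": batch_no,
            "step": step,
            "station": station,
            "seq": self._count(chip_no),
        }
        mac = _chain_mac(self.key, self._last_mac(chip_no), record)
        self.entries.append({"record": record, "mac": mac})

    def history(self, chip_no: str) -> list[str]:
        """Reconstruct the production steps of one chip, verifying the chain.
        Raises ValueError if any entry was altered, removed or reordered."""
        prev = b""
        steps: list[str] = []
        for e in self.entries:
            rec = e["record"]
            if rec["chip"] != chip_no:
                continue
            if rec["seq"] != len(steps):
                raise ValueError(f"missing or reordered step for {chip_no} at seq {len(steps)}")
            if not hmac.compare_digest(_chain_mac(self.key, prev, rec), e["mac"]):
                raise ValueError(f"tampered entry for {chip_no} at seq {rec['seq']}")
            steps.append(rec["step"])
            prev = e["mac"].encode()
        return steps


def build_sample_log() -> TraceLog:
    """Constructed sample data: two chips from one wafer lot passing through
    wafer test, dicing and module assembly; one of them also reaches module test."""
    log = TraceLog(TRACE_KEY)
    for chip in ("CHIP-0001", "CHIP-0002"):
        log.log_step(chip, "LOT-17", "wafer test", "probe-3")
        log.log_step(chip, "LOT-17", "dicing", "saw-1")
        log.log_step(chip, "MOD-42", "module assembly", "bond-2")
    log.log_step("CHIP-0001", "MOD-42", "module test", "test-5")
    return log


def tamper_detected(log: TraceLog, chip_no: str) -> bool:
    """True if reconstructing the chip's history fails the integrity check."""
    try:
        log.history(chip_no)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    log = build_sample_log()
    print("CHIP-0001:", log.history("CHIP-0001"))
    log.entries[1]["record"]["batch"] = "LOT-99"  # silently re-label the dicing step
    print("tampered:", tamper_detected(log, "CHIP-0001"))
```

One caveat a practitioner would want: a chain like this detects alteration, deletion and reordering of steps in the middle of a chip's history, but not removal of the most recent entries. Catching that requires an external anchor, for example the number of steps recorded in the chip itself (the in-chip storage that ISO 10202-1 recommends) or a signed end-of-batch record.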

The first phase of the ISO 10202-1 standard life cycle can be subdivided into two parts. The first of these covers the generation of the smart card operating system and the semiconductor manufacturing process for the microcontroller, while the second part covers all of the technology for producing the card body.

Generating the operating system and producing the chip
Operating systems and other software for smart card microcontrollers are so complex that we have devoted a separate chapter to them, in which all aspects of the subject are described in detail [2]. However, we must not overlook the fact that a significant part of the technical basis for the security of the remainder of the card's life cycle is established in the fabrication of the chip. No matter how high the quality of the operating system may be and how much cryptographic protection is used, they are of little use if all the secret data can be read from the chip because of an error in the design or fabrication of the chip. Semiconductor chips are usually produced in protected facilities with restricted access. Restricted access is relatively easy to achieve with cleanrooms, which in any case can only be entered via interlocked doorways. However, this is also important with regard to security, since it is the only way to guarantee that no ICs containing Trojan horses in their software can be smuggled into the production flow during chip fabrication or after the dice have been separated. This would otherwise be a serious and dangerous form of attack on the security of smart card applications.

Chip design
The geometric structure of a chip for a memory or microcontroller card should be square, or as nearly square as possible, since this minimizes the risk of the chip being broken by the stresses that arise when the card is bent. Complete protection of the chip against bending stresses is in principle technically possible with an extremely stiff module package, but this is not desirable in practice: such a stiff module would eventually cause the card body to crack, due to the alternating bending stresses to which the card is recurrently exposed. The semiconductor components used for the chip, such as the CPU and numeric coprocessor, are normally standard components [3] that have been technically modified for increased security. Semiconductor components for the automotive industry are often used for this purpose, since they must be designed to meet similarly severe environmental and reliability requirements. However, such components must be modified as necessary to fully adapt them to the security requirements imposed on smart card microcontrollers. In the chip design process, the first step after establishing the functional specification is generating a general chip architecture, with a block diagram of the circuit and a rough layout of the future microcontroller. Following this, the overall block diagram is refined step by step into logic blocks, gate-level functions, transistors and ultimately the geometric structures of the individual exposure masks. Each step is accompanied by circuit simulation and extensive testing. This is a complex process consisting of many individual steps, and a fair amount of experience is necessary to arrive at the optimum arrangement of the elements of the chip. At the end of this process, sample chips are produced on a test fabrication line in a semiconductor manufacturing plant. These are the first reference devices, which are very precisely measured and exercised.
A security assessment is often performed in parallel, although it cannot be completed until the first regular chips have been produced. Designing a chip can take from several months to a year before a fully operational chip is obtained that meets all the requirements for mass production. The fact that it takes so much time and effort to design a chip is the reason that the interval between successive generations of smart card microcontrollers is two to three years. Because significant changes to an existing chip are so costly, the most substantial modifications are predominantly 'shrinking' the chip, in order to make better use of the wafer area, and making minor improvements or extensions to the hardware.