Since 1998, Bull CP8 has been working on a smart card specifically dedicated to the Internet. The basic idea is to treat the card as a network computer able to use the resources of the terminal to which it is connected (keyboard, screen, mouse, browser, Internet access). Our goal is to transform a smart card into a true node of the Internet; the card implements applications of the Internet world (HTTP, electronic mail). In short, the smart card is a web server: it can be accessed from a web browser and is able to manage several TCP connections (as a client or a server). For example, the card can work as a security proxy.
A first generation of (Java) Internet cards has been developed. Our objective is to integrate these cards into the Internet community and to improve the security (authentication, integrity, and confidentiality) required by the new services provided by the network.
We are entering the era of ubiquitous computing, which means that more and more everyday objects integrate a microprocessor and can be connected to the Internet (according to Frost & Sullivan, 40% of the devices connected to the Internet in 2001 will not be personal computers). A user (sometimes mobile) will use several types of terminals connected to the Internet, for example
In this context, the Internet card is used to authenticate a (mobile) user who uses an anonymous terminal. If necessary, it manages the terminal configuration required to set up a particular service. This technology constitutes a revolution in the ergonomics of the card and in its use through the Internet.
The smart card (SPOM, Self-Programmable One-chip Microcomputer) was invented at the end of the Seventies by Michel Ugon (Bull CP8). The French bank card consortium CB was created in 1985 and enabled the distribution of 10 million bank cards (cash cards). Today smart cards are used as electronic purses, in transport applications (contactless cards), in mobile phones (SIM cards), in health, and for network security purposes (RSA cards). The market is estimated at one billion chip cards for the year 2000.
Today card technology is based on 8-bit processors with memory sizes of a few tens of KB. The chip size is limited (approximately 25 mm²) by the flexibility of the plastic (PVC) support. A new generation of 32-bit RISC processors will be defined at the beginning of the next millennium.
In addition to physical security, which is based on the fact that it is impossible to read the code or the data stored in the chip, the card traditionally provides two kinds of facilities:
This traditional vision of the card can be found in network applications, perhaps because these devices are not specifically designed for such an environment. As an example, the card is introduced into a security architecture working with SSL by means of software modifications (DLLs) in the host system (including the web browser) and also in the server. The card knows nothing about network protocols; on the host side, a specific piece of software interacts with the card in order to authenticate its bearer by a challenge mechanism.
More generally, network applications (user authentication, electronic commerce) use a fat client approach: each application dealing with a card requires specific software running on the terminal. This model creates management difficulties if an application must be available through a set of heterogeneous terminals (PCs, Unix machines, GSM mobile phones, Internet terminals...).
The fat client model does not meet the requirements of network applications in which a mobile customer uses several terminals (laptop, mobile phone, Internet kiosk...) able to reach the Internet. For example, if an application consists of taking out an electronic subscription to a newspaper, it seems legitimate that the recipient can read this newspaper from his office, his home, a hotel or his mobile phone.
Our new approach to the network card consists of adapting it to each terminal by means of a single protocol that we wish to standardize. This protocol is particularly suited to supporting the TCP/IP protocols. These new concepts are largely based on the Java Card technology, introduced in 1997, which enables the realization of secure and open architectures (the card is not dedicated to a specific application).
The card implements the Internet protocols and becomes a new object of the Internet community. The convergence of traditional telephony and networks, and the availability of cheap Internet terminals, are factors that encourage the emergence of virtual objects (music, movies...) that can be bought and used through the network without a physical medium. Our approach is a first step towards this type of model.
A smart card is a single embedded chip including a CPU and RAM/ROM; its only means of communicating with the outside world is a serial link. As the chip has a single, bidirectional I/O pin, this link can only support a half-duplex protocol. The main difference between a smart card and a conventional computer is that the card has no basic I/O devices such as a keyboard, a screen or an Ethernet card. A smart card is well suited to storing small quantities of secret code and data (about 64 kbytes). The Internet card approach means that the card is able to use the terminal's network resources.
The card does not have physical resources giving access to the network (Ethernet card, modem...); the basic idea is to reach the software communication interfaces available on the host system.
In fact, the same concept is used when a web browser navigates: the application (the browser) is able to use the network resources of the host system. The use of the network by an application comes down to cooperating with software layers provided by the host system, for which the application knows an access point (or a method).
In the TCP/IP architecture, a network application (such as a web browser) is based on a model that comprises the first 4 layers of the OSI model.
Layers 1 (physical layer) and 2 (data link layer) correspond, for example, to an Ethernet card or a modem. The machine sees (uses) a network resource (card...) through a particular software interface sometimes called a low-level driver (for example, NDIS is a low-level driver developed by Microsoft). In fact, working with a network card means accessing a low-level driver; in ISO terminology this interface is called a level 2 SAP (Service Access Point), or SAP2.
Similarly, an application uses the TCP/IP layers by means of a network library provided by the host system; a network application can work with such a library through a SAP of level 3 (SAP3, or network layer SAP) or level 4 (SAP4, or transport layer SAP). For example, winsock.dll is the dynamic library that makes it possible to use TCP/IP on a Windows machine.
In short, a terminal offers three access points to the network
As mentioned previously, the smart card is connected to the outside world through a serial (half-duplex) link whose baud rate is between 9600 and 105900. The ISO 7816-3 standard specifies two types of transmission protocol between the reader and the card
The ISO 7816-3 T protocols are equivalent to an OSI data link layer (layer 2), because they are responsible for error detection and correction. We will call T layer the services defined by the ISO 7816-3 standard, and we shall consider the link between the card and the reader to be a point-to-point connection in which all errors are corrected by the T layer.
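An added example, not part of the original article or of Bull CP8's code: a minimal Python model of how a T layer detects and corrects errors on the half-duplex card link, assuming the block-oriented T=1 protocol of ISO 7816-3 with its one-byte LRC. The function names, the payload and the injected bit flip are constructed for illustration.

```python
from functools import reduce

def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of all bytes."""
    return reduce(lambda a, b: a ^ b, data, 0)

def i_block(seq: int, inf: bytes, nad: int = 0x00) -> bytes:
    """Information block: NAD | PCB (bit 7 = N(S)) | LEN | INF | LRC."""
    if len(inf) > 254:
        raise ValueError("INF field is limited to 254 bytes")
    body = bytes([nad, (seq & 1) << 6, len(inf)]) + inf
    return body + bytes([lrc(body)])

def r_block(expected_seq: int, error: int, nad: int = 0x00) -> bytes:
    """Receive-ready block: PCB = 0x80 | N(R) << 4 | error code, LEN = 0."""
    body = bytes([nad, 0x80 | ((expected_seq & 1) << 4) | (error & 3), 0])
    return body + bytes([lrc(body)])

def receive(block: bytes, expected_seq: int):
    """Return (payload, None) if the block is accepted, else (None, R-block)."""
    well_formed = len(block) >= 4 and len(block) == 4 + block[2]
    if not well_formed or lrc(block) != 0:       # XOR over block + LRC must be 0
        return None, r_block(expected_seq, error=1)   # EDC error: please resend
    if (block[1] & 0x80) or ((block[1] >> 6) & 1) != expected_seq:
        return None, r_block(expected_seq, error=2)   # not the expected I-block
    return block[3:-1], None

def transfer(payload: bytes, corrupt_first_try: bool):
    """Send one I-block over a simulated noisy link; return (payload, attempts)."""
    seq, block = 0, i_block(0, payload)
    for attempt in range(1, 4):
        wire = bytearray(block)
        if corrupt_first_try and attempt == 1:
            wire[-2] ^= 0x01                     # constructed fault: one flipped bit
        data, reply = receive(bytes(wire), seq)
        if data is not None:
            return data, attempt
        # The R-block's N(R) equals our N(S): the receiver wants this block again.
        if ((reply[1] >> 4) & 1) != seq:
            raise IOError("unexpected sequence number in R-block")
    raise IOError("link failed after 3 attempts")

if __name__ == "__main__":
    print(i_block(0, b"\x01\x02").hex())          # constructed two-byte payload
    print(transfer(b"constructed payload", True))
```

The LRC catches a single flipped bit but is not a cryptographic integrity check; it protects against line noise only, so authentication and integrity against an active attacker must come from the layers above.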