The Gene Ontology (GO) is a major bioinformatics initiative to unify the representation of gene and gene product attributes across all species. More specifically, the project aims to: 1) maintain and develop its controlled vocabulary of gene and gene product attributes; 2) annotate
genes and gene products, and assimilate and disseminate annotation
data; and 3) provide tools for easy access to all aspects of the data
provided by the project, and to enable functional interpretation of
experimental data using the GO, for example via enrichment analysis. GO is part of a larger classification effort, the Open Biomedical Ontologies, being one of the Initial Candidate Members of the OBO Foundry.
Whereas gene nomenclature
focuses on gene and gene products, the Gene Ontology focuses on the
function of the genes and gene products. The GO also extends the effort
by using markup language to make the data (not only of the genes and their products but also of curated attributes) machine readable, and to do so in a way that is unified across all species (whereas gene nomenclature conventions vary by biological taxon).
Terms and ontology
From
a practical view, an ontology is a representation of something we know
about. "Ontologies" consist of representations of things that are
detectable or directly observable, and the relationships between those
things.
There is no universal standard terminology in biology and related
domains, and term usages may be specific to a species, research area or
even a particular research group. This makes communication and sharing
of data more difficult. The Gene Ontology project provides an ontology of defined terms representing gene product properties. The ontology covers three domains:
molecular function, the elemental activities of a gene product at the molecular level, such as binding or catalysis;
biological process,
operations or sets of molecular events with a defined beginning and
end, pertinent to the functioning of integrated living units: cells, tissues, organs, and organisms.
Each GO term within the ontology has a term name, which may be a word
or string of words; a unique alphanumeric identifier; a definition with
cited sources; and an ontology indicating the domain to which it
belongs. Terms may also have synonyms, which are classed as being
exactly equivalent to the term name, broader, narrower, or related;
references to equivalent concepts in other databases; and comments on
term meaning or usage. The GO ontology is structured as a directed acyclic graph, and each term has defined relationships
to one or more other terms in the same domain, and sometimes to other
domains. The GO vocabulary is designed to be species-neutral, and
includes terms applicable to prokaryotes and eukaryotes, single and multicellular organisms.
GO is not static, and additions, corrections and alterations are
suggested by, and solicited from, members of the research and annotation
communities, as well as by those directly involved in the GO project.
For example, an annotator may request a specific term to represent a
metabolic pathway, or a section of the ontology may be revised with the
help of community experts (e.g.). Suggested edits are reviewed by the ontology editors, and implemented where appropriate.
The GO ontology and annotation files are freely available from the GO website in a number of formats, or can be accessed online using the GO browser AmiGO. The Gene Ontology project also provides downloadable mappings of its terms to other classification systems.
Example term
id: GO:0000016
name: lactase activity
ontology: molecular_function
def: "Catalysis of the reaction: lactose + H2O=D-glucose + D-galactose." [EC:3.2.1.108]
Genome annotation
encompasses the practice of capturing data about a gene product, and GO
annotations use terms from the GO ontology to do so. Annotations from
GO curators are integrated and disseminated on the GO website, where
they can be downloaded directly or viewed online using AmiGO. In addition to the gene product identifier and the relevant GO term, GO annotations have at least the following data:
The reference used to make the annotation (e.g. a journal article);
An evidence code denoting the type of evidence upon which the annotation is based;
The date and the creator of the annotation
Supporting information, depending on GO term and evidence used and
supplementary information, such as the conditions the function is
observed under, may also be included in a GO annotation.
The evidence code comes from a controlled vocabulary of codes, the Evidence Code Ontology, covering both manual and automated annotation methods. For example, Traceable Author Statement
(TAS) means a curator has read a published scientific paper and the
metadata for that annotation bears a citation to that paper; Inferred from Sequence Similarity
(ISS) means a human curator has reviewed the output from a sequence
similarity search and verified that it is biologically meaningful.
Annotations from automated processes (for example, remapping annotations
created using another annotation vocabulary) are given the code Inferred from Electronic Annotation
(IEA). In 2010, over 98% of all GO annotations were inferred
computationally, not by curators, but as of July 2, 2019, only about 30%
of all GO annotations were inferred computationally.
As these annotations are not checked by a human, the GO Consortium
considers them to be marginally less reliable and they are commonly to
higher level, less detailed terms. Full annotation data sets can be
downloaded from the GO website. To support the development of
annotation, the GO Consortium provides workshops and mentors new groups
of curators and developers.
Many machine learning algorithms have been designed and implemented to predict Gene Ontology annotations.
There are a large number of tools available
both online and to download that use the data provided by the GO
project. The vast majority of these come from third parties; the GO
Consortium develops and supports two tools, AmiGO and OBO-Edit.
AmiGO
is a web-based application that allows users to query, browse and
visualize ontologies and gene product annotation data. It also has a BLAST tool, tools allowing analysis of larger data sets, and an interface to query the GO database directly.
AmiGO can be used online at the GO website to access the data
provided by the GO Consortium, or can be downloaded and installed for
local use on any database employing the GO database schema (e.g.). It is free open source software and is available as part of the go-dev software distribution.
OBO-Edit
is an open source, platform-independent ontology editor developed and
maintained by the Gene Ontology Consortium. It is implemented in Java, and uses a graph-oriented
approach to display and edit ontologies. OBO-Edit includes a
comprehensive search and filter interface, with the option to render
subsets of terms to make them visually distinct; the user interface can
also be customized according to user preferences. OBO-Edit also has a reasoner
that can infer links that have not been explicitly stated, based on
existing relationships and their properties. Although it was developed
for biomedical ontologies, OBO-Edit can be used to view, search and edit
any ontology. It is freely available to download.
Consortium
The Gene Ontology Consortium is the set of biological databases and research groups actively involved in the gene ontology project. This includes a number of model organism databases and multi-species protein databases, software development groups, and a dedicated editorial office.
History
The Gene Ontology was originally constructed in 1998 by a consortium of researchers studying the genomes of three model organisms: Drosophila melanogaster (fruit fly), Mus musculus (mouse), and Saccharomyces cerevisiae (brewer's or baker's yeast). Many other Model Organism Databases
have joined the Gene Ontology Consortium, contributing not only
annotation data, but also contributing to the development of the
ontologies and tools to view and apply the data. Many major plant,
animal and microorganism databases make a contribution towards this
project. As of July 2019, the GO contains 44,945 terms; there are 6,408,283 annotations to 4,467 different biological organisms. There is a significant body of literature on the development and use of the GO, and it has become a standard tool in the bioinformatics
arsenal. Their objectives have three aspects: building gene ontology,
assigning ontology to gene/gene products and developing software and
databases for the first two objects.
Several analyses of the Gene Ontology using formal,
domain-independent properties of classes (the metaproperties) are also
starting to appear. For instance, an ontological analysis of biological
ontologies see.
Functional genomics is a field of molecular biology that attempts to describe gene (and protein) functions and interactions. Functional genomics make use of the vast data generated by genomic and transcriptomic projects (such as genome sequencing projects and RNA sequencing). Functional genomics focuses on the dynamic aspects such as gene transcription, translation, regulation of gene expression and protein–protein interactions, as opposed to the static aspects of the genomic information such as DNA sequence
or structures. A key characteristic of functional genomics studies is
their genome-wide approach to these questions, generally involving
high-throughput methods rather than a more traditional “gene-by-gene”
approach.
Deep mutational scan of the RNA recognition motif(RRM2) of a yeast PolyA binding protein (Pab1)
Definition and goals of functional genomics
In order to understand functional genomics it is important to first define function. In their paper
Graur et al. define function in two possible ways. These are "Selected
effect" and "Causal Role". The "Selected Effect" function refers to the
function for which a trait(DNA, RNA, protein etc.) is selected for. The
"Causal role" function refers to the function that a trait is sufficient
and necessary for. Functional genomics usually tests the "Causal role"
definition of function.
The goal of functional genomics is to understand the function of
genes or proteins, eventually all components of a genome. The term
functional genomics is often used to refer to the many technical approaches to study an organism's genes and proteins, including the "biochemical, cellular, and/or physiological properties of each and every gene product" while some authors include the study of nongenic elements in their definition. Functional genomics may also include studies of natural genetic variationover time (such as an organism's development) or space (such as its body regions), as well as functional disruptions such as mutations.
The promise of functional genomics is to generate and synthesize
genomic and proteomic knowledge into an understanding of the dynamic
properties of an organism. This could potentially provide a more
complete picture of how the genome specifies function compared to
studies of single genes. Integration of functional genomics data is
often a part of systems biology approaches.
Techniques and applications
Functional genomics includes function-related aspects of the genome itself such as mutation and polymorphism (such as single nucleotide polymorphism (SNP) analysis), as well as the measurement of molecular activities. The latter comprise a number of "-omics" such as transcriptomics (gene expression), proteomics (protein production), and metabolomics. Functional genomics uses mostly multiplex techniques to measure the abundance of many or all gene products such as mRNAs or proteins within a biological sample.
A more focused functional genomics approach might test the function of
all variants of one gene and quantify the effects of mutants by using
sequencing as a readout of activity. Together these measurement
modalities endeavor to quantitate the various biological processes and
improve our understanding of gene and protein functions and
interactions.
At the DNA level
Genetic interaction mapping
Systematic pairwise deletion of genes or inhibition of gene
expression can be used to identify genes with related function, even if
they do not interact physically. Epistasis refers to the fact that
effects for two different gene knockouts may not be additive; that is,
the phenotype that results when two genes are inhibited may be different
from the sum of the effects of single knockouts.
DNA/Protein interactions
Proteins
formed by the translation of the mRNA (messenger RNA, a coded
information from DNA for protein synthesis) play a major role in
regulating gene expression. To understand how they regulate gene
expression it is necessary to identify DNA sequences that they interact
with. Techniques have been developed to identify sites of DNA-protein
interactions. These include Chip-sequencing, CUT&RUN sequencing and Calling Cards.
DNA accessibility assays
Assays
have been developed to identify regions of the genome that are
accessible. These regions of open chromatin are candidate regulatory
regions. These
assays include ATAC-seq, DNase-Seq and FAIRE-Seq.
Microarrays measure the amount of mRNA in a sample that corresponds
to a given gene or probe DNA sequence. Probe sequences are immobilized
on a solid surface and allowed to hybridize
with fluorescently labeled “target” mRNA. The intensity of fluorescence
of a spot is proportional to the amount of target sequence that has
hybridized to that spot, and therefore to the abundance of that mRNA
sequence in the sample. Microarrays allow for identification of
candidate genes involved in a given process based on variation between
transcript levels for different conditions and shared expression
patterns with genes of known function.
SAGE
Serial analysis of gene expression
(SAGE) is an alternate method of analysis based on RNA sequencing
rather than hybridization. SAGE relies on the sequencing of 10–17 base
pair tags which are unique to each gene. These tags are produced from poly-A mRNA
and ligated end-to-end before sequencing. SAGE gives an unbiased
measurement of the number of transcripts per cell, since it does not
depend on prior knowledge of what transcripts to study (as microarrays
do).
RNA sequencing
RNA sequencing has taken over microarray and SAGE technology in
recent years, as noted in 2016, and has become the most efficient way to
study transcription and gene expression. This is typically done by next-generation sequencing.
A subset of sequenced RNAs are small RNAs, a class of non-coding
RNA molecules that are key regulators of transcriptional and
post-transcriptional gene silencing, or RNA silencing. Next generation sequencing is the gold standard tool for non-coding RNA discovery, profiling and expression analysis.
Massively Parallel Reporter Assays (MPRAs)
Massively parallel reporter assays is a technology to test the cis-regulatory activity of DNA sequences.
MPRAs use a plasmid with a synthetic cis-regulatory element upstream of
a promoter driving a synthetic gene such as Green Fluorescent Protein. A
library of cis-regulatory elements is usually tested using MPRAs, a
library can contain from hundreds to thousands of cis-regulatory
elements. The cis-regulatory activity of the elements is assayed by
using the downstream reporter activity. The activity of all the library
members is assayed in parallel using barcodes for each cis-regulatory
element. One limitation of MPRAs is that the activity is assayed on a
plasmid and may not capture all aspects of gene regulation observed in
the genome.
STARR-seq
STARR-seq is a technique similar to MPRAs to assay enhancer activity
of randomly sheared genomic fragments. In the original publication,
randomly sheared fragments of the Drosophila genome were placed
downstream of a minimal promoter. Candidate enhancers amongst the
randomly sheared fragments will transcribe themselves using the minimal
promoter. By using sequencing as a readout and controlling for input
amounts of each sequence the strength of putative enhancers are assayed
by this method.
Perturb-seq
Overview of Perturb-seq workflow
Perturb-seq couples CRISPR mediated gene knockdowns with single-cell
gene expression. Linear models are used to calculate the effect of the
knockdown of a single gene on the expression of multiple genes.
At the protein level
Yeast two-hybrid system
A yeast two-hybrid screening
(Y2H) tests a "bait" protein against many potential interacting
proteins ("prey") to identify physical protein–protein interactions.
This system is based on a transcription factor, originally GAL4,
whose separate DNA-binding and transcription activation domains are
both required in order for the protein to cause transcription of a
reporter gene. In a Y2H screen, the "bait" protein is fused to the
binding domain of GAL4, and a library of potential "prey" (interacting)
proteins is recombinantly expressed in a vector with the activation
domain. In vivo interaction of bait and prey proteins in a yeast cell
brings the activation and binding domains of GAL4 close enough together
to result in expression of a reporter gene.
It is also possible to systematically test a library of bait proteins
against a library of prey proteins to identify all possible interactions
in a cell.
AP/MS
Affinity purification and mass spectrometry
(AP/MS) is able to identify proteins that interact with one another in
complexes. Complexes of proteins are allowed to form around a particular
“bait” protein. The bait protein is identified using an antibody or a
recombinant tag which allows it to be extracted along with any proteins
that have formed a complex with it. The proteins are then digested into
short peptide fragments and mass spectrometry is used to identify the proteins based on the mass-to-charge ratios of those fragments.
Deep Mutational Scanning
In
Deep mutational scanning every possible amino acid change in a given
protein is first synthesized. The activity of each of these protein
variants is assayed in parallel using barcodes for each variant. By
comparing the activity to the wild-type protein, the effect of each
mutation is identified. While it is possible to assay every possible
single amino-acid change due to combinatorics two or more concurrent
mutations are hard to test. Deep Mutational scanning experiments have
also been used to infer protein structure and protein-protein
interactions.
Loss-of-function techniques
Mutagenesis
Gene function can be investigated by systematically “knocking out” genes one by one. This is done by either deletion or disruption of function (such as by insertional mutagenesis) and the resulting organisms are screened for phenotypes that provide clues to the function of the disrupted gene.
RNAi
RNA interference (RNAi) methods can be used to transiently silence or
knock down gene expression using ~20 base-pair double-stranded RNA
typically delivered by transfection of synthetic ~20-mer
short-interfering RNA molecules (siRNAs) or by virally encoded
short-hairpin RNAs (shRNAs). RNAi screens, typically performed in cell
culture-based assays or experimental organisms (such as C. elegans)
can be used to systematically disrupt nearly every gene in a genome or
subsets of genes (sub-genomes); possible functions of disrupted genes
can be assigned based on observed phenotypes.
CRISPR screens
An example of a CRISPR loss-of-function screen.
CRISPR-Cas9 has been used to delete genes in a multiplexed manner in
cell-lines. Quantifying the amount of guide-RNAs for each gene before
and after the experiment can point towards essential genes. If a
guide-RNA disrupts an essential gene it will lead to the loss of that
cell and hence there will be a depletion of that particular guide-RNA
after the screen. In a recent CRISPR-cas9 experiment in mammalian
cell-lines, around 2000 genes were found to be essential in multiple
cell-lines.
Some of these genes were essential in only one cell-line. Most of genes
are part of multi-protein complexes. This approach can be used to
identify synthetic lethality by using the appropriate genetic
background. CRISPRi and CRISPRa enable loss-of-function and
gain-of-function screens in a similar manner. CRISPRi identified ~2100
essential genes in the K562 cell-line.
CRISPR deletion screens have also been used to identify potential
regulatory elements of a gene. For example, a technique called ScanDel
was published which attempted this approach. The authors deleted regions
outside a gene of interest(HPRT1 involved in a Mendelian disorder) in
an attempt to identify regulatory elements of this gene.
Gassperini et al. did not identify any distal regulatory elements for
HPRT1 using this approach, however such approaches can be extended to
other genes of interest.
Functional annotations for genes
Genome annotation
Putative genes can be identified by scanning a genome for regions
likely to encode proteins, based on characteristics such as long open reading frames, transcriptional initiation sequences, and polyadenylation
sites. A sequence identified as a putative gene must be confirmed by
further evidence, such as similarity to cDNA or EST sequences from the
same organism, similarity of the predicted protein sequence to known
proteins, association with promoter sequences, or evidence that mutating
the sequence produces an observable phenotype.
Rosetta stone approach
The
Rosetta stone approach is a computational method for de-novo protein
function prediction. It is based on the hypothesis that some proteins
involved in a given physiological process may exist as two separate
genes in one organism and as a single gene in another. Genomes are
scanned for sequences that are independent in one organism and in a
single open reading frame in another. If two genes have fused, it is
predicted that they have similar biological functions that make such
co-regulation advantageous.
Bioinformatics methods for Functional genomics
Because of the large quantity of data produced by these techniques and the desire to find biologically meaningful patterns, bioinformatics is crucial to analysis of functional genomics data. Examples of techniques in this class are data clustering or principal component analysis for unsupervised machine learning (class detection) as well as artificial neural networks or support vector machines for supervised machine learning (class prediction, classification).
Functional enrichment analysis is used to determine the extent of over-
or under-expression (positive- or negative- regulators in case of RNAi
screens) of functional categories relative to a background sets. Gene ontology based enrichment analysis are provided by DAVID and gene set enrichment analysis (GSEA), pathway based analysis by Ingenuity and Pathway studio and protein complex based analysis by COMPLEAT.
An overview of a phydms workflow
New computational methods have been developed for understanding the
results of a deep mutational scanning experiment. 'phydms' compares the
result of a deep mutational scanning experiment to a phylogenetic tree.
This allows the user to infer if the selection process in nature
applies similar constraints on a protein as the results of the deep
mutational scan indicate. This may allow an experimenter to choose
between different experimental conditions based on how well they reflect
nature. Deep mutational scanning has also been used to infer
protein-protein interactions.
The authors used a thermodynamic model to predict the effects of
mutations in different parts of a dimer. Deep mutational structure can
also be used to infer protein structure. Strong positive epistasis
between two mutations in a deep mutational scan can be indicative of two
parts of the protein that are close to each other in 3-D space. This
information can then be used to infer protein structure. A proof of
principle of this approach was shown by two groups using the protein
GB1.
Results from MPRA experiments have required machine learning
approaches to interpret the data. A gapped k-mer SVM model has been used
to infer the kmers that are enriched within cis-regulatory sequences
with high activity compared to sequences with lower activity.
These models provide high predictive power. Deep learning and random
forest approaches have also been used to interpret the results of these
high-dimensional experiments. These models are beginning to help develop a better understanding of non-coding DNA function towards gene-regulation.
Consortium projects focused on Functional Genomics
The ENCODE project
The ENCODE (Encyclopedia of DNA elements) project is an in-depth
analysis of the human genome whose goal is to identify all the
functional elements of genomic DNA, in both coding and noncoding
regions. Important results include evidence from genomic tiling arrays
that most nucleotides are transcribed as coding transcripts, noncoding
RNAs, or random transcripts, the discovery of additional transcriptional
regulatory sites, further elucidation of chromatin-modifying
mechanisms.
The Genotype-Tissue Expression (GTEx) project
Samples used and eQTLs discovered in GTEx v6
The GTEx project is a human genetics project aimed at understanding
the role of genetic variation in shaping variation in the transcriptome
across tissues. The project has collected a variety of tissue samples
(> 50 different tissues) from more than 700 post-mortem donors. This
has resulted in the collection of >11,000 samples. GTEx has helped
understand the tissue-sharing and tissue-specificity of EQTLs.
Java Card refers to a software technology that allows Java-based applications (applets) to be run securely on smart cards and similar small memory footprint devices.
Java Card is the tiniest of Java platforms targeted for embedded
devices. Java Card gives the user the ability to program the devices
and make them application specific. It is widely used in SIM cards (used in GSM mobile phones) and ATM cards. The first Java Card was introduced in 1996 by Schlumberger's card division which later merged with Gemplus to form Gemalto. Java Card products are based on the Java Card Platform specifications developed by Sun Microsystems (later a subsidiary of Oracle Corporation).
Many Java card products also rely on the GlobalPlatform specifications
for the secure management of applications on the card (download,
installation, personalization, deletion).
The main design goals of the Java Card technology are portability and security.
Portability
Java Card aims at defining a standard smart card
computing environment allowing the same Java Card applet to run on
different smart cards, much like a Java applet runs on different
computers. As in Java, this is accomplished using the combination of a
virtual machine (the Java Card Virtual Machine), and a well-defined
runtime library, which largely abstracts the applet from differences
between smart cards. Portability remains mitigated by issues of memory
size, performance, and runtime support (e.g. for communication protocols
or cryptographic algorithms).
Security
Java Card technology was originally developed for the purpose of securing sensitive information stored on smart cards. Security is determined by various aspects of this technology:
Data encapsulation
Data is stored within the application, and Java Card applications
are executed in an isolated environment (the Java Card VM), separate
from the underlying operating system and hardware.
Applet Firewall
Unlike other Java VMs, a Java Card VM usually manages several
applications, each one controlling sensitive data. Different
applications are therefore separated from each other by an applet
firewall which restricts and checks access of data elements of one
applet to another.
Cryptography
Commonly used symmetric key algorithms like DES, Triple DES, AES, and asymmetric key algorithms such as RSA, elliptic curve cryptography are supported as well as other cryptographic services like signing, key generation and key exchange.
Applet
The applet is a state machine which processes only incoming command
requests and responds by sending data or response status words back to
the interface device.
Design
At the
language level, Java Card is a precise subset of Java: all language
constructs of Java Card exist in Java and behave identically. This goes
to the point that as part of a standard build cycle, a Java Card program
is compiled into a Java class file by a Java compiler; the class file
is post-processed by tools specific to the Java Card platform.
However, many Java language features are not supported by Java Card (in particular types char, double, float and long; the transient
qualifier; enums; arrays of more than one dimension; finalization;
object cloning; threads). Further, some common features of Java are not
provided at runtime by many actual smart cards (in particular type int, which is the default type of a Java expression; and garbage collection of objects).
Bytecode
Java Card bytecode run by the Java Card Virtual Machine is a functional subset of Java 2 bytecode
run by a standard Java Virtual Machine but with a different encoding to
optimize for size. A Java Card applet thus typically uses less
bytecode than the hypothetical Java applet obtained by compiling the
same Java source code. This conserves memory, a necessity in resource
constrained devices like smart cards. As a design tradeoff, there is no
support for some Java language features (as mentioned above), and size
limitations. Techniques exist for overcoming the size limitations, such
as dividing the application's code into packages below the 64 KiB limit.
Library and runtime
Standard
Java Card class library and runtime support differs a lot from that in
Java, and the common subset is minimal. For example, the Java Security
Manager class is not supported in Java Card, where security policies are
implemented by the Java Card Virtual Machine; and transients
(non-persistent, fast RAM variables that can be class members) are
supported via a Java Card class library, while they have native language
support in Java.
Specific features
The Java Card runtime and virtual machine also support features that are specific to the Java Card platform:
Persistence
With Java Card, objects are by default stored in persistent memory
(RAM is very scarce on smart cards, and it is only used for temporary or
security-sensitive objects). The runtime environment as well as the
bytecode have therefore been adapted to manage persistent objects.
Atomicity
As smart cards are externally powered and rely on persistent memory,
persistent updates must be atomic. The individual write operations
performed by individual bytecode instructions and API methods are
therefore guaranteed atomic, and the Java Card Runtime includes a
limited transaction mechanism.
Applet isolation
The Java Card firewall is a mechanism that isolates the different
applets present on a card from each other. It also includes a sharing
mechanism that allows an applet to explicitly make an object available
to other applets.
Development
Coding
techniques used in a practical Java Card program differ significantly
from those used in a Java program. Still, that Java Card uses a precise
subset of the Java language speeds up the learning curve, and enables
using a Java environment to develop and debug a Java Card program
(caveat: even if debugging occurs with Java bytecode, make sure that the
class file fits the limitation of Java Card language by converting it
to Java Card bytecode; and test in a real Java Card smart card early on
to get an idea of the performance); further, one can run and debug both
the Java Card code for the application to be embedded in a smart card,
and a Java application that will be in the host using the smart card,
all working jointly in the same environment.
Versions
Oracle has released several Java Card platform specifications and is providing SDK tools for application development.
Usually smart card vendors implement just a subset of algorithms specified in Java Card platform target
and the only way to discover what subset of specification is implemented is to test the card.
Version 3.1 (17.12.2018)
Added configurable key pair generation support, named elliptic
curves support, new algorithms and operations support, additional AES
modes and Chinese algorithms.
Version 3.0.5 (03.06.2015)
Oracle SDK: Java Card Classic Development Kit 3.0.5u1 (03.06.2015)
Added support for Diffie-Hellman modular exponentiation, Domain Data
Conservation for Diffie-Hellman, Elliptic Curve and DSA keys, RSA-3072,
SHA3, plain ECDSA, AES CMAC, AES CTR.
Version 3.0.4 (06.08.2011)
Oracle SDK: Java Card Classic Development Kit 3.0.4 (06.11.2011)
Added support for DES MAC8 ISO9797.
Version 3.0.1 (15.06.2009)
Oracle SDK: Java Card Development Kit 3.0.3 RR (11.11.2010)
Added support for SHA-224, SHA-2 for all signature algorithms.
Version 2.2.2 (03.2006)
Oracle SDK: Java Card Development Kit 2.2.2 (03.2006)
Added support for SHA-256, SHA-384, SHA-512, ISO9796-2, HMAC, Korean SEED MAC NOPAD, Korean SEED NOPAD.
Version 2.2.1 (10.2003)
Oracle SDK: Java Card Development Kit 2.2.1 (10.2003)
Version 2.2 (11.2002)
Added support for AES cryptography key encapsulation, CRC
algorithms, Elliptic Curve Cryptography key encapsulation,Diffie-Hellman
key exchange using ECC, ECC keys for binary polynomial curves and for
prime integer curves, AES, ECC and RSA with variable key lengths.
Version 2.1.1 (18.05.2000)
Oracle SDK: Java Card Development Kit 2.1.2 (05.04.2001)
Added support for RSA without padding.
Version 2.1 (07.06.1999)
Java Card 3.0
The version 3.0 of the Java Card specification (draft released in March 2008) is separated in two editions: the Classic Edition and the Connected Edition.
The Classic Edition (currently at version 3.0.5 released
in June 2015) is an evolution of the Java Card Platform version 2 (which
last version 2.2.2 was released in March 2006), which supports
traditional card applets on resource-constrained devices such as Smart
Cards. Older applets are generally compatible with newer Classic Edition
devices, and applets for these newer devices can be compatible with
older devices if not referring to new library functions. Smart Cards
implementing Java Card Classic Edition have been security-certified by
multiple vendors, and are commercially available.
The Connected Edition (currently at version 3.0.2 released in
December 2009) aims to provide a new virtual machine and an enhanced
execution environment with network-oriented features. Applications can
be developed as classic card applets requested by APDU commands or as servlets using HTTP to support web-based schemes of communication (HTML, REST, SOAP
...) with the card. The runtime uses a subset of the Java (1.)6
bytecode, without Floating Point; it supports volatile objects (garbage collection), multithreading, inter-application communications facilities, persistence, transactions,
card management facilities ... As of 2017 there has been little
adoption in commercially available Smart Cards, so much that reference
to Java Card (including in the present Wikipedia page) often implicitly
excludes the Connected Edition.
A smart card, chip card, or integrated circuit card (ICC) is a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing.
Applications include identification, financial, mobile phones (SIM),
public transit, computer security, schools, and healthcare. Smart cards
may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.
The universal integrated circuit card, or SIM card, is also a type of smart card. As of 2015, 10.5billion smart card IC chips are manufactured annually, including 5.44billion SIM card IC chips.
One of the first smart card prototypes, created by its inventor Roland Moreno
around 1975. The chip has not yet been miniaturized. On this prototype,
one can see how each pin of the microchip (center) is connected to the
exterior world by a copper connector.
First smart card manufactured by Giesecke & Devrient
in 1979, already with the finally standardized dimension (ID-1) and a
contact area with eight pads (initially on the upper left corner)
The idea of incorporating an integrated circuit chip onto a plastic card was first introduced by two German engineers in the late 1960s, Helmut Gröttrup and Jürgen Dethloff. In February 1967, Gröttrup filed the patent DE1574074 in West Germany for a tamper-proof identification switch based on a semiconductor device.
Its primary use was intended to provide individual copy-protected keys
for releasing the tapping process at unmanned gas stations. In September
1968, Helmut Gröttrup, together with Dethloff as an investor, filed
further patents for this identification switch, first in Austria and in 1969 as subsequent applications in the United States, Great Britain, West Germany and other countries.
Independently, Kunitaka Arimura of the Arimura Technology
Institute in Japan developed a similar idea of incorporating an
integrated circuit onto a plastic card, and filed a smart card patent in
March 1970. The following year, Paul Castrucci of IBM filed an American patent titled "Information Card" in May 1971.
In 1974 Roland Moreno patented a secured memory card later dubbed the "smart card". In 1976, Jürgen Dethloff introduced the known element (called "the secret") to identify gate user as of USP 4105156.
In 1977, Michel Ugon from Honeywell Bull invented the first microprocessor smart card with two chips: one microprocessor and one memory,
and in 1978, he patented the self-programmable one-chip microcomputer
(SPOM) that defines the necessary architecture to program the chip.
Three years later, Motorola
used this patent in its "CP8". At that time, Bull had 1,200 patents
related to smart cards. In 2001, Bull sold its CP8 division together
with its patents to Schlumberger, who subsequently combined its own internal smart card department and CP8 to create Axalto. In 2006, Axalto and Gemplus, at the time the world's top two smart-card manufacturers, merged and became Gemalto.
In 2008, Dexa Systems spun off from Schlumberger and acquired
Enterprise Security Services business, which included the smart-card
solutions division responsible for deploying the first large-scale
smart-card management systems based on public key infrastructure (PKI).
The first mass use of the cards was as a telephone card for payment in French payphones, starting in 1983.
Carte bleue
After the Télécarte, microchips were integrated into all French Carte Bleuedebit cards in 1992. Customers inserted the card into the merchant's point-of-sale (POS) terminal, then typed the personal identification number (PIN), before the transaction was accepted. Only very limited transactions (such as paying small highway tolls) are processed without a PIN.
Smart-card-based "electronic purse"
systems store funds on the card, so that readers do not need network
connectivity. They entered European service in the mid-1990s. They have
been common in Germany (Geldkarte), Austria (Quick Wertkarte), Belgium (Proton), France (Moneo), the Netherlands (Chipknip Chipper (decommissioned in 2001)), Switzerland ("Cash"), Norway ("Mondex"),
Spain ("Monedero 4B"), Sweden ("Cash", decommissioned in 2004), Finland
("Avant"), UK ("Mondex"), Denmark ("Danmønt") and Portugal
("Porta-moedas Multibanco").
Private electronic purse systems have also been deployed such as the
Marines corps (USMC) at Parris Island allowing small amount payments at
the cafeteria.
Since the 1990s, smart cards have been the subscriber identity modules (SIMs) used in GSM mobile-phone equipment. Mobile phones are widely used across the world, so smart cards have become very common.
EMV
Europay MasterCard Visa (EMV)-compliant cards and equipment are
widespread with the deployment led by European countries. The United
States started later deploying the EMV technology in 2014, with the
deployment still in progress in 2019. Typically, a country's national
payment association, in coordination with MasterCard International, Visa International, American Express and Japan Credit Bureau (JCB), jointly plan and implement EMV systems.
Historically, in 1993 several international payment companies agreed to develop smart-card specifications for debit and credit cards. The original brands were MasterCard, Visa, and Europay. The first version of the EMV system was released in 1994. In 1998 the specifications became stable.
EMVCo maintains these specifications. EMVco's purpose is to
assure the various financial institutions and retailers that the
specifications retain backward compatibility with the 1998 version.
EMVco upgraded the specifications in 2000 and 2004.
EMV compliant cards were first accepted into Malaysia in 2005 and later into United States in 2014. MasterCard was the first company
that was allowed to use the technology in the United States. The United
States has felt pushed to use the technology because of the increase in identity theft.
The credit card information stolen from Target in late 2013 was one of
the largest indicators that American credit card information is not
safe. Target made the decision on April 30, 2014 that it would try to
implement the smart chip technology in order to protect itself from
future credit card identity theft.
Before 2014, the consensus in America was that there were enough
security measures to avoid credit card theft and that the smart chip was
not necessary. The cost of the smart chip technology was significant,
which was why most of the corporations did not want to pay for it in the
United States. The debate came when online credit theft was insecure
enough for the United States to invest in the technology. The adaptation
of EMV's increased significantly in 2015 when the liability shifts
occurred in October by the credit card companies.
Development of contactless systems
Contactless smart cards do not require physical contact
between a card and reader. They are becoming more popular for payment
and ticketing. Typical uses include mass transit and motorway tolls.
Visa and MasterCard implemented a version deployed in 2004–2006 in the
U.S., with Visa's current offering called Visa Contactless. Most contactless fare collection systems are incompatible, though the MIFARE Standard card from NXP Semiconductors has a considerable market share in the US and Europe.
Use of "Contactless" smart cards in transport has also grown
through the use of low cost chips NXP Mifare Ultralight and
paper/card/PET rather than PVC. This has reduced media cost so it can be
used for low cost tickets and short term transport passes (up to 1 year
typically). The cost is typically 10% that of a PVC smart card with
larger memory. They are distributed through vending machines, ticket
offices and agents. Use of paper/PET is less harmful to the environment
than traditional PVC cards . See also transport/transit/ID applications.
Smart cards are also being introduced for identification and
entitlement by regional, national, and international organizations.
These uses include citizen cards, drivers’ licenses, and patient cards.
In Malaysia, the compulsory national ID MyKad enables eight applications and has 18 million users. Contactless smart cards are part of ICAObiometric passports to enhance security for international travel.
Design
A smart card may have the following generic characteristics:
Dimensions similar to those of a credit card. ID-1 of the ISO/IEC 7810
standard defines cards as nominally 85.60 by 53.98 millimetres (3.37 in
× 2.13 in). Another popular size is ID-000, which is nominally 25 by 15
millimetres (0.98 in × 0.59 in) (commonly used in SIM cards). Both are
0.76 millimetres (0.030 in) thick.
Managed by an administration system, which securely interchanges
information and configuration settings with the card, controlling card blacklisting and application-data updates.
Communicates with external services through card-reading devices, such as ticket readers, ATMs, DIP reader, etc.
Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.
Contact smart cards
Illustration of smart-card structure and packaging
4
by 4 mm silicon chip in a SIM card, which was peeled open. Note the
thin gold bonding wires and the regular, rectangular digital-memory
areas.
Smart-card reader on a laptop
A smart-card pinout. VCC: Power supply. RST: Reset signal, used to reset the card's communications. CLK: Provides the card with a clock signal, from which data communications timing is derived. GND: Ground (reference voltage). VPP:
ISO/IEC 7816-3:1997 designated this as a programming voltage: an input
for a higher voltage to program persistent memory (e.g., EEPROM). ISO/IEC 7816-3:2006 designates it SPU, for either standard or proprietary use, as input and/or output. I/O: Serial input and output (half-duplex). C4, C8: The two remaining contacts are AUX1 and AUX2 respectively and are used for USB interfaces and other uses.[22] However, the usage defined in ISO/IEC 7816-2:1999/Amd 1:2004 may have been superseded by ISO/IEC 7816-2:2007.
Contact-type smart cards may have many different contact pad layouts, such as these SIMs.
Contact smart cards have a contact area of approximately 1 square centimetre (0.16 sq in), comprising several gold-plated contact pads. These pads provide electrical connectivity when inserted into a reader,
which is used as a communications medium between the smart card and a
host (e.g., a computer, a point of sale terminal) or a mobile telephone.
Cards do not contain batteries; power is supplied by the card reader.
Because the chips in financial cards are the same as those used in subscriber identity modules (SIMs) in mobile phones, programmed differently and embedded in a different piece of PVC,
chip manufacturers are building to the more demanding GSM/3G standards.
So, for example, although the EMV standard allows a chip card to draw
50 mA from its terminal, cards are normally well below the telephone
industry's 6 mA limit. This allows smaller and cheaper financial card
terminals.
Communication protocols for contact smart cards include T=0
(character-level transmission protocol, defined in ISO/IEC 7816-3) and
T=1 (block-level transmission protocol, defined in ISO/IEC 7816-3).
Contactless smart cards
Contactless smart cards communicate with technology (at data
rates of 106–848 kbit/s). These cards require only proximity to an
antenna to communicate.
Like smart cards with contacts, contactless cards do not have an
internal power source. Instead, they use an inductor to capture some of the incident radio-frequency interrogation signal, rectify
it, and use it to power the card's electronics. Contactless smart media
can be made with PVC, paper/card and PET finish to meet different
performance, cost and durability requirements.
APDU transmission by a contactless interface is defined in ISO/IEC 14443-4.
Hybrids
A hybrid smart card, which clearly shows the antenna connected to the main chip
Hybrid cards implement contactless and contact interfaces on a single card with dedicated modules/storage and processing.
Dual-interface
Dual-interface cards implement contactless and contact interfaces on a
single card with some shared storage and processing. An example is Porto's multi-application transport card, called Andante, which uses a chip with both contact and contactless (ISO/IEC 14443 Type B) interfaces.
USB
The CCID
(Chip Card Interface Device) is a USB protocol that allows a smart card
to be connected to a computer, using a standard USB interface. This
allows the smart card to be used as a security token for authentication
and data encryption such as Bitlocker. A typical CCID is a USB dongle and may contain a SIM.
Applications
Financial
Smart cards serve as credit or ATM cards, fuel cards, mobile phone SIMs, authorization cards for pay television, household utility pre-payment cards, high-security identification and access badges, and public transport and public phone payment cards.
Smart cards may also be used as electronic wallets. The smart card chip can be "loaded" with funds to pay parking meters, vending machines or merchants. Cryptographic protocols
protect the exchange of money between the smart card and the machine.
No connection to a bank is needed. The holder of the card may use it
even if not the owner. Examples are Proton, Geldkarte, Chipknip and Moneo. The German Geldkarte is also used to validate customer age at vending machines for cigarettes.
These are the best known payment cards (classic plastic card):
Visa: Visa Contactless, Quick VSDC, "qVSDC", Visa Wave, MSD, payWave
Mastercard: PayPass Magstripe, PayPass MChip
American Express: ExpressPay
Discover: Zip
Unionpay: QuickPass
Roll-outs started in 2005 in the U.S. Asia and Europe followed in
2006. Contactless (non-PIN) transactions cover a payment range of
~$5–50. There is an ISO/IEC 14443 PayPass implementation. Some, but not all, PayPass implementations conform to EMV.
Non-EMV cards work like magnetic stripe cards.
This is common in the U.S. (PayPass Magstripe and Visa MSD). The cards
do not hold or maintain the account balance. All payment passes without a
PIN, usually in off-line mode. The security of such a transaction is no
greater than with a magnetic stripe card transaction.
EMV cards can have either contact or contactless interfaces. They
work as if they were a normal EMV card with a contact interface. Via
the contactless interface they work somewhat differently, in that the
card commands enabled improved features such as lower power and shorter
transaction times.
SIM
The subscriber identity modules used in mobile-phone systems are reduced-size smart cards, using otherwise identical technologies.
Identification
Smart-cards can authenticate identity. Sometimes they employ a public key infrastructure
(PKI). The card stores an encrypted digital certificate issued from the
PKI provider along with other relevant information. Examples include
the U.S. Department of Defense (DoD) Common Access Card
(CAC), and other cards used by other governments for their citizens. If
they include biometric identification data, cards can provide superior
two- or three-factor authentication.
Smart cards are not always privacy-enhancing, because the subject
may carry incriminating information on the card. Contactless smart
cards that can be read from within a wallet or even a garment simplify
authentication; however, criminals may access data from these cards.
Cryptographic smart cards are often used for single sign-on. Most advanced smart cards include specialized cryptographic hardware that uses algorithms such as RSA and Digital Signature Algorithm
(DSA). Today's cryptographic smart cards generate key pairs on board,
to avoid the risk from having more than one copy of the key (since by
design there usually isn't a way to extract private keys from a smart
card). Such smart cards are mainly used for digital signatures and secure identification.
The most widely used cryptographic algorithms in smart cards (excluding the GSM so-called "crypto algorithm") are Triple DES and RSA. The key set is usually loaded (DES) or generated (RSA) on the card at the personalization stage.
Turkey implemented the first smart card driver's license system
in 1987. Turkey had a high level of road accidents and decided to
develop and use digital tachograph devices on heavy vehicles, instead of
the existing mechanical ones, to reduce speed violations. Since 1987,
the professional driver's licenses in Turkey have been issued as smart
cards. A professional driver is required to insert his driver's license
into a digital tachograph before starting to drive. The tachograph unit
records speed violations for each driver and gives a printed report. The
driving hours for each driver are also being monitored and reported. In
1990 the European Union conducted a feasibility study through BEVAC
Consulting Engineers, titled "Feasibility study with respect to a
European electronic drivers license (based on a smart-card) on behalf of
Directorate General VII". In this study, chapter seven describes
Turkey's experience.
Argentina's Mendoza province began using smart card driver's
licenses in 1995. Mendoza also had a high level of road accidents,
driving offenses, and a poor record of recovering fines.
Smart licenses hold up-to-date records of driving offenses and unpaid
fines. They also store personal information, license type and number,
and a photograph. Emergency medical information such as blood type,
allergies, and biometrics (fingerprints) can be stored on the chip if
the card holder wishes. The Argentina government anticipates that this
system will help to collect more than $10 million per year in fines.
In 1999 Gujarat was the first Indian state to introduce a smart card license system. As of 2005, it has issued 5 million smart card driving licenses to its people.
In 2002, the Estonian government started to issue smart cards named ID Kaart
as primary identification for citizens to replace the usual passport in
domestic and EU use.
As of 2010 about 1 million smart cards have been issued (total
population is about 1.3 million) and they are widely used in internet
banking, buying public transport tickets, authorization on various
websites etc.
By the start of 2009, the entire population of Belgium
was issued eID cards that are used for identification. These cards
contain two certificates: one for authentication and one for signature.
This signature is legally enforceable. More and more services in Belgium
use eID for authorization.
Spain
started issuing national ID cards (DNI) in the form of smart cards in
2006 and gradually replaced all the older ones with smart cards. The
idea was that many or most bureaucratic acts could be done online but it
was a failure because the Administration did not adapt and still mostly
requires paper documents and personal presence.
On August 14, 2012, the ID cards in Pakistan were replaced. The Smart Card is a third generation chip-based identity document
that is produced according to international standards and requirements.
The card has over 36 physical security features and has the latest encryption codes. This smart card replaced the NICOP (the ID card for overseas Pakistani).
Smart cards may identify emergency responders and their skills.
Cards like these allow first responders to bypass organizational
paperwork and focus more time on the emergency resolution. In 2004, The Smart Card Alliance
expressed the needs: "to enhance security, increase government
efficiency, reduce identity fraud, and protect personal privacy by
establishing a mandatory, Government-wide standard for secure and
reliable forms of identification". emergency response personnel can carry these cards to be positively identified in emergency situations. WidePoint Corporation, a smart card provider to FEMA, produces cards that contain additional personal information, such as medical records and skill sets.
In 2007, the Open Mobile Alliance (OMA) proposed a new standard defining V1.0 of the Smart Card Web Server (SCWS), an HTTP server embedded in a SIM card intended for a smartphone user. The non-profit trade association SIMalliance has been promoting the development and adoption of SCWS. SIMalliance states that SCWS offers end-users a familiar, OS-independent,
browser-based interface to secure, personal SIM data. As of mid-2010,
SIMalliance had not reported widespread industry acceptance of SCWS.
The OMA has been maintaining the standard, approving V1.1 of the
standard in May 2009, and V1.2 is expected was approved in October 2012.
Smart cards are also used to identify user accounts on arcade machines.
Public transit
SmartRider smart card (Transperth)
Smart cards, used as transit passes, and integrated ticketing
are used by many public transit operators. Card users may also make
small purchases using the cards. Some operators offer points for usage,
exchanged at retailers or for other benefits. Examples include Singapore's CEPAS, Ontario's Presto card, Hong Kong's Octopus card, London's Oyster card, Ireland's Leap card, Brussels' MoBIB, Québec's OPUS card, San Francisco's Clipper card, Auckland's AT Hop, Brisbane's go card, Perth's SmartRider, Sydney's Opal card and Victoria's myki. However, these present a privacy
risk because they allow the mass transit operator (and the government)
to track an individual's movement. In Finland, for example, the Data
Protection Ombudsman prohibited the transport operator Helsinki Metropolitan Area Council
(YTV) from collecting such information, despite YTV's argument that the
card owner has the right to a list of trips paid with the card.
Earlier, such information was used in the investigation of the Myyrmanni bombing.
The UK's Department for Transport
mandated smart cards to administer travel entitlements for elderly and
disabled residents. These schemes let residents use the cards for more
than just bus passes. They can also be used for taxi and other
concessionary transport. One example is the "Smartcare go" scheme
provided by Ecebs. The UK systems use the ITSO Ltd
specification. Other schemes in the UK include period travel passes,
carnets of tickets or day passes and stored value which can be used to
pay for journeys. Other concessions for school pupils, students and job
seekers are also supported. These are mostly based on the ITSO Ltd specification.
Many smart transport schemes include the use of low cost smart
tickets for simple journeys, day passes and visitor passes. Examples
include Glasgow SPT subway. These smart tickets are made of paper or PET which is thinner than a PVC smart card e.g. Confidex smart media. The smart tickets can be supplied pre-printed and over-printed or printed on demand.
In Sweden, as of 2018-2019, smart cards have started to be phased out and replaced by smart phone apps.
The phone apps have less cost, at least for the transit operators who
don't need any electronic equipment (the riders provide that). The
riders are able buy tickets anywhere and don't need to load money onto
smart cards. The smart cards are still in use for foreseeable future (as
of 2019).
Some disk encryption systems, such as VeraCrypt and Microsoft's BitLocker,
can use smart cards to securely hold encryption keys, and also to add
another layer of encryption to critical parts of the secured disk.
GnuPG, the well known encryption suite, also supports storing keys in a smart card.
Smart cards are being provided to students at some schools and colleges. Uses include:
Tracking student attendance
As an electronic purse, to pay for items at canteens, vending machines, laundry facilities, etc.
Tracking and monitoring food choices at the canteen, to help the student maintain a healthy diet
Tracking loans from the school library
Access control for admittance to restricted buildings, dormitories,
and other facilities. This requirement may be enforced at all times
(such as for a laboratory containing valuable equipment), or just during
after-hours periods (such as for an academic building that is open
during class times, but restricted to authorized personnel at night),
depending on security needs.
Access to transportation services
Healthcare
Smart health cards can improve the security and privacy of patient information, provide a secure carrier for portable medical records, reduce health care fraud,
support new processes for portable medical records, provide secure
access to emergency medical information, enable compliance with
government initiatives (e.g., organ donation) and mandates, and provide the platform to implement other applications as needed by the health care organization.
Other uses
Smart cards are widely used to encrypt digital television streams. VideoGuard is a specific example of how smart card security worked.
Multiple-use systems
The Malaysian government promotes MyKad
as a single system for all smart-card applications. MyKad started as
identity cards carried by all citizens and resident non-citizens.
Available applications now include identity, travel documents, drivers
license, health information, an electronic wallet, ATM bank-card, public
toll-road and transit payments, and public key encryption
infrastructure. The personal information inside the MYKAD card can be
read using special APDU commands.
Security
Smart cards have been advertised as suitable for personal identification tasks, because they are engineered to be tamper resistant. The chip usually implements some cryptographic algorithm. There are, however, several methods for recovering some of the algorithm's internal state.
Differential power analysis involves measuring the precise time and electric current
required for certain encryption or decryption operations. This can
deduce the on-chip private key used by public key algorithms such as RSA. Some implementations of symmetric ciphers can be vulnerable to timing or power attacks as well.
Smart cards can be physically disassembled by using acid,
abrasives, solvents, or some other technique to obtain unrestricted
access to the on-board microprocessor. Although such techniques may
involve a risk of permanent damage to the chip, they permit much more
detailed information (e.g., photomicrographs of encryption hardware) to be extracted.
Benefits
The
benefits of smart cards are directly related to the volume of
information and applications that are programmed for use on a card. A
single contact/contactless smart card can be programmed with multiple
banking credentials, medical entitlement, driver's license/public
transport entitlement, loyalty programs and club memberships to name
just a few. Multi-factor and proximity authentication can and has been
embedded into smart cards to increase the security of all services on
the card. For example, a smart card can be programmed to only allow a
contactless transaction if it is also within range of another device
like a uniquely paired mobile phone. This can significantly increase the
security of the smart card.
Governments and regional authorities save money because of
improved security, better data and reduced processing costs. These
savings help reduce public budgets or enhance public services. There are
many examples in the UK, many using a common open LASSeO specification.
Individuals have better security and more convenience with using
smart cards that perform multiple services. For example, they only need
to replace one card if their wallet is lost or stolen. The data storage
on a card can reduce duplication, and even provide emergency medical
information.
Advantages
The
first main advantage of smart cards is their flexibility. Smart cards
have multiple functions which simultaneously can be an ID, a credit
card, a stored-value cash card, and a repository of personal information
such as telephone numbers or medical history. The card can be easily
replaced if lost, and, the requirement for a PIN
(or other form of security) provides additional security from
unauthorised access to information by others. At the first attempt to
use it illegally, the card would be deactivated by the card reader
itself.
The second main advantage is security. Smart cards can be
electronic key rings, giving the bearer ability to access information
and physical places without need for online connections. They are
encryption devices, so that the user can encrypt and decrypt information
without relying on unknown, and therefore potentially untrustworthy,
appliances such as ATMs. Smart cards are very flexible in providing
authentication at different level of the bearer and the counterpart.
Finally, with the information about the user that smart cards can
provide to the other parties, they are useful devices for customizing
products and services.
Reliability that is virtually unaffected by electrical and magnetic fields.
Smart cards and electronic commerce
Smart cards can be used in electronic commerce,
over the Internet, though the business model used in current electronic
commerce applications still cannot use the full potential of the
electronic medium. An advantage of smart cards for electronic commerce
is their use customize services. For example, in order for the service
supplier to deliver the customized service, the user may need to provide
each supplier with their profile, a boring and time-consuming activity.
A smart card can contain a non-encrypted profile of the bearer, so that
the user can get customized services even without previous contacts
with the supplier.
Disadvantages
A false smart-card, with two 8-bit CMOSmicrocontrollers, used in the nineties to decode the signals of Sky Television.
The plastic or paper card in which the chip is embedded is fairly
flexible. The larger the chip, the higher the probability that normal
use could damage it. Cards are often carried in wallets or pockets, a
harsh environment for a chip and antenna in contactless cards. PVC cards
can crack or break if bent/flexed excessively. However, for large
banking systems, failure-management costs can be more than offset by
fraud reduction.
The production, use and disposal of PVC plastic is known to be more harmful to the environment than other plastics. Alternative materials including chlorine free plastics and paper are available for some smart applications.
If the account holder's computer hosts malware,
the smart card security model may be broken. Malware can override the
communication (both input via keyboard and output via application
screen) between the user and the application. Man-in-the-browser malware (e.g., the Trojan Silentbanker) could modify a transaction, unnoticed by the user. Banks like Fortis and Belfius in Belgium and Rabobank ("random reader")
in the Netherlands combine a smart card with an unconnected card reader
to avoid this problem. The customer enters a challenge received from
the bank's website, a PIN and the transaction amount into the reader.
The reader returns an 8-digit signature. This signature is manually
entered into the personal computer and verified by the bank, preventing point-of-sale-malware from changing the transaction amount.
Smart cards have also been the targets of security attacks. These
attacks range from physical invasion of the card's electronics, to
non-invasive attacks that exploit weaknesses in the card's software or
hardware. The usual goal is to expose private encryption keys and then
read and manipulate secure data such as funds. Once an attacker develops
a non-invasive attack for a particular smart card model, he or she is
typically able to perform the attack on other cards of that model in
seconds, often using equipment that can be disguised as a normal smart
card reader. While manufacturers may develop new card models with additional information security, it may be costly or inconvenient for users to upgrade vulnerable systems. Tamper-evident and audit features in a smart card system help manage the risks of compromised cards.
Another problem is the lack of standards for functionality and
security. To address this problem, the Berlin Group launched the ERIDANE
Project to propose "a new functional and security framework for
smart-card based Point of Interaction (POI) equipment".
.jpg)
