Combining Encryption Methods in Multipurpose

Smart Card
Maryam Savari

Mohammad Montazerolzohour

Yeoh Eng Thiam

Faculty of Computing and Informatics

Multimedia University, (MMU)
Cyberjaya, Selangor, Malaysia
marirooz@yahoo.com

Faculty of Computing and Informatics

Multimedia University, (MMU)
Cyberjaya, Selangor, Malaysia
mason.montazer@gmail.com

Faculty of Computing and Informatics

Multimedia University, (MMU)
Cyberjaya, Selangor, Malaysia
etyeoh@mmu.edu.my

Abstract Smart cards have many applications such as health,

ID verification and access control, electronic purse card, banking
card, payphone card, passport card and license card. Since, there
are many kinds of smart cards, it is difficult to carry and protect
them. Losing one card means losing a lot of important
information. So in this paper proposes to combine some
important cards such as: health, passport and credit system in
one multipurpose smart card and find an encryption method to
make it enough secure. It should also be efficient in transferring
information. It means, we develop an effective encryption system
for these three applications in a multipurpose smart card and we
propose an optimized encryption system for the applications.
Keywords; RSA; ECC; DES; AES; Encryption; Decryption

I.

INTRODUCTION

Smart card is also called a cheap card or integrated circuit

card. Smart cards are used for data storage, transaction and
processing with strong security authentication. Smart cards do
not have component such as power resource, display area or
keyboard [2]. As mentioned above, smart cards are very useful
these days, but there are problems with them. Since, there are
many kinds of smart cards, it is difficult to carry many cards
and protect them. You may lose, leave or forget one of them
and it means that you lose important personal information [18].
Another problem with smart cards is limitation of storage in
smart cards. Smart cards need to transfer data in a short time
and encrypt them very fast. So, having an efficient encryption
system is very important [5, 6]. Therefore, we have decided to
design a cryptosystem for multipurpose smart cards.
Multipurpose smart card is a smart card with many different
applications in one smart card [18]. As everyone knows,
carrying and protecting one smart card is easier and more
comfortable than carrying two or more smart cards. We choose
three most important cards such as health card, credit cards and
passport cards to be combined in one smart card.
So, in this paper we are going to design an efficient
encryption system for a multipurpose smart card.
In the first section we explain about the encryption methods
in smart cards and an overview on combination algorithm. In
the second section current algorithms and methods in the
health, passport and credit system are considered. In the third
section we explained our methodology and the reason why we
have chosen this method. Finally in the last section encryption
method which we used in our multipurpose smart card is

released together with recommendation for future work and the

conclusion of the paper.
II. BACKGROUND
A. Overview of Encryption Methods for Smart cards
The algorithm used in smart cards is block-oriented which
means ciphertex and plaintext can only be processed in packets
with fixed lengths (such as 8 bytes with DES) [2].
The old principle known as principle of security by
concealment is to prevent attackers from finding out how the
system works. This system is used today but the modern
cryptography is biased on Kerckhoffs principle. This principle
known as Auguste Kerckhoff (18351903), is based on secrecy
of key. It means secrecy of key is important not secrecy of
algorithm. It is recommended that we dont use one principle
only because it is easily to broken in a short time [2, 4].
Cryptographic functions in smart cards consist of huge
number of algorithms. It means there are a lot of algorithms to
be implemented in smart cards. Algorithms in smart cards are
not accessible from outside. On the other hand, card reader or
any other device cannot have access to the algorithms inside
the smart card and they can communicate with smart cards
through interface only. Smart cards used public key, private
key and hash function. All types of algorithms used in smart
cards are shown in Table 1 [2].
TABLE I.

ALGORITHMS IN SMART CARD.

Type of algorithm
Symmetric cryptography
algorithm

Asymmetric cryptography
algorithm

Hash function

Algorithm
AES (128 bit, 196 bits, 256
bits)
DES (56 bit)
T-DES (112 bit)
IDEA (128bit)
DSA
ECDSA (160-256 bit)
RSA (1024-2048 bit)
HMAC
MD5
RIPEMD-160
SHA-1 and SHA-256

43

978-1-4673-1677-4

There is a list of standard algorithms which are currently

used in smart card: For Private Key (symmetric key) the
algorithms are DES (Data Encryption Standard), 3DES, and
AES (Advanced Encryption Standard), for Public Key
(asymmetric key) the algorithms are RSA (Rivest-ShamirAdleman) and ECC (Elliptic Curve Cryptography), and for
hash function the algorithms is SHA (Secure Hash Algorithm).
Smart cards also offer a full range of signature functions, which
are based on asymmetric cryptographic algorithms.
B. Combination Algorithm Method
The process for this method is as follows:
Encryption process:
1- Data are encrypted with a symmetric algorithm. The
result of data encryption is cipher text and a key.
2-

Key is encrypted with the asymmetric algorithm.

3- Encrypted key and cipher text will be sent for

receiver. The exact process is shown in the Figure 1.

Figure 1. Encryption process for combination algorithm.

Decryption process:
1- Decrypt symmetric key with private key of
asymmetric algorithm. (for example: decrypt DESs key with
ECC private key )
2- Decrypt the cipher text with symmetric key [20]. The
exact process is shown in the Figure 2.

Figure 2. Decryption process for combination algorithm.

In a real transaction between a smart card and terminal,

since in the terminals there is not any security module so it is
impossible to use symmetric cryptographic algorithms because
key cannot keep secret without security modules. Using
security modules in terminals have some disadvantages like:
Using Security modules in the terminals increase the cost of
terminals so it is not cost effective to use them in the terminals.
Also, in international transaction it will be very complicated
and expensive to manage the key when it operates offline [2].
There are two conditions to catch smart card authentication
by the terminal
1used

An asymmetric cryptographic algorithms must be

2- EMV uses static unilateral authentication with cardspecific keys [2].

Smart card cannot check authentication of terminal when it
is using static unilateral authentication, but it is not essential in
the EMV application to check authentication of terminal. In
fact, the card only proves a transaction certificate for the
terminal. Terminal authenticates transaction only by
connecting to the relevant card issuer and finding information
of cardholder from there. Finally every transaction will be
submitted to the relevant card issuer by an authorized
merchant. This way reduces huge amount of fraud because
allowed transaction will only be those which are authorized by
related card issuer.
In the following section, I describe payment process with
smart card. The customer submits his card to cashier and
cashier inserts it to the card reader. If terminal is available the
identity of the cardholder must be verified by a signature. In
this case, the associated transaction receipt has a marker that
indicates that the card user has been identified in this manner
[2]. Apart from signature there is another way to verify user
which is by entering four-digit PIN. PIN can be checked online
or offline. In online it will be checked by the background
system and in offline by smart card. If a PIN is used for
identification, the transaction certificate indicates which type of
PIN check was performed. The payment process is shown
graphically in Figure 3 [2].

III. SMART CARD APPLICATIONS

In this section we explain the process of each application in
a real smart card.
A. Health System
In most of health card RSA is used because it is standard
but in this paper ECC algorithm is used because it is safer and
faster than RSA [6, 9]. All the process in real health system is
similar to our system except kind of algorithms. So for prevent
of redundancy we explain all the process in the section V.
B. Credit System
The cryptographic mechanisms used in an application are
naturally highly dependent on the associated general
requirements. This can be seen especially well in the EMV
(Europay, MasterCard, and Visa) application [1, 2].

978-1-4673-1677-4

Figure 3. Payment process of transaction in a smart card in an EMV. [2].

In EMV all processes are in encrypted form. Mother Key

and ID will be checked by card issuer for authentication of card
and user. In online EMV all transaction will be done only with
catching authentication of card issuer. In Figure 4 the summary
of encryption and decryption Process is shown.

44

Figure 4. Payment process of transaction in an EMV.

C. Passport System
International Civil Aviation Organization (ICAO) defined
standards for passport in the International Organization for
Standardization (ISO). E-passport is smart card with integrated
circuit which stores similar information in the paper passport.
E-passport is used for authentication of card holder. It includes
a digital photograph which is used for biometric comparison. In
the international border person authentication is with facial
recognition technology from digital photography. This
interface is one of the advantages of passport card but passport
cards have a problem in reliability and security. There is not
any encryption between card reader and e-passport. A. Baith
Mohamed, Ayman Abdel-Hamid and Kareem Youssri
Mohamed used EPC RFID Tags method to solve this problem
and in a few systems TDES is used to solve this problem [10].
Since, there are many threats to catch information and
every system will face the risk of threats, system should be
protected against attacks. Passport cards have been facing these
threats as like as other system. Some threats in passport cards
are between smart card and card reader and some of them are
between card reader and card issuer or server which will
authenticate the information of the card holder. Advanced
Encryption Standard (AES) is used to prevent attack in
transaction between card reader and server also Chip
Authentication and Terminal Authentication are implemented
to avoid threats between reader and e-passport. There is no
encryption algorithm between passport card and card reader
[10, 16]. In Figure 5 the process is demonstrated in a simple
way.

Figure 5. Passport Card system.

IV. METHODOLOGY
For safety of data transfer with smart card two features are
very important:
1- Safeguarding the data and information.

We should mention that there are many types of algorithms

and methods for these three applications but we tried to analyse
which algorithm is more suitable and efficient for a system
which consists of more than one application. In our
multipurpose smart card there are four main sections. First
section is common information and another three sections are
health, credit and passport application. Common information
consists of common data among three applications and
important information in health system which doctor must
access in emergency situation such as blood type, age,
emergency contacts and etc. Data in this section are encrypted
with ECC algorithm.
Based on three applications which exist in this
multipurpose smart card (passport system credit system and
health system) there are three different levels of security in this
smart card. It means we use different types of encryption
methods in each system. These depended on level of security
needed and amount of data needed to transfer between database
and smart card [17]. An arrangement of the algorithm needed
in each system is shown in Table 2.
TABLE II.

Applications
Health
Credit
Passport

ALGORITHMS USED IN THE MULTIPURPOSE SMART CARD.

Asymmetric
Algorithms
ECC
ECC
ECC

Semantic
Algorithms
DES
AES
-

Method
Combination
Combination
Point
Doubling

For asymmetric algorithms, ECC and RSA algorithms are

two possible algorithms. In this project ECC algorithm is
chosen because ECC with 160 bit key size Provide equivalent
security level with 1024 bit key size in RSA. Therefore ECC
uses smaller length key size so ECC algorithm has faster
computation than RSA algorithm. Also, ECC algorithm is
based on difficult mathematics so it has more complexity and
ECC need smaller bandwidth and used lower power. On the
other hand, the ECC algorithm is suitable for a device with
limited storage such as: PDA (Personal Digital Assistant),
pagers, cell phones, and smart cards [3, 8, 11, 13, 22, 23].
Possible symmetric algorithms for smart card are DES,
TDES and AES algorithm [2]. For health system and credit
system we used a combination algorithm method. The amount
of data in health system is huge so using only one asymmetric
algorithm takes a lot of time for encryption and decryption. On
the other hand, using only one symmetric algorithm is not safe
enough since the best method for health system is by using
combination algorithm. All data are encrypted with symmetric
algorithm at first and the key of symmetric algorithm is
encrypted with asymmetric algorithm to make the system faster
and safer than using only one algorithm. In this multipurpose
smart card DES algorithm is chosen for health system because
the amount of data to transfer from smart card to database is
huge. TDES and AES are not suitable because they take more
time for encryption and decryption process. Since there are
high levels of data to transfer between database and smart card
DES is the best, because DES is much faster than TDES and

2- Handling of large amount of data.

978-1-4673-1677-4

45

AES algorithm. Also, the level of security in DES algorithm is

enough for a system like health system [19, 20].
In credit system the most important requirement is level of
security and algorithm with high level of security is the first
priority in credit system. The amount of data which transfer
between smart card and database is not high and choosing an
algorithm with high level of security is more important than
speed. Thus, we can choose a slow algorithm with high level of
security. Since, combination algorithm is safer than using only
one algorithm and the amount of data in credit system is not
huge like health system the best method for credit system is
combination of AES (symmetric) and ECC (asymmetric)
algorithm. AES algorithm is slower than DES and TDES but it
is more complicated and safe. In addition, the amount of data in
credit system is not large so using AES algorithm does not
reduce efficiency of the system. Information is encrypted with
AES algorithm at first and the key of AES algorithm will be
encrypted with ECC algorithm [2, 19].
The only algorithm used in passport system is ECC
algorithm. In the current passport system there is no security
algorithm between smart card and card reader. Since, in this
project providing an efficient system is one of the most
important requirements we used ECC algorithm between smart
card and card reader. ECC algorithm has high level of security
and it is faster than RSA algorithm. Since, in the passport card
biometric verification is used for authentication of the person
and it is contact less card, speed is very important [10, 16]. So,
ECC algorithm is the best algorithm for passport system. Table
3 demonstrates requirement in security, speed and level of data
in every application. According to this table the reason for
using every algorithm is clear.
TABLE III.

IMPORTANT REQUIREMENT IN IN EACH APPLICATION.

Requirement
Application

Level of
speed
requirement

Level of
speed data

Level of
security

Health System

high

huge

middle

Credit system

middle

low

high

Passport System

high

middle

middle

In this smart card there is only one PIN number in the

system which is taken in the login. After login common
information appears and user can choose one of the
applications. User cannot run two applications at the same
time. Access to each application is possible only after exiting
other applications. It means it is not possible to run more than
one application at the same time. This make the system more
secure. The system process is shown in the Figure 6 and 7.

Figure 6. Multipurpose smart card system with

Figure 7. Multipurpose smart card with its own applications.

Base on Figure 6 at first user must login or register to the

system. After login Common Info page will appear and users
can choose applications on this page (it also shown on Figure
7). Each application has its own algorithm for encryption and
decryption. Data for each application is shown in Figure 6. For
better safety all the data must be saved to database in encrypted
form only. So when data arrived from database it must decrypt
in the smart card at first then demonstrate for end user. Also,
when user completes an application data must encrypt again to
be sent to the database. Transferred data in encrypted form
reduce risk of hacking of data by middleman.
V. PROPOSED ENCRYPTION FOR MULTIPURPOSE SMART
CARD
In this project three applications are combined namely
health, credit and passport system. Encryption method in every
system is explained here. We implemented this multipurpose
smart card in C# language.
A. Health System
During transfer of data or information a non-authorized
person can read or wiretap information of patients. Use of
security algorithms is a safe way to prevent access by
unauthorized person. There are many kinds of power
algorithms for catching high security, but we used DES (Data
Encryption Standard) and ECC. In the health application at

978-1-4673-1677-4

46

first, mother key exchange for authentication of health and card

reader. It is demonstrated in Figure 8.

Figure 11. Process of alternative in the system by doctor.

Figure 8. Encryption Process between Health Card and Card Reader

Both patient and doctor must be verified by card. This

verification is inside the health card. After verification related
session of database is opened according to ID entrance. This
stage has high level of integrity.

Figure 9. Verification Process of Patient and Doctor in Health System

The process of transaction will be done in this stage.

Finally there is a mention, in principle, any desired
cryptographic algorithm can be used, since both the associated
data elements and the algorithm itself are unambiguously
identified by TLV-coded data structures [2] but it is the
proficiency of designer to choose the best algorithms for the
system according to requirement of the system.
B. Credit System
In our system in the first stage public information of card
holder and account will be demonstrate but information in this
section is not changeable by user. Information release from the
database in encrypted form and system decrypt and show them.
As we explained before information encrypt with AES
algorithm at first and the key of AES algorithm encrypt with
ECC algorithm (combination algorithm).
The only writable section of credit system is transaction
section. When a card holder punches goods the amount of
balance will be changed so, new balance must be save in the
database. In addition, general information should keep in
encrypted form in the database. Therefore, credit system need
encryption process for finish its job. The process of encryption
is shown in the Figure 12. Rest process is exactly same as real
credit system which explained before.

In the health system, amount of information is large so it

takes a lot of time to encrypt data with asymmetric algorithms.
Thus, data will be encrypted with a symmetric algorithm like
DES and since, symmetric algorithm are not safe enough we
encrypt DES key with an asymmetric algorithm like ECC.
Figure 12. Encryption process in credit system

C. Passport System
Passport system use only ECC algorithm for Encryption
data. Data are not changeable by user. The process of
encryption is shown in the Figure 13. Rest process is exactly
same as real passport system which explained before.
Figure 10. Health Card communicates with database.

Doctors can write new prescription for patient. This

alteration will be saved in health card or database only with
doctor digital signature.
Figure 13. Encryption process in passport card.

978-1-4673-1677-4

47

VI. CONCLUSION
Combination algorithms are one of the useful and efficient
methods which are suitable for applications with high level of
data to transfer. Using multipurpose smart card is much better
than carrying different cards.
Also, using encryption
algorithms in passport card make them more secure. Since,
data in health system is huge the best algorithm for health
system is combination algorithms of DES and ECC. Finally the
best algorithm for a credit card is combination of ECC and
AES because it is secure enough for credit system.
REFERENCES
[1]

D. R. Hankerson, S. A. Vanstone, A. J. Menezes, Guide to Elliptic

Curve Cryptography, 2003.
[2] W. Rankl, W. Effing, Smart card handbook, 3rd ed., John Wiley
and Sons Ltd., Baffins Lane, England: Spring Verlag.
[3] W. Rankl, W. Effing, Smart Card Applications, Design Models for
using and programming smart cards, 2007.
Giesecke &
GmbH.Devrient, Munich. x Germany, Translated by Kenneth Cox.
[4] J. A .Menezes, C.Paul, V.Oorschot, S. A. Vanstone Handbook of
Applied Cryptography, 5the ed., 2001.
[5] T. Abdurahmonov, M. H. Helmi, Y. E. Thiam, The Implementation
of Elliptic Curve Binary Finite Field for the Global Smart Card,
Proceedings of 2010 IEEE Student Conference on Research and
Development (SCOReD 2010), 13 - 14 Dec 2010, Putrajaya, Malaysia.
978-1-4244-8648-9/10/ 2010 IEEE, 2010, pp. 169-173.
[6] T. Abdurahmonov, Y. E. Thiam, M. H. Helmi, Improving Smart
Card Security Using Elliptic Curve Cryptography over Prime Field,
2010.
[7] T. Abdurahmonov, M. H. Helmi, Y. E. Thiam, Personal Information
Requirements of Global Information System, International
Conference on Science and Social Research (CSSR 2010), Kuala
Lumpur, Malaysia, 2010, pp. 1197-1202.
[8] T. Abdurahmonov, Y. E. Thiam, M. H. Helmi, A Proposed
Implementation of Elliptic Curve Digital Signature Algorithm
(ECDSA) in Global Smart Cards, ITC 2010 Digital library, 2010.
[9] T. Abdurahmonov, Y. E. Thiam, M. H. Helmi, Improving Smart
Card Security Using Elliptic Curve Cryptography over Prime Field,
IEEE Xplore. January 28, 2011, Pp. 169 173.
[10] MSc S.Arora, Information Security-Siddhartha Arora Final, 2007,
[Online].Available:
http://www.porvoo12.net/MSc_Information_Security.pdf.

978-1-4673-1677-4

[11] C. Sanchez-Avilaf, R. Sanchez-Reillo, The Rijndael Block Cipher

(AES Proposal): A Comparison with DES, 0-7803-6636-0/01/ 02001
IEEE, 2001, pp. 229-234.
[12] M. S. Anoop, Elliptic Curve Cryptography,
[Online].
Available:http://scholar.google.com.my/scholar_url?hl=en&q=http://w
ww.infosecwriters.com/text_resources/pdf/Elliptic_Curve_AnnopMS.p
df&sa=X&scisig=AAGBfm2g4sjHrmiybRY69w8lIxzfFKRFIA&oi=sc
holar.
[13] A. Nadeem, Dr M. Younus Javed, A Performance Comparison of
Data Encryption Algorithms, 0-7803-9421-6/05/ 2005 IEEE, 2005,
pp. 84-89.
[14] J. H Han, Y. J. Kim, S. I. Jun, K. I. Chung, H. Chang Seo,
Implementation of ECC/ECDSA Cryptography Algorithms Based on
Java Card, IC Card OS Research Team, ETRI. 22nd International
Conference on Distributed Computing Systems Workshops
(ICDCSW02) 0-7695-1588-6/02 .2002 IEEE.
[15] A. Kleijhorst, van der Velde.E T, Baljon.M H, Gerritsen.M J G M,
Oon.H, Secure and Cost-Effective Exchange of Cardiac Images over
the Electronic Highway in the Netherlands, 0276-6547/97 1997 IEEE,
1997, pp. 191-194.
[16] A. B. Mohamed, A. A. Hamid, K. Y, Mohamed, Implementation of
an Improved Secure System Detection for E-passport by using
EPCRFIDTags, 2009
[17] Nyamasvisva, E. Tadiwa, H. Halabi, Multi-level security algorithm
for randon ZigBee Wireless Sensor Network, In: 4th International
Symposium on Information Technology 2010 (ITSim'10), 15-17 June
2010, KLCC, Kuala Lumpur, 2010, pp. 612-617.
[18] S. Omar, H. Djuhari, Multi-purpose student card system using smart
card technology. Information technology based higher education and
training, ITHET 2004. Proceedings of the Fifth International
conference on, 2004, pp. 527-532. .
[19] C. Sanchez-Avilaf, R. Sanchez-Reillo, The Rijndael Block Cipher
(AES Proposal): A Comparison with DES 0-7803-6636-0/01/ 02001
IEEE, 2011, pp. 229-234.
[20] S. Ricardo, M. E. Correia, A. Lus, Securing a health information
system with a government issued digital identification card, 978-14244-1817-6/082008 IEEE, 2008, pp. 135-142.
[21] O. P. Verma, R. Agarwal, D. Dhiraj, T. Shobha, Performance
Analysis of Data Encryption Algorithms, 978-1-4244-8679-3/11/
2011 IEEE, 2011, pp. 399-403.
[22] Y. Wang, L. Douglas Maskell, L. Jussipekka, T. Srikanthan, Unified
Signed-Digit Number Adder for RSA and ECC Public-key
Cryptosystems, 1-4244-0387-1/06/ 2006 IEEE, 2006, pp. 1655-1658.
[23] Z. Peng, J. J. Fang, Comparing and Implementation of Public Key
Cryptography Algorithms on Smart Card, C 978-1-4244-7237-6/
2010 IEEE. V12-508-V12-510.

48