
Evaluation of Distributed Intelligence on the Smart Card

Kazuo J. Ezawa, Greg Napiorkowski, Mariusz Kossarski
Mondex International Limited
Atlantic Technology Center, Suite 109, 100 Campus Drive, P.O. Box 972, Florham Park, New Jersey, 07932-0972, USA

Abstract

We describe challenges in the risk management of the smart card based electronic cash industry and describe a method to evaluate the effectiveness of distributed intelligence on the smart card. More specifically, we discuss the evaluation of a distributed intelligence function called "on-chip risk management" of the smart card for the global electronic cash payment application using micro dynamic simulation. Handling of uncertainty related to the future economic environment and various potential counterfeit attack scenarios requires simulation of such an environment to evaluate on-chip performance. Creating a realistic simulation of the electronic cash economy, transaction environment, consumers, merchants, and banks is a challenge in itself. In addition, we show examples of the detection capability of off-chip, host based counterfeit detection systems based on the data set generated by the micro dynamic simulation model.

1 INTRODUCTION

The smart card market is expanding rapidly as a result of its superior security, reliability, and capacity. Its ability to carry intelligent applications on the card such as "access", "credit/debit", "electronic cash", etc. gives the smart card an expanding market. The smart card provides distributed processing power, a computer in your wallet.

The smart card has effective card authentication and verification methodologies, employing cryptographic techniques. A smart card can be authenticated in one of two ways, either Static or Dynamic:

1. Using Static authentication the smart card sends the terminal a "digital signature" containing information which uniquely identifies the card, e.g., card serial number, manufacture ID and manufacture date. The terminal will decrypt the signature to determine if the card is genuine.
2. Using Dynamic authentication the terminal will generate some random data, known as seed, and will ask the smartcard to encrypt the data. On receipt of the encrypted data the terminal will decrypt the data. If the decrypted data is the same as the seed then the card is genuine. Dynamic authentication is only possible with smartcards due to their ability to perform cryptography.

As card industries move from magnetic strip cards to smart cards, the ability to process information on the cards drastically increases. In the case of a magnetic strip card, it is imperative to rely on the host system's intelligence to authorize the transactions (e.g., credit/debit) since the card has no information processing capability of its own. As we move to the smart card, the intelligence doesn't have to be concentrated on the host system, but can be moved from the host system to a more balanced combination of host and smart card itself.

1.1 DISTRIBUTED INTELLIGENCE ON SMART CARD AS RISK MANAGEMENT TOOL

Security and risk management are integral parts of the development and deployment of a "risk managed" smart card application for a global electronic cash payment such as Mondex electronic cash. There are three critical components -- prevention, detection, and containment -- to achieve a balanced risk managed smart card application. Security is primarily concerned with "prevention." Risk management is primarily concerned with "detection" and "containment" in the event that the security were to be broken. The discussion of security can be found in [Maher, 1997].

The objectives of smart card electronic cash risk management can be summarized as follows:

• To contain the economic risk exposure to a predetermined level, and
• To ensure the stability and continuity of the product.

One of the key economic risk exposures is due to "counterfeit" of electronic currency. Among other things, the security and risk management is designed to address this threat head-on to minimize the impact of such attacks. At the same time, it is designed to ensure the stability and continuity of the product.

More specifically, to accomplish smart card electronic cash risk management objectives, risk management strategy can stand on the four pillars:

• Prudential Risk Management
• On-Chip Risk Management
• Off-Chip Risk Management
• Micro Dynamic Simulation

Each pillar has its unique contribution to the objectives, but when they are balanced and combined, they become a formidable structure on which to base the risk management strategy and to accomplish the objectives. It may seem obvious, but the prudential risk management is essential to the success of the product. It includes corporate governance and structural control. It is the foundation on which the rest of the risk management is built.

One of the fundamental strategies in smart card electronic cash risk management such as Mondex is to economically exploit the on-chip data processing power of the smart card to the maximum extent. By installing risk management functionality on a chip, some of the critical risk management tasks are performed at the time of transaction autonomously on the transacting smart cards. On-chip risk management functionality includes both on-chip detection and on-chip incidence response. On-chip incidence response can be activated autonomously, or by the central command.

There's a paradigm shift in off-chip (i.e., host system based) risk management as well. It partly relies on the on-chip intelligence to collect information selectively. At the same time, a multi-layered off-chip monitoring and detection capability is deployed to analyze possible counterfeit activities. All the on-line transactions can be monitored, and some of the off-line transactions are selectively monitored.

Since counterfeit activities on electronic cash purses/cards are non-existent, the Micro Dynamic Simulator was developed to simulate the impact of various counterfeit scenarios on the electronic cash economy for Mondex. It allows us to evaluate the effectiveness of the on-chip detection, the on-chip incidence response, and off-chip detection systems. It also generates data sets to create off-chip detection models. As we succeed in risk management, counterfeit transactions won't be available. The evaluation of new enhancements to on-chip functionality and the re-calibration of off-chip detection models have to come from the simulator using real market inputs.

The paper is organized as follows. Section 2 describes the Mondex global electronic cash payment scheme to set the stage. Section 3 discusses the distributed intelligence - on-chip risk management capability on the smart card as an example of such intelligence. Section 4 discusses the micro dynamic simulation. Section 5 discusses the quantification of the impact of counterfeiter's threat scenarios using the micro dynamic simulator. Section 6 discusses the effectiveness of off-chip, host system based counterfeit detection systems. Section 7 summarizes the discussion.

2 GLOBAL SMART CARD BASED ELECTRONIC CASH PRODUCT

The global smart card based electronic cash product such as Mondex electronic cash has the security and the risk management to prevent, detect, contain, and recover from potential counterfeit activities. It is designed to make the counterfeiter's "chain" of tasks as difficult as possible in every step of the way [Ezawa et al. 1998].

The product is designed for efficient electronic cash payment transactions. It performs purse (chip) to purse (chip) transactions without central authorization. It has many on-chip capabilities and features such as physical security, cryptographical security, purse class structure (i.e., it restricts the interactions of different types of purses), purse limit, on-chip risk management capability (e.g., credit turnover limit), and migration¹. Purse class structure, purse limit, and credit turnover limit will be revisited in the following section.

Figure 1 shows the Mondex transactions among the different classes of purses. A solid line indicates transactions currently allowed, and a dotted line indicates the transactions severely restricted (or disallowed) at this stage of product evolution.

Ideally, an advanced smart card based electronic cash scheme, as a substitute for "real" money, should parallel the existing money supply and banking system. Therefore such a scheme would include a currency "originator" (equivalent of central bank), and "members" (commercial banks and other financial institutions with their branches). There are merchants who transact with consumers and members, and consumers transacting with other consumers, merchants, and members.

¹ It involves switching of one public key scheme to the other.

3 DISTRIBUTED INTELLIGENCE -- ON-CHIP RISK MANAGEMENT

As we have already discussed, one of the fundamental strategies in smart card electronic cash risk management such as Mondex electronic cash is to economically exploit the on-chip data processing power of the smart card to the maximum extent. It allows risk management tasks to be done on the chip autonomously for each transaction without external intervention.

On-chip functionality in the "security" arena has been around for many years, but in the risk management arena it is a new and relatively unexplored field. In the past, an old generation of simple chips with a limited computing capability was forced to rely heavily on the host systems for intelligence for transactions and monitoring (i.e., on-line transactions and authorization). New generation of chips have
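The static and dynamic authentication exchanges described in the Introduction, as an added example that is not code from the paper or from Mondex: a card with a processor passes both checks, while a storage-only card can present the stored signature but cannot answer a fresh seed. The toy textbook-RSA keys, the card record layout, the class and function names, and the assumption that the terminal already trusts the card's public modulus are all constructed for illustration.

```python
import secrets

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (modulus, private exponent) for textbook RSA on primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys built from Mersenne primes: unpadded and far too
# small for real use, chosen only so the example needs no external library.
ISSUER_N, ISSUER_D = make_key(2**521 - 1, 2**607 - 1)
CARD_N, CARD_D = make_key(2**89 - 1, 2**107 - 1)

# Constructed card record, signed once by the issuer at personalisation.
CARD_DATA = b"CARD|serial=00012345|mfr=0042|date=1998-01-15"
STATIC_SIG = pow(int.from_bytes(CARD_DATA, "big"), ISSUER_D, ISSUER_N)

class SmartCard:
    """Card with a processor: stores the signature and its own private key."""
    def __init__(self, static_sig, n, d):
        self.static_sig, self._n, self._d = static_sig, n, d
    def respond(self, seed):
        return pow(seed, self._d, self._n)  # "encrypt" the terminal's seed

class MemoryOnlyCard:
    """Storage without computation (hypothetical): can only return stored data."""
    def __init__(self, static_sig):
        self.static_sig = static_sig
    def respond(self, seed):
        return self.static_sig  # nothing on the card can process the seed

def static_auth(card, issuer_n=ISSUER_N):
    """Terminal 'decrypts' the stored signature; returns card data or None."""
    m = pow(card.static_sig, E, issuer_n)
    data = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return data.decode("ascii", "replace") if data.startswith(b"CARD|") else None

def dynamic_auth(card, card_n=CARD_N):
    """Terminal sends a fresh random seed and checks the decrypted reply."""
    seed = secrets.randbelow(card_n - 2) + 2
    return pow(card.respond(seed), E, card_n) == seed

if __name__ == "__main__":
    genuine = SmartCard(STATIC_SIG, CARD_N, CARD_D)
    stored_copy = MemoryOnlyCard(STATIC_SIG)
    for name, card in (("smart card", genuine), ("memory-only", stored_copy)):
        print(name, "static:", static_auth(card) is not None,
              "dynamic:", dynamic_auth(card))
```

Because the seed is drawn fresh for every attempt, only a card that can compute with the private key produces a reply that decrypts back to it.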