Security and Privacy on the U3 Platform

Be Smart with U3

A bit of Background …

Anyone who has programmed in BASIC and used the INP function and OUT statement for port I/O would expect them to work in the Visual Basic environment too, but, fortunately or unfortunately, they do not.
The Visual Basic language has no support for direct hardware access, and an application (in whatever language it is written) cannot access hardware directly at all when it runs on a system from the Windows NT family (NT, 2000, XP, etc.): the IN and OUT instructions are privileged there, and a user-mode program that executes them is stopped with an exception instead of reaching the port.
These functions matter to PC hardware developers and programmers because in DOS, Windows 95 and Windows 98 they let you read from and write to I/O ports directly. Without INP and OUT you cannot read from or write to your device from BASIC.
Fortunately the concept of dynamic link libraries, or DLLs, comes to the rescue. VB can link to a DLL at run time (dynamically), and the DLL itself can be written in any language: Delphi, Borland C++ or Microsoft Visual C++.
VC++ has port I/O read/write functions (_inp and _outp, declared in conio.h), and the VC++ compiler can build DLLs as well as executable EXE files. (On the NT family these functions still compile to the privileged IN/OUT instructions, so the DLL alone is not enough there; see the note below.) Thus you can
  • Write VC++ code that uses these read/write functions
  • Compile it into a DLL instead of an executable EXE file
  • Call your functions from VB
  • Make use of the facilities a DLL provides, such as being notified when a process loads or unloads it, and a place (DllMain) to put code that runs at those points
  • Modify the DLL to change the behaviour of its functions without rebuilding the whole application

The list is long; for more details on the features of DLLs see the "DLLs, Processes, and Threads" section of the MSDN Library.

Now let's suppose that you are a developer who wants to write an application that needs to communicate with a hardware port, say for a data acquisition card, a motor controller, or even a robotic arm you have just built, and you have never written an application that does so. Further, you have only ever programmed in Visual Basic.

At this point the major challenges that you have are:

  • How do I access these ports?
  • What should I do so that my application runs on the Windows NT family of operating systems as it would on Windows 95 or 98?

I emphasize the difference between the two operating system families because they treat port I/O very differently, as we'll see shortly: Windows 95 and 98 generally let user-mode code execute IN and OUT directly, whereas the NT family reserves port I/O for kernel mode, so on NT the user-mode DLL has to hand the actual port access to a kernel-mode driver. Keep in mind that a driver which grants raw port access (or I/O privilege) to an arbitrary user-mode process effectively hands that process kernel-level control of the machine, so such a driver should only be installed where that is acceptable and should restrict which ports and which callers it serves.

So now we know what we intend to develop and, more importantly, why. Let's get started!
Before you do, you'll probably want to download the support files and sample code from the articles section at www.onsmartcards.com.

-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

November 11, 2006 Posted by | Uncategorized

Programming Custom Hardware for Windows

The task of developing custom applications that access custom hardware can be daunting even for a seasoned application developer, and especially for someone who has just learned to build applications with Visual Basic and similar RAD tools.

In this blog I present an alternative approach that may let even non-programmers do what they want: build a custom UI and then talk to a specific piece of hardware connected to their machine.

I don't assume the reader is familiar with port access on Windows NT/2000/XP, or even Windows 98, but I do assume that he knows what he is trying to do.

The first step is to understand why a framework that lets RAD tools access hardware is needed, and then to see what advantages it brings.

Finally we will get into developing such a framework.

-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

November 11, 2006 Posted by | Uncategorized

Java Card Technology and Smart Cards

With Java Card technology, smart card programming is finally entering the mainstream of application development. One of the major problems in smart card programming has been consistency and interoperability across different vendors and standards; Java Card addresses this by providing a unified interface for developing genuinely portable applications (applets) for smart cards. A first principal characteristic of smart card programming is its security model: a tamper-resistant chip whose operating system mediates every access to the data it holds.
Smart card programming is characterized by two system requirements: data security and data integrity. When programming a smart card you will always have to design and write the software the user interacts with to go through the key authorization process and the other related tasks the cardholder needs to perform.

European smart card standards are the most widespread in the industry, Europe being the technology's birthplace. There are several smart card standards, too many to discuss here.

until next blog,
– Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

November 7, 2006 Posted by | Uncategorized

Writing a Smart Card Library – The Approach

Let's first talk about how one writes an application with just the raw WinSCard.dll APIs, and then move on to writing the OO wrapper. As mentioned in the previous post, the core of the Win32 smart card subsystem is WinSCard.dll, which exposes a number of APIs for smart card access and reader configuration.

The typical steps to access a smart card with the raw APIs are as follows:

  • Use SCardEstablishContext to obtain a context handle for the smart card resource manager (the handle is not tied to one reader). You need it because the other APIs take a context handle as a parameter, and SCardListReaders, called with it, gives you the names of the attached readers.
  • Then use SCardConnect with the context and a reader name to obtain hCard, a handle to the card in that reader. Just as above, you need this handle to communicate with the card; SCardConnect also reports which protocol (T=0 or T=1) was negotiated, which you must pass on to SCardTransmit.
  • You may then use SCardStatus with hCard to get the status of the card (and its ATR) before you actually start a transaction.
  • Use SCardTransmit to send a command APDU to the card and retrieve the response APDU in the same call. You need hCard here too, together with the protocol control information matching the active protocol, and you should check the two status-word bytes at the end of every response (90 00 means success) rather than assuming the command worked.
  • When you are done with the card, call SCardDisconnect with hCard. The call takes a disposition argument; resetting the card rather than leaving it clears any PIN-verified state so it cannot be reused by the next application that connects. After that, hCard is no longer valid and you must call SCardConnect again to get a new handle if you want to reconnect.
  • Finally, when you no longer need the resource manager, call SCardReleaseContext to release the context handle.

That is fine as long as you're writing a small application, but as your business logic grows so do the calls and references to the WinSCard APIs, and this is really not advisable even for a medium-sized project going beyond 3000 LOC.

Moreover it is solely up to the programmer to put the data into the format the WinSCard APIs dictate. It was a lot of trial and error the first time I wrote an application in this way. Sooner or later you find that you're not writing good code if you follow this approach. Compare it to the object-oriented approach, in which you have a number of classes, like those in the diagram below, that encapsulate one or more smart card objects.

The CPSCSCReader class encapsulates a reader object, which is responsible for managing reader connections, keeping the card status updated internally and sending/receiving data to/from the card. There are a few helper classes too, such as CPCSCCommand, which encapsulates an APDU (Application Protocol Data Unit), and CRegListDlg, which lets you select a reader from those connected to your machine. You can skim through the code for these classes or run the demo application to see them in action.
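The SCardTransmit step above and the CPCSCCommand class that wraps an APDU both depend on the caller getting the APDU framing and the status-word handling right, because WinSCard hands you raw bytes and nothing more. The following is an added example written for this page, not code from the onsmartcards.com library: it builds short ISO 7816-4 command APDUs, splits responses into data and SW1/SW2, and drives the two status words that turn one logical command into several SCardTransmit calls (61xx: fetch the rest with GET RESPONSE; 6Cxx: resend with the Le the card wants). The transmit callback's shape, the fake card and its AID are assumptions made for the example; to run it against a real card, supply a callback that calls SCardTransmit with your hCard and the protocol PCI.

```c
/* ISO 7816-4 short-APDU helpers and the 61xx / 6Cxx completion logic that a
 * caller of SCardTransmit must implement itself. Added example, not the
 * onsmartcards.com library; transmit_fn is an assumed callback shape and
 * fake_card is a constructed stand-in for a real card. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_MAX 258   /* 256 data bytes + SW1 SW2 */
typedef struct { const uint8_t *data; size_t len; uint8_t sw1, sw2; } resp_t;
typedef int (*transmit_fn)(void *ctx, const uint8_t *cmd, size_t cmd_len,
                           uint8_t *resp, size_t *resp_len);   /* SCardTransmit minus handles/PCI */

/* Build a short command APDU: lc = data length (0..255), le = the Le byte
 * (0x00 asks for up to 256 bytes) or -1 for none. Returns length, 0 on error. */
size_t apdu_build(uint8_t *out, size_t cap, uint8_t cla, uint8_t ins, uint8_t p1,
                  uint8_t p2, const uint8_t *data, size_t lc, int le)
{
    size_t n = 4 + (lc ? 1 + lc : 0) + (le >= 0 ? 1 : 0);
    if (lc > 255 || le > 255 || n > cap || (lc && !data)) return 0;
    out[0] = cla; out[1] = ins; out[2] = p1; out[3] = p2;
    if (lc) { out[4] = (uint8_t)lc; memcpy(out + 5, data, lc); }
    if (le >= 0) out[n - 1] = (uint8_t)le;
    return n;
}

/* Split a raw response into data + status word; under 2 bytes is garbage. */
int resp_parse(const uint8_t *raw, size_t raw_len, resp_t *r)
{
    if (raw_len < 2) return -1;
    r->data = raw; r->len = raw_len - 2; r->sw1 = raw[raw_len - 2]; r->sw2 = raw[raw_len - 1];
    return 0;
}

/* Explain the status words a caller most often has to act on. */
const char *sw_describe(uint8_t sw1, uint8_t sw2, char *buf, size_t cap)
{
    unsigned s1 = sw1, s2 = sw2;
    if (s1 == 0x90 && s2 == 0x00) snprintf(buf, cap, "OK");
    else if (s1 == 0x61) snprintf(buf, cap, "%u more bytes, send GET RESPONSE", s2);
    else if (s1 == 0x6C) snprintf(buf, cap, "wrong Le, resend with Le=%u", s2);
    else if (s1 == 0x63 && (s2 & 0xF0) == 0xC0) snprintf(buf, cap, "verification failed, %u tries left", s2 & 0x0F);
    else if (s1 == 0x69 && s2 == 0x82) snprintf(buf, cap, "security status not satisfied");
    else snprintf(buf, cap, "error SW=%02X%02X", s1, s2);
    return buf;
}

/* Send cmd and complete it: on 6Cxx patch Le (in place) and resend, on 61xx
 * chase the data with GET RESPONSE. Data accumulates in acc, bounded by
 * acc_cap, so the card's lengths are never trusted; the rounds are bounded too. */
int apdu_exchange(transmit_fn tx, void *ctx, uint8_t *cmd, size_t cmd_len,
                  uint8_t *acc, size_t acc_cap, resp_t *r)
{
    uint8_t raw[RESP_MAX], get_resp[5] = { 0x00, 0xC0, 0x00, 0x00, 0x00 };
    size_t acc_len = 0;
    for (int round = 0; round < 8; round++) {
        size_t raw_len = sizeof raw;
        resp_t part;
        if (tx(ctx, cmd, cmd_len, raw, &raw_len) != 0 || raw_len > sizeof raw) return -1;
        if (resp_parse(raw, raw_len, &part) != 0) return -1;
        if (part.sw1 == 0x6C) {                 /* only valid for a command that carries Le */
            if (cmd_len < 5) return -1;
            cmd[cmd_len - 1] = part.sw2; continue;
        }
        if (part.len > acc_cap - acc_len) return -1;
        memcpy(acc + acc_len, part.data, part.len);
        acc_len += part.len;
        if (part.sw1 == 0x61) { get_resp[4] = part.sw2; cmd = get_resp; cmd_len = sizeof get_resp; continue; }
        r->data = acc; r->len = acc_len; r->sw1 = part.sw1; r->sw2 = part.sw2;
        return 0;
    }
    return -1;
}

/* Constructed fake card (not a real card): SELECT answers 61 04 and the FCI is
 * fetched by GET RESPONSE; READ BINARY insists on Le=3 via 6C 03. */
int fake_card(void *ctx, const uint8_t *cmd, size_t cmd_len, uint8_t *resp, size_t *resp_len)
{
    static const uint8_t fci[]  = { 0x6F, 0x02, 0x84, 0x00, 0x90, 0x00 };
    static const uint8_t file[] = { 0xDE, 0xAD, 0x01, 0x90, 0x00 };
    (void)ctx; if (cmd_len < 4 || *resp_len < 6) return -1;
    if (cmd[1] == 0xA4)                                     { resp[0] = 0x61; resp[1] = 0x04; *resp_len = 2; }
    else if (cmd[1] == 0xC0 && cmd_len == 5 && cmd[4] == 4) { memcpy(resp, fci, 6);  *resp_len = 6; }
    else if (cmd[1] == 0xB0 && cmd_len == 5 && cmd[4] == 3) { memcpy(resp, file, 5); *resp_len = 5; }
    else if (cmd[1] == 0xB0)                                { resp[0] = 0x6C; resp[1] = 0x03; *resp_len = 2; }
    else                                                    { resp[0] = 0x6D; resp[1] = 0x00; *resp_len = 2; }
    return 0;
}

/* Worked run: SELECT by a constructed AID, then READ BINARY with a wrong Le.
 * Returns 0 when both exchanges end in 90 00 with the expected data. */
int demo_select_and_read(void)
{
    static const uint8_t aid[] = { 0xA0, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03 };   /* constructed AID */
    uint8_t cmd[261], acc[RESP_MAX];
    resp_t r; char msg[64];
    size_t n = apdu_build(cmd, sizeof cmd, 0x00, 0xA4, 0x04, 0x00, aid, sizeof aid, 0x00);
    if (!n || apdu_exchange(fake_card, NULL, cmd, n, acc, sizeof acc, &r)) return -1;
    printf("SELECT: %zu data bytes, %s\n", r.len, sw_describe(r.sw1, r.sw2, msg, sizeof msg));
    if (r.sw1 != 0x90 || r.len != 4) return -2;
    n = apdu_build(cmd, sizeof cmd, 0x00, 0xB0, 0x00, 0x00, NULL, 0, 0x01);   /* Le deliberately wrong */
    if (!n || apdu_exchange(fake_card, NULL, cmd, n, acc, sizeof acc, &r)) return -3;
    printf("READ BINARY: %zu data bytes, %s\n", r.len, sw_describe(r.sw1, r.sw2, msg, sizeof msg));
    return (r.sw1 == 0x90 && r.len == 3 && acc[0] == 0xDE) ? 0 : -4;
}

int main(void) { return demo_select_and_read() == 0 ? 0 : 1; }
```

The bounded accumulation buffer and the round limit in apdu_exchange are the point to carry into a wrapper class: the card (or a reader pretending to be one) controls every length and status word the host sees, so the host must cap what it copies and how long it keeps chasing 61xx before giving up.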

until next blog,
– Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

November 1, 2006 Posted by | Uncategorized

The PC/SC Specification – What and What about???

The objective behind these components was to provide a standard model for interfacing smart card readers and cards with computers. This eased the development of smart card enabled applications by providing device-independent APIs for accessing and manipulating smart cards, familiar development tools such as Visual Studio, and easy integration with all Windows platforms.

Beyond these conveniences for developers, it also made smart card solutions more economical to develop and deploy by:

• Enforcing interoperability among cards and readers from different manufacturers
• Insulating applications from differences between current and future implementations
• Avoiding application obsolescence due to underlying hardware changes

These components were developed in accordance with the specification released by the PC/SC Workgroup, of which Microsoft is a member. The PC/SC specifications build on the ISO 7816 standards for smart cards and are compatible with both the EMV (Europay, MasterCard, Visa) and GSM (Global System for Mobile Communications) specifications.
As expected, this gained broad industry support. These were only the initial steps towards standardizing and synchronizing the PC smart card interface, and they set guidelines for both smart card manufacturers and application developers.

The PC/SC specification continues to grow toward becoming an independent standard with its v2 release.

-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

October 31, 2006 Posted by | Uncategorized

Microsoft’s Smart Card Strategy

A smart card is essentially a simple plastic card, like a credit card, with an embedded computer chip that can store information and perform cryptographic operations to secure access to that data.
These cards have many consumer and industrial uses because they can store data and, more importantly, act on that data. Smart cards were first adopted in Europe and quickly gained popularity after their introduction.
It appeared this market would never take off in the United States, but the new security wave that took shape soon after the release of Microsoft Windows 95 gave the smart card and embedded industries a new direction.
In the mid-90s Microsoft Corporation endorsed development in the field of smart cards. The smart card industry looked to be the next big thing, and today it is! Let's take a look at the events and developments in this smart stream, both as a technology-savvy developer and as a naive user. Did you know that the SIM in your mobile phone is a smart card?
As part of its smart card strategy, Microsoft announced the Smart Card Base Components for Windows 95, for integrating smart cards with personal computers, in the last quarter of 1996. These components were also provided as a separate install on the Windows 98 CD-ROM, and Windows 2000 ships with them in the box.
These components include a set of DLLs and COM servers that expose either raw APIs for accessing smart cards attached to a PC or a high-level interface to them. SCardSvr.exe, the smart card resource manager, runs as a service on Windows 2000. On Windows 2000 and later versions of the OS, these components support public key services such as smart card logon.
That's for today,
read up more in the next post!
-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

October 30, 2006 Posted by | Uncategorized

Writing a Smart Card Library

In the next few posts we are going to develop a smart card library that eases the development of smart card applications with the Win32 SDK and/or MFC.

This assumes that you are familiar with Win32 and MFC. The library builds on the smart card support available in Windows by providing an object-oriented wrapper over the WinSCard API. One advantage of using this library is its layered approach, which isolates the core APIs from non-Win32-conformant languages like

to access this library through JNI (Java Native Interface). If you have already developed applications using the APIs exposed by WinSCard.dll, you will be well aware of the complexities involved; this is an attempt to ease them.

You might like to download the code from the downloads page on http://www.onsmartcards.com before you read the rest of the article.

Microsoft has provided several enhancements for using PC/SC-conformant smart cards with the operating system releases made after Windows 2000. A COM wrapper and the Smart Card Base Components are provided as part of these enhancements.
The heart of this subsystem is WinSCard.dll, which exposes the raw APIs for managing and accessing PC/SC-compliant smart card readers. For a quick look at what it exposes, you can use Dependency Walker.

Below is a snapshot of the same.

Figure 1: The API exports of WinSCard.dll

There are around 60 exports from this DLL, covering most of the PC/SC specification. Here we will try to encapsulate some of the core APIs in an object-oriented wrapper that we can use to develop MFC applications that use smart cards.

until next blog,
– Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

October 30, 2006 Posted by | Uncategorized

A little background on Smart Cards

Smart cards might sound like an invention of the modern world, but they are not!

The smart card, a term coined by the French publicist Roy Bright in the 1980s, was invented in 1968 by two German engineers, Jürgen Dethloff and Helmut Gröttrup.

The inventors filed for a German patent in February 1969 and were finally granted patent DE 19 45 777 C3, titled "Identifikanden/Identifikationsschalter," in 1982.

An independent researcher, Kunitaka Arimura of the Arimura Technology Institute in Japan, filed for a smart card patent in Japan in March 1970. The next year, in May 1971, Paul Castrucci of IBM filed an American patent titled simply "Information Card", and on November 7, 1972, was issued U.S. Patent 3,702,464. Between 1974 and 1979 Roland Moréno, a French journalist, filed 47 smart card-related patent applications in 11 countries and founded the French company Innovatron to license this legal tour de force.

This may seem a misty description, but one thing is certain: these people found it an invention worth patenting when nobody expected it to find a viable market in the security arena.

But I have more to say on this,

Keep reading,

-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

October 27, 2006 Posted by | Uncategorized

Target applications of Smart Cards

Smart card applications, unlike most of the software applications we use in our daily chores, are typically deployed over a large network or across a community of which you are a part. In short, smart card applications target public systems.
This essentially means that smart cards are used in settings and situations where using a computer is not feasible and/or affordable; mobility is another factor.
Moreover, the smart card's computer must fit seamlessly into any existing system and be compatible with upcoming new systems. The idea is flexibility, ease of operation and mobility on top of the security smart cards provide.
Paying at a grocery store with electronic money on a smart card should in practice be very similar to paying in cash.
But there is more to it,
let's talk more later,
-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

October 27, 2006 Posted by | Uncategorized

Price Vs Ease – Smart Cards

Smart cards and memory cards usually cost between $1 and $20, depending on the size of the card's memory and the software functionality (the card operating system and other features) included.

Smart card software (burned into the chip's ROM or loaded afterwards) ranges, depending on the specific card, from a basic ROM (Read-Only Memory) based operating system with a decent file system, I/O communication, authorization, encryption and access-control primitives, to far more sophisticated on-board operating systems in advanced cards that support high-level languages (such as .NET languages, or even BASIC as in BasicCard) or traditional compiled and/or interpreted languages (such as C or Java) to add new applications and functions to the card even after it has been issued to the cardholder.

Smart cards are especially useful components of IT and IT-enabled systems that need to address the classic CIA triad (confidentiality, integrity and availability) together with authentication, personal privacy and mobility requirements.

Smart card programming is at its core characterized by its focus on two critical aspects:

  1. Data security, and
  2. Data integrity

Data security means that a given data value present on the card can be accessed only by the entities authorized to access it, and by no one else.

Data integrity, on the other hand, means that the information stored on the card cannot be modified by unauthorized entities or corrupted in any way in the normal course of use.

Did you find this post useful?

Do write back,

-The Editor (editor@onsmartcards.com)
http://www.onsmartcards.com/

October 27, 2006 Posted by | Uncategorized