Secure access module

Last updated June 24, 2024

A Secure Access Module (SAM), also known as a Secure Application Module, is a piece of cryptographic hardware typically used by smart card card readers to perform mutual key authentication.^[1]^[2]^[3] SAMs can be used to manage access in a variety of contexts, such as public transport fare collection and point of sale devices.

Formats

Removable SAM: This form factor resembles a standard Subscriber Identification Module (SIM) card. It plugs into a dedicated SAM slot within the smart card reader.

Embedded SAM: This form factor integrates the SAM functionality directly onto the printed circuit board (PCB) of the reader system. The SAM component is typically housed within a secure enclosure soldered onto the PCB.

Components

A typical smart card reader system generally consists of the following key components:

Microcontroller (MCU): This acts as the central processing unit (CPU) of the reader system. It manages various tasks such as protocol handling, data flow control, and data interpretation.
Reader Integrated Circuit (Reader IC): This specialized chip facilitates communication between the SAM and the contactless smart card using radio frequency (RF) interface protocols.

Integration and functionality

By integrating a SAM into the reader system, the security functionalities are centralized and offloaded from the MCU. The SAM assumes responsibility for:^[4]

Key Management: Secure storage and management of cryptographic keys, including master keys and application keys derived from them.
Cryptography: Performing various cryptographic operations such as encryption, decryption, and digital signing to ensure data confidentiality and integrity.
Mutual Authentication: Facilitating a two-way authentication process between the smart card and the reader system to verify the legitimacy of both parties before allowing any communication to proceed.

Secure Messaging: Enabling secure communication between the SAM and the host system by encrypting and authenticating data packets.^[5]

SAM in a HVQFN housing Hvqfn housing.JPG — SAM in a HVQFN housing

SAMs can be deployed in any of the following applications:^[6]^[2]^[7]^[8]

Generate application keys based on master keys
Store and secure master keys
Perform cryptographic functions with smart cards
Use as a secure encryption device
Perform mutual authentication
Generate session keys
Perform secure messaging

Related Research Articles

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

A smart card (SC), chip card, or integrated circuit card, is a card used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.

In cryptography and computer security, a man-in-the-middle (MITM) attack, or on-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two user parties.

A personal identification number (PIN), or sometimes redundantly a PIN number or PIN code, is a numeric passcode used in the process of authenticating a user accessing a system.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

There are a number of standards related to cryptography. Standard algorithms and protocols provide a focus for study; standards for popular applications attract a large amount of cryptanalysis.

MIFARE is a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards.

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

Authentication and Key Agreement (AKA) is a security protocol used in 3G networks. AKA is also used for one-time password generation mechanism for digest access authentication. AKA is a challenge–response based mechanism that uses symmetric cryptography.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

A contactless smart card is a contactless credential whose dimensions are credit card size. Its embedded integrated circuits can store data and communicate with a terminal via NFC. Commonplace uses include transit tickets, bank cards and passports.

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

The Universal Mobile Telecommunications System (UMTS) is one of the new ‘third generation’ 3G mobile cellular communication systems. UMTS builds on the success of the ‘second generation’ GSM system. One of the factors in the success of GSM has been its security features. New services introduced in UMTS require new security features to protect them. In addition, certain real and perceived shortcomings of GSM security need to be addressed in UMTS.

In cryptography, the OpenPGP card is an ISO/IEC 7816-4, -8 compatible smart card that is integrated with many OpenPGP functions. Using this smart card, various cryptographic tasks can be performed. It allows secure storage of secret key material; all versions of the protocol state, "Private keys and passwords cannot be read from the card with any command or function." However, new key pairs may be loaded onto the card at any time, overwriting the existing ones.

Automated teller machines (ATMs) are targets for fraud, robberies and other security breaches. In the past, the main purpose of ATMs was to deliver cash in the form of banknotes, and to debit a corresponding bank account. However, ATMs are becoming more complicated and they now serve numerous functions, thus becoming a high priority target for robbers and hackers.

Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in network security, and hardware security modules (HSMs) used in automated teller machines (ATMs) and Internet security. The company was founded by Egyptian engineer Mohamed M. Atalla in 1972. Atalla HSMs are the payment card industry's de facto standard, protecting 250 million card transactions daily as of 2013, and securing the majority of the world's ATM transactions as of 2014.

References

↑ Al-Khouri, Ali M. (2013). Critical Insights from a Practitioner Mindset. Chartridge Books Oxford. p. 243. ISBN 978-1-909287-59-4.
1 2 "Fare Collection Systems - Secure application modules". www.ssatp.org. Retrieved 2024-05-02.
↑ "What is a Secure Access Module (SAM)?". community.infineon.com. 2023-12-05. Retrieved 2024-05-02.
↑ Bragdon, Clifford (2011-08-19). Transportation Security. Butterworth-Heinemann. ISBN 978-0-08-088730-2.
↑ "ACOS6-SAM". acs.com.hk. Retrieved 2024-05-02.
↑ "ACOS6-SAM Secure Access Module Card". acs.com.hk. Retrieved 2024-05-02.
↑ "Secure Access Module. Sims Direct". simsdirect. Retrieved 2024-05-02.
↑ WO2019210427A1,Ouellet, Sylvain,"Secure access control",issued 2019-11-07

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Al-Khouri, Ali M. (2013). Critical Insights from a Practitioner Mindset. Chartridge Books Oxford. p. 243. ISBN 978-1-909287-59-4.

[:0-2] 1 2 "Fare Collection Systems - Secure application modules". www.ssatp.org. Retrieved 2024-05-02.

[3] "What is a Secure Access Module (SAM)?". community.infineon.com. 2023-12-05. Retrieved 2024-05-02.

[4] Bragdon, Clifford (2011-08-19). Transportation Security. Butterworth-Heinemann. ISBN 978-0-08-088730-2.

[5] "ACOS6-SAM". acs.com.hk. Retrieved 2024-05-02.

[6] "ACOS6-SAM Secure Access Module Card". acs.com.hk. Retrieved 2024-05-02.

[7] "Secure Access Module. Sims Direct". simsdirect. Retrieved 2024-05-02.

[8] WO2019210427A1,Ouellet, Sylvain,"Secure access control",issued 2019-11-07

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]