First e-Passport, First Multi-application e-ID in the World
Since its establishment, MCS Microsystems have been developing smart card operating systems for ID card and e-passport projects. Using strictly microprocessor-based cards, some with PKI crypto-coprocessor, our products have been deployed in the first e-passport project and the first multi-application national ID card project in the world, both projects of the Malaysian government.
Our device knowledge ranged from 8051 through ARM, ROM- and Flash-based microcontrollers, with contact (ISO 7816) and contactless (ISO 14443) interfaces, and various cryptographic processors, including DES, AES, RSA, ECC, and SHA.
Multi-application Operating System (MOS)
Founded on the latest IC technologies and our vision of the future of trusted IDs, MOS is the unequivocal smart card solution to address the convergence of the secure document, payment card, ticketing and mobile domains. It has been be ported to contact, contactless and dual-interface devices with large Flash memory and PKI functionality. MOS represents a new generation of true multi-application smart card operating systems.
- MOS features File Manager based on the ISO/IEC 7816-4 standard which is mandated by global standards and specifications for travel documents, driving licenses and national ID cards. The File Manager implements the standard file system and data structures, security architecture and environments, secure messaging, command set and life cycle management.
- MOS actualises a GlobalPlatform Card Manager, the industry standard for provisioning and managing multiple applications on smart cards, terminals and mobile devices.
- MOS supports user authentication through fingerprint biometric verification performed by the card itself. The card holder’s fingerprint templates are stored within the card and the live template is sent to the card for matching and to gain access to protected files.
- Functionalities of MOS and its applications are executed entirely on the native IC platform without a virtual machine, something unique amongst multi-application COS.
- In the early lifecycle state, the Early Lifecycle Manager allows card manufacturers to customise the MOS product according to the target project and application.
Common Criteria EAL 4+
In 2019, MOS has been certified to the Common Criteria security standard according to the Machine Readable Travel Document (MRTD) with Extended Access Control (EAC) and Password-Authenticated Connection Establishment (PACE) protection profile (PP) at evaluation assurance level 4 augmented (EAL 4+).
Small Machine Operating System (SMOS)
MCS Small Machine Operating System (SMOS) is a multi-application operating system with a built-in virtual machine and dual card managers – GlobalPlatform and proprietary. The same application can be installed on different IC platforms, securely executed within active firewalls and protected with the latest countermeasures against timing, fault injection, logical and side-channel attacks.
Common Criteria IT Security Certification
In 2012, a version of our operating system – SMOSCC – achieved Common Criteria (CC) Evaluation Assurance Level (EAL) 4+ security certification. The certification was a confirmation of the secured implementation of our product by an independent authority and it validated our team’s strict development practice.
Our competencies extend to the PC and firmware domains where development tools were created to complement the SMOS products:
- Assembler - Command line tool that converts Small Machine assembly language code to Small Machine bytecode.
- Debugger - Emulates the Small Machine virtual machine and executes card applets. Features assembly view, step function, breakpoints and resource windows.
- Virtual smart card reader – Software driver that creates a virtual PC/SC interface between application software and SMOS emulation. This facilitates COS and applet validation process against test or production software.
- Integrated development environment (IDE) - Software development environment that combines assembly language editor, assembler, debugger and script player functions. Features include project management, code auto-complete, test logs, etc.
- APDU script player - Executes APDU command scripts for testing purpose. Features include cryptography, branch and reporting functions. Interfaces with Windows PC/SC and proprietary smart card readers.
- Certificate generator - Generates certificates to load and delete card applets dynamically, and retire cards. Certificates are derived from issuer keys and are applicable to a specific card or card scheme.
- Applet Loader - Easily loads applets onto or deletes them from SMOS cards, or retires SMOS cards.
Unlike other conventional smart cards, our next-generation COS allows the cardholder to decide which applications go into his smart card, similar to how mobile devices and digital wallets work. The cardholder shall own the card, literally, in every aspect. In partnership with application providers, an opt-in business model provides savvy cardholders with the means to install essential card applications for convenience, back-up, replacement and other purposes that we would not have thought of, or introduce new ones for added services.
To achieve this, we believe our next-generation COS needs to be an open system, yet secured. It will apply the relevant standards, such as GlobalPlatform for administrative and application management; JavaCard virtual machine to execute third-party applications; native applications which comply with specifications by EMVCo, ICAO, ISO/IEC, FIPS, etc. with smaller memory footprint and faster performance; and ISO/IEC 7816 contact interface, ISO/IEC 14443 contactless interface and ISO/IEC 18092 near-field communication to serve as many use-cases as possible.
Cardholders will be assured of the product’s security by virtue of certification by independent authorities, like the Common Criteria, EMVCo, PCI-DSS, FIPS 186 and others of the future.