AT88SC153 is a new card model launched by ATMEL following AT88SC1608. It inherits all the advantages of AT88SC1608, with only changes in storage capacity and the number of partitions, and can basically be understood as a low-capacity version of AT88SC1608.
The AT88SC153 encryption card has a clock frequency of 1MHz and supports page write mode (8 bytes/page). If accessed in page write mode, the access time is 10ms (maximum)/page; the operating voltage ranges from 2.7V to 5.5V; the number of write/erase cycles is 100,000; data retention period is 100 years; operating temperature ranges from 0℃ to 70℃; the communication protocol complies with the ISO/IEC 7816-3 synchronous protocol.
Like AT88SC1608, the AT88SC153 encryption card features outstanding high security performance. In addition to encryption logic, it also has high-security authentication, anti-interception tracking technology, 64-bit mutual authentication, an authentication error counter, and an error count of 8 times.
The AT88SC153 has 1 64-byte configuration area and 3 64-byte application partitions. The 3 partitions can be freely merged, controlled by read passwords and write passwords (4 sets of passwords, 3 bytes each), with an error count of 4/8 times.
The AT88SC153 has a total storage capacity of 2048 bits (256 bytes), of which the first 1536 bits (192 bytes) are the application area, and the latter 512 bits (64 bytes) are the configuration area.
Storage Structure: (Byte addresses are in hexadecimal)
Storage Partition ＄0 ＄1 ＄2 ＄3 ＄4 ＄5 ＄6 ＄7 Address
Application Partition 0 (User0) 64 bytes ＄00
Application Partition 1 (User1) 64 bytes ＄80
Application Partition 2 (User2) 64 bytes ＄40
Configuration Area 64 bytes ＄C0
The storage structure of the configuration area is as follows: (Byte addresses are in hexadecimal)
　＄0 ＄1 ＄2 ＄3 ＄4 ＄5 ＄6 ＄7 Address
Manufacturer Information Answer To Reset (ATR) Historical Code (HC) ＄00
Manufacturer Code (FZ) Card Manufacturer Code (CMC) AR0 AR1 AR2 MTZ ＄08
Identification Area Issue Number (IC) ＄10
DCR Identification Code (Nc) ＄18
AAC Cryptogram (Ci) ＄20
Secret Key Secret Key (Gc) ＄28
Password Area PAC Write Password 0 (WP0) PAC Read Password 0 (RP0) ＄30
PAC Write Password 1 (WP1/SC) PAC Read Password 1 (RP1) ＄38
Note: Which set of passwords to use for each partition and whether authentication is required are determined by the access rights AR0-AR2.
In checksum authentication mode, address ＄20 can also be used as the Checksum Authentication Register (CAR).
ATR: Answer To Reset, defined by ATMEL, non-rewritable.
HC: Historical Code, defined by ATMEL, non-rewritable.
FZ: Manufacturer Code, defined by ATMEL, non-rewritable.
CMC: Card Manufacturer Code, defined by the card factory, non-rewritable.
AR0-2: Access rights. Defined before personalization. (For detailed usage, refer to Access Rights)
MTZ: Used to test the read/write performance of the card. Can be tested under any conditions.
IC: Issue Number. Defined before personalization.
DCR: Device Configuration Register.
Nc: Identification Code, usually used as the unique identifier of the card—card number. Defined before personalization.
Ci: Cryptogram. A random number can be written before personalization, used for card authentication, and automatically rewritten during each authentication.
Gc: Secret Key, a 64-bit confidential seed derived from Nc through the F1 formula, written into the card before personalization.
It is inaccessible after personalization and used as a parameter for the card's F2 formula during authentication. (For detailed usage, refer to the Authentication Protocol)
AAC: Authentication Error Counter. The initial value is 8, but decreases by 2 for each verification failure, so there are 4 consecutive verification failure opportunities, which can be extended to 8 times (see DCR configuration method). It is also used as part of Ci.
Note that modifying AAC will affect the Ci value for the next authentication.
CAR: Checksum Authentication Register. Only valid after successful authentication. Each write operation activates the checksum mode and automatically writes the checksum of the write or continuous writes into CAR.
At this time, the checksum can be read to confirm whether the write operation is completed. Any read operation will terminate the checksum mode.
WP0, WP1, RP0, RP1: 2 sets of read/write password sets. Each partition can point to a unique password set or the same password set, so that multiple partitions can be accessed by verifying only one set of passwords, merging multiple partitions into a single large partition.
By default, WP1 and RP1 are the read/write passwords. Write Password 1 (WP1) also serves as the Session Key (SC). In addition, if it is necessary to modify the read/write passwords, the write password of the same password set must be verified.
SC: Session Key. The initial value is defined by ATMEL, different for each card factory. It can be modified and is used until personalization; other passwords are used after personalization.
PAC: Partition Password Error Counter. The initial value is 8, but decreases by 2 for each verification failure, so there are 4 consecutive verification failure opportunities. It can be extended to 8 times. (See DCR configuration method)

Fuse Flag (FUSE)
The fuse flag is located at address ＄40 of the configuration area, with the following storage structure: (Addresses are in hexadecimal)
Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Address
0 0 0 0 PER CMA FAB ＄40
Note: FAB, CMA, and PER are the three-level fuse protection flags of the AT88SC153's EEPROM; "0" indicates fused. When all fuse flags are "1", all storage spaces are readable. Each fuse operation is irreversible.
FAB: Fuse flag set by ATMEL when the chip leaves the factory.
CMA: Fuse flag set by the card factory when the card leaves the factory.
PER: Fuse flag set during personalization before the application system starts.

Before delivering the AT88SC153 card for use, the following operations should be completed for the information in the card:
● ATMEL writes the manufacturer information (excluding the card manufacturer code, access rights, and test area) and the Session Key (SC), writes all other storage spaces as "1", and performs the FAB fuse operation to set FAB＝0.
● The card factory writes its own card manufacturer code and performs the CMA fuse operation to set CMA＝0.
● The system integrator initializes the card (or the card is initialized by the system before issuance) and then performs the PER fuse operation to set PER＝0.
Access Rights
Access Rights Table Before and After Fuse Blowing:
Area Access FAB＝0 CMA＝0 Per＝0
Manufacturer Information (excluding CMC, AR, MTZ) Read Allowed Allowed Allowed
Write Prohibited Prohibited Prohibited
Card Manufacturer Code Read Allowed Allowed Allowed
Write Session Key (SC) Prohibited Prohibited
Access Rights Read Allowed Allowed Allowed
Write Session Key (SC) Session Key (SC) Prohibited
Test Area Read Allowed Allowed Allowed
Write Allowed Allowed Allowed
Identification Area Read Allowed Allowed Allowed
Write Session Key (SC) Session Key (SC) Prohibited
Secret Key Read Session Key (SC) Session Key (SC) Prohibited
Write Session Key (SC) Session Key (SC) Prohibited
Password Read Session Key (SC) Session Key (SC) Write Password (WP)
Write Session Key (SC) Session Key (SC) Write Password (WP)
PAC (Counter) Read Allowed Allowed Allowed
Write Session Key (SC) Session Key (SC) Write Password (WP)
Application Area Read Access Rights (AR) Access Rights (AR) Access Rights (AR)
Write Access Rights (AR) Access Rights (AR) Access Rights (AR)
Storage Structure of Access Rights AR0－AR2: (Enabled is "0", default is "1")
bit7 bit6 bit5 bit4 bit3 bit2 bit1 bit0
WPE RPE ATE AOW PWS WLM MDF PGO
WPE: Write Password Enable Flag. When the value is 0, a write password must be provided for write operations on the corresponding application partition. After personalization, verifying the write password also determines whether the read and write passwords can be changed.
RPE: Read Password Enable Flag. When the value is 0, the read password or write password must be provided to read an application partition. If the password verification fails, the fuse status bit is returned.
ATE: Authentication Enable Flag. When the value is 0, authentication must be passed to operate the current application partition.
AOW: Authentication Required Only for Write Flag. Authentication is only required for write operations, not for read operations. If ATE＝0, AOW is ignored.
PWS: Specifies which set of password sets to use for the current application partition. Each partition can point to a unique password set or the same password set, so that multiple partitions can be accessed by verifying only one set of passwords, merging multiple partitions into a single large partition.
WLM: Write Lock Mode Enable. Each 8-byte block of a partition is a page. If WLM＝0, each bit of the first byte (byte0) of each page serves as the write lock flag for the 8 bytes of that page; 0 indicates write-locked (i.e., can only be written from "1" to "0", not from "0" back to "1"), and 1 indicates unlocked.
MDF: Modification Prohibition Flag. When the value is 0, the current application partition is write-protected, and the content of the write-protected area must be written before personalization.
PGO: Write-Only Flag. If 0, each bit of the current application partition can only be written from "1" to "0", not from "0" back to "1".
Device Configuration Register (DCR)
The Device Configuration Register is located at address ＄18 of the configuration area, with the following storage structure: (Enabled is "0", default is "1")
bit7 bit6 bit5 bit4 bit3 bit2 bit1 bit0
SME UCR UAT ETA CS3 CS2 CS1 CS0
CS0－CS3: Programmable Chip Select. Written as ＄B (i.e., 1011) by ATMEL at the factory. It is the high 4 bits of all command words for accessing the card.
ETA: 8-Count Enable. When ETA＝0, the count times of AAC and PAC can be set to 8; otherwise, it is 4.
UAT: Authentication Error Count Unchecked Flag. When UAT＝0, AAC is unchecked; otherwise, AAC is checked.
UCR: Unlimited Read Checksum Count Flag. When UCR＝1, the checksum mode can be read only once per authentication (default); when UCR＝0, there is no count limit.
SME: Super Management Mode. When SME＝0, all read/write passwords and password error counters can be read and written by verifying the write password (WP).
Authentication Protocol
Generate random numbers Nc (often used as the card number) and Ci, calculate Gc=F1 (Ks, Nc), and write Nc, Ci, and Gc into the card.
Card Nc Gc Ci Authentication Protocol Reader Ks Q0 (Random Number)
Identification Code: Nc Ci Ci+1=F2(Gc, Ci, Q0); if (Ci+1==Q1) Ci+2＝F2(Gc, Ci+1); Ci=Ci+2; // Modify Ci Authentication Successful; else Ci＝Ci; Authentication Failed; Ci --------------------＞ (Using Read Command) ＜-------------------- (Initialization Authentication Command) ＜-------------------- (Verification Authentication Command) --------------------＞ (Read Command) Gc=F1(Ks, Nc); Q0 Q1＝F2(Gc, Ci, Q0); Q1 Q2＝F2(Gc, Q1); if (Q2＝Ci) Authentication Successful; else Authentication Failed;
F1 Algorithm: 64-bit user-defined algorithm.
F2 Algorithm: 64-bit in-card algorithm (a variant of the DES algorithm, with C language and 51 assembly language programs provided)
This protocol includes mutual authentication between the card and the reader's CPU (ELVA patent), and the authentication data is transmitted in encrypted form to prevent communication data from being stolen.