
Smartcard Invasion Continues

April 1998 / Reseller

Security applications will be the spearhead for smartcards, with financial applications to follow.

Stephen Cobb

Think of smartcards as credit cards with brains. The same size as magnetic-stripe cards, their 8-bit processing power almost equals the first desktop computers (see the sidebar "Working Smart"). Analysts have tagged smartcards as one of the top 25 technologies of 1998. But how can this be if most Americans have never even seen one?

Deployment Maneuvers

To start, be aware that smartcards are widely used all over the world. They first appeared in 1974. The first smartcard trial took place in 1982, in France, and by 1993, French banks had issued 22 million of them. Today smartcards are common in Europe, with over 100 million pay-phone cards in France, 80 million health-insurance cards in Germany, and "electronic purse" cards in more than 20 countries (see the sidebar "Smartcards in Action").

Theories about why such applications have lagged in the U.S. probably outnumber successful American smartcard trials. It could be a case of leapfrog technology. By the time practical smartcards appeared, America's love affair with mag-stripe cards was already in full swing. In contrast, mag-stripe use in many European countries was not yet entrenched. Other explanations involve American attitudes toward public infrastructure, privacy concerns, and even religious opposition (from those who see smartcards as the "mark of the beast" -- at least one smartcard company executive has received death threats).

Secure Perimeter

But we still think that there's a smartcard in your future. Consider this: As a BYTE reader, you likely use computers that either contain, or access, valuable information -- and it's information-security applications that are leading the smartcard invasion. According to Chandra Shah, vice president of Litronic, a leading provider of smartcard-enabled security solutions, "Just as personnel ID badges have become commonplace in company and government offices throughout America, we expect smartcards to become practically universal for authenticating computer users." At the RSA Data Security Conference in January, Litronic was handing out photo ID/smartcards that double as both logical authentication and physical identification.

Security concerns are certainly nothing new, but these days they are magnified by the widespread use of a public and notoriously insecure data network: the Internet. Conditions are now ripe for smartcards to emerge as the answer to many concerns. Commercial public-key encryption is now widely available in toolkit and end-user formats from companies like RSA and Network Associates (which acquired PGP). Digital certificates, which enable commercially acceptable levels of assurance for secured transactions, are now available. The problem is: Digital keys residing on a computer are only as reliable as the access controls on that computer. Secure sessions authenticate the computer, not an individual.

The two most obvious solutions are: install strong access controls or remove the keys from the computer. Smartcards can do both. Public-key transactions at unsecured computers or open-access terminals can depend on inserting the certificate-bearing smartcard at the appropriate time. Cryptographic functions on the smartcard prevent any unauthorized access, or change, to data stored on it.

Alternatively, you can control access to a computer. If it requires inserting your smartcard and entering your PIN, there's a high probability that it's really you logging on. This is two-factor authentication ("something you have" plus "something you know"). Traditional username/password authentication is only single-factor ("something you know") authentication. If you require a biometric, such as a fingerprint scan to compare to a digital fingerprint on the smartcard, you add "something you are": three-factor authentication.
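The logon flow just described, modelled in Python as an added example (not code from the article or from any vendor named in it): the private key exists only inside the card object, the PIN is the second factor that gates its use and a retry counter blocks the card, and the host authenticates the user with a signed fresh challenge using nothing but the registered public key. The Schnorr-style signature over a constructed group (p = 2**127 - 1, base 3) is an assumption standing in for the card's real cryptographic functions.

```python
import hashlib
import hmac
import secrets
# Constructed toy group for a Schnorr-style signature: p is the Mersenne prime
# 2**127 - 1 and exponents are reduced mod p - 1. Illustration parameters only.
P = (1 << 127) - 1
G = 3
Q = P - 1

def _challenge_hash(r, challenge):
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + challenge).digest(), "big") % Q

class SmartCard:
    """Card-resident key pair: no method ever returns the private exponent."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin, private_key=None):
        self._x = private_key if private_key is not None else secrets.randbelow(Q - 1) + 1
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.tries_left = self.MAX_PIN_TRIES
        self._unlocked = False
        self.public_key = pow(G, self._x, P)  # y = g^x, the only key material that leaves

    def verify_pin(self, pin):
        """Second factor: a wrong PIN burns a retry; at zero the card is blocked."""
        if self.tries_left == 0:
            return False
        self._unlocked = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        self.tries_left = self.MAX_PIN_TRIES if self._unlocked else self.tries_left - 1
        return self._unlocked

    def sign(self, challenge):
        """Signs only while unlocked; the private exponent stays on the card."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        return r, (k + _challenge_hash(r, challenge) * self._x) % Q

def host_verify(public_key, challenge, sig):
    """Host-side check with only the registered public key: g^s == r * y^e (mod p)."""
    r, s = sig
    return pow(G, s, P) == (r * pow(public_key, _challenge_hash(r, challenge), P)) % P

def logon(card, pin, registered_public_key):
    # Two-factor logon: possession of the card plus knowledge of its PIN.
    if not card.verify_pin(pin):
        return False
    challenge = secrets.token_bytes(32)  # fresh nonce each logon, so a captured reply is useless later
    return host_verify(registered_public_key, challenge, card.sign(challenge))
```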

One strong indicator of smartcard growth in this area is that two leading suppliers of token-based authentication, Security Dynamics and DataKey, are now offering smartcards as alternatives to their proprietary tokens. The partnership between crypto-maker RSA and BIOS-maker Phoenix Technologies enhances the ability of smartcards to further lock down PC security. Through the jointly developed Preboot Crypto API, it will be possible to integrate smartcards into the PC's preboot, ROM-based routines.

Security Scenario

To see where smartcards fit into the information system security picture, look at the figure "Integration of Security Services". The figure includes applications for which people might encounter smartcard readers, such as e-mail encryption, file encryption, remote access authentication, Web site authentication, network log-in, and software access. Card readers, the size of a cigarette pack, are less than $100 and attach to serial, parallel, and keyboard ports. Smaller readers fit in PC Card slots on laptops or, using Fischer International's Smarty, in floppy disk drives. HP and Keytronic offer keyboards with integrated smartcard readers.

Suppose you are logging on to the corporate network from your smartcard-enabled office workstation. Instead of the usual dialog box, you insert your smartcard and enter your personal identification number (PIN). Next, you check your e-mail. Someone in the Rome office has sent you an encrypted message. Again, your smartcard and PIN decrypt it. At home you need to access the network from your laptop. Guess what? The RSA password you don't even know is on your smartcard. Insert it into the PC Card smartcard reader, enter your PIN, and you can make that connection, too. You work on the spreadsheet you have to present to a client. You store the file on your laptop, encrypted by keys stored on the smartcard, just in case someone steals your machine.

All this activity can use off-the-shelf applications, like Netscape Communicator, or applications modified with existing cryptographic APIs and available tool-kits. The security management center (SMC, on the left of the figure "Integration of Security Services") manages the activity, and the security officer's smartcard controls the SMC. None of this is a projection; all the pieces are in place.

Compelling Forces

To a security professional like David Brussin of Miora Systems Consulting (Los Angeles), this is good news. "Password-based protection of computing resources just doesn't cut it any more. Moving to digital IDs and tokens is just common sense, particularly if one token can support multiple services."

Of course, it may be a while before all applications support digital certificates and public-key encryption. A contractor developing intranet applications for the military, speaking on condition of anonymity, admitted that, "Our client will rely on passwords for remote access for some time, so hiding hard-to-crack passwords on smartcards lets us increase the effective security level without completely reengineering current systems."

While the cost of deploying smartcards (now about $7 just for the card) continues to decline as technology matures, it is still a resistance factor. However, in situations where security breaches obviously equate to losses, like insurance fraud, the return on investment can be substantial. Litronic's Shah cites an HMO that cut fraud losses dramatically as soon as it deployed smartcards containing a scan of the holder's fingerprint.

On the Home Front

But what about the American mass market? As BYTE's January article on smartcards indicated (see "The Smartcard Invasion"), financial institutions cite lack of infrastructure and merchant acceptance as hurdles to wide deployment. But developers should not take a wait-and-see attitude to smartcards. Don't underestimate the interest in smartcards of major players like Visa and MasterCard, for whom fraud is a costly motivator.

On the technology end, big names like IBM, Hewlett-Packard, Sun, and Oracle all have heavy commitments to smartcards. Now is definitely the time to acquaint yourself with this technology, if you haven't already. Some American companies are already competing successfully for the huge market outside the United States.

For developers, start with a toolkit, from companies such as Gemplus, Aladdin, IBM, Schlumberger, and Litronic. This is a big change from the past, when developers, even major system integrators, had a hard time getting the cooperation they needed from card manufacturers.

That led to the Independent Smartcard Developer Association, a nonvendor organization that emerged from the Cypherpunk group. Says coordinator Lucky Green (not his real name), "Many members are potential users of smartcard technology in their daytime jobs. But we found it challenging at best to get information from vendors." Not only are development toolkits highly vendor-specific, says Green, "one vendor in particular will not provide specifications for its cards unless you agree to use only their solutions."

Such attitudes are a red flag to cypherpunks like Green who test and advance security technology. The group has released a free software toolkit that will talk to any smartcard. Group members created a reader-independent abstraction layer and have pretty much finished a card-independent abstraction layer. The software, which is available at the group's Web site (go to http://www.cypherpunks.to), supports the more popular crypto-capable cards and, says Green, "makes it trivial to add support for additional cards."

Security is part of every smartcard application, whether it's a cyber-purse, a bus pass, or a network access control system. However, the smartcard invasion in the U.S. will be led by security-specific applications, from e-mail encryption on PCs to user authentication on network computers.


Where to Find

Aladdin Knowledge Systems
New York, NY
Phone: 800-223-4277
Phone: 212-564-5678
Internet: http://www.aks.com

DataKey
Burnsville, MN
Phone: 612-890-6850
Internet: http://www.datakey.com

Fischer International Systems
Naples, FL
Phone: 941-643-1500
Internet: http://www.fisc.com

Gemplus
Gémenos, France
Phone: +33 442 3656 54
Internet: http://www.gemplus.com

Hewlett-Packard
Palo Alto, CA
Phone: 800-752-0900
Phone: 650-857-1501
Internet: http://www.hp.com

IBM
Armonk, NY
Phone: 800-426-3333
Phone: 914-765-1900
Internet: http://www.ibm.com

Keytronic Corp.
Spokane, WA
Phone: 800-262-6006
Phone: 509-928-8000
Internet: http://www.keytronic.com

Litronic
Costa Mesa, CA
Phone: 714-545-6649
Internet: http://www.litronic.com

Network Associates
San Mateo, CA
Phone: 650-572-0430
Internet: http://www.pgp.com

Phoenix Technologies
San Jose, CA
Phone: 408-570-1000
Internet: http://www.phoenix.com

RSA
Redwood City, CA
Phone: 650-595-8782
Internet: http://www.rsa.com

Security Dynamics
Bedford, MA
Phone: 781-687-7000
Internet: http://www.securid.com

3-G International
Springfield, VA
Phone: 703-922-5090
Internet: http://www.3gi.com


Integration of Security Services

[Illustration] Smartcard security must integrate hardware, software, and services. (Example based on Litronic's SMC model.)


Chandra Shah

[Photo] "We expect smartcards to become practically universal for authenticating computer users." -- Chandra Shah, Vice President, Litronic


Stephen Cobb is the author of numerous computer books and is also a Certified Information Systems Security Professional. You can reach him at stephen@iu.net.
