Things to Come:
Waiting for Smart Cards
, President, Avolio Consulting, Inc
What makes smart cards think they're so smart? Well, they're not
really "smart," just … well … fancy. And just as a gerbil seems smart if
compared with, say, a typewriter, a smart card is smart only in relation
to a plastic credit card with a magnetic stripe. But smart
or not, these cards might have a place in your network security arsenal.
Let me explain what they are, what makes them so smart, how we can use them
for security -- and the odd reason why most of us aren't, yet.
Most of us have at least one magnetic stripe card we carry around.
It might be a credit card, bank card (ATM card), or a driver's license.
The magnetic stripe stores information; typically, your name, plus a small
amount of other data (about 140 bytes). For example, you can purchase a telephone
"cash card" preloaded with a cash value -- usually the amount you paid for
it. So, a $10.00 card starts with a value of $10.00, then value is subtracted
from the card each time you use it for a call. It's neat and even useful.
But, it is not really smart.
Modern smart cards are the shape and size of a credit card. They
can even have a magnetic stripe on the back like a credit card. But what
makes them different (and potentially clever, if not actually
smart), is the embedded microchip.
What can we do with a microchip? Well, if it's a memory chip, we
can store things on it. Except, instead of the 140 bytes of data stored
on a magnetic stripe, the chip could hold 5 kilobytes to 5 megabytes of data,
(over 4600 times more than a mag stripe). If the chip is a microprocessor,
we can use it to run programs. Smart cards also have input/output (I/O)
ports. Now we're talking! If we have a processor, memory, and input and
output channels, and a way for those things to communicate, we have the makings
of a computer the size of a credit card. Now, things get interesting.
Smart cards are already used in many places, by many organizations.
My daughter's university in Florida embeds a microchip in the student identification
card, enabling it to be used as a library card, ATM card, telephone calling
card, and a meal plan card. True, you can do some of this with a magnetic
stripe card. But due to the 140-byte limitation, you can't do all of them.
With a smart card, you can.
The American Express Blue card is a smart card. American Express
recently co-sponsored with Sun Microsystems a "Code Blue" contest which,
according to an American Express press release, "challenged Java developers
from around the world to create innovative, new smart card applications for
potential use on the credit card Blue…" Yes, a smart card can run Java™.
It is a computer.
So, we have this little computer. What can we do with it to enhance
security? One common use is for identification. As I said in "
Biometrics: Coming of Age
," in security, we talk of three ways to establish identity:
- Something a person has.
Possession of a physical item, such as a token, card, or key.
- Something a person knows. Possession of information, such
as a password, passphrase or a combination to a safe or briefcase.
- Something a person is
. Possession of a physical attribute, such as a particular face or voice
or fingerprint. This is the aspect of security known as "biometrics."
Smart cards support strong user authentication for physical security.
Company badges can be smart cards. Long ago, most companies replaced uniform
laminated badges with badges having the "user's" photo. Something you
have (the badge) and something you
are (your face, matching the photo) are required when accessing
company property. Add to that a password, or PIN (personal identification
number), that is a secret known only to you and stored on the card, and
you have something you know. Then all three elements of strong authentication
You might be thinking, "Fred, you don't need a smart card to do that.
A magnetic stripe card works just fine." This is true. But wait! There's more.
Let's use that same smart card not only for physical identification
and access, but also for network access control. We can use the smart card
to store our digital certificate, containing our public key, as well as
our private key to be used in public key cryptography. (If you don't follow
what I mean, read "
Foundations: Cryptography 101
.") The user can sit down
at a computer. When asked to log in to the network, after entering her user
name, the user can slip her smart card into a reader. The authentication
software will access the card and ask the user for her passphrase to access
her private key, stored securely encrypted on the card. The passphrase is
used with the cryptographic processor on the card, to decrypt the private
key. The access software then sends a string of random data encrypted with
the user's public key to the card. The card, applying the private key, decrypts
the random data, again using the on-board crypto processor. The decrypted
data is sent back to the system, proving the identity of the user using public
This method uses two of the three elements of strong security: something
she has (her private key) and
something she knows
(the passphrase to access the private key). Note an important
feature of this example. At no time was an unknown crypto engine used; we
only used the processor on the card. At no time was the private key stored
in memory on some possibly compromised computer; the unencrypted private
key was used from the volatile memory of the card. Quite nice.
What's the holdup?
I have it on good authority (in other words, I read it on the Internet)
that Roland Moreno (who I had hoped was Italian, but he's French) invented
the first smart card in 1974. That's over a quarter of a century ago. So
why aren't smart cards commonplace today? After all, they've been around
for a hundred years (in Internet-time). The software and smart card readers
exist and are not too expensive. Compaq has serial- and USB-based units for
around $25 USD. Some keyboards for sale have built-in smart card readers;
a quick Internet search shows keyboards with integrated readers for $70 USD.
Acer (www.acer.com) released the first notebook PC with integrated smart card
reader. So why aren't smart cards everywhere?
I think it is nothing more than a "chicken and egg" problem. People
are not demanding them or using them. Consequently, smart card readers are
not standard equipment, nor do PCs come with software to use them.
Who will blink first?
You can blink first. Or, more accurately, you can ask for solutions
that support smart card use. Even though they are not
free, they are cheap.
You can at least find vendors who will sell a smart card reader, writer,
smart cards, and developer kits. Using your favorite search engine on the
key words in the previous sentence should get you good results. Try out smart
card technology. Play with it. Certainly, if you already are using public
key cryptography, think about using smart cards. From my perspective, it
seems like it could be … well, a smart move.
Smart Card Alliance
is a not-for-profit, multi-industry association working to accelerate
the widespread acceptance of multiple application smart card technology.
Smart cards used to reduce digital video piracy
Pentagon issues "smart" ID cards to four million troops
McDonalds test-markets smart card jointly with Mobil Gas
Copyright© 2001, WatchGuard Technologies, Inc.
All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are
trademarks or registered trademarks of WatchGuard Technologies, Inc. in
the United States and other countries.