Republished with permission of WatchGuard Technologies . Originally published December 14, 2001.

WatchGuard


Things to Come: 
Waiting for Smart Cards

by Fred Avolio , President, Avolio Consulting, Inc .

What makes smart cards think they're so smart? Well, they're not really "smart," just … well … fancy. And just as a gerbil seems smart if compared with, say, a typewriter, a smart card is smart only in relation   to a plastic credit card with a magnetic stripe. But smart or not, these cards might have a place in your network security arsenal. Let me explain what they are, what makes them so smart, how we can use them for security -- and the odd reason why most of us aren't, yet.

Not-So-Smart Cards

Most of us have at least one magnetic stripe card we carry around. It might be a credit card, bank card (ATM card), or a driver's license. The magnetic stripe stores information; typically, your name, plus a small amount of other data (about 140 bytes). For example, you can purchase a telephone "cash card" preloaded with a cash value -- usually the amount you paid for it. So, a $10.00 card starts with a value of $10.00, then value is subtracted from the card each time you use it for a call. It's neat and even useful. But, it is not really smart.

Smarter cards

Modern smart cards are the shape and size of a credit card. They can even have a magnetic stripe on the back like a credit card. But what makes them different (and potentially clever, if not actually smart), is the embedded microchip.

What can we do with a microchip? Well, if it's a memory chip, we can store things on it. Except, instead of the 140 bytes of data stored on a magnetic stripe, the chip could hold 5 kilobytes to 5 megabytes of data, (over 4600 times more than a mag stripe). If the chip is a microprocessor, we can use it to run programs. Smart cards also have input/output (I/O) ports. Now we're talking! If we have a processor, memory, and input and output channels, and a way for those things to communicate, we have the makings of a computer the size of a credit card. Now, things get interesting.

Smart cards are already used in many places, by many organizations. My daughter's university in Florida embeds a microchip in the student identification card, enabling it to be used as a library card, ATM card, telephone calling card, and a meal plan card. True, you can do some of this with a magnetic stripe card. But due to the 140-byte limitation, you can't do all of them. With a smart card, you can.

The American Express Blue card is a smart card. American Express recently co-sponsored with Sun Microsystems a "Code Blue" contest which, according to an American Express press release, "challenged Java developers from around the world to create innovative, new smart card applications for potential use on the credit card Blue…" Yes, a smart card can run Java™. It is a computer.

Security uses

So, we have this little computer. What can we do with it to enhance security? One common use is for identification. As I said in " Biometrics: Coming of Age ," in security, we talk of three ways to establish identity:   

  1. Something a person has. Possession of a physical item, such as a token, card, or key.
  2. Something a person knows. Possession of information, such as a password, passphrase or a combination to a safe or briefcase.
  3. Something a person is . Possession of a physical attribute, such as a particular face or voice or fingerprint. This is the aspect of security known as "biometrics."

Smart cards support strong user authentication for physical security. Company badges can be smart cards. Long ago, most companies replaced uniform laminated badges with badges having the "user's" photo. Something you have (the badge) and something you are (your face, matching the photo) are required when accessing company property. Add to that a password, or PIN (personal identification number), that is a secret known only to you and stored on the card, and you have something you know. Then all three elements of strong authentication are covered.

You might be thinking, "Fred, you don't need a smart card to do that. A magnetic stripe card works just fine." This is true. But wait! There's more.

Let's use that same smart card not only for physical identification and access, but also for network access control. We can use the smart card to store our digital certificate, containing our public key, as well as our private key to be used in public key cryptography. (If you don't follow what I mean, read " Foundations: Cryptography 101 .")  The user can sit down at a computer. When asked to log in to the network, after entering her user name, the user can slip her smart card into a reader. The authentication software will access the card and ask the user for her passphrase to access her private key, stored securely encrypted on the card. The passphrase is used with the cryptographic processor on the card, to decrypt the private key. The access software then sends a string of random data encrypted with the user's public key to the card. The card, applying the private key, decrypts the random data, again using the on-board crypto processor. The decrypted data is sent back to the system, proving the identity of the user using public key cryptography.

This method uses two of the three elements of strong security: something she has (her private key) and something she knows (the passphrase to access the private key). Note an important feature of this example. At no time was an unknown crypto engine used; we only used the processor on the card. At no time was the private key stored in memory on some possibly compromised computer; the unencrypted private key was used from the volatile memory of the card. Quite nice.

What's the holdup?

I have it on good authority (in other words, I read it on the Internet) that Roland Moreno (who I had hoped was Italian, but he's French) invented the first smart card in 1974. That's over a quarter of a century ago. So why aren't smart cards commonplace today? After all, they've been around for a hundred years (in Internet-time). The software and smart card readers exist and are not too expensive. Compaq has serial- and USB-based units for around $25 USD. Some keyboards for sale have built-in smart card readers; a quick Internet search shows keyboards with integrated readers for $70 USD. Acer (www.acer.com) released the first notebook PC with integrated smart card reader. So why aren't smart cards everywhere?

I think it is nothing more than a "chicken and egg" problem. People are not demanding them or using them. Consequently, smart card readers are not standard equipment, nor do PCs come with software to use them.

Who will blink first?

Next steps

You can blink first. Or, more accurately, you can ask for solutions that support smart card use. Even though they are not free, they are cheap. You can at least find vendors who will sell a smart card reader, writer, smart cards, and developer kits. Using your favorite search engine on the key words in the previous sentence should get you good results. Try out smart card technology. Play with it. Certainly, if you already are using public key cryptography, think about using smart cards. From my perspective, it seems like it could be … well, a smart move.

Resources

The Smart Card Alliance is a not-for-profit, multi-industry association working to accelerate the widespread acceptance of multiple application smart card technology.

Smart cards used to reduce digital video piracy

Pentagon issues "smart" ID cards to four million troops

McDonalds test-markets smart card jointly with Mobil Gas

 

 

Copyright© 2001, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.