Smartcard Smarts

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

[An "Executive Security Briefing" originally published at searchSecurity.com.]

The smartcard is not a "magic bullet," not a universal "security fix," nor is it a new technology. Roland Moreno invented and developed the first smartcard in 1974. Yet, most of us still have very little experience with their use. Should you consider smartcard use? If so, how should you deploy them? To answer these questions, we need to know what smartcards are, and how we might use them.

A smartcard is a credit card-sized piece of plastic. It may even be a credit card. Most credit cards-and driver's licenses, and ATM cards, and all kinds of identification cards-have a magnetic stripe storing some information about the user. (How do you think the waiter knows your full name to print on the receipt?) What makes a smartcard different from any old piece of plastic and from magnetic stripe cards is the embedded microchip on the card.

This microchip can be a microprocessor or simply a memory chip. While not making the card any "smarter" than any other piece of plastic, the memory chip does increase the card's utility. Smartcards have the potential to replace many different cards in your wallet. One card could be used for identification, an ATM card, a telephone calling card, a transit pass, and a place to carry "digital cash. Government agencies are using them to streamline procurement. Universities are using them as student "id" cards, with using the cards as a meal plan card, library card, and university credit union debit card. A microprocessor card contains a small computer, as the name implies, complete with I/O port, storage, and operating system. Our discussion will concentrate on smartcard use for security purposes, rather than commerce.

 

Smartcard Access Control and ID

One potential "big win" is using smartcards for access control and other user/employee identification. We know that there are three basic ways to identify individuals: something a person knows (such as a password), something a person has (perhaps a proximity pass card), and something a person is (an identification card with a photo). Combining two or three of these can increase security. A password plus a thumb scan, a photo id and a cipher lock code, or a badge plus a retinal scan all offer better security than any one of these alone. Smartcards can be used to implement one, two, or three of these.

Your company might use badges to help control access to and within a building. Flash the photo on the badge to the guard or receptionist, slide the card through the reader, enter your access code, and you're in. Add a card stripe reader on a PC, and the card also becomes a network authentication token. Go up to any computer with a reader, swipe the card, enter your password, and authenticate to the network with something you have and something you know. One can do all of this with a simpler "not-so-smart," magnetic stripe card.

You would use a smartcard to add the following:

If your company already has, or is deploying, a PKI using smartcards allows employees to carry around their digital certificates and private keys on the card. Not tied to a particular computer anymore, the user can slide the smartcard into a reader, and 1) identify themselves to the network, 2) access data encrypted for the users, and 3) digitally sign documents, anywhere there is a reader.

 

Speed-bumps and Next Steps

They've been around for years, and they are useful. Why aren't most of you using smartcards? Part of it may be cultural. Though I don't claim to know why, smart credit cards and bankcards are more common in Europe than in the US. In Atlanta, during the 1996 Summer Olympic Games, smartcards were distributed, usable at telephones and local merchants. Viewed as a novelty, use did not take off.

And, obviously, smartcards require smartcard readers. They are not expensive, but neither are they ubiquitous. They are not standard equipment on PCs, because there is no demand. There is no demand because people have no use for them. So, what should you do?

If you are implementing a PKI, consider using smartcards to store user credentials (instead of storing them on PCs). If you are considering a large purchase, you may find smartcard companies willing to part with a few for a pilot program. You can get smartcard readers built into keyboards, handheld readers with keypads, readers that are can be plugged into floppy drives and USB ports, and even readers for PalmOS™ devices. A good place to start is searching on searchSecurity.com for "smartcards." Look for a vendor who will provide a reader, cards, writer, and demo software. Even if you are not using smartcards today, someday it will be the smart thing to do.