Smart card smarts
By Fred Avolio
The smart card is not a magic bullet, not a universal security fix,
nor is it a new technology. Roland Moreno invented and developed the
first smart card in 1974. Yet, most of us still have very little
experience with their use. Should you consider smart card use for
your organization? If so, how should you deploy smart cards? To
answer these questions, we need to know what smart cards are and how
we might use them.
A smart card is a credit card-sized piece of plastic. It may even be
a credit card. Most credit cards, driver's licenses, ATM cards and
other kinds of identification cards have a magnetic stripe storing
some information about the user. What makes a smart card different
from any old piece of plastic and from magnetic-stripe cards is an
embedded microchip. This microchip can be a microprocessor or simply
a memory chip. While
not making the card any "smarter" than any other piece of plastic,
the memory chip does increase the card's utility. Smart cards have
the potential to replace many different cards in your wallet. One
card could be used for identification, an ATM card, a telephone
calling card, a transit pass and a place to carry "digital cash."
Government agencies are using them to streamline procurement.
Universities are using them as student ID cards for meal plans,
library permissions and a university credit union debit card. A
microprocessor card contains a small computer, as the name implies,
complete with I/O port, storage and operating system.
Smart card access control and ID
One potential big win is using smart cards for access control and
other user/employee identification. We know that there are three
basic ways to identify individuals: something a person knows (such as
a password), something a person has (perhaps a proximity pass card)
and something a person is (an identification card with a photo).
Combining two or three of these can increase security. A password
plus a thumb scan, a photo ID and a cipher lock code or a badge plus
a retinal scan, all offer better security than any one of these
alone. Smart cards can be used to implement one, two or three of
these.
Your company might use badges to help control access to and within a
building. Flash the photo on the badge to the guard or receptionist,
slide the card through the reader, enter your access code, and you're
in. Add a card-stripe reader on a PC, and the card also becomes a
network authentication token. Go up to any computer with a reader,
swipe the card, enter your password, and authenticate to the network
with something you have and something you know. This all can be done
with a simpler "not-so-smart," magnetic stripe card.
You would use a smart card to add the following:
* The processor on the card can require a PIN entry before allowing
access to the cryptography-protected memory for reading or writing.
* Information can be processed on the card, rather than having to be
transmitted to another computer. Sensitive information (access codes,
etc.) never needs to leave the card's processor.
* A typical magnetic stripe has low capacity, 140 bytes or so, while
smart cards can store 50-80 times more. And cards that use optical
storage can hold almost 5M bytes.
If your company already has, or is deploying, a public key
infrastructure, using smart cards allows employees to carry around
their digital certificates and private keys on the card. Not tied to
a particular computer anymore, the user can slide the smart card into
a reader and 1) identify themselves to the network, 2) access data
encrypted for them and 3) digitally sign documents, anywhere there is
a reader.
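As an added illustration (not code from the column), here is a small Python model of the two properties described above: the key never leaves the card, and every key operation is gated by a PIN with a retry counter, so the card alone (something you have) is useless without the PIN (something you know). It uses an HMAC challenge-response as a stand-in for the on-card private-key signature; the PIN, key and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Model of a microprocessor card. The key is held only inside this
    object and is never returned to the host; only MACs leave the card."""

    MAX_TRIES = 3  # wrong PIN attempts before the card blocks itself

    def __init__(self, pin: str, key: bytes):
        self._pin = pin            # constructed sample PIN
        self._key = key            # constructed sample key, stays on card
        self._tries_left = self.MAX_TRIES
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False           # card is blocked, even for the right PIN
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left = self.MAX_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge: bytes) -> bytes:
        """Compute the response on-card; the key itself is never exposed."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Host:
    """Network side. Holds the card's key only because HMAC is symmetric;
    with real public-key signatures it would hold just the certificate."""

    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, card: SmartCard, pin: str) -> bool:
        challenge = secrets.token_bytes(16)   # fresh nonce defeats replay
        if not card.verify_pin(pin):
            return False
        try:
            response = card.sign_challenge(challenge)
        except PermissionError:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)
```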
Speed-bumps and next steps
They've been around for years, and they are useful. Why aren't most
of you using smart cards? Part of it may be cultural. Though I don't
claim to know why, smart credit cards and bankcards are more common
in Europe than in the U.S. During the 1996 Summer Olympic Games in
Atlanta, smart cards were distributed, for use at telephones and
local merchants. Viewed as a novelty, they did not take off.
And, obviously, smart cards require smart card readers. They are not
expensive, but neither are they ubiquitous. They are not standard
equipment on PCs, because there is no demand. There is no demand
because people have no use for them. So, what should you do?
If you are implementing a PKI, consider using smart cards to store
user credentials (instead of storing them on PCs). If you are
considering a large purchase, you may find smart card companies
willing to part with a few for a pilot program. You can get smart
card readers built into keyboards, handheld readers with keypads,
readers that can be plugged into floppy drives and USB ports and even
readers for PalmOS devices. A good place to start is searching on
searchSecurity for "smart cards." Look for a vendor who will provide
a reader, cards, writer and demo software. Even if you are not using
smart cards today, someday it will be the smart thing to do.
About the author:
Fred Avolio is the president and founder of Avolio Consulting, Inc.,
a Maryland-based corporation specializing in computer and network
security and dedicated to improving the state of corporate and
Internet security through education and testing.