In-Depth

Smart Cards Gear Up For Biometrics

Smart cards, currently a favorite of governments and large corporations, are getting more powerful, incorporating Java and USB technologies.

• By Mathew Schwartz
• 09/29/2004

The short answer is no. While every security manager might wish a smart card—and two-factor authentication—upon their constituency, experts say the cards are the provenance of larger organizations and the government.

Today, 87 percent of the smart card market—a percentage practically unchanged since 2001—revolves around the SIM chips in mobile phones, plus improved credit and debit cards, notes Forrester analyst Andrew Bartels in a recent research brief, “Who’s Who in Smart Card Technology in 2004.” In fact, “such potential smart card deployments as Internet and corporate IDs (using digital certificates), loyalty cards, local transit cards, and government or government healthcare ID cards have been slow to take off,” he notes.

Employee ID cards are the provenance of the U.S. government, and “a small number of large multinationals,” he says. Still, this is a formidable market, and as it grows, standards may make it easier for other companies to invest in the cards and integrate, out of the box, with business partners’ smart card infrastructures.

To discuss smart card use, especially by large organizations and the U.S. government, Security Strategies spoke with James Prohaska, the vice president of business development for SSP-Litronic, which recently released jForté, a smart card that uses Sun’s Java Card technology. SSP’s clients include U.S. government agencies, Microsoft, VeriSign, Lockheed Martin, and Bank of America.

Who’s leading the corporate and government smart card push?

The U.S. has really led that because of what’s going on in terms of the government.

You mean with the DoD’s Common Access Card?

That’s where a lot of [initiative] came from, because part of that credential—as part of the DoD program—was to convey a PKI certificate, which then not only allowed you to go into commissaries but also allowed the various members of the [armed forces] to be sure they can sign and encrypt e-mail and … you can protect yourself going into protected government sites.

This established a real requirement that had tied to it, from the government’s perspective, a real return on investment. Now they could go, with the Government Paperwork Reduction Act [in mind], … and say when we’re providing information to citizens, or providing information on a practical or tactical level, digitally, [thanks to the card].

So the smart card trends are really being driven by the government, because yes, smart cards are important. But if you don’t have an infrastructure to support it … it doesn’t matter that you’re carrying your credentials around.

Why offer smart cards with Java on them?

Until recently, everybody … had their own smart card, and because it actually had a processor on it, it had its own operating system (OS) … [So] you had five or six different cards, and each is interfaced to ubiquitously, and that … becomes a problem as you expand the infrastructure.

So … under the auspices of Sun and some university studies, [a group] came out with a virtual card or OS, something like the Java-based technology.

This is “Java Card” technology?

Yes … There’s Java on your system, then the actual technology on your smart cards is called Java Card. The neat thing about that is … if you have those applets—little programs that are Java Card based—and if you load those onto a standard platform, all you’re doing now is interfacing to that application, instead of having to interface to everyone’s OS. So … it really helps protect everyone’s investment in the smart card industry.

Would these smart cards with Java also function across government agencies?

That is correct … as long as they adhere to both standards. The government has actually come out with the GSC-IS (the Government Smart Card-Interoperability Specification) to make sure that not only do the cards interoperate, but the programs are written correctly.

How effective is the GSC-IS standard?

As is often the case, you’ll always find some exception somewhere. As far as me saying this is great, we’re all going to jump over the rainbow, some bug could always rear its ugly head … but we’re getting there.

How much variety is there in features for cards implementing the GSC-IS standard?

Well, for example, [SSP’s] NetSign Enterprise works with anyone else’s cards, and works with a whole plethora of other applications. But one of the things we started seeing from a government, as well as a corporate world with [high-value] assets—like financial organizations—was they wanted to be able to go to a higher level of assurance, with the type of credentials they were using, and the smart cards that they were putting those credentials on.

Why are larger organizations and government agencies pushing for improved credentials?

The higher the value of the data, the more [your attackers] are willing to invest to get that data. So what we’ve been doing is, in conjunction with people in the federal government, and also some companies that have some very highly valued electronic assets, is we developed what we call our J-Forté card. To quote Emeril Lagasse, we sort of take it up a notch … [with] everything from random-number generation, to the way the information is protected in the cards, to not only data, but data pointers, being properly obfuscated, to the way there are the appropriate fiscal protections on the smart card. It also has a significantly higher degree of processing as well. Eight- or 16-bit processors are standard, and we use a 32-bit RISC processor.

[Also] not only do we have the ability to communicate via the ISO specification, which is a serial interface, you also have the ability to interface with our card via USB, and the important thing is it’s not USB to serial to the terminal, it’s USB to terminal. You can actually communicate to the card at about 12 megabits per second, which is a whole lot faster. So now you not only have the strength of the background processes … but you also have a method of performance where you not only have a way to contain the credentials, but also a way to use them.

What’s an example of how the processor and USB speed increase will help?

Let’s say you’re storing a lot of biometric information on your card … You can [add storage, and also] store more information on the card, so you’d be able to communicate faster. The other thing is you have various cryptographic functions which are very memory intensive, and rather than having to take your key, transfer it to the client PC, and let the PC do all its decryption [in an unencrypted space]… all that is now taken care of on the smart card itself.

We heard from [customers] that they wanted to make sure they had more performance and a higher degree of process integrity. They also wanted to have the expandability, and … use it with all different types of applets. Also it [needed to be compatible] with government and industry-standard credential-issuing services. As people start going to biometrics, the higher performance is going to become more and more important.

How does the card invoke biometric passwords?

Built into the functions of the card, the application can, say, go and ask for a PIN, or go and ask for a biometric.

If these cards use Java, can they be updated?

Unlike almost any other card out there … after you’ve issued it, we have the necessary processes [to] update various algorithms and processes securely in the field, so you don’t have to reissue the smart card, or throw it away, or what have you. That’s been very well received.

What’s the potential market for a higher-assurance smart card?

Some of the places we’re focusing on are the areas that are looking for a higher-assurance token and a higher-assurance infrastructure, such as the Department of Homeland Security, the DoD, plus transportation, and law enforcement. I can tell you that [our technology is] being looked at not only by law enforcement community, but also by DoD at various levels.

Related Articles:

Digital Certificates Get Pentagon, Regulatory Boost
http://esj.com/enterprise/article.aspx?EditorialsID=1111

Digital Certificates Secure Web Services, Mobile Communications
http://www.esj.com/security/article.asp?EditorialsID=1079

Case Study: UCI Cinema Adopts SSL VPN for Anytime, Anywhere Access
http://www.esj.com/security/article.asp?EditorialsID=1068