In-Depth

Putting Next-Generation Smart Cards to Work

Two trends are driving the growth of digital signatures for sign-off and revisions of digital documents

Last April, British Telecom (BT) rolled out 25,000 smart cards—mostly keychain tokens—to allow mobile employees to authenticate to the corporate network. Soon BT expects to have over 65,000 employees using the technology.

BT was already using smart card technology—SecurIDs from RSA. This rollout, however, began replacing those with ActivCard authentication devices and ActivCard AAA Server to manage them. ActivCard Corp., based in Fremont, Calif., is a global provider of strong authentication and trusted digital identity products.

Why the switch? The short answer is advances in smart card technology are enabling organizations to more efficiently manage their smart cards, and at reduced cost. While this is driving organizations to adopt or readopt the technology for employees and expand how they use it, it’s also driving other groups—industry associations and consumer-focused businesses—to explore how smart cards can help them maintain better overall security.

At BT, the goal of using smart cards is simple: to give employees “access to their network from a remote location, either from home or from a customer site,” or else from headquarters, says Marc Hudavert, ActivCard’s general manager for Europe. While BT initially wants the tokens “for secure remote access and single sign-on,” he says, its ultimate goal is “to develop what we call an enterprise access card, which is a software suite that allows the deployment of a combination card that includes both physical and logical security.”

Smart cards, of course, allow organizations to use two-factor authentication: “something you have (a card) and something you know (your PIN number),” he says. “All our different form factors rely on the same user experience: something you have and something you know.” ActivCard also develops the software needed to manage those cards’ credentials and their PINs. Some users even go up to three-factor authentication by adding biometric technology to the cards.

Most of the authentication devices BT uses will be keychain tokens, though ActivCard offers a number of options. They include “a hardware token, and a software token on the PC—including a software, over-the-air token” for mobile phones. Other options include authentication via mobile phone, a smart card in a USB-token form factor, as well as an offline reader so the card can be used in PCs or from hotel or airport kiosks.

One reason BT adopted the new technology was to lower its user-authentication costs. ActivCard works with BT’s existing RADIUS server for remote user authentication, which should result in “significant cost savings on user account management,” says Ashok Patel, the strategy manager for Internet and distributed technology at BT.

Beyond the total cost of ownership (TCO) and form-factor considerations, BT also wanted easier management. “Our solution allows one point of management for all of their employees, and also all of their customers,” says Hudavert. “This is pretty important for consistency, security, as well as TCO.”

Spanish Engineers Sign Digital Documents

Another smart-card user is Spain’s Colegio de Ingenieros de Caminos, Canales, y Puertos (CICCP), the official civil engineering organization of certified engineers working in Spain. Over 20,000 engineers are affiliated with CICCP, many working on public works. “We’re a non-profit organization with members dispersed across a large geographic area, and using a diversity of computing platforms,” says Emilio Marin, the chief technology officer of CICCP.

CICCP, however, is a newcomer to smart cards. What it wanted was a digital way for engineers to be able to approve work documents for Spain’s public-works project, regardless of what platform the engineer was using. With approximately 20 million plan reviews made annually, any move from a paper-based to a digital process would save time and money and would be easier to archive.

About a year ago, CICCP rolled out ActivCard to let engineers digitally sign documents. “Deploying ActivCard Gold has been one of our best business decisions for streamlining our public works plan approval process,” says Marin.

“It’s all about moving from a blueprint infrastructure—hardcopy—to an electronic copy infrastructure with these digital certificates and smart cards,” says ActivCard’s Hudavert. In the past, a bridge-building project might have required 12 iterations of a blueprint, at $10,000 per blueprint, and each of the 8,000 pages of the project plan would have to be signed by a CICCP-certified engineer. By contrast, the organization is now using ActivCard technology, in conjunction with PDF documents and an X.509 standard digital signature embedded in the PDF. The entire project file is then compressed and can fit onto a DVD. During the project’s development, different people can also sign off on different versions of the same page, with all of the versions and sign-offs maintained.

Smart Cards Tackle Phishing

Beyond corporate and government rollouts, smart cards are also gaining in the consumer realm, especially in the banking arena, for combating phishing attacks.

Of course, for banking there’s an obvious financial incentive. According to Gartner Inc., 57 million people in the U.S. have been hit with phishing attacks, stiffing banks for $1.2 billion.

How can smart cards help prevent that? Simply put, they add another layer of security—a credit card or bank number isn’t enough; users also have to enter the related smart-card information. “Basically the issue with phishing is authenticating both the individual and the server. We have technology that is implementable, and it’s something we’re pitching to banks,” says Hudavert. Given the extent of the problem today, “they’re eager to do something, but at the same time without jeopardizing their current services—that’s the only challenge they have.”

So far about 3.5 million online banking customers are using ActivCard’s technology, through such banks as Zagrebačka Banka, PKOBP, Banque Sarasin, and HypoBank. In related news, recently U.S. Bancorp announced it plans to make VeriSign hardware tokens available, though initially just to its more than 10,000 corporate-banking customers.

Revamping banks’ card infrastructure will take time. Some countries are already ahead of the game, including Scandinavia and parts of the former Eastern Bloc, because they already have bank cards that require PIN numbers to work. Speaking about these countries, “interestingly enough, they don’t have such phishing issues,” says Hudavert.

Initiatives in Europe and Asia should help create an environment able to better arrest phishers. For example, while many European countries already have smart cards for their bank, debit, and credit cards, they’re standardizing on the EMV (EuroCard, MasterCard, Visa) specification for smart cards, issuing new cards and upgrading point-of-sale terminals. This year, the majority of cards in use in Europe, South Africa, and Latin America should be EMV-compatible. Next up is Asia, with the United States being a notable exception on the EMV front for now.

Banks in the U.S. should make up the gap by 2007, however, with Gartner predicting that by that time at least 60 percent of banks will rely on more than just passwords to authenticate customers.

Related Articles

Smart Cards Gear Up for Biometrics
http://www.esj.com/news/article.aspx?EditorialsID=1135

AOL’s Two-factor Authentication
http://esj.com/enterprise/article.aspx?EditorialsID=1156

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
