Studying up on smart cards
Nov 1, 2000 12:00 PM
Provider shows versatility of multiple uses
Over the next 18 months, the use of password security by computer users will decline from 90 percent to 50 percent, says Merzad Madavi, vice president of information security and electronic commerce for Schlumberger North America, Austin, Tex.
These folks will not be giving up on computer or logical security; they will be implementing better security solutions. One solution that will attract new users is smart cards. According to Madavi, the use of logical security solutions in the form of smart cards will increase from less than 5 percent to 30 percent of computer users.
For some companies currently employing magnetic stripe or proximity card access control for doors and offices, adding smart card access control to company computer networks could create great inconveniences. Employees would have to begin carrying two cards - one more card that might be lost or forgotten. Security managers would have to manage two card-production and replacement systems, multiple PINs, and so on.
By way of demonstrating a solution to these problems, Schlumberger, an international smart card security system provider, recently retrofitted its facilities with physical access control readers that are activated by the same smart card used to access the company's computer network.
The Schlumberger smart card demonstration project spans seven campuses in five locations around the world, including installations in Austin and Montrouge, France, near Paris.
Schlumberger chose smart card readers using the Wiegand protocol manufactured by GiroVend Ltd., Buckinghamshire, England, to handle the job. The company has retrofitted approximately 100 doors across its worldwide network of campuses.
According to Madavi, the change-over was quick and easy. "All we had to do was replace our existing proximity card readers," he says. "The new readers required an extra power wire, but we had a wire for that in our existing conduit. We used the same field panel cabling, the same field panels, and the same door alarms."
The change-out also would have worked the same if the original readers had been magnetic stripe, Madavi says. Costs for smart card readers vary, but Madavi says prices are generally competitive with proximity card readers.
"The only thing you need to be careful about are the connections required by the reader," Madavi cautions. "Shop around and make sure you get a reader that will fit your cabling scheme."
The existing back-end of the Schlumberger system also continues to function with the same software. The Austin campus, for example, stayed online with a system from Identicard Systems Inc., Lancaster, Pa., and the Paris campus continued to use a system provided by WSE, Fremont, Calif.
The big difference in the system is convenience. The 400 Schlumberger employees in Austin, for example, now carry a single Schlumberger Easyflex Corporate dual interface smart card. Previously, they carried both a smart card for computer access and a proximity card for building access.
The single card controls physical access to buildings and offices, and logical access to computers, servers, and networks. In addition, the smart card will enable access to virtual private network (VPN) systems used for business-to-business communications and transactions conducted at remote but secured Websites.
The contactless Easyflex Corporate interface communicates on the 13.56 MHz carrier frequency according to the ISO 14443 Type A standard and the Mifare protocol. Operations require fewer than 100 milliseconds at a distance of up to 4 inches (10 centimeters) from the reader.
Easyflex Corporate also works with Microsoft and Netscape Internet software, multiple keys and certificates, and Windows 2000.
What makes a smart card smart? "A smart card is a secure, moveable platform the same size and shape as a credit card," Madavi says. "It is like a PC in that it has RAM, ROM, application memory, and a CPU. But all of this is on a small chip made for security. You can't hack into it. You must have a PIN or biometric identifier to get the card to recognize you and do its job."
It does cost more to make a smart card. Each form of security - physical and logical - requires its own chip. According to Madavi, cards purchased in a quantity of 10,000 would cost about $5 each to provide access control and $8 to $9 to include a chip for logical security.
Because of the higher cost for two-chip cards, security directors interested in smart cards must develop a migration plan. Smart cards can accommodate magnetic stripes, so it might make sense to buy smart cards for logical access needs, but continue to use the mag-stripes and existing readers for access control. When smart card physical security becomes a priority, the readers can be changed out. Companies that began the process with a single-chip card for logical security would also have to allocate funds to purchase the more expensive two-chip cards.
Credentials and smart cards
Smart cards also change the traditional badging process. In the Schlumberger demonstration project, the company set up inexpensive badging stations supplied by DataCard Corp., Minnetonka, Minn. The badging system includes a digital camera, printer, and PC. Schlumberger added its own smart card management system to the badging system, which operates on the company computer network.
The DataCard system imprints photos directly onto the smart cards like a conventional system, while saving the digital image in a database.
"Our smart card management system then places an employee's digital certificate on the smart card's logical chip and in the files of a digital authority company," Madavi says. "A security officer with registration authority would do this while badging an employee. Gaining registration authority is a process similar to becoming a notary public.
"Next, the card generates private keys, one for signing documents and another for decoding encrypted data. The encryption key gets backed up on the network."
A third key, the public key, encrypts files sent across the network or Internet. Only the designated recipient can open those files, using the private decoding key on his or her smart card. Finally, the employee privately records a PIN on the card and in the system.
Once the credentials are created, employees can use the card to access building and office readers as well as the company computer network. In addition, employees can sign documents, such as purchase orders, with an electronic signature that carries the force of law.
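The enrollment steps just described, modeled as an added example (not Schlumberger's or the article's own code): two key pairs are generated on the card, only the decryption key is written out for the network backup, and the signing key never leaves the card, so a key restored from backup can decrypt but cannot sign. Go, RSA and the 2048-bit key size are assumptions of the example, not details from the article.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)
// CardCredentials models the two private keys the enrollment step puts on the card.
type CardCredentials struct {
	signing    *rsa.PrivateKey // never leaves the card, so signatures stay non-repudiable
	decryption *rsa.PrivateKey // also backed up on the network, so encrypted data survives a lost card
}
// Enroll generates both key pairs and returns a PKCS#1 DER copy of the decryption key only, which is what gets backed up (2048-bit RSA is a constructed choice here).
func Enroll() (*CardCredentials, []byte, error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	dk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &CardCredentials{signing: sk, decryption: dk}, x509.MarshalPKCS1PrivateKey(dk), nil
}
// RecoverFromEscrow restores decryption, but never signing, ability from the backup.
func RecoverFromEscrow(escrowDER []byte) (*rsa.PrivateKey, error) {
	return x509.ParsePKCS1PrivateKey(escrowDER)
}
// Senders encrypt to EncryptionPublicKey; verifiers check signatures with SigningPublicKey.
func (c *CardCredentials) EncryptionPublicKey() *rsa.PublicKey { return &c.decryption.PublicKey }
func (c *CardCredentials) SigningPublicKey() *rsa.PublicKey    { return &c.signing.PublicKey }
// Sign makes a PKCS#1 v1.5 signature over SHA-256(doc); Verify returns nil when sig is valid.
func (c *CardCredentials) Sign(doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, c.signing, crypto.SHA256, h[:])
}
func Verify(pub *rsa.PublicKey, doc, sig []byte) error {
	h := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
// EncryptFor seals msg with RSA-OAEP; Decrypt opens it with the card's key or one restored from escrow.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func Decrypt(dk *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, dk, ct, nil)
}
func (c *CardCredentials) Decrypt(ct []byte) ([]byte, error) { return Decrypt(c.decryption, ct) }
```

The escrowed DER blob is the only private material that ever leaves the card in this model; a recovered key can read old encrypted files but cannot produce a signature in the employee's name.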
Companies with inter-operable back-end access control systems at multiple campuses will find that smart card systems ease other burdens. Take, for example, the task of getting into company buildings and onto company networks on different campuses. "Suppose one of our employees was traveling from Austin to Paris," Madavi says. "Before the trip, the employee can log onto a company Website and ask a manager to enable his smart card for building A, B, or C in Paris. The manager uses her smart card to sign a digital message authorizing physical and logical access to a set of buildings for, say, the next seven days in Paris. The message goes to the security officer in Paris, who sets the system to accommodate the trip. It could also be done with a direct link to the Paris database, in which the database recognizes the manager's key and authorizes access for the employee automatically."
While a conventional access control system can handle the physical access part of this chore, logical access requirements create additional security concerns. As more and more employees routinely travel to work at different company facilities, computer systems must allow people to access appropriate files, while restricting access to other files. Password security has proven increasingly inadequate to this task in recent years. It takes smart cards to secure far-flung computer networks.
At the same time, the digital authorizations and PINs encoded on the smart cards enhance physical security beyond the capabilities of a mag-stripe or proximity card system. In short, a smart card goes a step further in making sure that the person presenting the card to a door reader or to a computer owns the card.
Which is a smart thing to do.
Reports from the point of convergence
Internet watchdogs
How can you defend cyberspace? It's a nagging question as consumers and businesses use the Internet to buy, sell, share, learn and play. As concerns about privacy and security continue to mount, the government is inevitably caught up in the fray. How can the government offer convenient e-services while simultaneously protecting user privacy and the nation's critical infrastructure? Taking on such big issues will be the third annual Defending Cyberspace Conference and Exhibition, being held at the Renaissance Washington, D.C., Hotel, Dec. 11-13, 2000. It will be sponsored by the U.S. General Services Administration, Office of Governmentwide Policy and the Federal CIO Council Committee on Security, Privacy, and Critical Infrastructure Protection. Information: www.ctst.com
In search of a single card
Companies want a single card that can handle e-commerce purchases and enterprise resource planning systems, but not one company in a recent survey currently has one system that will handle such transactions. However, 60% of those polled would like to have such a system, while only 17% do not want to integrate the two systems. The survey was done by Credit Card Solutions Inc., Richland, Wash., a developer of purchasing card software. "The survey clearly illustrates what we already see coming in the marketplace," says Lori Nowlen of Credit Card Solutions. "Whether it's a government agency or a private corporation, the main goal is to have a single, easy-to-use system that makes it possible to efficiently manage and reconcile all types of purchases electronically."
Making information resilient
Assuming that intruders will somehow manage to break into a computer network, so-called information resiliency applies various methods to limit the damage intruders can cause. A team led by Logicon Inc., Herndon, Va., has become the first to successfully demonstrate real-time information recovery and response during a simulated information warfare attack on a deployed Department of Defense battle management computer system. The demonstration took place as part of the Data Resiliency in Information Warfare (DRIW) program, a study sponsored by the U.S. Air Force Research Laboratory in Rome, N.Y. "The Logicon team focused on two areas - forecasting an attack and responding in real-time immediately after an attack," says Dennis McCallam of the company's senior technical staff. "Our work enables the user to either forestall an attack or react rapidly to it, and to re-establish the system's operations with minimal or no impact to the end-user." It is designed to protect battle management and command-and-control systems.
Identix merges physical access, IT
Biometrics supplier Identix has reorganized to combine its physical access and IT divisions into one Security division to market its commercial products. Grant Evans has been promoted to executive vice-president of Identix and will also head Identix's itrust division, which was recently launched in conjunction with an equity investment in Identix by Motorola Inc. "We can now closely manage our itrust and Security divisions to develop complementary products and services that fit within the scope of both business models," says Evans. "This will permit us to further leverage Identix's proprietary fingerprint technology for wireless, wired and physical access platforms."
The eyes (fingers, voice, etc.) have it
Biometrics is finally ready for the big time. Large investments in the market, the strategic focus of companies like Microsoft and the support of analysts are combining to bring biometric technologies to a mass audience. The major players in voice, face and fingerprint recognition technologies will address and discuss key industry issues at the Biometrics in Business conference, Dec. 6-8, 2000, at the Flanders Language Valley, Belgium. It will be built around the theme that "only bodies speak the truth," and will explore the security and convenience benefits of biometric solutions. Presentations will cover strategies and solutions, from physical access to Internet security, from smart cards to digital signatures. Information: firstname.lastname@example.org
Lenel adds alliance partners
Lenel Systems International, Rochester, N.Y., has enrolled several companies in its OpenAccess Alliance Program, which provides a framework for hardware manufacturers and software developers to provide integrated security systems based on open architecture and device independence. Companies recently enrolled in the program are Management Controls Inc., Loronix Information Systems, PPM 2000, Vision Systems, Que Accounting, Internet Video Management Services Inc., and Integral Technologies. OpenAccess is a set of Application Programming Interfaces (APIs) that allow companies to integrate their products into Lenel's system.
Making Web data 'bulletproof'
Whale Communications, a provider of Air Gap security solutions for e-business, and infoShark, a software provider for access, exchange and transmission of XML data, have allied to promote secure XML-based e-business. Together, the two companies will enable enterprises to securely exchange slices of their database in XML format via the Internet. The companies are exploring mutual sales opportunities and joint marketing efforts, and may use each other's products in their own networks.
Making smart cards interoperable
Card and reader interoperability is important to smart-card applications, and the General Services Administration (GSA) has modified its specifications to include an interoperability standard. Under GSA specs, the cards must secure physical and logical access, provide biometric user authentication, and encrypt via digital signature, public-key infrastructure and other methods. The original specs were the work of the GSA, other agencies, and five Smart Access Common ID prime contractors: Electronic Data Systems Corp., Litton PRC Inc., Logicon Inc., KPMG LLP, and 3-G International Inc. "When customers buy off the GSA contract, they will have the assurance that the core applications will be interoperable," says Mickey Femino of the Federal Technology Service's Center of Innovative Business Solutions. The National Institute of Standards and Technology will test the different vendors' cards and readers together. GSA also will establish an advisory board to consider more spec changes over the contract's 10-year life.
BRIEFLY ...
A leading supplier of integrated security management systems - DEI Inc., Baltimore - has merged with NetVersant Solutions Inc., Houston, a provider of integrated network infrastructure.
"Smart cards have been around for 20 years, but never really caught on in the U.S.," says Jack Mapes, director of campus solutions at Schlumberger's Moorestown, N.J., offices. "The reason is that they were originally designed as a payment tool. The U.S. has always had an advanced credit card payment system. So there was no need for smart cards. This is changing with the need for cards to handle many different applications. It's a convenience that enables you to empty your wallet and replace many cards with one."
Smart cards will continue to have limited applications in general use in the U.S., Mapes believes. To develop a national smart card system for a card that acted as, say, a driver's license, Social Security card, credit card, and debit card would carry enormous infrastructure costs.
On the other hand, a smart card is ideal for many uses in the closed world of a private company with many buildings and even many campuses. In such a closed environment, smart cards can provide an array of conveniences beyond security. For example, smart cards can be used at the company cafeteria and company vending machines. Retailers occupying space in company buildings - a snack bar, dry cleaner, or other retailer - could install readers that would accept the company's smart cards.
Schlumberger installations use small closed circuit television systems to supplement their smart card security systems. At the Austin, Tex., campus, for instance, security director David Cherry uses four Pelco color cameras to monitor the grounds of the six-building campus. The cameras send video over fiber-optic cabling to a security center equipped with a Pelco 2000 switcher that can accommodate up to eight cameras. A 24-hour time-lapse Sony VCR records the video, which can be displayed on a Sony monitor.