My week has been spent mostly in the company of consultants. I seem to have had every vendor and consultant stereotype visit me since Monday: from the nervous, commission-hungry salesman to the professional, soberly suited management consultant with an encyclopedic knowledge of a very narrow area.
The subject was smart cards. As regular readers know, I'm trying to implement smart-card-based access control for Windows 2000 PCs so that I can do away with passwords wherever possible. This should be relatively simple, because Windows 2000 is designed to support smart-card access. But the project is made more complex by having to be compatible with our proximity-card building-security system.
Digging Into Smart Cards
Over the past few weeks, I've been on a steep learning curve. I've been scouring the Internet for Web sites that explain smart cards and smart-card technology. I've also been reading all the Microsoft Corp. white papers I can find. The white papers are in fact rather clear and concise, despite some occasional lapses into jargon.
This Week's Glossary
ISO 7816: The International Standards Organization's (ISO) published standards for the design and manufacture of smart cards. Although ISO standards aren't enforced, vendors wishing to interoperate with other companies in the smart-card marketplace usually comply with this standard.
X.509v3 certificates: This refers to the international standard Directory Authentication Framework (ISO/IEC 9594-8, or ITU-T X.509). This standard describes an authentication protocol based on public-key cryptography and using digital certificates. The name X.509v3 is commonly used to denote digital certificates that comply with this standard.
Links
Smartcardcentral.com Inc.'s online buyer's guide to smart-card industry vendors is an excellent resource. It includes links to vendor Web sites, names of consultants, reports about smart cards and smart-card technology and even a list of trade shows.
Sun's JavaCard Web page contains detailed technical product information, white papers and developer information.
The Multos site is operated by Maosco Ltd., a consortium that develops Multos and backs it as an industry smart-card standard for financial and retail applications.
Microsoft Corp.'s Windows for Smart Cards Web page includes a tutorial, tool kit data sheets, white papers and other data.
Gemplus SA's Web site includes both smart-card product information and a tutorial.
From what I understand from the smart-card Web sites and the blandishments of the consultants, I have to choose the smart-card chip, the chip's operating system, the type of smart-card reader and a certification authority. From there, it's just a matter of system configuration.
I'm least sure about the type of smart-card chip I need. I have a wide choice of manufacturers, but I'm not yet sure how to distinguish among the different chips they all offer. I know the chip needs to conform to the industry standard, ISO 7816, and I know that they offer different amounts of RAM, from 1KB to 16KB, but after that, I can't distinguish among them on anything other than cost. (Perhaps readers can enlighten me in the Computerworld.com Security Manager's Journal forum.)
The ISO 7816 requirement is absolutely fundamental. This is the international standard that determines the basics of how a smart card should be designed; most cards and card readers are built to this standard. If I specify a card that doesn't meet the standard, I'll have a very hard time finding other compatible systems.
Windows 2000 smart-card authentication is based on X.509v3 certificates, so I know that each card will have to hold one of these certificates. This can take up to 3KB of the available memory. After that, any remaining memory is there to be used by future applications.
Although we don't have any other applications planned for the cards yet - it's very early - I believe that smart cards are such a useful technology that many other applications will be found as soon as the technology is there. Since 16KB cards cost only about 10% more than 8KB cards, and since the card cost is going to be such a tiny fraction of the cost of the whole project, it makes sense to go for the largest possible cards right from the start.
The card operating system is an easier decision - particularly because there seem to be only four real choices: Sun Microsystems Inc.'s JavaCard, London-based Maosco Ltd.'s Multos, Microsoft's Windows for Smart Cards or a proprietary operating system.
I want this system to be as flexible as possible so it can be used easily for new smart-card-based systems as they arise. Therefore, I want to avoid proprietary operating systems wherever possible.
Multos seems to be the highest-security operating system, most commonly used in retail financial systems such as payment cards.
I'm not sure about JavaCard yet, and I haven't found anyone with a well-researched opinion on it. Windows for Smart Cards is young and relatively untested. However, knowing Microsoft, by the time I'm ready to roll it out in nine months, it will be like any other Microsoft operating system - not pretty, not very elegant, but functional, popular and capable of working with almost anything else on the market.
The User Triumvirate
Smart-card readers are turning out to be a bigger problem than I imagined. We have three main types of users: the average paper pushers (that's me!) with a relatively standard desktop PC, keyboard and monitor; the road warriors, who take their laptops wherever they go; and the front-line operations staffers, who are highly stressed, highly demanding and have very specialized hardware and software configurations.
That means we need three different types of readers. Paper pushers can use almost anything that fits in the back of their PCs. Road warriors need something light, unobtrusive and easy to use. Operations staffers need a reader that can take some punishment and can fit into their often unusual environments.
I put these requirements to every consultant I met, but I got incomplete answers at best. One finally suggested a French company called Gemplus SA. Gemplus seems to have products that meet most of these requirements. I've had time only for a brief call to one of the company's salesmen, but he was impressively calm and well-informed and came up with simple, helpful answers to all my questions. The impression I got was that people at Gemplus had seen these problems before and solved them. I'll have to investigate further.
The certification authority might be the hardest requirement of all because it will involve the most office politics.
As I mentioned above, Windows 2000 authentication is based on digital certificates. A digital certificate essentially consists of two things: the public key of an asymmetric cryptographic key pair and a statement from a trustworthy source that the corresponding private key - the other half of the key pair - is known to one person only. An asymmetric key pair consists of two keys: one public, one private. Anything encrypted with the public key can be decrypted only by using the corresponding private key, and vice versa.
In our situation, that trustworthy source is known as a certification authority. And it isn't easy to create something worthy of so much trust.
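To make the certificate description above concrete, here is an added example (it is not from the column and does not describe the author's deployment) that uses the OpenSSL command-line tool to stand up a toy certification authority, issue a user certificate of the kind a smart card would hold, and check the two things the text describes: that the user's certificate chains back to the CA, and that a signature made with the private key verifies with the public key taken from the certificate. The organisation name, the user name "jude" and the file layout are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the column: a minimal certification authority built
# with the OpenSSL command-line tool. It issues the kind of X.509 certificate a
# smart card would carry and checks the trust relationship the text describes.
# "Example Corp" and the user "jude" are constructed placeholders.
set -eu

# Scratch directory for keys and certificates; set WORK to keep the files.
WORK="${WORK:-$(mktemp -d)}"

# The certification authority: a key pair plus a self-signed certificate.
# Relying parties (here, openssl verify) are configured to trust ca.crt;
# ca.key is the secret that makes the CA's statements worth trusting.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Corp/CN=Example Corp Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a user certificate: generate the user's key pair, build a signing
# request that carries only the public key, then have the CA sign it. The
# private key never leaves the user's side (in a real deployment, the card).
issue_user_cert() {
    user="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -CAcreateserial \
        -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -out "$WORK/$user.crt" 2>/dev/null
}

# Chain check: succeeds only if certificate $1 was signed by the CA whose
# certificate is in trust file $2.
verify_cert() {
    openssl verify -CAfile "$WORK/$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Size of the certificate in DER encoding, the form that occupies card memory.
cert_size_bytes() {
    openssl x509 -in "$WORK/$1.crt" -outform DER | wc -c | tr -d ' '
}

# The key-pair property from the text: a signature made with the private key
# verifies only with the matching public key, taken here from the certificate.
sign_and_verify() {
    user="$1"
    printf 'logon challenge' > "$WORK/msg"
    openssl dgst -sha256 -sign "$WORK/$user.key" -out "$WORK/msg.sig" "$WORK/msg"
    openssl x509 -in "$WORK/$user.crt" -pubkey -noout > "$WORK/$user.pub"
    openssl dgst -sha256 -verify "$WORK/$user.pub" \
        -signature "$WORK/msg.sig" "$WORK/msg" >/dev/null 2>&1
}

# Stand-alone demonstration run.
demo() {
    make_ca
    issue_user_cert jude
    verify_cert jude ca.crt && echo "jude.crt chains to the CA"
    echo "jude.crt is $(cert_size_bytes jude) bytes in DER form"
    sign_and_verify jude && echo "jude's signature verifies with the certified public key"
}

demo
```

The DER size printed by the demo is the figure to compare with the column's 3KB budget: a certificate with a 2048-bit RSA key and a minimal subject comes out at roughly a kilobyte. A certificate that Windows 2000 will actually accept for smart-card logon also needs Windows-specific extensions that the column does not cover and this example does not add; the example shows only the trust relationship between CA, certificate and key pair.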
This journal is written by a real security manager, "Jude Thaddeus," whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com and at www.sans.org to help you and your security manager better solve security problems. Contact him at jude.t@lycos.com or head to the forums. (Note: Registration is required to post messages; anyone may read them.)