Networking into the next decade - Smart Cards and Network Security

By Pierre Kotze, Financial services executive at Integrated Card Technology
Johannesburg, 17 Feb 2000

As businesses expand their supplier bases to include a new virtual neighbourhood of companies through the Internet, smart cards could be the vital signposts assuring them that these new acquaintances are indeed legitimate companies with which to do business.

It is also not uncommon to find that an employee working from home or on the road has only limited access to the organisation's data and network. On the Internet, the more an organisation or an employee is trusted, the more services they will be able to obtain or provide. Solutions to these challenges come from technologies such as smart cards, which enhance software-only solutions by providing client authentication, interactive logon, code signing, and secure e-mail.

A smart card, also referred to as a chip card or an integrated circuit card (ICC), is a plastic card with a small computer chip embedded in it. It looks like any credit card, except that on the front upper left-hand corner of the card, there are small gold contact marks.

Authentication provides assurance for the claimed identity of a user - it verifies that you are who you claim you are. The now well-known cartoon depicting two dogs talking to each other over the Internet, with the caption "On the Internet no-one knows you're a dog", seems to epitomise the problem of authenticity.

Today, the most popular way to establish a user's identity is with a user ID and a password. Poorly chosen passwords and failure to change passwords regularly remain the primary security loopholes for most companies; intruders can easily guess those passwords. Passwords are also vulnerable to network eavesdropping and intruder programmes.

Authentication by user ID and password only provides single-factor authentication - 'something you know' - that is used multiple times and can be intercepted and reused. Dependence on a user ID and password is therefore considered a weak authentication strategy.

Pierre Kotze, product manager at Integrated Card Technology (ICT), believes that smart cards reduce password risks:

"Using a smart card and a secret Personal Identification Number (PIN) introduces a process of verifying that the cardholder is the user or entity that is designated to use the card," he says. A malicious person would have to obtain both the user's smart card and the PIN to impersonate the user. An advantage of smart cards is that if a small number (for example, three) of unsuccessful PIN inputs occur consecutively, the card will lock. This makes a dictionary attack against a smart card extremely difficult.

"By demanding that the user enter the correct PIN, a smart card is equipped to identify positively its authorised bearer on each occasion, before making any further meaningful response (for example, authentication service). Following a successful cardholder verification session, the logon process can proceed. Smart card logon is a strong form of authentication because it uses public-key cryptographic based identification and proof-of-possession when authenticating a user to another entity on the network. This approach provides a two-factor authentication system, 'something you know' plus 'something you have'.

"The invention of public key cryptography provides the ability to help solve authentication problems. In public key cryptography every entity (which may be people or computers) will have what is known as a public key pair.

"The public key pair comprises a public key and a private key. Everyone knows the public key of an entity while the private key is known only by the entity. Only the private key can decrypt any message encrypted under the public key. Similarly, any message encrypted under the private key may be decrypted using the public key.

"To see how a typical authentication protocol works, assume that an application on the company's network server (called Server for simplicity) wants to authenticate the smart card and that the Server knows the card's public key. The Server can issue a challenge (i.e. some message) to the card. The card encrypts the challenge under its private key and sends back the encrypted message as its response. The Server then decrypts the response. If the decrypted response is the Server's original message, the Server can be sure that the entity with which the Server is communicating knows the card's private key (proof-of-possession).

"The belief that a public key actually belongs to a given user can be answered using the notion of a digital certificate. The fact that the smart card is portable is also an advantage, unlike software solutions on PCs. The smart card with its cryptographic capability and ability to securely store private key(s) and digital certificate(s) solves a number of security and portability issues associated with authentication," explains Kotze.
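
The PIN lockout and the challenge-response exchange described above can be simulated end to end. This is an added example, not code from ICT or from any card product: the class names, the PIN value and the demo key (built from two Mersenne primes, so not a secure modulus) are all constructed for illustration, and the card signs a SHA-256 hash of the challenge with unpadded textbook RSA, where a real card would use a standardised padded signature scheme.

```python
import hashlib, hmac, secrets

# Constructed demo key pair: Mersenne primes are trivially factorable.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (n, e) known to the Server
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, stays on the card

def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class CardLocked(Exception):
    pass

class ToyCard:
    MAX_TRIES = 3                        # consecutive wrong PINs before lock

    def __init__(self, pin: str, d: int, n: int):
        self._pin, self._d, self._n = pin, d, n
        self._tries_left, self._verified = self.MAX_TRIES, False

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            raise CardLocked("PIN retry counter exhausted")
        ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        self._verified = ok
        # A correct PIN resets the counter; a wrong one burns a try.
        self._tries_left = self.MAX_TRIES if ok else self._tries_left - 1
        return ok

    def respond(self, challenge: bytes) -> int:
        if not self._verified:           # no private-key use before PIN check
            raise PermissionError("cardholder not verified")
        return pow(_digest_int(challenge), self._d, self._n)

class Server:
    def __init__(self, n: int, e: int):
        self._n, self._e, self._pending = n, e, None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)   # fresh and unpredictable
        return self._pending

    def check(self, response: int) -> bool:
        challenge, self._pending = self._pending, None   # single use
        if challenge is None:
            return False
        return pow(response, self._e, self._n) == _digest_int(challenge)

def logon(card: ToyCard, server: Server, pin: str) -> bool:
    if not card.verify_pin(pin):
        return False
    return server.check(card.respond(server.new_challenge()))
```

Because each challenge is random and accepted only once, a response captured on the network cannot be replayed the way an intercepted password can.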


ICT

ICT is one of the country's leading developers of smart card technology, and with international cutting-edge companies as shareholders, ICT is constantly updated on new technologies and new trends. Smart cards and card readers are on their way to becoming a direct, secure extension of the PC network. Smart card technology will introduce South Africans to a new, quicker and more secure way of working.

For further information contact Integrated Card Technology on (011) 608 1803

Editorial contacts

Helen Burn
Prominent Marketing
(011) 463 5717
helen@pro-mark.co.za
Pierre Kotze
Namitech