Smartcard technology reaps security benefits

Two and a half years ago, Nikk Gilbert, head of security architecture at a multinational transport and energy firm, had a dream that staff could swipe a smartcard to enter a building, use that same card to pay for coffee in the canteen, then log on to their laptop... Now his dream is reality...

Two and a half years ago, Nikk Gilbert, head of security architecture at a multinational transport and energy firm, had the dream that staff could swipe a smartcard to enter a building, use that same card to pay for coffee in the canteen, then log on to their laptops by inserting the card into a reader, all without needing a password written on a Post-it note. Now his dream is reality at the firm's transport headquarters in France, which is home to 1,500 employees.

Teaming up with public key infrastructure (PKI) products and services company Open Trust, Gilbert put together a PKI, single sign-on (SSO) smartcard project.

"The initial concept was to provide the organisation with strong authentication. We started talking about how people would not need to have so many passwords, how security would be much better. The whole idea of having a smart card instead of 15 complex passwords was quite easy to sell," Gilbert says.

"We also used the smart card project to create a secure Wi-Fi network. People really want Wi-Fi. We said, if we had this smartcard with a certificate on it, we could provide the mechanism for secure Wi-Fi as well. We also integrated RFID on to the smart card, for building access and to pay for the local canteen inside the building."

Two-factor authentication

Gilbert's smart card project relies on PKI as its enabling technology. Encrypted information on the card is decrypted when the card is used, and for logging on to the company's networks there is a single password. "The whole time you have got two-factor authentication - something that you have, and something that you know. It makes security much tighter and it makes the users much happier," Gilbert says.

Ken Warren, smartcard business manager at Cryptography Research Inc., says, "The private key remains secret, but public keys can be shared openly. Data encrypted with a public key can only be decrypted with a private key, likewise data signed with private key can only be verified by public key. This means that data can be securely distributed over open networks with strong security, and authenticity of data can be verified. Although public keys can be freely shared it is important to verify the authenticity of a key someone gives you - key distribution is important task for PKI."

Secure data-authentication - knowing the data comes from the right place - has inevitably interested public sector organisations, and in particular civil aviation. Indeed, The European Commission has requested that all member nations include digital fingerprints on second-generation e-passports by mid-2009 - though this may be delayed in the UK.

E-passports are biometrics-enhanced machine-readable travel documents based on specifications from the International Civil Aviation Organization. Each e-passport contains an RFID chip retaining the holder's data such as name, date and country of birth and face-image, accessible via a contactless reader.

The second generation of electronic passports, to include fingerprint data, will also include an enhanced security specification - known as extended access control or EAC - based on PKI.

"Each passport has its own public-key private-key pair, and the private key is stored securely on the passport," Warren says. "It adds a level of complexity because you have got to have a key distribution system to make sure all the readers have access to the public key database. This database is interrogated by any passport reading authority to get the public key."

Encryption, the last line of defence

Warren thinks PKI incorporation into the e-passport is a welcome development. "The e-passport is a good example of an application where they sat down and worked out the requirements. It is quite a demanding application - there is nothing that needs more global interoperability than e-passports. They looked at the art of the possible, made strong recommendations and did it in a pretty good way. It is not unbreakable, but it is a good example of something that is fit for purpose. They are using an amount of technology that is not too onerous, but still adds an appropriate level of security and privacy to the user."

Richard Moulds, vice-president of product strategy at security enterprise nCipher, is happy the authentication market is swinging towards PKI for both enterprise and public sector and is welcoming the new business opportunities. "For a long time, people have been thinking about security as being anti-virus, anti-spyware and firewalls, which are all perimeter orientated. The fact that the newspapers are full of stories of data being compromised is proof these systems do not cope very well. It does not matter how good your firewall is, if somebody leaves the laptop on the bus then the data is vulnerable. Encryption provides the last line of defence," he says.

Meanwhile, Gilbert is rolling out new developments made possible by the PKI smart cards: total laptop encryption, SSO, and one-time password challenge for all enterprise applications. "SSO is an evolutionary process it is a long road. But it is well worth travelling down," he says.

Read more on Wireless networking