Smart Cards and PKI: A winning formula for Enterprise Security
01 August, 2002
category: Corporate, Digital ID, Library
BY SVEN HAMMER,
VICE PRESIDENT OF GEMPLUS
(REPRINTED FROM: SMART CARD TECHNOLOGY INTERNATIONAL, GLOBAL JOURNAL OF ADVANCED CARD TECHNOLOGY)
In recent years, global networks have transformed from a way for scientists and researchers around the world to share ideas and information to an increasingly effective way for businesses and government organizations to communicate and engage in commercial activities.
Today we stand at the threshold of a new era of electronic communications, one that will enable organizations to move beyond simply establishing a network presence, to communicating and sharing sensitive information with colleagues, customers and business partners.
The new IT era and its impact on communication and information sharing has radically increased the demand for secure corporate environments. What used to be an issue for the IT department has now moved onto the agenda of CEOs, as a vulnerable enterprise network is also an acute business risk. Over the last five years (1997-2001), U.S. corporations reported losses of more than $1 billion due to information security breaches (Source: FBI/Computer Security Institute).
Most security solutions today use the familiar combination of usernames and passwords to verify – or, using the parlance of network security, authenticate – people’s identity. The problem is that passwords are easy to forget, especially if you have many applications and sites to log onto. What’s worse, many people tend to pick simple passwords, such as their own first and last names, providing little challenge for any wannabe hacker out there.
Due to increasing threats to corporate networks, it has become necessary for all parties involved to reach the same level of trust in electronic communications that they have built up over years of doing face-to-face business in a paper-based world. On the Internet, nobody knows you are actually you – constituting a serious problem for designers as well as users of intranets, extranets, and web applications.
Passwords make poor identifiers
Today, the most popular way to establish identity is with a password. While passwords continue to be widely used to authenticate users, they cannot be relied upon for real proof of identity for many reasons.
Passwords are often sent over networks without any encryption, and then stored on the back-end in a single file, leaving them highly exposed to interception and compromise. Users often end up choosing the same easy-to-guess PIN (personal identification number) for many systems, or writing down passwords where they are easily accessible to anyone with dishonest intentions.
Recent computer security studies confirm that more than two-thirds of corporate network attacks actually originate from inside a company (Source: FBI/Computer Security Institute 2001).
The bottom line is that passwords offer no proof of who is actually using the password, thus compromising the confidentiality of a message or transaction, and making them an insufficient authentication method for information-sensitive environments.
So how is the problem solved then? It would be a shame to see a $100,000 security system go down just because the CEO’s password was too easy to guess! The answer is a combination of smart card technology and standards-based cryptography, which together facilitate the highest possible level of privacy, integrity and user authentication for network communications. The technology in question that needs to be combined with smart cards is called ‘public key infrastructure’ (PKI). In order to better appreciate why PKI is a good match with smart cards, a basic understanding of how it works is necessary.
PKI to the rescue
An ingenious method of scrambling information, called public key cryptography, has become the de-facto standard for businesses to secure communications and protect valuable information. The technology is the foundation for a PKI, which enables secure identification of users within a network. So how does a PKI work and why is it preferable to passwords?
To begin with, a PKI involves the use of two cryptographic ‘keys’, one public, which is made available for anyone, and one private, which is stored on a PC hard disk or on a smart card. Information encrypted with one key in the pair can only be decrypted with the other, and vice versa.
Whereas in a password solution the PIN or password is a shared secret stored somewhere on a back-end server, public key cryptography removes this problem: public keys are not secret and can be distributed over non-secured networks, while private keys never need to be distributed at all, so a user’s private key remains a secret to everyone but him or herself.
In order to link a public key with an individual user, it is embedded in a type of digital ID called a ‘certificate.’ The digital certificate is a data file that contains an individual’s public key along with other identifying information, such as name, address, social security number, etc.
In addition, the digital certificate contains information about the certification authority (CA) that issued the certificate. The CA is a trusted third party, such as a government agency or employer, that verifies the identity of the certificate owner before issuing the certificate.
Digital certificates were created to overcome the general anonymity afforded by unsecured networks like the Internet. By providing a reliable and trustworthy proof of identity in much the same way as passports and driver’s licenses do, certificates can be used for identification purposes on networks, websites, email and more.
Consequently, in a PKI, two entities unknown to each other can identify themselves and exchange information securely, given that they trust the third party who is issuing the certificate. Given this, passwords are an inferior solution to PKI, as they don’t have the ability to truly authenticate communicating parties. However, though PKI may seem effective, it possesses weaknesses that could compromise an organization’s security – smart cards provide the ideal complement.
Smart cards unlock the potential of PKI
Even if digital certificates and the public key technology they are based on offer the potential for ensuring secure network communications, used alone, they merely validate a PC, but not the actual user of that PC – a weakness that could prove costly.
Much like a passport without a photograph attached, a digital certificate stored in the usual manner on a PC hard drive is vulnerable to compromise and fraudulent use. Single-factor authentication offered by passwords is simply not strong enough, and before certificates can be widely accepted as proof of identity, a way must be found to protect them.
So, how do you most securely verify the identity of someone who is attempting to log on to your intranet, to make sure that they are, in fact, your VP of engineering and not your competitor’s market research assistant? The answer is the two-factor authentication provided by combining smart cards with PKI.
Smart cards provide an easy but strong solution by storing certificates and private keys in a secure, removable medium, making them inaccessible to anyone but their rightful owner. This in effect enables two-factor authentication – something you know (password) as well as something you have (card). Without possession of the card and knowledge of its password, potential hackers are unable to usurp the rightful owner’s identity and use it to gain access to secure information or conduct transactions in his/her name.
All cryptographic functions are performed on the smart card by its onboard microprocessor, and only the results are passed back to the host PC. As the card governs PC access, users can easily shield their workstation from unauthorized access by simply removing the card from the reader.
Basically, without the strong user authentication provided by a smart card, a digital certificate is about as much good as a passport without a photograph of its owner attached. A passport may attest to its owner’s identity and be an official document issued by a government agency; but without a photograph, it is impossible for anyone presented with the passport to confirm whether or not the passport holder is in fact who he or she claims to be.
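The PKI pieces described above (key pair, certificate issued by a CA) together with the smart card logon described in the preceding paragraphs (private key and PIN kept on the card, only the signature returned to the host), as an added Go example that is not from the original article or from Gemplus. The CA name, the user name, the PIN and the challenge nonce are constructed for the example; a real card also enforces a PIN retry limit, which is left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue plays the certification authority: it self-signs a CA certificate and issues the user's
// certificate, returning it with a "card" closure that holds the private key and signs only after the right PIN.
func Issue(name, pin string) (roots *x509.CertPool, cert []byte, card func(string, []byte) ([]byte, error)) {
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	userT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	cert, _ = x509.CreateCertificate(rand.Reader, userT, caCert, userPub, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	card = func(p string, nonce []byte) ([]byte, error) { // the host PC never sees userKey
		if p != pin {
			return nil, errors.New("PIN rejected") // a real card also counts tries and locks
		}
		return ed25519.Sign(userKey, nonce), nil
	}
	return roots, cert, card
}

// Authenticate is the server side: the certificate must chain to the trusted CA and the fresh nonce must verify under its key.
func Authenticate(roots *x509.CertPool, certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err // e.g. a certificate issued by some other, untrusted CA
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("signature does not match the certificate's public key")
	}
	return cert.Subject.CommonName, nil
}
```

Because the server checks both the chain and a signature over a nonce it just chose, a stolen certificate file alone, a replayed signature, or a card issued by a different CA all fail the logon.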
The Smart Enterprise Solution
Large enterprise and government organizations are becoming increasingly interested in using smart cards in combination with PKI, as a way to control access to their networks and databases. Although smart cards are applicable in a very broad range of applications, access control and user authentication are immediate application areas that can utilize the technology.
No other technology can secure and automate PC, LAN and application logon while at the same time freeing users from the need to remember and change multiple passwords, and do so in a user-friendly and comprehensive way. These functionalities represent a tangible step in delivering useful technology – from a user’s as well as an issuer’s perspective – not just something that’s cool to developers.
Besides the obvious access requirements, large organizations employ a number of additional applications that require proper authorization before gaining access — human resource applications, 401k management, workflow and budgeting applications to name a few.
Just as physical access cards offer a single “key” to unlock a number of doors which the user is authorized to enter, smart card-based PKI offers a single and unique key for all the applications and network resources a user is authorized to access.
Smart Card as multi-application tool
For most organizations, the technology’s promise lies in its two-factor authentication capabilities described above. But there is also an appealing factor in the concept of being able to develop a multiple application smart card. By loading a card with multiple applications, organizations and their employees can benefit from the ability to use one user-friendly device in a variety of situations and environments.
Smart cards, with the capacity of their chips, provide a platform for using one single tool for universal user access across all types of applications. In addition to web, email, logon security and other public key applications enabled with the smart card, it can also include an electronic purse that can be used for electronic commerce transactions on the Internet or for vending and cafeteria uses within a corporation. The card can even be securely debited and credited over the network using a web browser.
In addition, it is possible to combine digital certificates on smart cards with traditional physical access badges, placing both functions onto a single card. This way, one card is issued to employees for access to all the authorized ‘doors and Windows’ applications. By 2003, 33% of corporate Windows 2000 users are predicted to use a smart card for PC logon (Source: Gartner 2001).
Picture this: on the first day on the job, a new employee can be issued a public key certificate on a single card, combining both physical and electronic access privileges. As with a traditional security card, the employee’s photograph is taken and printed onto the card. Now, the same card can be used for both physical access to a building and/or office, and logical access to PC, network and web applications.
Add non-security features such as a personal e-purse for cafeterias and vending machines, and we have created a tool that in more ways than one makes the employee’s everyday working life not only secure, but also highly convenient.