Enabling Technologies – Smart Cards

Introduction
At first glance, smart cards look like normal credit or debit cards. However, closer examination reveals the absence of a magnetic stripe as smart cards store all their information on a chip buried within the card. Compared to conventional magnetic stripe cards, smart card enabling technologies differ in several important ways:

They can store much more data
They can be password protected
They can incorporate a microprocessor that can perform processes such as encryption

Although relatively unknown in the US, smart cards are by no means a new invention. There use in Europe is widespread for applications such as credit cards, telephone payment cards and the payment of road tolls. France is the leading adopter, having started issuing cards in 1967 and now has some 25 million cards in circulation. However, their use is predicted to grow rapidly world-wide over the next few years on the back of the Internet e-commerce explosion. The potential for smart card use is enormous, but there are three key functions of interest to the Web store merchant:

Storage of encryption keys
Electronic purses
User profile portability

Storage of encryption keys
Web commerce secure transaction protocols, such as SSL and SET, require that private encryption keys are stored securely.The most basic storage method is to encrypt the private key using a password and store it on the computer’s hard disk – this is what programs such as Netscape’s Navigator do. This method although convenient, does have some security risks as anyone who discovers or intercepts the password can use the private key if they have access to the computer where the key is stored. Another vulnerability is that once the key is decrypted it is held within the computer’s memory where it could be copied by a rogue program.

Security can be increased by storing the encrypted key on removable media, for example a floppy disk. An attacker would then need access to this media and knowledge of the password before they could use the private key. However, this method still requires the key to be decrypted and held within the computer’s memory where again it could be copied by a rogue program.

Smart cards can provide a very secure way of generating, storing and using private keys.In its most basic implementation, smart cards can be used to store private keys and digital certificates protected with a password. Security can be further enhanced by using a microprocessor within the card to generate the public and private key pairs and to perform the actual encryption. Data to be decrypted or digitally signed is passed to the card where the microprocessor performs the operation and then passes the data back to the computer. That way the key never leaves the card and is therefore not vulnerable to attack by rogue programs scanning the computer’s memory for keys.

Electronic purses
Many applications in place today use a smart card as a replacement for cash because of the higher security they offer over standard credit cards. Although most of these systems (for example Mondex, VisaCash, CLIP and Proton) were developed for point of sales applications, their use is likely to extend to Web commerce as they provide an easy and secure way to handle cash transactions. Many project that smart card readers will become a standard component of PCs – indeed the Intel PC98 specification recommends that Office PCs have a smart card reader installed as standard.

User profile portability
One factor that could potentially restrain the growth of Web commerce is restricted access to the Internet. Although the number of home and office computers with Internet access is continually growing, it is still not universally available and even the introduction of low cost access devices (for example Web TV) will not solve this completely. Also, even those with Internet enabled computers are unable to access them when away from their office or desk.

Smart cards could provide an answer to this by providing secure access over public Internet terminals or screen phones. Personal profile information could be stored on the card so no matter what device was being used the appearance would be the same. The on board microprocessor would be able to encrypt all messages thus eliminating security risks.