- Andy Briney
Imagine leaving for work in the morning, walking out of your house and down the street to the subway station. As you enter the station, you walk right past the line at the ticket counter and through the turnstile, which automatically deducts the fare from a smart card in your hip pocket. Twenty minutes later, you get off the subway and grab a cup of coffee, paying with the same smart card. Arriving at work, you whip the card out again for the lobby security guard, who glances at the photo and waves you through. Now at your office door, you use the smart card/ID badge as a key, waving it past an RF reader on the wall. Finally, as you sit down at your desk and boot up your PC, you slide the card -- the same card -- into a reader, enter your PIN and log on to the network.
You've used your smart card five times, and it's not even 9 a.m.
This scenario is the dream of every smart card manufacturer, issuer and integrator in the world. Put a smart card in everyone's hands, and build the infrastructure so it can be used everywhere, for everything. Not just electronic purse and access control, but driver's licenses, national ID and health insurance cards, telecommunications, mobile commerce and more. Privacy concerns aside -- and there are plenty of them -- rapid technological innovation and explosive adoption rates make this far-fetched scenario, well, not so far-fetched after all.
While smart cards are years away from achieving critical mass in the United States for any of these uses, predictions of "hockey stick growth" in some segments are finally coming true. Last year, more than 41 million cards were manufactured for use in the U.S., a 45 percent increase over 2000, according to a Smart Card Alliance study released last month. Year-to-year growth in shipments to the federal government topped 1,000 percent, while shipments to retail and financial institutions grew by 377 percent and 146 percent, respectively.
"For years, we said, 'Don't worry, the smart card explosion is going to happen in seven years.' It looks like this is the last year we have to say that," says Patrick Gauthier, senior VP of smart card applications at Visa USA.
However, critics are quick to point out that it's easy to achieve triple-digit growth when you're starting from practically nothing. The 41 million manufactured for the U.S. last year represents a paltry 5 percent of the worldwide microprocessor card market. And despite 2001's impressive growth, the U.S. remains at least a generation behind Asia and Europe in the use of smart cards. For instance, the Taiwanese government recently announced plans to issue health insurance smart cards to all 24 million residents. And more than 40 million French citizens carry a smart card for e-banking and debit card purchases.
"Smart cards are a part of the European culture and business system," says Jason Wright, security technologies program leader at analyst firm Frost & Sullivan. "Whereas in the U.S., it's going to require a whole shift in dynamics. You're going to have to get the card readers out, you're going to have to get people to understand the technology, and you're going to have to get them to break from what they're already using."
When talking about smart card adoption rates, it's also important to separate the consumer market from the business one. Just because more Americans are using smart cards for, say, online banking doesn't mean that U.S. corporations are champing at the bit to use them for physical or network security. In fact, according to a January 2002 Information Security reader survey, only 12 percent of organizations currently use smart cards for network/systems authentication. Of those that don't, 82 percent said they had no definite plans to purchase or deploy smart cards in the next two years.
Cool, but Practical?
Smart cards have always been cool, but not always practical. Although their core functionality has remained unchanged for 30 years, recent developments have increased their practical viability.
Memory. The single biggest driver of smart card growth, experts say, is their multiapplication capabilities. A few years ago, smart cards had a maximum memory capacity of 6K or 8K, which typically restricted them to a single application (say, storing frequent flier miles). Today, most smart card manufacturers-including heavyweights SchlumbergerSema, Gemplus and Oberthur are mass-producing 32K cards, which allows the same card to be used for multiple applications. For high-capacity applications, more expensive 64K and even 128K cards can be used.
"The arrival of 32K cards is really the first time a smart card alternative has been viable," says Malcolm MacTaggart, president and CEO of smart card vendor CryptoCard (www.cryptocard.com). "Without having a multifunction capability, what's the point? Why go to the expense of installing smart card readers and putting in place 16K smart card systems just to do authentication?"
Multi-application platforms. Smart card developers can choose from several competing platforms to colocate multiple applications on the same chip. Different apps can be programmed before cards are issued. Post-issuance, software development kits such as Gemplus' GemXpresso Lite lets developers upload new apps via PoS devices, ATMs and the Internet.
Currently, three platforms compete for multi-application market share. Mondex's Multos platform is widely used for financial smart cards, particularly in Asia and Latin America. Microsoft's (www.microsoft.com) Windows for Smart Cards has been used for some network security applications. Over the last two years, however, Microsoft has distanced itself from the smart card OS, viewing it as an enabling technology and not a key part of future OSes. In its place, Sun Microsystems' (www.sun.com) Java Card -- already the number one platform for GSM and m-commerce applications -- is becoming more popular for all multi-application environments, including enterprise security.
For the Java Card to become the de facto multi-application standard, issuers and developers must be confident in the platform's security-a questionable proposition given Java's security history. The security of the Java Card has been the focus of intense scrutiny over the last several years. While Java Card isn't immune to attack, its current version, 2.1, addresses many of the security weaknesses that plagued previous versions. In particular, experts say the security model for sharing objects between multiple applets has improved significantly.
"Even though Java Card is relatively new, it has been around long enough to go through several changes itself," says Gary McGraw, VP of corporate technology at Cigital (www.cigital.com) and coauthor of Securing Java (Wiley, 1999). "A majority of the changes have been brought about in the name of security."
Another major benefit of the move to Java Card is the large base of Java developers -- more than 100,000 worldwide, by some estimates -- who can program applications for smart cards.
Standards. Progress toward a full-fledged multiapplication environment has been hindered by the competing technologies and development infrastructures. While Java Card is emerging as the front-runner for multiapplication environments, some insiders insist that the Multos platform is more technically robust. Meanwhile, the large installation base of the Microsoft smart card OS and the existence of dozens of proprietary platforms complicates the move to a standardized development model. For smart cards to take the next step to a true multiapplication framework, the lack of interoperability must be addressed.
GlobalPlatform, a new cross-industry smart card standards group, is tackling this issue head on. Comprised of more than 50 organizational members from the financial services, telecommunications, government and technology sectors -- including all the leading smart card vendors -- GlobalPlatform provides a system architecture for developing globally interoperable smart card systems.
With its roots in Visa's Open Platform specifications, GlobalPlatform develops models and conventions needed to facilitate cross-industry chip card application loading and management, such as back-end card systems, security, key management and application deployment. The architecture is comprised of three elements -- card, terminal and systems -- each of which includes specifications, software and/or chip card technology.
"Visa's Open Platform standardized on Java for multiapplication cards four years ago," says Tad Bogdan, senior VP of sales and business development at ActivCard (www.activcard.com). "GlobalPlatform is the committee behind Open Platform, and from the very start they standardized on Java Card."
Open Platform and GlobalPlatform also have undertaken much of the research into Java Card security. "The development of GlobalPlatform significantly enhances Java Card loading and other security-critical features," says Cigital's McGraw.
Infrastructure. The problem with the "smart card for everyone" scenario isn't getting a smart card in everyone's hands. The problem, particularly for enterprise environments, is providing end users with a smart card reader that's cheap, portable and easy to use.
While PC/SC peripheral readers continue to come down in cost, for desktop systems the easiest solution is a built-in keyboard reader. After years of dipping their toes into the smart card pool, hardware manufactures Compaq and Dell are now rolling out a limited number of combination keyboard/readers. Compaq last year announced a partnership with Fleet Credit Card Services, a subsidiary of FleetBoston Financial, to offer Fleet Fusion Visa cardholders keyboard readers that can be used to access online accounts, pay bills and enroll in customer loyalty programs.
While Compaq hasn't committed to building readers into all of its keyboards, some experts say it's only a matter of time. "Within 18 months, I predict all keyboards will come with smart card readers," says Frederic Spagnou, chief operating officer of Gemplus.
In addition to using smart cards for physical access control and identification, most recent adopters store users' private keys on the card for authentication and transaction integrity. Some organizations, such as The Judicial Organization of the Netherlands Ministry of Justice, are even storing biometrics on chip cards. The Ministry uses biometrics-powered smart cards from Oberthur and Utimaco, allowing users to employ digital signatures and perform data encryption within applications such as Microsoft Outlook.
"I know of very few enterprise smart card implementations that don't store a private key," says Frost & Sullivan's Wright. "You can log into Web servers, corporate networks, even your online bank account, and have it be much more secure than a traditional user ID/password scheme."
In the U.S., recent examples of multi-application smart card use abound:
- The U.S. Department of Defense is rolling out 4.3 million Java-based "Common Access Cards" (CACs) to all military and civilian employees and contractors. In addition to providing physical access control, the cards will allow DoD employees to digitally sign and encrypt electronic transactions (such as e-mails and deployment orders) and authenticate themselves to intranet databases and applications. "By encrypting information, this technology will also make Defense Department computer networks more secure," Pentagon deputy CIO Paul Brubaker said in a statement.
The 32K CAC will reserve 7K of space for customized applications. For example, one Marine Corps program reportedly plans to use the cards to track weapons issued by its armories. Eventually, the DoD plans to roll out 13 million CACs in 13 different countries.
- The Washington Metropolitan Area Transit Authority (WMATA) has issued more than 210,000 smart cards to Metro subway and commuter train riders in the Washington, D.C., and Northern Virginia area. Riders can store up to $200 on a contactless smart card called SmarTrip. As described in the opening scenario, passengers simply wave their card in front of a turnstile reader. They don't even have to take their cards out of their wallets or pockets as long as the card is within 10 centimeters of the reader. SmarTrip cards can also be used to pay for parking at Metro stations.
The WMATA smart card project has been operational for more than two years. Metro authorities are now working on a pilot program with First Union Corp. that combines SmarTrip cards with a First Union debit card application. A possible partnership combining SmarTrip with federal agency ID cards -- specifically, the General Services Administration's Federal ID Card -- is also being explored.
- More than 50 bank members of Identrus LLC, a consortium of 300 leading financial institutions, are planning to offer their corporate customers smart card-based PKI systems to digitally sign and authorize financial transactions. Participating customers are provided with a card, reader and software kit; a card management system assigns key pairs and certificates when cards are issued.
- Petroleum giant Royal Dutch Shell has issued nearly 100,000 Java-based smart cards to all employees worldwide, including thousands in its U.S. headquarters in Houston. The cards, manufactured by SchlumbergerSema, serve as corporate ID badges and provide building and network access control.
"Shell has a large legacy of systems, and the security of the Shell network is only as strong as its weakest point," says Xavier Flinois, president of Schlumberger Network Solutions. "So they decided to deploy a smart card-based system that would basically give a similar level of access to everybody."
According to Flinois, Shell plans to move a significant portion of its employees to a thin-client architecture, relying on the smart cards for authentication to network and systems resources. "There's basically nothing on the desktop except for your screen and card reader," he says. "You use the card to actually log into the system. All of the resources are on the other side of the network."
Eventually, Shell plans to migrate 35 to 40 percent of its users to the smart card-based thin-client model, Flinois says. "Most of the people who are now traveling are thin-client based. All of the MIS systems are addressed with the thin client, and all of the business apps can be addressed that way." (At press time, Shell could not be reached for comment.)
Obstacles to "Critical Mass"
Smart card vendors and industry groups point to these and other rollouts as a sign that chip cards will soon be a common fixture in businesses across North America. However, several obstacles may prevent the ultimate dream -- a smart card for everyone, used everywhere and for everything -- from ever happening in the U.S.
Interoperability. While multiapplication functionality is driving smart card growth in U.S. businesses, the "single card" concept -- one card for identification, PoS, transit, physical and network access, etc. -- is a long shot at best. While the Global-Platform group's efforts may simplify the challenges of programming multiple apps on a single card, creating a secure, robust and interoperable management infrastructure remains complicated and expensive. The industry's inability to standardize on one multiapplication platform further complicates matters.
The credit card industry's effort to introduce a smart card infrastructure in the U.S. offers a glimpse of the enormity of this challenge. Visa, American Express, Discover and MasterCard have each rolled out smart card programs. But these programs have stalled because merchants don't have the terminals to accept smart card purchases. "The cost of upgrading the infrastructure to payment on chip is $12 billion," says Visa's Paul Gauthier. "The problem is that $8 billion of this must be shouldered by the merchant." Compounding the problem is the lack of interoperability: none of the card platforms currently works with any of the others.
Privacy. Even if the technology and infrastructure were robust and cheap enough to support the single-card concept, privacy concerns will plague adoption. "The multipurpose card raises a lot of privacy concerns," says Robert Ellis Smith, an attorney and publisher of Privacy Journal. "The more purposes you have, the more information you need to collect on the card. The more information on the card, the more people are expected to carry it, and the more law enforcement will think something is wrong with you if you don't have it on you. It becomes a de facto mandatory card if it's a multipurpose card, because any good citizen is expected to carry it."
Privacy is also a potential concern for employees at organizations using smart cards for building access control. Such systems provide accurate logs of where employees are at all times, which smacks of Big Brother to many workers.
Security. The need to ensure the confidentiality and integrity of all information stored on a smart card -- be it your health records or your subway fare -- is one reason smart card security remains a hot topic. Just as consumers are concerned about protecting the privacy of sensitive information on a card, businesses must be assured that authentication credentials are tamperproof should the card fall into the wrong hands.
"The main reason for security is not to protect cardholder privacy but to protect card issuers against fraud perpetrated by malicious cardholders -- that is, people who steal cards," says Cigital's McGraw.
As mentioned earlier, Java Card security has been a focal point of smart card research over the last several years. By itself, Java Card does not include sufficient controls over applet loading, cryptography and selection, according to McGraw. "This is one reason why managing security risk on a particular vendor's implementation is a nontrivial exercise. In the end, each vendor's different card has a different risk profile."
Beyond Java Card, the smart card model in general is vulnerable to a variety of hard-to-combat attacks. Unlike a self-contained computer system, smart cards aren't restricted by a single system's security boundaries. Multiapplication cards, in particular, have multiple system interfaces and, therefore, multiple avenues of attack.
Three years ago, Bruce Schneier and Adam Shostack wrote a white paper on eight classes of such attacks, including "attacks by the terminal against the cardholder" and "attacks by the cardholder against the issuer."3 Since then, "the smart card OEMs haven't done anything to solve these problems," says Schneier, "mostly because they're really hard problems."
Cost. In Information Security's survey of IT/security professionals for this article, the cost of smart card rollouts was the number one obstacle to purchase and deployment. While the cost of smart cards and card readers is coming down, they're still more expensive, unit-to-unit, than other two-factor authentication options, such as hard tokens and USB tokens. For a 1,000-user deployment, for example, smart cards will cost you $60-$65 per seat, compared to $35-$40 for USB tokens and $45-$55 for password tokens.
On the other hand, cost becomes less of an issue in a multiapplication environment. In other words, you can't use a USB token as an ID badge, and you can't wave a SecurID token past an RF reader to gain access to the data center.
Culture. Perhaps the biggest obstacle to U.S. smart card adoption -- for consumers and businesses alike -- is the lack of cultural acceptance.
"Why has North America been that much slower than elsewhere to embrace smart cards technologies as a whole? The reason is that consumers aren't feeling deprived of being able to do something because they don't have smart card technology," says CryptoCard's MacTaggart. "And because they don't feel deprived, they don't rush to adopt them. The technology purist will suggest, 'Yes, but with smart cards we can do all these multifunction cool things.' That's true, but the consumer says, 'So what?'"
American Express has learned this lesson the hard way. Over the last three years AmEx has spent millions trying to launch its Blue card stateside, even offering free smart card readers to roughly 500,000 first-time customers. But by all accounts, the initiative has been a huge disappointment. More than 5 million Blue cards have been issued, but pitifully few cardholders use (much less recognize) their smart card capabilities.
"It's hard to demonstrate the value proposition of smart cards when you can't even give them away," says David Bonalle, VP and general manager of advanced payments development at AmEx.
"Culture" is less of an issue in a business environment, of course, because unlike consumer populations, you can force company employees to adopt a technology solution. Nevertheless, the prospect of issuing and administering cards and card readers, managing the back-end infrastructure, programming multiple applications, etc., has been too much for most organizations to swallow.
"Ninety percent of the world still uses passwords," MacTaggart says. Multiapplication or not, it's clear that most companies haven't felt "deprived" enough to make a change to any two-factor authentication solution.
Despite these and other obstacles, smart card adoption marches onward. It's clear that most U.S. businesses don't view smart cards in the same light as their European and Asian counterparts, but some experts say that doesn't matter.
"I think North America will catch up," MacTaggart says. "But it's not like the space race. We're not trying to get to the moon first." MacTaggart and others insist that the business need, not the technology, will be the primary driver for future deployment in the U.S. "When it becomes cheaper and easier for your organization to have its security and/or authentication needs met by using a smart card, then we'll see higher rates of adoption, but not before."
Until the industry settles on a standardized multiapplication platform, businesses may prefer to approach smart cards the way they approach other major IT infrastructure projects: one application at a time. After all, that's the beauty of a multiapplication framework -- other apps can be added as the business model evolves.
"We're seeing the need for VPN and e-mail applications," says Colleen Kulhanek, VP of marketing at DataKey (www.datakey.com). "E-mail is a very common first use for smart cards. Customers begin with securing their e-mail systems and then move that out to their remote VPN users." Leading VPN vendors such as Nokia (www.nokia.com) and Check Point (www.checkpoint.com) support smart cards for remote user authentication.
Vendors of other authentication technologies are also moving to integrate smart cards into their portfolios. Earlier this year, RSA Security (www.rsasecurity.com) released the SecurID ComboReader, a combination SecurID token and smart card reader. The token can be used like any stand-alone SecurID token, providing users with a one-time password to authenticate to an RSA ACE/Server. Or, it can be plugged into a USB or serial port and used as a PC/SC reader for authentication to a Windows domain. (A standard card-type token is also available without the PIN pad.)
While the one-card dream will probably remain just that, most experts agree that it's only a matter of time until most Americans are using smart cards for at least some applications. "We'll never get to a point where every American has a smart card," says Dan Cunningham, chair of the Smart Card Alliance's market research committee. "But by 2005 I would guess that more than half of the people in the U.S.-150 million or so-will have one."
About the author:
Andy Briney is editor-in-chief of Information Security.