The National Strategy for Trusted Identities in Cyberspace (NSTIC) broadly defines an Identity Ecosystem that would re-establish trust and better protect online identities. NSTIC identifies smart card technology as one example of an identity medium (a card, USB token or other device storing identity credentials used to validate online identities and transactions) suitable for high-value transactions and identities.
This slideshow explains what a smart card is, where smart cards are used today and how they can establish trusted identities in cyberspace.
What is smart card technology?
A smart card, also called an integrated circuit card, is a device with an embedded secure computer chip. The vast majority of smart cards now include a microprocessor chip and special operating software.
There are two basic types of smart card technology, contact and contactless. Contact smart cards are inserted into a reader and left in place while the computer in the card interacts with the card acceptance device and the system behind it.
Contactless cards communicate over a short-range radio-frequency (RF) link that is established when the card is brought close to a contactless terminal.
Where is smart card technology used?
Smart card technology is used to protect identities and transactions.
In mobile telecommunications, a SIM/UICC securely identifies and authenticates subscribers to the network. More than one billion credit and debit payment cards contain a smart card chip to secure payment transactions. Transit agencies are using contactless smart cards to speed riders onto subways, buses and trains.
Governments use smart card technology to make identity credentials more secure, including the global ePassport program, used in more than 100 countries. The U.S. Federal Government issued a Personal Identity Verification (PIV) card to all federal employees, used for physical access to buildings and logical access to networks and computers.
Smart cards restore trust and protection for online identities
One protection mechanism identified in the proposed national strategy for high-value transactions and identities is a smart card-based “identity medium” — a physical credential or device separate from the PC.
Many organizations already use smart card identity cards/tokens for IT security. At login the server authenticates the smart card chip using the same cryptographic techniques that protect mobile and payment networks. The card is a "second factor" in addition to the password, which is why this is also called strong authentication or two-factor authentication.
Why is this so secure? Even if someone steals a username and password, they cannot log in or impersonate you without the physical smart card.
How smart card security works
The microprocessor chip and special operating software have several capabilities, including built-in digital identity credentials (public key certificates) or other cryptographic technologies, used to authenticate identities and authorize access to systems in cyberspace.
One important aspect of this capability is the use of dynamic challenge and response mechanisms: the server sends a freshly generated random number (a nonce) as part of the authentication process. Using its internal cryptographic capability, its stored secret key and that challenge, the smart card computes a response that is unique to this exchange and sends it back to the server.
The server verifies that the response is correct for the challenge it issued. Because the challenge is never reused, a recorded response cannot be replayed later, so a correct response proves that the card is both authentic and present.
Smart cards can confirm a server is authentic
The smart card chip can also authenticate the server.
When the smart card and the server both authenticate each other it is known as mutual authentication. Mutual authentication is a "best practice" when smart cards are used for cybersecurity.
Having the smart card verify the server sharply reduces the risk of man-in-the-middle attacks, in which an attacker uses any one of several techniques to get between the end user and the server to steal login credentials or hijack the session after the legitimate user has been authenticated. A rogue server that does not hold the right key cannot produce a response the card will accept, so the user is not tricked into authenticating to it. One caveat: relay attacks, where the attacker simply forwards messages between a genuine card and a genuine server in real time, are a distinct threat and require the authenticated exchange to be bound to the session it protects.
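The challenge and response exchange described above, extended to mutual authentication, as an added example that is not code from the original slideshow or from any card standard. It models the card's "stored secret key" as a symmetric HMAC key shared with the server (real PIV cards typically use public key certificates instead); the card identifier, key, nonce sizes and message layout are all assumptions chosen for illustration.

```python
"""Challenge/response with mutual authentication between a smart card and a
server, modelled with HMAC-SHA256 over a shared secret. Added example: the
key, identifier and message layout are assumptions, not a real card standard."""
import hashlib
import hmac
import secrets


class SmartCard:
    """Stands in for the card's chip: the key is stored inside and is never
    exported; the card only ever computes responses with it."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key  # hypothetical per-card symmetric key

    def respond(self, server_nonce):
        """Answer the server's challenge. The card adds a nonce of its own so
        the transcript is fresh in both directions, then MACs both nonces."""
        card_nonce = secrets.token_bytes(16)
        mac = hmac.new(self._key, b"card|" + self.card_id + server_nonce + card_nonce,
                       hashlib.sha256).digest()
        return card_nonce, mac

    def verify_server(self, server_nonce, card_nonce, server_mac):
        """Card checks the server: only a holder of the key can MAC the
        card's own fresh nonce, so a rogue server cannot pass."""
        expected = hmac.new(self._key, b"server|" + self.card_id + server_nonce + card_nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, server_mac)


class AuthServer:
    def __init__(self, keys):
        self._keys = dict(keys)   # card_id -> key (assumed provisioning step)
        self._outstanding = {}    # card_id -> issued nonce, single use

    def challenge(self, card_id):
        nonce = secrets.token_bytes(16)   # fresh random challenge per login
        self._outstanding[card_id] = nonce
        return nonce

    def verify_card(self, card_id, card_nonce, mac):
        """Check the card's response against the nonce this server issued.
        Returns the server's own MAC (for the card to verify) or None."""
        server_nonce = self._outstanding.pop(card_id, None)  # consumed: no replay
        key = self._keys.get(card_id)
        if server_nonce is None or key is None:
            return None
        expected = hmac.new(key, b"card|" + card_id + server_nonce + card_nonce,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None
        return hmac.new(key, b"server|" + card_id + server_nonce + card_nonce,
                        hashlib.sha256).digest()


def mutual_auth(card, server):
    """Run the full exchange; True only if both sides accept each other."""
    server_nonce = server.challenge(card.card_id)
    card_nonce, mac = card.respond(server_nonce)
    server_mac = server.verify_card(card.card_id, card_nonce, mac)
    if server_mac is None:
        return False
    return card.verify_server(server_nonce, card_nonce, server_mac)


def replay_is_rejected(card, server):
    """A recorded valid response is useless later: the server issues a new
    nonce, so the old MAC no longer matches."""
    server_nonce = server.challenge(card.card_id)
    card_nonce, mac = card.respond(server_nonce)
    if server.verify_card(card.card_id, card_nonce, mac) is None:
        return False  # the genuine exchange itself must succeed first
    server.challenge(card.card_id)  # new session, new nonce
    return server.verify_card(card.card_id, card_nonce, mac) is None


def rogue_server_is_detected(card):
    """A server without the card's key can issue a challenge and collect the
    card's response, but cannot forge the server MAC the card expects."""
    rogue_key = secrets.token_bytes(32)
    server_nonce = secrets.token_bytes(16)
    card_nonce, _ = card.respond(server_nonce)
    forged = hmac.new(rogue_key, b"server|" + card.card_id + server_nonce + card_nonce,
                      hashlib.sha256).digest()
    return card.verify_server(server_nonce, card_nonce, forged) is False


def make_demo():
    card_id = b"PIV-0001"                                        # constructed id
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed key
    return SmartCard(card_id, key), AuthServer({card_id: key})


if __name__ == "__main__":
    card, server = make_demo()
    print("mutual auth:", mutual_auth(card, server))
    print("replay rejected:", replay_is_rejected(card, server))
    print("rogue server detected:", rogue_server_is_detected(card))
```

The two properties the text relies on are visible in the code: the server pops its nonce on first use, so a captured response fails against any later challenge, and the card refuses a server MAC computed under the wrong key. What the model does not do is bind the exchange to the TLS session or application session that follows it; without that binding a relay attacker who forwards both messages in real time would still be authenticated.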
Smart cards are separate from the PC
The smart card is not a part of the PC and has its own computer and software, an important factor in why it is so secure for protecting identities and access in cyberspace.
PCs are vulnerable to malware that can steal passwords by logging keystrokes or other techniques and forward the information to cyber criminals. Some programs let an attacker take over a PC completely, giving access to passwords or software certificates stored on it.
Unlike PCs, smart cards are designed and manufactured for security: they run no user-installed software, their chips are built to resist physical tampering and side-channel analysis, and their private keys never leave the chip. Malware on the PC can ask the card to sign or authenticate while the card is inserted, but it cannot copy the credential and use it once the card is removed.
Card and PIN: A familiar approach
The approach of using a card carrying digital identity credentials is very easy for individuals to understand and use, because it is so familiar. At the same time, smart card technology provides strong digital identity protection without burdening individuals with the complexity, responsibility and risk inherent in keeping PCs free of spyware, learning how to spot phishing attacks and hacker websites, or determining website security certificate validity.
To achieve high levels of security, however, the card must include smart card technology to carry digital identity (PKI) credentials, biometrics or other security features.
An identity medium based on smart card technology could carry multiple identities or personas for different purposes.
U.S. federal government smart card programs
The U.S. federal government has extensive experience using smart card technology. As a result, there is already an established set of best practices, standards and technology solutions for smart card-based identity management and authentication.
That provides a very strong and proven foundation for protecting identities in cyberspace that can be adapted to fulfill NSTIC’s goals.
An Identity Ecosystem that includes smart card technology as an identity medium for high-assurance online identity transactions will provide an easy to use, secure, privacy sensitive and proven solution.