Sunday, October 20, 2013

Smartcards: Solving the authentication problem

Discuss ways in which the use of strong authentication can be designed to be "user friendly" without compromising its effectiveness.

In 1989 Ken Fifield was already writing about the value of plastic cards containing microprocessors to be used for digital signatures and strong authentication. (Fifield, 1989) Jumping forward to today, we still see it as a reasonable solution because, as Bruce Schneier (2005) put it “We're all good at securing small pieces of paper.” Protecting a small, plastic card? We do this all the time. Our credit cards, our driver's license: these items are almost always on our person or in a known protected location. If an organization is implementing physical security then there is probably even already a small plastic card that the employees carry with them to access the building and swear who they are.

A picture identification badge is being used to authenticate the wearer into a space when a human guard validates the authenticity of the badge and that the wearer matches the picture. Digitally, the same thing can be accomplished with the same card, if it is a smart card. The module this week explicitly points out that “single smart card can serve as an employee ID badge, building access card, PKI credential store, and application password provider.” (UMUC, 2001) The PKI credential store what really allows the smart card to shine because that provides the card holder the ability to easily provide digital signatures on their work and communications and also easily decrypt information sent to them. Authenticated access to documents is free if the infrastructure can provide everything PKI encrypted, only the intended user can decrypt the documents, even if they end up in the hands of an un-authenticated attacker.

Fifield, K. J. (1989). Smartcards outsmart computer crime. Computers & Security, 8(3), 247-255.

Schneier, B. (June 17, 2005) Write Down Your Password. Schneier on Security Retrieved from:

UMUC. (2011) Authentication , CSEC-630 – Module 4. Retrieved from:

No comments:

Post a Comment