With the increased emphasis placed on security and total cost of ownership by IT managers and CIOs, companies are turning to smart cards and public key technology as a key component of their information security solutions. This trend has been further fueled by the desire by organizations to allow access by customers, suppliers and other business partners from outside the firewall.
In the context of a login, a smart card takes the place of a username and password. Each network user is issued a card that carries their login credentials (a private key and certificate, or, for systems that still require them, a login name and password), and the card will neither use nor release those credentials until the correct PIN has been entered.
Smart cards provide two-factor authentication, also known as strong authentication: ‘something you have’ (the card) combined with ‘something you know’ (the PIN). The strength lies in the two factors being independent, so an attacker needs both the physical card and its PIN. Passwords provide only single-factor authentication: the user id and the password are both ‘something you know’, so a single careless user, or a single captured password, is enough to compromise the account.
Two-factor authentication is already familiar to most people in everyday life through the use of a key card and a PIN to perform Automatic Teller Machine (ATM) transactions.
Smart Card Security
Smart cards provide a tamper-resistant storage mechanism for protecting private keys and other forms of personal information. Importantly, they segregate security-critical functions, including authentication, digital signatures and key exchange from other parts of a system, while enabling the portability of user credentials and other private information between computers at work, home and on the road.
Traditional password-based approaches have a number of failings:
- Weak passwords are easily compromised by dictionary and brute force attacks.
- Password compromise may go undetected.
- Passwords are often physically recorded by users, particularly where users are required to access multiple systems with multiple user ids and passwords.
- Passwords can be compromised through keystroke monitoring or network monitoring.
- Users are vulnerable to social engineering attacks, for example, a well-meaning employee may be manipulated into revealing a password through deception.
Smart cards, on the other hand:
- Authenticate with a long cryptographic key rather than a memorised secret, and the PIN that unlocks the key is checked on the card itself, which blocks after a small number of wrong entries. Dictionary and brute force attacks against a short PIN are therefore impractical, unlike attacks on a password hash, which can be tried offline without limit.
- Are tamper-resistant, and because the card is a physical object its loss or theft is noticed, whereas a copied password gives no such signal.
- Have the memory and on-card processor to hold long keys and perform public key operations (signing, key exchange) on the card, so the private key never leaves it.
- Can hold credential information (for example, Kerberos tickets), so that when the card is removed from its reader those system resources can no longer be accessed.
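As an added illustration (not code from the original article), the following Go program simulates the two-factor login these points describe: a software "card" holding an Ed25519 private key that never leaves it, a PIN check with a retry counter that blocks the card after three wrong entries, and a server that stores only public keys and authenticates by having the card sign a fresh random challenge. The user id "alice", the PIN "4821", the three-try limit and the choice of Ed25519 are assumptions made for the example; on a real card the PIN check and the signing happen on the chip rather than in host software.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Wrong PINs tolerated before the card blocks (hypothetical value; a real card enforces this on-chip).
const maxPINTries = 3

var ErrBadPIN = errors.New("wrong PIN")
var ErrCardLocked = errors.New("card blocked: PIN retry counter exhausted")

// SmartCard simulates the chip: the private key is unexported and never returned, only signatures leave.
type SmartCard struct {
	priv      ed25519.PrivateKey
	pin       string
	triesLeft int
	verified  bool
}

// Personalize issues a card with a fresh key pair and PIN; the server enrolls only the public key.
func Personalize(pin string) (*SmartCard, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SmartCard{priv: priv, pin: pin, triesLeft: maxPINTries}, pub, nil
}

// VerifyPIN is the "something you know" factor; each wrong guess costs a retry, at zero the card is dead.
func (c *SmartCard) VerifyPIN(pin string) error {
	if c.triesLeft == 0 {
		return ErrCardLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.triesLeft--
		if c.triesLeft == 0 {
			return ErrCardLocked
		}
		return ErrBadPIN
	}
	c.triesLeft, c.verified = maxPINTries, true
	return nil
}

// SignChallenge is the "something you have" factor: only this chip can sign, and only after the PIN.
func (c *SmartCard) SignChallenge(challenge []byte) ([]byte, error) {
	if !c.verified {
		return nil, errors.New("PIN not verified since the card was inserted")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// Remove models pulling the card from the reader: the unlocked state is gone.
func (c *SmartCard) Remove() { c.verified = false }

// Server holds public keys only, keyed by user id, so it has no secret to leak.
type Server map[string]ed25519.PublicKey

// Challenge returns a fresh random nonce, so a sniffed signature cannot be replayed.
func (s Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failed system RNG is not recoverable
	}
	return nonce
}

func (s Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Login runs the full exchange: PIN to card, nonce from server, signature from card, check by server.
func Login(s Server, user string, card *SmartCard, pin string) (bool, error) {
	if err := card.VerifyPIN(pin); err != nil {
		return false, err
	}
	challenge := s.Challenge()
	sig, err := card.SignChallenge(challenge)
	if err != nil {
		return false, err
	}
	return s.Verify(user, challenge, sig), nil
}

func main() {
	card, pub, _ := Personalize("4821") // constructed sample PIN and user id
	srv := Server{"alice": pub}
	// A thief with the card gets maxPINTries guesses; then even the real PIN fails.
	for _, guess := range []string{"4821", "0000", "1234", "1111", "4821"} {
		ok, err := Login(srv, "alice", card, guess)
		fmt.Printf("PIN %s: ok=%v err=%v\n", guess, ok, err)
	}
}
```

Running it prints one line per PIN attempt: the first succeeds, the next two are rejected as wrong, the third wrong guess blocks the card, and the final attempt with the genuine PIN is refused. That lockout is what makes a four-digit PIN acceptable on a card but not as a network password, and the server's lack of any private material is what keeps a server compromise from yielding reusable credentials.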
Smart Cards and Single Sign-On
As enterprises increasingly move toward more flexible distributed computing environments, a plethora of access and authorization problems are presented. Now, few users access all the applications and resources they need from a single mainframe or server. In a single workday, an individual may require access to critical applications and data residing on a range of platforms, including Windows NT servers, various Unix systems, NetWare servers, IBM mainframes and a range of legacy systems to name but a few.
This scenario is further complicated by the growth of Internet/intranet technologies. The increased deployment of intranet technology means that client-side access to some applications occurs via an Internet browser, and extranet applications extend the need for secure authentication and authorization services beyond the perimeter of the corporate network.
Single Sign-On (SSO), an enterprise-wide method of identification and authorization that is administered consistently and lets users access every system they are authorized for without re-authenticating, is a viable solution to these problems. Early SSO approaches, however, removed the multiple id/password problem only to create another: if the means of system-wide authentication is a single id and password, compromising it gives access to everything the user is authorized for. Encrypting logon sessions and passwords whenever they cross the network, and enforcing robust password and password change requirements, go some way to mitigating this. But there is another solution.
By storing a user’s ids and passwords on a single smart card, protected by a PIN, and letting the enterprise system read them from the card as required, both the need for the user to remember multiple ids and passwords and the “keys to the kingdom” problem are removed: the card will not release any stored credential until the PIN has been verified, and the card itself is tamper-resistant. To gain access to all required applications and resources, the user simply inserts the card and enters the PIN. The credentials read from the card still travel to each target system, so the encryption of logon sessions described above remains necessary.
With the use of smart cards, an enterprise is able to increase security throughout the organization. Other dividends to be gained include increasing the efficiency of users through automated logon, and lowering the total cost of ownership (TCO) through the deployment of a hardware security technology that already enjoys widespread use.