Smart Uses for Smart Cards

Tim McKnight and Russell Koste of Northrop Grumman take an award-winning approach to high assurance credentialing


The landscape of critical business assets has changed significantly since the first electronic access cards were introduced about 50 years ago. Personal computers and networking did not exist - let alone the Internet, mobile phones, digital pocket cameras, USB drives and gigabit capacity memory chips smaller than a flattened pea. Typewriters themselves held no or little data - you could only read some recently typed text from a then-modern plastic typewriter ribbon cartridge.

Today, electronic computing devices (whose non-electronic predecessors were formerly known as "business machines") are both physical assets to be protected, and generators of information assets that require safeguarding.

According to the White House Cyberspace Policy Review, between 2008 and 2009, American business losses due to cyber attacks had grown to more than $1 trillion of intellectual property. Other sources report that identity fraud ($54 billion in 2009), falsification of information, electronic money theft and reported electronic data breaches (up 33 percent in 2010 to more than 16 million records) are all on the rise. The convenience of card-based payments and electronic transactions (including via mobile phones) fuels an expanding base of targets for attackers. In spite of this trend, the application of strong security measures lags. As an example, in 2009, out of a set of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data. However, physical security requires beefing up, too. In 2009 paper breaches accounted for nearly 26 percent of known breaches.

Thus, many companies are looking to smart cards to provide higher levels of authentication for both physical and logical access to critical information and assets. Although the next paragraph starts off with some comments about the smart card computer chips, this article is not about smart card technology details. Instead, it is a discussion about smart card initiatives, and presents some key aspects of an award-winning smart card project in an attempt to convince you of one thing: now is the time to start examining how an identity assurance and smart card program, based on existing standards and technology, can help you establish the kind of security capabilities that your organization needs.

More than Just a Card

Nearly all of us are familiar with the image of the small golden electrical contact tabs of the chip that resides on a smart card. It is amazing to realize that the chip on the bulk of today's smart cards has more processing power than the processor chip of the original IBM PC and early personal computers. Smart cards need computer processing power so they can perform the kinds of calculations needed for cryptography (data encoding, including encryption) used to perform secure communications with other devices.

Additionally, for contactless communication, smart cards contain a tiny radio transmitter and several wires that serve as an antenna, as illustrated in the figure below. Note: this is the primary reason why you do not punch a hole in the card to insert a clip or lanyard string. Special clips exist for use with smart cards.

It is specifically because smart cards are computers in a card - and because they can exchange data in a highly secure way - that smart card programs require a strong identity management system and a more advanced card management system than cards of traditional physical access control technologies. The levels of high assurance achieved are a combination of all of these things. It is not simply the cards themselves that require the improved identity and card management systems. Physical and logical access control systems and business systems can now leverage a combination of technology and process for very high assurance of identity, data integrity and privacy protection.

New Requirements for New Levels of Security

This content continues onto the next page...