Smart Cards in Access Control

Access control refers to the process of granting access to certain entities or persons and refusing access to others. Access used to be primarily physical and was controlled via gates, locks, and security guards. Keys, passwords, PIN numbers and...



System boot-up. Smart cards can be used to boot personal computers and servers: the system requires critical information contained on the smart card, and startup cannot proceed until the user has authenticated. This means that attackers who succeed in gaining physical access to the hardware will still be unable to access the files.


U.S. government use. As of February 2003, the U.S. government had launched 64 smart card programs in various agencies. These cards are issued to government employees to allow them access to their systems when off-site. They are also issued to workers who do not work for the government, such as airport, port, rail and bus workers. The Department of Defense issued 1.6 million smart card IDs to military and civilian employees in 2002 and expects the number to increase in the future.


Private sector use. Private sector companies like Microsoft, Exxon, and Pfizer are also issuing smart card IDs, some with biometrics like fingerprints, photos, and facial recognition, to protect their networks and facilities worldwide.


Medical information. In Europe each individual customarily has a smart card containing pertinent medical information that can be presented to any hospital or doctor from whom the individual seeks treatment. These smart cards can be updated after each treatment before being returned to the patient. They also carry pertinent contact information and emergency medical data.


Financial institutions. Banks and insurers are using smart cards for electronic payments because of their capability to process data, their portability and their tamper resistance. Stored-value cards (e.g., prepaid phone cards, transportation cards) and cards that access money balances are both gaining in popularity.


Physical access. More and more hotels, corporations, universities, hospitals, health clubs and commercial buildings are issuing smart cards to personalize access. The use of these cards allows the issuer to give or deny access based on privilege and time restrictions.


Smart cards have certain capabilities that make them ideal for controlling both physical and system access. While they are more expensive than magnetic stripe cards, operating costs are generally lower for smart cards. Following are some basic requirements necessary for a smart card platform to succeed.


• Smart cards must be an extension of the network and/or Internet environment;
• Smart cards must provide software development tools that have a broad base of developer familiarity and support;
• Each smart card issuer must have the ability to choose components they want and deem necessary from a variety of suppliers;
• Smart cards must incorporate extensive security features and be attractively priced.


It's anticipated that 2.7 billion smart cards will be in use this year, and the number will continue to grow. Applications will always be the driving force behind the smart card market, since they will be the deciding factor for implementers, adopters, and users of smart cards.


D.E. Levine CISSP, CFE, FBCI, CPS is a regular contributor to ST&D and a contributing author to Computer Security Handbook, Fourth Edition (Wiley 2002). She can be reached at dlevine@managesecurity.com.