"We don't know where the vulnerabilities are until we put the spec out and have a reference implementation," he says. "You can't attack a spec; you need an implementation." Ultimately, Homeland Security expects to issue 250,000 smart cards to government employees.
Windows Support
Broghamer has been among the government officials who have discussed with Microsoft incorporating elements of the U.S. government's smart card spec into the Windows operating system. He says it would be much easier for government agencies and private corporations to deploy smart cards if Windows had built into its underlying code functions that today must be performed by customized software, called middleware. He cites as an example links to card-issuing systems.
While he says he cannot go into detail because of confidentiality agreements, he expresses confidence that elements of the federal smart card standards will be part of future versions of Windows.
The New Standard
Because there has been so much work done on smart cards by U.S. agencies, many of the features of the new ID card standard already are set.
Barker says the card will have a contact smart card chip with a digital certificate for authenticating users to computer networks and digitally signing documents. Those have been the primary functions of the Defense Department Common Access Card, which is one of the largest implementations worldwide of digital certificates based on public key infrastructure, or PKI.
The card will also have a contactless interface so that cardholders can enter facilities by waving a card or tapping it on a reader. Most likely, that will require a separate contactless chip rather than a single dual-interface chip, because some U.S. officials remain concerned that the contactless interface on a dual-interface chip could expose the private keys stored on the chip for the PKI functions, keys that are supposed never to leave the card.
Several U.S. agencies are issuing cards with both contact and contactless chips, including the Department of Veterans Affairs, which began issuing its smart card ID nearly two years ago. The agency, which manages several large hospitals for veterans, has issued more than 15,000 smart card IDs and expects to complete its rollout of 500,000 One-VA cards by 2006.
Broghamer notes that the government is especially concerned about computer network security because there is no way to check the identity of someone logging onto a Web site, whereas at a building entrance there are often guards who can stop and question a suspicious person trying to enter.
The card will also carry biometrics for verifying the cardholder's identity, namely scans of the left and right index fingers. And the chip will carry one or two digital photographs of the individual.
Among the issues to be settled, Barker says, is who should receive the card. While the directive clearly includes private contractors who work on government contracts, does it include other employees of those companies? Should it include "first responders," those police, fire and ambulance personnel who would have to be quickly identified and put to work in an emergency? What about journalists accredited to work in the White House?
Also needed are common policies for verifying identity before issuing an ID card. That is required so that an agency other than the one that issues the card can be confident that the cardholder is who he or she claims to be. There will not be one single card format, but Barker says the cards may have some common elements so that officials can quickly recognize fakes.
There remains much to be done, and insiders say agencies that have not yet embarked on smart card programs will be hard pressed to meet the implementation deadline of October 2005.
Regardless, by then the presidential order will have served its purpose, says U.S. smart card consultant Henry Dreifus. "Even if they don't make it," he says, "you've got everybody moving in the same direction."