UTK CS 594 - Smart Card-Based Identity and Access Management

This preview shows page 1-2-3 out of 9 pages.


Smart Card-Based Identity and Access Management

Contributors: Shahin Shadfar, Schlumberger Information Solutions

© 2004 Schlumberger Information Solutions. All rights reserved.

This paper discusses the benefits of smart card-based identity and access management solutions and the different technical components of an enterprise-wide corporate badge deployment.

This paper is geared toward people dealing with real business problems within organizations, as well as to technologists chartered to find viable technical solutions. Since all projects require financial justification, the Return On Investment (ROI) is also germane to the discussion. The scope of this paper is limited to the deployment of smart card-based identity and access management systems inside a public or private organization.

Introduction

Since the tragedy of September 11, 2001, security has gained a new connotation and evokes previously unthinkable images. Most of the hijackers used either false or stolen identification documents, a few used their real identities, and all of them managed to breach our borders. This massive security breach underscores the importance of Authentication as well as Authorization.

On a smaller scale, within an enterprise, securing physical premises, protecting information, and restricting access to critical applications has become a priority. The multiple network entries through Virtual Private Networks (VPNs), dial-ups, web portals for employees, partners and customers, wireless connections and more, make strong Authentication and Authorization all the more critical, since traditional password-based identification is no longer doing the job adequately. At the same time, managing employees’ credentials for physical access to facilities, such as garages and office buildings, their logical access to PCs, corporate networks, critical applications and online accounts, and even resetting their passwords, can all be burdensome and expensive.
A new form of identification is necessary to secure both physical and logical access while combining other business benefits. Smart card technology, although over twenty years old, has made some significant progress in recent years and, combined with the right software systems and appropriate policies, offers appealing solutions. These solutions allow organizations to deploy secure, portable and multi-purpose employee badges leading to an efficient and cost effective Identity Management system. A sound understanding of the business processes and goals within an enterprise is key to the most successful implementations. Securing a power utility company (generation plants, electricity grids, mobile employees) poses significantly different challenges from implementing security at a large hospital, for example, because each company’s IT processes and business drivers are as vastly and distinctly different as their two industries.

Java Card Specifications
• CPU: 8, 16 bit Micro-controller
• Memory: EEPROM 32k, 64k and (soon) 128k
• External Clock Frequency: 1 to 7.5 MHz
• Operating Temperature: –25 to +75 C
• Data retention: 10 years
• Standards: ISO 7816, Java Card 2.1.1, Open Platform 2.0.1
• Security: DES, Triple DES, RSA 1024, SHA-1, X.509 certificates, On-Card key generation

How ‘smart’ is a Smart card?

Smart cards were invented in France in the late seventies and millions have been used over the past few years as pay phone cards, banking debit and credit cards and GSM mobile phone identifiers. The smart cards that are highlighted in this paper are, however, much more advanced than their predecessors from the seventies and eighties. Nevertheless, the concept remains simple: A credit card-sized piece of plastic with a fitted microchip or integrated circuit, with an input and an output channel, which can be used to store and/or manage the identity of its carrier. The chip includes memory, an operating system and a processor.
Through a smart card reader, an information query is sent to the chip (for example, ‘who are you?’), and the chip processes your data and returns a response (such as ‘Adam Smith’). A smart card is, in many ways, a small computer you have in your wallet.

What changed over the years? The answer lies in the increased power, speed and capacity of the chip. In the late nineties, a team led by Bertrand Du Castel at Schlumberger marketed the first Java™ programmable smart card with a later addition of a crypto-processor. The current smart cards used for security applications derive from these early Java Cards. The advantage of this new edition is that you could add, update or remove ‘card applications’ called ‘cardlets’ or ‘card applets,’ similar to applications on your PC. The crypto-processor allows complex cryptographic functions to operate on the card, which becomes relevant to security.

In addition to offering cryptographic functions for security, the chip itself must be resilient to hacker attacks. If you have a powerful machine that can execute complex encryption functions, the security can still be greatly compromised if it was easy to steal the encryption key. Over the years, smart card chips have become more bulletproof and have earned FIPS Level 2 and Common Criteria certifications, and are commonly regarded as the most secure hardware tokens. For the technicians, a smart card is a sort of small ‘HSM’ (Hardware Security Module). In short, smart cards are portable, secure and multi-purpose tokens.

Smart card Usage

There are already examples of large deployments of smart cards as employee badges in the United States. The United States Department of Defense (DoD) has, at this time, the largest number of smart card users through its Common Access Card (CAC) program, with over two million cards currently deployed for physical and logical security of its worldwide employees.
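The query/response exchange and the on-card cryptography described under ‘How smart is a Smart card?’, as an added sketch that is not part of the original paper: a simulated card answers ‘who are you?’ and then proves possession of a key that no command ever returns. The instruction codes, the class byte and the use of HMAC-SHA-256 (swapped in for the DES and RSA algorithms the paper lists, so that the example runs on the Python standard library alone) are assumptions of this example.

```python
import hashlib
import hmac
import os

SW_OK = b"\x90\x00"            # ISO 7816-4 status word: success
SW_WRONG_LENGTH = b"\x67\x00"  # ISO 7816-4 status word: wrong length
SW_BAD_INS = b"\x6d\x00"       # ISO 7816-4 status word: instruction not supported
CLA = 0x80                     # proprietary class byte
INS_WHO_ARE_YOU = 0x10         # hypothetical instruction codes for this sketch
INS_PROVE_IT = 0x20


class SimulatedCard:
    """Stands in for the chip: the key is stored here and no command returns it."""

    def __init__(self, holder, key):
        self._holder = holder.encode()
        self._key = key

    def transmit(self, apdu):
        """Command in (CLA INS P1 P2 [Lc data]), response out (data + status word)."""
        if len(apdu) < 4 or (len(apdu) > 4 and len(apdu) != 5 + apdu[4]):
            return SW_WRONG_LENGTH
        ins, data = apdu[1], apdu[5:]
        if ins == INS_WHO_ARE_YOU:
            return self._holder + SW_OK
        if ins == INS_PROVE_IT:
            if len(data) != 16:
                return SW_WRONG_LENGTH
            # The MAC is computed on the card; only the result crosses the channel.
            return hmac.new(self._key, data, hashlib.sha256).digest() + SW_OK
        return SW_BAD_INS


def build_apdu(ins, data=b""):
    """Simplified short APDU: header only, or header + Lc + data (no Le byte)."""
    header = bytes([CLA, ins, 0x00, 0x00])
    return header + bytes([len(data)]) + data if data else header


def authenticate(card, enrolled_key):
    """Reader side: read the claimed identity, then demand proof of key possession."""
    resp = card.transmit(build_apdu(INS_WHO_ARE_YOU))
    if resp[-2:] != SW_OK:
        return "", False
    holder = resp[:-2].decode()
    challenge = os.urandom(16)  # fresh each time, so a recorded answer cannot be replayed
    resp = card.transmit(build_apdu(INS_PROVE_IT, challenge))
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return holder, resp[-2:] == SW_OK and hmac.compare_digest(resp[:-2], expected)
```

A card that returns the right name but holds a different key fails the second step, which is why the name alone is only a claim and the key-based response is the authentication.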
A non-negligible number of Fortune 100 companies have also embarked on large-scale smart card deployment projects. Based on these implementations and the latest developments in the technology, what are the applications that make the most business sense?

The smart card ‘vision’ is to provide a platform where all credentials of an employee are centralized. One common ID card becomes the employee badge that gives access to different ‘systems.’ Following is a list of its most common applications, which are typically the objectives of Phase One of a deployment project.

• Picture ID
The smart card is used as the employee badge with

