Smart Card Based Identity and Access Management

Contributors: Shahin Shadfar, Schlumberger Information Solutions
2004 Schlumberger Information Solutions. All rights reserved.
March 2004 IS 03 181 0

Introduction

Since the tragedy of September 11, 2001, security has gained a new connotation and evokes previously unthinkable images. Most of the hijackers used either false or stolen identification documents, a few used their real identities, and all of them managed to breach our borders. This massive security breach underscores the importance of Authentication as well as Authorization.

On a smaller scale, within an enterprise, securing physical premises, protecting information and restricting access to critical applications has become a priority. The multiple network entries (Virtual Private Networks (VPNs), dial-ups, web portals for employees, partners and customers, wireless connections and more) make strong Authentication and Authorization all the more critical, since traditional password-based identification is no longer doing the job adequately. At the same time, managing employees' credentials for physical access to facilities such as garages and office buildings, their logical access to PCs, corporate networks, critical applications and online accounts, and even resetting their passwords, can all be burdensome and expensive.

A new form of identification is necessary to secure both physical and logical access while combining other business benefits. Smart card technology, although over twenty years old, has made some significant progress in recent years and, combined with the right software systems and appropriate policies, offers appealing solutions. These solutions allow organizations to deploy secure, portable and multi-purpose employee badges, leading to an efficient and cost-effective Identity Management system.

A sound understanding of the business processes and goals within an enterprise is key to the most successful implementations. Securing a power utility company (generation plants, electricity grids, mobile employees) poses significantly different challenges from implementing security at a large hospital, for example, because each company's IT processes and business drivers are as vastly and distinctly different as their two industries.

This paper discusses the benefits of smart card based identity and access management solutions and the different technical components of an enterprise-wide corporate badge deployment. It is geared toward people dealing with real business problems within organizations as well as toward technologists chartered to find viable technical solutions. Since all projects require financial justification, the Return On Investment (ROI) is also germane to the discussion. The scope of this paper is limited to the deployment of smart card based identity and access management systems inside a public or private organization.

Java Card Specifications
CPU: 8/16-bit microcontroller
Memory: EEPROM 32K, 64K and soon 128K
External clock frequency: 1 to 7.5 MHz
Operating temperature: 25 to 75 C
Data retention: 10 years
Standards: ISO 7816, Java Card 2.1.1, Open Platform 2.0.1
Security: DES, Triple DES, RSA 1024, SHA-1, X.509 certificates, on-card key generation

How smart is a Smart card?

Smart cards were invented in France in the late seventies, and millions have been used over the past few years as pay phone cards, banking debit and credit cards, and GSM mobile phone identifiers. The smart cards highlighted in this paper are, however, much more advanced than their predecessors from the seventies and eighties. Nevertheless, the concept remains simple: a credit card sized piece of plastic with a fitted microchip (or integrated circuit) with an input and an output channel, which can be used to store and/or manage the identity of its carrier. The chip includes memory, an operating system and a processor. Through a smart card reader, an information query is sent to the chip (for example, "who are you?"); the chip processes your data and returns a response such as "Adam Smith". A smart card is in many ways a small computer you have in your wallet.

What changed over the years? The answer lies in the increased power, speed and capacity of the chip. In the late nineties, a team led by Bertrand Du Castel at Schlumberger marketed the first Java programmable smart card, with a later addition of a crypto processor. The current smart cards used for security applications derive from these early Java Cards. The advantage of this new edition is that you can add, update or remove card applications, called cardlets or card applets, similar to applications on your PC. The crypto processor allows complex cryptographic functions to operate on the card, which becomes relevant to security.

In addition to offering cryptographic functions for security, the chip itself must be resilient to hacker attacks. If you have a powerful machine that can execute complex encryption functions, the security can still be greatly compromised if it is easy to steal the encryption key. Over the years, smart card chips have become more bullet-proof, have earned FIPS Level 2 and Common Criteria certifications, and are commonly regarded as the most secure hardware tokens. For the technicians, a smart card is a sort of small HSM (Hardware Security Module). In short, smart cards are portable, secure and multi-purpose tokens.

Smart card Usage

There are already examples of large deployments of smart cards as employee badges in the United States. The United States Department of Defense (DoD) has at this time the largest number of smart card users through its Common Access Card (CAC) program, with over two million cards currently deployed for physical and logical security of its worldwide employees. A non-negligible number of Fortune 100 companies have also embarked on large-scale smart card deployment projects. Based on these implementations and the latest developments in the technology, what are the applications that make the most business sense?

The smart card vision is to provide a platform where all credentials of an employee are centralized. One common ID card becomes the employee badge that gives access to different systems. Following is a list of its most common applications, which are typically the objectives of Phase One of a deployment project:

Picture ID: The smart card is used as the employee badge, with company logo, name and picture of the card bearer.
Physical Access: The employee uses the smart card to gain access to parking lots, garages, buildings and
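The query-and-response exchange described above (the host sends a command to the chip through the reader; the chip processes it against a PIN and key that never leave the card and returns only a result) can be illustrated with a small simulation. The following Python is an added example, not code from this paper or from Schlumberger: it models a card that answers ISO 7816-4 style command APDUs for PIN verification (VERIFY, with a retry counter that blocks the card when exhausted) and for challenge-response (INTERNAL AUTHENTICATE), and a reader-side host that issues a fresh challenge and checks the answer. HMAC-SHA1 from the standard library stands in for the card's DES/RSA crypto processor; the instruction bytes and status words are the ISO 7816-4 values, while the personalization key, PIN and retry limit are constructed sample values.

```python
"""Simulation of a smart card answering ISO 7816-4 command APDUs.

Added example (not Schlumberger code). HMAC-SHA1 stands in for the card's
crypto processor so the script runs with the Python standard library only.
"""
import hashlib
import hmac
import os

# ISO 7816-4 instruction bytes and status words (SW1 SW2) used by this simulation
INS_VERIFY = 0x20                        # VERIFY: present the card holder's PIN
INS_INTERNAL_AUTHENTICATE = 0x88         # INTERNAL AUTHENTICATE: answer a host challenge
SW_OK = b"\x90\x00"                      # command completed normally
SW_WRONG_LENGTH = b"\x67\x00"
SW_SECURITY_NOT_SATISFIED = b"\x69\x82"  # PIN not verified yet
SW_AUTH_METHOD_BLOCKED = b"\x69\x83"     # retry counter exhausted
SW_INS_NOT_SUPPORTED = b"\x6d\x00"


def sw_pin_failed(retries_left):
    """'63 CX': PIN verification failed, X further attempts remain."""
    return bytes([0x63, 0xC0 | (retries_left & 0x0F)])


def build_apdu(ins, data, cla=0x00, p1=0x00, p2=0x00):
    """Frame a short command APDU: CLA INS P1 P2 Lc DATA (no Le needed here)."""
    return bytes([cla, ins, p1, p2, len(data)]) + data


class SimulatedCard:
    """The chip: holds a key and PIN that are only ever used, never returned."""

    MAX_RETRIES = 3  # constructed value; real cards set this at personalization

    def __init__(self, personalization_key, pin):
        # The issuer writes the key during personalization; the card exposes
        # no command that reads it back, which is what makes the token useful.
        self._key = personalization_key
        self._pin = pin
        self._retries = self.MAX_RETRIES
        self._pin_verified = False

    def process_apdu(self, apdu):
        """Dispatch one command APDU; return (response_data, status_word)."""
        if len(apdu) < 5 or len(apdu) != 5 + apdu[4]:
            return b"", SW_WRONG_LENGTH
        ins, lc = apdu[1], apdu[4]
        data = apdu[5:5 + lc]
        if ins == INS_VERIFY:
            return self._verify(data)
        if ins == INS_INTERNAL_AUTHENTICATE:
            return self._internal_authenticate(data)
        return b"", SW_INS_NOT_SUPPORTED

    def _verify(self, presented_pin):
        if self._retries == 0:
            return b"", SW_AUTH_METHOD_BLOCKED
        if hmac.compare_digest(presented_pin, self._pin):
            self._retries = self.MAX_RETRIES
            self._pin_verified = True
            return b"", SW_OK
        self._retries -= 1
        self._pin_verified = False
        return b"", sw_pin_failed(self._retries)

    def _internal_authenticate(self, challenge):
        # The secret is used inside the "chip"; only the MAC over the challenge leaves it.
        if not self._pin_verified:
            return b"", SW_SECURITY_NOT_SATISFIED
        return hmac.new(self._key, challenge, hashlib.sha1).digest(), SW_OK


class HostAuthenticator:
    """Reader-side system holding the issuer's copy of the card key."""

    def __init__(self, issuer_key):
        self._issuer_key = issuer_key

    def authenticate(self, card, pin):
        """Verify the PIN, then prove the card holds the key. Returns (ok, last_status_word)."""
        _, sw = card.process_apdu(build_apdu(INS_VERIFY, pin))
        if sw != SW_OK:
            return False, sw
        challenge = os.urandom(8)  # fresh per session, so a recorded answer cannot be replayed
        response, sw = card.process_apdu(build_apdu(INS_INTERNAL_AUTHENTICATE, challenge))
        if sw != SW_OK:
            return False, sw
        expected = hmac.new(self._issuer_key, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(response, expected), sw


if __name__ == "__main__":
    key = bytes(range(16))  # constructed personalization key
    card = SimulatedCard(key, pin=b"1234")
    host = HostAuthenticator(key)
    print(host.authenticate(card, b"0000"))  # (False, status 63 C2): wrong PIN, 2 retries left
    print(host.authenticate(card, b"1234"))  # (True, status 90 00)
```

The host never learns the PIN-verified state or the key from the card; it only sees status words and the MAC over its own challenge, which is the property the paper attributes to the chip. A host holding the wrong issuer key gets a well-formed 90 00 response from the card but fails its own comparison, and a card whose retry counter has reached zero answers 69 83 to every further VERIFY until unblocked by the issuer.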