Using PDAs as Tokens or Smart Card Readers
Posted on Monday, January 19 @ 08:00:00 EST by mhamrick
Cryptographic smart card technology has been with us for a quite a while
now, and standardization efforts have been proceeding since the early
1980's. Through the 1990's we began to see adoption first in market niches,
and later in governmental and financial markets. The new millenium brought
a surge of new initiatives (the most sucessful being the US Department of
Defense's Common Access Card initiative.) Studies indicate that using
hardware tokens to login to remote computers or networks enhances security
and drives costs down by reducing the numbers of support personnel to
assist users in recovering from lost or stolen passwords. Smart Card
vendors have been pointing out the benefits of cryptographic hardware
tokens for years, but we've yet to see the wide-scale adoption of the
technology in consumer class PCs. If hardware tokens are so great, why
don't we see a smart card reader on every desktop computer sold?
Security experts agree that authenticating with a smart card and a PIN is
generally more secure than authenticating with a password alone. The
oft-heard mantra of the hardware token industry is "something you have,
something you know." In this case, the token (smart card) itself it the
thing you have, while the PIN is the thing you know.
Authenticating with hardware tokens and public key cryptography minimizes
the opportunity for eavesdroppers to capture passwords as they fly across
potentially insecure networks. (PINs used to unlock hardware tokens
generally do not travel across networks the way login passwords do.)
Most likely the answer is that it's unclear which vendor in the supply
chain gets the benefit, but it's very clear who bears the cost. The PC
manufacturing business is, as most know, a cutthroat competition to
decrease production and sales costs. In this climate PC manufacturers are
unlikely to include a smart card reader. The reader increases the price of
the systems they sell, while adding uncertain benefit. In other words, it's
unclear how many consumers would value an integrated smart card reader
enough to pay for the manufacturer to include one. Admittedly, smart card
readers are plummeting in price, but there is still a non-zero cost
associated with them; on the bottom end of the consumer market, adding cost
of the reader means subtracting an equivalent cost somewhere else in the
design. But unless there is wide-spread demand for hardware tokens, and PC
manufacturers just can't sell PCs that don't support them, it's unlikely
we'll see any gap-crossing into the consumer market. We believe there is a
market, however, it's just a question of jump-starting demand. Small and
medium sized enterprises and ISPs would directly benefit from a user
population dense with smart card capabilities.
Costs for smart cards and smart card readers have been on the decline for a
decade. Vendors should be able to find readers for under $15 in bulk. At
this price point, it's beginning to be in the ISPs best interest to start
distributing smart card readers to some subscribers to see if the projected
cost savings materialize.
But readers and cards still have a non-zero cost associated with them, and
competition between ISPs will only increase as Wireless ISPs begin to
compete with DSL and Cable modem providers in the last-mile arena.
Another option discussed on Cryptonomicon.Net years ago (see Security for
Palm Platform) was to use Personal Digital Assistants as hardware tokens.
Most PDAs are already designed to connect to desktop machines via USB,
Infra-Red, or Blue Tooth.
Using a smart card reader with a dedicated PIN keypad and display could
help reduce risks of keyboard sniffers or rogue code "piggy-backing"
requests once the user has logged in to the card. PDAs would be an ideal
platform to serve as such a reader. Most already have relatively large
displays; large enough alert the user which program is requesting
authentication and why. Each time an application needs to access sensitive
information on the card, it would alert the user on the main computer
screen and on the PDA screen. If a user sees a request on the PDA screen
that is not on the computer's main screen, this may be a cue to investigate
the possibility of rogue code.
We're in a market where security solutions are supposedly attracting
capital. There's also no shortage of security vulnerabilities. Palm and
Handspring were both distracted by a corporate merger over the past year,
and PalmSource has recently released PalmOS 6.0 to it's partners. It seems
that now is the perfect time for PDA vendors to attack a new market. With a
minimal cost to the customer, modern PDAs could be bundled with "soft
For higher security, a smart card reader could be added to the PDA for use
with smart cards or USB dongles. The user interface would be the same; the
user still enters the PIN on the PDA's screen, but this time sensitive
information is stored on a real smart card. The cost should be relatively
low. (Silone offers an inexpensive solution for Handspring Visors.)
Compared to the number of people who own smart card readers, the number of
people who own PDAs is overwhelming. Demand for hardware tokens could be
jump-started by recruiting this community to use a soft token, and later a
physical smart card. In corporate environments, you already see a large
number of users with both desktop PCs and PDAs. Why not capitalize on this
Assuming that soft token technologies could build a market that would later
be supplanted by real smart-cards and smart-card readers integrated into
PDAs. 2004 really could be "the year of the smart card."
We are indebted to Randy Vanderhoof of the Smart Card Alliance for his
assistance in the production of this article.
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]