<http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=602>
Cryptonomicon.Net - Badges Using PDAs as Tokens or Smart Card Readers

Posted on Monday, January 19 @ 08:00:00 EST by mhamrick

Cryptographic smart card technology has been with us for quite a while now, and standardization efforts have been proceeding since the early 1980s. Through the 1990s we began to see adoption first in market niches, and later in governmental and financial markets. The new millennium brought a surge of new initiatives (the most successful being the US Department of Defense's Common Access Card initiative). Studies indicate that using hardware tokens to log in to remote computers or networks enhances security and drives costs down by reducing the number of support personnel needed to assist users in recovering from lost or stolen passwords. Smart card vendors have been pointing out the benefits of cryptographic hardware tokens for years, but we have yet to see wide-scale adoption of the technology in consumer-class PCs. If hardware tokens are so great, why don't we see a smart card reader on every desktop computer sold?

Security experts agree that authenticating with a smart card and a PIN is generally more secure than authenticating with a password alone. The oft-heard mantra of the hardware token industry is "something you have, something you know." In this case, the token (smart card) itself is the thing you have, while the PIN is the thing you know. Authenticating with hardware tokens and public key cryptography minimizes the opportunity for eavesdroppers to capture passwords as they fly across potentially insecure networks. (PINs used to unlock hardware tokens generally do not travel across networks the way login passwords do.)

Most likely the answer is that it's unclear which vendor in the supply chain gets the benefit, but it's very clear who bears the cost. The PC manufacturing business is, as most know, a cutthroat competition to decrease production and sales costs. In this climate PC manufacturers are unlikely to include a smart card reader. The reader increases the price of the systems they sell, while adding uncertain benefit. In other words, it's unclear how many consumers would value an integrated smart card reader enough to pay for the manufacturer to include one. Admittedly, smart card readers are plummeting in price, but there is still a non-zero cost associated with them; on the bottom end of the consumer market, adding the cost of the reader means subtracting an equivalent cost somewhere else in the design. Unless there is widespread demand for hardware tokens, and PC manufacturers just can't sell PCs that don't support them, it's unlikely we'll see any gap-crossing into the consumer market.

We believe there is a market, however; it's just a question of jump-starting demand. Small and medium-sized enterprises and ISPs would directly benefit from a user population dense with smart card capabilities. Costs for smart cards and smart card readers have been on the decline for a decade. Vendors should be able to find readers for under $15 in bulk. At this price point, it's beginning to be in the ISP's best interest to start distributing smart card readers to some subscribers to see if the projected cost savings materialize. But readers and cards still have a non-zero cost associated with them, and competition between ISPs will only increase as wireless ISPs begin to compete with DSL and cable modem providers in the last-mile arena.

Another option discussed on Cryptonomicon.Net years ago (see Security for Palm Platform) was to use Personal Digital Assistants as hardware tokens. Most PDAs are already designed to connect to desktop machines via USB, infrared, or Bluetooth. Using a smart card reader with a dedicated PIN keypad and display could help reduce the risk of keyboard sniffers or of rogue code "piggy-backing" requests once the user has logged in to the card: the PIN is entered on the reader rather than on the PC keyboard, and each use of the card can be confirmed on the reader itself. PDAs would be an ideal platform to serve as such a reader.
Most already have relatively large displays; large enough to alert the user which program is requesting authentication and why. Each time an application needs to access sensitive information on the card, it would alert the user on the main computer screen and on the PDA screen. If a user sees a request on the PDA screen that is not on the computer's main screen, this may be a cue to investigate the possibility of rogue code.

We're in a market where security solutions are supposedly attracting capital. There's also no shortage of security vulnerabilities. Palm and Handspring were both distracted by a corporate merger over the past year, and PalmSource has recently released PalmOS 6.0 to its partners. It seems that now is the perfect time for PDA vendors to attack a new market. With a minimal cost to the customer, modern PDAs could be bundled with "soft token" technology. For higher security, a smart card reader could be added to the PDA for use with smart cards or USB dongles. The user interface would be the same; the user still enters the PIN on the PDA's screen, but this time sensitive information is stored on a real smart card. The cost should be relatively low. (Silone offers an inexpensive solution for Handspring Visors.)

Compared to the number of people who own smart card readers, the number of people who own PDAs is overwhelming. Demand for hardware tokens could be jump-started by recruiting this community to use a soft token, and later a physical smart card. In corporate environments, you already see a large number of users with both desktop PCs and PDAs. Why not capitalize on this market? If soft token technologies could build a market that would later be supplanted by real smart cards and smart card readers integrated into PDAs, 2004 really could be "the year of the smart card."

We are indebted to Randy Vanderhoof of the Smart Card Alliance for his assistance in the production of this article.

--
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
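As an added illustration (not part of the forwarded article or of any Palm/PDA product), here is a small Python model of the two reader designs the article contrasts: a reader whose PIN is typed on the host keyboard, where one login opens a session any process can piggy-back on, versus a PDA reader that takes the PIN on its own screen and displays every request, so a request that never appeared on the main screen can be refused and flagged. The application names and the rogue process are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    app: str      # program asking for the key operation
    purpose: str  # what it wants the card to do, as shown to the user

@dataclass
class HostKeyboardReader:
    """Reader with no keypad of its own: the PIN is typed on the PC keyboard."""
    pin: str
    unlocked: bool = False

    def unlock(self, typed_pin: str) -> bool:
        self.unlocked = typed_pin == self.pin   # PIN passes through host software
        return self.unlocked

    def sign(self, req: Request) -> bool:
        # no per-request confirmation: any process on the host can piggy-back
        return self.unlocked

@dataclass
class PdaReader:
    """PDA as reader: PIN entered on the PDA, every request shown on its screen."""
    pin: str
    token_screen: list = field(default_factory=list)

    def sign(self, req: Request, typed_on_pda: str, approve) -> bool:
        self.token_screen.append(req)           # displayed even for rogue code
        return typed_on_pda == self.pin and approve(req)

def unexpected_requests(token_screen: list, host_screen: list) -> list:
    """Requests the PDA displayed that the main computer screen never announced."""
    return [r for r in token_screen if r not in host_screen]

def run_scenario(pin: str = "1234") -> dict:
    legit = Request("mail-client", "sign outgoing message")   # constructed sample
    rogue = Request("updater.exe", "decrypt keystore")        # constructed rogue process
    host_screen = [legit]                    # only the legitimate app announces itself

    plain = HostKeyboardReader(pin)
    plain.unlock(pin)                        # user logs in once on the PC keyboard...
    rogue_ok_plain = plain.sign(rogue)       # ...and rogue code rides the open session

    pda = PdaReader(pin)
    approve = lambda r: r in host_screen     # user approves only what both screens show
    legit_ok = pda.sign(legit, pin, approve)
    rogue_ok_pda = pda.sign(rogue, pin, approve)
    return {"rogue_with_host_pin": rogue_ok_plain, "legit_with_pda": legit_ok,
            "rogue_with_pda": rogue_ok_pda,
            "flagged": unexpected_requests(pda.token_screen, host_screen)}
```

Running `run_scenario()` shows the rogue request succeeding against the host-keyboard reader but being denied and flagged by the PDA reader, which is the comparison the article's two-screen cue relies on.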