Card Frontiers: Support for Security Tokens; Tool Kit from Microsoft

Netscape Communications Corp. has rallied support for a technical standard that could accelerate the use of smart cards as portable and secure personal-identification devices.

Netscape and nine data security vendors jointly announced their backing last week of the RSA Laboratories standard, and several of the companies announced products that can be used with the Netscape Communicator client-browser software for Internet commerce.

And in another boost to smart cards, Microsoft Corp. announced Tuesday that it is offering a free Smart Card Software Development Kit to promote corporate and Internet-commerce uses of chip card readers on personal computers.

Supporters of the smart card platform for Windows include Bull Group, Gemplus, Hewlett-Packard Co., IBM, Litronic Inc., and Schlumberger, a partial overlap with the Netscape-RSA allies.

The RSA specification, Public Key Cryptography Standard No. 11, or PKCS 11, covers the generic notion of security tokens. These can take such forms as computer memory cards or floppy disks in addition to credit-card-size pieces of plastic with computer chips inside.

Whatever shape a token takes, its ability to hold an individual's digital certificate is seen as crucial to electronic commerce.

PKCS and tokens allow the certificates, which are digital equivalents of drivers' licenses for purposes of identification, to be carried around and used in a variety of locations and devices, a vast improvement on having to leave the codes on a computer hard drive, accessible only there with entry of a name and password.

"We are making it even safer for Netscape Communicator users to access information from the network while on the road," said Netscape senior vice president Rick Schell.

Smart cards and tokens, because they are forms of hardware, are also regarded as considerably less vulnerable to attack than are software-based security techniques.

RSA Data Security Inc. of Redwood City, Calif., and its RSA Laboratories arm have viewed smart cards as the wave of the future for portable, on-line authentication. They therefore incorporated the idea in their series of technical proposals, many of which evolve into at least de facto commercial standards because of RSA's influence in areas relating to the underlying data encryption technology.

"Public Key Cryptography Standards were established to provide a catalyst for interoperable security solutions based on public key techniques," said RSA president Jim Bidzos. "RSA is pleased to see Netscape and many other leading security vendors adopting PKCS 11 and providing interoperable security products."

In addition to Netscape and RSA's parent, Security Dynamics Technologies Inc., the PKCS 11 support group consists of Bull Worldwide Information Systems, Chrysalis-ITS, Datakey, Gemplus, Fischer International, Litronic, Schlumberger, and Vasco Data Security.

Bull, Gemplus, and Schlumberger are the Big Three of smart card manufacturing, all with operations based in France. The others provide various types of tokens and/or the ability to integrate smart cards into their security systems.

Six of the vendors made product announcements specifically related to Netscape Communicator.

Chrysalis-ITS Inc. of Ottawa said it will make its Luna token, which takes the form of a personal computer card, interoperable with the Web-navigating software.

Security Dynamics of Bedford, Mass., said Communicator users will be able to store digital certificates, public and private encryption keys, and definitions of user privileges on its SecurID tokens.

Fischer International Systems Corp. of Naples, Fla., will offer that capability with Smarty, its modified floppy disk that enables a conventional PC drive to read a chip card.

Datakey Inc. of Minneapolis, which announced it had obtained Communicator certification from Netscape in late July, said it is offering its SignaSure CIP (Cryptoki Interface Package) for smart cards or other cryptographic tokens.

Vasco Data Security Inc. of Lombard, Ill., said its ability to collaborate with Netscape, Datakey, and Fischer International resulted in its beta test release, concurrent with the PKCS 11 announcement, of the smart-card-based VacMan/CryptaPak user authentication system.

Vasco said smart card support for Internet Explorer, Microsoft's competitor to Netscape Communicator, would follow shortly.

"Smart cards have been the buzz of the security industry, yet until now you could not deploy an industry standard solution that worked across multiple authentication standards," said John Haggard, president of Vasco Data Security.

"Everybody loves smart cards," he added, "but nobody wants to invest in a solution when only one problem is solved. Customers of CryptaPak will immediately be able to secure multiple domains: traditional remote dial-in access and Web-Extranet applications."

Litronic of Costa Mesa, Calif., said it is making the NetSign smart card security package, including the Litronic card reader, Schlumberger Cryptoflex card, and CryptOS application programming interface, compatible with Netscape and PKCS 11.

The combination of Litronic's open-standards approach with Netscape Communicator "provides the enterprise with a fully integrated, authenticated on-line communication solution that is easy to deploy and use," said Litronic chief operating officer Eric Greenberg.

"Netscape has always taken a leadership position in designing and delivering Internet security technologies," said Mr. Schell, who heads the Mountain View, Calif., company's client products division. "Broad industry support for PKCS 11 ensures that security vendors can deliver interoperable solutions that work well with Netscape Communicator."

Netscape and archrival Microsoft also figured in another RSA-related development eight days ago: the launch of a certification program to promote the S/MIME electronic mail security standard.

The two software companies were among 10 that RSA said earned the "S/MIME-enabled" seal that designates interoperability. Others included Baltimore Technologies, Deming Internet Security, Entrust Technologies, and OpenSoft.

Support for S/MIME (Secure Multipurpose Internet Mail Extensions) has brought data encryption to millions of desktops since the specification was developed in 1995.

S/MIME, in theory, makes secure E-mail as easy and widespread as exchanging word processing documents in the clear, said Joyce Graff, a research director at Gartner Group, Stamford, Conn. "Ease of use and thoroughness of interoperability testing are critical," she said. Encryption technologies that "operate most trouble-free and are therefore most broadly deployed will emerge the winners."
