On-Line Banking: Smart Cards Getting More than Token Support

The debate over smart cards is settled, as far as the data security community is concerned.

As long as the cards' chips can hold digital certificates, the signature-like identification technique for electronic networks, smart cards have what it takes to play a central role in the growth and development of Internet commerce.

In fact, smart cards are just one form of what specialists in the field call "hardware implementations" of security. They like hardware because it is harder to compromise than computer software and, as typified by smart cards, it is portable: Its possessor can use it in any compatible piece of equipment, be it a personal computer or point of sale terminal.

The hardware security advocates were out in force this week at the annual industry conference sponsored by RSA Data Security Inc., the leading provider of the data encryption technology.

While many are clearly partial to hardware, the RSA-licensed data security vendors are in many ways agnostic. Whether the market demands hardware or software implementations, they will serve it. Smart cards are one of a variety of "tokens" they will accommodate, on either the buy or sell side of an on-line transaction. Smart cards already have been implemented for internal network security, as in bank money transfer rooms.

In addition to digital certificates, the chip cards or other tokens could potentially hold a photograph or other more sophisticated means of biometric identification, such as a fingerprint, voiceprint, or eye pattern.

PCMCIA cards, the standard input devices for laptop computers, are an already popular alternative. One example, the Luna token from Chrysalis-ITS Inc. of Ottawa, Canada, gained momentum this week with several alliance announcements. In perhaps the most prominent, Luna will be available for encryption with two Netscape Communications Corp. products, Communicator and Enterprise Server.

"Especially in the financial and government communities, we see the need for higher-level security that is tamper-proof and allows for the storage of certificates," said Tim J. Hember, president of TimeStep Corp., a Canada-based Newbridge Network subsidiary that is providing encryption technology and tokens to Chrysalis-ITS.

"As prices come down, (hardware implementations) will be more generally accepted," Mr. Hember added. "People will be carrying tokens in their back pockets."

Thomas E. Honey, director of the certification and public key infrastructure program at International Business Machines Corp., said portability is crucial.

A former Visa International executive who helped IBM take part in recent proving of the MasterCard-Visa Secure Electronic Transactions protocol for Internet credit card payments, Mr. Honey said the United States is behind Europe in smart card acceptance. As it gets off the ground, SET is largely a software phenomenon, existing in computer hard drives, though not for long if the RSA show is any indication.

"A hardware token is safer and can be accepted at more places," Mr. Honey said. "We have to get smart card readers out on terminals."

A simple diskette could serve the purpose, at least for the time being.

Fischer International, a Naples, Fla., cryptography innovator, offers to solve the software vulnerability problem by essentially putting the power of a smart card on a diskette called Crypto SmartDisk. It was designed with tamper-proof storage for encryption keys, preventing the illicit copying to which software methods are prone.

Fischer recently took that a step further, modifying the standard diskette with a sleeve for a smart card. The resulting product, Smarty, allows a PC through its disk drive to read a smart card. Users don't have to wait for smart card readers to be incorporated with PCs, as has been advocated by a consortium called the PC/SC Workgroup.

Many prominent technology suppliers are banking on tokens, with RSA Data Security itself in the forefront. The Redwood City, Calif., cryptography company hooked up in a merger last year with the larger, hardware-oriented Security Dynamics Technologies Inc. of Bedford, Mass.

A producer of authentication devices for money-transfer and other high-value operations, Security Dynamics began to "think about how best to incorporate encryption technology" and RSA became a logical partner, said Security Dynamics chairman Charles Stuckey.

RSA president Jim Bidzos added that the logic behind the merger was that "some sort of smart card or token will be involved in every security solution."

Smart cards and other tokens got plenty of plugs at RSA's sixth annual security technology conference. In one case, an exhibit called the "Get Smartcard Demo," six companies created a kind of crypto-token treasure hunt to show such capabilities as cardholder privacy, authentication, and document-signing.

Gemplus of France issued advanced, cryptography-enabled smart cards to conference attendees, who put them to work over the Netscape Web browser, with Verisign Inc. issuing Digital ID certificates. Consensus Development Corp. supplied technology tool kits, Litronic Inc. provided smart card readers and its CryptOS interface, and the entire demo was built on Hewlett-Packard Co.'s Vectra PC platform.

Among other product unveilings, Hewlett-Packard announced Single Sign-On, a streamlined user log-in system that is part of the company's Praesidium Internet and intranet security framework. Smart cards can be part of the solution; H-P, not coincidentally, was active in the PC/SC Workgroup and has joined Gemplus and Informix Inc. in a multi-application smart card development alliance called ImagineCard.

Verisign, the digital certification specialist that RSA spun off two years ago, demonstrated what it called the first on-line issuance of its Class 1 Digital IDs on smart cards. That demo combined Cryptoflex cards from Schlumberger with other technology from Litronic and Microsoft Corp.

Verisign termed it "a major step forward in portable digital identification." President Stratton Sclavos said it showed how "smart cards will become the digital wallet of the future, securely holding and transporting information about our most important relationships."

Spyrus Inc., a San Jose-based cryptography vendor that works closely with Verisign and RSA, made several digital signature and token-related announcements including an upgrade of its PCMCIA card, the EES Lynks Privacy Card, for the SET protocol.

"The availability of hardware cryptographic solutions using industry-standard RSA technology can be a major step toward global adoption of the SET standard for Internet payments," said Mr. Bidzos of RSA.

Also commenting on Spyrus, Andrew Bartels, vice president for advanced payment systems at American Express Co., said, "As the SET standard matures in 1997, we expect hardware cryptography to be widely adopted to provide the level of security required for Internet-based credit card payments."

Spyrus also joined with Maithean Inc., a maker of electronic commerce software, to offer an SET-based payment system called NetPay, complete with a virtual wallet for consumers and a client/server merchant management system. The system is fully open and interoperable and received a testimonial from Verisign's rival, GTE Corp.'s Cybertrust unit.

"Maithean/Spyrus and GTE are working to demonstrate interoperability for SET certificate support," said Cybertrust vice president Tom Carty. "GTE is pleased to see Spyrus and Maithean providing the first SET solution using hardware to protect the cryptographic keys."

As vocal as any hardware security advocate, Tandem Computers Inc.'s Atalla division formed an alliance with VLSI Technologies to develop a high-performance chip for on-line security. Called NetArmor, it is designed for computer and set-top motherboards, PCI add-in cards for personal computers, and PCMCIA cards. Atalla said at the behest of one merchant-acquiring client, it is aiming for its system to handle 1,000 SET transactions a second by 2000, several orders of magnitude above current capacity.

Gary Sabo, vice president of product management and marketing at the San Jose, Calif., organization, said hardware-security proponents have had to overcome the misperception that "software is free." While people are coming to realize software does cost, he said, hardware costs still must come down through advances like the VLSI chips.

"We have to get to the same level of trust on the Internet that people have with ATM cards," Mr. Sabo said. "The only way to get there, we believe, is hardware."
