Smart Cards: Certification May Raise Digital Security Stakes

Some smart card and information security companies will soon add a new kind of imprimatur to their lists of selling points.

The companies are submitting their products to various testing authorities for certification under multinational standards known as security evaluation criteria.

The processes are highly rigorous and time-consuming, and there are multiple sets of criteria, raising questions as to commonality and as to which might best apply.

But the approaches are converging, and all get at the same objective: to eliminate a buyer's uncertainty by assuring that a data encryption system or method for electronic identification or authentication delivers on its claims.

It is a step toward the standardization and interoperability whose lack may be hindering the acceptance of smart cards and other data security tools. And the coming together of security evaluation criteria may be a factor in vendor companies' optimism about near-term growth, particularly in the intracompany and business-to-business area commonly referred to as enterprise security.

Two leading sellers of public key encryption infrastructures for banking and electronic commerce announced last month that they had gotten hard-won approvals under two of the evaluation programs. Also, smart card companies are going down this road as they seek to emphasize the security benefits inherent in their increasingly powerful computer chips.

None has aimed as high as Mondex International Ltd., the MasterCard-controlled venture that designed its system to achieve ITSEC level E6, the highest rating of digital armor-plating under the Information Technology Security Evaluation Criteria.

The inventors of Mondex at National Westminster Bank in London decided it would take air-tight security to legitimize their electronic form of money on smart cards and the Internet. They still have hurdles to clear before the certification is complete.

ITSEC, which was adopted by the European Community in 1991 after earlier iterations in the United Kingdom, France, and Germany, developed in parallel with the U.S. Defense Department's Trusted Computer Systems Evaluation Criteria, or TCSEC, also known as the Orange Book.

The U.S. National Security Agency, in its Trust Technology Assessment Program, is offering evaluations (or certifying private laboratories to perform them) under TCSEC or a fusion of the prominent approaches known as the Common Criteria for Information Technology Security Evaluation.

Among the first to get NSA Common Criteria awards in January were firewall products of Cisco Systems and Lucent Technologies. They came in at Evaluation Assurance Level 2, or EAL2. The EALs go as high as 7.

Entrust Technologies Inc. of Richardson, Tex., broke the Common Criteria ice for public key infrastructures, or PKIs, last month with an EAL3 validation.

A competitor, Baltimore Technologies, said at the same time that it obtained "provisional listing" for its Unicert certificate authority system at ITSEC level E3.

The two PKI vendors took the occasion of Cebit, the big computer show in Hannover, Germany, to trumpet their certifications, a sign of how competitive the field is and how such seals of approval might be raising the stakes.

Entrust had earlier made a point of complying with U.S. Federal Information Processing Standard 140-1, seen as a key to serving the government market and by extension private-sector enterprise security.

"I am proud to say we are the first and so far only PKI company to have completed the Common Criteria evaluation and FIPS 140-1 validation tests," said John Ryan, president and chief executive officer of Entrust. The company began life as part of Nortel in Canada, another of the countries whose official security evaluation projects contributed to the Common Criteria.

"As the PKI market matures, customers increasingly rely on objective, external testing to ensure vendors are delivering strong security implementations and standards-based interoperability," Burton Group senior analyst Phil Schacter said of the Entrust announcement. He said the certification "is raising the bar" for the industry.

Smart card and computer security expert Jerome Svigals of Jerome Svigals Inc., Redwood City, Calif., called these evaluations "a good starting point" for security products. But their effectiveness still hinges on policies and operational procedures that are not necessarily addressed by hardware and software engineering, he said.

When Bull Smart Cards and Terminals (a part of the French electronics company Bull Group that emphasizes its security competence) recently launched a card development venture called Trusted Logic, it made Common Criteria evaluation part of its business plan.

Similarly, when International Business Machines Corp. and Philips Electronics' Philips Semiconductors unit announced a joint smart card development effort in February, they had ITSEC and Common Criteria in their sights. IBM Research official Elaine Palmer said they might go after ITSEC first because the specifications are "more stable." It might be practical to pursue Common Criteria when the higher EAL levels 5 through 7 are "more fully formed," Ms. Palmer said at the time.

Common Criteria validation raises customer assurance, Mr. Ryan of Entrust said. It "adds another level of confidence to Entrust-ready e-commerce infrastructures and applications such as SAP and PeopleSoft."

The certification "is significant as it takes away the uncertainty surrounding this fast-moving area of IT (information technology) security," said Robin Pizer, head of U.K. ITSEC, the body that evaluated the Entrust/PKI software. "Organizations can adopt a validated PKI for their own use with confidence and use the standard as a benchmark when making decisions about the wisdom of cross-certifying with other PKIs."

In another advance for Entrust/PKI, Entrust said it was chosen by the United Kingdom's Royal Mail for the digital credentials securing its Viacode electronic commerce program. Royal Mail and the Swift banking communications network are among Entrust's biggest European clients.

Zergo Holdings PLC, the British-Irish data encryption company that does business under the Baltimore name, had its ITSEC examination done by an Australia-New Zealand organization, the Australasian Information Security Evaluation Program.

Baltimore's Unicert has won wide acclaim in the digital certificate market, and ITSEC E3 is "the highest desirable level of commercial security sought today," the company said during the Cebit 99 exposition.

The approval "will confirm Baltimore's commitment to providing advanced security technology that meets requirements of current and future customers," said John Sullivan, vice president of engineering. "ITSEC E3 is becoming increasingly important as PKI systems are deployed in governments and commercial environments."

Also at Cebit, Baltimore cemented a relationship with Deutsche Telekom by saying its MailSecure message authentication system would be integrated with the German telecommunications giant's OnlinePass service and Telesec Chipcard Operating System for smart cards. These are seen as building blocks for personal identification, corporate security, and digital payment systems.

Further confirming Baltimore-Zergo's international standing and progress, the company was chosen as preferred digital certificate vendor for the Australian Payments Clearing Association. Unicert will be used to generate certificates, and the certificate authority operation will be outsourced to Baltimore's Certificates Australia unit.
