If smart cards are the losing proposition that many U.S. bankers seem ready to write off, then the word has not spread to the people actually selling the technology.
Chip card manufacturers and many companies they work with in the software, telecommunications, and information security industries are, if anything, more intent than ever on getting the advanced plastic cards into mainstream distribution.
Though acknowledging the economic hurdles that have kept skepticism relatively high in North America, card makers and other nonbankers find reasons to stay hopeful and busy in the more chip-friendly markets of Europe and Asia, in the corporate "enterprise security" movement toward multi-function identity cards, and in the brewing rivalry between computer industry titans Microsoft and Sun Microsystems over smart card operating systems.
That last factor, stemming from Microsoft Corp.'s announcement in October of Smart Card for Windows, means that millions of programmers worldwide are capable of rapid creation and deployment of cards and applications that should become more economical as they grow in number.
Before the 1996 introduction of Sun's Java Card specification, "there were maybe 4,000 or 5,000 smart card programmers in the whole world," Sun Microsystems Inc. staff engineer Yahya Al-Salqan said last week in San Jose, Calif., at RSA '99, the annual conference sponsored by the data encryption company RSA Data Security Inc. of nearby San Mateo.
"With a two-hour tutorial, now any Java programmer can program smart cards," said Mr. Al-Salqan. And with increasing chip capacities, the cards might turn notions of client/server computing on their heads. By Mr. Al- Salqan's definition of network computing, smart cards are little servers, not the passive "thin clients" that they are usually made out to be.
That should go a long way toward answering concerns about the lack of a business case, Mr. Al-Salqan reasoned. Though others may disagree on matters of technical philosophy or profess loyalty toward competing products and approaches, they fully share his positive outlook.
Last Thursday morning, while the Sun engineer was expounding on how that "personalized network device or server" can perform sophisticated security and authentication functions and contribute to "a new paradigm of massive computing," John Landwehr of Gemplus Corp. was in another part of the San Jose Convention Center, making the "enterprise security" case.
Mr. Landwehr, who oversees the French-owned smart card producer's information-technology marketing, said cards used for security purposes worldwide will grow to 120 million in 2003, from one million in 1997. Moving from passwords to personalized digital certificates, which can be stored on smart cards, could eliminate the 40% of help-desk calls that have to do with lost or changed passwords.
Card-based information security can save "a 20,000-employee company $4 million in help-desk costs," Mr. Landwehr said.
Flying in the face of any doubters, Gemplus, many of its direct competitors, and various other system vendors put smart cards on something of a pedestal at the RSA conference. The event is more of a window on the high-energy world of electronic commerce than the Bank Administration Institute Retail Delivery conferences that set a high-technology standard for banking audiences.
The optimism of RSA '99-about smart cards and other security products- stemmed from a shared belief that so many bets by so many strategically savvy technologists cannot be too far off the mark.
In line with what U.S. observers perceive and assume, business-to- business commerce and enterprise security are seen as more likely smart card venues than the consumer mass market, at least in the near term.
There is nothing new in that, said Georges Brotman, president of TTI Transaction Technology International, a Canadian consulting firm. In 1988 he worked on CashCommand, a Royal Bank of Canada cash management service that was "the first commercial smart-card-based information security system in North America."
As the passage of a decade indicates, even enterprise vendors had cost and logistical obstacles to overcome.
Gemplus' display last week of a card- and fingerprint-based authentication system with the Lucent Technologies spinoff Veridicom, Schlumberger's demonstration of Microsoft Corp.'s Windows Card, the public key encryption strategy unveiled by the French electronics and smart card giant Bull, the "price-performance breakthrough" in card readers touted by the digital security specialist Spyrus-all these and more at the RSA show suggested that the chip card story is far from over.
To enliven matters further, Litronic Inc. of Irvine, Calif., gave the 5,000 visitors to RSA '99 a chance to live smart card security in "The L Files." Cribbing shamelessly from Fox Television's "X Files," Litronic put cards in the hands of hundreds of "Agent Sculders," sending them out in search of the missing "Agent SpyGuy" via the exhibits of DataCard Corp., Netscape Communications Corp., PricewaterhouseCoopers, RSA Data Security, Schlumberger Smart Cards and Terminals, and Verisign Inc.
Among the truths out there, according to Litronic, was that without open standards and cooperation among companies possessing various pieces of the enterprise security puzzle, market acceptance would come very slowly.
"A lot will get done with partners; it will give people options," said Bill Holmes, Litronic's vice president of sales and marketing. In putting together a public key infrastructure, or PKI, offering for digital certificates and other data security components, he said, Litronic focused on "what we are good at-the infrastructure side and building smart cards into existing applications."
Accordingly, Litronic's security tokens and tool kits are compatible with the Internet browser software of both Microsoft and Netscape, and with the PKI methodologies of GTE Cybertrust, Entrust Technologies, Thawte Certification, and Verisign.
Litronic announced last week that its public key encryption management system, ProFile Manager, has been integrated with Netscape's Certificate Management System.
Spyrus of Santa Clara, Calif., which through acquisitions and internal developments claims to have assembled "all the pieces" as a "single-source" PKI vendor and assurer of e-commerce security, accords smart cards exalted status. Chief executive officer Sue Pontius said the six-year-old company has been in the smart card business all along, though earlier versions, Lynks Privacy Cards, were of the PCMCIA type, those commonly inserted into laptop computers.
Today's Spyrus Rosetta public key smart cards make PCMCIA capabilities more affordable, and the newly introduced chip card reader links them to computer serial ports and ultimately the Internet.
Ms. Pontius envisions smart cards infiltrating corporate enterprises at the entranceway, initially by upgrading identification and access control cards, then adding computer sign-on security, medical data, digital certificates, perhaps digital cash, and other functions.
Smart cards have been hampered by "a lack of reader infrastructure in North America," Ms. Pontius said at an RSA '99 press conference. Spyrus sought to rectify that by acquiring and enhancing a device originally owned by Oki Electronics of Japan.
"Our new security reader, used together with Rosetta smart cards, reduces the cost per seat of high-assurance security by 80%," Ms. Pontius said.
To be sure, the costs of smart cards and reading infrastructures are not trivial. Former MasterCard electronic commerce executive Steve Mott, a consultant doing business as BetterBuyDesign.com in Stamford, Conn., said the $20 to $30 chip card readers that manufacturers are moving into mass production may sound reasonable but will be hard to justify in major quantities.
"The cost issue is everything," said Philip C. Deck, chief executive officer of Certicom Corp., which sells elliptic curve cryptography that is said to be more efficient than the more established RSA algorithms. He contended that single-function smart cards will hit the market first, and "if you have a $30 card reader, that just doesn't compute. If it is a single application, it has to be cheap."
Even for enterprises of thousands to tens of thousands of employees, the high "cost per seat" has some vendors pushing cheaper alternatives.
Rainbow Technologies Inc. of Irvine, Calif., a data security specialist that competes with Spyrus on PCMCIA cards for the U.S. government's Fortezza program, puts their deployment cost at $200 a seat. Smart cards lower that only to $100, said Rainbow executive vice president Peter M. Craig.
Rainbow has come out with a smaller authentication token, the i-Key, which can be carried on a key ring and connected through a computer's universal serial bus at a cost of "well under $50," Mr. Craig said.
Ms. Pontius claimed Spyrus' PCMCIA cards are "under $100" per seat and smart cards "well under $100," which she ascribed to the breadth and "life cycle" of the Spyrus Integrated Enterprise Security offering with "one-card solution."
In any event, the direction is down, and vendors are working furiously to "change the economics PKI deployment," as Mr. Craig put it.
Sellers of smart cards, by definition, are partial to hardware security, which is widely viewed as superior to software that may be vulnerably exposed in personal computers. Smart cards have the added advantage of portability, usable in any device with a standard reader, and higher-level chips can perform cryptographic operations.
Chrysalis-ITS of Ottawa, Canada, maker of Luna computer security cards, argued in a recent white paper that "you must enhance the security of software-only (cryptography) solutions. Hardware is the most viable way to protect your root key against all forms of attack."
"A system-on-a-chip is the ideal solution for reducing costs that are preventing universal deployment of PKIs and Internet-based virtual private networks," said Mike Foster, chief operating officer of Chrysalis, which made several announcements at RSA '99 including cooperative deals with the semiconductor manufacturer Mosaid Technologies, cell phone leader Nokia, and PKI vendor Xcert International Inc.
"In addressing performance, we are aiming for an order-of-magnitude improvement over existing technologies for multi-cryptographic algorithms," Mr. Foster said.
But software has its advocates, and their technology is advancing too.
Cybersafe Corp. added a "virtual smart card option" to its TrustBroker Security Suite, saying several large financial companies are involved in beta testing.
The virtual smart card occupies a kind of middle ground between full- scale hardware and unprotected software. It offers portability without card and reader expense and "can be used to ease the transition to an all-smart- card environment," the Issaquah, Wash., company said.
ID Arts introduced Passface, software security with an unusual twist that it calls "cognometrics." The system replaces personal identification numbers with faces. Computer users authenticate themselves by picking out their chosen sequences of pictures presented on screens via software.
Even smart cards tend to be PIN-activated and prone to mishandling or forgetfulness, the Brighton, England, start-up asserts. Barclays Bank is testing Passface.
"Plenty of studies say people forget their PINs," contributing to the unproductive 40% of help-desk calls, said ID Arts managing director Paul Barrett. "Research shows that part of our brains is dedicated to recognizing faces. It is unlike any other sort of memory."
Hopes also run high for biometrics such as fingerprints, voices, faces, or eye patterns, perhaps in conjunction with smart cards. Identicator Corp. of San Bruno, Calif., says it has gotten its finger scanner under $50, and PC keyboard makers such as Key Tronic Corp. are integrating them with chip card readers.
American Biometric Co. of Ottawa has teamed up with Schlumberger and Entrust Technologies to combine fingerprints, smart cards, and digital certificates. The combination "is exactly what customers need to facilitate the rollout of a security infrastructure in their organizations," said American Biometric general manager Marshall Sangster.
Whereas that partnership emphasizes maximum security with portability for enterprise operations, others are going after mass-market efficiencies. Mobile communications companies and makers of small devices like the Palm Pilot are especially keen on "thinner" authentication methods that do not tax limited memory capacities.
AT&T Wireless is testing Cybersafe's virtual smart card. Speaking at RSA '99, Malte Borcherding, senior product manager of the German payments software company Brokat, described a way to turn standard GSM mobile telephones into secure authentication devices. The phones' smart card slots and strong encryption could be used in generating digital signatures.
Also at the conference, Ian Goldberg, a University of California Ph.D. student who gained notoriety for breaking a DES-Data Encryption Standard- code and discovering a flaw in GSM security, proposed using the Palm III organizer as an authentication device. It would essentially perform the role of a cryptographic smart card, but better, in Mr. Goldberg's view.
"Banks seem to be very interested in delivering services to cell phones and personal digital assistants," said Jennifer Vancini, director of electronic commerce at Certicom, a Toronto-based company with a U.S. base in San Mateo, Calif. "Stock trading is one of the applications driving this."
3Com Corp.'s Palm Computing unit, BellSouth Wireless Data, Motorola Inc., and Research in Motion Ltd. are among those working with Certicom's elliptic curve cryptography. Diversinet Corp. and Xcert International, which also have Canadian roots, are among those pursuing certification opportunities jointly with Certicom that could involve smart cards.
Racal Electronics, a United Kingdom company deep into telecommunications technology, wants to be a force in smart cards and the Secure Electronic Transaction program for Internet payments-votes of confidence in subjects of banking industry controversy. Racal Security and Payments of Sunrise, Fla., last week introduced a smart card personalization system and high- volume SET processing platform.
Bull Smart Cards and Terminals circulated a paper by its president of advanced research and security, chip card pioneer Michel Ugon, to underscore the security part of the equation.
He called smart card security essential and said "the hardware and the software form an inseparable pair."
"Security is set to become a decisive differentiating factor for smart cards with embedded operating systems," Mr. Ugon wrote, "since most of the key applications guarantee both data integrity and confidentiality."
Mr. Landwehr, who markets Gemplus' Gemsafe package for PCs, said security is striking a marketing chord.
"Judging by the calls I got in just the first two weeks, this is going to be a big year," he said. "A lot came from multiple divisions of PC manufacturers that want to integrate smart card readers in keyboards"-which would certainly address the infrastructure problem.