A new product from Schlumberger provides one of the first realistic glimpses into what Java technology promises to deliver on smart cards.
The European-American smart card company last week announced Cyberflex Access, an addition to its high-security chip card line. It includes cryptographic security methods and the ability to load applets-little Java programs-over telecommunications lines, using digital signatures to authorize and authenticate the applets.
Cyberflex Access is designed for corporate information security, where many vendors anticipate faster acceptance than in banking or consumer markets. But the "dynamic loading" feature, touted as a key feature of the network-friendly Java Card standard sponsored by Sun Microsystems Inc., is a first that will have broad implications, said Tom Lebsack of Schlumberger Smart Cards and Terminals.
"This is a next step in Java Card, because it takes secure application loading to a new level," said Mr. Lebsack, the unit's director of multiple applications for North America. "This is an important feature, especially for banks. They will insist on it for multi-application cards," which might include loyalty-point systems or medical information or drivers-license data in addition to banking and payment services.
Cyberflex Access, scheduled for delivery in the first quarter of 1999, is said to be the first commercially available card with its combination of cryptographic and loading capabilities. Much like Gemsafe, a previously announced system from Gemplus of France, the Schlumberger smart card enables digital certificates, or electronic credentials, to be stored on a chip, granting access to a computer network or data base, to the extent authorized, from any device with a card reader.
In one example of a Gemsafe application, International Business Machines Corp. is offering a security package for notebook computers that authenticates corporate employees from remote locations.
Schlumberger has been aggressively developing systems according to the Java Card 2.0 specification, which has also been embraced by Visa International as the basis for its Visa Open Platform version of the technology. Mr. Lebsack said Cyberflex Access, as a limited, enterprise- oriented product, does not fulfill all Open Platform requirements, but it "moves us in that direction."
The security and loading features "were just talked about before. Cards were just password-protected," he said.
He added that Access incorporates key aspects of the recently announced Java Card 2.1 enhancements and is "backward compatible" with previous Cyberflex releases.
"The first use in the corporate environment is authentication of the user to a network, whether local or from a remote location, with single sign-on," Mr. Lebsack said in an interview last week during the Cardtech/Securtech West conference in San Jose, Calif. "Two- or three- factor authentication"-using passwords, certificates, and biometrics, or other such combinations-"is the basic application, and after that it depends on the company."
For example, cash value can be stored on the multi-application chip for company store or cafeteria purchases. The card could also provide secure access to on-line banking or credit union services or to human resources and benefits files. It could be an employee badge or key to secure areas using contactless technology, which makes it unnecessary for the card to be inserted into a terminal.
"Network technology can only realize its full potential if users can perform secure transactions wherever they are located," said Olivier Piou, vice president of smart card products for Schlumberger Smart Cards and Terminals, which is part of San Jose-based Schlumberger Test and Transactions.
"Cyberflex Access is the enabling technology that can deliver that capability by combining a truly versatile, multi-application smart card platform with a comprehensive security library." Those security options for the 16-kilobyte card include the RSA, DES, and Triple-DES data encryption algorithms and SHA-1 hash function.
Many experts in the data security industry expect corporations to make use of digital certificates and similar technologies before they filter out to the mass consumer market. The same may hold true for smart cards, whether as security or payment devices.
Mr. Lebsack said he sees the logic in that. "As corporations see applications work for themselves, they begin to see how they can work for customers."
But he is not jumping to any conclusions, saying that university and other closed-campus programs, one of the smart card's few clear successes in North America, have not expanded into open systems. "The jury is still out," he said.