Adding Smart Cards to Network Applications

Both Snare Works and SmartGate are software packages that can add smart card security to any TCP/IP infrastructure and thus to network applications. Both packages consist of a small client-side module and a larger server-side module. The client-side module invites the user to enter a PIN, then interrogates the user’s smart card using this PIN to determine user identity. The client-side module then communicates the identity to the server-side module along with a request for service from the server. This design improves network security because the user needs two things—a PIN and a card—rather than just one—a password—while at the same time increasing user convenience because one card and PIN can be used to access many services.

The administrator of the server adds identity- or group-specific access controls to the server's contents. When the user asks for an item from the server, the server-side module checks the user's identity against the access control list associated with the item. If the user has been authorized to access the item, the server-side module lets the request go through to the server, which returns the item. If the user is not authorized to access the requested item, a request rejection notice is returned to the user.

Intellisoft's Snare Works, as its name implies, uses OSF's Distributed Computing Environment (DCE) for directory services and secure data transport. Snare Works comes with a graphical content administration program that makes it easy to specify rules for who can access what on the server. These rules can range from the very simple, such as "Sally Green can read the Delphi Project Requirements document," to the very complex, such as "Senior managers in the water division can access the cover page of the electric division's monthly reports." Intellisoft calls this rule system the Adaptive Security Framework. Each TCP/IP packet arriving at the server is examined and processed on a protocol-by-protocol basis. For example, the contents of a World Wide Web server could be smart card protected, whereas email could flow uninterrupted. It is relatively easy to add new protocol filters, called Protocol Support Modules, for proprietary TCP/IP protocols to the system.

Intellisoft is going to expand the role of smart cards in its architecture. It will be adding PKCS#11 and Microsoft CAPI interfaces to the smart card, along with online card personalization, multiple credentials per card, on-card key generation, and strong signing and encryption.

V-ONE's SmartGate offers coarser-grained access control than Snare. V-ONE's rules are defined in terms of user connectivity rather than server content. Thus, for example, a user could be permitted access to email on a server but not to FTP or Telnet services on that server. SmartGate currently uses a proprietary directory and has plans to support existing industry-standard directories using the Lightweight Directory Access Protocol (LDAP).

Both systems provide for encrypted data transfer between client and server, and can keep extensive logs of traffic as a side benefit. DCE/Snare also provides, free of charge, encrypted data transfers between clients.
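The client-side / server-side split described above, reduced to a runnable toy in Python. This is an added example, not code from Snare Works, SmartGate, Intellisoft or V-ONE: the simulated card, the PIN retry counter, the rule format, the "Protocol Support Module" style per-protocol filter and every user, group, path and rule below are assumptions made for illustration. It shows both rule styles the text contrasts, content-level rules (a user may read one item) and service-level rules (a group may use a whole service), and a protocol that is left unprotected so that its traffic passes straight through.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PIN_TRIES = 3  # assumption: the card enforces a retry counter and blocks itself


@dataclass
class SimulatedCard:
    """Stand-in for the user's smart card: an identity, its groups and a PIN."""
    holder: str
    groups: Tuple[str, ...]
    pin: str
    tries_left: int = MAX_PIN_TRIES

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False  # blocked card: even the right PIN no longer opens it
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.tries_left -= 1
            return False
        self.tries_left = MAX_PIN_TRIES
        return True


def client_module(card: SimulatedCard, pin: str) -> Optional[Dict]:
    """Client-side module: unlock the card with the PIN, then read the identity
    that is forwarded to the server along with the service request.
    Returns None when the PIN is wrong or the card is blocked."""
    if not card.verify_pin(pin):
        return None
    return {"user": card.holder, "groups": sorted(card.groups)}


@dataclass
class Rule:
    subject: str          # "user:<name>" or "group:<name>"
    protocol: str         # which protocol filter the rule belongs to
    item: Optional[str]   # None = the whole service (coarse, connectivity-style)
    action: str = "read"


class ServerModule:
    """Server-side module: per-protocol filter plus ACL lookup, with a traffic log."""

    def __init__(self, rules: List[Rule], protected_protocols) -> None:
        self.rules = rules
        self.protected = set(protected_protocols)
        self.log: List[Tuple[str, str, Optional[str], str]] = []

    def handle(self, identity: Optional[Dict], protocol: str,
               item: Optional[str], action: str = "read") -> Tuple[str, str]:
        # Unprotected protocols flow uninterrupted (the email example in the text).
        if protocol not in self.protected:
            return ("pass", "not smart-card protected")
        if identity is None:
            self.log.append(("anonymous", protocol, item, "reject"))
            return ("reject", "no identity presented")
        who = identity["user"]
        subjects = {"user:" + who} | {"group:" + g for g in identity["groups"]}
        for rule in self.rules:
            if (rule.subject in subjects and rule.protocol == protocol
                    and rule.action == action
                    and (rule.item is None or rule.item == item)):
                self.log.append((who, protocol, item, "allow"))
                return ("allow", item or protocol)
        self.log.append((who, protocol, item, "reject"))
        return ("reject", "not authorized for this item")


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one card, three rules, a mix of requests."""
    card = SimulatedCard("sally", ("water-managers",), "1234")
    rules = [
        Rule("user:sally", "http", "/delphi/requirements.doc"),          # content rule
        Rule("group:water-managers", "http", "/electric/monthly/cover"),  # content rule
        Rule("group:water-managers", "ftp", None),                        # whole-service rule
    ]
    server = ServerModule(rules, protected_protocols={"http", "ftp", "telnet"})
    identity = client_module(card, "1234")
    return [
        server.handle(identity, "http", "/delphi/requirements.doc"),
        server.handle(identity, "http", "/electric/monthly/full-report"),
        server.handle(identity, "ftp", "/pub/anything"),
        server.handle(identity, "telnet", None),
        server.handle(None, "smtp", None),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two points the toy makes visible: a wrong PIN never reaches the server at all, because the identity is only produced once the card has accepted the PIN, and every decision on a protected protocol is logged, which is the "extensive logs of traffic" side benefit mentioned above.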

Smart Card Software Development Kits and Application Programming Interfaces

Most smart card applications consist of custom host software running against an off-the-shelf smart card or against a smart card standard. A growing number of smart card software development kits (SDKs) and application programming interfaces (APIs) make this an easy task (see Table 6.3). Some of these are card- or card-reader-specific, but the opening up of the smart card application development marketplace is beginning to force interoperability standards on the makers of smart card system components, so this is becoming less rather than more of a problem.

Table 6.3. Smart card software development kits and application programming interfaces.

Product                        Company                   Telephone          WWW                        Email
CryptOS                        Litronic                  +1 714 545-6649    www.litronic.com           info@litronic.com
Ecash SDK                      Digicash                  +31 20 592-9999    www.digicash.com           info@digicash.nl
EZ Component                   Strategic Analysis        +1 703 527-5410    www.sainc.com              radclm@sainc.com
IBM Smart Card Toolkit         IBM                       +44 171 202 3743   www.chipcard.ibm.com       alasdair_turner_@uk.ibm.com
ICDKT1                         AmeriSys                  +1 514 620-8522    www.login.net/amerisys/    info@amerisys.com
IC-XCard                       HealthData Resources      +1 512 306-1926    www.hdata.com              sales@hdata.com
KapschCard Development Tools   Kapsch                    +431 811 110       www.kapsch.co.at           zeppelza@kapsch.co.at
MASDAK                         Integrated Technologies   +1 612 941-3605    www.itaincorp.com          sales@itaincorp.com
OSCAR Application Generator    Oberthur Smart Cards      +1 310 884-7900    www.kirkplastic.com        david.ankri@wanadoo.fr
PC/SC                          Microsoft                 +1 512 331 3128    www.smartcardsys.com       pcsc@slb.com
SignaSURE                      DataKey                   +1 612 890-6850    www.datakey.com            sales@datakey.com
SM/SW/1.1                      GIS                       +44 1223 462200    www.gis.co.uk              christopher@gisltd.demon.co.uk
Smart Card ADK                 Amerkore                  +1 703 204-0023    www.amerkore.com           amerkore@amerkore.com
SmartStart                     American Magnetics        +1 213 775-8651    www.magstripe.com          webmaster@magstripe.com