Adding Smart Cards to Network Applications
Both Snare Works and SmartGate are software packages that add smart card security to any TCP/IP infrastructure, and therefore to any network application running over it. Each package consists of a small client-side module and a larger server-side module. The client-side module prompts the user for a PIN, then presents that PIN to the user's smart card to establish the user's identity. It then sends the identity to the server-side module together with the user's request for service. This design improves network security because the user needs two things, a PIN (something known) and a card (something held), rather than just one, a password, while at the same time increasing user convenience because one card and PIN can be used to access many services.
The administrator of the server attaches identity- or group-specific access controls to the server's contents. When the user asks for an item from the server, the server-side module checks the user's identity against the access control list associated with that item. If the user is authorized to access the item, the server-side module passes the request through to the server, which returns the item. If the user is not authorized, a request rejection notice is returned to the user.
Intellisoft's Snare Works, as its name implies, uses OSF's Distributed Computing Environment (DCE) for directory services and secure data transport. Snare Works comes with a graphical content administration program that makes it easy to specify rules for who can access what on the server. These rules can be very simple, such as "Sally Green can read the Delphi Project Requirements document," or very complex, such as "Senior managers in the water division can access the cover page of the electric division's monthly reports." Intellisoft calls this rule system the Adaptive Security Framework. Each TCP/IP packet arriving at the server is examined and processed on a protocol-by-protocol basis, so, for example, the contents of a World Wide Web server can be smart card protected while email flows uninterrupted. It is relatively easy to add new protocol filters, called Protocol Support Modules, for proprietary TCP/IP protocols.
Intellisoft plans to expand the role of the smart card in its architecture by adding PKCS#11 and Microsoft CAPI interfaces to the card, along with online card personalization, multiple credentials per card, on-card key generation, and strong signing and encryption.
V-ONE's SmartGate offers coarser-grained access control than Snare: its rules are defined in terms of user connectivity rather than server content. Thus, for example, a user could be permitted access to email on a server but not to the FTP or Telnet services on that same server. SmartGate currently uses a proprietary directory and plans to support existing industry-standard directories through the Lightweight Directory Access Protocol (LDAP).
Both systems encrypt data in transit between client and server and, as a side benefit, can keep extensive logs of traffic. DCE/Snare also provides, at no extra charge, encrypted data transfer between clients.
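The client/server flow described above, as an added illustration rather than code from Snare Works or SmartGate: a simulated card that releases an identity only after a correct PIN, a client module that forwards that identity with the request, and a server module that evaluates either content-oriented rules (the two example rules quoted from the Snare description) or service-oriented rules (the SmartGate model). The card, the user directory and its attributes, the paths, the service table and the PIN retry limit are all constructed for the example and are not taken from either product.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


class SimulatedCard:
    """Stand-in for a real smart card: it releases the cardholder's identity
    only after a correct PIN and blocks itself after MAX_TRIES consecutive
    failures. Both behaviours are assumed for the example; the page does not
    describe how either product's cards handle PIN retries."""

    MAX_TRIES = 3

    def __init__(self, pin: str, identity: str) -> None:
        self._pin = pin
        self._identity = identity
        self.tries_left = self.MAX_TRIES

    def verify_pin(self, pin: str) -> Optional[str]:
        if self.tries_left == 0:
            return None                     # card is blocked
        if pin != self._pin:
            self.tries_left -= 1            # a wrong PIN burns one try
            return None
        self.tries_left = self.MAX_TRIES    # a correct PIN resets the counter
        return self._identity


@dataclass(frozen=True)
class Request:
    """What the client-side module sends on once the card has been unlocked."""
    user: str
    service: str          # protocol the request arrives on: http, smtp, ftp, ...
    item: str = ""        # content path; only meaningful for http here


# Constructed user directory: the attributes that content rules can refer to.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "sally.green": {"division": "water",    "role": "engineer"},
    "ann.lee":     {"division": "water",    "role": "senior-manager"},
    "bob.ray":     {"division": "electric", "role": "engineer"},
}


@dataclass(frozen=True)
class ContentRule:
    """Fine-grained, content-oriented rule (the Snare-style model): a predicate
    over the requester's attributes and a predicate over the requested item."""
    who: Callable[[str, Dict[str, str]], bool]
    what: Callable[[str], bool]


CONTENT_RULES: List[ContentRule] = [
    # "Sally Green can read the Delphi Project Requirements document"
    ContentRule(who=lambda user, attrs: user == "sally.green",
                what=lambda item: item == "/delphi/requirements.html"),
    # "Senior managers in the water division can access the cover page of the
    # electric division's monthly reports"
    ContentRule(who=lambda user, attrs: attrs["division"] == "water"
                and attrs["role"] == "senior-manager",
                what=lambda item: item.startswith("/electric/monthly/")
                and item.endswith("/cover.html")),
]

# Coarse-grained, connectivity-oriented rules (the SmartGate-style model):
# which services on this server each user may reach at all.
SERVICE_RULES: Dict[str, Set[str]] = {
    "sally.green": {"http", "smtp"},
    "ann.lee":     {"http", "smtp", "ftp"},
    "bob.ray":     {"smtp"},
}


def client_request(card: SimulatedCard, pin: str, service: str,
                   item: str = "") -> Optional[Request]:
    """Client-side module: unlock the card with the PIN and attach the
    identity it yields to the outgoing request. None means the PIN failed."""
    identity = card.verify_pin(pin)
    if identity is None:
        return None
    return Request(identity, service, item)


def content_allowed(req: Request) -> bool:
    """Server-side check against per-item rules; deny by default, including
    for identities the directory does not know."""
    attrs = DIRECTORY.get(req.user)
    if attrs is None:
        return False
    return any(rule.who(req.user, attrs) and rule.what(req.item)
               for rule in CONTENT_RULES)


def service_allowed(req: Request) -> bool:
    """Server-side check against per-service rules; deny by default."""
    return req.service in SERVICE_RULES.get(req.user, set())


def serve(req: Optional[Request], fine_grained: bool = True) -> str:
    """Server-side module: pass the request through or return a rejection
    notice, using either the content model or the service model."""
    if req is None:
        return "rejected: card did not release an identity"
    allowed = content_allowed(req) if fine_grained else service_allowed(req)
    target = f"{req.service} {req.item}".strip()
    if allowed:
        return f"ok: {req.user} -> {target}"
    return f"rejected: {req.user} not authorized for {target}"


if __name__ == "__main__":
    sally = SimulatedCard(pin="1234", identity="sally.green")
    print(serve(client_request(sally, "0000", "http", "/delphi/requirements.html")))
    print(serve(client_request(sally, "1234", "http", "/delphi/requirements.html")))
    print(serve(client_request(sally, "1234", "http", "/electric/monthly/1998-03/cover.html")))
    bob = SimulatedCard(pin="1111", identity="bob.ray")
    print(serve(client_request(bob, "1111", "ftp"), fine_grained=False))
```

As in the description above, the server acts on the identity the client-side module asserts; in a real deployment that assertion travels inside the authenticated, encrypted channel both products establish, and a deployment would normally want the card to prove possession cryptographically rather than merely release a name. The example keeps the deny-by-default behaviour both models share: an identity missing from the directory or from the service table gets nothing, and a blocked card yields no identity at all.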
Most smart card applications consist of custom host software written against an off-the-shelf smart card or against a smart card standard. A growing number of smart card software development kits (SDKs) and application programming interfaces (APIs) make this an easy task (see Table 6.3). Some of these are specific to a card or card reader, but the opening up of the smart card application development marketplace is beginning to force interoperability standards on the makers of smart card system components, so this is becoming less rather than more of a problem.
Table 6.3: Smart card software development kits and APIs

Product | Company | Telephone | WWW | E-mail
---|---|---|---|---
CryptOS | Litronic | +1 714 545-6649 | www.litronic.com | info@litronic.com
Ecash SDK | Digicash | +31 20 592-9999 | www.digicash.com | info@digicash.nl
EZ Component | Strategic Analysis | +1 703 527-5410 | www.sainc.com | radclm@sainc.com
IBM Smart Card Toolkit | IBM | +44 171 202 3743 | www.chipcard.ibm.com | alasdair_turner@uk.ibm.com
ICDKT1 | AmeriSys | +1 514 620-8522 | www.login.net/amerisys/ | info@amerisys.com
IC-XCard | HealthData Resources | +1 512 306-1926 | www.hdata.com | sales@hdata.com
KapschCard Development Tools | Kapsch | +431 811 110 | www.kapsch.co.at | zeppelza@kapsch.co.at
MASDAK | Integrated Technologies | +1 612 941-3605 | www.itaincorp.com | sales@itaincorp.com
OSCAR Application Generator | Oberthur Smart Cards | +1 310 884-7900 | www.kirkplastic.com | david.ankri@wanadoo.fr
PC/SC | Microsoft | +1 512 331 3128 | www.smartcardsys.com | pcsc@slb.com
SignaSURE | DataKey | +1 612 890-6850 | www.datakey.com | sales@datakey.com
SM/SW/1.1 | GIS | +44 1223 462200 | www.gis.co.uk | christopher@gisltd.demon.co.uk
Smart Card ADK | Amerkore | +1 703 204-0023 | www.amerkore.com | amerkore@amerkore.com
SmartStart | American Magnetics | +1 213 775-8651 | www.magstripe.com | webmaster@magstripe.com