
Signing with Smart cards: Circling the drain?

By Larry Kluger posted 03-25-2015 08:49

  

Smart cards were invented in 1974. So 40 years later, how are they doing?

They’re in wide use as credit cards everywhere in the world except the US. In the US, odds are good that your next replacement credit card will include a chip. They’re also inside every cell phone: SIM chips are actually smart cards, which is why they are usually distributed on a credit-card-sized piece of plastic.

Some governments are distributing smart cards as citizen IDs or driver licenses. Applications for these cards are usually specific and limited.

What about using smart cards for digital signing? For authentication purposes?

For these use cases, 40 years of marketing hype have been unable to overcome the hard, real-world problems with smart cards. Let’s review some of the issues plaguing the use of smart cards within corporations and other non-government organizations. A recent article, “PIV-I, CIV circling the drain,” has more on the subject.

Last century solution

Smart cards were an excellent solution for problems of the last century. But today we realize that moving services to the always-on, always-available, centrally-managed cloud is preferable, faster, more reliable, and less expensive than solutions at the “edge” of the network such as smart cards. Just as you use the cloud or centralized ECM systems for storing documents, a cloud-based or centralized signing appliance is recommended for signing the documents.

Administrative overhead

Smart cards require their own administrative infrastructure to distribute, manage, update, replace, and reclaim the cards themselves. For even a small company, the administrative workload can quickly add up to one FTE (Full Time Equivalent) or more.

“Ultimately the most burdensome thing about it is there are no really good supported solutions out there that tie in the whole workflow – request, proofing, vetting, invoking records, issuance and lifecycle,” explains Terry Gold, founder of IDAnalyst. “The services are disjointed.”

Lost and forgotten cards

Unless the smart cards are used for physical access to the office building, they can be easily misplaced. For example, a commenter on SpiceWorks says: “A number of years ago we were using smart cards for authentication as well as digital signing on confidential emails. All I can say is that it was a pain!”

No option if the card is forgotten

Since the signer’s private key is on the smart card, it is simply impossible for her to sign unless she has her card with her. This may seem like a minor point, but it can quickly turn into a major problem. This problem doesn’t exist with a centralized or cloud-based system holding the private keys.

Problems signing via the web browser

Smart cards were designed for the pre-web world, in which data was held on the user’s personal computer. That world is now long gone. Instead, data is stored in the cloud and on centralized document/ECM servers. In these cases, it is difficult or impossible to smoothly bring the data through a web browser down to the personal computer to be signed on the smart card and then automatically uploaded back to the web app.

The reason is security: each new version of the major browsers (IE, Google Chrome, etc.) is making it harder and harder to break the “browser wall” between web data and the local personal computer’s operating system. The browser manufacturers are doing this to increase data security. For example, it is now much less common to see Java programs on browsers. Browser APIs such as NPAPI that were used to interface smart cards to web apps are no longer available in current browsers. ActiveX controls limit browser choice to IE. Plus, ActiveX controls are expensive to deal with and difficult to install, maintain, and use.

PKI Infrastructure costs

PKI / smart card servers are expensive and complicated. They raise costs dramatically when compared to the easy plug-and-play architecture of a modern centralized or cloud-based digital signing application that can automatically synchronize the signer list with Active Directory or an LDAP service.

CRL issues

In a smart card system, the Certificate Revocation List (CRL) must be carefully maintained to prevent ex-employees from signing with their cards. The CRL is also used to prevent lost cards from being used. A centralized signing service can be immediately instructed to disable access, easily and quickly ensuring proper control over signing privileges.
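To show why CRL maintenance matters on the verifying side, here is an added example (not from the original post) using the Python `cryptography` package. It shows that a verifier still caching an older CRL keeps accepting a revoked card until that CRL's next-update time passes. The CA name, card serial number, and dates are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UTC = dt.timezone.utc
# Constructed CA name, for illustration only.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Card CA")])

def make_crl(ca_key, revoked_serials, this_update, next_update):
    """Issue a CRL signed by the CA that lists the given card serial numbers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(this_update)
               .next_update(next_update))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(this_update)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def signer_status(card_serial, crl, ca_public_key, now):
    """Verifier-side decision for a signature made with a card certificate."""
    if not crl.is_signature_valid(ca_public_key):
        return "reject: CRL not signed by the CA"
    # next_update_utc exists in newer library versions; fall back otherwise.
    next_update = (getattr(crl, "next_update_utc", None)
                   or crl.next_update.replace(tzinfo=UTC))
    if now > next_update:
        return "reject: CRL is stale"  # fail closed instead of trusting old data
    if crl.get_revoked_certificate_by_serial_number(card_serial) is not None:
        return "reject: card revoked"
    return "accept"

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    card = 0x1001  # constructed serial of a departed employee's card
    day0 = dt.datetime(2015, 3, 1, tzinfo=UTC)
    day = dt.timedelta(days=1)
    old_crl = make_crl(ca_key, [], day0, day0 + 7 * day)            # before departure
    new_crl = make_crl(ca_key, [card], day0 + day, day0 + 8 * day)  # after revocation
    pub = ca_key.public_key()
    return {
        "cached_old_crl_day3": signer_status(card, old_crl, pub, day0 + 3 * day),
        "fresh_crl_day3": signer_status(card, new_crl, pub, day0 + 3 * day),
        "cached_old_crl_day8": signer_status(card, old_crl, pub, day0 + 8 * day),
    }
```

The first result is the gap that publishing and fetching CRLs promptly, with a short next-update interval, is meant to close.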

Mobile and Tablet access

Have you ever seen a mobile phone with a smart card slot? Me neither. Smart cards are impossible or very difficult to use with mobile phones and tablets. Centralized PKI digital signing systems make it easy to sign from mobiles and tablets.

Not hacker proof

Don’t make the mistake of thinking that smart cards are fail-safe, ultra-secure technology. The Achilles’ heel is their interface to the rest of the computing infrastructure. This enables a “man in the middle” style of attack against the card and its owner. Any type of attack is rare, including this one. The point is that a smart card does not suddenly grant unassailable security.

Any successes?

I paint a grim picture. Are there any successful uses of smart cards for authentication or digital signatures? Yes, the US Department of Defense and some other US agencies are using them successfully. Also some large corporations and organizations are using them for authentication and access control (not digital signatures). But overall, customers speak with their wallets, and smart cards have not succeeded in the general marketplace.

I want more security than a name and password!

There are answers for this challenge. I’ll discuss some of them in my next post.
