At the recent JavaOne conference in San Francisco, SchlumbergerSema demonstrated the benefits of a Java-based smart card. "A Java what?" was a common response by visitors. A brief explanation showed that anyone with a GSM mobile phone, and many with a credit card, carry one of these around all the time. In an age when processor speeds are measured in gigahertz, it's often difficult to think on a slightly smaller scale.
A smart card is, in essence, a computer that can be carried around in your pocket. It has input/output and power - via a set of metallic contacts - a microprocessor (32 bits will soon be common), ROM, EEPROM (64K in recent models), and an operating system (OS). For a Java-based card the OS, as defined by the Java Card 2.1 standards, is a slimmed-down version of the OS found on a larger computer. The flexibility, security, ease of use, and rapid development cycle of Java technology have made it the leading open standard for the smart card industry.
"But what does it do?" you might ask. As with most computers, the answer to this question is, "What do you want it to do?" Smart cards have been in use for over 20 years, although only fairly recently have they been able to run an actual operating system. Because smart cards are embedded with a microprocessor, they can store large amounts of data and carry out their own card functions, such as encryption and digital signing.
A smart card communicates with a host computer through a card reader, which can generally be connected to a USB, RS232, or PCMCIA port.
Although widely used in GSM mobile phones, the Java Card is a relative newcomer to the network security field. Despite the many advantages of smart card technology, the cost of the reader has been a restraining factor. There are significant advantages, however, and with the cost of readers going down and the introduction of direct-to-USB port technology, the strong value of smart cards as an easy-to-use, portable, and very secure means of logical identification is beginning to be better understood by those outside the immediate industry. With the need for security - both physical and network - becoming ever more critical, it's clear that a portable device with a secure memory is a good investment.
Recent laws in many countries have made electronic signatures a reality and Public Key Infrastructures (PKIs) are becoming more common. They rely on a pair of secure keys that make up a person's digital identity. One of these keys is the "public key," which can be seen and used by anyone to check the authenticity of a document signed using the corresponding "private key." As the name suggests, the private key must be kept secret at all times. A smart card offers the ability to securely create the two keys onboard the card itself, ensuring that the private key is never visible to the outside world. The use of this key to sign or decrypt a message is, again, always done on the card.
While it's possible to do these operations using a computer's hard drive, there are too many worms and viruses to make this a secure alternative. In addition, the common practice of writing down passwords or making them easy to remember is a serious flaw in any security architecture. By using a well-defined structure and communication within the card, it's possible to make certain that there's no access to the secret memory without the correct authorization. Multifactor authentication ensures that, to use the card (and therefore the private key), it's necessary to have the card with you and know the password. A third factor can even allow authentication using a biometric application, such as fingerprint or face recognition.
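The two points above - that the key pair is generated on the card so the private key never leaves it, and that a PIN must be presented before the card will sign - can be seen in a small Java Card applet. The applet below is an added illustration written for this article; it is not SchlumbergerSema code or part of any product. It uses only the Java Card 2.1 API (javacard.framework and javacard.security). The applet and package names, the instruction bytes, the 1024-bit key size, and the PIN limits are this example's own assumptions; the status word 63Cx carrying the remaining PIN tries follows the usual ISO 7816 convention.

```java
package com.example.signer; // hypothetical package name, chosen for this example

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;
import javacard.security.KeyBuilder;
import javacard.security.KeyPair;
import javacard.security.RSAPublicKey;
import javacard.security.Signature;

public class SignerApplet extends Applet {
    // Instruction bytes are this example's own choice, not a standard assignment
    private static final byte INS_VERIFY_PIN  = (byte) 0x20;
    private static final byte INS_GEN_KEYPAIR = (byte) 0x46;
    private static final byte INS_GET_PUBKEY  = (byte) 0x47; // P1=0 modulus, P1=1 exponent
    private static final byte INS_SIGN        = (byte) 0x2A;

    private static final byte PIN_TRY_LIMIT = (byte) 3;
    private static final byte PIN_MAX_SIZE  = (byte) 8;

    private final OwnerPIN pin;
    private final KeyPair keyPair;     // applet fields live in EEPROM, so the keys persist
    private final Signature signer;
    private boolean keysGenerated;

    private SignerApplet(byte[] bArray, short bOffset, byte bLength) {
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_SIZE);
        // Install parameter layout: [AID len][AID][ctrl len][ctrl][data len][data];
        // the applet data is the initial PIN set by the card issuer at personalisation.
        short off = (short) (bOffset + 1 + bArray[bOffset]);   // skip instance AID
        off = (short) (off + 1 + bArray[off]);                 // skip control info
        byte pinLen = bArray[off];
        pin.update(bArray, (short) (off + 1), pinLen);
        keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        keysGenerated = false;
        register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new SignerApplet(bArray, bOffset, bLength);
    }

    // Forget the PIN verification when the applet is deselected, so a cardholder who
    // unlocked the card for one session does not leave it unlocked for the next.
    public void deselect() {
        pin.reset();
    }

    public void process(APDU apdu) {
        byte[] buf = apdu.getBuffer();
        // SELECT (CLA=00, INS=A4): nothing to do
        if (buf[ISO7816.OFFSET_CLA] == (byte) 0x00 && buf[ISO7816.OFFSET_INS] == (byte) 0xA4) return;
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY_PIN:  verifyPin(apdu, buf);  break;
            case INS_GEN_KEYPAIR: generateKeys();        break;
            case INS_GET_PUBKEY:  sendPublicKey(apdu, buf); break;
            case INS_SIGN:        sign(apdu, buf);       break;
            default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    private void verifyPin(APDU apdu, byte[] buf) {
        short len = apdu.setIncomingAndReceive();
        // OwnerPIN.check decrements the try counter on failure and blocks the PIN at the limit
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len)) {
            ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
        }
    }

    private void requireAuthenticated() {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    }

    private void generateKeys() {
        requireAuthenticated();   // only the cardholder may (re)generate the identity
        // Key material comes from the card's own random source and stays in EEPROM;
        // no command in this applet ever copies the private half into the APDU buffer.
        keyPair.genKeyPair();
        keysGenerated = true;
    }

    private void sendPublicKey(APDU apdu, byte[] buf) {
        if (!keysGenerated) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
        // A 1024-bit modulus is 128 bytes, which fits a short-APDU response
        short len = (buf[ISO7816.OFFSET_P1] == 0) ? pub.getModulus(buf, (short) 0)
                                                  : pub.getExponent(buf, (short) 0);
        apdu.setOutgoingAndSend((short) 0, len);
    }

    private void sign(APDU apdu, byte[] buf) {
        requireAuthenticated();   // second factor: card in hand AND PIN known
        if (!keysGenerated) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        short len = apdu.setIncomingAndReceive();   // challenge fits in one short APDU
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        // SHA-1 hashing and PKCS#1 signing both happen on the card; only the signature leaves it
        short sigLen = signer.sign(buf, ISO7816.OFFSET_CDATA, len, buf, (short) 0);
        apdu.setOutgoingAndSend((short) 0, sigLen);
    }
}
```

The host application talks to the card through the reader with four APDUs: VERIFY PIN, GENERATE KEYPAIR, GET PUBLIC KEY, and SIGN. Note that there is deliberately no command that exports the private key, and that a wrong PIN burns one of the three tries, so an attacker who steals the card cannot guess the PIN at leisure.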
Futurists once predicted we would carry computers in our pockets - with smart cards, we already do. Security has become paramount in the global consciousness, and Java-based smart cards offer a secure, mobile, practical, and affordable means of providing physical and information security.
More information about smart cards can be found at www.smartcards.net.
Smart Card Developer's Kit: www.scdk.com.
Ken Greenwood is the business marketing manager for SchlumbergerSema Cards and Transactions.