Smart cards
Smart cards are back in the press this week and the following few recent articles are of particular interest. DotSec has a range of smart card-related skills, and has implemented systems that support smart card authentication at the desktop, as well as Single Sign-On, and we have used smart cards to support two-factor authentication for client-side SSL/TLS, which in turn can be used in a SAML Web-SSO environment. Finally, we have helped private and government bodies to develop Request For Technology briefings for smart card selection, and assisted in the final product evaluation.
- Like PDAs, smart cards need to be easily usable by non-technically minded people. Well done if this is obvious to you, as it is not obvious to many others, and we have seen card projects fall into difficulty because of a lack of appreciation of usability considerations. A well-defined scope and set of usability requirements is critical for any IT project, but doubly so for smart card projects. For example, in considering concerns about smart card security, the person quoted in this article in CIO magazine also raises concerns about data matching and theft. These are valid privacy concerns, but they are not necessarily related to the use of smart cards.
- The New Queensland Driver's License (NQDL) is scheduled for production in late 2008. The NQDL project will replace the current laminated photo-ID driver's license card with a smart card, with the aim of improving identity management, reducing fraud, and supporting secure, on-line citizen-to-government transactions. A little more information on the NQDL project is available from the Queensland Department of Transport's NQDL page.
- The Australian federal government has published a series of documents on the Australian Government Smartcard Framework. The cut-off date for responses to the Standards and Model Specification has now expired.
- Given these kinds of government projects, it is no surprise that security concerns are raised. For example, a recent article in CIO magazine highlights a common concern. However, it's important to remember that questions like "is this system secure?" are meaningless, as no computing system is totally secure. What is important is to know whether the system is acceptably secure, and a good understanding of threats and risk is critical here. Robert Brandewie has noted that the designers of the Common Access Card decided to minimise the information stored on the cards, at least in part to mitigate risks to personnel who were captured. This is a good lesson. Cards are not hack-proof; they are hack-resistant. As the smart card application owner (not the card-holder) you are still responsible for things like key and certificate management, perhaps even more so, since smart cards allow sensitive information to be stored and used by a wide range of technical and non-technical users.