February 2000 
A Token Gesture 

SC TEST CENTER

Introduction

This is the age of smartcards and tokens: a recipe of chips and plastic that makes a dish for the security connoisseur. At least, this is what the developers and resellers will have you believe, and this is why this month’s Test Center is looking closely at the technology behind all the hype, to give you the lowdown on a number of products already available.

Smartcards and tokens are becoming increasingly popular, with many uses such as physical access control, and they are now proving useful when incorporated into PKI solutions. Of course, like passwords, they too can be lost, and a lost card or token potentially poses as much of a security threat as a lost or stolen password. Or does it?

Heralded as an alternative to the security nightmare that passwords pose, smartcards have the advantage that they are very costly to counterfeit, whereas password cracking comes much cheaper. Counterfeiting requires reverse engineering the chip and then manufacturing a new one, an expensive option only feasible for the big-time crook. This, thankfully, prices many of the bad guys out of the market.

There is more than one way to skin a cat, though. Attackers have tried to crack the algorithms that secure the data held within the chip, and side-channel techniques, which monitor the electromagnetic emissions given off during the ‘conversation’ between card and reader at the point of the initial transaction, have also been used to break the security. With increased protection, however, the algorithms now execute differently each time the card or token is used, so what leaks no longer lines up neatly with the secret being processed, and chips carry additional built-in interference to mask the ‘listening’ process. Both present real problems for would-be attackers. Smartcards and tokens are meant to work with security rather than frustrate it, which is better for user relations too.

The principle is simple: no card, no random number; no random number, no access; and after repeated failures, lock-out. So it seems the greater the ‘haul’, the more sophisticated the attack needs to be, with thieves having to spend more money to get what they want. But even if your data isn’t worth much, the challenge alone may be enough to make you worth attacking. This is what has led to new and improved systems of smartcard and token manufacture.
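The rule above, worked through as an added example that is not code from any product reviewed here: a server issues a fresh random challenge, only a token holding the shared key can answer it, and the account locks after a fixed number of wrong answers. The HMAC-SHA256 construction, the three-strike limit, the key and nonce sizes and the user names are assumptions for illustration.

```python
"""Challenge-response authentication with a hardware token and lock-out
(added example; a hypothetical design, not any reviewed product's protocol).

The server sends a fresh random challenge; only a token holding the shared
key can compute the expected answer (HMAC-SHA256 of the challenge); three
wrong answers lock the account, after which even the real token is refused.
"""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3   # assumption: lock the account after three bad responses


class Token:
    """The card or token: holds a per-card secret and answers challenges."""

    def __init__(self, key: bytes) -> None:
        self._key = key          # never leaves the token

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side: enrols tokens, issues challenges, verifies, locks out."""

    def __init__(self) -> None:
        self._keys = {}          # user -> shared key
        self._failures = {}      # user -> consecutive wrong responses
        self._pending = {}       # user -> outstanding challenge (single use)

    def enrol(self, user: str) -> Token:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        self._failures[user] = 0
        return Token(key)        # the key is injected into the card at issue

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_FAILURES

    def verify(self, user: str, response: bytes) -> bool:
        if user not in self._keys or self.is_locked(user):
            return False
        nonce = self._pending.pop(user, None)
        if nonce is None:
            return False         # no outstanding challenge: replay or stale answer
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        # constant-time comparison: an early-exit byte compare leaks timing
        if hmac.compare_digest(expected, response):
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        return False


def demo() -> dict:
    """Walk through the outcomes; returns them for checking."""
    server = AuthServer()
    token = server.enrol("alice")
    nonce = server.challenge("alice")
    answer = token.respond(nonce)
    out = {"with_card": server.verify("alice", answer)}          # True
    out["replay_rejected"] = not server.verify("alice", answer)  # nonce consumed
    for _ in range(MAX_FAILURES):                                # attacker without the card
        server.challenge("alice")
        server.verify("alice", secrets.token_bytes(32))
    out["locked_after_guesses"] = server.is_locked("alice")
    out["card_after_lock"] = server.verify("alice", token.respond(server.challenge("alice")))
    return out
```

Two details matter in practice: each challenge is consumed on first use, so a captured answer cannot be replayed, and the comparison of the expected and received answers is constant-time, since a byte-by-byte early exit would give a listener on the wire the same kind of timing leak the chip countermeasures above are designed to mask.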

This may turn out to be an important move, because in the past new and innovative security devices may have been launched too quickly, which in turn probably led to more security problems. What do I mean? Well, if a product was launched too early in its development, it may not have been ready and may have been much weaker than the second or subsequent versions. Each time a technology was cracked, a trail of ‘learning experiences’ was left behind for the hackers, who, busy learning how to crack it, were then just one step behind the good guys trying to develop the ultimate security device.

In the past, the rush to launch a product often proved an expensive decision. It costs a company dearly when its ‘secure’ systems prove otherwise. Since the early days of card and token development, and the subsequent mistakes that the industry has had to bear, new standards have been introduced to provide a trustworthy product base.

Smartcard developers have had to provide some assurance to their clientele. Until recently each country set its own security standards, which made life complicated. Now there is a Common Criteria against which products are evaluated to ensure that they meet a set standard. Each developer must define a target of evaluation (TOE), the part of the product that is evaluated, and a security target (ST), which identifies the security objectives of the TOE and sets out the functional and assurance requirements that the TOE must meet to earn a given evaluation assurance level (EAL).

The assurance levels, EAL1 through EAL7, measure how rigorously the product and its development were examined, not how strong its mechanisms are; that is rated separately as the ‘strength of function’, graded basic, medium or high, which says how much effort an attacker would need to defeat a mechanism. Using this kind of evaluation, organizations can select products with a level of security suited to the type of operation they are running.

The banking industry, in its search for security, has proved the worth of the smartcard. The French, in particular, moved away from the magnetic stripe card in 1987, when fraud statistics showed that the total loss on all card transactions was 0.269 percent. Their move to smartcard technology cut this figure to 0.02 percent, a reduction of over 92 percent within five years.

So why have IT departments been so slow to take up this new security? Is it reluctance to change? Or maybe they are waiting to see where the industry is going and whether their IT budgets can justify the change.

Our comparative review of fifteen products should provide some of the answers and help an IT department choose the right product for the job in hand. Find out whether this technology is a really strong contender in the war against crime or merely a token gesture.

[CardLogix Product Review]

M.O.S.T. Toolz 2.0
CardLogix, Inc.
$99 (M.O.S.T. Toolz), $299 (Smart Toolz)
(949) 380-1312
sales@cardlogix.com
www.cardlogix.com
 

For
Excellent for an enterprise that wishes to issue its own cards.
Against
Not for everyone, as it involves programming.
Verdict
If you require a unique card for your business, this is one way of securing it.

Where most small- to medium-sized businesses will be more than happy with a pre-set smartcard system for authentication purposes, there may be occasions when a ‘home grown’ system is more appropriate. No one knows better than the business itself what is needed and how. CardLogix, therefore, supplies a smartcard programming kit that lets you define your own rules and requirements so that you can issue your own cards for your own specific purpose. Although the idea of programming your own smartcards may seem daunting, in an organization where doing so would be entirely beneficial it is certainly worth considering.

The Smart Toolz kit is a comprehensive suite of software and hardware that includes everything you need to develop PC-based smartcard applications; M.O.S.T. Toolz is an add-on for the original kit.

The card supplied with M.O.S.T. Toolz uses a powerful 8-bit microcontroller and has 64 Kbit of user memory (4, 32 and 128 Kbit capacities are also supported). It runs the microprocessor operating system technology (M.O.S.T.) operating system, which provides authentication, advanced password security logic and a file management system. The file management system is not unlike the directory structure found on a PC, and it is this that allows one card to be programmed for several purposes at once.

CardLogix produced the kit so that the card system can be designed, programmed and implemented by the user. It contains both the hardware and the software required to produce the system cards. The software, the CardAppz application software, allows the card developer to test and demonstrate different database structures without any programming, so that the design and its feasibility can be checked before moving on to card issuing, thereby avoiding expensive mistakes.

Once this design and test stage has been completed, CardAppz is used, along with the rest of the Smart Toolz kit, to personalize the cards. This may not be an easy option, but it provides the diversity many organizations need from their smartcard system and can easily cut the cost of running more than one system and issuing numerous cards.
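The card’s PC-like file system with password-gated access, and the design-test-then-issue workflow described in the last three paragraphs, as one added example. This is a hypothetical model written for this review, not the M.O.S.T. card’s real file layout, command set or API: the access conditions, the three-try PIN counter, the staff-card layout and the data values are all assumptions for illustration.

```python
"""Hierarchical smartcard file system with PIN-gated access (added example;
a hypothetical model, not the real M.O.S.T. card API). A dict is a
directory and a DataFile a file, as on a PC; each file has a read and an
update access condition; wrong PINs count down a retry counter that blocks
the card at zero. check_layout() is the design-time test, personalise()
the issuing step.
"""
from dataclasses import dataclass
from enum import IntEnum
import hmac

class Access(IntEnum):   # ordered weakest to strongest
    ALWAYS = 0           # anyone with a reader
    PIN = 1              # holder, after PIN verification
    NEVER = 2            # fixed at personalisation

@dataclass
class DataFile:
    read: Access
    update: Access
    data: bytes = b""

class CardError(Exception):
    pass

def check_layout(tree: dict, prefix: str = "") -> list:
    """Paths whose update condition is weaker than their read condition:
    someone not allowed to read such a file could still overwrite it."""
    bad = []
    for name, node in tree.items():
        if isinstance(node, dict):
            bad += check_layout(node, f"{prefix}/{name}")
        elif node.update < node.read:
            bad.append(f"{prefix}/{name}")
    return bad

class Card:
    MAX_PIN_TRIES = 3

    def __init__(self, tree: dict) -> None:
        self.tree, self._pin, self._verified = tree, None, False
        self.tries_left = self.MAX_PIN_TRIES

    def personalise(self, pin: bytes, values: dict) -> None:
        """Issuer step, done once: load data regardless of access conditions."""
        if self._pin is not None:
            raise CardError("card already issued")
        for path, data in values.items():
            self._lookup(path).data = data
        self._pin = pin

    def verify_pin(self, pin: bytes) -> bool:
        if self._pin is None or self.tries_left == 0:
            return False                            # unissued or blocked card
        if hmac.compare_digest(self._pin, pin):     # constant-time compare
            self.tries_left, self._verified = self.MAX_PIN_TRIES, True
            return True
        self.tries_left, self._verified = self.tries_left - 1, False
        return False

    def _lookup(self, path: str) -> DataFile:
        node = self.tree
        try:
            for part in path.strip("/").split("/"):
                node = node[part]
        except KeyError:
            raise CardError(f"no such file: {path}") from None
        return node

    def _check(self, cond: Access, what: str, path: str) -> None:
        if cond is Access.NEVER or (cond is Access.PIN and not self._verified):
            raise CardError(f"{what} denied: {path}")

    def read(self, path: str) -> bytes:
        f = self._lookup(path)
        self._check(f.read, "read", path)
        return f.data

    def update(self, path: str, data: bytes) -> None:
        f = self._lookup(path)
        self._check(f.update, "update", path)
        f.data = data

def sample_layout() -> dict:
    # constructed staff-card layout: public ID data, PIN-protected door rights
    return {"ID": {"NAME": DataFile(Access.ALWAYS, Access.NEVER)},
            "ACCESS": {"DOORS": DataFile(Access.PIN, Access.NEVER),
                       "LOG": DataFile(Access.PIN, Access.PIN)}}

def demo() -> dict:
    """Design, check, issue and use the sample card; returns the outcomes."""
    tree = sample_layout()
    card = Card(tree)
    card.personalise(b"1234", {"/ID/NAME": b"A. Holder", "/ACCESS/DOORS": b"LAB,SERVER"})
    out = {"layout_ok": check_layout(tree) == [], "name": card.read("/ID/NAME")}
    try:
        card.read("/ACCESS/DOORS")              # PIN-protected, no PIN presented yet
        out["doors_without_pin"] = "allowed"
    except CardError:
        out["doors_without_pin"] = "denied"
    out["pin_ok"] = card.verify_pin(b"1234")
    out["doors_with_pin"] = card.read("/ACCESS/DOORS")
    for guess in (b"0000", b"1111", b"2222"):   # attacker guessing the PIN
        card.verify_pin(guess)
    out["blocked"] = card.tries_left == 0
    out["real_pin_after_block"] = card.verify_pin(b"1234")
    return out
```

The check worth carrying into a real design is the one in check_layout: a file whose update condition is weaker than its read condition can be overwritten by a party who is not even allowed to read it, and that is exactly the kind of mistake the review says should be caught at the design and test stage rather than after thousands of cards have been issued.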

The manuals supplied with the card and reader are very thorough, and each step is well documented. You are also asked to consider how the cards will be used, the type of information they will store and the security level required for some or all of the stored data. Scalability and management also have to be taken into account, and the manual certainly makes a good case for thorough planning before design and deployment take place.

For the full article please refer to www.infosecnews.com
