For Tech's Sake: Verification, Authentication and Security Finally Deal Smart Cards a Winning Hand

This is the year of the smart card ? again.For at least 15 years, purveyors of the plastic card with the built-in microprocessor have been promising that "this year" would be the one in which their technology takes off. Their attention has careened among smart-card applications for banking, financial payments, telecommunications, transportation, medical records and personal identification. (Actually, European chipmaker Schlumberger unveiled the world's first memory smart card prototype in 1979, marking this year as the quarter- century anniversary of smart cards' breakthrough.)Finally, though, this year truly might be the year of the smart card. The emergence is coming in large part via several fast-moving federal initiatives for identity verification ? notably Homeland Security Presidential Directive/HSPD-12 (http://www.fas.org/irp/offdocs/nspd/hspd-12.html) ? and aggressive military record-keeping projects. Moreover, a State Department smart-card passport project, unveiled in mid-October, and September's General Accountability Office report on federal adoption of the technology (http://www.gao.gov/highlights/d04948high.pdf) have focused even greater attention on the long-simmering, portable processing power of smart cards. The flurry of activity follows the 2002-03 efforts by an Interagency Advisory Board, created by the Office of Management and Budge and the General Services Administration to advise agencies on how to implement greater security, including in their moves toward electronic commerce. The resulting Federal Identity Credentialing Committee expects to complete its policy standards by year's end, and they are likely to include smart-card directives. The brightest spotlight today is on the National Institute of Standards and Technology. NIST expects to issue its first public draft early next month for the smart-cards requirements to be used in the Personal Identity Verification Standard. That's the authentication system for federal employees and contractors as set forth in HSPD-12, which is due for implementation Feb. 28, 2005. In recent congressional testimony, Benjamin Wu, nominee for assistant secretary of Commerce for technology policy, said that over the past decade, federal agencies postponed large smart-card systems because of a lack of interoperability among different types of cards."Without assurances of interoperability, agencies would be locked into a single vendor," Wu said. Integration and Collaboration EmergeIn keeping with Wu's cautionary comments, the new wave of smart-card deployments relies on greater integration. For example, the Defense Department's Common Access Card (CAC) project, quickly adopted for about 3.5 million active-duty military personnel, selected Reservists, civilian employees and eligible contractors, has demonstrated the value of a smart card that can be used for both physical and logical applications. The card provides identification and secure access to computer networks and buildingsKathleen Phillips, vice president of sales and marketing at Fargo Electronics Inc., which supplied the high-definition printer and encoder system for the CAC project, also emphasizes the need for a fully integrated system. "There has been so much of a struggle to bring this technology to fruition," Phillips told me from her office near Minneapolis. "There was no interoperability, no talking between the physical and logical guys."Now, she hastens to add: "It's falling into place." Phillips credits EDS Corp., a prime contractor for recent smart-card projects, as "playing a big part in software and card management ? to give everyone a common language."The CAC project, seen by many as a turning point in smart-card acceptance, lets authorized users carry one card for access to computer systems and buildings, the "logical" and "physical" venues. The cards include public key infrastructure capability, which is used to log onto networks and secure e-mail. According to Phillips, the arrangement means that people can carry one card instead of two to seven separate ID and access cards. Overall, the program had reduced the number of cards in use from an estimated 30 million to about 4 million, providing significant time and cost savings from the issuance process alone ? not to mention the greater security capability. Moreover, as Phillips points out, a soldier can now use the same card at a Reserve post in the United States and days later at a front-line position in Iraq where he or she is deployed. Last month, Fargo sold 240 units of its HDP600-LC card printer and encoder to a federal agency that demanded anonymity. The agency plans to distribute smart cards to all employees and contractors for secure access facilities and information systems. This latest implementation of Fargo's technology lets agencies print over the edge of cards, tightly around microprocessor chips and on a variety of card surfaces. The Fargo systems will be incorporated into the unnamed agency's card project by MPC Computers of Nampa, Idaho, a government contractor, and TransTech Systems, a value-added distributor of ID badging and access control products.Although Fargo declines to identify its new client, several agencies are known to have stepped up their smart-card initiatives, even as they await NIST's standardization report. For example, the Homeland Security Department expects to distribute 250,000 smart cards that use PKI and digital signatures to let employees and contractors access the secure DHS network. Meanwhile, Veterans Affairs is preparing a similar project that will involve 500,000 smart cards. NASA is preparing to issue smart-card identity credentials, according to the Smart Card Industry Alliance, a trade group (www.smartcardalliance.org). On another front, U.S. passports will soon include a contactless chip and secure operating software, all supplied by Axalto, the European smart-card vendor. The computer chip, embedded in the passport cover, will contain all the information now printed on the document's data page, including a digitized photograph of the passport owner. The text data and the photograph can be read with a contactless reader at border entry points, comparing the passport data to information and photo supplied when the passport was issued. The Government Printing Office, which assembles all passports, will embed the chip into the passport cover. The new Axalto contract calls for a small, initial production run this year, ramping up to 1 million electronic passports in 2005 and all new passports (about 7 million annually) by 2006. The Axalto technology has been tested to sustain for a passport's 10-year life. The U.S. passport project adheres to a new global plan seeking to add facial biometrics and other security features to passport books worldwide.These and other smart-card projects emerge in the shadow of the GAO report, which noted that nearly half of federal smart-card projects had been discontinued, "deemed no longer feasible" or absorbed into other initiatives during the past year. Security requirements and the increasingly complex demands of a mobile and multitasking workforce are bringing smart cards into the spotlight. Equally important, there is now sufficient focus on integration and standardization, which have foiled many earlier attempts to deploy the chip-in-card systems.The year ahead, at last, may become the year of the smart card.