Using Smart Cards - A Smart Move

A new technology is being introduced into the world of access control systems. Built around miniature computers called smart cards, these new access control systems use a radically different design architecture. As smart card systems become commercially available, their major impact will not be to displace existing systems. Rather, they will expand the access control marketplace to provide security applications that previously did not exist.

Smart card access control systems provide three key benefits. First, central controller computers are not required. Second, the information on the access cards is more secure. Third, the access cards make a broad variety of additional applications possible.

The system architecture is the key to understanding what makes smart card access systems different. Nearly all of today's access control systems depend on a data file that contains access information. The data file is a cross-index of people and their access authorizations.

Smart card systems use a design known as a totally distributed data base, which makes it unnecessary to maintain an access data file. Instead, each person carries his or her own personal access authorizations on individual smart card computers.

Before discussing access systems any further, it is important to understand what a smart card is. A smart card looks like an ordinary credit card. More accurately, it is a miniature computer packaged inside a plastic, card-sized container.

Like all computers, the computer in a smart card has an operating system, a central processing unit (CPU), and internal memory. Unlike other computers, the smart card computer normally is inert. It has no power supply of its own. The smart card computer operates only when a special read/write device provides it with power and exchanges coded commands with its operating system program.

Smart cards commonly are compared to magnetic stripe cards, but this comparison is seriously misleading. A smart card is a computer, while a magnetic stripe card is merely a data medium.

Comparing a smart card to a magnetic stripe card would be the same as comparing a PC to a floppy disk. The PC and the smart card are computers that process information; floppy disks and magnetic stripe cards are merely media on which information is stored.

Other types of cards also have chips in them but do not have CPUs or operating systems. People sometimes call these smart cards, too. More accurately, these should be called memory cards.

Using the PC analogy again, memory cards are roughly equivalent to a PC's random access memory (RAM) without having a disk operating system (DOS) or the capability of executing a program. Smart cards, in contrast, are computers that can execute programs.

WHEN YOU INSERT YOUR SMART CARD into a reader at a protected access point, the reader interrogates your smart card computer. It determines:

* if your card is valid for this system,

* if your card has expired, and

* if you have authorization on your card for entry through this particular access point at this date and time.

The reader at the door does not need to access a master list of people who have access authorizations. All the information it needs to make the access decision is stored in your smart card computer memory.
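The offline decision described above, as an added example that is not part of the original article: a door reader runs the three checks using only data carried on the card. The record layout, the door names, and the use of an HMAC under a shared system key to model "valid for this system" are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime

SYSTEM_KEY = b"constructed-demo-key"  # assumption: key shared by issuer and readers

def seal(record: dict) -> str:
    """Issuer side: MAC over the card record so a reader can check it offline."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(SYSTEM_KEY, body, hashlib.sha256).hexdigest()

def decide(card: dict, door: str, now: datetime) -> str:
    """Reader side: the three checks from the text, with no central list."""
    record, tag = card["record"], card["tag"]
    # 1. Is the card valid for this system? (record must match its MAC)
    if not hmac.compare_digest(seal(record), tag):
        return "deny: not valid for this system"
    # 2. Has the card expired? (ISO dates compare correctly as strings)
    if now.date().isoformat() > record["expires"]:
        return "deny: expired"
    # 3. Is there an authorization for this door at this date and time?
    for rule in record["access"]:
        if (rule["door"] == door and now.weekday() in rule["days"]
                and rule["from"] <= now.strftime("%H:%M") < rule["to"]):
            return "grant"
    return "deny: no authorization for this door and time"

# Constructed sample card: weekday access to one door, 07:00 to 19:00.
RECORD = {
    "holder": "E-1001",
    "expires": "1992-12-31",
    "access": [{"door": "lab-2", "days": [0, 1, 2, 3, 4],
                "from": "07:00", "to": "19:00"}],
}
CARD = {"record": RECORD, "tag": seal(RECORD)}

if __name__ == "__main__":
    print(decide(CARD, "lab-2", datetime(1992, 3, 4, 9, 30)))
```

A record edited after issue (for example, a later expiry date) no longer matches its tag, so the reader rejects it at the first check without consulting any central file.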

With the distributed data base architecture, it is not necessary to tie remote locations to controlling computers with secured communications lines. Access control systems can be installed where they were previously impractical and at far less expense.

For example, an access control system can include doorways in buildings hundreds of miles away. A company can use the system to protect access to locations that are totally mobile, such as armored trucks or van-based, data-processing disaster recovery systems. This capability also permits low-cost installations in existing structures where it would be difficult to extend lines from access points to a central controlling computer.

Smart card systems also have steady response performance whatever the system size. In systems that check authorization through a central list, performance slows as the size of the list increases.

A smart card system does not check a central list. A company can add any number of locations and people to the system, and the response time at each door stays the same.

The distributed data base architecture does not eliminate the possibility of connecting to a central monitor or existing alarm systems. Instead, it makes the central connection optional and changes the nature of the central computer's function.

With a smart card system, the central computer never communicates access authorization information or approvals. The central computer is used only for monitoring and reporting access activities for locations at which a real-time or near real-time connection is desired.

INFORMATION KEPT ON SMART CARDS IS highly secure. The cards contain a single computer chip, so no one can read the information contained in the card's memory without going through the smart card operating system.

To access information, a person needs to know computer chip commands, personal identification numbers (PINs), and encryption keys. The threat of reading or altering card information without authorization is almost totally eliminated, as is the possibility of card forgeries.

In contrast, typical access control systems use cards or tokens that are passive memory devices. Connected to an appropriate reader, the card simply dumps its stored data on demand.

Methods that make access cards more secure typically involve secret ways of altering the data storage techniques. These methods are not particularly hard to defeat. Moreover, even the best of them is easily defeated using a stolen reading device.

Smart card security is enhanced using PIN protection. If a person uses a card without authorization, the card will not work if the perpetrator does not know the PIN.

With a smart card system, the computer inside the card does the PIN matching process. The real PIN is never unencrypted or communicated outside the smart card's computer.

If a person finds or steals a smart card and attempts to guess a PIN, the card's computer disables itself automatically after a specified number of incorrect PIN entries (usually three). These features maximize PIN protection.

Performing the PIN check inside the smart card computer offers another advantage. An additional security threat is eliminated because the system requires no central PIN file that could be compromised.
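The on-card PIN check and automatic disabling described above, as an added example that is not part of the original article: the class models logic that would run inside the card, so the reader only ever sees a status. The class and function names are hypothetical, and the salted PBKDF2 digest is a stand-in for the card's protected PIN storage.

```python
import hashlib
import hmac
import os

class CardPin:
    """Models the PIN logic that runs inside the card (hypothetical names)."""
    MAX_TRIES = 3  # "usually three" in the text

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._ref = self._digest(pin)  # stored reference; never leaves the card
        self.tries_left = self.MAX_TRIES

    def _digest(self, pin: str) -> bytes:
        # Assumption: stand-in for however the card protects its stored PIN.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def verify(self, pin: str) -> str:
        """The reader submits a candidate PIN; only a status comes back."""
        if self.tries_left == 0:
            return "blocked"
        # Spend a try before comparing, so an interrupted check still counts.
        self.tries_left -= 1
        if hmac.compare_digest(self._digest(pin), self._ref):
            self.tries_left = self.MAX_TRIES  # success resets the counter
            return "ok"
        return "blocked" if self.tries_left == 0 else "wrong"

def statuses_for(card: CardPin, entries: list) -> list:
    """Submit each PIN entry in turn and collect the card's status replies."""
    return [card.verify(entry) for entry in entries]

if __name__ == "__main__":
    # Constructed PIN and entries: the card disables itself on the third miss,
    # and the correct PIN entered afterwards is refused as well.
    print(statuses_for(CardPin("4821"), ["0000", "1111", "2222", "4821"]))
```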

THE SMART CARD ARCHITECTURE LENDS itself to expanding the use of the cards well beyond the secure access function. It is this potential for expanded functions that sets smart card access systems apart from all other access control systems.

Smart cards differ from other secure access tokens in two important ways. First, each smart card contains a full-functioning, multipurpose computer. And second, compared to other secure access devices, smart cards carry vastly more information.

Standard magnetic stripe cards, for example, carry less than 400 characters of information. Smart cards that are now commercially available carry up to 8,000 characters. Therefore, a single smart card can carry many types of information, such as digitized photos or fingerprints, time and attendance records, electronic bonuses, and debit balances at company stores.

Consider the PC analogy again. You buy a PC to work with spreadsheets. Once the PC is in your home, it is easy to add a new program for word processing or balancing the checkbook. Similarly, a company might purchase smart cards for secure access control. Then, once all employees are carrying smart card computers in their pockets, it is easy for the company to add new programs for other functions.

Using smart cards as electronic ID cards is a natural extension of the secure access function. The smart card's memory can hold a variety of personal data, such as birth date, social security number, insurance information, employee ID number, special company codes and clearances, and training certifications.

When an employee needs to provide personal information to a company, he or she places the smart card into a reader. First, a program checks the authority of the person requesting the information. If the person is authorized to receive it, the smart card delivers the specified information quickly and accurately. The smart card does not deliver information that is not requested or information the requester is not authorized to read.

ID photographs can be mutilated, worn off, or replaced by someone who finds or steals an ID card. With smart cards, the company can actually place the identification in the card, not on the card.

The smart card carries a high-quality digitized photograph in its memory. At a security checkpoint, a person places his or her card into a reader and the person's photograph shows up on a television screen within seconds. If someone's hairstyle changes, it takes only a few minutes to digitize a new image and rewrite the photo data into the card's memory.

Smart cards solve problems of access to machinery or information. A security manager can write the authorizations for operating certain machinery into each employee's smart card.

By installing a smart card reader as an on-off switch, the system ensures that machines, laboratory equipment, and power tools are used only by authorized employees and only at designated dates and times. Similarly, by writing encryption keys in a card, the system ensures limited access to confidential information.

Another function to add to a smart card access system is time and attendance. If employees are using the cards to enter and exit a secured facility, it is easy to track actual times they are at a workplace.

This information can be recorded at a central computer communicating with the location access security devices. Or, it can be tracked in each employee's smart card and downloaded periodically at central reporting points.

Smart cards can provide accurate information for organizations that need to know exactly where people have been and how long they spent there.

Since all employees have a smart card, they might as well use the cards for making purchases, too. The identification can function as a debit card by loading it with electronic money. This eliminates the need for employees to carry cash, thus eliminating the possibilities of theft or loss.

Employees could use the cards to make purchases at the cafeteria, the gift shop, or other stores that have a company-provided smart card reader.

In addition, employees could be given electronic bonuses. They could redeem the bonuses in a gift shop or use them as time earned in the company's health club.

THIS NEW GENERATION OF SMART CARD access systems, or more broadly, smart card ID systems, is not far off. All the necessary technology is in place. Early commercial prototypes are now available. The critical items that will drive this product line into general use are security, cost, product availability, and time.

Already, increased concerns about security are leading organizations to look for more sophisticated access controls. Smart card systems provide levels of security that are both broader and stronger than the capabilities of earlier technologies.

The security of card information is increased, and the likelihood of card forgeries is nearly eliminated. Smart card systems extend secure access easily to machines, control panels, computer networks, and other functions that companies find a need to protect.

Cost is the factor that will slow acceptance at first. Although life-cycle costs can be shown to be quite similar, initial investment costs are higher for smart card systems than for other types of access control technologies. This is due to the cost of the cards.

Today's cost for this technology is about $12 to $15 per smart card. While this is a high price for a card, it is a great price for a computer, which is what you are really buying. If you add a second application to the card, the cost per application is appreciably less because the hardware investment has been made already.

The cost of smart cards will diminish as demand and volume increase. As vendors tie various functions into integrated smart card systems, cost will be less important because the cards will be serving multiple purposes. The cost per application will diminish as the cards provide additional applications.

By the end of this decade, smart cards will be commonplace in this society. People will carry many of them in their wallets and purses.

Smart cards will be our PC data bases. They will keep our personal information safe, yet make it quickly and accurately available whenever we need it.

The widespread use of smart cards will promote better services and greater personal privacy. You will carry your personal information on your card instead of having it kept in numerous institutional data bases. Your card's data will be protected by a PIN and an on-card digitized biometric such as a photograph, fingerprint, or hand-geometry pattern.

Due to your positive identification as the card's owner, the card can be sufficient to qualify you for entitlements or privileges. Supplementary ID checks, such as social security number or driver's license, will be unnecessary.

Beyond physical access controls, organizations find themselves in need of general ID capabilities, authorizations to operate selected devices, and clearances to sensitive information. Once systems are available that can provide all these security services in a single package, their use and cost-effectiveness will become increasingly evident in a security-conscious world.

Joel S. Zimmerman, PhD, is director of SYSCON Corporation's Smart CARD Center in Williamsburg, VA. He also teaches in the graduate programs at the Hampton, VA, campus of the George Washington University. Zimmerman is a member of ASIS.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:Access Control
Author:Zimmerman, Joel S.
Publication:Security Management
Date:Jan 1, 1992