Smart Cards and Biometrics: Your Key to PKI

The cool way to make secure transactions.
Export Regulations

The laws regarding export of strong cryptography are a patchwork quilt at best; collectively they represent possibly the largest hurdle to be overcome. Solutions that employ message recovery features such as multiple key encryption or key recovery will help move legislation forward. Currently, the worldwide nature of the Linux development community and the modular approach of the MUSCLE project would seem to facilitate the spread of this technology.

Conclusion

Integrating smart cards, biometrics and public key cryptography provides a solid foundation for developing secure applications and communications. The highest level of security uses three-factor authentication:

  • Something you know (password or PIN)

  • Something you have (smart card, magnetic stripe card or a physical key)

  • Something you are (your fingerprint, retinal/iris scan or voice pattern)

An individual gains three-factor authentication by combining a smart card, a biometric and a PIN. If the user loses the smart card, the card is inoperable without the biometric. A forged fingerprint is weeded out by the PIN, and a guessed PIN is useless without the card and the finger.

In a smart-card-secure world, you are not locked into one form of authentication, such as the ever-vulnerable password. You control your identity because it is contained on the card you carry with you. Even if attackers run Crack 5.0 on your Internet provider's password file, they cannot gain access without possession of the smart card tucked safely in your own front pocket.
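The login flow the two paragraphs above describe, as an added example that is not code from the article or from the MUSCLE project: a simulated card holds an RSA private key that never leaves it and signs a fresh server challenge only after the PIN and a fingerprint template match both pass, while the server keeps nothing but the public key. The class and function names (SmartCard, Server, run_scenarios), the constructed fingerprint feature vectors, the Hamming-distance matcher and the stdlib-only textbook RSA are all assumptions made for the demonstration; a production card would use 2048-bit RSA or ECC with proper signature padding.

```python
# Added example: three-factor challenge-response against a simulated smart card. Not code
# from the article or the MUSCLE project; names and the toy stdlib RSA are illustrative.
import hashlib, hmac, math, random, secrets

class AuthError(Exception): """A factor check failed or the card is locked."""

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; callers pass large odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1        # full-size and odd
        if is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, rng=None):
    """Textbook RSA, ((n, e), (n, d)); 512 bits is a toy size chosen for speed."""
    rng, e = rng or random.SystemRandom(), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def hamming(a, b):                          # differing bits between two feature vectors
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class SmartCard:
    """Something you have; it also checks what you know (PIN) and what you are (scan)."""
    MAX_PIN_TRIES, BIO_THRESHOLD = 3, 20            # threshold: max differing bits of 256
    def __init__(self, pin, template, rng=None):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()    # PIN not kept in clear
        self._template = template                                 # enrolled scan, never exported
        self.public_key, self._private_key = generate_keypair(rng=rng)
        self.pin_tries_left = self.MAX_PIN_TRIES
    def sign_challenge(self, challenge, pin, scan):
        if self.pin_tries_left == 0:
            raise AuthError("card locked")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.pin_tries_left -= 1                  # try counter stops PIN brute force
            raise AuthError("bad PIN")
        self.pin_tries_left = self.MAX_PIN_TRIES
        if hamming(scan, self._template) > self.BIO_THRESHOLD:
            raise AuthError("biometric mismatch")
        n, d = self._private_key
        return pow(digest_int(challenge), d, n)       # private key never leaves the card

class Server:
    """Holds public keys only, so a copied account file cannot log anyone in."""
    def __init__(self):
        self.accounts, self._pending = {}, {}
    def enroll(self, user, public_key):
        self.accounts[user] = {"public_key": public_key}
    def new_challenge(self, user):
        self._pending[user] = secrets.token_bytes(32)  # fresh nonce per login attempt
        return self._pending[user]
    def verify(self, user, challenge, signature):
        if self._pending.pop(user, None) != challenge: # one-shot: unknown or reused nonce
            return False
        n, e = self.accounts[user]["public_key"]
        return pow(signature, e, n) == digest_int(challenge)

def run_scenarios(seed=7):
    """Constructed demo: one good login and the failure cases the article describes."""
    rng = random.Random(seed)        # seeded so the demo repeats; never do this for real keys
    template = hashlib.sha256(b"constructed enrolment scan").digest()
    live = bytes(b ^ (i in (0, 5, 9, 17, 30)) for i, b in enumerate(template))  # 5 bits differ
    impostor = hashlib.sha256(b"constructed impostor scan").digest()
    card, server = SmartCard("4921", template, rng), Server()
    server.enroll("alice", card.public_key)
    def attempt(pin, scan):
        ch = server.new_challenge("alice")
        try:
            return server.verify("alice", ch, card.sign_challenge(ch, pin, scan))
        except AuthError:
            return False
    out = {"all_three_factors": attempt("4921", live),
           "stolen_card_wrong_pin": attempt("0000", live),
           "stolen_card_forged_finger": attempt("4921", impostor)}
    n, _ = server.accounts["alice"]["public_key"]           # all a leaked record contains
    out["leaked_server_record"] = server.verify("alice", server.new_challenge("alice"), rng.randrange(1, n))
    ch = server.new_challenge("alice")
    sig = card.sign_challenge(ch, "4921", live)
    out["replayed_signature"] = server.verify("alice", ch, sig) and server.verify("alice", ch, sig)
    for _ in range(SmartCard.MAX_PIN_TRIES):
        attempt("1111", live)
    out["card_locked_after_retries"] = attempt("4921", live)
    return out
```

Calling run_scenarios() returns a dictionary in which only all_three_factors is accepted: the stolen card fails without the PIN or the right finger, the leaked server record yields only a public key and so cannot produce a valid signature, a replayed signature is rejected because each challenge is consumed once, and three wrong PINs lock the card even for its owner. The biometric check deliberately tolerates a few differing bits, since a live scan never reproduces the enrolled template exactly; the threshold is where false accepts and false rejects are traded off.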

The argument for improved security is a noble one. Some methods of achieving improved security may use expensive hardware and still be relatively easy to compromise. Most shared-secret (symmetric) schemes fall into this category: both ends must hold the same key, and it is only a matter of time before a shared secret is no secret at all. Smart cards combined with biometrics provide today's best approach to securing electronic data. But as your mother may have told you, the only way to truly keep a secret is never to share it.

David Corcoran is a student studying Computer Science at Purdue University. He works with the COAST/CERIAS labs directed by Gene Spafford and also as a Knowledge Worker for Schlumberger Limited in Sugar Land, Texas. He can be reached at corcordt@cs.purdue.edu.

David Sims is the Technical Manager of Information Technology for Schlumberger Limited, based in Sugar Land, Texas. He holds a BS degree in Mechanical Engineering from Washington University in St. Louis, Missouri. He can be reached at sims@sugar-land.sl.slb.com.

Bob Hillhouse is a Senior Software Engineer for American Biometric Company. Based in Ottawa, Ontario, Canada, he holds a BMath degree in Computer Science with Electrical Engineering Electives from the University of Waterloo. He can be reached at bob@abio.com.

______________________

Comments


Smart cards and Biometrics based Public Distribution Systems

Anonymous

Hey, can anyone suggest what will be the modules in a smart card and biometrics based Public Distribution System (PDS)?

dude how the hell do i get

Anonymous

Dude, how the hell do I get the damn source code for this project...?

Heh, I always thought

Anonymous

Heh, I always thought biometrics couldn't be used as keying material. I thought the devices using it would be like, "oh, your fingerprint matches! Here you go, have this plaintext from my HDD!" Good to know that's not true.

Re: Smart Cards and Biometrics: Your Key to PKI

mahadevan_keyan

Have you guys looked at key generation from biometrics? That will solve the problem of key management. We can look at applications like e-voting, which is currently a hot topic.
