Security Dynamics Technologies, Inc.
A Discussion on the Issues Related to Smart Card Introduction

Introduction: SecurID and Two Factor Authentication

Security Dynamics Technologies, Inc. is the market leader in enterprise information security. The company's SecurID technology is the de facto standard for user identification and authentication (I&A) through the use of two-factor identification. The SecurID token is available in a number of formats or "form factors", including an independent, hand-held credit card-sized token, a key fob style, and a Windows-based software version. The SecurID token acts as the "something the user has" factor by providing the user with a one-time, pseudorandomly generated tokencode. The end-user supplies the "something the user knows" factor, namely a personal identification number or PIN. The combination of the PIN and tokencode, along with the user's public username, is provided to the corresponding network-based Security Dynamics ACE/Server software to ensure, with a high degree of confidence and reliability, the authenticated identity of the user attempting access to network resources.

As a technology for user I&A, SecurID is unsurpassed, gaining ever-increasing popularity and application. SecurID currently offers the broadest support for securing direct dial and internet remote access services, ensuring that Security Dynamics solutions integrate into the existing customer infrastructure to solve today's problem of identifying the users accessing corporate resources. The SecurID token's flexibility and ease of use (it has no dependence on its location nor the device being used to gain access to the network) make it the obvious and ideal choice for the vast majority of remote access applications today.

Future Requirements for Security Services and Tokens

Security Dynamics sees the need to expand its product offerings to include the network security services which will be required by more sophisticated customers. These services are primarily encryption-based, built on a strong authentication of the end-user. Such services typically rely on the existing RSA standards for a public/private key infrastructure (PKI): virtual private networking (VPN), secure messaging, secure desktops, digital signatures, public and private key management, user privilege and access control definition, and secure single sign-on are examples of the desired applications. (RSA is the recognized world leader in cryptographic research and development. Today, there are approximately 80 million instances of RSA encryption technology in use worldwide.) In order to enable the incorporation of PKI security services into its offerings, SDTI introduced early in 1997 the Enterprise Security Services (ESS) product roadmap, which will deliver add-on (not replacement) modules to the flagship, award-winning ACE/Server. This strategy allows current and future ACE/Server customers to invest in, and take advantage of, only the additional technology components they require to evolve their network security policy.

A requirement of Public Key Infrastructure security offerings is the storage and management of an individual's private keys, public keys, and digital certificates. In taking advantage of the PKI technologies, Security Dynamics will provide an additional, new form factor for its tokens: the smart card. The ISO 7816 standard smart card is a plastic card having the size and shape of a credit card, and containing a microprocessor chip with both secure storage of public/private key data and cryptographic processing capabilities. The emphasis of the Security Dynamics smart card will be on cryptographically secure storage of a user's security data, and secure execution of security applets (e.g. for signatures, biometrics, encryption algorithms). These cards are much more secure for data and executables than stored-value smart cards. The implementation of smart cards requires a smart card reader for each end-user into which the end user inserts the card in order for it to be used.

Issues and Timing of Smart Card Deployment

There are three primary impediments to mass deployment of these smart cards:

The recent heightened interest in advanced smart card usage was expected to result in rapid development of highly functional products at reasonable prices, which has not been the experience to date. Ideally, the smart card reader will be built into as many PC and workstation devices as possible directly by their manufacturers. For now, the readers carry a relatively high cost of ownership to IT organizations as add-on devices which have not seen widespread deployment. It is expected that smart card readers will be a standard option integrated with most popular laptop and desktop computers by year 2000.

The Combination of Traditional SecurID Tokens and Smart Cards

Customers of Security Dynamics using today's standalone SecurID tokens will have the option of continuing to use these cards, fobs, etc. for those users not requiring additional PPK-based services. For example, users securely dial into the corporate network via a remote access device (as provided by Cisco, Shiva, Ascend, 3Com/USR, Microsoft, etc.), where ACE/Server positively identifies and authenticates the end-user, effectively securing the network perimeter against unauthorized access. In many customer environments, a major advantage of the standalone SecurID token is its independence of the user's access device: UNIX workstation, home PC, telephone set, etc. can all be used interchangeably without concern for interoperability with the SecurID card.

Customers evolving to a public/private key infrastructure can do so with the protection of SecurID. Security Dynamics is implementing its SecurID algorithm on a cryptographically secure smart card to support customers who deploy smart cards before upgrading their network to a public/private key infrastructure. Security Dynamics is also implementing the security features of a smart card in software to support customers deploying PKI applications before all end-users have smart cards and readers. The software smart card will be unlocked and accessed only after a SecurID authentication of the end-user. These are efforts that Security Dynamics is undertaking to encourage the implementation of PKI and to ease the effort in migrating a strong SecurID program to the world of smart cards.

The Transition to SecurID/RSA Smart Cards

SecurID will continue to enjoy tremendous market acceptance due to its flexibility, ease of use and supportability, and user device-independence. Users requiring the smart card will be able to switch to this form factor to take advantage of the added security features it enables, once the customer network and applications have been upgraded and modified to take advantage of these features. It is expected that the majority of SecurID cards and fobs deployed today will live out their three or four years with the original end user. In some cases, SecurID cards may be re-deployed to another user, and in rarer instances, the card may be credited toward purchase of a smart card or software smart card. Security Dynamics is committed to protecting customer investments made in SecurID technology in the past, present and future. For those customers who require a change to smart cards, there will be a credit program available which recognizes the unrealized value in the SecurID tokens a customer wishes to return in trade. The details of this program have not been finalized, but as an industry leader, SDTI will react with integrity to the needs of its customers.

Smart Card Growth in the European Market vs the US Market

The European market for smart cards has grown exponentially in size over the last few years, far outpacing smart card acceptance and deployment in the U.S. Smart card technology was first developed in the mid-1970s but has only seen widespread adoption since the mid-1980s in the areas of health care, transit and electronic purse applications. Note the time span from development to accepted adoption. We expect a similar trend to follow in the US. Although development efforts are strong and dedicated, acceptable technology lags, thus forcing a "wait and see" industry and public attitude.

While it is anticipated that smart card technology applications in North America will continue to grow quickly, and in the not-too-distant future approach European acceptance levels, two key issues first need to be addressed. Before wide-scale, public usage is possible, the public and private sectors must reach a consensus on creating a technological standard that can be adopted for use by consumers and merchants everywhere. Second, industry and government players face the challenge of charting a technology migration path that will allow smart card technology to co-exist with established technology investments, such as magnetic stripe technology.

Eight or nine years ago, there was a lot of talk about smart cards in the U.S. During this time, France and other European countries were implementing national systems using smart card technology. That interest, however, never gained much momentum in North America until recently. A number of things have occurred in recent years that have caused both industry and government in North America to renew their interest in smart cards.

First, smart card technology has matured considerably and its costs have come down (somewhat) to the point where the technology makes good economic sense in a variety of application areas. Second, the rapid increase in card-related fraud over the past few years has created the need for a level of security that smart cards are uniquely able to provide. Finally, the convergence of various electronic technologies, together with a desire on the part of many industries to forge new alliances and offer enhanced services, has established a role for smart cards as access keys to these new services.

As the dominant market in smart card technology, Europe is expected to account for $585 million of a $900 million market by 1998. In addition, there are expected to be over 250 million smart cards in circulation/issued in Western Europe by the year 2000. This astounding growth will be sustained as new applications continue to emerge and new nationwide programs incorporating smart cards are introduced. For example, in Germany the national health care authorities began a program in 1993 to provide smart cards to all 80 million of its citizens with health insurance. Other European countries are considering doing the same.

Europe now accounts for 68% of overall smart card demand. Experts predict that by the end of the decade, Europe will represent only a third of demand, with Asia and the United States also each representing one-third of the demand.

In Summary

Smart card technology is moving at a record business pace. By the year 2000, more than 2.5 billion smart cards will be more than 25 percent of U.S. households. Today large investment dollars are at stake: smart card applications are rapidly gaining momentum in Europe, trials and pilots are evident in the U.S., and industry and consumers are beginning to take serious notice. However, a key question still looms ahead: Are industry and key executives ready to invest in and deploy this relatively adolescent technology today to secure their critical business environments?

Security Dynamics' strategy is to introduce to the marketplace the security solutions required in a modular and complementary manner. SecurID tokens will continue to be fully supported for user I&A, while the introduction of the smart card format to the SecurID product line will enable advanced enterprise security services. Security Dynamics pledges to continue its long tradition of providing the highest quality, highest value offerings available to the security marketplace, including the protection of its customers' investments in SecurID technology, product, and services.