
 


Features - July 1999 - Where the smart money is

Smart cards offer enhanced possibilities in several areas. Phillip Hunter takes a look at the industry and the role that Microsoft has decided to play in it.

Microsoft has decided that smart cards are ready for prime time after years of trials and niche applications. The company is making its presence felt with a vengeance. It has launched a series of initiatives during the last year, the most significant being a programming development environment, a smart card operating system, and a standard for connecting smart card readers to PCs. The combination of credit card form with the ability to store and process information makes smart cards ideal for a number of applications, particularly in four principal categories: security, payment related, mobile phones, and as repositories of personal information.

A disparate and fragmented marketplace


Microsoft’s entry to the field has been generally welcomed by existing smart card vendors, but has not been without controversy. Indeed Microsoft’s call to the industry to grow up and start supporting common standards has caused some resentment even if it is long overdue. The scene is set nicely by John Noakes, Microsoft’s e-commerce manager responsible for smart card issues in the UK. "In Europe there are over 50 smart card operating systems," says Noakes almost in despair. "It’s an absolute minefield this marketplace, very disparate and fragmented. We’re saying hang on a minute, we have developed a Windows-based operating system for smart cards which will enable customers to take advantage of the developments they already have." Microsoft’s strategy, Noakes added, was the usual one of reducing the cost of entry and making it easier to develop new smart card-based applications that would be transferable to the whole population of Windows PCs, for the smart card itself is purely an end user device. "We’re effectively developing an operating system in an 8 bit, 8K environment, but which accesses the 32 bit environment through the APIs and virtual machine that sits on the card," says Noakes.

Given this size constraint, Noakes considers it incorrect to regard this smart card version of Windows as a cut down version of Windows CE, which is about 300K of code even in its smallest configuration. It is a totally different beast performing highly specialised functions, the key points being that it hooks into the Windows environment and, most importantly, that it will run the smart card portion of applications developed within Microsoft’s new smart card tool kit. Indeed it is the latter that Noakes regards as most significant. "I’m keen to focus on this part of the announcement," he says. "The tool kit, based on Visual Studio, will allow Windows developers to build applications to Windows systems in Visual C++ and Visual Basic for smart cards, and we see that as very important."

Setting standards


In some respects we have the hallmarks here of Microsoft’s entry into a new branch of IT, with the rallying cry that it is time to get real and build around universal standards, i.e. those set by Microsoft. In particular there are the attempts to create a groundswell by getting the Windows development community involved, as was readily apparent to visitors at May’s Cardtek-Securetek exhibition in Chicago. This is the smart card industry’s annual showpiece, at which Microsoft had a minimal presence in 1998, when there were few developers to be seen. This year Microsoft was there in force sponsoring a series of developer workshops.

However the smart card sector has some important differences from other IT sectors that Microsoft has entered recently, the most significant being that there are several distinct application sectors, only some of which are of any interest to the Windows development community. The biggest market for smart cards so far, for example, has been as SIM cards that tailor the operation of mobile phones, and at present Microsoft has no interest in this sector. Clearly then SIM cards will continue to run proprietary operating systems and adhere to interface standards specific to that industry. In any case, this sector involving embedded smart cards does not really relate to the PC arena and does not share the same issues.

Microsoft is focusing on the security and payment sectors, and this is where the main effort to rally the industry around the new Windows-based standards will take place. Noakes emphasised that Microsoft would not develop the applications itself, but would encourage partners, including major smart card manufacturers such as Gemplus and Schlumberger, to build applications to the new Windows standards rather than their existing proprietary ones. However, there will still be plenty of niche applications for smart cards even within the payment and security sectors, and Noakes admitted it is unrealistic to expect the Microsoft standards to be adopted for all of those. "We’re saying to our partners we’d like you to integrate your applications on our operating system as well as but not instead of (because that’s too much to hope for) the other main operating systems."

These other operating systems are of two types. There are the numerous proprietary systems specific just to a particular card, and there are two other contenders for the role of standard. One is the Java Card standard, with the operating system written in Java, and the other is a system called Multos, which runs the well known Mondex payment cards, involving collaboration between a number of companies, including MasterCard on the payment side. The latter is already well established, while the former has the weight of the Java community behind it and will be well placed for running Java applets on the card enabling it to work with new applications.

Smart card readers


Clearly for smart cards to become widely accepted as the keys for accessing networks and e-commerce applications, a common operating system and standard programming interfaces are important. But perhaps most vital of all is that PCs come with inbuilt smart card readers that any card can be used with. Until recently, each major make of smart card would only work with a proprietary reader from that vendor, and this state of affairs has inhibited growth. There are now several competing smart card reader standards, including Microsoft’s own PC-SC (PC Smart Card), along with Open Card from the Java/Unix community promoted by vendors such as Sun and Oracle, and also a third contender, PKCS11 from Netscape. According to Andy Lee, who heads the e-business programme in the UK for Gemplus, one of the world’s major providers of smart card-based systems, the Microsoft standards are likely to win. "The Open Card process has not been as swift or readily accepted as the Microsoft work," he said.

But according to Frederick Engel, marketing director of ActivCard, another big player in the field, vendors will initially, at least, have to incorporate all three of these standards in readers so that they will work with cards and PCs based on any of them. "Our software complies with all of them already," he said. Until such time as smart card readers are fully integrated into PCs, they will be attached via one of the obvious orifices, either to the RS232 port, the PCMCIA slot, or into the floppy disk drive. The fourth possibility available now is for the smart card reader to be integrated into the keyboard, as some keyboard vendors such as Cherry have already done. This last possibility contends with RS232 connection for desktop PC readers, while for portables, attachment via the PCMCIA slot is the obvious option. For attachment via floppy disk drives, the reader comes in the shape of a floppy disk with a receptacle for the card. You then slide in the reader like a floppy disk. The idea has obvious appeal and will work with almost all types of PC, although not of course with diskless thin clients.

However, the floppy disk approach does have drawbacks: inserting the card into the reader is difficult, which causes cards to wear out more quickly. It may well be, though, that 'contactless' smart card readers will come to predominate, avoiding the inconvenience and wear and tear of loading cards into readers. Gemplus, for example, launched a contactless smart card reader early in 1998 aimed initially at ticketing and vending machines, allowing cards to be read just by waving them within 10 cm of the reader. According to Gemplus, this reduces transaction times 20 to 30 fold, which is of huge value for many vending and ticketing applications. For computer access it will merely be a ‘nice to have’ rather than an essential, but if the technology becomes cheap enough it will probably predominate anyway.

Smart cards: the security solution


The real reason why the industry is so determined to sort out these standards issues, and why Microsoft has suddenly become so excited, is that smart cards appear to provide the only answer to the security demands of emerging e-commerce and payment applications and for authentication in general. Yet at first sight smart cards do not appear to provide any greater security than magnetic stripe cards, which combine two security factors: something the user has, i.e. the card itself, and something the user knows, the PIN. This itself is an improvement on many computers and networks whose security is based on a single factor, passwords.

Smart cards provide a second factor while also scoring over alternatives such as smart tokens by being fully integrated into the PC. The card itself can hold credentials such as private keys used to form digital signatures for confirming purchases or identity. Smart cards also blend well with the Kerberos authentication system that Microsoft has chosen to control access to applications within Windows 2000 environments. Kerberos itself provides elaborate mechanisms for issuing electronic tickets that grant access to applications without requiring the root password or other credentials by which users initially identify themselves to their PCs. But therein lies the weakness of Kerberos, or rather the aspect of security it does not address, which is the fact that it assumes there is a sound mechanism for controlling the user’s access to the PC in the first place. With a smart card, there is automatically a second security factor in place. Smart cards also bring the possibility of integrating a third security factor into the equation, based on some physical or biological characteristic of the user. Smart cards have this potential by virtue of their ability to have data written to them, for such data could pertain to the individual, a compressed image of their fingerprint, for example. Then when the user attempts to gain access this image could be compared with a copy of the fingerprint taken at the time, guarding against fraudulent access by someone who has stolen the card.

Strange as it may seem, even existing magnetic stripe cards have the potential to offer such three-factor authentication. In an extraordinary development, researchers at Kent University have succeeded in compressing recognisable digitised photographs of human faces down to just 50 bytes, which means that they could be stored in the magnetic stripe which has about this capacity left over after other user data has been written. This could give such cards a new lease of life for retail applications since the image of the face could be displayed enabling any attempted fraud using stolen cards to be detected instantly. But there is no ability to rewrite the data or use the card for anything else, so this is likely to be just a temporary reprieve until the smart card standards issues are sorted out and prices come down.

Summary of smart card applications

Smart card applications can be split into four categories: security, payment related, personal information storage, and mobile telephone SIM cards. The latter is distinct from the other three as it does not involve a smart card that users carry around and is based on a separate set of standards. Security applications include control of access to buildings as well as stand alone computers and complete networks. As explained in the main article, smart cards are particularly strong by enabling different security factors to be combined.

Smart cards also have some particular strengths for payment applications such as ticketing, an electronic purse holding small amounts for use in vending machines, and for loyalty points schemes. In the latter guise they could convert between different types of loyalty point, say from a supermarket’s shopping points to air miles. By the same token there is no reason why a smart card as an electronic wallet could not convert between currencies so that it could be used in vending machines in different countries.

Finally, for storing information smart cards have already been used for holding medical records and other forms of personal data. Other potential applications include employee records, identity cards and even electronic passports.