Most organizations use some type of access control to protect their environment. In general, access control is used to protect things perceived to be of value. These controls may take many forms of physical and logical mechanisms, with the common goal of preventing unauthorized access. Access badges, passwords, PINs and encryption techniques have become basic mechanisms for limiting access to high-risk areas, sensitive information and personal data.
In recent years, access controls have moved beyond manned entrances and have become entwined with the information age. As technology changes and becomes more capable, it is apparent that traditional controls have to be strengthened. These controls were put in place to prevent intruders from gaining access to valuable information without permission and without being noticed.
Most organizations have implemented some form of layered security around their access controls. Physical access controls started with basic locked doors and have evolved to include anti-pass-back mechanisms to prevent piggybacking, mantraps to secure sensitive locations, and digital sign-in technology to capture visitor information.
Logical access initially started with a user ID and a lifetime password. Now, logical access controls have evolved to enforce password length and expiration, inclusion of alphanumeric characters, and use of intrusion detection mechanisms, all of which increase the time and effort it takes to crack or guess a valid password. Logical access has also extended to include encryption and filtering techniques to protect remote access and secure stored data. In addition, organizations have employed monitoring and audit trails to detect unauthorized use of information.
Alternative Techniques Needed
Although organizations have increased security to adapt to the information age, the controls in place can still be compromised, defeated and bypassed. Social engineering, phishing and brute force attacks are only a few of the ways in which intruders lure users or use tools to uncover weaknesses in security controls.
With the changing environment and emerging technology, alternatives need to be explored to offer more secure authentication methods. Stronger authentication methods have been available for several years and include tokens, smart cards, digital certificates and biometrics. While these methods range significantly in cost, complexity and strength, they share a common purpose: allowing a user to validate his/her identity through more than one authentication factor. Authentication factors validate a user’s identity and may include:
- Something one knows, such as a password or PIN
- Something one has, such as a smart card or token
- Something one is, such as a fingerprint or palm print
Smart cards are gaining popularity as a preferred credential for securely controlling physical and logical access. Smart card technology provides the foundation for securing physical and logical access applications. As a cryptographic device, the microcontroller at the heart of the smart card can support a number of security applications and technologies. Smart cards offer secure data storage and support many authentication techniques commonly used to protect physical and logical access, including:
- Support for PKI and asymmetric key applications (e.g., digital signatures, e-mail message encryption), on-card key generation, and protection for the privacy of the user’s private key
- Secure storage for biometric templates
- Secure storage for user IDs and passwords
- Support for one-time password generation
- Secure storage for symmetric keys
Standards-based smart ID cards can easily be used to secure physical access by authenticating a person’s identity, determining the appropriate level of access and physically allowing the cardholder to enter a facility. Designing a secure physical access system involves considerations beyond the choice of credential and type of reader. Appropriate system design requires a full definition of system requirements, including required functionality and security policy. This should take into account factors such as cost to implement, requirements to adequately integrate with existing systems, security and performance requirements, and additional user training requirements.
One of the fastest growing applications for smart card technology is implementing methods for controlling logical access. By using smart cards for logical security, organizations gain an extra layer of security while integrating this process with existing infrastructure. Smart cards enable digital certificates, passwords or biometrics to be loaded onto a card, improving access and allowing mobility in the identification mechanism. A common application of this technology is web-based transactions, which can be secured through the use of smart cards with token authentication. A user purchasing goods on the Internet can use the smart payment card with a token to generate a one-time password that validates the authenticity of the cardholder.
In several regions throughout the world, smart card technology has been implemented in the payment card industry for credit card purchases. One application combines the smart card with PIN-based authentication and a public key infrastructure to secure the transmission, validate the cardholder and authorize the transaction in both online and offline environments.
Smart card technology supports multiple applications that allow card functionality to expand and provide enterprisewide usage. Smart cards not only secure physical and logical access, but also can be used to store personal cardholder information, pay a fee and hold multiple cash purses in different currencies. By using one card to support multiple applications, the costs and potential security concerns associated with authenticating users are mitigated.
Early smart cards built on static and native chips presented challenges that slowed development and dampened the motivation to adopt them. These challenges included limited application portability and the inability to add card functionality. In addition, dynamically updating the card was not possible, and institutions soon encountered difficulties in testing this technology, coupled with a lack of in-house expertise.
In 1999, GlobalPlatform adopted an open standard for smart cards, smart card devices and smart card systems. This open standard was designed to achieve economy of scale, ease of development and interoperability. GlobalPlatform Technology, as named by the GlobalPlatform Consortium, is a cross-industry architecture founded by more than 30 organizations, with a focus on dynamic, single and multiple smart card applications. GlobalPlatform defines requirements to support card, device and infrastructure development while ensuring independence from the card manufacturer and operating system. With this movement to an open architecture, the earlier challenges encountered with static and native chips have largely disappeared.
The primary technological advantages of the GlobalPlatform technology include:
- A broad array of technology suppliers, including cards, devices, operating systems, software providers and card technologies
- The secure support of single and multiple applications, which allow applications to coexist on a single card or device in a safe, controlled manner
- The standardization of GlobalPlatform commands that ensure independence in the card platform to support various infrastructures
- The support of existing standards, such as ISO 7816, ISO 14443 and EMV, that ensures backward compatibility with existing smart card implementations
With GlobalPlatform technology, a single infrastructure can support various types of application deployment. It defines an environment for the development and operation of single and multiple smart card application programs. The critical components of the infrastructure within this environment are cards, devices and systems—each designed within an open architecture while maintaining security controls.
An application in this environment is divided among the device, the card and the back-end system. The environment is segregated so that part of the application resides on the card, a complementary component resides in the device, and management information (profile, keys, application-specific data, data generation rules) is stored in the back-end systems.
Comprehensive specifications are a crucial component of the GlobalPlatform technology. GlobalPlatform has developed specifications used in defining the open architecture for smart cards, smart devices and supporting infrastructure systems.
The card is the mechanism that provides the foundation for managing various types of applications. The GlobalPlatform card specification defines the cross-industry, non-product-specific requirements for implementing a GlobalPlatform card. Its primary focus is to define how the card and applications are managed. In addition, it specifies the communication between an off-card entity and the card. The GlobalPlatform card specification also defines a GlobalPlatform application programming interface (API) and explains how this API can be used by an on-card application to manage and protect itself. Finally, the specification defines the security mechanisms that can be used to protect the card and its various applications. A high-level overview of the card architecture is displayed in Figure 1.
The GlobalPlatform card architecture encompasses the following:
- Applet—A set of Java programming commands (of which the application code is composed) contained on a GlobalPlatform smart card. Examples of an applet are credit, debit, loyalty and authentication mechanisms.
- Read-only memory (ROM)—Permanent memory that cannot be changed once it is created. It is used to store chip operating systems and permanent data.
- Electronically erasable programmable read-only memory (EEPROM)—A nonvolatile memory technology in which data can be erased and rewritten.
- Card management system (CMS)—Mechanism for issuer to maintain and exercise control over the card, such as the card's life cycle and which applications can be placed on the card
The basic components of the GlobalPlatform card architecture include the following:
- Runtime environment—The runtime environment consists of three basic components: the operating system used by the card, the virtual machine and the API. GlobalPlatform cards can continue to use proprietary operating systems, which allow suppliers to differentiate their products. The virtual machine acts as interpreter between the language of the operating system used by the card and the language in which applications are written. The latest version, GlobalPlatform 2.1.1, is based on Java Card 2.2. Java Card technology provides a secure environment for applications that run on smart cards and other devices with very limited memory and processing capabilities.
The API allows enhancements to the card to utilize additional capabilities without requiring any knowledge of the underlying operating system. The API is essentially a method to access the set of tools or services commonly used by applications, such as storage, communications and cryptographic features of the card.
- GlobalPlatform API—While the runtime environment API provides generic services needed by a basic smart card application, the GlobalPlatform environment provides additional services relating to card and application management. This is primarily handled by the card manager, which provides a mechanism for securing communication between a card and an off-card entity. There are several types of services managed through the GlobalPlatform environment relating to card and application management, including:
- Allowing an application to open a secure channel for off-card communications
- Enabling an application to lock the card in case of a security threat
- Allowing an application to verify a key check value before loading the key to the card
- Card manager—The card manager is the mechanism that allows the issuer of the card to maintain control of the card and its contents. It also provides the mechanism to prevent unauthorized usage of the card.
- Card applications—The applications on the card represent a mixture of services that can be offered and customized for the cardholders. There may be one or more applications on the card, and each of these applications needs to connect with a card acceptance device, or terminal, containing the complementary terminal component of the application before it can be used. The application may be developed by the issuer of the card, or the issuer may choose to allocate space on the card to other providers. For example, a bank may choose to place its credit and debit application on the card and may also allow loyalty program applications or identity credentials that are not owned by the bank to be added to the card.
- Security domains—Security domains enable various applications from different providers to share space on a card without compromising the security of any particular provider or application. They also allow the application owner to control its applications without having to share cryptographic keys between entities.
The GlobalPlatform specifications also include requirements specific to the card security architecture. Requirements defined in this specification encompass the protocols used to establish a secure channel. Both protocols defined in the specification use symmetric key cryptography for authentication, establishment of session keys, and protection of subsequent communication between the card and off-card entities. In addition, key management system requirements and industry-standard algorithms are outlined to provide greater control over the use of keys and increased security.
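The three properties listed above (mutual authentication from a shared static key, derivation of a session key from both parties' challenges, and MAC protection of every later command) in a simplified host/card simulation. This is an added illustration, not code from the article or from GlobalPlatform: HMAC-SHA256 stands in for the block-cipher MACs of the real secure channel protocols, and the key value, message layout and command names are constructed for the example.

```python
import hmac, hashlib, os

# Constructed sample issuer key; real keys live in the issuer's key management system.
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def prf(key, *parts):
    # HMAC-SHA256 stands in for the block-cipher MAC used by the real protocols.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Card:
    def __init__(self, key):
        self.key, self.session, self.counter, self.locked = key, None, 0, False
    def initialize_update(self, host_challenge):
        # Reply with a card challenge and a cryptogram over both challenges,
        # proving to the host that the card holds the static key.
        self.host_challenge, self.card_challenge = host_challenge, os.urandom(8)
        return self.card_challenge, prf(self.key, b"card", host_challenge, self.card_challenge)[:8]
    def external_authenticate(self, host_cryptogram):
        # The host proves it holds the same key; a failed attempt locks the channel.
        expected = prf(self.key, b"host", self.host_challenge, self.card_challenge)[:8]
        if not hmac.compare_digest(expected, host_cryptogram):
            self.locked = True
            return False
        self.session = prf(self.key, b"session", self.host_challenge, self.card_challenge)
        self.counter = 0
        return True
    def process(self, command, mac):
        # Every later command carries a MAC under the session key and a counter,
        # so an altered or replayed command is rejected.
        if self.locked or self.session is None:
            return "refused"
        expected = prf(self.session, self.counter.to_bytes(2, "big"), command)[:8]
        if not hmac.compare_digest(expected, mac):
            return "bad_mac"
        self.counter += 1
        return "ok"

class Host:
    def __init__(self, key):
        self.key = key
    def open_secure_channel(self, card):
        hc = os.urandom(8)
        cc, card_cryptogram = card.initialize_update(hc)
        if not hmac.compare_digest(prf(self.key, b"card", hc, cc)[:8], card_cryptogram):
            return False  # card does not hold the expected key
        if not card.external_authenticate(prf(self.key, b"host", hc, cc)[:8]):
            return False
        self.session, self.counter = prf(self.key, b"session", hc, cc), 0
        return True
    def send(self, card, command):
        mac = prf(self.session, self.counter.to_bytes(2, "big"), command)[:8]
        self.counter += 1
        return card.process(command, mac), mac
```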
When considering stronger access mechanisms, the smart card architecture may prove to be an advantage. Developing applications for GlobalPlatform is flexible because of its open architecture design, which provides the environment needed for one card with a common platform to be used for multiple purposes. It also maintains layered security controls to adequately protect each application’s domain and, hence, each individual’s proprietary information.
Tara Kissoon, CISA, CISSP
is a senior manager within Visa Canada’s risk and security services, where her focus is on risk assessments, security reviews, key management and smart card technology. Kissoon has more than 15 years of experience in various aspects of information technology, including security reviews of complex network architectures, facilitating multidisciplined risk assessments, conducting various workshops and forums, and leading IS audits specializing in system development, web architectures, application and database reviews, and Sarbanes-Oxley compliance. Kissoon has taught at Seneca College, where she was responsible for the development, delivery and evaluation of the IT curriculum. She was appointed to represent her college on several advisory committees and developed the first security course at Seneca College.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.