Introduction to Windows for Smart Cards
This paper is part of a series of white papers known as " The Smart Card Deployment Cookbook."
On This Page
Introduction
Advantages of Windows for Smart Cards
Protection
Productivity
Profit
Promotion
Smart Card Deployment
Introduction
In the past few years, telecommuting, the Internet, and electronic commerce have developed from an alternative means of doing business to become increasingly mainstream consumer activities. Several years ago, a Web address on a business card was comparable to a secret handshake that gains you admittance to an exclusive club. Now, advances in software functionality and hardware speed, along with the power of word of mouth, have made the Internet and all its offshoots the "next big thing" for commerce, communication, and entertainment. Unfortunately, growing in lock step with the boom in network and communication technology are the proliferation of multiple user IDs and passwords, the proficiency of computer hackers, and the occurrence of credit card fraud and identity theft.
The family of Microsoft Windows operating systems is designed for the emerging world of connected commerce and far-flung networks. By incorporating the same widely used software development tools from the desktop and the back office, Windows scales from the smallest networks - the smart card - to the largest enterprise network, enabling customers to run their businesses complete with multiple networks, remote users, electronic commerce, credit card payments, and Web sites. The newest member of the Windows operating system family, Windows for Smart Cards extends the benefits of the Windows environment to the smart card industry.
Advantages of Windows for Smart Cards
A Windows Powered Smart Card is a microcomputer without a graphical user interface. According to Gemplus, a leading smart card manufacturer, companies have reduced their technical support calls by 40 percent by implementing smart cards that perform automatic authentication, previously an error-prone manual process. , Microsoft is working closely with smart card industry leaders such as Gemplus to developing its smart card technology to the highest performance and security standards in the enterprise. At the same time, Microsoft is integrating smart card technology with Windows-based architectures to facilitate ease of application development."
At a price of approximately $20 per card reader and a maximum of $5 per card, Windows Powered Smart Cards are an inexpensive way to strengthen your corporate security. Even when the cards are implemented only for security reasons, your business still benefits from the multitude of other functions that Smart Card facilitates. These services include payment functionality and storage of loyalty information, medical and citizen information, and personal contacts.
The Windows Powered Smart Card can enhance your existing corporate network; there is no need to replace the existing system infrastructure. Windows for Smart Cards works with the Microsoft Windows 95, Windows 98, and Windows NT 4.0 operating systems, and will be optimized for Windows 2000.
Windows Powered Smart Cards can be customized for each user, And they can be programmed with multiple keys. The cards can be used to log on to a PC or to one or more networks and to perform remote logons. By storing all of a user's authentication information, one Windows Powered Smart Card can gain for a user admittance to all of his or her accounts - on the corporate network, within Internet chat rooms, or within financial institutions.
Therefore, Windows for Smart Cards used with one or more of the Microsoft Windows operating systems can enhance protection, improve productivity, increase profit, and facilitate promotion.
Protection
Corporate computers generally are configured to require a form of authentication for logon purposes. Password authentication, the most widely used logon security mechanism, is only as infallible as its users. Users often share their personal passwords with friends and spouses. Even the most reliable user may write a password on a slip of paper where another user might later discover it. If a user does not safeguard a password, the network may be subject to concurrent usage of a user account or worse, may be unprotected against malicious break-ins.
A Windows Powered Smart Card can be used by only one person at a time, which makes concurrent account usage impossible. Because the card is required to access the network, users are inclined to carry the card with them wherever they go, preventing malicious break-ins. Windows for Smart Cards supports multiple authentication mechanisms, such as PIN, fingerprint, or retina recognition. Your company can determine the method or methods that work best for you.
If the card is lost, no one else can use it to access the network because only the owner knows the PIN or has the fingerprint or retina to match the authentication account. Information and account balances are not lost if the card is lost because a user's information is replicated on each card partner's server. When a replacement card is activated and inserted into the card partner's network, the information is transferred to the new card.
Like a bank or credit card, if a Windows Powered Smart Card is lost or stolen, an 800 number can be used to turn off the card and activate the issuance of a new card. Unlike a bank or credit card, a Windows-powered smart card can be produced at a branch office for quicker turnaround.
By using the most secure crypto-algorithms, such as RSA, DES, 3DES and SHA and by being built on the most reliable chips, Windows Powered Smart Cards are virtually inviolable.
Productivity
Windows for Smart Cards ensures a consistent experience for application developers and end users. Application developers can use development and debugging tools with which they are already proficient, such as Microsoft Visual Studio, to create applications for Windows Powered Smart Cards. Additionally, developers save time by using the Microsoft Windows Smart Card Toolkit to write applications. Unlike tools that differ from vendor to vendor, Windows for Smart Cards is a logical extension of the Windows operating systems and provides a consistent development and run-time environment. By using the Windows Smart Cards Toolkit with the Windows operating systems, developers can write and debug many diverse applications in the same amount of time it would have taken to port one application to many diverse operating environments.
Windows Powered Smart Cards can be used with the Windows operating systems to store personal contact information. By using the cards as a companion to the Microsoft Outlook messaging and collaboration client, you can transfer the names, e-mail addresses and phone numbers of business associates from a PC or network to the card. You can slip the card into your pocket or wallet; then, miles and time zones away, you can insert it into another computer running a Windows operating system. Instantly, your Outlook information is accessible.
With the appropriate hardware, Windows Powered Smart Cards can be used to call a contact at the touch of a button, obtain a street address while driving, or exchange contact information with another user of Outlook. And, unlike e-mail attachments or floppy disks, the smart cards are tamper-resistant, making them resistant to viruses, physical modification, or any other type of unauthorized access.
In fact, physical defenses are built into the hardware of a Windows Powered Smart Card. It uses the software protection strategy of the access control list (ACL), enabling information to be retrieved from the card only if certain known principles (requester's identification, computer identification, time of day) match information stored in the ACL. In addition, these smart cards utilize an MS-DOS-type file system so that applications from different vendors are stored separately. Vendors, therefore, cannot obtain information that does not pertain directly to their application from a card. ACL and file partitioning, together with security libraries and mathematical algorithms, work in tandem to protect these smart cards from unauthorized users and the most invasive tampering. If the card is tampered with in any way (consecutive incorrect PIN entries, electron microscope, sawing open), it implodes, rendering it useless.
Windows Powered Smart Cards can be used to store medical information and citizen accounts. Pharmacies can check a patient's card to verify that the patient isn't taking medication that may interact negatively with a new prescription. By using Windows Powered Smart Cards, a doctor's office can bill insurance companies at the time of treatment, eliminating copious paperwork and speeding the payment of charges. Furthermore, Windows Powered Smart Cards also can be used to help distribute food stamps, store traffic violations, and verify a consumer's age for tobacco and alcohol purchases.
Vendors of Windows Powered Smart Cards can use standard Windows-based APIs to customize the amount and type of information stored on a card. For those loath to store their personal information on a card that could be lost, the card can be configured as an identification mechanism only. In this case, medical and citizen information resides on an agency's server, and the user's Windows Powered Smart Card acts as the identity key.
Profit
With the adoption of e-commerce by the masses, fraud activity has increased dramatically. Stolen credit card numbers are used to purchase goods and services on the Internet, where signatures are not required to prove identity. Underage users can access information and entertainment that is intended for more mature audiences. With Windows for Smart Cards, a Web site administrator can ascertain the identity of a user signing in to a chat room to ensure the safety of patrons. In addition, administrators of Web sites that contain adult content can ensure that only the intended audience views the material.
Internet merchants can implement Windows Powered Smart Cards to obtain a digital signature when goods and services are purchased. Such a digital signature would protect financial institutions as well, ensuring that only a card's owner can make purchases with the card. Windows Powered Smart Cards can be used in lieu of a bank or credit card in traditional purchasing scenarios as well. By writing a financial application and storing it on the card, a vendor can determine the payment method. Financial institutions can write applications for Windows Powered Smart Cards that store a prepaid value, deducting from it as purchases are made. Alternatively, applications for Windows Powered Smart Cards can be written with the same Windows-based APIs developers already use to interact with a server-side automatic billing program.
Promotion
Windows Powered Smart Cards can be used much like a credit card to advertise your business and your corporate partners. You can also store loyalty information, such as airline miles and past purchase amounts, directly on the card. Or you can issue Windows Powered Smart Cards to your customers and sell advertising space on them.
Unlike a credit card, however, Windows Powered Smart Cards are read-writable. When your company's strategic alliances change, you don't need to manufacture more cards; instead, you can change the advertisements and loyalty information on the cards you have already issued.
Smart Card Deployment
How to deploy Windows for Smart Cards is discussed in the remainder of this series of white papers. One group of these papers sets up a "real-world" scenario that illustrates the planning and deployment process.
Microsoft Enterprise Services
Mike Dusche, Program Manager, Microsoft Windows Powered Smart Cards
March 2001
For information about Enterprise Services, see https://www.microsoft.com/es/.
Companies, organizations, products, people, and events depicted in examples in this paper are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.