Evaluating Smart Card Based Security

Virtually every software system has a need for some level of security. The security could be as simple as requiring a password for access control, or it could be as complex as mutual authentication over a secure channel using long keys.

Smart cards are designed to provide a high degree of tamper resistance at a low cost, a combination that is difficult to achieve in larger devices such as mobile phones, PDAs, or desktop computers. Often smart cards are used with larger computing devices to provide a secure, portable user identity token or to provide other security services.

Despite the additional security provided by smart cards, a tamper-resistant device can still be rendered insecure by a system dependency that is not adequately protected. For example, some smart cards will only load applications that have been electronically signed using a long key. Gaining access to the signing key stored on an insecure system might result in compromising an otherwise secure card.

This paper discusses various kinds of smart card based security systems; the attributes, vulnerabilities, and potential threats; and how to avoid common pitfalls in the security of smart card based systems.


About the Speaker

Mike Montgomery, Scientific Advisor, Schlumberger

Michael Montgomery is a co-inventor of the Java Card, a revolutionary technology that has spawned a one billion dollar industry in just five years. He is currently working on new areas of smart card and security research, to elevate smart cards to network peers without compromising security. To date, 12 patents have been issued for his work.

Michael graduated from Stanford in 1981 with graduate degrees in both computer science and computer engineering. He has written over 100 technical papers and has received 3 conference "Best Paper" awards. Other recent awards include 'SESAME award for Best Innovation', Cartes 97; 'E-Commerce Development of the Year', Nexus, 1998; and 'Best New Gadget', Linux Journal, 1998. His work appears regularly in JavaWorld magazine and at Java One, CardTech/SecureTech, and USENIX conferences.