Smart cards gained a lot of notoriety this year. The credit-card-sized plastic cards, which contain a microprocessor chip about the size of a thumbnail, are quickly gaining adoption as a security and identification tool. Both public and private entities are adopting smart cards to identify personnel or to grant physical or virtual access to a building or corporate network. Still, smart-card technology does have its challenges.

The Department of Defense has partnered with EDS to initiate a rollout of more than 4 million smart cards to active duty U.S. military personnel and eligible contractors over the course of two years. Rolling out a massive number of cards to about 900 locations worldwide is a daunting task, says Robert Branderwie, deputy directory of the Defense Manpower Data Center, the governing body issuing the smart cards for the Department of Defense. But the project has been considerably more manageable because the infrastructure to issue identification cards is already in place. "We use a combination of ActivCard software and a real-time automated personnel identification system, which has all of the military information, to make the new cards," says Branderwie. ActivCard, which creates the applets that run on smart cards and the software that resides on a computer and talks to the applets, is one of many vendors supplying smart-card technology to the Defense Department.

The Space Case
Currently, the Department of Defense is storing identification data on its smart cards: name, rank, serial, and Social Security numbers. The card also contains three public key infrastructure certificates. These go beyond traditional cryptographic functions to let the user authenticate herself to access a networked computer, or encrypt and digitally sign E-mail or E-government documents. The personnel data and the PKI certificates occupy the majority of the 32 Kbytes of storage space on the card (which also must support the card's operating system).

The storage limit will become a problem when the Defense Department is ready to add biometric applications. While the department would like to use smart cards to identify personnel and grant them physical access to various locations, that functionality may have to wait until the department upgrades to a 64-KB card in another 12 months, Branderwie says. "A biometric ID system that uses the smart card in combination with a fingerprint would be ideal to allow physical access to bases, but you need the fingerprint applet and the software program to run the fingerprint comparison on the card," he says. "Space is always an issue." In the meantime, the Department of Defense is considering using smart cards to store medical data, check out equipment, or pay for meals.

As confidence in biometric technology grows, so too will the adoption of smart cards, says Frost & Sullivan analyst Shalini Chowdhary. "The security in a smart card comes from the fingerprint," she says. "The focus of access control should be biometrics, not smart cards."

Java Clears Interoperability Hurdles
Sun Microsystems is also issuing smart cards to its employees, letting them log on remotely and gain physical entry to buildings, says Albert Leung, business development manager for Java Card at Sun Microsystems. Sun is trying to increase the functionality of its smart cards. "We hope to put Sun cash on it to use in cafeterias and company stores, or use it as a library card to check things in and out of the data library," Leung says. By scanning an individual's smart card and the barcode of a notebook computer he's taking out of the building, the company can authenticate the user and keep track of the equipment, he adds.

Interoperability was an issue. Sun introduced in 1996 the concept of adding Java technology to smart cards, which enables the card to hold multiple applications with a different password or PIN for each application. Doing so increases the card's security--and makes the card interoperable with technologies from a variety of vendors, Branderwie says. "Before Java card, the biggest challenge was to make systems interoperate," he says. "The smart-card industry in the past didn't interoperate across readers or middleware." Java technology is helping to clear some of these interoperability hurdles, because it integrates with a global platform security system that is used by many smart-card manufacturers, he adds.

Using technology to extend the functionality of the employee badge or identification card will continue as intrusion detection and terrorism elevate new levels of security concerns for IT managers, says Gartner analyst John Pescatore. "IT needs to decide 'Now that I know who you are, what can I allow you to touch'" within the corporate infrastructure.