Universal Smart Cards has a strong relationship with Gemplus (now Gemalto) and has been involved in several projects to help customers secure their PC and Network environments.
GemSAFE Libraries delivers an easy-to-use smart card solution designed to secure all network communications, allowing you to leverage these technologies to expand your business.
The GemSAFE Libraries smart card-based solution brings ease of use, portability and, most importantly, the highest level of security for PC logon, Web site access, and email exchange through Microsoft® and Netscape® suites. It is the perfect complement to your network security implementation.
The IT market is creating new business opportunities, for large and small companies, in a wide range of areas from remote access and intranet/extranet to electronic commerce and e-mail exchange. In order to take advantage of these new business opportunities, network security is required to build the necessary confidence and provide the protection organisations need. GemSAFE Libraries delivers an easy-to-use smart card-based solution to secure your network transactions.
GemSAFE Libraries integrates seamlessly with the latest standards and security protocols (SSL, TLS, S/MIME, CAPI, PKCS#11) for certificate-based Kerberos logon to PC’s, secure Web access and e-mail, and offers a higher level of security than existing software offerings by storing the digital identity on smart cards. Using public-key cryptography, smart cards keep confidential information stored in a safer manner within the card than on a PC, which is vulnerable to hackers. PIN (Personal Identification Number) codes ensure correct identification while the microprocessor on the card transparently carries out user authentication.
With GemSAFE Libraries, users can store their identity and confidential information on a smart card, enabling complete portability. Travelling with your electronic identity in your pocket, network services now can be accessed simply and securely from any GemSAFE-equipped PC in the world.
Ease of use
GemSAFE Libraries is designed to be easy to install and use. You simply connect the smart card reader to the PC, install the software on a Windows 2000, Windows XP or Vista -compatible computer and, after following a few simple instructions, activate the card with a certificate.
Diagnostics Tool and Card Details Tool allow users to change their PIN and provide simple administrative functions such as registration and setting default certificate.
Running GemSAFE Libraries
The "single user" GemSAFE Libraries media kit contains:
GemSAFE smart card
Smart card reader – USB, PCMCIA, RS232, or direct connection to motherboard
Card reader drivers
CSP and PKCS #11 crypto modules
GemSAFE Libraries Install and User Guide
Access to Technical Support
Uses for GemSAFE Libraries
1. Certificate-based Kerberos logon to a Windows domain
2. Signing and encrypting email
3. Signing macros and documents within Microsoft Office
4. Enhancing SSL to ‘require client authentication’ for secure access to web applications
5. Enhancing applications such as VPN client software
6. Adding additional security to a WI-FI environment
PKI and Smart cards
Over the past several years, global networks have transformed from a way for scientists and researchers around the world to share ideas and information to an increasingly effective way for businesses, financial institutions and government organisations to communicate and engage in commercial activities. Today we stand at the threshold of a new era of electronic commerce, one that will enable these organisations to move beyond simply establishing a network presence to sharing sensitive information and conducting business transactions with customers, contractors and business partners. Before this can happen, it will be necessary for all parties involved to reach the same level of trust in electronic transactions that they have built up over years of doing business face-to-face in a paper-based world.
Digital certificates were created to overcome the general anonymity afforded by unsecured networks like the Internet by providing a reliable and trustworthy proof of identity in much the same way as passports and driver’s licenses. Used in conjunction with modern web browsers, email software and other applications, digital certificates (and the public key technology they are based on) offer the potential for ensuring secure electronic commerce and transactions over these networks. Like a passport without a photograph attached, a digital certificate stored in the usual manner on a PC hard drive is susceptible to compromise and fraudulent use, and before they can be widely accepted as proof of identity, a way must be found to protect them.
Smart cards offer this protection by securely locking the digital certificates in a secure, removable medium, and making them inaccessible to anyone but their rightful owner. Without knowledge of this critical information, would-be hackers and thieves are unable to usurp the rightful owner’s identity and use it to gain access to secure information or conduct transactions.
Passwords Make Poor Identifiers
Intranets, extranets, the Internet: they’re all based on the same technology, and they’re all susceptible to the same security risks. Simple retail transactions pose little threat and personal email communications entail little risk if intercepted. More sensitive types of personal transactions and most business-to-business transactions pose a much greater risk, especially when conducted over an insecure channel like public networks, and require much greater assurances of authenticity, privacy, integrity and acceptance.
The risks can be huge as organisations face the loss of money, intellectual property or customers, as well as the potential for legal consequences. The March 1998 Computer Security Institute/FBI computer Crimes Survey found that 47 percent of the 563 organisations surveyed were attacked via the Internet, and the FBI believes as many as 95 percent of the attacks go undetected. Corporate America spent about $6 billion in 1997 on network security, and financial losses were estimated at $10 billion. Whether an individual buys or sells stock, or Boeing submits a purchase order to a contractor in Japan, there’s a big difference between conducting these transactions in person or using traditional paper documents and conducting these transactions over networks. Today, the most popular way to establish identity is with a password. While passwords continue to be widely used to identify users, they cannot be relied upon for real proof of identity for many reasons.
Passwords are often sent over networks without any encryption, making them highly susceptible to interception and compromise. Users generally need to remember many passwords, and often end up using the same password for many systems, using easy-to-remember (and easy to crack) passwords, or writing the passwords where they are easily accessible. On the back end, all passwords must be stored in a single file, and although encrypted, there are numerous cases of these files being stolen and unlocked. Further, these password files are expensive to support and maintain, with much of the expense resulting from users forgetting their passwords. The bottom line is, passwords offer no proof of who is actually using the password. Passwords have proven to be poor vehicles for ensuring identity, and without firmly establishing who is really at the other end of the wire, it is impossible to control access to sensitive information, ensure the confidentiality of messages, ensure that communications have not been tampered with or provide undeniable proof that a transaction occurred.
Digital Certificates to the Rescue
An ingenious method of scrambling information, called public key cryptography, has become widely used by businesses to secure communications and protect valuable information. Public key cryptography uses two very large numbers called keys and a series of complex mathematical formulas to scramble and unscramble digital data of any kind. Whatever one of these keys scrambles, the other one can unscramble, and the larger the key (the more "bits" it has), the more difficult it is for someone to crack the scrambled data.
In practice, the "public" key is made readily available while the "private" key is secured and accessible only by the rightful owner of the keys. Someone wishing to send a message that can only be read by the intended recipient will scramble the message using the recipient’s public key. When received, only the intended recipient can unscramble the message using their corresponding private key. In addition, the sender can digitally "sign" the message using their own private key, which the recipient can confirm using the sender’s public key, proving the message actually originated with the stated sender, while at the same time ensuring that the message has not been tampered with. As good as public key cryptography is at securing messages, it alone cannot attest to who is actually presenting any particular public key. In theory, a criminal could present a public key and claim it belongs to the FBI, and lacking any other mechanism for ascertaining identity, there is no way the other party in the transaction can tell the difference. Digital certificates solve this problem by attesting to the binding of a public key to the identity of an individual or entity. They allow verification that a public key does, in fact, belong to a specific individual.
The digital certificate is a data file that contains an individual’s public key along with other identifying information, including the owner’s name, the certificate’s serial number and expiration date and possibly other user-supplied information such as a postal address, email address or employer name and address. In addition, the digital certificate contains the name and digital signature of the certification authority (CA) that issued the certificate. The certification authority is a trusted third party, such as a bank, government agency or employer that verifies the identity of the certificate owner before issuing the certificate. Similar to an international passport, most digital certificates today conform to an international standard -- the ITU X.509 standard -- so they may be used universally. The standard helps ensure interoperability of digital certificates regardless of issuer, network or application by specifying what information must be contained in the digital certificate and how it is formatted.
Digital certificates are an important component of a larger public key infrastructure (PKI), which also includes the issuing certification authority, certificate revocation and key management functions. Organisations employ a PKI on their networks to support the use of public key cryptography and digital certificates for secure transmission of sensitive information.
Already, a number of standard protocols being widely adopted for secure communications and electronic commerce require the use of digital certificates. Currently the two most popular are the secure sockets layer (SSL) protocol and the secure multipurpose Internet mail extensions (S/MIME) protocol. SSL enables both servers and client browsers to authenticate each other and perform secure data transmission, and is implemented in browsers from Netscape, Microsoft, and may others, as well as in most commercial servers. S/MIME ensures that email and EDI messages are kept private and not tampered with, as well as offering non-repudiation.
The Problem with Digital Certificates
With a digital certificate, anyone with access to the private key is assumed to have rightful ownership of the certificate. Thus, while digital certificates can associate an identity with a public key, the digital certificate alone cannot confirm that the individual presenting the certificate as proof of identity is actually the rightful owner.
Consequently, protecting the private key is the single most important aspect of using digital certificates because if the private key becomes known by others, it is possible for them to assume that identity and engage in fraudulent use of the certificate. Most digital certificates today, and more importantly their associated private keys, are simply encrypted with a password and stored on the owner’s PC hard disk drive where it may be vulnerable to attack either directly or through the network. The private key is vulnerable to many of the same password-related problems mentioned earlier, and several programs are available to either divert PC files or attack password mechanisms.
As a result, although digital certificates can provide digital authentication, they are not fully secure without strong user authentication. Without strong user authentication, a digital certificate is about as much good as a passport without a photograph of its owner attached. A passport may attest to its owner’s identity and be an official document issued by a government agency; but without a photograph, it is impossible for anyone presented with the passport to confirm whether or not the person presenting the passport is, in fact, the owner.
The Smart Card Solution
The measures taken to protect the private key must be at least as strong as the security of the messages encrypted with the key. Single-factor authentication such as a password is simply not good enough. Smart cards offer superior protection for private keys because they require not only a password (PIN) but also physical possession of the card as well to gain use of the private key. This kind of two-factor authentication offers significantly stronger security than passwords, and ensures that the digital certificate is used only by its rightful, intended owner.
With a smart card, the private key never leaves the card and is completely inaccessible from outside the card. All cryptographic functions requiring use of the private key for secure Internet browser and electronic mail transactions--digital signatures and decryption of the session keys-- take place on the smart card by the onboard microprocessor, and only the results are passed back to the host PC.
The smart card itself is easy to use, portable, unique and can’t be cloned. Its use is PIN protected, and it becomes completely unusable after a specified number of failed access attempts. The user has fewer passwords to remember and IT departments have fewer problems with lost or stolen passwords. In fact, more than 40 percent of all help desk calls involve resetting passwords for users, and a large organization with 20,000 users could save as much as $4 million in lower help desk costs.
GemSAFE Libraries from Gemplus
Gemplus has designed GemSAFE to be the most secure, simple and affordable solution for organisations wishing to use smart cards in their public key infrastructures for greatly improved security. Developed and distributed by the world’s leading provider of plastic and smart cards, GemSAFE provides a personal network safeguard by using digital certificates stored on smart cards for accessing corporate intranets, extranets, websites and electronic mail systems. Designed for quick, easy, plug-and-play installation and set up, GemSAFE combines a Gemplus smart card, smart card reader and software for integrating with popular Microsoft and Netscape software suites.
GemSAFE works seamlessly with Microsoft Internet Explorer, Outlook and Outlook Express via Microsoft’s Crypto API, as well as Netscape via PKCS#11. When using these applications, GemSAFE provides SSLv3 client authentication to requesting web servers and secure S/MIME email exchange via the user’s digital certificate and private key stored on a smart card. The user’s private key never leaves the smart card and is inaccessible from outside the card. All cryptographic functions requiring the private key are handled on the card by the onboard microprocessor.
GemSAFE also works out of the box with Microsoft Windows logon, and GemSAFE is fully PC/SC compliant. No extra drivers are needed to get up and running. And GemSAFE smart cards can be used in any industry-standard PC/SC-compliant smart card reader, including readers from Gemplus.
GemSAFE is designed to work with all certifying authorities, whether an organization chooses to take on this task themselves or outsource it to an external trusted third party such as VeriSign or Trustwise. Organisations can also choose to personalize GemSAFE smart cards themselves or use the services of a bureau.
Should you have any requirements for Logical Access Control either software, cards or readers then please do not hesitate to contact us.