Smart cards afford an obvious benefit: mobility.
Possessing a credential that can authenticate that an individual is who they claim to be, regardless of where they are, is highly beneficial. This un-tethers the individual from the desktop or laptop and frees them to move from station to station. And because there are such requirements within the Federal Government such as FIPS (Federal Information Processing Standard) to ensure such functionality as the token being tamper proof, for example, among other requirements, the level of assurance can remain consistent. However, with digital transactions smart cards are only as effective as the credential the card is protecting.
Biometrics provide a uniqueness of the person’s identification, ‘something you are’. Advancements have led to the ability to distinguish an individual by their fingerprint, voice, face, eye, entire body, and more. More importantly, devices are being developed that can use multiple biometric ‘signatures’ to exponentially increase the accuracy of identification and decrease the possibility of a ‘false positive’ or incorrect identification.
With both smart cards, as mentioned previously, and biometrics, legal non-repudiation is challenged because digitally there is no difference between the credential presented and the one stored for comparison. However secure, if the credential or the biometric ‘signature’ resides in a database, someone other than you has access to your credential.
To extend this legal argument further, it is not necessary to prove that someone did or did not have access to your credential or biometric data. But rather, could someone, such as an administrator, have accessed your data? Or even the reverse of that argument, is it a categorical impossibility that no one other than the owner of the data had access to it? This is why the policies, guidelines and laws play such a critical role. Each piece of the equation, the card, the reader, the biometric, the credential, policies, and the consequences are all an equally important factor to the sum of the security solution.
For instance, with symmetric key generation the owner of the credential must know or have contact with all those in the community with which they are presenting their digital credential. This is because they must share their credential with that person and that person must subsequently ‘recognize’ that credential as being from its appropriate owner. This quickly becomes an arduous process when dealing with a community of any substantial size.
To solve this issue, we must look beyond the physical and think in the “digital dimension.” Asymmetric key technology offers both identity assurance and privacy. An individual’s identity is represented by a key pair. Properly managed, the private key is created and retained by the owner and only by the owner. The public key is then freely distributed to a public repository(s) where it can be accessed by anyone known or unknown. Despite being based on complex cryptographic technology and mathematics, the user experience is quite simple. To identify one’s self, the individual applies an algorithm using their private key and presents the result, a ‘hash.’ At the other end of the transaction, an algorithm is applied using the individual’s public key. If the resulting hash matches, the recipient can be assured of the identity of the initiator, and knows that the transaction was not altered or tampered with between the time it was created and the time it was received.
In a vast community of users such as the Internet, it is much more feasible to leverage asymmetric key technology where distribution and retrieval of public keys can be readily achieved, and the protection of the private key can be managed to the level of assurance desired and that technology permits. The Internet can be used as it was designed, for the open sharing of information without the loss of protections or privacy.
