7. The Relation of Smart Cards with PKI
As we already know smart cards are secure place to hold sensitive data, such as money and identity. And if the identity is the subject we should talk about PKI, Public Key Infrastructure, and smart cards.
Think that, you are working in a company with many branch offices and many facilities. In such large companies often employers have access permissions to different physical places. Also you access the servers inside the company for various purposes like sending mail, uploading the web pages and accessing the databases of the company. Just think, one password for each server and one key for each door and some money in your wallet to buy food or drink from the local restaurant.
Actually you could just use a smart card. If you use a microprocessor card and a the cards operating software or Java cardlets permit, you could use only one card for all these. For this scenario to work, the company must establish a local CA, Certificate Authority. Below there is a diagram showing the structure of a PKI simply, as described in RFC 2459.
+---+ | C | +------------+ | e | <-------------------->| End entity | | r | Operational +------------+ | t | transactions ^ | | and management | Management | / | transactions | transactions | | | PKI users | C | v | R | -------------------+--+-----------+---------------- | L | ^ ^ | | | | PKI management | | v | entities | R | +------+ | | e | <---------------------| RA | <---+ | | p | Publish certificate +------+ | | | o | | | | s | | | | I | v v | t | +------------+ | o | <------------------------------| CA | | r | Publish certificate +------------+ | y | Publish CRL ^ | | | +---+ Management | transactions | v +------+ | CA | +------+ |
end entity: user of PKI certificates and/or end user system that is the subject of a certificate;
RA: registration authority, i.e., an optional system to which a CA delegates certain management functions; (in some implementations, where you register your self to the system)
CA: certification authority; (Your public key, can be issue when you register yourself or can be self-issued, is signed and your certificate is issued to you at CA)
repository: a system or collection of distributed systems that store certificates and CRLs, Certificate Revocation Lists, and serves as a means of distributing these certificates and CRLs to end entities.
In fact, this is just a simplified view of the entities PKI. The employer or the end entity just applies to the CA or RA to get a certificate A certificate is just a public key digitally signed with the issuer's, CA, private key. By signed with the CA's private key, all which trust the CA, can also trust the end entity. Your digital ID is ready. Just write your digital ID and private key to your smart card. Or a better way, new smart cards are deployed with embedded functions that generate public and private keys inside the card which means your private key is not exported to anywhere.
New deployed cards are capable of PKI functions which you do not need to export the private key to the application you use. For example when you want to send a signed mail, your mail applications first generates a hash of the document you just wrote and starts the communication with the card. Your application sends the hash value to the card which is than signed with your private key inside the card. By this way your private key is never exported to the public, your computer.
Also, while accessing your remote shell account you could use ssh, secure shell, client. In man page of OpenSSH, an authentication method for ssh protocol 2 is described. Main purpose of the method is true identification of the person trying to access the account and secure connection between the host, if the user is accepted. Theoretically, only you can know your private key. Although your private key is only readable by yourself, this could be a security risk. But if your private key is inside a smart card, this is an increased security. Of course, a smart card can get lost. But at this point another security subject is on the line, your PIN. Generally speaking, smart card's security comes from two things, one you know and one you own.
SSH is not the only application that smart cards can be used. Other applications like, money transactions on the net, identification of yourself to the website you connect can be done with smart cards. The system is more or less the same. Your identification is checked via your private key and secure session is started with your keys. Than application specific part comes which is designed and deployed by the service provider of the application. Some money transactions are just done inside the smart card but some applications just ask the card for your banking account number. There could be more methods.
Electronic locks that can communicate with a smart card can be found on the market. PKI can support, in addition to the mutual authentication between the card and the reader, access accounting in the building. Just mutual authentication can be used or the lock ask to a local server that keeps the user data and checks if the user is permitted to go behind the door. And whether the permission is granted or not the server keeps the tracks of the access trials.
With integration of smart cards into PKI world, many more applications could be built. These application are mostly security specific or to ease the life of the customers.