Mark Diodati, Burton Group, senior analyst, Identity and Privacy Strategies, concludes his talk with Jeff Gould, CEO & director of Research at Peerstone Research, about PKI and its application on different types of Web servers.
Peerstone: Are any big institutions or Web sites in the U.S. currently trying to do PKI with smart cards?
Diodati: I dont know of any financial institutions at present in the U.S. that are using smart cards to authenticate retail consumers. A few years ago, American Express experimented with smart card technology on its Blue card and also distributed smart card readers to consumers. But the deployment didnt gain traction. Now American Express is embedding something called contactless payment technology in the Blue card using RFID, which is much simpler than a full-fledged smart card. Using the card in retail stores will be more convenient and secure because you wont have to swipe the card in a reader, but it wont do anything for online transactions. But if we move from the consumer space to the enterprise, here smart cards are a much better fit. The hardware and software deployment issues become much more manageable, and many enterprises are deploying smart cards. One very prominent example is the federal government, which is deploying smart cards to federal employees and contractors as part of the HSPD-12 [Homeland Security Presidential Directive 12] initiative.
Peerstone: Wouldnt it be a reasonable compromise for consumers to store their private keys in a piece of software on their PC instead of on a smart card?
Diodati: Security and usability are two problems with traditional, software-based PKI. By default, the private key can be compromised when stored on a PC because it is not adequately protected. Also, mobility is a requirement for most users, but it only makes the security problem worse. Many users will want to copy their PKI credentials to more than one PC, so that they can authenticate from work and from home. But multiple copies of the PKI credentials creates more risk because the private key can now be attacked on multiple PCs. Also, the process of copying PKI credentials to multiple workstations is daunting from a usability perspective; its too difficult for most users.
Peerstone: How does mobile PKI work, and is it feasible for consumer applications?
Diodati: Several vendors, including Arcot and TriCipher, offer mobile PKI solutions that overcome many of the security and usability problems with traditional software-based PKI. From a security perspective, these two vendors have some secret sauce to protect the users private key. In the case of Arcot, it obfuscates the users private key so that it is nearly impossible to guess. With TriCipher, the users private key is split into two pieces, one of which is stored on a server-side appliance, and since it is never fully re-constituted at the workstation it cant be copied. Both solutions provide a roaming capability that enables the users PKI credentials to follow the user around to multiple PCs, and both do things to simplify the users experience. Mobile PKI that is deployed without client software can provide some benefits, but it cant do mutually authenticated SSL between the browser and Web server. That requires client software. But this creates an administrative burden, because the Windows security model usually requires that the user have Windows administrative privileges to install the mobile PKI client. Administrative privileges are usually not a problem for consumers, but enterprise users may have trouble installing the client because they commonly lack these privileges.
Peerstone: If this kind of software tool can provide the benefits of PKI authentication without the need for smart cards, why arent we seeing broad adoption of the technology?
Diodati: The main reason is that financial institutions do not want to take on the support and help desk costs associated with client software for their retail customers.
Peerstone: Do you think were ever going to get PC makers like Dell or HP to build smart-card hardware into every laptop, just like they did for Ethernet and USB ports?
Diodati: Most of the large PC makers have offered smart card readers as an option, going as far back as 10 years ago. Its an issue of economics. Consumers must see the value of a smart-card system before they will pay for it. I dont see that happening in the near-term. Also, the smart card reader is only half the solution. The reader also requires a specialized software driver that has to be installed and that wont necessarily work with every kind of card. But the software is getting smaller and easier to deploy as Windows matures.