One topic that arises more and more frequently in conversations that I have – whether it’s with analysts and media, IT security professionals I meet in the course of my work, or my company’s government and military customers – is the state of smartcard and certificate technology to securely access highly sensitive systems.
Many of our key government and military customers use PKI for authentication and authorization, as well as smartcards. I have always been a staunch supporter of PKI, FIPS 201, PIV, HSPD-12 and certificates for authentication, encryption, signing and other usages where physical possession of the crypto device can enable a truly secure environment.
One of the inhibiting factors (until now) in smartcard adoption by ISVs and customers was the poor situation regarding smartcard middleware and Internet browser integration. For reference, the middleware layer provides a standardized way for the operating system and web browsers to read from and manage smartcards and certificates.
In older US Government desktops running Windows XP and CAC cards, everything – including reader and card device drivers, middleware and libraries – was a proprietary, extra-cost item. The exclusive use of proprietary solutions in older generations of desktops meant that if an ISV wanted to support the government CAC smartcard standard, it became an enormous endeavor that required obtaining development kits and software from proprietary vendors. The makers of CAC cards, readers and middleware generally have little interest in helping ISVs. As a result, very few commercial software packages that supported CAC cards were developed, much to the dismay of the US Government.
But starting in Windows Vista and continuing into Windows 7, Microsoft implemented an improved certificate and smartcard middleware layer that ships with the operating system as a standard component, and also provides drivers for the card readers and cards. The drivers install automatically from Microsoft Update when the readers and cards are first plugged into a computer running Windows Vista or Windows 7 (as well as Server 2008 and 2008 R2).
Universal and Documented Smartcard Support
With the new universal smartcard support within Windows, it is now simple to support these devices. Microsoft provides a well-documented programmer interface, as well as middleware and transparent access to drivers for common devices and smartcards.
This new technology allows the US Federal Government to move past the CAC debacle into the era of PIV cards with a fresh operating system that has all of the drivers and middleware built-in or readily available via automatic updates.
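To show what the built-in middleware layer gives an administrator or ISV without any vendor kit, here is an added PowerShell example (not code from the original post or from the author's products). It assumes Windows Vista/7 or later with the Windows-supplied smartcard stack and PowerShell 2.0 or newer. It lists the certificates in the current user's personal store that are eligible for smartcard logon, reports whether the private key is exposed by a hardware (smartcard) provider, and checks that each certificate chains to a trusted root with revocation checking enabled. The EKU OIDs are the standard Microsoft Smart Card Logon and id-kp-clientAuth values; the function names are my own.

```powershell
# Added example (not from the original post). Lists personal-store certificates
# usable for smartcard logon and reports whether the Windows-supplied middleware
# exposes their private key as a hardware (smartcard) key, plus chain status.
# Assumes Windows Vista/7 or later with the built-in smartcard stack; no
# third-party middleware is needed.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth (PIV Authentication certs commonly carry this)

function Get-EnhancedKeyUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-TrustedChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A logon decision must not skip revocation; check the whole chain online.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok     = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()
    return New-Object PSObject -Property @{ Trusted = $ok; Status = $status }
}

Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    $ekus = Get-EnhancedKeyUsage $cert
    if (-not ($ekus -contains $SmartCardLogonEku -or $ekus -contains $ClientAuthEku)) { return }

    # Keys handled by a legacy CSP expose container info; a smartcard CSP reports
    # HardwareDevice = $true. CNG (KSP) keys expose no PrivateKey object through
    # this property on older .NET, so report "unknown" rather than failing.
    $onHardware = 'unknown'
    $provider   = 'unknown'
    try {
        $info = $cert.PrivateKey.CspKeyContainerInfo
        if ($info) { $onHardware = $info.HardwareDevice; $provider = $info.ProviderName }
    } catch { }

    $chainResult = Test-TrustedChain $cert
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        SmartCardEku = ($ekus -contains $SmartCardLogonEku)
        Provider     = $provider
        OnHardware   = $onHardware
        ChainTrusted = $chainResult.Trusted
        ChainStatus  = $chainResult.Status
    }
} | Format-Table -AutoSize Subject, SmartCardEku, OnHardware, Provider, ChainTrusted, ChainStatus, NotAfter
```

Run it with the card inserted; a certificate whose private key lives on the card shows `OnHardware` as `True` with a provider such as the Microsoft Base Smart Card Crypto Provider, while a `ChainStatus` of anything other than `NoError` (for example a revocation failure or an untrusted root) is exactly the condition an authentication path should reject.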
Over the last few years my company has implemented all sorts of authentication and authorization mechanisms within our privileged identity management (PIM) products to match the needs of our corporate and government users. Our integrated authentication solutions include LDAP servers, Kerberos, NTLM, databases, and a rich OATH implementation for multi-factor authentication (in addition to RSA SecurID).
Many of our government users have been asking us to provide a solution for PKI. For the next versions of our PIM products we're including full-blown PKI support, with certificate enrollment, authentication and authorization. Our goal is to make it easy to use all of the different smartcard and certificate formats, including PIV, with our security products.
Where do you see this technology headed in coming years and how are you planning on working with it? Leave a comment below. You can also follow my company on Twitter.