The privileges of membership
Smart cardbased security proves functionrich
You've heard it before and you'll hear it again: Security is a top concern
for government agencies and IT managers. The problem is that security measures
often interfere with end users' work.
The smart card largely manages to avoid this problem. It's a credit
card-like device with an embedded computer chip that stores information
or applications. Vendors haven't missed this fact, and as a result, bundled
smart card systems — which contain everything needed to install smart card-based
security on a workstation or network — are hitting the market.
We looked at one such system from Hewlett-Packard Co. called the HP
ProtectTools 2000 Smart Card kit. The kit is available in desktop PC and
notebook versions. We reviewed the desktop system, which comprises an external
card reader, two smart cards and a CD-ROM containing all software, including
HP's excellent TopTools management package.
The smart cards in our kit were Gemplus SA GemSafe cards, a special
version of a smart card that supports encryption/decryption and digital
signatures for secure Web access and e-mail exchange. The card stores a
separate password for access to these two functions.
HP ProtectTools 2000 is a comprehensive security system that uses two-factor
authentication, which means that two pieces of information are necessary
to gain access. In this case, a valid smart card and a password are required.
The password, or personal identification number, must be eight characters
long and may contain any combination of letters and numbers. Five failed
attempts at entering the PIN will render the card unusable.
The reader is a small, gray, rectangular device that plugs in to the
PC's serial port, with a keyboard pass-through connector for power. It's
not much longer or wider than the card itself, and it's just more than a
centimeter thick. It includes a flip-down stand that props the reader at
an angle for easy card insertion.
Installation was not difficult, although the documentation made the
process a tad trickier than necessary.
Even after installation, we found the documentation misleading at times.
For example, we followed the steps to set up folder encryption but hit a
dead end when we discovered that only existing empty folders can be encrypted
(folders cannot be created from within this process). This is not explained
anywhere in the manual, and the wording of the instructions is misleading.
The Security Manager is the heart of the HP ProtectTools 2000 system.
It offers loads of functions and flexibility. The interface has one window
with five tabs, which makes it very navigable. One oddity, though, is the
presence of an Accounts tab on our Windows 98 installation. According to
the manual, this function is only available with the Windows NT 4.0 and
Windows 2000 installations. (The function enables smart card owners to add
multiple accounts to the card.)
Windows 95/98 functions cover initializing new smart cards, changing
PINs, creating a recovery file and restoring a smart card. Restoration is
vital in case of loss, theft or a forgotten PIN.
Administrators can set an option that allows users to create their own
backup cards, although this lowers the security level. Another feature is
a secure screen saver that activates upon removal of the smart card.
Using HP ProtectTools 2000 with Windows NT 4.0 or Windows 2000 greatly
expands the management options. Administrators can set different log-on,
shutdown and workstation-lock policies, random password generation policies
and more. Also, two smart card readers can be attached to one machine so
an administrator can use one for securing access to the PC and the other
for managing smart card user accounts.
But keep in mind that smart card security has its pros and cons. One
key advantage of a smart card is its ability to store security credentials
in a safe place. Smart cards also offer a lot of flexibility in setting
security parameters. However, smart cards can be lost or stolen, so administrators
must be vigilant about creating recovery files or backup smart cards — and
ensure that those are not stolen.
But if you want a smart solution, this is a good one. The HP ProtectTools
2000 Smart Card kit provides a lot of security flexibility and is easy to
use. Our only significant complaint is with the kit's documentation.
NEXT STORY: SAP adds services, partners