The privileges of membership

Smart card-based security proves function-rich

You've heard it before and you'll hear it again: Security is a top concern for government agencies and IT managers. The problem is that security measures often interfere with end users' work.

The smart card largely manages to avoid this problem. It's a credit card-like device with an embedded computer chip that stores information or applications. Vendors haven't missed this fact, and as a result, bundled smart card systems — which contain everything needed to install smart card-based security on a workstation or network — are hitting the market.

We looked at one such system from Hewlett-Packard Co. called the HP ProtectTools 2000 Smart Card kit. The kit is available in desktop PC and notebook versions. We reviewed the desktop system, which comprises an external card reader, two smart cards and a CD-ROM containing all software, including HP's excellent TopTools management package.

The smart cards in our kit were Gemplus SA GemSafe cards, a special version of a smart card that supports encryption/decryption and digital signatures for secure Web access and e-mail exchange. The card stores a separate password for access to these two functions.

HP ProtectTools 2000 is a comprehensive security system that uses two-factor authentication, which means that two pieces of information are necessary to gain access. In this case, a valid smart card and a password are required. The password, or personal identification number, must be eight characters long and may contain any combination of letters and numbers. Five failed attempts at entering the PIN will render the card unusable.

The reader is a small, gray, rectangular device that plugs into the PC's serial port, with a keyboard pass-through connector for power. It's not much longer or wider than the card itself, and it's just over a centimeter thick. It includes a flip-down stand that props the reader at an angle for easy card insertion.

Installation was not difficult, although the documentation made the process a tad trickier than necessary.

Even after installation, we found the documentation misleading at times. For example, we followed the steps to set up folder encryption but hit a dead end when we discovered that only existing empty folders can be encrypted (folders cannot be created from within this process). This is not explained anywhere in the manual, and the wording of the instructions is misleading.

The Security Manager is the heart of the HP ProtectTools 2000 system. It offers loads of functions and flexibility. The interface has one window with five tabs, which makes it very navigable. One oddity, though, is the presence of an Accounts tab on our Windows 98 installation. According to the manual, this function is only available with the Windows NT 4.0 and Windows 2000 installations. (The function enables smart card owners to add multiple accounts to the card.)

Windows 95/98 functions cover initializing new smart cards, changing PINs, creating a recovery file and restoring a smart card. Restoration is vital in case of loss, theft or a forgotten PIN.

Administrators can set an option that allows users to create their own backup cards, although this lowers the security level. Another feature is a secure screen saver that activates upon removal of the smart card.

Using HP ProtectTools 2000 with Windows NT 4.0 or Windows 2000 greatly expands the management options. Administrators can set different log-on, shutdown and workstation-lock policies, random password generation policies and more. Also, two smart card readers can be attached to one machine so an administrator can use one for securing access to the PC and the other for managing smart card user accounts.

But keep in mind that smart card security has its pros and cons. One key advantage of a smart card is its ability to store security credentials in a safe place. Smart cards also offer a lot of flexibility in setting security parameters. However, smart cards can be lost or stolen, so administrators must be vigilant about creating recovery files or backup smart cards — and ensure that those are not stolen.

But if you want a smart solution, this is a good one. The HP ProtectTools 2000 Smart Card kit provides a lot of security flexibility and is easy to use. Our only significant complaint is with the kit's documentation.

REPORT CARD

HP ProtectTools 2000 Smart Card kit

Score: B+

Hewlett-Packard Co.

(800) 752-0900

www.hp.com

Price and availability: The HP ProtectTools 2000 Smart Card kit is available on the GSA schedule for $54.

Remarks: This system is easy to use and flexible, allowing administrators to customize security to a detailed level, especially when running Windows NT 4.0 or Windows 2000. The inclusion of HP TopTools is an excellent bonus. Unfortunately, messy documentation causes confusion during the installation process and leaves information gaps in some places.

BY Michelle Speir
December 11, 2000
