NIST aims for a better smart card
Agency to test a technology that puts the verification process in the card itself rather than in the reader
- By Michelle S. Haase
- Jun 29, 2007
The National Institute of Standards and Technology is inviting vendors to participate in a feasibility study to determine whether a technology called Secure Biometric Match-on-Card can be used with contactless smart cards in government applications. The agency wants to determine whether the resulting transactions would be secure, accurate and fast enough for government use.
Contactless smart cards use radio frequency technology to communicate with a card reader, so they don't have to be swiped, as conventional smart cards do.
The technology would allow biometric template verification to take place inside the smart card's processor instead of inside the smart-card reader.
'The advantage of Match-on-Card is that you can decrypt [the biometric template] with keys that are held in the card that were placed there by the issuing agency, so you don't need to have the reader manufacturer or the local operating entity know those secrets,' said Walter Hamilton, senior consultant at Identification Technology Partners. 'That makes the management of cryptographic keys much safer.'
But when you use this technology with contactless smart cards, there is a risk that a thief could steal the information as it travels through the air via radio waves.
'There's a definite trend in the ID card industry to move to contactless cards,' said Bill MacGregor, personal identity verification coordinator at NIST. 'So the question arose: Could we combine Biometric Match-on-Card capability with contactless cards in a way that is practical, usable and secure?'Give and take
The challenge is that when you beef up security and improve accuracy, you slow down transaction time. NIST is interested in whether vendors can provide solutions that offer an acceptable level of accuracy and security while performing the transaction in a reasonable amount of time.
'It's easy to make things work fast if the accuracy requirement is decreased to a very low level,' MacGregor said. 'We need to set an accuracy threshold, and we need to test for that threshold, and at the same time we need to know that the protocol that's used to communicate between the reader and the card protects the privacy of the information so it can't be sniffed or skimmed in any way.'
NIST will test the submitted products on a PC that is connected to a smart-card reader. The software on the PC will carry out the authentication procedure and time each phase of the transaction. The set of tests will be run multiple times for each product.
MacGregor said NIST is not setting any standards at this point. 'We don't even have a fixed specification for these devices, and there won't be one for this study, so we're willing to accept great variability in the products.'
The testing has not yet begun, but NIST is ready to start as soon as vendors can deliver products.
Vendors must complete an Intention to Participate form and send it to NIST by July 20. Products must be submitted by August 20.
For more information and links to the forms, visit www.csrc.nist.gov.