Treasury seeks smarter cards
- By William Jackson
- Nov 23, 1998
The Treasury Department has completed a four-month Internet commerce pilot of smart
cards and elliptic-curve cryptography in conjunction with the Secure Electronic
Transaction (SET) specification.
It worked very well, said Gary Grippo, program manager for electronic money
at Treasurys Financial Management Service. We learned that elliptic-curve
cryptography was more than 73 percent more efficient than the RSA [Data Security Inc.]
The cardholders made secure online retail purchases from Treasurys Bureau of
Engraving and Printing site in one of a handful of electronic commerce programs that FMS
Despite the pilots success, FMS is unlikely to roll out the scheme on a large
scale anytime soon. Smart cards are available but not widely used in this country. SET
transactions require special software that also is not widespread, and the current version
of the specification encrypts cards not via elliptic-curve but by the slower method of RSA
of Redwood City, Calif.
Nevertheless, Grippo said, he believes SET and elliptic-curve cryptography eventually
will be bundled with Web browsers just as Secure Sockets Layer security is now. And the
government prefers hard-token authentication for online security, which smart cards
provide, he said.
The pilot of the Treasury bureaus Web site, at http://moneyfactory.com, sold
souvenir items such as uncut currency and engravings. The bureau rang up about $6 million
in retail sales in fiscal 1997, 23 percent of them through mail and telephone orders.
Prior to the electronic pilot, customers could only use the Web site to print out order
forms for mailing.
During the pilot, customers shopped on an online catalog. When they started to check
out their purchases, the SET protocol launched.
Certicom Corp. of Toronto designed the elliptic-curve public-key cryptographic
algorithm based on points on an elliptic curve.
Its just a way of doing arithmetic that is harder to reverse, said
Philip Deck, chairman and chief executive officer of Certicom.
Because there are fewer ways to attack it, elliptic-curve encryption can have a shorter
key, which saves bandwidth. But it doesnt automatically give you a speed
benefit because the computations are more complex, Deck said.
Certicom tailored its proprietary computations to speed up the encryption.
The digital signature authority for the pilot was Digital Signature Trust Co., a
subsidiary of Zions First National Bank of Salt Lake City, which issued the MasterCard
smart cards. EC software came from GlobeSet Inc. of Austin, Texas.
Nine companies in all were involved in the pilot, which was open to their employees as
well as those of FMS and the Bureau of Engraving and Printing. The employees received
about 200 smart cards plus readers and software. Because the elliptic-curve key was short,
each smart card cost about $4, compared with $18 for cards with RSA keys.
Were not just trying to do cryptography faster, were trying to do it
cheaper, Deck said.
Lower cryptographic overhead at the gateway meant transactions proceeded about 40 times
fastera key to making SET acceptable to the public, Grippo said. The current version
of SET with RSA cryptography is too slow for consumers to accept it willingly,
Each of the pilot transactions took about 20 seconds, he said.
The strong security of a hard token in a smart card might have been overkill for the
small purchases from the Web site.
But the government is going for payment of fees and taxes, which will require
stronger security than we are using now, Grippo said.
As Internet commerce becomes mainstream, were going to see mainstream
fraud, he said. I think the market will react to the perceived security
In the meantime, the government will support SSL and current SET transactions, Grippo
said, and well give the citizens as many options as possible.
William Jackson is a Maryland-based freelance writer.