Page 198 - DCAP403_Operating System
P. 198
Unit 10: System Protection
The inclusion of a signature and occasionally a photograph provide additional security when the Notes
card is used for purchases made in person.
The ATM card employs a more sophisticated use of a memory card, involving not only something
the user possesses, namely the card, but also something the user knows, viz. the PIN. A lost or
stolen card is not sufficient to gain access; the PIN is required as well. This paradigm of use seems
best suited to IT authentication applications.
While there are some sophisticated technical attacks that can be made against memory cards,
they can provide a marked increase in security over password only systems. It is important that
users be cautioned against writing their PIN on the card itself or there will be no increase in
security over a simple password system.
Memory cards can and are widely used to perform authentication of users in a variety of
circumstances from banking to physical access. It is important that the considerations mentioned
above for password selection are followed for PIN selection and that the PIN is never carried
with the card to gain the most from this hybrid authentication system.
10.5.3 Smart Card
A smart card is a device typically the size and shape of a credit card and contains one or more
integrated chips that perform the functions of a computer with a microprocessor, memory, and
input/output. Smart cards may be used to provide increased functionality as well as an increased
level of security over memory cards when used for identification and authentication.
Smart Cards are plastic cards that have integrated circuits or storage receptacles embedded in
them. Smart cards with integrated circuits that can execute transactions and are often referred to
as “active” smart cards.
Cards with memory receptacles that simply store information (such as your bank ATM card) are
referred to as “passive.” Whether or not a memory card is a type of smart card depends on who
you ask and what marketing material you are reading. Used to authenticate users to domains,
systems, and networks, smart cards offer two-factor authentication – something a user has, and
something a user knows. The card is what the user has, and the Personal Identifi cation Number
(PIN) is what the person knows.
A smart card can process, as well as store, data through its microprocessor; therefore, the
smart card itself (as opposed to the reader/writer device), can control access to the information
stored on the card. This can be especially useful for applications such as user authentication in
which security of the information must be maintained. The smart card can actually perform the
password or PIN comparisons inside the card.
As an authentication method, the smart card is something the user possesses. With recent
advances, a password or PIN (something a user knows) can be added for additional security
and a fingerprint or photo (something the user is) for even further security. As contrasted with
memory cards, an important and useful feature of a smart card is that it can be manufactured to
ensure the security of its own memory, thus reducing the risk of lost or stolen cards.
The smart card can replace conventional password security with something better, a PIN, which
is verified by the card versus the computer system, which may not have as sophisticated a means
for user identification and authentication.
The card can be programmed to limit the number of login attempts as well as ask biographic
questions, or make a biometric check to ensure that only the smart card’s owner can use it. In
addition, non-repeating challenges can be used to foil a scenario in which an attacker tries to
login using a password or PIN he observed from a previous login. In addition, the complexity of
smart card manufacturing makes forgery of the card’s contents virtually impossible.
LOVELY PROFESSIONAL UNIVERSITY 191
