Statement of the Technical Field
This document concerns methods and systems for authentication, encryption and data storage. More particularly, this document concerns methods and systems to facilitate such enterprise-level functions that are commonly implemented using smart cards.
Description of the Related Art
A smart card is a pocket-sized card that contains an embedded electronic circuit (e.g. a secure microcontroller with internal memory) which can be read by a reader device by means of direct physical access or radio frequency signaling. Smart cards have many uses which range from encryption to authentication. Smart cards have the ability to store small amounts of data and can be designed to perform certain on-card processing functions. To facilitate such interactions, a conventional smart card is designed to interact with a hardware element which is commonly referred to as a smart card reader.
Many companies have strict requirements for auditing processes such as financial transactions and document approval. They need to know which employees authorized which steps and when. Similarly, the employees need to have a full understanding of the transaction they are approving and must be able to control the use of their credentials for this purpose. To facilitate these processes, a smart card can be issued to an employee for authentication and signing purposes. In such scenarios, the smart card may contain a private key for use in connection with a conventional public key infrastructure (PKI) scheme. The smart card may be used in conjunction with a personal identification number (PIN) passcode or a fingerprint reader to validate the user.
As an alternative to the use of smart cards, digital certificates for the purposes described herein have been issued directly to end users using “software certificate” support. In such implementations, a private key for use in a PKI system has been conventionally stored in the user's roaming profile. As is known, a roaming user profile is a feature of certain computer operating systems whereby a user can log on to any computer on the same network and access their documents as well as other data (such as digital certificates and/or private keys). But the user has no control over the private key, and it can be very easy for hackers to “steal” the key.
A conventional smart card provides certain advantages over systems which utilize certificates and private keys that are associated with a roaming user profile. For example, the smart card facilitates a hardware-based solution that is better at protecting the private key from being copied. Still, a smart card can be susceptible to loss/theft and may be used without authorization if the user's PIN can be deduced. Once physical control over a token such as a smart card is lost, it is hard for an enterprise to ensure that the key is not going to be used for unauthorized purposes. For example, such a situation may arise in scenarios where a smart card is not returned by an employee on termination.
Another challenge when using conventional smart cards is that they can hinder an auditing process which may be needed to reconstruct or track when and how a particular person's credentials have been used in connection with various transactions. Systems using smart cards can be designed to facilitate auditing, but these systems tend to be proprietary or built into different applications. Accordingly, it may not be possible to unify auditing, or some applications may not log all the appropriate information.