Feature
The virtual smart card

https://doi.org/10.1016/S0965-2590(07)70116-0

Transactions conducted across the World Wide Web enable increased service availability and higher convenience at all levels. The web has been embraced for a significant amount of commercial and personal communication in nearly all regions, and increasingly, governments across the world are looking to provide internet-enabled services to citizens. For the Internet to be used to carry out sensitive operations, each party involved in a transaction or communication has to be able to confirm their identity in a trusted way. Data protection is also a priority to ensure secure and trustworthy transactions. Traditionally, it has been challenging to implement efficient solutions that address the above requirements, and those that have been implemented have not been flawless. As a result, the reputation of Internet-based transactions has suffered, and none of the systems widely deployed today has been bulletproof against increasingly sophisticated attacks. Guillaume Forget and Alexandre Stervinou of Cryptomathic explain.

A virtual smart card

The concept behind the ‘virtual smart card’ is based on the widely known Public Key Infrastructure (PKI) scheme, in which a user holds a unique public key pair certified by a trusted body, the Certification Authority, which issues a digital certificate. While one of the two keys can be made publicly available, the second one must be kept on a secure medium, as it enables its owner to prove his identity and to use it for authentication and/or signature purposes. It is therefore

How does that work?

Let's consider a real customer case scenario. If Claire, an eBanking user, wants to sign an order online, the first step would be for her to subscribe to the ‘virtual smart card’ service by providing her credentials and proving her identity at the local registration authority, which can be the local branch of a participating bank, for example. A public key pair and a certificate are then generated on a central server kept in a highly secure environment.

She would then activate the account with

Does it have a legal value?

As explained above, the concept behind the virtual smart card is derived from the PKI-based smart card scheme, but it comes without the complexity associated with the deployment of large-scale PKI systems. For all EU countries, national regulations refer to the transposition of the European Directive 1999/93/EC for secure signature creation devices. Compliance with the latter is achievable through the use of ‘virtual smart cards’ as it is possible to prove that keys are exclusively controlled by

This feature was provided by Guillaume Forget, Key Account Manager at Cryptomathic and Alexandre Stervinou, Senior Solutions Architect, Cryptomathic.