Smart card technology offers a number of features that can be used to provide or enhance privacy protection in systems. The following is a brief description of some of these features and how they can be used to protect privacy.
Authentication. Smart card technology provides mechanisms for authenticating others who want to gain access to the card or device. These mechanisms can be used to authenticate users, devices, or applications wishing to use the data on the card’s or device’s chip. These features can be utilized by a system to protect privacy by, for example, ensuring that a banking application has been authenticated as having the appropriate access rights before accessing financial data or functions on a card.
Secure data storage. Smart card technology provides a means of securely storing data on the card or device. This data can only be accessed through the smart card operating system by those with proper access rights. This feature can be utilized by a system to enhance privacy by, for example, storing personal user data on the card or device rather than in a central database. In this example, the user has better knowledge and control of when and by whom their personal data is accessed.
Encryption. Smart card technology can provide a robust set of encryption capabilities including key generation, secure key storage, hashing, and digital signing. These capabilities can be used by a system to protect privacy in a number of ways. For example, a system based on smart card technology can produce a digital signature for the content of an email, providing a means to validate the email's authenticity. This protects the email message against undetected tampering after it is signed and provides the email recipient with an assurance of where it originated. The fact that the signing key originated from a smart card or device adds credibility to the origin and intent of the signer.
Strong device security. Smart card technology is extremely difficult to duplicate or forge and has built-in tamper-resistance. Smart card chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis.
Secure communications. Smart card technology can provide a means of secure communications between the card/device and readers. Similar in concept to security protocols used in many networks, this feature allows smart cards and devices to send and receive data in a secure and private manner. This capability can be used by a system to enhance privacy by ensuring that data sent is not intercepted or tapped into.
Biometrics. Smart card technology can provide mechanisms to securely store biometric templates and perform biometric matching functions. These features can be used to improve privacy in systems that utilize biometrics. For example, storing fingerprint templates on a smart card or device rather than in a central database can be an effective way of increasing privacy in a single sign-on system that uses fingerprint biometrics as the single sign-on credential.
Personal device. A smart card is, of course, a personal and portable device associated with a particular cardholder. The smart card plastic is often personalized, providing an even stronger binding to the cardholder. These features, while somewhat obvious, can be leveraged by systems to improve privacy. For example, a healthcare application might elect to store drug prescription information on the card instead of in paper form to improve the accuracy and privacy of a patient’s prescriptions. Smart card technology is also built into other portable personal devices, such as mobile phones and USB devices.
Certifications. Many of today’s smart cards and devices have been certified as complying with industry and government security standards. They obtain these certifications only after completing rigorous testing and evaluation by independent certification facilities. These certifications help systems protect privacy by ensuring that the security and privacy features and functions of the smart card hardware and software operate as specified and intended.