PKI, SSO and Smart Cards explained

Smart cards and hardware tokens have a few undeniable advantages, and those advantages become even more obvious when PKI, intelligent hardware tokens and single sign-on solutions for the web are combined. Here is an explanation of each component for a better understanding:

  1. A public key infrastructure (PKI) enables users of an unsecured public network such as the Internet to securely and privately exchange data through the use of public and private cryptographic key pairs that are obtained and shared through a trusted authority. The most common forms of public key infrastructure we encounter on the web are secured web pages and digitally signed and encrypted email messages.
  2. Digital certificates can be compared to a virtual container holding all kinds of different data. An X.509 certificate usually contains information about the owner of the certificate, the public key provided by the owner, the issuer of the certificate (called a certification authority), the purpose of the certificate, a serial number and other extensions.
  3. Smart cards and hardware tokens store cryptographic private keys and digital certificates in the memory of the intelligent chip that resides within the card. The keys are protected on the chip in such a way that they can be used, but there is no way to obtain or retrieve them. And in order to use a key stored on a smart card, the owner of the card must provide a password.
  4. Two-factor authentication systems such as smart cards overcome the weakness of single-secret authentication (like user name and password pairs) by requiring a second secret. Two-factor authentication uses a combination of the following items:
    • Something that the user has, like a smart card.
    • Something the user knows, such as a password.

    Since a smart card is the size of a credit card, and a USB token that of a key, it is easy to carry one around all the time. This gives the user the same experience and access rights everywhere.

  5. Single sign-on (SSO) on the web is a session and user authentication process that permits a user to authenticate once in order to access multiple web sites and applications. The provider of an SSO service usually also allows the storage of additional information about the user, which he or she in turn can share with the respective sites. The user makes use of a digital identity that the SSO provider knows and authenticates; by confirming this fact to relying web sites, the provider eliminates the need for separate user names across different web sites.

In practical terms, we can put all the pieces of this puzzle together by looking at what StartCom does:

  • StartCom issues digital certificates for various purposes and levels through its StartSSL™ PKI web site (StartSSL is a trade mark of the StartCom Certification Authority).
  • OpenID is a decentralized single sign-on system and an easy way to use a single digital identity across the Internet. StartSSL™ also functions as an OpenID provider, and each user who creates an account at the StartSSL™ web site receives a unique digital identity.
  • Access to and authentication for the StartSSL™ account is not protected by a user name; instead, each user receives a digital client certificate for authentication purposes during sign-up. The browser knows how to communicate with the server and presents the certificate when the server requests this type of authentication at login.
  • By installing this client certificate on a smart card or eToken, the account is protected by a two-factor authentication system and the digital identity is therefore extremely well secured. And since the keys are stored in the device, the user can carry the digital identity and certificates to work and home alike.
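The login flow described in these bullets, together with the certificate contents from item 2 and the card behaviour from item 3, as an added example written for this post in Go (not StartCom's or StartSSL's code): a toy CA issues a client certificate whose only purpose is client authentication, a simulated card signs the site's challenge only after the PIN is presented, and the site verifies the chain, the purpose and the signature. The names Card, IssueCard, Authenticate and "Example Root CA" are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Card is a toy smart card (constructed for this example, not PKCS#11): the private key never leaves it.
type Card struct {
	key  ed25519.PrivateKey
	pin  string
	Cert *x509.Certificate // the client certificate issued to the card holder
}
// Sign answers a login challenge only after the PIN (what you know) is presented to the card (what you have).
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("card: wrong PIN")
	}
	return ed25519.Sign(c.key, challenge), nil
}
// IssueCard plays the CA: a self-signed root issues a certificate whose only purpose is client authentication.
func IssueCard(user, pin string) (*Card, *x509.Certificate) {
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	root, _ := x509.ParseCertificate(caDER)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user}, NotBefore: from, NotAfter: to, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, root, userPub, caKey)
	cert, _ := x509.ParseCertificate(der) // owner, issuer, serial, validity and purpose all live in here
	return &Card{key: userKey, pin: pin, Cert: cert}, root
}
// Authenticate is the web site's side: verify the chain and purpose, then the signed challenge.
func Authenticate(root, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("challenge signature does not verify")
	}
	return cert.Subject.CommonName, nil // the authenticated digital identity
}
```

The site never sees the private key, only the certificate and a signature over its own challenge, which is exactly what lets the key stay locked inside the token.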
