Frequently Asked Questions

I. Why smartcards?

The basic question is:
 Is it acceptable that the network subscriber/user knows his or her own credentials (certificates, shared secrets, …)?
* Company entrances are not secured by passwords; employees usually use ID cards or smartcards.

* As intranet access is a major and vital resource, we believe that smartcards should be deployed to prevent parking lot attacks (an attacker joining the wireless network from outside the building).


* A smartcard is the only way to split security into two separate planes:
- Network Access Plane. Symmetric or asymmetric keys are stored in the smartcard. The card bearer can't read or modify these credentials.
- User Plane. The smartcard is unblocked by means of a Personal Identification Number (PIN) code, or by biometric identification (fingerprint, …).
Is smartcard performance sufficient?
* Smartcards usually include crypto-processors that perform a 2048-bit RSA operation in less than 0.5 s.

* Commercial Javacards have around 32-64 KB of memory available for bytecode storage.

* The size of an X.509 certificate is about 1 KB.

* As an illustration, the EAP-TLS applet (processing the EAP and TLS protocols) is around 20 KB.

* The new generation of smartcards based on FLASH technology supports one megabyte of memory.

II. What is the EAP smartcard?

* A smartcard that processes EAP messages.

* It supports multiple authentication methods:
 -  EAP-TLS, EAP-MD5, others

* The first EAP-TLS smartcard has been operational since June 17th, 2004.

What does it look like?
*  It is an applet written for Javacards.

* Specified by an IETF draft, “EAP-Support in smartcard”, draft-urien-eap-smartcard-07.txt

The EAP smartcard has won two awards:
* Sesame 2003, “Best Technological Innovation”, cartes’2003 exhibition, Paris, November 2003

* Card Technology Magazine, Breakthrough Awards 2004, “Innovation”, CardTech/SecureTech exhibition, Washington DC, April 2004.

III. The four EAP smartcard services

1- The operating system interface.
* An identity is a pointer to an authentication triplet (EAP-ID, EAP-Type, Credentials) stored in the EAP smartcard.

* A smartcard may manage several network accounts; the OS performs an identity discovery process in order to browse its contents.

* A profile is a collection of information, such as EAP-ID, EAP-Type, protocol version, list of preferred SSIDs, root certificates, user certificates, or any data the operating system needs in order to interoperate with the card or to select the right access point when several wireless networks are available.

2- The network interface.
* EAP messages are processed by the smartcard. At the end of the authentication method, a session key (the PMK) is computed.

3- The user/issuer interface.
* The smartcard is protected by two PIN (Personal Identification Number) codes, one managed by the card bearer and the other by the card issuer. For example, if the user's PIN is activated, the smartcard is locked (and can't be used) after three consecutive wrong PIN presentations.

4- The management/personalisation interface.

* This service updates the information (identities) stored in the smartcard.
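The four services above, modelled in a small Python example. This is added illustration, not code from the page or from the EAP smartcard project, and the names (EapSmartcard, Triplet, store_identity, discover_identities, process_eap) are hypothetical. What it shows is the split the page argues for: the host gets EAP-IDs and finished EAP Responses, while the credentials never leave the card object, and each of the two PINs has its own three-try counter. EAP framing and the MD5-Challenge computation follow RFC 3748 (Code | Identifier | Length | Type | Type-Data, Response = MD5(Identifier || secret || Challenge)). MD5-Challenge is used because it fits in a few lines; it derives no keying material, so no PMK appears here (with EAP-TLS, the card's real method, the PMK is derived from the TLS master secret). All packets and PINs are constructed.

```python
# Toy model of the four EAP smartcard services (added example; names are hypothetical).
import hashlib
import hmac
import struct
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE = 1, 2              # RFC 3748 Codes
EAP_TYPE_NAK, EAP_TYPE_MD5 = 3, 4             # RFC 3748 Types
MAX_PIN_TRIES = 3                             # card locks after three wrong PINs

@dataclass
class Triplet:
    eap_id: bytes
    eap_type: int
    credentials: bytes  # never returned by any card method

class CardLocked(Exception):
    pass

def eap_packet(code, ident, etype, data):
    """RFC 3748 framing: Code | Identifier | Length | Type | Type-Data."""
    body = bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class EapSmartcard:
    def __init__(self, user_pin, issuer_pin):
        self._pins = {"user": user_pin, "issuer": issuer_pin}
        self._tries = dict.fromkeys(self._pins, MAX_PIN_TRIES)
        self._verified = set()
        self._triplets = {}  # identity label -> Triplet

    # 3. user/issuer interface: two PINs, each with its own retry counter
    def verify_pin(self, role, pin):
        if self._tries[role] == 0:
            raise CardLocked(role)
        if not hmac.compare_digest(pin.encode(), self._pins[role].encode()):
            self._tries[role] -= 1
            if self._tries[role] == 0:
                raise CardLocked(role)
            return False
        self._tries[role] = MAX_PIN_TRIES
        self._verified.add(role)
        return True

    def _require(self, role):
        if role not in self._verified:
            raise PermissionError(f"{role} PIN not verified")

    # 4. management/personalisation interface: issuer PIN only
    def store_identity(self, label, triplet):
        self._require("issuer")
        self._triplets[label] = triplet

    # 1. OS interface: discovery exposes EAP-IDs and types, never credentials
    def discover_identities(self):
        self._require("user")
        return [(label, t.eap_id, t.eap_type) for label, t in self._triplets.items()]

    # 2. network interface: the card parses the Request and builds the Response
    def process_eap(self, label, request):
        self._require("user")
        t = self._triplets[label]
        code, ident, length = struct.unpack("!BBH", request[:4])
        if code != EAP_REQUEST or length != len(request) or length < 6:
            raise ValueError("malformed EAP Request")
        if request[4] == EAP_TYPE_MD5 and t.eap_type == EAP_TYPE_MD5:
            challenge = request[6:6 + request[5]]
            digest = hashlib.md5(bytes([ident]) + t.credentials + challenge).digest()
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest + t.eap_id)
        # any other method: Nak naming the type this identity is provisioned for
        return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes([t.eap_type]))

def authenticator_check(response, secret, challenge, ident):
    """Server side (RFC 3748 section 5.4): recompute MD5(Identifier || secret || Challenge)."""
    code, rid, _ = struct.unpack("!BBH", response[:4])
    if (code, rid) != (EAP_RESPONSE, ident) or response[4:6] != bytes([EAP_TYPE_MD5, 16]):
        return False
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(response[6:22], expected)

def demo():
    """Constructed walk-through of the four services; returns values a test can check."""
    card = EapSmartcard(user_pin="1234", issuer_pin="987654")
    card.verify_pin("issuer", "987654")  # personalisation needs the issuer PIN
    card.store_identity("corp-wifi", Triplet(b"alice@example.com", EAP_TYPE_MD5, b"s3cret"))
    card.verify_pin("user", "1234")  # the bearer unblocks the card
    identities = card.discover_identities()  # the OS browses the accounts
    ident, challenge = 7, bytes(range(16))  # constructed EAP-Request/MD5-Challenge
    request = eap_packet(EAP_REQUEST, ident, EAP_TYPE_MD5, bytes([16]) + challenge + b"nas")
    response = card.process_eap("corp-wifi", request)
    locked = EapSmartcard("1234", "987654")  # a fresh card: three wrong PINs lock it
    lock = [locked.verify_pin("user", "0000"), locked.verify_pin("user", "0001")]
    try:
        locked.verify_pin("user", "0002")
    except CardLocked:
        lock.append("locked")
    return {"identities": identities, "lock": lock,
            "auth_ok": authenticator_check(response, b"s3cret", challenge, ident),
            "wrong_secret": authenticator_check(response, b"guess", challenge, ident)}
```

Calling demo() runs the whole exchange offline. The point to notice is that nothing outside EapSmartcard ever touches the credentials field: the host sees the EAP-ID list and the finished Response, the authenticator sees only the digest, and the third wrong PIN raises CardLocked before any further use. That is the Network Access Plane / User Plane split of section I expressed as an interface.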