DND implements smart card security

For the Canadian Department of National Defence (DND), protecting the country is the number one concern. But in order to serve and protect more efficiently, the DND realized that its previous paper-based system – literally keeping paper copies and records of sensitive information – had to go.

Last month the DND announced it is revamping its old system in favour of a public key infrastructure (PKI) that will include software provided by Plano, Tex.-based Entrust Inc. In a $5.2 million contract, the DND has also sought the help of Ottawa-based EXOCOM Group Inc. to provide and deploy over 80,000 Entrust-ready PKI smart cards, smart card readers and software to enable DND employees to access corporate information networks securely.

In a partnership with Datakey Inc., EXOCOM has developed the Entrust-ready smart cards that are able to store individual user digital signatures as well as user credentials for authentication purposes. The use of smart cards will also allow for the transfer of non-classified sensitive information via e-mail between DND employees.

“The whole rationale behind smart cards is that (they) provide a secure place for the storage of private keys,” said Major Gareth Gill of the DND. “It is almost impossible to remove the private keys from the card. It is the cheapest way to provide the secure functionality we needed.”

Gill said that the DND intends to conduct various forms of digitally signed e-mail and added that once a document has been electronically signed it is legally binding. Gill noted that this will rid the DND of the need to keep physical paper copies of signed documents.

“In order for a digital signature to be legally binding, there can only be one key,” Gill said. “The key has to be irrevocably bound to the person that is signing the document. You are not allowed to back up these keys or make copies and the smart card provides you with the ability to localize the key ownership and to bind it to a single person. Basically it is a protective aspect making sure that there is only one copy of the key and it is only bound to the person carrying the card.”

According to Gary Miller, vice-president of strategy and business development for EXOCOM, the smart card deployment is meant to give the DND a sense of comfort in the integrity of communication. He said certificate credentials of individual users are stored on the smart card. For authentication purposes, users are asked to insert their card into a smart card reader and then provide the password to their smart card credentials before being allowed to access a network.

“If I chose to encrypt an e-mail for another person, at that time I would be asked to log on to my credentials on my smart card and thereby prove who I say I am,” said Walter Dann, manager of engineering and implementation division for EXOCOM. “I have two factors of authentication: I have something – the smart card – and I know something – the password to unlock my credentials on the smart card.”

EXOCOM’s Miller said that a contract of this calibre really signifies to the market that the long-awaited acceptance of smart card technology is at hand. He said that for the DND, the smart cards allow it to have better access and greater reach to all its members without sacrificing security.