Smart card kit secures PCs

French smart card maker Gemplus will shortly release the first smart card that conforms to Microsoft's PC-99 specification for systems with built-in card readers.

Storing digital certificates and encryption keys in software are insufficiently secure for serious electronic commerce applications, according to Olivier Chavrier, multimedia marketing manager for Gemplus. "Today's browsers and e-mail programs already have security measures installed but they are software-based solutions that require only a password for access," Chavrier said. "If the password is guessed, stolen or cracked, your online identity is vulnerable to misuse and fraud."

Windows NT 5.0 will also incorporate support for smart cards as a default installation, Chavrier noted, bringing the technology closer to the mainstream than ever.

Gemplus's product - GemSAFE - is a kit that can be plugged into a serial port or integrated into PCs. Software to drive the reader is supplied for Windows 95 and NT.

"[Smart cards provide] strong proof of identity" when sending e-mail or access Web sites, Chavrier said. The card can also be used to make PCs and other PC-based terminals - such as point-of-sale systems - user-independent since a user can be instantly recognised and their identity confirmed by any GemSAFE-equipped machine.

According to Chavrier, the user's identity is contained in an industry standard X.509 certificate stored on the smart card. The user's private keys never leave the card. GemSAFE cards can be used in PC/SC-compliant smart card readers, including the Gemplus GCR4 10 serial-port reader bundled with the product. Using a Microsoft Crypto-Service Provider and PKCS#1 1 libraries, both Microsoft and Netscape browsers are capable of providing SSL v3 client authentication to requesting Web servers via the certificate stored on the card. In addition, that certificate can be used in Microsoft and Netscape e-mail programs to securely exchange electronic mail via S/MIME.

The product will be available next month and the standard kit includes a Gemplus smart card, a smart card reader, software including the latest version of Microsoft and Netscape browsers and a voucher for a VeriSign digital certificate. For individual users the GemSAFE kit is priced at $99 (£60), with volume discounts available.

For businesses interested in deploying large-scale secure network access projects, a GemSAFE Evaluation Kit includes 25 GemSAFE logo cards and GCR4lO readers. Prices range from $1,999-$3,999 (£1,220 - £2,440) depending on services provided. Olivier says corporate customers can customise the card to incorporate their company logo,and employee photograph or other special graphics.

GemSAFE will sold through the Gemplus direct sales force and the Gemplus Web store.