4WWW95: smart tokens and their implementation


Smart Tokens:

secure transactions are the basis for electronic commerce on the World Wide Web. various security enhancements have been proposed, as described in the security tutorial. most of these enhancements involve public key cryptography, which in turn requires an authority issuing a pair of complementary encryption keys. if the private part of the key can be copied or made public, the authenticity of the transaction is no longer guaranteed. in a commercial environment, software-only solutions for protecting the private key are inherently vulnerable to attacks by viruses, password guessing schemes and any other methods of compromise.

a Smart Token, the subject of this paper, is a hardware device with associated software that has the ability to perform private key operations without the private key ever being vulnerable to compromise. it is an easily portable device about the size of, for example, a PCMCIA card. a smart token represents a trusted node on an untrusted network that carries secret data. it must be tamper-resistant, which means it must not be possible to open a smart token without breaking it. in addition, a smart token must be password protected, so even if it gets stolen, it will be difficult to impersonate its owner.
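the token boundary described above, as an added example that is not code from the paper or from any token vendor: the host supplies a password and a message and gets back only a signature, and repeated wrong passwords lock the token. the class name, the three-attempt lockout policy and the toy unpadded RSA key are assumptions made for illustration; in a real token the isolation comes from the hardware, not from the language.

```python
import hashlib, hmac, os

class TokenLocked(Exception):
    pass

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

class SmartTokenModel:
    """Models the token interface: signatures come out, the private key never does."""
    MAX_TRIES = 3  # assumed lockout policy, not taken from the paper

    def __init__(self, password: str):
        # Constructed toy RSA key built from two known Mersenne primes.
        # Far too small and unpadded for real use; a real token would
        # generate and keep its key inside tamper-resistant hardware.
        p, q = 2**127 - 1, 2**107 - 1
        self.n, self.e = p * q, 65537
        self.__d = pow(self.e, -1, (p - 1) * (q - 1))
        self.__salt = os.urandom(16)
        self.__pw_hash = self.__kdf(password)
        self.__tries_left = self.MAX_TRIES

    def __kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.__salt, 100_000)

    def public_key(self):
        return self.n, self.e  # the only key material the host ever sees

    def sign(self, password: str, message: bytes) -> int:
        if self.__tries_left == 0:
            raise TokenLocked("token locked after repeated wrong passwords")
        self.__tries_left -= 1  # spend the attempt before checking it
        if not hmac.compare_digest(self.__kdf(password), self.__pw_hash):
            raise PermissionError("wrong password")
        self.__tries_left = self.MAX_TRIES  # a correct password resets the counter
        return pow(digest(message, self.n), self.__d, self.n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    token = SmartTokenModel("correct horse")
    check = b"pay to: example merchant; amount: 10.00"  # constructed sample
    sig = token.sign("correct horse", check)
    print("signature verifies:", verify(token.public_key(), check, sig))
```
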

applications of smart tokens:

smart tokens might be used to:

WWW implementation: FSTC Electronic Check Project:

the Financial Services Technology Consortium (FSTC) is a collaboration of major banks, technology companies and laboratories that was formed to address the critical need for viable means of conducting electronic commerce on public networks. the Electronic Check Project (ECP) was developed by the FSTC to provide a secure, all-electronic payment system modeled after the familiar paper check.

a live demonstration was conducted on September 21, 1995 at the Bank of America in San Francisco. the demo included the purchase and payment by electronic check over the Internet, using a WWW browser in conjunction with an electronic check application. the check actually cleared electronically through the automated clearing house of the US banking system. a smart token performed the role of an electronic checkbook, generating and signing the first electronic check through the US banking system.

