Previous section.

Architecture for Public-Key Infrastructure (APKI)
Copyright © 1998 The Open Group

Requirements for Virtual Smartcard Services

A feature of PKI services is a need to store long-term personal security information (including private keys, certificates, and other information) in protected storage, to activate personal keys for use via an authentication procedure, and to use those keys for encryption, decryption, and signature activities.

There are two models for the processing and management of this information:

The first model may be supported by Smartcard technology in which the personal data is processed and managed within a separate hardware device (the Smartcard). However, the use of such Smartcards incurs the cost of additional hardware and software. They are therefore used in circumstances when the additional security they provide justifies the extra cost. An alternative approach is to use a software module in those circumstances when the additional security is not cost-justified.

Figure: Virtual Smartcard Service Structure

From an application perspective it is not relevant whether a hardware or software module is used, provided the requisite data and services may be accessed. Hence the concept of a Virtual Smartcard service, which may be layered over either hardware or software implementations, may be envisaged within a system architecture. Virtual Smartcard Service Structure illustrates the structure of this component.

The concept of a software module may be further extended to encompass services provided under the second model, based on a centralized repository. In this model, the client/server protocol for retrieval of private keys needs to be supported by the software personal security module subcomponent of the Virtual Smartcard service component, as illustrated in Virtual Smartcard Service Protocol, (the dotted arrow in the figure represents the protocol):

Figure: Virtual Smartcard Service Protocol

The concept of a Virtual Smartcard service may be extended to encompass the processing and management of all personal security information, whichever model of implementation is used.

The Virtual Smartcard service will contribute to generic solutions for end users who are facing real situations that can be summarized as follows:

The following problem scenarios illustrate issues regarding the management of the information contained on Smartcards:

Overview of Virtual Smartcard Services

A Virtual Smartcard service comprises three aspects:

  1. A configuration capability that allows transparent handling of diverse hardware or software security devices. These devices will be used as personal data repositories or providers of security mechanisms.

  2. An abstract data model through which personal information is accessed. This data model describes personal data in a two-level hierarchy. The first level consists of personal data domains (application domains or security domains); the second level consists of end users' identities.

  3. A set of functions designed to:

Example Data illustrates the type of data and a data structure that might be maintained by a Virtual Smartcard service.

Figure: Example Data

Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.

Contents Next section Index