STPA, a pragmatic, very secure, three party authentication scheme for the Internet,
based on today's smartcard technology

Pieter G. Maclaine Pont
SURFnet

<piet.maclaine.pont@surfnet.nl>



Co-author: Ali Odaci
Solid, hardware token based authentication for all web-applications, with the potential enhancement of full software-independent message-flow encryption... without having the initial expense of investing in the distribution of security tokens to all your end-users... that is the aim of STPA! Developed initially for the Dutch Student Chipcard, the protocol and its product-level implementation can be adopted for all currently used smartcards, e.g. bankcards that are currently in the possession of more than 50 million Europeans. STPA might generate new service opportunities for companies and organizations with a smartcard base at end-users.

STPA (for Smart Three Party Authentication) is a development outcome of the inventive work around the Dutch Student Chipcard (SCK), as conducted initially by the IBM Student Chipcard Innovation Team (ISCIT, see and ), later on picked up by SURFnet and SURFdiensten (see , look for SCK) in The Netherlands. The basic idea is to exploit an already existing and distributed base of smartcards for authentication against another (third) party. Since all smartcards distributed in large volumes in Europe are (Triple-) DES based, the protocol has been fully based on Triple-DES.

Pieter G. Maclaine Pont was a Sr. Industry Specialist at IBM Netherlands from 1968 until 1998 and is now an independent professional with a fixed relation with SURFnet and TNO TPD in The Netherlands. He has been involved in the development of consumer transaction systems since 1970.

Initially he was active in the introduction of supermarket scanning systems in Europe in the seventies. In the eighties he got involved in the development of payment transfer systems for the Dutch Banking Industry. His specific field of action was in the area of security and practical implementation of consumer payment systems (EFT/POS), interbanking networks and secure PC-based workstations.

In 1993 he assumed responsibility for the introduction of IBM microprocessor chipcards for consumer applications. He has been involved as architect and project manager with the Dutch Student Chipcard pilot project, which introduced advanced multi-application chipcard technology for 21000 students at two universities and a college, all in close cooperation with IB Groep and PTT Telecom and about 15 other companies and institutions.

His last activities and responsibilities within IBM have been in the field of chipcard technology and related areas. He is the founder and manager of ISCIT, the IBM Student Chipcard Innovation Team, a team of university and college students in their final stage that develops practical innovations in the field of telematics. He is now continuing these activities in cooperation with TNO TPD in Delft and AND Identification in Rotterdam under the name wISCIT (for weboriented Interdisciplinary Student Chipcard Innovation Team).

Finally, he has supervised a constant flow of publications by the (w)ISCIT team members. These can be found (as long as they are not confidential), with some of his own publications, on the Internet (www.wiscit.org). Pieter can be reached by e-mail at Piet@mullpon.com or by telephone at +31 (0)621 233 982. For his full CV see www.mullpon.com.


Last modified: March 8, 2000 (mk)