Smart Cards for Windows XP Login?
coleman asks: "I just bought a used Litronic Netsignia 210 smart card reader / programmer from a friend for $20. It came with 2 Cyberflex Simera phase 2 + Java SIM cards from Schlumberger. I was looking for a way to use the smart card (with a PIN) to log in to the machine. The Litronic people make a software called NetSign that does this, but it is $99 and comes with a Netsignia 210. I'd rather not have to pay that much money for such software and am looking into other options. I have heard that the University of Michigan has done this, but I don't know if they've released any of their software. I've tried several searches on the net and have only found links on DSS hacking.
Anyone know of cool smart card apps for Windows?"
Using Smart Cards with Windows 2000/XP (Score:4, Informative)
First, you need to have the card manufacturer's Cryptographic Service Provider (CSP) installed. For Windows 2000/XP, the Schlumberger and Gemplus CSPs are installed and using a "Win2K Compatible" card from either of these vendors does not require the installation of additional software.
The second part involves getting a certificate in the correct format onto the card. Assuming you are referring to PKINIT, you will need to have a card with only a single certificate that follows Microsoft's "Smart Card Logon" profile. Additionally, you will need to do some configuration on the Active Directory side to make it work.
Microsoft summarizes the process in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=
One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAltName field.
It can be done. Good luck.
Certificate Authority (Score:1)
Our company was slow to adopt security until we did this. Verisign is great, but using an outside certificate provider makes managing certificates a huge heartache.
In your case, you probably wouldn't need to add the new root certificate to all machines, but it's a fairly trivial matter to do so if needed.
What we did is write a quick executable which included a serialized copy of the certificate. We then put this executable in users' login scripts. Note that however you do this, the user will need to click Yes to a system dialog box - a fairly simple matter but they'll need some warning.
Re:Using Smart Cards with Windows 2000/XP (Score:1)
am I so outdated with this XP crap, that the above would not work at all?
Re:Using Smart Cards with Windows 2000/XP (Score:1)
nothing like a cheap hack though.
heck you could have your roaming profile on that card too..
meh
whatever floats your boat
PIN? (Score:2)
Re:PIN? (Score:1)
This is similar to PINs on digital certs (in many ways they are the same thing, but I digress), you need the proof that it's you, but just like your driver's licence or passport, someone could steal it. A PIN is a simple way to further protect such an identity from becoming freely available to anyone with physical access to it.
Re:PIN? (Score:1)
Siemens came out with a new thumbprint smart card this year at Comdex. You could use the card as the username and the thumbprint as the password . . .
Re:PIN? (Score:1)
Typical security requires what is termed "multi-factor" authentication - that is, merely stealing a single piece of information will not give you access to the system.
Cryptocards accomplish this by requiring the user to enter a PIN into the CARD in order to get the current passphrase (which is then entered into the computer).
This means that in order to login you must:
1) have physical access to a "smart card"
2) have the associated PIN to the smart card.
Thus, someone who steals the smart card is out of luck without the PIN, and someone who knows the PIN is out of luck without the smartcard.
Re:PIN? (Score:5, Informative)
The best security is a layered defense...
There are layers, and then there are layers (Score:2)
PINs are just not a credible way to secure information. A short character string chosen from a character set with only ten elements? That's about 8 bits of entropy. (Thanks Bruce, for teaching us about entropy.) Hardly worth the trouble.
Of course, PINs are popular because they're easy to remember. But that just points up the problem with all password-based security systems: if the password is simple enough for most people to remember, it's simple enough to crack.
Alternately, you can tell people to write down their password and keep it in a secure place. But that place had better not be the same place they keep the smart card! If you're going to do that, you might as well just issue two smart cards.
Schneier trumpets the "social engineering" and "security as a process" doctrines with all the zeal of a convert. But he too often fails to see all their implications. You have to have a security process that doesn't overwhelm users with complicated detail, or else Captain Murphy steps in and the whole process breaks down.
Here's a way to use smart cards that is perfectly adequate in most situations. Possession of the smart card is proof of identity, period. If the smart card is reported lost, you cancel it. Does this system have an obvious vulnerability? Of course it does. But the important question is, is it less secure than a smart-card-plus-PIN system?
I would argue that the smart-card-only system is more secure. It lacks the extra "layer" of a PIN, but that's just an extra complication that is worse than useless.
Re:There are layers, and then there are layers (Score:1)
The pin is designed to simply delay the use of the stolen card long enough to cancel the card.
i.e. It is like a hold-down timer for distance vector based routing, like IGRP. Except a hold-down timer helps stop routing loops.
Re:There are layers, and then there are layers (Score:3, Interesting)
The result of this zeroization is that password guessing is not able to work most of the time, if your password isn't one of the first "x" that the attacker guesses. (I set "x" to 5)
Because the card is zeroized, the only way to "reset" your password is to go - with the card - to someone with the authority to reinitialize your card. Once again, with proper implementation (policy), you won't be able to get that stolen card reinitialized without presenting photo ID (really good implementations have a combined smartcard/photo-id card implementation).
Also, smartcards are not vulnerable to sniffing or keystroke monitoring. Even though you could capture the PIN with the monitor (but not sniffer), you still need the card.
Finally, even a program running on the same computer as a logged-in smartcard user can not get the private key off the card. Not even the smartcard user can do that - it is generated on the card and stays on the card (alternatively it is written, but not readable, and it is written from a secure non-networked terminal). Because the private key is needed to answer the cryptographic challenge - which can't be anticipated in advance - the smartcard must be in the attacker's possession. It eliminates almost all network based attacks (the only ones that remain are due to software bugs - not technology bugs).
Thus, a compromise of one component of the smartcard system (either the PIN or the card) is not enough to attack the system. Both systems are guarded carefully in a well-implemented solution, making it very difficult to gain illicit access. Combined with widespread encryption and digital signatures - with decryption and signing taking place on the card - even a network-based attacker won't find any data he can read. (yes, there are cryptographic attacks, but these are very difficult to do compared to normal computer security attacks)
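As an added example in Python (not code from any card vendor, CSP or from Windows), a model of the properties the reply above and the earlier multi-factor description rely on: a PIN retry counter that zeroizes the card, a secret that no method ever returns, and a fresh challenge per logon so a captured response cannot be replayed. HMAC-SHA256 with a card-resident secret stands in for the on-card private-key signature so the script needs only the standard library; a real card signs with an RSA or ECC key and the host verifies against the certificate's public key rather than a shared secret. The PIN values, the secret and the guess budget of 5 are constructed.

```python
"""Added example: a model of the card behaviour described in the thread, not
code from any real card, CSP or from Windows.  The card keeps its secret
on-card, needs the PIN before it answers a challenge, and zeroizes after
MAX_PIN_TRIES wrong PINs.  HMAC-SHA256 with a card-resident secret stands in
for the on-card private-key signature so only the standard library is needed;
a real card signs with an RSA/ECC key and the host holds only the public key.
PIN values and the secret are constructed for the demo."""
import hashlib
import hmac
import os

MAX_PIN_TRIES = 5          # the "x" from the reply above


class CardZeroized(Exception):
    pass


class CardLocked(Exception):
    pass


class SmartCard:
    def __init__(self, pin, secret):
        self._pin = pin
        self._secret = secret          # no method ever returns this
        self._tries_left = MAX_PIN_TRIES
        self._unlocked = False

    @property
    def zeroized(self):
        return self._secret is None

    def verify_pin(self, pin):
        """The correct PIN resets the counter and unlocks; a wrong one counts
        down, and at zero the card destroys its secret."""
        if self.zeroized:
            raise CardZeroized("card is zeroized; reinitialise it in person")
        if hmac.compare_digest(pin, self._pin):
            self._tries_left = MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        if self._tries_left == 0:
            self._secret = None
            self._pin = None
        return False

    def sign_challenge(self, challenge):
        if self.zeroized:
            raise CardZeroized("card is zeroized")
        if not self._unlocked:
            raise CardLocked("PIN not verified")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def remove(self):
        """Pulling the card from the reader drops the unlocked state."""
        self._unlocked = False


class Host:
    """The logon host: a fresh random challenge per logon, so a captured
    (challenge, response) pair is useless the next time."""
    def __init__(self, verify_key):
        self._verify_key = verify_key

    def new_challenge(self):
        return os.urandom(32)

    def check(self, challenge, response):
        expected = hmac.new(self._verify_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def make_pair(pin):
    """Issue a card and the host able to verify it (a shared secret only
    because HMAC is symmetric; see the note at the top)."""
    secret = os.urandom(32)
    return Host(secret), SmartCard(pin, secret)


def logon(host, card, pin):
    """Two factors: the PIN unlocks the card, the card answers the challenge."""
    if not card.verify_pin(pin):
        return False
    challenge = host.new_challenge()
    return host.check(challenge, card.sign_challenge(challenge))


def brute_force_pin(card, candidates):
    """Attacker holding a stolen card tries PINs in order.  Returns
    (pin_found, guesses_made); the retry counter, not PIN length, bounds it."""
    guesses = 0
    for pin in candidates:
        guesses += 1
        if card.verify_pin(pin):
            return pin, guesses
        if card.zeroized:
            break
    return None, guesses


if __name__ == "__main__":
    host, card = make_pair("4821")
    print("legitimate logon:", logon(host, card, "4821"))
    host2, card2 = make_pair("4821")
    all_pins = (f"{i:04d}" for i in range(10000))
    print("stolen card, brute force:", brute_force_pin(card2, all_pins), card2.zeroized)
```

The brute-force result is the point of the model: with the counter in place the attacker gets MAX_PIN_TRIES guesses no matter how many bits the PIN has, so the entropy argument made elsewhere in the thread only applies once the counter can be bypassed, for instance by reading the card's memory directly.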
Assumptions (Score:2)
There are precisely two ways to protect information. One is to keep it physically inaccessible to a potential thief. A stolen smartcard just doesn't qualify, no matter how many clever tricks you program into it. People are still smarter than software.
The other way is strong encryption. Eight bits is not strong.
University of Michigan Smartcard Software, Info (Score:4, Informative)
Though I have to say I enjoy being able to login without one here at the moment, but maybe that's just me.
Re:University of Michigan Smartcard Software, Info (Score:1)
Here at Auburn we don't have the luxury of smartcard login.
What does UM do for windows?
Looks like we found something linux can do for free that windows can barely do for pay.....
Write your own (Score:1)