Smart Cards for Windows XP Login?

coleman asks: "I just bought a used Litronic Netsignia 210 smart card reader / programmer from a friend for $20. It came with 2 Cyberflex Simera phase 2 + java sim cards from Schlumberger. I was looking for a way to use the smart card (with a PIN) to log in to the machine. The Litronic people make a software called Net Sign that does this, but it is $99 and comes with a Netsignia 210. I'd rather not have to pay that much money for such software and am looking into other options. I have heard that the University of Michigan has done this, but I don't know if they've released any of their software. I've tried several searches on the net and have only found links on DSS hacking. Anyone know of cool smart card apps for Windows?"


  • by eldub1999 (515146) on Monday December 03, 2001 @12:02PM (#2647913)
    Using smart cards with Windows 2000/XP is a two-fold problem.

    First, you need to have the card manufacturer's Cryptographic Service Provider (CSP) installed. For Windows 2000/XP, the Schlumberger and Gemplus CSPs are installed, and using a "Win2K Compatible" card from either of these vendors does not require the installation of additional software.

    The second part involves getting a certificate in the correct format onto the card. Assuming you are referring to PKINIT, you will need to have a card with only a single certificate that follows Microsoft's "Smart Card Logon" profile. Additionally, you will need to do some configuration on the Active Directory side to make it work.

    Microsoft summarizes the process in the following Knowledge Base article:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q281245

    One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAuthName field.

    It can be done. Good luck.
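As an added illustration of the certificate profile eldub1999 describes (example code written for this page, not Microsoft's, Litronic's or the commenter's), the Python below builds the two X.509 extensions Windows keys on for smart card logon and checks extension bytes against them: a subjectAltName whose UPN is an otherName of type 1.3.6.1.4.1.311.20.2.3 carrying a UTF8String (the encoding point the comment raises), and an extendedKeyUsage containing Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2). The DER encoder and decoder are minimal ones written here rather than a library, and the UPN `coleman@example.com` is a made-up sample.

```python
"""Build and check the SAN/EKU extensions a Windows smart card logon certificate needs.
Standard library only; the DER handling is a minimal hand-written encoder/decoder."""

UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def san_with_upn(upn: str) -> bytes:
    """subjectAltName value: GeneralNames containing one otherName { UPN OID, [0] UTF8String }."""
    value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))      # [0] EXPLICIT UTF8String
    other_name = der_tlv(0xA0, der_oid(UPN_OTHERNAME_OID) + value)  # GeneralName [0] otherName
    return der_tlv(0x30, other_name)                                # GeneralNames SEQUENCE


def eku(oids) -> bytes:
    """extendedKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    return der_tlv(0x30, b"".join(der_oid(o) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def upn_from_san(san_der: bytes):
    """Return the UPN if the SAN holds a UPN otherName encoded as UTF8String, else None.
    A UPN otherName with any other string type (e.g. IA5String) is rejected on purpose."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    for gtag, gbody in _children(names):
        if gtag != 0xA0:                       # skip dNSName, rfc822Name, ...
            continue
        oid_tag, oid_body, pos = _read_tlv(gbody, 0)
        if oid_tag != 0x06 or _decode_oid(oid_body) != UPN_OTHERNAME_OID:
            continue
        vtag, vbody, _ = _read_tlv(gbody, pos)
        if vtag != 0xA0:
            continue
        stag, sbody, _ = _read_tlv(vbody, 0)
        return sbody.decode("utf-8") if stag == 0x0C else None
    return None


def eku_oids(eku_der: bytes):
    _, body, _ = _read_tlv(eku_der, 0)
    return [_decode_oid(b) for t, b in _children(body) if t == 0x06]


def smart_card_logon_ok(san_der: bytes, eku_der: bytes) -> bool:
    """Minimum the KDC expects: UTF8 UPN in SAN plus Smart Card Logon and Client Auth EKUs."""
    ekus = set(eku_oids(eku_der))
    return (upn_from_san(san_der) is not None
            and EKU_SMARTCARD_LOGON in ekus
            and EKU_CLIENT_AUTH in ekus)


if __name__ == "__main__":
    san = san_with_upn("coleman@example.com")                  # constructed sample UPN
    ok = smart_card_logon_ok(san, eku([EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON]))
    print("UPN:", upn_from_san(san), "| profile ok:", ok)
```

To check a real certificate from a third-party CA, feed `upn_from_san` and `eku_oids` the raw extension values (the OCTET STRING contents of the subjectAltName and extendedKeyUsage extensions, as shown by `openssl asn1parse`); a UPN that decodes as IA5String rather than UTF8String is exactly the case the comment warns about.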
    • It's probably worth creating your own Certificate Authority if you're going to deploy this.

      Our company was slow to adopt security until we did this. Verisign is great, but using an outside certificate provider makes managing certificates a huge heartache.

      In your case, you probably wouldn't need to add the new root certificate to all machines, but it's a fairly trivial matter to do so if needed.

      What we did is write a quick executable which included a serialized copy of the certificate. We then put this executable in users' login scripts. Note that however you do this, the user will need to click Yes to a system dialog box - a fairly simple matter but they'll need some warning.
    • can't you just make a program that monitors for the smartcard device's drive to be shut, reads the card, presents a window asking for your pin, logs you in via sendkeys?

      am I so outdated with this XP crap, that the above would not work at all?
    • One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAuthName field.
      OK, maybe I don't know what I'm talking about, but can't anybody be a CA? Of course, if you're not some recognized entity like Verisign or Thawte, other people shouldn't trust you to issue their certificates. But presumably you trust yourself!
  • by fm6 ( 162816 )
    So if your smart card is your proof identity, what's the PIN for?
    • How secure would the card be if anyone who ganked it from him could use it? I believe it is standard to have to enter a PIN to access the data on a smart card (is it required? I can't remember, I haven't worked with these in years).

      This is similar to PINs on digital certs (in many ways they are the same thing, but I digress); you need the proof that it's you, but just like your driver's licence or passport, someone could steal it. A PIN is a simple way to further protect such an identity from becoming freely available to anyone with physical access to it.
    • Apologies for the non-technical language - I'm not up on all the techni-speak stuff.

      Typical security requires what is termed "multi-factor" authentication - that is, merely stealing a single piece of information will not give you access to the system.

      Cryptocards accomplish this by requiring the user to enter a PIN into the CARD in order to get the current passphrase (which is then entered into the computer).

      This means that in order to login you must:

      1) have physical access to a "smart card"

      2) have the associated PIN to the smart card.

      Thus, someone who steals the smart card is out of luck without the PIN, and someone who knows the PIN is out of luck without the smartcard.

    • Re:PIN? (Score:5, Informative)

      by mfarver ( 43681 ) on Monday December 03, 2001 @01:02PM (#2648374) Journal
      Any good auth system (according to Bruce Schneier) should use two things from the following list:
      • Something you have. (Smartcard, token card)
      • Something you know. (PIN, password)
      • Something you are. (Biometrics, fingerprint, iris scan, etc.)
      A smartcard + PIN solution would be far better than a system that only used one form of auth. A smartcard can be stolen, but without the PIN: no access. A password can be eavesdropped, but you'd need to swipe the card too.

      The best security is a layered defense...

      • I respect Schneier (God knows I quote him often enough) but on this issue he's being too doctrinaire. A layered defense is only useful if all the layers are serious defenses by themselves. Besides (quoting Schneier yet again) a bogus defense is not merely useless -- it's dangerous, because of the false sense of security it engenders.

        PINs are just not a credible way to secure information. A short character string chosen from a character set with only ten elements? That's about 8 bits of entropy. (Thanks Bruce, for teaching us about entropy.) Hardly worth the trouble.

        Of course, PINs are popular because they're easy to remember. But that just points up the problem with all password-based security systems: if the password is simple enough for most people to remember, it's simple enough to crack.

        Alternately, you can tell people to write down their password and keep it in a secure place. But that place had better not be the same place they keep the smart card! If you're going to do that, you might as well just issue two smart cards.

        Schneier trumpets the "social engineering" and "security as a process" doctrines with all the zeal of a convert. But he too often fails to see all their implications. You have to have a security process that doesn't overwhelm users with complicated detail, or else Captain Murphy steps in and the whole process breaks down.

        Here's a way to use smart cards that is perfectly adequate in most situations. Possession of the smart card is proof of identity, period. If the smart card is reported lost, you cancel it. Does this system have an obvious vulnerability? Of course it does. But the important question is, is it less secure than a smart-card-plus-PIN system?

        I would argue that the smart-card-only system is more secure. It lacks the extra "layer" of a PIN, but that's just an extra complication that is worse than useless.

        • This is incorrect. Proper smartcard implementations zeroize the key of the smartcard after a short number of incorrect PIN entries (a better word than PIN is "password", since it can be a traditional strong password).

          The result of this zeroization is that password guessing is not able to work most of the time, if your password isn't one of the first "x" that the attacker guesses. (I set "x" to 5)

          Because the card is zeroized, the only way to "reset" your password is to go - with the card - to someone with the authority to reinitialize your card. Once again, with proper implementation (policy), you won't be able to get that stolen card reinitialized without presenting photo ID (really good implementations have a combined smartcard/photo-id card implementation).

          Also, smartcards are not vulnerable to sniffing or keystroke monitoring. Even though you could capture the PIN with the monitor (but not sniffer), you still need the card.

          Finally, even a program running on the same computer as a logged-in smartcard user can not get the private key off the card. Not even the smartcard user can do that - it is generated on the card and stays on the card (alternatively it is written, but not readable, and it is written from a secure non-networked terminal). Because the private key is needed to answer the cryptographic challenge - which can't be anticipated in advance - the smartcard must be in the attacker's possession. It eliminates almost all network based attacks (the only ones that remain are due to software bugs - not technology bugs).

          Thus, a compromise of one component of the smartcard system (either the PIN or the card) is not enough to attack the system. Both systems are guarded carefully in a well-implemented solution, making it very difficult to gain illicit access. Combined with widespread encryption and digital signatures - with decryption and signing taking place on the card - even a network-based attacker won't find any data he can read. (yes, there are cryptographic attacks, but these are very difficult to do compared to normal computer security attacks)
          • What an assumption! You're sure the card's designer has anticipated every possible strategy the attacker might think of. That's not an assumption you should make in the real world.

            There are precisely two ways to protect information. One is to keep it physically inaccessible to a potential thief. A stolen smartcard just doesn't qualify, no matter how many clever tricks you program into it. People are still smarter than software.

            The other way is strong encryption. Eight bits is not strong.
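To make the retry-counter and challenge-response argument in the zeroization comment above concrete, here is a toy model added for this page (it is not code from any real card, CSP, or from the commenters): a PIN-protected card that destroys its key after a fixed number of wrong PINs, answers a host challenge only while unlocked, and never hands out the key. The limit of 5 tries is taken from the comment; the class name `SimCard`, the PIN values and the 4-digit PIN length are assumptions. An HMAC key stands in for the card's private key, so the host's verifier holds a copy at enrollment; a real card would use a public-key signature and the host would keep only the certificate.

```python
"""Toy model of a PIN-protected smart card with a retry counter (illustration only)."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional


class SimCard:
    def __init__(self, pin: str, max_tries: int = 5):
        self._pin = pin.encode()
        self._key: Optional[bytes] = secrets.token_bytes(32)  # stand-in for the on-card private key
        self._max_tries = max_tries
        self.tries_left = max_tries
        self.unlocked = False
        self.zeroized = False

    def verify_pin(self, pin: str) -> bool:
        """Correct PIN unlocks the card and resets the counter; hitting zero destroys the key."""
        if self.zeroized:
            return False
        if hmac.compare_digest(pin.encode(), self._pin):
            self.tries_left = self._max_tries
            self.unlocked = True
            return True
        self.tries_left -= 1
        if self.tries_left == 0:
            self._key = None            # key material gone; only reinitialization by an admin helps
            self.zeroized = True
        return False

    def sign_challenge(self, nonce: bytes) -> Optional[bytes]:
        """Answer the host's challenge on-card; the key itself is never returned."""
        if not self.unlocked or self._key is None:
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

    def enrollment_verifier(self) -> Callable[[bytes, bytes], bool]:
        """What the host keeps from enrollment. With HMAC as stand-in this is a key copy;
        a real card would hand over only the public key inside its certificate."""
        key = self._key
        return lambda nonce, tag: hmac.compare_digest(
            hmac.new(key, nonce, hashlib.sha256).digest(), tag)


def login(card: SimCard, pin: str, verify: Callable[[bytes, bytes], bool]) -> bool:
    """Both factors: the PIN unlocks the card, the card proves possession by answering a fresh nonce."""
    if not card.verify_pin(pin):
        return False
    nonce = secrets.token_bytes(16)      # unpredictable, so an answer cannot be prepared in advance
    tag = card.sign_challenge(nonce)
    return tag is not None and verify(nonce, tag)


def brute_force_pin(card: SimCard, pin_length: int = 4) -> Optional[str]:
    """Attacker holding a stolen card tries PINs in order; the card zeroizes long before 10**n guesses."""
    for guess in range(10 ** pin_length):
        candidate = f"{guess:0{pin_length}d}"
        if card.verify_pin(candidate):
            return candidate
        if card.zeroized:
            return None
    return None


if __name__ == "__main__":
    card = SimCard("4821")                          # constructed sample PIN
    verify = card.enrollment_verifier()
    print("owner login:", login(card, "4821", verify))
    stolen = SimCard("4821")
    print("brute force result:", brute_force_pin(stolen), "| zeroized:", stolen.zeroized)
```

The two failure modes the thread argues over are both visible here: a PIN that happens to sit in the attacker's first five guesses is still recovered, which is the "first x guesses" caveat, and once the counter hits zero the legitimate owner is locked out too and needs the card reinitialized.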

  • by wbraunoh ( 22509 ) on Monday December 03, 2001 @02:57PM (#2649263) Homepage
    The University of Michigan's CITI group does indeed have a bundle 'o info and programs [umich.edu] available for applications of a Smartcard environment if you're interested.

    Though I have to say I enjoy being able to login without one here at the moment, but maybe that's just me.
  • You can replace the GINA interface in 2000/XP to support whatever you want. But for smartcard stuff checkout the discussion groups on www.codeguru.com and search for "GINA" - several others have gotten this working already, with no programming necessary.

