Slashdot Mirror


Smart Cards for Windows XP Login?

coleman asks: "I just bought a used Litronic Netsignia 210 smart card reader / programmer from a friend for $20. It came with 2 Cyberflex Simera phase 2 + java sim cards from Schlumberger. I was looking for a way to use the smart card (with a pin) to log in to the machine. The Litronic people make a software called net sign that does this, but it is $99 and comes with a Netsignia 210. I'd rather not have to pay that much money for such software and am looking into other options. I have heard that the University of Michigan has done this, but I don't know if they've released any of their software. I've tried several searches on the net and have only found links on DSS hacking." Anyone know of cool smart card apps for Windows?

23 comments

  1. Using Smart Cards with Windows 2000/XP by eldub1999 · · Score: 4, Informative

    Using smart cards with Windows 2000/XP is a two-fold problem.

    First, you need to have the card manufacturer's Cryptographic Service Provider (CSP) installed. For Windows 2000/XP, the Schlumberger and Gemplus CSPs are installed and using a "Win2K Compatible" card from either of these vendors does not require the installation of additional software.

    The second part involves getting a certificate in the correct format onto the card. Assuming you are referring to PKINIT, you will need to have a card with only a single certificate that follows Microsoft's "Smart Card Logon" profile. Additionally, you will need to do some configuration on the Active Directory side to make it work.

    Microsoft summarizes the process in the following Knowledge Base article:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q281245

    One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAuthName field.

    It can be done. Good luck.

    1. Re:Using Smart Cards with Windows 2000/XP by seann · · Score: 1

      Can't you just make a program that monitors for the smartcard device's drive to be shut, reads the card, presents a window asking for your pin, and logs you in via sendkeys?

      Am I so outdated with this XP crap that the above would not work at all?

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    2. Re:Using Smart Cards with Windows 2000/XP by Fiznarp · · Score: 1

      It's a bit more involved than that. The operating system needs to be able to read a certificate off of the card and verify it against an authority before allowing you access. Simply using the card reader as a replacement for typing passwords would just defeat the whole purpose.

    3. Re:Using Smart Cards with Windows 2000/XP by seann · · Score: 1

      ahh I understand.

      nothing like a cheap hack though.
      heck you could have your roaming profile on that card too..

      meh
      whatever floats your boat

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    4. Re:Using Smart Cards with Windows 2000/XP by fm6 · · Score: 2
      One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAuthName field.
      OK, maybe I don't know what I'm talking about, but can't anybody be a CA? Of course, if you're not some recognized entity like Verisign or Thawte, other people shouldn't trust you to issue their certificates. But presumably you trust yourself!
  2. PIN? by fm6 · · Score: 2

    So if your smart card is your proof identity, what's the PIN for?

    1. Re:PIN? by monkeyserver.com · · Score: 1

      How secure would the card be if anyone could use it after they ganked it from him? I believe it is standard to have to enter a pin to access the data on a smart card (is it required? I can't remember, I haven't worked with these in years).

      This is similar to pins on digital certs (in many ways they are the same thing, but I digress): you need the proof that it's you, but just like your driver's licence or passport, someone could steal it. A pin is a simple way to further protect such an identity from becoming freely available to anyone with physical access to it.

      --
      http://monkeyserver.com --- weeeeee
    2. Re:PIN? by phamlen · · Score: 1
      Apologies for the non-technical language - I'm not up on all the techni-speak stuff.

      Typical security requires what is termed "multi-factor" authentication - that is, merely stealing a single piece of information will not give you access to the system.

      Cryptocards accomplish this by requiring the user to enter a PIN into the CARD in order to get the current passphrase (which is then entered into the computer).

      This means that in order to log in you must:

      1) have physical access to a "smart card"

      2) have the associated PIN to the smart card.

      Thus, someone who steals the smart card is out of luck without the PIN, and someone who knows the PIN is out of luck without the smartcard.

    3. Re:PIN? by mfarver · · Score: 5, Informative
      Any good auth system (according to Bruce Schneier) should use two things from the following list:
      • Something you have. (Smartcard, token card)
      • Something you know. (PIN, password)
      • Something you are. (Biometrics: fingerprint, iris scan, etc.)
      A smartcard + pin solution would be far better than a system that only used one form of auth. A smartcard can be stolen, but without the pin: no access. A password can be eavesdropped, but you'd need to swipe the card too.

      The best security is a layered defense...

    4. Re:PIN? by Anonymous Coward · · Score: 0

      Then the only advantage with the card method over the regular username/password is that you have to have physical access to the card to log in?

      Sure it's one extra layer, but is it enough?

    5. Re:PIN? by coleman · · Score: 1

      That was the whole point.

      Siemens came out with a new thumbprint smart card this year at comdex. You could use the card as the username and the thumbprint as the password . . .

  3. Certificate Authority by JMZero · · Score: 1

    It's probably worth creating your own Certificate Authority if you're going to deploy this.

    Our company was slow to adopt security until we did this. Verisign is great, but using an outside certificate provider makes managing certificates a huge heartache.

    In your case, you probably wouldn't need to add the new root certificate to all machines, but it's a fairly trivial matter to do so if needed.

    What we did is write a quick executable which included a serialized copy of the certificate. We then put this executable in user's login scripts. Note that however you do this, the user will need to click Yes to a system dialog box - a fairly simple matter but they'll need some warning.

    --
    Let's not stir that bag of worms...
  4. There are layers, and then there are layers by fm6 · · Score: 2
    I respect Schneier (God knows I quote him often enough) but on this issue he's being too doctrinaire. A layered defense is only useful if all the layers are serious defenses by themselves. Besides (quoting Schneier yet again) a bogus defense is not merely useless -- it's dangerous, because of the false sense of security it engenders.

    PINs are just not a credible way to secure information. A short character string chosen from a character set with only ten elements? That's about 8 bits of entropy. (Thanks Bruce, for teaching us about entropy.) Hardly worth the trouble.

    Of course, PINs are popular because they're easy to remember. But that just points up the problem with all password-based security systems: if the password is simple enough for most people to remember, it's simple enough to crack.

    Alternately, you can tell people to write down their password and keep it in a secure place. But that place had better not be the same place they keep the smart card! If you're going to do that, you might as well just issue two smart cards.

    Schneier trumpets the "social engineering" and "security as a process" doctrines with all the zeal of a convert. But he too often fails to see all their implications. You have to have a security process that doesn't overwhelm users with complicated detail, or else Captain Murphy steps in and the whole process breaks down.

    Here's a way to use smart cards that is perfectly adequate in most situations. Possession of the smart card is proof of identity, period. If the smart card is reported lost, you cancel it. Does this system have an obvious vulnerability? Of course it does. But the important question is, is it less secure than a smart-card-plus-PIN system?

    I would argue that the smart-card-only system is more secure. It lacks the extra "layer" of a PIN, but that's just an extra complication that is worse than useless.

    1. Re:There are layers, and then there are layers by Anonymous Coward · · Score: 0
      Are you really dumb enough to think that you can steal my wallet and use my bankcard before I contact the bank and tell them it has been stolen?

      Try the scenario with a PIN, and without.


      Without a PIN you could probably make it to the bank even if I knew you stole it within 1 minute. It will take me that long to call the bank and get through to someone before they even think of deactivating the card.

      With a PIN I probably have more time than that.

      And no. PIN + smart-card/mag strip are not terribly secure. But thanks, I'll take it over the current alternatives.

    2. Re:There are layers, and then there are layers by coleman · · Score: 1

      Exactly,

      The pin is designed to simply delay the use of the stolen card long enough to cancel the card.

      I.E. it is like a hold down timer for distance vector based routing, like IGRP. Except a hold down timer helps stop routing loops.

    3. Re:There are layers, and then there are layers by jmaslak · · Score: 3, Interesting

      This is incorrect. Proper smartcard implementations zeroize the key of the smartcard after a short number of incorrect PIN entries (a better word than PIN is "password", since it can be a traditional strong password).

      The result of this zeroization is that password guessing is not able to work most of the time, if your password isn't one of the first "x" that the attacker guesses. (I set "x" to 5)

      Because the card is zeroized, the only way to "reset" your password is to go - with the card - to someone with the authority to reinitialize your card. Once again, with proper implementation (policy), you won't be able to get that stolen card reinitialized without presenting photo ID (really good implementations have a combined smartcard/photo-id card implementation).

      Also, smartcards are not vulnerable to sniffing or keystroke monitoring. Even though you could capture the PIN with the monitor (but not sniffer), you still need the card.

      Finally, even a program running on the same computer as a logged-in smartcard user cannot get the private key off the card. Not even the smartcard user can do that - it is generated on the card and stays on the card (alternatively it is written, but not readable, and it is written from a secure non-networked terminal). Because the private key is needed to answer the cryptographic challenge - which can't be anticipated in advance - the smartcard must be in the attacker's possession. It eliminates almost all network based attacks (the only ones that remain are due to software bugs - not technology bugs).

      Thus, a compromise of one component of the smartcard system (either the PIN or the card) is not enough to attack the system. Both systems are guarded carefully in a well-implemented solution, making it very difficult to gain illicit access. Combined with widespread encryption and digital signatures - with decryption and signing taking place on the card - even a network-based attacker won't find any data he can read. (Yes, there are cryptographic attacks, but these are very difficult to do compared to normal computer security attacks.)
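      The mechanics that Fiznarp and jmaslak describe above (the host checks the card's certificate against an authority, the private key never leaves the card, a fresh challenge is signed on the card, and a retry counter zeroizes the key after a few wrong PINs) as an added Python model. This is not code from the thread, from Windows, or from any product mentioned here. It uses textbook RSA over small constructed primes so that it runs with the standard library alone; the PIN "4871", the subject name "coleman", the five-try limit and every class and function name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 5  # jmaslak's "x": wrong PINs tolerated before the card zeroizes (assumed)

class CardZeroized(Exception):
    """Raised once the retry counter is exhausted and the key has been destroyed."""

class ToyRSAKey:
    """Textbook RSA over small, constructed primes. Toy only: no padding, tiny modulus."""
    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e = p * q, e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, never exported

    def public(self):
        return (self.n, self.e)

    def sign(self, msg: bytes) -> int:
        h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % self.n
        return pow(h, self._d, self.n)

def verify(pub, msg: bytes, sig: int) -> bool:
    """Check a ToyRSAKey signature using only the public half (n, e)."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h

def cert_tbs(cert: dict) -> bytes:
    """To-be-signed bytes of the toy certificate: subject plus public key."""
    n, e = cert["pub"]
    return f"{cert['subject']}|{n}|{e}".encode()

def issue_cert(ca: ToyRSAKey, subject: str, pub) -> dict:
    """The CA binds a subject to a public key; any host with the CA public key can check it."""
    cert = {"subject": subject, "pub": pub}
    cert["ca_sig"] = ca.sign(cert_tbs(cert))
    return cert

class SmartCard:
    """Holds the private key and PIN; exposes only PIN verification and signing."""
    def __init__(self, key: ToyRSAKey, pin: str, cert: dict):
        self._key = key
        self._pin = pin
        self.cert = cert  # the certificate is public data and may be read freely
        self.tries_left = MAX_PIN_TRIES
        self._unlocked = False

    @property
    def zeroized(self) -> bool:
        return self._key is None

    def verify_pin(self, pin: str) -> bool:
        if self.zeroized:
            raise CardZeroized("key destroyed; card must be reinitialised in person")
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self.tries_left = MAX_PIN_TRIES
            return True
        self.tries_left -= 1
        if self.tries_left == 0:  # zeroize: the key is gone, not merely locked
            self._key = None
            self._pin = None
        return False

    def sign_challenge(self, challenge: bytes) -> int:
        if self.zeroized:
            raise CardZeroized("key destroyed")
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return self._key.sign(challenge)

def login(card: SmartCard, ca_pub, pin: str, expected_subject: str) -> bool:
    """What the logon host does: validate the certificate, then challenge the card."""
    cert = card.cert
    if cert["subject"] != expected_subject or not verify(ca_pub, cert_tbs(cert), cert["ca_sig"]):
        return False  # certificate was not issued by the trusted CA for this user
    if not card.verify_pin(pin):
        return False
    challenge = secrets.token_bytes(32)  # fresh nonce: a recorded login cannot be replayed
    return verify(cert["pub"], challenge, card.sign_challenge(challenge))

def guesses_before_lockout(card: SmartCard, guesses) -> int:
    """Feed wrong PINs until the card zeroizes; returns how many it processed at all."""
    processed = 0
    for guess in guesses:
        try:
            card.verify_pin(guess)
        except CardZeroized:
            break
        processed += 1
    return processed

def make_demo():
    """Constructed CA, card key, certificate and PIN for the example (all assumed values)."""
    ca = ToyRSAKey(2147483647, 1000000009)
    card_key = ToyRSAKey(1000000007, 998244353)
    cert = issue_cert(ca, "coleman", card_key.public())
    return ca.public(), SmartCard(card_key, "4871", cert)
```

      The point the model makes is that the host only ever sees a certificate and a signature over a nonce it chose itself, so a sendkeys-style script that types the PIN, a recorded logon exchange, or a keystroke logger that captures the PIN all fall short without the physical card, and `guesses_before_lockout` shows why a short PIN is tolerable when the card enforces its own retry counter. A real CSP runs the same exchange over PC/SC with a padded signature scheme and a 2048-bit key.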

  5. University of Michigan Smartcard Software, Info by wbraunoh · · Score: 4, Informative

    The University of Michigan's CITI group does indeed have a bundle 'o info and programs available for applications of a Smartcard environment if you're interested.

    Though I have to say I enjoy being able to login without one here at the moment, but maybe that's just me.

    1. Re:University of Michigan Smartcard Software, Info by coleman · · Score: 1

      Yea, I love the idea of smart cards.

      Here at Auburn we don't have the luxury of smartcard login.

      What does UM do for windows?

      Looks like we found something Linux can do for free that Windows can barely do for pay.....

  6. what the fuck is up with ask slashdot? by Anonymous Coward · · Score: 0

    has it been bought by Microsoft tech support or something?

  7. Assumptions by fm6 · · Score: 2
    What an assumption! You're sure the card's designer has anticipated every possible strategy the attacker might think of. That's not an assumption you should make in the real world.

    There are precisely two ways to protect information. One is to keep it physically inaccessible to a potential thief. A stolen smartcard just doesn't qualify, no matter how many clever tricks you program into it. People are still smarter than software.

    The other way is strong encryption. Eight bits is not strong.

  8. Write your own by Anthanos · · Score: 1

    You can replace the GINA interface in 2000/XP to support whatever you want. But for smartcard stuff, check out the discussion groups on www.codeguru.com and search for "GINA" - several others have gotten this working already, with no programming necessary.

    --
    pGina, http://www.xpasystems.com - Making the big boys play nice.
  9. Sun Version?? by Anonymous Coward · · Score: 0

    Sun have a new range of thin clients that go by the name of Sun Ray; authentication for login is via a smartcard. See the downloadable pdf at http://www.sun.com/sunray