Smart Cards for Windows XP Login?

coleman asks: "I just bought a used Litronic Netsignia 210 smart card reader / programmer, from a friend for 20$. It came with 2 Cyberflex Simera phase 2 + java sim cards from Schlumberger. I was looking for a way to use the smart card (with a pin) to log in to the machine. The litronic people make a software called net sign that does this, but it is 99$ and comes with a Netsignia 210. I'd rather not have to pay that much money for such software and am looking into other options. I have heard that the University of Michigan has done this, but I don't know if they've released any of their software. I've tried several searches on the net and have only found links on DSS hacking." Anyone know of cool smart card apps for windows?"

Using Smart Cards with Windows 2000/XP

[eldub1999]

Using smart cards with Windows 2000/XP is a two-fold problem.

First, you need to have the card manufacturer's Cryptographic Service Provider (CSP) installed. For Windows 2000/XP, the Schlumberger and Gemplus CSPs are installed and using a "Win2K Compatible" card from either of these vendors does not require the installation of additional software.

The second part to the involves getting a certificate in the correct format onto the card. Assuming you are refering to PKINIT, you will need to have a card with only a single certificate that follows Microsoft's "Smart Card Logon" profile. Additionally, you will need to do some configuration on the Active Directory side to make it work.

Microsoft summerizes the process in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=k b; EN-US;q281245

One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAuthName field.

It can be done. Good luck.

Re:Using Smart Cards with Windows 2000/XP

[fm6]

One of the hardest parts is finding a CA (besides Microsoft's) that will UTF8 encode the SubjectAuthName field.

OK, maybe I don't know what I'm talking about, but can't anybody be a CA? Of course, if you're not some recognized entity like Verisign or Thawte, other people shouldn't trust you to issue their certificates. But presumably you trust yourself!

PIN?

[fm6]

So if your smart card is your proof identity, what's the PIN for?

Re:PIN?

[mfarver]

Any good auth system (according to Bruce Schneier ) should use two things from the following list:

• Something you have. (Smartcard, token card)
• Something you know. (Pin, password)
• Something you are. (Biometrics, fingerprint iris scan etc

A smartcard + pin solution would be far better than a system that only used on form of auth. A smartcard can be stolen, but without the pin: no access. A password can be evesdropped, but you'd need to swipe the card too.

The best security is a layered defense...

There are layers, and then there are layers

[fm6]

I respect Schneier (God knows I quote him often. enough) but on this issue he's being too doctrinaire. A layered defense is only useful if all the layers are serious defenses by themselves. Besides (quoting Schneier yet again) a bogus defense is not merely useless -- it's dangerous, because of the false sense of security it engenders.

PINs are just not a credible way to secure information. A short character string chosen from a character set with only ten elements? That's about 8 bits of entropy. (Thanks Bruce, for teaching us about entropy.) Hardly worth the trouble.

Of course, PINs are popular because they're easy to remember. But that just points up the problem with all password-based security systems: if the password is simple enough for most people to remember, it's simple enough to crack.

Alternately, you can tell people to write down their password and keep it in a secure place. But that place had better not be the same place they keep the smart card! If you're going to do that, you might as well just issue two smart cards.

Schenier trumpets the "social engineering" and "security as a process" doctrines with all the zeal of a convert. But he too often fails to see all their implications. You have to have a security process that doesn't overwealm users with complicated detail, or else Captain Murphy steps in and the whole process breaks down.

Here's a way to use smart cards that is perfectly adequate in most situations. Possesion of the smart card is proof of identity, period. If the smart card is reported lost, you cancel it. Does this system have an obvious vulnerability? Of course it does. But the important question is, is it less secure than a smart-card-plus-PIN system?

I would argue that the smart-card-only system is more secure. It's lacks the extra "layer" of a PIN, but that's just an extra complication that is worse than useless.

Re:There are layers, and then there are layers

[jmaslak]

This is incorrect. Proper smartcard implementations zeroize the key of the smartcard after a short number of incorrect PIN entries (a better word then PIN is "password", since it can be a traditional strong password).

The result of this zeroization is that password guessing is not able to work most of the time, if your password isn't one of the first "x" that the attacker guesses. (I set "x" to 5)

Because the card is zeroized, the only way to "reset" your password is to go - with the card - to someone with the authority to reinitialize your card. Once again, with proper implementation (policy), you won't be able to get that stolen card reinitialized without presenting photo ID (really good implementations have a combined smartcard/photo-id card implementation).

Also, smartcards are not vulnerable to sniffing or keystroke monitoring. Even though you could capture the PIN with the monitor (but not sniffer), you still need the card.

Finually, even a program running on the same computer as a logged-in smartcard user can not get the private key off the card. Not even the smartcard user can do that - it is generated on the card and stays on the card (alternatively it is written, but not readable, and it is written from a secure non-networked terminal). Because the private key is needed to answer the cryptographic challenge - which can't be anticipated in advance - the smartcard must be in the attacker's possession. It eliminates almost all network based attacks (the only ones that remain are due to software bugs - not technology bugs).

Thus, a compromise of one component of the smartcard system (either the PIN or the card) is not enough to attack the system. Both systems are gaurded carefully in a well-implemented solution, making it very difficult to gain illicit access. Combined with widespread encryption and digital signatures - with decryption and signing taking place on the card - even a network-based attacker won't find any data he can read. (yes, there are cryptographic attacks, but these are very difficult to do compared to normal computer security attacks)

University of Michigan Smartcard Software, Info

[wbraunoh]

The University of Michigan's CITI group does indeed have a bundle 'o info and programs available for applications of a Smartcard environment if you're interested.

Though I have to say I enjoy being able to login without one here at the moment, but maybe that's just me.

Assumptions

[fm6]

What an assumption! You're sure the card's designer has anticipated every possible strategy the attacker might think of. That's not an assumption you should make in the real world.

There are precisely two ways to protect information. One is to keep it physically inaccessible to a potential thief. A stolen smartcard just doesn't qualify, no matter how many clever tricks your program into it. People are still smarter than software.

The other way is strong encryption. Eight bits is not strong.