Slashdot Mirror

← Back to Stories (view on slashdot.org)

Smart Card Authentication in Mixed Environments?

Posted by Cliff on from the life-does-not-consist-of-only-one-monolithic-OS dept.

Rednerd asks: "I've been looking into Smart Cards as a good alternative to password authentication but other than the ISO 7816 standard there doesn't seem to be a lot of standards that govern the use of these devices. It seems pretty clear that if I was working in an all Sun, or Microsoft environment implementing a network wide Smart Card solution would be simple, but there doesn't seem to be a lot of heterogeneous Smart Card support out there. I was wondering what kind of experience slashdot readers have had with Smart Cards in mixed environments? What cards and card readers seem to work the best? How have remote users dealt with the use of Smart Cards?"

11 comments

  1. What a great idea! by tunah · · Score: 3, Funny
    Seen in the war room:

    Exec 1: We've been having problems with unauthorised access.

    Exec 2: Yes, the employees are using the word 'password' or their login names as their passwords.

    Exec 1: And the employees that *do* use secure passwords can never remember them.

    Exec 2: Yes, employees are stupid. They need Smart Cards to make them Smart!

    Exec 1: And I need a new car!

    --
    Free Java games for your phone: Tontie, Sokoban
  2. Careful... by Crazyscot · · Score: 4, Informative

    Are you proposing to use a smartcard alone to authenticate a login? Make sure you understand the security properties of what you're trying to achieve.

    A card is something you have, not hugely secure (easy to lend/steal, though easy lendability might be an advantage in some situations) unless combined with something you know (eg. passphrase) or something you are (insert the usual biometrics worries here.)

    If you want to build such a system yourself, GemPlus cards are very popular, also check out the smart cards division of Schlumberger. You can get RS232-connected card readers (sorry, the make escapes me); I'm not in touch in this field, but I'd be surprised if there weren't USB-connected and keyboard-embedded readers too.

    1. Re:Careful... by larien · · Score: 4, Insightful
      Yup, there are USB and keyboard devices. Where I work, we use smart cards in Win2K and Compaq keyboards with inbuilt card readers. Even the laptops have a card reader builtin. For older hardware being reused, there are external USB or serial readers available, but you really want to use the USB versions as they are apparently much faster than the serial or keyboard devices.

      Oh, and we have to have a PIN (it says PIN, but it's really a password) to log in as well, to prevent card theft being an easy back door into the system.

    2. Re:Careful... by coleman · · Score: 1

      I have the netsignia 210 smart card reader / programmer by litronic, it is a serial device.

      I have seen the native support for windows login in win 2k and Windows XP claims to support it w/o 3rd party software but I have yet to see it work with the above reader. Litronic wants you to purchase "netsign", which is around 70$ per liscense.

      If you find a way or get win xp to login with a smartcard / pin let me know.

      There is an open source movement for linux (might work for most unix os's) that was started by the university of michigan. (look at my ask slashdot from a little while back about xp login, there is a reply about the UM soultion).

      One cross platform thought would be to have an Active directory / domain controller for smart card login (yea ms sucks I know).

      Also lookin to the new smartcards that have thumbprint scanners on them (instead of the pin), they came out this year at comdex from siemens.

  3. CDSA / CSSM by Anonymous Coward · · Score: 0

    is one attempt (mostly Intel-driven, but Apple's on the bandwagon too, as are other companies) to produce a unified security architecture, including smart cards. Might be worth looking into (or not).

  4. Maybe you're looking for a java based solution? by fastenrath · · Score: 1

    Have a look at OpenCard and e.g. iButtons

    --
    THIS ACCOUNT IS NO LONGER IN USE, PLEASE DELETE.
  5. MUSCLE by Anonymous Coward · · Score: 0

    I thought you would maybe like to check MUSCLE

    It includes a very good PC/SC reader abstraction layer and other goodies like PAM modules, Perl wrappers,... Most of it runs on any Unix flavor (including Mac OS X).

    It won't give you a "Plug&Play" solution but most of the stuff is Open Source, so feel free to hack...

    For readers, you can have a look at the GemPlus's web store for USB & serial readers. The drivers are available on MUSCLE and as Debian packages.

  6. It can be done, but... by eldub1999 · · Score: 1

    First, there is almost no demonstrable ROI for using smart cards for logon only. You are better off looking into time-based tokens (SecurID, Defender, etc.) as they are cheaper, easier to maintain, suport and administer, and better supported as an OS authentication method.

    If you are set on cryptographic smart cards (my assumption), then you need something else to drive ROI. The easiest thing is to look at using cards for logon and S/MIME. The other way to go is to use the physical smart card an physical access device (HID and Honeywell can embed coils into the smart card).

    Not to pick, but whenever I see this question it scares me. It typically means that someone is more infatuated with the technology than with really trying to solve a business problem.

    Please, feel free to refute me if you think there is an ROI for smart card logon. I've never seen it.