Slashdot Mirror


Smart Card Authentication in Mixed Environments?

Rednerd asks: "I've been looking into Smart Cards as a good alternative to password authentication, but other than the ISO 7816 standard there don't seem to be a lot of standards that govern the use of these devices. It seems pretty clear that if I were working in an all-Sun or all-Microsoft environment, implementing a network-wide Smart Card solution would be simple, but there doesn't seem to be a lot of heterogeneous Smart Card support out there. I was wondering what kind of experience Slashdot readers have had with Smart Cards in mixed environments? What cards and card readers seem to work the best? How have remote users dealt with the use of Smart Cards?"

11 comments

  1. fp by Anonymous Coward · · Score: -1, Offtopic

    5am first post!

  2. What a great idea! by tunah · · Score: 3, Funny
    Seen in the war room:

    Exec 1: We've been having problems with unauthorised access.

    Exec 2: Yes, the employees are using the word 'password' or their login names as their passwords.

    Exec 1: And the employees that *do* use secure passwords can never remember them.

    Exec 2: Yes, employees are stupid. They need Smart Cards to make them Smart!

    Exec 1: And I need a new car!

    --
    Free Java games for your phone: Tontie, Sokoban
  3. Careful... by Crazyscot · · Score: 4, Informative

    Are you proposing to use a smartcard alone to authenticate a login? Make sure you understand the security properties of what you're trying to achieve.

    A card is something you have, not hugely secure (easy to lend/steal, though easy lendability might be an advantage in some situations) unless combined with something you know (e.g. passphrase) or something you are (insert the usual biometrics worries here).

    If you want to build such a system yourself, GemPlus cards are very popular, also check out the smart cards division of Schlumberger. You can get RS232-connected card readers (sorry, the make escapes me); I'm not in touch in this field, but I'd be surprised if there weren't USB-connected and keyboard-embedded readers too.

    1. Re:Careful... by larien · · Score: 4, Insightful
      Yup, there are USB and keyboard devices. Where I work, we use smart cards in Win2K and Compaq keyboards with inbuilt card readers. Even the laptops have a card reader built in. For older hardware being reused, there are external USB or serial readers available, but you really want to use the USB versions as they are apparently much faster than the serial or keyboard devices.

      Oh, and we have to have a PIN (it says PIN, but it's really a password) to log in as well, to prevent card theft being an easy back door into the system.

    2. Re:Careful... by coleman · · Score: 1

      I have the netsignia 210 smart card reader / programmer by Litronic; it is a serial device.

      I have seen the native support for Windows login in Win 2K, and Windows XP claims to support it w/o 3rd-party software, but I have yet to see it work with the above reader. Litronic wants you to purchase "netsign", which is around $70 per license.

      If you find a way or get Win XP to log in with a smartcard / PIN, let me know.

      There is an open source movement for Linux (might work for most Unix OSes) that was started by the University of Michigan. (Look at my Ask Slashdot from a little while back about XP login; there is a reply about the UM solution.)

      One cross-platform thought would be to have an Active Directory / domain controller for smart card login (yeah, MS sucks, I know).

      Also look into the new smartcards that have thumbprint scanners on them (instead of the PIN); they came out this year at COMDEX from Siemens.
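
The card-plus-PIN login discussed in the "Careful..." replies above, sketched at the ISO 7816-4 level as an added example (not code from any poster or product named in the thread): the host sends a VERIFY command and the card, not the host, counts failed tries. `SimCard` is a hypothetical stand-in for real hardware, the PIN values are constructed, and sending the PIN as unpadded ASCII is an assumption, since real cards define their own PIN format.

```python
import hmac

def build_verify_apdu(pin, ref=0x00):
    """ISO 7816-4 VERIFY: CLA=00 INS=20 P1=00 P2=ref Lc, then the PIN bytes."""
    data = pin.encode("ascii")  # assumption: unpadded ASCII PIN
    if not 1 <= len(data) <= 255:
        raise ValueError("PIN must be 1..255 bytes for a short APDU")
    return bytes([0x00, 0x20, 0x00, ref, len(data)]) + data

def parse_status(response):
    """Interpret the trailing status word SW1 SW2 of a response APDU."""
    if len(response) < 2:
        raise ValueError("response APDU needs at least SW1 SW2")
    sw1, sw2 = response[-2], response[-1]
    if (sw1, sw2) == (0x90, 0x00):                # success
        return {"ok": True, "blocked": False, "tries_left": None}
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:        # 63 CX: X tries remain
        left = sw2 & 0x0F
        return {"ok": False, "blocked": left == 0, "tries_left": left}
    if (sw1, sw2) == (0x69, 0x83):                # authentication method blocked
        return {"ok": False, "blocked": True, "tries_left": 0}
    return {"ok": False, "blocked": False, "tries_left": None}

class SimCard:
    """Hypothetical simulated card: the retry counter lives on the card."""
    def __init__(self, pin, max_tries=3):
        self._pin = pin.encode("ascii")
        self._max = self._left = max_tries

    def transmit(self, apdu):
        if len(apdu) < 5 or len(apdu) != 5 + apdu[4]:
            return bytes([0x67, 0x00])            # wrong length
        if (apdu[0], apdu[1]) != (0x00, 0x20):
            return bytes([0x6D, 0x00])            # instruction not supported
        if self._left == 0:
            return bytes([0x69, 0x83])            # stays blocked, even for the right PIN
        if hmac.compare_digest(apdu[5:], self._pin):
            self._left = self._max                # success resets the counter
            return bytes([0x90, 0x00])
        self._left -= 1
        return bytes([0x63, 0xC0 | self._left])

def try_pins(card, pins):
    """Return the parsed status of each attempt; stop on success or block."""
    results = []
    for pin in pins:
        status = parse_status(card.transmit(build_verify_apdu(pin)))
        results.append(status)
        if status["ok"] or status["blocked"]:
            break
    return results
```

With the default of three tries, a card in the wrong hands allows three PIN guesses before it blocks, and after that it rejects even the correct PIN.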

  4. third post by Anonymous Coward · · Score: -1, Offtopic

    you lose

    Slow Down Cowboy!

    Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment.

    It's been 17 seconds since you hit 'reply'!

    If you this error seems to be incorrect, please provide the following in your report to SourceForge.net:

    * Browser type
    * User ID/Nickname or AC
    * What steps caused this error
    * Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
    * How many posts to this form you successfully submitted during the day

    * Please choose 'formkeys' for the category!
    Thank you.


  6. CDSA / CSSM by Anonymous Coward · · Score: 0

    is one attempt (mostly Intel-driven, but Apple's on the bandwagon too, as are other companies) to produce a unified security architecture, including smart cards. Might be worth looking into (or not).

  7. Maybe you're looking for a java based solution? by fastenrath · · Score: 1

    Have a look at OpenCard and e.g. iButtons

    --
    THIS ACCOUNT IS NO LONGER IN USE, PLEASE DELETE.
  8. MUSCLE by Anonymous Coward · · Score: 0

    I thought you would maybe like to check MUSCLE

    It includes a very good PC/SC reader abstraction layer and other goodies like PAM modules, Perl wrappers,... Most of it runs on any Unix flavor (including Mac OS X).

    It won't give you a "Plug&Play" solution but most of the stuff is Open Source, so feel free to hack...

    For readers, you can have a look at GemPlus's web store for USB & serial readers. The drivers are available on MUSCLE and as Debian packages.

  9. It can be done, but... by eldub1999 · · Score: 1

    First, there is almost no demonstrable ROI for using smart cards for logon only. You are better off looking into time-based tokens (SecurID, Defender, etc.) as they are cheaper, easier to maintain, support and administer, and better supported as an OS authentication method.

    If you are set on cryptographic smart cards (my assumption), then you need something else to drive ROI. The easiest thing is to look at using cards for logon and S/MIME. The other way to go is to use the physical smart card as a physical access device (HID and Honeywell can embed coils into the smart card).

    Not to pick, but whenever I see this question it scares me. It typically means that someone is more infatuated with the technology than with really trying to solve a business problem.

    Please, feel free to refute me if you think there is an ROI for smart card logon. I've never seen it.