Windows Insider
Getting Carded
Smart cards can dramatically enhance your organization’s security. Here’s what you need to know.
- By Bill Boswell
- 09/01/2002
“Who are you?”
“I’m Bill Boswell.”
“Oh, yeah? Prove it!”
The demand for proof of identity is as old as humanity itself. In the
footnotes of a paper titled, “From
the Wicked Emerges Wickedness,” Professor Yaakov Klein writes that
peoples in the Ancient Near East used corners from their clothes as identification.
Today, this would result in 35,000 Los Angeles Laker fans being identified
as Kobe Bryant. Something a little more unique and personal is called
for.
In computing, passwords are the primary form of personal identification.
Computers and passwords are like popcorn and salt; they appear inseparable.
But, despite the universal acceptance of passwords, they share the same
fundamental limitation as the corner of a garment: You can’t be sure that
the person using a password is the same person to whom the password was
issued. To get past this limitation, you need two-factor authentication—something
that couples a password with a unique item that can’t be forged, impersonated,
hijacked or bullied into yielding up its contents. The most common form
of two-factor authentication is a smart card.
A smart card, sometimes called a smart token or simply a token, houses
a microchip containing a cryptographic module, I/O processor and a dab
of memory. The cryptographic module generates public-private key pairs,
the Penn and Teller of cryptography. Anything encrypted by one key in
the pair can only be decrypted by the other key in the same pair.
The public key generated by a token can be certified by a Certification
Authority, which issues an X.509 certificate also stored in the token.
Figure 1 shows the certificate and keys stored inside an example token.
A Cryptographic Service Provider (CSP) in Windows can use the keys in
a smart card to sign communications digitally between a client and host.
Because every key pair is unique, the digital signature originating from
a particular token is unique.
Figure 1. Keys and certificates stored in a typical smart token.
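The article says that a signature produced with one token's key pair can only be verified by that token's public key, which is what makes the signature unique to the card. The following PowerShell is an added illustration of that property, not code from the article: it uses the .NET RSA class in software to stand in for two tokens. A real smart card never releases the private key; the chip performs the signing operation internally and only the public key leaves the card in its certificate. The message bytes are a constructed sample.

```powershell
# Added example (not from the article): two key pairs stand in for two tokens.
# Only the public half of the signing key verifies the signature, so a signature
# from token A can neither be verified with token B's key nor forged by token B.

function New-SigningKeyPair {
    # Fresh 2048-bit RSA key pair; in a real deployment the card's cryptographic
    # module generates this and the private half never leaves the chip
    [System.Security.Cryptography.RSA]::Create(2048)
}

function Get-Signature {
    param(
        [System.Security.Cryptography.RSA]$PrivateKey,
        [byte[]]$Data
    )
    # Sign SHA-256 digest of the data with PKCS#1 v1.5 padding
    $PrivateKey.SignData(
        $Data,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-Signature {
    param(
        [System.Security.Cryptography.RSA]$PublicKey,
        [byte[]]$Data,
        [byte[]]$Signature
    )
    # Returns $true only if the signature was made over this data by the
    # private key matching $PublicKey
    $PublicKey.VerifyData(
        $Data,
        $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# Two "tokens", each with its own key pair
$tokenA = New-SigningKeyPair
$tokenB = New-SigningKeyPair

# Constructed sample message standing in for the signed logon data
$message = [System.Text.Encoding]::UTF8.GetBytes('logon request from token A (constructed sample)')
$signature = Get-Signature -PrivateKey $tokenA -Data $message

# Export only the public half of token A, as its certificate would carry it
$publicA = [System.Security.Cryptography.RSA]::Create()
$publicA.ImportParameters($tokenA.ExportParameters($false))

# Check 1: matching public key over the original data
Test-Signature -PublicKey $publicA -Data $message -Signature $signature

# Check 2: a different token's key over the same data and signature
Test-Signature -PublicKey $tokenB -Data $message -Signature $signature

# Check 3: the right key, but one bit of the data flipped in transit
$tampered = [byte[]]$message.Clone()
$tampered[0] = $tampered[0] -bxor 1
Test-Signature -PublicKey $publicA -Data $tampered -Signature $signature
```

Only the first check succeeds; the second and third fail. The second failure is the uniqueness the article describes (another card's key cannot stand in for the signer), and the third is why a signed authentication exchange also resists tampering on the wire.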
Here’s where two-factor authentication comes into play. The processor
in a smart card also stores a personal identification number (PIN). The
user must enter the PIN to obtain access to the keys stored in the card.
This makes smart card authentication dramatically better than a simple
password because a bad guy must both steal a user’s smart card and know
the PIN. A typical smart card locks up if the wrong PIN is entered more
than three times, so guessing the PIN is generally infeasible. Locked
cards can only be unlocked by someone who knows the administrator PIN.
If the incorrect administrator PIN is entered too many times, the card
is rendered useless until the contents are wiped.
Smart cards give you a level of accountability that is otherwise lacking
in standard password authentication. A user cannot deny having performed
a particular activity, claiming, “Someone must have stolen my password.”
You can set group policies that force a logoff (or lock the workstation)
if the smart card is removed. This prevents a user from being actively
logged on at multiple locations. You can also use smart cards to authenticate
dial-in and VPN connections.
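The removal policy the article mentions is a Winlogon setting that the Group Policy security option "Interactive logon: Smart card removal behavior" writes to the registry. The PowerShell below is an added example, not from the article, that audits the local value and tightens it; the registry path and the ScRemoveOption value are the ones Winlogon reads, and the SCPolicySvc service check applies to Windows Vista and later, where that service must be running for the setting to take effect. On a domain member, prefer setting this through Group Policy so it is enforced centrally rather than writing the value directly.

```powershell
# Added example (not from the article): audit and set the smart card removal behaviour.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# REG_SZ values Winlogon understands for ScRemoveOption
$RemovalBehaviour = @{
    '0' = 'No action'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect remote desktop session'   # later Windows versions only
}

function Get-SmartCardRemovalBehavior {
    # Reads the current setting; an absent value means the default, no action
    $item  = Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [string]$item.ScRemoveOption } else { '0' }
    $text  = if ($RemovalBehaviour.ContainsKey($value)) { $RemovalBehaviour[$value] } else { 'Unknown' }
    [pscustomobject]@{ Value = $value; Description = $text }
}

function Set-SmartCardRemovalBehavior {
    # Accepts only the two settings that protect an unattended session
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Lock workstation', 'Force logoff')]
        [string]$Behavior
    )
    $code = if ($Behavior -eq 'Lock workstation') { '1' } else { '2' }
    # Needs an elevated session; the value is REG_SZ, so it is written as a string
    Set-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -Value $code -Type String
    Get-SmartCardRemovalBehavior
}

# Audit: a machine that takes no action on removal leaves the session open
$current = Get-SmartCardRemovalBehavior
if ($current.Value -eq '0') {
    Set-SmartCardRemovalBehavior -Behavior 'Lock workstation'
}

# On Vista and later the Smart Card Removal Policy service must be running,
# or Winlogon ignores the setting regardless of the registry value
$svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
if ($null -ne $svc -and $svc.Status -ne 'Running') {
    Write-Warning 'SCPolicySvc is not running; the removal policy will not be enforced.'
}
```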
Deploying Smart Cards
Smart cards have an undeserved reputation for being complex to
manage, expensive to deploy and finicky to use. In practice, if you’ve
already deployed a Windows 2000-based Active Directory domain, you can
configure your system for smart card authentication with very little pain.
As you consider how best to use smart cards in your system, read through
the “Smart Card Deployment Cookbook” in Microsoft TechNet, http://microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/smrtcard/smrtcdcb/DEFAULT.asp, and the excellent
book Planning for PKI by Russ Housley and Tim Polk (Wiley Computer
Publishing). These detailed references can be a little daunting, but don’t
let the convolutions of public key infrastructure (PKI) management discourage
you from using smart cards. Setting up a system for smart card authentication
isn’t as much trouble as you might think. Here’s a quick checklist:
- Select a suitable smart card vendor.
- Install a PKI with Certificate Authority servers capable of issuing
certificates for the public keys generated by smart cards, a process
called enrollment.
- Distribute the vendor’s smart card readers and reader software to
client desktops and laptops.
- Enroll each user by issuing a smart card with a unique key and certificate.
Selecting a Smart Card Vendor
OK, so you’ve decided to take the plunge and deploy a smart card
solution. Start your search for a vendor at the Smart Card Hot List, www.andreae.com/hotlist.htm.
Most vendors sell an evaluation package with a reader, software and a
couple of cards for around $100. As you evaluate products, keep these
criteria in mind:
- PC authentication. Many smart cards, especially the Java-based
cards, have a variety of uses that don’t include authentication. Commonly
used solutions include GemSAFE cards from Gemplus, www.gemplus.com/; Cryptoflex
cards from SchlumbergerSema, www.cryptoflex.com/;
iKey tokens from Rainbow Technologies, www.ritlabs.com;
SecurID tokens from RSA Security, www.rsasecurity.com;
and ActivKey cards from ActivCard, www.activcard.com/activ/index.html.
- Compatibility. The clients in your network must have the correct
Cryptographic Service Provider (CSP) to communicate with the processor
on the smart card. In general, this means installing additional software
at each desktop. Vendors are starting to simplify this task by packaging
their CSP drivers into a Windows Installer bundle (an .msi file). When
you install the drivers, the standard logon window changes slightly
to include an icon for a smart card reader. Figure 2 shows an example.
Figure 2. The Windows logon window is changed slightly following installation of smart card drivers.
- PKI integration. Although you can use third-party PKI products
to support Windows smart card authentication, the process is much simpler
if you deploy a Win2K-based PKI where the necessary enrollment information
is published in AD. If you already have a third-party PKI, you can still
deploy a Windows PKI that is subordinate to the third-party solution.
Refer to the Microsoft white paper “Public Key Interoperability,” http://microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/security/pkintop.asp, and documentation
from your PKI vendor.
- Active Directory integration. Make sure the smart card solution
you choose takes advantage of AD’s ability to store cryptographic information
for users. This avoids deploying proprietary servers with unknown vulnerabilities.
- Kerberos integration. Some smart card solutions have their
own authentication systems that require additional training and planning
for unforeseen exploits. The most desirable smart card solutions rely
on native Win2K/XP Kerberos for exchanging digitally signed authentication
information inside ticket-granting tickets.
- FIPS 140-1 and 140-2 certification. Federal Information Processing
Standards (FIPS) document FIPS 140-2, Security Requirements for Cryptographic
Modules, defines a stringent set of criteria for vendors who sell cryptographic
products. This document is available at csrc.nist.gov/cryptval/140-2.htm.
An independent testing lab must validate that a product meets the FIPS
140-2 requirements. The National Institute of Standards and Technology
(NIST) maintains a list of cryptographic vendors and their products
that have passed FIPS 140 testing. This list is available at csrc.nist.gov/cryptval/140-1/1401val.htm.
(FIPS 140-2 recently superseded FIPS 140-1, and only a few vendors have
certified their products to the new 140-2 standard.)
- Form factor. A standard smart card takes the form of a credit
card-sized package that’s inserted into a reader connected to the PC
via a parallel or USB port or a PCMCIA card. Rainbow Technologies and
ActivCard house their smart token inside a small USB dongle that doesn’t
require a reader. Either form factor ends up costing around $80 to $100
per node to deploy.
Smart Card User Enrollment
To enroll a user, you must obtain a Smart Card Enrollment Agent
certificate from your Certificate Authority. This certificate must be
installed on the machine you use to do the user enrollments. The steps
for this process are detailed in the Smart Card Deployment Cookbook.
You must also prepare the smart card. Every vendor supplies a utility
for managing smart card properties, such as setting the user and administrator
PIN, unlocking the card after a user has repeatedly submitted an incorrect
PIN, managing stored certificates and so forth. It’s not unusual to find
that a vendor’s smart card and CSP are compatible with Windows XP but
the utility requires Win2K or even Windows NT. Figure 3 shows a typical
card management utility window.
Figure 3. A typical smart card management utility interface, this one from SchlumbergerSema.
It’s extremely important that you assign a unique user PIN when initializing
a smart card. The default PINs from all manufacturers are well-known.
An eight-character PIN is generally sufficient. Tightly control the administrator
PIN. Make it complex and give it only to selected, trustworthy individuals.
If the administrator PIN becomes known, your smart card deployment is
compromised. You’d be forced to remove all smart card credentials from
AD and re-enroll all users.
Once the card’s been prepped, the user is enrolled using a Web-based
enrollment page from a Win2K Certificate Authority server. The URL is
http:///certsrv. At the welcome page, click Request a Certificate.
At the Request a Certificate page, click Advanced Certificate Request.
At the Advanced Certificate Request page, click the option that starts
Request a Certificate for a Smart Card. The Smart Card Certificate Enrollment
Station page opens. Figure 4 shows an example.
Figure 4. Smart card enrollment page from a Windows 2000 Certificate Authority server.
Once you enroll a user, test the smart card logon. Insert the smart card
into the reader or the USB dongle into the USB port. Winlogon realizes
you’re using a smart card rather than a standard password and contacts
the appropriate Cryptographic Service Provider to display a PIN window,
as shown in Figure 5. The CSP validates the PIN and permits access to
the keys, which are then used along with Kerberos to authenticate the
user. Within a few seconds, the desktop appears.
Figure 5. The PIN window in a smart card logon process.
Say Good-bye to Passwords, Almost
After you deploy a smart card to a user, the User object in AD
still has a copy of the user’s old password. As part of your smart card
deployment, you should change the user passwords to long, complex values
that aren’t recorded anywhere. This accomplishes two things: It prevents
the users from bypassing the smart card logon process by entering a password,
and it foils password dump-and-crack programs that prey on simple passwords.
Additional Information
For more about smart card installation, read Roberta Bragg’s two-part column on the topic in the September and October 2000 issues. Also check out Roberta’s rundown on biometric products in the June 2002 issue.
A 14-character password consisting of upper/lowercase letters, numbers
and special characters will defeat a password cracker. You may want to
use a password generator such as Random Password Generator Expert from
SoftDemon at www.softdemon.com.
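The article's recommendation is to replace each enrolled user's password with a long, complex value that is never recorded, so the password cannot be used to sidestep the card. The PowerShell below is an added example and not the article's own method or any vendor's tool: it draws a 14-character password containing all four character classes from the .NET cryptographic random number generator and resets the account with it. The Set-ADAccountPassword and Set-ADUser cmdlets come from the ActiveDirectory module (RSAT) and are an assumption about the administration workstation; the SmartcardLogonRequired step is a native account flag the article does not mention, included as a complement to the password reset. The account name at the end is a constructed sample.

```powershell
# Added example (not from the article): randomize the password of an account
# whose owner now logs on with a smart card, and never display or record it.

function New-RandomComplexPassword {
    # Builds a password with at least one character from each of the four
    # classes the article calls for, using a cryptographic RNG throughout
    param(
        [ValidateRange(8, 128)]
        [int]$Length = 14
    )

    $classes = @(
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'abcdefghijklmnopqrstuvwxyz',
        '0123456789',
        '!@#$%^&*()-_=+[]{};:,.?'
    )
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform index below $n via rejection sampling, so no character is favoured
    $pickIndex = {
        param([int]$n)
        $buf   = [byte[]]::new(1)
        $limit = 256 - (256 % $n)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $buf[0] % $n
    }
    $pick = { param([string]$set) $set[(& $pickIndex $set.Length)] }

    # One guaranteed character per class, the remainder from the full set
    [char[]]$chars = foreach ($c in $classes) { & $pick $c }
    $chars += 1..($Length - $classes.Count) | ForEach-Object { & $pick $all }

    # Fisher-Yates shuffle so the guaranteed characters are not always first
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $pickIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

function Set-SmartCardUserPassword {
    # Resets the account to a random password that is never shown or logged
    param([Parameter(Mandatory)][string]$SamAccountName)

    $plain  = New-RandomComplexPassword -Length 14
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

    # Complement not covered by the article: mark the account as requiring the
    # card for interactive logon, so the password cannot be typed at the console
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true

    Remove-Variable -Name plain, secure
}

# Constructed sample account name; run once per enrolled user
Set-SmartCardUserPassword -SamAccountName 'jdoe'
```

Because the plaintext exists only inside the function and is discarded, nobody can later "look up" the password, which is the point of the exercise; if the user ever needs password-based access again, reset it deliberately rather than trying to recover the old value.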
The password situation isn’t as simple for administrators. Ordinarily,
an administrator doesn’t want to log on with full admin privileges. Win2K
has a Secondary Logon feature that uses the RunAs command (or a GUI equivalent)
to submit alternate credentials, but RunAs doesn’t currently support smart
card authentication. Neither does the NET USE command commonly used to
map drives to network shares using alternate credentials. This deficiency
is fixed in XP and .NET.
Do You Really Need This?
If all this seems like a lot of work and expense, you might want
to consider that recovering from an intrusion caused by inadequately controlled
passwords often involves even more work and expense. The day is rapidly
approaching when we’ll look back at the era of simple password authentication
with the same bemusement that we get from watching a game of Pac-Man or
finding a 5 1/4-inch floppy disk in a junk drawer. You should at least
set up a smart card solution in a lab and get accustomed to using it.
You might also want to look at biometric authentication systems, such as
fingerprint scanners and facial recognition solutions, that can be combined
with smart cards to avoid PINs.