10.1 What Are Smart Cards?

Smart cards most often look like credit cards, with the addition of a small set of electronic contacts embedded in the surface of the card. You've undoubtedly seen such contacts, as they're used in a myriad of places such as credit cards, video arcades, and digital satellite receivers. A typical smart card is shown in Figure 10-1.

Figure 10-1. A typical smart card

Smart cards can take other physical forms, too, such as miniature versions that comfortably fit on key chains. USB key fobs that contain a smart card chip are also becoming popular, as they contain both the interface (reader) and the card. All these varieties operate essentially the same. So although this chapter will refer to them generically as smart cards, they may not take the shape of a card at all.

Smart cards provide one of the best means of electronic identity validation currently available. Consider how a user like David Loudon authenticates himself today, probably by using a username and a password. Both of those pieces of information?called factors?are something that the user knows. One of those pieces of information?the username?is a factor almost anyone can discover or deduce, meaning identification must rely primarily on a single factor: the user's password. As you learned in Chapter 2, passwords are subject to compromise by skilled attackers. As a result, the username and password combination is a relatively poor means of identifying users, because it can be easily compromised.

Smart cards, on the other hand, require two different types of factors: something the user has?the smart card?and something the user knows?a personal identification number, or PIN. Smart cards are practically impossible to duplicate, and PINs are easy for users to remember and difficult to guess. A PIN containing only four digits has more than enough complexity to successfully thwart most attackers, and you can require users to select PINs that contain more digits or contain a mixture of digits and letters, like a regular password. A password's vulnerability to attack is mitigated by the fact that the password by itself is useless?anyone seeking to misuse the password must also obtain the physical smart card associated with the password.

The person who has the smart card doesn't have to have the PIN. If the PIN and card are kept by separate people, then only the combination of the PIN (what someone knows) and the card (what someone else has) provide access to the credentials and key kept on the card. This can be a benefit when you want to ensure that some operations must be carried out by a minimum of two people. You can create a user account that requires a smart card for authentication and then assign only that account the rights necessary to perform the operation. You can then give the card to one trusted administrator and the PIN to another (or you can divide the PIN up between administrators for more than two factors!). Now only the combined efforts of those involved will be sufficient to perform the task.

Biometrics: Authentication Based Upon You

Biometrics is another means of identifying users, one that's been around since the days of Star Trek's retinal, voice, or palm scans (depending on the season). Biometrics are rapidly moving from the realm of science fiction into the real world. Several vendors currently offer devices that scan fingerprints, voice prints, and even retinas to verify a user's identity. Figure 10-2 shows a typical fingerprint scanner.

Currently, these methods are still fairly expensive and not completely reliable. A user who scratches his finger might not be able to log on until he sees an administrator to change his on-file fingerprint image. A user with a head cold might not be able to make a voiceprint match. A user with a hangover might stumble in Monday morning and be unable to log on with a retinal scanner. Biometric authentication technology is undergoing major improvements, however, and the equipment is becoming smarter and better able to deal with these types of minor variations.

Numerous other biometric factors are being explored, but all have drawbacks. The number of false positives, for example, must be nearly zero while reducing the number of false negatives to a tolerable value. The best biometric authentication in the world is useless if it requires numerous scans to achieve success.

As always, though, companies continue trying to improve biometric technology. In the near future, more accurate, less expensive devices will be available, making them a viable option for identification on your network. However, smart cards provide additional advantages, such as the ability to force a user to log off when the card is removed, easier replacement of lost or broken cards, and so forth. Smart card readers are also much smaller, making smart cards easier to use for mobile users than bulkier biometric scanners. Finally, smart card technology is inexpensive today and is getting less expensive and more feature-rich every day. Because of their wide acceptance and deployment, smart cards will undoubtedly continue to grow in popularity and functionality. Smart cards do have some disadvantages: they are a physical device that can be easily misplaced or even damaged. Users are much less likely to damage (or lose) their eyes or fingers!

Figure 10-2. Typical fingerprint scanner

10.1.1 How Smart Cards Work

Smart cards use public key cryptography and special additions to the Windows software. Special software?usually included with the smart card reader hardware?replaces or interacts with the graphical identification and authentication (GINA) component in Windows operating systems. You're already familiar with the GINA, although you may not know it by that name: it's the logon dialog box that appears when you press Ctrl-Alt-Delete on a Windows 2000, Windows XP, or Windows Server 2003 computer. The default GINA just asks for a username, password, and domain; the GINA provided with most smart card readers asks users to insert their smart card and type a PIN. Depending on the smart card technology, the standard Windows XP and Windows Server 2003 GINA may provide this functionality without replacement, prompting the insertion of a smart card when the proper device drivers are loaded and functioning.

Once a user inserts the card and types her PIN, Windows builds an authenticator, which it transmits to the smart card. The smart card verifies that the PIN provided by the user is correct and then encrypts the authenticator using the card's embedded private encryption key. The encrypted authenticator is sent back to Windows, where the authenticator is used to complete the logon process. The smart card-encrypted authenticator replaces the authenticator normally used in Kerberos authentication, and the domain controller authenticating the user retrieves the user's public encryption key from your public key infrastructure (PKI) rather than using a shared secret. The process is illustrated in Figure 10-3. For more information on how Kerberos authentication works, see Chapter 7.

Figure 10-3. Smart card logon process

Notice that no passwords are used. The role of the password during authentication is replaced by the PIN. Although the user account must still have a password, it is not used during the process.

The cryptographic operations that require the smart card's private key are done on the smart card itself. The unencrypted data is sent to the smart card and is returned as ciphertext. The card has enough processing power to encrypt or digitally sign data, albeit far slower than most computers. However, this provides one very important security feature: the private key never leaves the smart card. A compromise of a computer does not compromise any data protected with the smart card's private key. Only a compromise of the card itself would break this security, and as I've discussed, that is extremely unlikely.

Whenever the user needs to validate his identity, the credentials obtained by way of the smart card are used to encrypt an authenticator. The smart card itself is not normally accessed for each operation. Once the user has an access token, the smart card is not needed for each authentication operation. Other applications may access the card though, such as a login over Terminal Services or a signing operation that requires the private key on the smart card.

A core component in this process, of course, is the smart card reader. A typical reader is shown in Figure 10-4. The reader contains the electronics necessary to interface with the smart card and communicate with Windows.

Figure 10-4. Typical smart card reader

A disadvantage of many current readers is that their internal electrical contacts slide over the smart card's when the card is inserted. This wear and tear can eventually damage the card's contacts, rendering it useless. Some types of readers keep their contacts out of the way, lowering them into place when the smart card is fully inserted and reducing wear and tear on the card. Fortunately, most smart cards themselves are inexpensive enough that it's no burden to replace them every couple of years, if necessary. The cost comes from management and operations, not from the cards themselves.

The reader is also responsible for notifying Windows of the state of the smart card. For example, whenever the smart card is removed from the reader, the reader notifies Windows. You can configure a computer's local security policy (either on individual computers or by using a Group Policy Object on a set of computers) to lock the computer or log the user off when her smart card is removed. Figure 10-5 shows this policy setting.

Figure 10-5. Configuring the behavior for smart card removal

Typically, you would always want Windows configured to discontinue access whenever the smart card is removed, helping to ensure the security of the computer. This becomes very effective when combined with administrative policy that requires employees to always have physical possession of their smart cards. This will pose a minor inconvenience?say, when a user just gets up to get a drink of water and is forced to reauthenticate on his return. But the reauthentication procedure should take only a few seconds and is simple to accomplish. However, as I've stressed over and over again, you must weigh the usability drawbacks of this security setting against the benefits to determine the best configuration for your environment.

There are times when you might want to continue access when the smart card is removed. For example, you might not require users to use their smart cards to access their client computers, but instead require the card only to access a particular corporate application. In that case, removing the smart card might discontinue access to the application, but not to the computer on which it was running. In addition, many advanced users have more than one computer. Requiring the smart card to remain in the reader of one station makes multiple computer interaction impossible without multiple smart cards, which should never be done.

Smart cards can significantly simplify security for your users. A simple card and an easy-to-remember PIN let them log on and log off, without having to change passwords every 30 days, worry about forgetting a password, and so on. This can also reduce work for your helpdesk support team.

10.1.2 Requirements for Using Smart Cards

Although Windows Server 2003 contains native support for smart cards, you'll need additional hardware and software to actually use them in your environment.

First, you'll need to purchase blank smart cards. A number of vendors offer these at varying prices, currently around $1 to $2 each when purchased in bulk (prices can be somewhat higher for more complex cards). You'll also need to purchase a smart card reader for each computer in your organization. Smart card readers are available in a variety of styles, including some that connect via USB port. Some readers install inside a desktop computer, occupying a 31/2-inch drive bay, as shown in Figure 10-6. You can also purchase smart card readers in a PC Card format, designed for use with notebook computers. The smart card readers should come with driver software that is compatible with the operating system the reader will attach to. Most readers provide drivers for Windows 2000, Windows XP, and Windows Server 2003. The reader's bundled software usually includes a replacement GINA, which I discussed in the previous section. Readers often cost less than $10 each when purchased in sufficient quantities.

Figure 10-6. A typical internal smart card reader

Finally, you'll need to implement a public key infrastructure (PKI) in your environment, which you'll use to issue certificates for recording onto the smart cards. Chapter 9 discusses Windows Server 2003's native PKI capabilities. Your smart card vendor may need to provide additional software to request certificates from the PKI and write them to the smart cards. You can also use a commercial certification authority, although doing so can be significantly more expensive than implementing your own PKI. I discuss the benefits and drawbacks of these types of PKI deployments in Chapter 9.