When it comes to enhancing network security, few things work as well as smart cards. In this article, I’ll introduce you to smart cards. I’ll explain how they work, and I’ll also discuss some techniques that you can use to ensure smart card security in a Windows 2000 environment.
What is a smart card?
If you’ve never heard of a smart card, you’re not alone. Even though some types of cryptography cards, such as the Fortezza card, have been in use by the military for years, cryptography cards have only recently entered the mainstream. In spite of this limited usage, Windows 2000 offers full, rich support for smart cards.
So what are smart cards? Smart cards are, in their simplest form, credit-card-sized digital electronic media. The circuits in smart cards are encased in a plastic shell that’s designed to be tamper-resistant. The card itself is designed to store encryption keys and other information used in authentication and other identification processes. The main idea behind smart cards is to provide undeniable proof of a user’s identity. Smart cards can be used for everything from logging in to the network to providing secure Web communications to providing secure e-mail transactions.
Why use smart cards?
So far, it may seem that smart cards are nothing more than a repository for storing passwords. Aside from benefiting those password memory-challenged folks who forget their passwords on a daily basis, you may be wondering what the security benefits to smart cards really are. After all, what’s to prevent someone from obtaining the proverbial “keys to the kingdom” by stealing a smart card?
Obviously, these are very real concerns. Fortunately, there are safety features built into smart cards to prevent someone from using a stolen card. For starters, smart cards require anyone who’s using them to enter a personal identification number (PIN) before they’ll be granted any level of access into the system. The PIN is similar to the PIN used by ATM machines.
At first, using a PIN may seem like a bad idea. After all, a PIN is nothing more than a small set of numbers. However, in many ways a PIN is actually more secure than a password. To understand why this is the case, think about the nature of passwords. There are basically two types of passwords. First, there’s the type that users pick out themselves. These passwords usually end up being a cat’s name, a child’s name, a popular sports team, or even an obscenity. My personal favorite password story is about a man I once knew who used the name of a different illegal drug each month when he had to change his password. At any rate, these passwords tend to be very insecure because they are often based on common words. Programs exist that can crack a password by attempting to use every word in the dictionary and many common names to figure out the password. Such programs can usually crack passwords such as the ones that I described above in a matter of minutes.
The other general type of password is the kind that’s made up by the administrator and then assigned to the users. These passwords are often a random combination of numbers, uppercase letters, lowercase letters, and symbols. An example of such a password might be 3Ghveddf73r467#$%^. Obviously, this type of password is safe from dictionary-based cracking programs. The only way that a hacker could decipher such a password would be to use a brute force password-cracking program. Such a program uses every possible combination of letters, numbers, and symbols to break the password. Brute force password-cracking programs can take days, weeks, or even months to break the password, depending on how many digits the password contains.
While it may seem that the administrator-assigned passwords are safe, they’re really not. Most users have trouble remembering long, random passwords, especially when those passwords change frequently. Therefore, they tend to write the passwords down. I’ve even seen users tape their passwords to their monitor because they have trouble remembering them. Those users who don’t write the passwords down often place a tremendous burden on help desk personnel because they require frequent resets of forgotten passwords.
Finally, there’s the problem that all passwords have in common. Even a random password that hasn’t been written down is susceptible to being stolen. If you don’t believe me, just consider the Windows 2000 login process. A user enters a password at their workstation and the password is sent across the network to a domain controller, which will then either grant or deny access to the network. Sure, you can encrypt passwords, but even encrypted passwords can be intercepted as they flow across the network.
Another inherent weakness in the standard authentication process is that it’s software-based. Although Microsoft has gone to great lengths to make sure that it’s difficult to monkey around with Windows 2000’s security settings, it’s not impossible to do. Any software can be cracked or modified with enough work. The only truly secure environments are hardware-based.
With that said, let’s look at the smart card authentication process. When a user inserts the smart card into the card reader, the smart card prompts the user for a PIN. This PIN was assigned to the user by the administrator at the time the administrator issued the card to the user. Because the PIN is short and purely numeric, the user should have no trouble remembering it and therefore would be unlikely to write the PIN down.
But the interesting thing is what happens when the user inputs the PIN. The PIN is verified from inside the smart card. Because the PIN is never transmitted across the network, there’s absolutely no danger of it being intercepted. The main benefit, though, is that the PIN is useless without the smart card, and the smart card is useless without the PIN.
This is because the card itself is responsible for the PIN verification process. For example, suppose someone were to steal your PIN. If they tried to use your PIN with their smart card, the PIN would be rejected because as far as their card knows, the PIN is invalid. Now, suppose that someone were to steal your smart card but didn’t know the PIN. The thief might try to guess the PIN or try to use a brute force technique to discover the PIN; however, the card is smart enough to prevent such an operation. After a few consecutive failed PIN entry attempts, the card renders itself useless.
Other security issues
Okay, smart cards sound like a good idea, but there are still some very serious issues that you’ll have to get past before implementing smart cards. First, there’s the issue of a password. As I mentioned earlier, a smart card stores the password that’s actually used for domain authentication. So, if the passwords must still flow across the network before authentication can occur, what’s to stop a hacker from simply stealing a conventional password and logging in to the network with that password; bypassing the smart card login completely?
First, any passwords that are exchanged between the server and the workstation in smart card environments are encrypted by Kerberos version 5. More important though, you can actually configure Windows 2000 to accept only smart card-based logins. As you’re implementing smart cards on your network, the network can be configured to accept either a conventional, password-based login or a smart card login. Once everyone has been issued smart cards and knows how to use them, there’s no reason not to disable conventional password logins. Therefore, in such a situation, it’s impossible to log in without a smart card.
Of course, there’s always the issue of theft. In and of themselves, smart cards do a good job of creating a secure environment. But how do you further protect your network from smart card theft? One way of doing so is to tell your users to take the smart card with them if they step away from their computer. In fact, some companies have gone so far as to integrate smart cards with photo IDs and electronic keys to secure doors in the building. If the users can’t leave the room without an electronic door key, and the smart card is permanently attached to that key, you can be reasonably sure that they will take the smart card with them when they leave their desk. From the Windows standpoint, you can further increase security by configuring Windows to lock the Desktop if the smart card is removed from the system.
Finally, there’s the issue of remote users. Traditionally, remote users are the least secure of all computer users. That’s because passwords flow, often unencrypted, across public telephone lines. This makes it easy for a hacker to steal a password. However, smart cards can help with this situation.
As you probably know, the machines used by remote users are often laptops. These machines usually function as stand-alone entities except when they are online. The stand-alone nature of such machines means that there’s almost no security, except for the security that’s built into the Windows operating system. Fortunately, you can configure the policy of these remote machines to demand a smart card before the user is allowed to use the machine. If this seems a little harsh for your environment, then another option is to set up your network to require the remote user to insert a smart card before being allowed to log in. Such an arrangement allows the user to use the remote computer without restriction, except when attaching to the network. I should also point out that smart cards work with a variety of Windows-based network clients, not just with Windows 2000. Therefore, if you have remote users who run Windows 98, they can still use smart card security.
Where does the smart card data come from?
After reading this Daily Drill Down, you may be wondering how a smart card gets programmed with such things as passwords, encryption keys, and PINs. After all, you can’t just go to the store, buy a smart card, and expect it to already contain your security data. Instead, smart cards must be programmed by the administrator.
Only a domain administrator can program a smart card. This process is known as enrollment. Furthermore, the enrollment process can be performed only from a dedicated machine. This machine must download an enrollment certificate from the certificate agent. Only a machine with this enrollment certificate can be used to program a smart card. Once the administrator begins the enrollment process, they can program the smart card with a PIN, password, and any digital certificates that the user may require.
In this Daily Drill Down, I introduced the concept of smart card security. I explained how smart cards work and discussed some techniques that you can use to ensure the integrity of your smart card-based security.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.