
Use smart cards for flexible, secure authentication

Smart card technology is catching on. Find out how this technology might fit in to your organization by reading this primer by Debra Littlejohn Shinder.


Because they provide a flexible, secure way to authenticate user information, smart cards have become the latest rage in computer and network security. Memory chips and/or processors embedded in the smart card allow data to be stored and manipulated, which means the cards can be used for logon authentication in a variety of arenas including banking and phone services and computer networks. Smart cards also provide an extra layer of security over other authentication techniques, because users must know a password or PIN and must have the actual card to gain access.

To help you understand if and how this technology can fit into your organization, I'll explain the basics of smart card technology. I will cover smart cards’ use for security, the hardware and software involved, and how smart cards can be used with Microsoft and UNIX technologies.

Smart card overview
To learn more about the history of smart cards and what components make up an actual smart card, check out this sidebar.


Why smart cards are growing in popularity
Smart cards are used in dozens of ways around the world. In many countries, they are popular for banking (debit cards) and pay phone access. Satellite TV receivers (such as DirecTV) use smart cards to identify subscribers and their subscription levels to the satellite network. In all these cases, smart cards are used for some sort of authentication: They verify that the user of a bank account, phone card, or satellite dish is indeed authorized to access that service.

Then why not use these cards to provide an extra level of security in logging on to a computer network? That idea is catching on. Smart cards have become commonplace in high-security networking environments because:
  • They offer an added layer of security. Intruders cannot just guess a user’s password and gain access to the network; they must also possess the physical card.
  • They provide multilayer security. The smart card alone won’t give you access to the network; in most cases, you must enter a PIN and insert the card into a reader.
  • They are tamper-resistant. Because they are self-contained and don’t depend on external resources, it is more difficult for a hacker to compromise their security.
  • They are flexible. In many cases, the PIN can be changed (by an authorized user) for added security.
  • They are relatively inexpensive when compared to other high-security authentication methods such as biometric devices (fingerprint readers, retina scanners, iris scanners, etc.).

How smart card authentication works
Smart cards can store digital certificates for validating a user’s identity to the network. Such digital certificates must be issued by a trusted third party, which can be an entity outside the organization, such as VeriSign, or a certification authority (CA) set up within a company’s private network. For example, a Windows 2000 server on which you install and configure Certificate Services can act as a CA.

Digital certificates are an important part of an organization’s public key infrastructure (PKI). Information that the certificate contains includes:
  • The user’s identification information.
  • The user’s public key (part of a public/private key pair).
  • The issuing entity’s digital signature, which verifies that the certificate was issued by a valid certification authority.
  • A time period for which the certificate is valid or an expiration date.

Smart card certificates are usually requested from a CA by an authorized enrollment agent. Such agents have a special certificate allowing them to both request certificates on behalf of other users and bind these certificates to the smart cards to be issued to the users.

The PIN is set using software provided by the manufacturer of the smart cards. Once a user has a smart card and PIN, two more things are required: a computer running an OS that supports smart card authentication and a smart card reader installed in or attached to the computer or terminal. The user inserts the card into the reader, is prompted to enter the PIN associated with that card, and is permitted to log on.
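The certificate contents and the logon check described above, as an added example that is not from the article: a toy enterprise CA, written in Go with only its standard library, issues a user certificate of the kind an enrollment agent binds to a card, and the logon side verifies the issuer's signature and the validity period. "Corp Enterprise CA", "alice", Ed25519 keys and the one-year validity period are constructed values for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate signed by parent; a nil parent means self-signed (the CA itself).
func newCert(cn string, isCA bool, from time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the subject's public/private key pair
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},      // the user's identification information
		NotBefore:             from,                           // start of the validity period
		NotAfter:              from.Add(365 * 24 * time.Hour), // expiration date
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	// The issuer's signature over identity and public key is what the logon side checks.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyLogonCert is the logon-side check: the card's certificate must chain to the trusted CA and be valid at now.
func verifyLogonCert(cert, trustedCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := newCert("Corp Enterprise CA", true, time.Now(), nil, nil) // constructed names
	alice, _ := newCert("alice", false, time.Now(), ca, caKey)              // cert bound to alice's card
	fmt.Println("logon certificate check:", verifyLogonCert(alice, ca, time.Now()))
}
```

A certificate presented after its expiration date, or one issued by a CA the domain does not trust, fails the same check, which is why the PIN alone is never enough.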

Smart card hardware and software
The smart cards themselves are the hardware component. Cards containing microprocessors also run miniature operating systems; however, these operating systems are proprietary, so one manufacturer’s cards aren't compatible with those of other manufacturers.

An emerging standard is a more generic, Java-based operating system, which will allow for standardization and use of Java applets that can run on the cards of different manufacturers.

JavaCards
Schlumberger, a popular manufacturer of smart cards, markets the JavaCard, which allows developers to take advantage of this technology. See JavaWorld for more information on the use of Java with smart cards.

The second piece of hardware that you need to deploy smart card authentication is a smart card reader. Readers come as add-on peripherals or, in some cases, as components integrated in a PC or terminal.

Add-on smart card readers
Readers attached to the computer as an add-on peripheral are probably the most common type today. A reader can connect through the PC’s serial port or, for laptops, via the PC Card (PCMCIA) slot. More conveniently, newer readers can connect to the computer’s USB port or a USB hub. USB readers can communicate with the card at speeds up to 115,200 bps. (Older serial readers were limited to 9,600 bps, but newer Plug and Play devices can also achieve speeds up to 115,200 bps.)

USB support for card readers
PCs running Windows 95 or NT can't support USB, so you’ll need a smart card reader with a serial connector for those systems. Windows 98, Me, 2000, XP, and .NET do support USB. Linux drivers are available for some USB readers, such as the OMNIKEY CardMan.

Readers vary in cost, from under $40 to over $200 for smart card readers that are integrated with biometric devices such as fingerprint scanners.

Also technically classified as an add-on peripheral, a keyboard with a built-in smart card reader is made by several different manufacturers, including Compaq. Ankari makes a combination smart card reader/fingerprint scanner called the BioMouse Plus.

Integrated smart card readers
Security experts predict that in the future, many PCs will come with smart card readers installed. Internal readers are available. An example is the CHIPDRIVE, which can be installed in a floppy drive bay and connected to an ISA slot.

Thin client devices such as the Sun Ray terminal (for access to UNIX applications) and Acer’s Windows-based terminal come with built-in card readers. You will need special software installed on the server to use smart cards with Windows NT or 2000 terminal services; however, the new .NET terminal server includes support for smart card logon.

Smart cards and Microsoft technologies
Microsoft’s increasing focus on enterprise networking and security seems to have led to more evolved smart card support. Windows 2000, XP, and .NET all have built-in support for smart card authentication.

While smart card readers are available with drivers for Windows 95, 98, and NT, those operating systems don't support smart card logins. However, network logins via smart cards can be implemented using special software such as Sphinx.

Smart card support in Windows 2000
Windows 2000 was the first Microsoft operating system with built-in support for smart card authentication; however, smart card login to a Windows 2000 terminal server was not supported. If you use a supported card type (GemSAFE or Schlumberger Cryptoflex), no special configuration is necessary. You install a card reader in the machine, insert your card (which has been configured with a certificate issued by a valid CA), enter your PIN, and log in.

Windows 2000 includes drivers for a number of card readers. If your reader is supported, its driver will be in the Driver.cab file, which is installed by default in the WINNT\Driver Cache\i386 directory. When you attach the reader device and restart your computer, and then log in with an account that has administrative privileges, the installation of the driver will automatically begin. If the device isn't supported, you can install its driver manually using the Add/Remove Hardware wizard.

Smart card support in Windows XP and .NET
Windows XP and .NET include the same basic smart card support as Windows 2000, with some improvements. The .NET standard and enterprise servers, like Windows 2000 servers, can be configured as CAs that issue smart card certificates through a feature called the Smart Card Enrollment Station. The enrollment station is installed automatically when you install certificate services and configure the server as an enterprise CA. Domain administrators can use the enrollment station to set up smart cards for other users.

Any Windows 2000, XP, or .NET computer can be used as an enrollment station. It must have a smart card reader installed and you must log on with enrollment agent privileges. You also must prepare the enrollment station by installing the enrollment agent certificate.

Smart card support in .NET Terminal Services
A big improvement to smart card support in .NET is the ability to use smart cards with X.509v3 certificates installed to log in to the domain via Windows Terminal Services, using the Remote Desktop Connection (RDC) interface.

This is done by smart card device redirection. You can also configure group policy to not allow such device redirection.

RDC
For more information on the Remote Desktop Connection interface, check out Deb’s article "Update Terminal Services with Windows XP's Remote Desktop Connection."

Smart cards and UNIX-based systems
Smart card readers are also available for Linux and other UNIX-based operating systems. Schlumberger and Towitoko smart card readers provide hardware and software for using smart cards with Linux.

An organization called M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) provides drivers and other smart card support for UNIX-based operating systems, including Linux, Sun Solaris, and the Macintosh OS X. Their Web site includes downloadable software such as PC/SC Lite for UNIX SRC, which allows you to port Windows-based smart card software programs to other operating systems.

You can also sign up for the Linux/Smart Card Mailing List, which is also devoted to smart card development under Linux.

Smart card standards
The International Organization for Standardization (ISO) has issued ISO 7816, which defines smart card specifications at the physical layer and for lower level protocols but doesn't regulate higher level programming standards.

ISO standard 7816
ISO standard 7816 governs the international specifications for smart cards. This covers the physical characteristics of cards, the positions of contacts on the card, and the protocols and signaling used.

There are two major sets of standards or specifications governing smart card implementation at these higher levels: PC/SC and the OpenCard framework.

The PC/SC standard
The PC/SC Workgroup was formed to set standards for smart card implementation. It released version 1.0 of its specifications in 1997. Core members of the PC/SC Workgroup include Microsoft, Apple, Hewlett-Packard, Intel, and smart card manufacturers Schlumberger, Gemplus, and Bull. Microsoft has an approval program that certifies the PC/SC compatibility of products for Windows operating systems. PC/SC support is built in to Windows 2000.

PC/SC is built on eight specifications governing the physical characteristics of cards and readers as well as application programming. As its name suggests, PC/SC is focused on the PC platform.

The OpenCard standard
An industry consortium that includes IBM, Sun, Netscape, and again Gemplus, Schlumberger, and Bull, along with other major companies, developed the OpenCard framework to provide a standard architecture and set of APIs for smart cards that span different platforms and promote interoperability between the products of different manufacturers. Because OpenCard is based on Java and is not operating system dependent, it is designed to work with a variety of operating systems, including Microsoft Windows, IBM AIX, and Linux.

OpenCard focuses primarily on specifications that are not addressed by PC/SC but are specific to portability and interoperability.

For more information about the OpenCard standard, see the OpenCard Web site.

For a technical paper on the architectures of both PC/SC and OpenCard, how they differ, and how they can work together, see this IBM white paper.

Conclusion
Smart cards have become an accepted authentication technology for many organizations. They provide extra security through the cards and PINs, and are flexible enough to be used as banking debit cards, in satellite TV receivers, and for computer network authentication. This overview gives only a broad view of the technology's many uses.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...
