Security with Smart Cards

Smart cards are credit card–sized plastic cards that contain integrated circuit cards. Smart cards are tamperproof and can be used to store users' certificates and private keys. Smart cards can perform sophisticated public key cryptography operations, such as digital signing and key exchange.

You can deploy smart cards and smart card readers to provide stronger user authentication and nonrepudiation for a range of security solutions, including logging on over a network, secure Web communication, and secure mail.

Benefits of Smart Cards

The benefits of using smart cards include the following:

• Because private keys are stored on the tamper-resistant smart card rather than on a less secure medium such as the user's hard disk, smart cards provide stronger security for user authentication and nonrepudiation.

• Because cryptographic operations are isolated from the operating system, smart cards are not susceptible to attacks on the operating system (such as buffer overflow attacks and memory dump attacks,which might reveal private keys or other cryptographic secrets).

• Because logon credentials accompany the user, you can issue a single smart card to each network user to provide a single set of logon credentials for logging on to local and remote networks, which can reduce the cost of administering separate user accounts for logging on to a network and logging on remotely.

In addition, logging on with a smart card provides much stronger security than other types of network logon processes that depend on traditional passwords. Furthermore, because the administrative support that is required to manage user passwords is a significant cost for most large organizations, you can deploy smart cards to reduce the cost of supporting users who forget their passwords or let their passwords expire. Smart cards use personal identification numbers (PINs) rather than passwords. The smart card is protected from misuse by the PIN, which is known only to the smart card's owner. To use the smart card, the user inserts the card in a smart card reader that is attached to a computer and, when prompted, enters the PIN. The smart card can be used only by someone who possesses the smart card and knows the PIN.

Personal Identification Numbers vs. Passwords

PINs offer significantly more protection than standard network passwords. Passwords (or derivations such as hashes) travel on the wire and are subject to brute-force attacks (key search attacks, in which an attacker tries all possible password combinations until he or she finds the password. Passwords are also subject to dictionary attacks, in which an attacker tries known words in the dictionary and numerous common password names in an attempt to guess the password. Because most users prefer easily remembered passwords, dictionary attacks are often a shortcut to finding a password in significantly less time than brute force attacks would take to find the same password. Therefore, the strength of a password depends largely on how long the password is, how well it is protected from being revealed by the owner, how well it is protected if it is "sniffed" on the network, and how hard it is to guess. Even good passwords that are protected by cryptography on the wire and are not subject to dictionary attacks can be broken by brute force in a few weeks or months by an attacker who sniffs the password on the wire.

In contrast, PINs never travel on the network, so they cannot be sniffed. In addition, dictionary attacks or brute-force attacks can be attempted only by someone in physical possession of the card. However, even when an attacker has the card in his or her possession, the smart card locks after only a few failed attempts by the attacker to guess the PIN. So dictionary attacks and brute-force attacks on smart cards are not feasible even then.

Another benefit of smart cards is that policies for PINs can be less restrictive than policies for network passwords. In general, good network passwords have to be changed often and require long, complex composition. Because users are more likely to write down their long, hard-to-remember network passwords, network security is weakened. Good PINs, however, can be changed infrequently and can be relatively short. Because users are more likely to remember their short PINs, network security is less likely to be broken by a misplaced written PIN.

Network Smart Card Logon Process

Windows 2000 supports logging on with a smart card for the network logon process by using extensions to the Kerberos v5 protocol. For logging on to a network, users usually press CTRL+ALT+DEL to initiate the Windows 2000 secure logon sequence. When the smart card logon process is enabled, a user inserts the smart card to initiate the Windows 2000 secure logon sequence. The user is then prompted to enter the PIN for the smart card. If the user's PIN and smart card credentials are valid, the user is logged on and granted rights and permissions for the user account.

When an administrator enrolls for a smart card logon certificate on behalf of the user, Windows 2000 automatically maps the smart card certificate to the user's account in Active Directory. Therefore, smart card certificates for logging on to the network must be issued by a trusted enterprise CA.

If you deploy smart cards for logging on to the network in a domain and allow some users to log on without smart cards (for example, with CTRL+ALT+DEL for Windows 2000–based clients or with NTLM for clients based on Microsoft® Windows® 98 and Microsoft® Windows NT®), the security of the network becomes only as good as the weakest password in the system. For maximum network logon security, deploy Windows 2000 and smart cards for all users and require that smart cards be used for logging on to all computers in your domains, including logging on from a remote location.

Note

You can use smart cards for logging on to computers even when the computers are offline and disconnected from the domain. When computers are configured for the smart card logon process, the smart card is used to authenticate users when they log on to a local computer or a network. Therefore, you can deploy smart cards for portable computers that are used by mobile users without requiring either separate logon credentials or separate logon processes for online and offline operation.

Remote Access Logon Process

Windows 2000 Server includes routing and remote access services to authenticate remote access network users. Routing and Remote Access supports smart card logon authentication by using the EAP-TLS extension of the Point-to-Point Protocol (PPP). When EAP-TLS is enabled, a remote access user is prompted to insert the smart card and enter the PIN during network logon authentication. If the user's PIN and smart card credentials are valid, the user is logged on and granted rights and permissions for the appropriate network user account. For more information about EAP-TLS, see "Internet Authentication Service" in the Microsoft ® Windows ®  2000 Server Resource Kit Internetworking Guide .

Other Smart Card Applications

A variety of third-party vendors manufacture Personal Computer Smart Card (PC/SC)–compliant smart cards and smart card readers that work with computers that are running the operating systems Windows 2000, Microsoft® Windows® 95, Windows 98, or Windows NT version 4.0. You can deploy smart cards and smart card readers in your organization to provide stronger security for Web communication, Web site access, and secure e-mail by using smart card–aware applications.

Smart card–aware applications, such as Microsoft Internet Explorer 5 and Outlook 98, can use smart cards to perform public key cryptography operations. For example, Internet Explorer can use smart cards to authenticate users for secure SSL and TLS communication sessions on the Web. Outlook 98 can use smart cards to perform S/MIME operations for secure mail.

Third-party vendors provide a variety of smart card applications that might meet your needs. For example, some third-party vendors provide code-signing applications that use smart cards to digitally sign software by using Authenticode technology. You can also build your own custom applications that use smart cards. For example, you can develop your own code-signing application to sign code by using smart cards.

Note

Some third-party file encryption products support smart cards. EFS, however, does not support smart cards because EFS is designed to work transparently without the need for user interaction.

Smart Card Enrollment

You can use Certificate Services Web pages and the Smart Card Enrollment Station (available from the Advanced Certificates Request Web page) to issue smart card certificates on behalf of users. Security administrators can centrally issue and manage the smart card program to provide a high level of network user assurance. If you allow users to request their own smart card certificates, it weakens the overall security provided by smart cards.

You can choose to allow smart card certificates to be renewed automatically for Windows 2000–based clients. However, to ensure the highest levels of network security, some organizations might want to re-issue smart cards and PINs on a periodic basis. PINs can be changed only when smart card certificates are issued or renewed by the smart card CSP.

For more information about the Smart Card Enrollment Station, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.

Smart Card Compatibility

Windows 2000 supports Plug and Play smart cards and smart card readers that have been authorized to display the Microsoft "Designed for Windows" logo. The "Designed for Windows" logo ensures that smart card products work in Windows 2000, and ensures interoperability between smart cards and smart card readers from different vendors.

Microsoft provides drivers and support for a variety of Windows-compatible logo smart card readers. Some vendors might provide drivers for noncompliant smart card readers that do not work with the smart cards of other vendors. Some vendors might also provide noncompliant smart cards that do not work with the smart card readers of other vendors. To ensure maximum continuing support and interoperability of smart cards and smart card readers, it is recommended that you deploy only Windows-compatible logo smart cards and smart card readers with Windows 2000.

For more information about the "Designed for Windows" logo program, see the Microsoft Hardware Testing link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources . For the list of currently compatible smart card products, see the Microsoft Windows Hardware Compatibility List link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources .

Smart Card Options

When you design your public key infrastructure and plan the deployment of smart cards, you have the option of doing any of the following to create a secure system.

Force Users to Use the Smart Card Logon Process    Allowing the CTRL+ALT+DEL secure logon sequence for smart card users defeats the purpose of using smart cards. During the transition to smart cards, you must enable both logon methods until users are trained and the smart card logon process has been tested for your domains. Thereafter, however, you can configure individual user accounts (but not security groups) so that the CTRL+ALT+DEL secure logon process is disabled and users are forced to use their smart cards to log on to their computers. To configure individual user accounts, use the Active Directory Users and Computers console (a snap-in to MMC).

Force Systems to Lock Upon Removal of the Smart Card    When a user walks away from a computer with an active logon session and the user fails to secure the computer by logging off or locking the computer, an intruder might use the computer for malicious purposes. If you are requiring the use of smart cards for logging on to computers, you can force the systems to lock when users remove their smart cards from the readers. Use this option as necessary to meet your security needs, especially when computers are used in an environment with easy access by the public. You can configure Security options under Security Settings in Group Policy to force groups of computers to lock upon the removal of smart cards.

Combine Smart Cards and Employee Badges    Many organizations issue card keys and identification badges to their employees. You can add employee card keys and photographs to smart cards to provide a single solution for both building and network access. Such combination cards can be used to grant physical access to buildings and secure rooms, as well as to grant network logon access. Combination cards also can be used for electronic payment debit systems — for example, to pay for employee purchases at the organization's cafeteria or store. For more information about combining card keys and picture badges with smart cards, contact smart card vendors.