Smart Card Alliance Smart Card Talk
February 2005 • Volume 10 Number 2


Feature of the Month

Smart Cards and the IT Infrastructure

Virtually every day another news story highlights the importance of network security - corporate networks are breached, databases are accessed by unauthorized individuals, and identities are stolen and used to conduct fraudulent transactions. As a result, both businesses and governments are evaluating or implementing new identity management systems to provide more secure logical access.

Strong authentication for logical access requires the use of multiple authentication factors. Smart card technology - typically used in conjunction with a PIN to unlock the card - is increasingly being used to offer the critical second or third factor of authentication that makes logical access more secure. Since smart cards can also support multiple applications, a single smart ID card can perform multiple functions. For example, the same smart ID card can allow an individual to enter a building securely, log onto the corporate network securely, sign documents securely, encrypt e-mail and transactions, and pay for lunch at the organization's cafeteria. This flexibility makes it easy for organizations to develop a strong business case for smart-card-based access control systems.

Modern desktop operating systems offer a significant level of smart-card-related functionality, through either built-in (out-of-the-box) support or commercial add-on software packages. This article describes the capabilities built into the Microsoft® Windows® operating systems and the freely available Linux operating systems. More sophisticated capabilities are also available from third-party vendors.

Microsoft Windows

The Microsoft Windows family of operating systems has included smart card functionality since the release of Windows 98 and Windows NT® 4.0. This functionality supports three types of operations:

  • Smart card and reader communications
  • Access control
  • Web and e-mail services

Smart Card and Reader Communications

PC/SC. The basic technology for communication between personal computers and smart cards is PC/SC, defined by the PC/SC Workgroup (www.pcscworkgroup.com). PC/SC defines an application program interface (API) that provides software developers with a standard set of tools for managing smart card readers and communicating with readers and cards. The PC/SC interface defines standard interfaces for a variety of smart-card-related operations. The most common are:

  • Enumerating and describing attached smart card readers
  • Requesting information about card and reader states
  • Exchanging commands with cards

Microsoft has implemented the PC/SC API as part of the Win32® API, which is the fundamental toolset for building Windows applications. Microsoft is also a member of the PC/SC Workgroup.

Support for Microsoft's PC/SC implementation is handled as part of Windows operating system support as a whole. Microsoft support contracts are available, as is fee-per-incident support.

Installation of Reader Drivers. Microsoft takes the same approach to installing smart card reader drivers as it does to installing other hardware drivers in the Windows operating system. Reader manufacturers provide device drivers that are installed by the user. After the driver is installed, the reader is visible through the PC/SC API. In addition, a handful of recommended readers are pre-installed with Windows 2000, Windows XP, and Windows 2003.

The complexity of the installation process depends on the hardware connection. Installing and configuring a smart card reader attached to the USB port is straightforward. The user connects the reader to the port, inserts a driver disk (if necessary), and follows the prompts. Readers that connect to the serial port are somewhat more difficult to install, since the operating system cannot automatically recognize the type of attached device. However, the basic process is the same: attach the reader and install the driver.

Microsoft has a Windows logo program for smart card readers, which certifies that the readers have been tested by Microsoft to verify their compliance with Microsoft's implementation of the PC/SC standards. Microsoft recommends that only tested and approved smart card readers be used with Microsoft operating systems. However, most of the manufacturers of non-approved card readers have put considerable effort into ensuring that their hardware is compatible with Microsoft's operating systems, and compatibility problems are rare.

CCID. The Chip Card Interface Device (CCID) specification is an approach to smart card reader communication that is gaining in popularity. The specification defines a standard communication protocol for smart card readers that connect to a computer via USB, allowing the same host-side driver to communicate with any CCID-compliant smart card reader. Microsoft provides a CCID driver through the Windows Update system. All new smart card reader deployments should seriously consider using CCID-compliant readers, both to reduce driver installation issues and to ensure that, in the future, the installed smart card readers can be easily and transparently replaced with any other CCID-compliant reader.

Contactless Smart Card Readers. Through PC/SC and now CCID specifications, contact readers have become very well-standardized and easy to integrate. With the finalization of Revision 2.0 of the PC/SC specification, which is expected to be released shortly, similar support has been introduced for contactless smart card readers. It is recommended that organizations interested in deploying contactless smart card readers use PC/SC-compliant readers.

Communication with Applications. After a smart card reader is installed and configured, an application programmer can use the PC/SC API to exchange commands with a smart card in the reader. PC/SC makes an attempt to hide the complexities of different card-reader communications protocols but does not currently provide a higher level abstraction of different card types. The API provides a communications channel for smart card commands. The structure of these commands is defined by ISO standards, but the meaning of specific commands is largely defined by the manufacturer of the individual smart card. Communicating with smart cards at the application level requires programming skill.

Because command semantics are defined by each unique smart card implementation, applications that wish to operate with different types of cards must determine what type of card is present and adapt to the card's command set. For some applications, like payment using the EMV specification, the command set is standardized, and interoperability is assured by the card vendors. Other applications can accomplish the same effect by using programmable card operating systems, such as Java Card(TM) or MULTOS, so that cards from different vendors can be configured to respond to the same set of application commands.

Application Selection. PC/SC provides automatic application selection. Applications can register with PC/SC, requesting notification when a particular type of smart card is inserted in the reader. The insertion of a card triggers the loading of an application that knows how to use that card.
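As an added example (not code from the article or from the PC/SC Workgroup), the following Python models the two things the text leaves to the application once PC/SC has supplied the command channel: recognising which card is present from its ATR, the way PC/SC's card-type registry matches an ATR against a reference ATR and mask, and encoding ISO 7816-4 command APDUs and interpreting the response status words. The card types, ATRs and application identifier are constructed for illustration; a real application would pass the bytes from `build_apdu` to the PC/SC transmit call.

```python
"""Added example (not from the Smart Card Alliance article or any vendor SDK):
models the two jobs the article leaves to the application once PC/SC has
delivered a raw command channel. Card types, ATRs and AIDs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardType:
    name: str
    atr: bytes   # reference ATR for this card type
    mask: bytes  # 0xFF = byte must match, 0x00 = ignore (e.g. a serial number)


def atr_matches(card_type: CardType, atr: bytes) -> bool:
    """PC/SC-style card-type match: compare only the ATR bytes the mask selects."""
    if not (len(atr) == len(card_type.atr) == len(card_type.mask)):
        return False
    return all((a & m) == (r & m)
               for a, r, m in zip(atr, card_type.atr, card_type.mask))


def identify_card(registry, atr: bytes):
    """Return the name of the first registered type matching the card's ATR, or None."""
    return next((ct.name for ct in registry if atr_matches(ct, atr)), None)


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le=None) -> bytes:
    """Short-form ISO 7816-4 command APDU: CLA INS P1 P2 [Lc Data] [Le]."""
    if not 0 <= len(data) <= 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])  # Le = 0x00 asks for up to 256 response bytes
    return apdu


def parse_response(resp: bytes):
    """Split a response APDU into (data, SW1SW2) and explain the status word."""
    if len(resp) < 2:
        raise ValueError("a response APDU ends with the two status bytes SW1 SW2")
    data, sw = resp[:-2], (resp[-2] << 8) | resp[-1]
    if sw == 0x9000:
        status = "ok"
    elif (sw & 0xFFF0) == 0x63C0:  # ISO 7816-4: low nibble is the PIN retry counter
        status = f"verification failed, {sw & 0x0F} tries left"
    elif sw == 0x6A82:
        status = "file or application not found"
    else:
        status = f"unexpected status 0x{sw:04X}"
    return data, sw, status


# Constructed registry. The zeroed mask bytes on the first type ignore a
# per-card serial number, so one registration covers every card of that type.
REGISTRY = [
    CardType("demo-pki", bytes.fromhex("3B8F800180310000"), bytes.fromhex("FFFFFFFFFFFF0000")),
    CardType("demo-payment", bytes.fromhex("3B6800000073C840"), bytes.fromhex("FFFFFFFFFFFFFFFF")),
]
DEMO_AID = bytes.fromhex("A0000000FF0101")  # constructed application identifier

if __name__ == "__main__":
    print(identify_card(REGISTRY, bytes.fromhex("3B8F8001803112AB")))  # demo-pki
    print(build_apdu(0x00, 0xA4, 0x04, 0x00, DEMO_AID, le=0x00).hex())  # SELECT by AID
    print(parse_response(bytes.fromhex("63C2")))  # wrong PIN, 2 tries left
```

The INS and P1/P2 encodings of SELECT and VERIFY come from ISO 7816-4, but which PIN a VERIFY actually checks, and what the card does with it, is fixed by the card's issuer, which is the manufacturer-defined semantics the text refers to.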

User Authentication

Windows 2000 and Windows XP provide full support for smart-card-based logon and authentication, both to a local machine and to a Windows domain server. The Windows authentication system is built around PKI, using a central certificate authority to issue per-card certificates that are associated with the cardholder's machine or domain username. Microsoft's Internet Explorer and Outlook® applications can also use the certificates on smart cards.

Web and E-mail Services

Many of the Web browsers that run under Windows (such as Internet Explorer and the popular Netscape® and Mozilla families of browsers) can use the smart card as a PKCS#11 token. A PKCS#11 token holds certificates and performs private key operations. The certificate on the smart card can perform client-side certificate-based authentication to a Web server, using the SSL/TLS protocols. In addition, the certificate can digitally "sign" Web forms. Not only does a digital signature provide integrity and authenticate the origin of the form's contents, in some places it can also be a legally binding signature.

Many of the e-mail clients that run on the Windows platform, such as Microsoft Outlook and the e-mail clients integrated into the Netscape and Mozilla Web browsers, can also use smart-card-based certificates to sign and encrypt e-mail messages. Digitally signing an e-mail message ensures that the recipient can trust the identity of the sender - especially important since an e-mail message "from" address can be easily forged. E-mail encryption ensures that only the intended recipient can read a message and any attachments. Since e-mail messages routinely traverse many servers and routers, often over public networks, encryption is necessary when private communications are desired.

Microsoft Outlook supports the S/MIME standard technology for digitally signing and encrypting e-mail messages. S/MIME uses public/private key pairs, embodied in certificates, to perform signing, encryption, and decryption operations. The PKCS#11 standard enables Outlook to use a private key stored on a smart card to perform digital signing and decryption operations. Encryption is performed using public keys stored by Outlook on the user's PC.

File System Encryption

The NTFS file system provided by Windows NT, Windows 2000, and Windows XP offers per-file and per-directory encryption to protect file contents (but not file names). The file encryption keys are encrypted with one or more public keys and stored with the encrypted files. The private key used to retrieve the file encryption key is also usually stored on the local file system but can be stored on a smart card for greater security.

To the user of the system, the encryption and decryption are transparent. Once the system is configured, the user can select files that should be secured. Those files will open only when the smart card is inserted and be inaccessible when the smart card is removed. Accessing and writing to encrypted files is often noticeably slower than the same operations on unencrypted files.

Support Offered by Different Windows Versions

Different versions of the Windows operating system offer different levels of support for smart cards. The newest version, Windows XP, has the best support. It provides all of the features described above and comes with built-in drivers for a good selection of smart card readers. Nearly all other smart card reader manufacturers provide drivers for use with Windows XP.

Windows 2000 also has extensive support for smart cards. The only significant difference between Windows 2000 and Windows XP is in the selection of smart card reader drivers provided out-of-the-box. But again, other reader manufacturers provide drivers that function with this operating system.

Windows NT, Windows ME, and Windows 98 all provide some level of support for smart cards. They provide most of the capabilities described above but do not provide a wide selection of reader drivers. In addition, minor difficulties frequently occur, particularly during the installation process. Windows ME and Windows 98 do not use the NTFS file system and do not provide file system encryption features, nor do they provide smart-card-based logon.

Windows 95 and Windows 95SE provide no built-in support for smart cards. Microsoft has created a module that can be installed to implement smart card support, but the module is notoriously difficult to get working. Currently, Microsoft has formally dropped support for Windows 95, and it is not clear how much longer Microsoft will continue to distribute the smart card support module.

Linux

Smart card capabilities have been available for several years for systems running the Linux operating system. There is no smart card support available within the Linux kernel, but user space tools provide a powerful environment for smart card technology. Most of the smart card work for Linux and other Unix® operating systems is performed by the MUSCLE project (for more information, see www.musclecard.com).

One key difference between the smart card support provided by Linux (or by the various Unix systems) and that provided by Windows is the range of options. The options available from Microsoft are few but complementary. The open source world provides greater choice, but many of the tools, particularly those implementing high-level functionality, overlap with one another. Users of smart card security functions in the open source world must do more research to understand what options are available, but this effort is generally rewarded with a more appropriate and more flexible solution, often with no license fees.

Smart Card and Reader Communications

The central component of the Linux smart card infrastructure is a tool called PCSC Lite. PCSC Lite implements the PC/SC API defined by the PC/SC Workgroup. This implementation provides the same basic tools as the PC/SC implementation in Microsoft's Win32 API.

PCSC Lite. PCSC Lite is open source software, licensed under a BSD®-style license, which essentially gives everyone permission to do anything they like, as long as they pass the license along (see the copyright notice in the PCSC Lite source files for details). PCSC Lite has been ported to many different platforms, including Linux, Solaris(TM), FreeBSD, NetBSD, OpenBSD, Mac OS® X, HP-UX, and Microsoft Windows. Porting it to other operating systems is fairly easy.

PCSC Lite is stable, fast, and easy to use. In fact, some Windows deployments of smart cards have opted to use PCSC Lite, rather than the native Windows PC/SC implementation, because of the transparency and flexibility of PCSC Lite.

Free support for PCSC Lite is available through the project's mailing list, which is also where design and development discussions occur. Questions are often answered within an hour and nearly always within a day or two, often by the PCSC Lite developers themselves. Most installation and development questions can be answered by searching the list archives. Paid support is available from some of the developers of PCSC Lite and can also be obtained from companies who specialize in supporting open source software, such as Red Hat.

Most Linux distributions provide easy-to-install binary packages that automatically install and configure PCSC Lite.

Reader Driver Availability. Many smart card manufacturers provide PCSC Lite reader drivers. When manufacturer-provided device drivers are not available, independently developed drivers often are.

Drivers for a large selection of smart card readers are available at www.musclecard.com/drivers.html. In addition, many smart card readers use compatible chip sets, so readers that are not listed explicitly often work with an appropriate driver. The best approach is to select a reader that is known to have good manufacturer support for PCSC Lite. However, drivers for other readers can often be located through the reader manufacturer or the PCSC Lite mailing list. If necessary, an experienced programmer with the appropriate manufacturer documentation should be able to produce a solid driver in 1 to 2 weeks. Many of the PCSC Lite developers offer driver development services.

Most Linux distributions provide prepackaged and often preinstalled drivers for the most common smart card readers.

CCID. There is a CCID driver for PCSC Lite, so all CCID-compliant smart card readers should work on all platforms supported by PCSC Lite.

User Authentication

The MUSCLE project provides the tools required to implement smart-card-based logon and other authentication for any operating system that uses the Pluggable Authentication Modules (PAM) system for authentication. These systems include Linux and most Unix operating systems. MUSCLE provides the PAM module, a Java Card applet (for the smart card), management tools, and complete instructions for installing and using the MuscleCard authentication system. Oberthur AuthentIC and Axalto Cryptoflex cards are supported out-of-the-box, as are all other PKCS#11-compliant smart cards.

The MuscleCard system has also been ported to Windows, as a Windows Cryptographic Service Provider Module, enabling the Windows smart card infrastructure to be used with MuscleCard cards.

Web and E-mail Services

The MuscleCard project provides PKCS#11 modules that enable Web authentication and form signing in all of the major Linux, Unix, and Macintosh® Web browsers. The project also provides S/MIME integration for nearly all of the e-mail clients that support S/MIME. Support is provided on any PKCS#11-compliant card or any Java Card through the MuscleCard applet.

In addition, some e-mail clients, like KMail, provide PGP/MIME for digital signing, encryption, and decryption of e-mail messages.

File Encryption

Although Linux includes several tools for file encryption, none provide the convenience of NTFS file encryption. However, tools are available that allow smart cards to unlock any of the Linux-encrypted file systems.

One Linux 2.4 tool, Cryptoloop, transparently encrypts and decrypts an entire disk partition. Configured in one way, Cryptoloop can encrypt an entire system, so that the system will not even boot without presentation of an appropriate password or smart card. Configured another way, Cryptoloop can protect a block of storage within an otherwise unsecured partition. In any configuration, Cryptoloop has the advantage that file names and sizes, as well as file contents, are hidden from unauthorized users. Unfortunately, Cryptoloop's security has been questioned by experts.

With the introduction of Linux 2.6, dm-crypt became the recommended way to achieve transparent file encryption. Like Cryptoloop, dm-crypt works on complete disk partitions or on blocks of storage that act like partitions. dm-crypt has significantly better performance than Cryptoloop and, depending on the encryption cipher chosen, can operate almost as quickly as an unencrypted file system.

In addition to transparent file-system-level encryption tools, tools are available that provide encryption services for single files or file archives. Some of these tools protect file names and sizes as well as file contents, and many of them integrate with smart cards. The user must take steps to encrypt or decrypt each file for use. Although a thorough overview of these tools is beyond the scope of this article, one example, KGPG, provides drag-and-drop file encryption and decryption using the GNU Privacy Guard tool.

Support Offered by Different Varieties of Unix

Nearly all of the smart card functionality described here is available under any of the Unix operating systems, including NetBSD, FreeBSD, OpenBSD, Solaris, HP-UX, Mac OS X, IRIX®, and many others. The only exceptions are Cryptoloop and dm-crypt, which operate under Linux only.

For more information about smart-card-related tools and functions on non-Windows platforms, use any Internet search engine (such as Google) and the PCSC Lite mailing list.

Summary

Smart cards are becoming the preferred method for logical access. With increasing operating system support for smart card integration and wide availability of standards-based smart card readers, smart-card-based strong authentication is practical and cost-effective. Smart cards provide the additional advantage of supporting multiple applications and functions. A smart ID badge allows organizations to support logical access, physical access, secure data storage and other applications with a single ID card. By using smart cards, organizations can improve security, reduce costs and increase end-user convenience.

This article is an extract from the Smart Card Alliance report, "Logical Access Security: The Role of Smart Cards in Strong Authentication," researched and written by the Smart Card Alliance Secure Personal Identification Task Force and published in October 2004. Individuals from 22 member organizations were involved in the development of the white paper. Lead contributors included representatives from Axalto, CardLogix, Gemplus, Honeywell Access Systems (OmniTek), IBM, Identix, Litronic, a SAFLINK Company, Lockheed Martin, MartSoft Corporation, Northrop Grumman Corporation, SafeNet, SCM Microsystems, Smart Commerce, Inc., Sun Microsystems, VeriSign and XTec, Incorporated.

The full report and additional information about smart cards and the role that they play in secure identification and other applications can be found on the Smart Card Alliance web site at www.smartcardalliance.org.

  • All registered trademarks, trademarks, or service marks are the property of their respective owners.
  • BSD is a registered trademark of Berkeley Software Design, Inc.
  • IRIX is a registered trademark of Silicon Graphics, Inc., in the U.S. and/or other countries.
  • Microsoft, Windows, Windows NT, Win32, Outlook are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries.
  • Netscape is a registered trademark of Netscape Communications.
  • OS/2 is a registered trademark of IBM Corporation.
  • Java, Java Card and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
  • Unix is a registered trademark of The Open Group.


Copyright 2004-2005 · Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550
Phone: (800) 556-6828 info@smartcardalliance.org · www.smartcardalliance.org