Setting Up Smart Cards
Before you can use smart cards, you need a PKI, which Win2K provides with Certificate Server and Active Directory (AD). You have a bewildering array of options for how you set up PKI, depending on whether you'll host your own Certificate Authority (CA), outsource it to a provider such as VeriSign, or use a combination of the two.
In this article, I describe the simplest scenario you can implement—one computer serving as the AD domain controller, Certificate Server installed on an enterprise root CA, and one smart card reader. A root CA is the highest in the trust hierarchy. An enterprise CA means that the certificate server will use AD as its data store and thus offer you a host of certificate management features. A standalone CA, which uses a local database instead of AD, is what public Web servers typically use to issue certificates to Internet users.
After you install Win2K as a domain controller running DNS and Microsoft Internet Information Server (IIS), you must install Certificate Server. Go to the Add/Remove Windows Components applet in Control Panel, and select Certificate Services. Install Certificate Server as a root enterprise CA. Other than specifying the name, you can use the defaults on the subsequent dialog boxes. Next, you need to define which types of certificates your new CA can issue. You can use certificates for many purposes, including validating Web servers, encrypting files with Encrypting File System (EFS), and securing email. A certificate template—a management feature of enterprise CAs—defines valid uses for a particular certificate.
Screen 1 shows that I've added templates to my example CA and that I'm about to add the Smartcard Logon template. (You access these templates through the Certificate Authority Microsoft Management Console (MMC) snapin, which is available after you configure Certificate Server.) As their name suggests, Smartcard Logon certificates are limited to logon; Smartcard User certificates let you use one smart card for logging on and signing email. You must also add the Enrollment Agent template, which you need if you want to create new certificates. You now have a PKI that can authenticate users via smart cards.
Your next step is to install the GCR410 smart card reader, which is a simple step thanks to Plug and Play (PnP). Shut down the system, then connect the reader's two cables to the computer. The PS/2 cable is a wedge connector that inserts between the PS/2 port and the keyboard or mouse cable. The reader draws power from the PS/2 port. The serial cable, which plugs into a spare serial port, establishes communication between the system and the reader. When you start up your system, Win2K automatically detects the new reader—a welcome banner now prompts you to log on with a smart card or password, as Screen 2, page 87 shows.
Because smart card enrollment is a sensitive administrative function such as assigning user IDs and passwords, you need to limit this capability to specific users and workstations. Consequently, your next step is to enable one system as a smart card certificate enrollment workstation. First, request an Enrollment Agent certificate for the administrator who will enroll users with smart cards (i.e., assign smart cards to users). When the administrator requests smart card certificates for new users, Win2K signs the request with this Enrollment Agent certificate. Next, open the MMC snap-in Certificates. This MMC snap-in lets you manage certificates associated with your user account and request new ones. Request a new Enrollment Agent certificate, provide a friendly name, and click Install.
The preceding steps are necessary only for initial setup. You'll repeat the remaining steps for each user who needs a smart card. (In this article's example of only one computer, the user will need the right to log on locally to this server, by being a member of the Server Operators group, for example.)
You can now request smart card certificates on behalf of other users. Select an existing user account or create a new one. Open Microsoft Internet Explorer (IE), and enter your CA's server name (e.g., b1) followed by /CertSrv, as the URL in Screen 3 shows. Request a certificate, then specify an advanced request on the next screen. On the following screen, select Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station. Screen 4 shows Certificate Server's final user enrollment screen. Select the Certificate Template (i.e., Smartcard User or Smartcard Logon). You can also specify which CA to use, although this field defaults to the CA you've installed. You can specify the Cryptographic Service Provider (CSP) to use with this certificate. A CSP provides basic cryptographic services to the OS and applications. A smart-card-specific CSP uses the smart card to fulfill requests for the services that involve the private key. Screen 4 shows the GemSAFE as the selected CSP. You can also specify the Enrollment Agent certificate that will sign this request. Use the Enrollment Agent certificate you created earlier. Finally, you need to specify the user for whom you're requesting this certificate, then click Enroll. The system will prompt you to insert the smart card into the reader and enter its PIN. Certificate Server will display a page in your browser informing you that the operation was successful. You can then view the certificate on the smart card or enroll another user.
Now you're ready to log on using the smart card. First, log off the system and reinsert the card. The reader notifies the system that you've inserted a card, and the system asks you for the PIN. Enter the PIN, and your portion of the logon is complete. Win2K sends the PIN to the smart card for authentication. Then, the PIN performs cryptographic functions that Win2K requests (e.g., Win2K asks the smart card to sign a logon request).
Microsoft facilitated an Internet Engineering Task Force (IETF) proposal called PKINIT to extend the Kerberos version 5 (V5) authentication protocol to support public-key- and private-key-based authentication in addition to Kerberos' shared secret symmetric key method. Consequently, the workstation sends the logon request to a domain controller via a Kerberos Authentication Services (AS) request. The Kerberos Key Distribution Center (KDC) running on the domain controller verifies the request by using your certificate's public key, which the CA publishes. If everything checks out, Kerberos grants a ticket and you can log on. If a user loses his or her smart card, you simply open the certificate Services MMC snap-in, select the certificate under Issued Certificates, revoke it, publish the updated certificate revocation list (CRL), and issue a new smart card to the user. If someone tries to log on with the now invalid smart card, Win2K will refuse the logon.
Only Time Will Tell
The simplest-case scenario of implementing smart-card-based logon, which this article describes, is fairly easy. Ideally, a company with Win2K Professional (Win2K Pro) workstations, a spare serial port, and a CA hierarchy in place could implement smart card logon by simply plugging a reader into each workstation and issuing a smart card to each user.
However, the real world requires much more planning. Smart card deployment is really PKI deployment, which, according to the media, is fraught with complication and complexity. Win2K, with its PKI support at the desktop and directory levels, promises to provide a platform for the interoperability and integration necessary to make PKI take off.
I hope Microsoft releases a quality, usable OS that catches on quickly. If Win2K beta 3 is any indication, Microsoft might actually pull it off. When I implemented smart cards based on the procedures I outline in this article, everything worked the first time. If application vendors take advantage of Win2K's directory and public-key services, PKI could become a reality much sooner for everyone. And if manufacturers start building smart card readers into the PC, deployment costs will drop even lower and accelerate the move to smart-card-based PKI. Only time will tell.
)
Register
expecting a note on digital certficate from you.
rakesh kumar singh May 24, 2004