Do not be afraid of implementing smart card logon with Windows 7, Windows 8 and Windows 2008 or Windows 2012 in a domain environment based on the Active Directory and Kerberos. It is not that complex, it is also not that expensive.
My small series about smart card logon start here with some basic introduction into the smart card phylosophy and security principles. Later, I will publish some screenshots from users' perspective followed with directions on how to implement them easily and securelly. Of course, we will have a detailed troubleshooting article as well.
Note that by using the term smart card, we mean either real smart cards in the form of credit card shaped object, or various USB flash-disk like security tokens. The very first question answer their difference just now.
What we will discuss here is the Active Directory based Kerberos smart card logon (implemented as PKINIT pre-authentication) which uses public key certificates and their associated private keys (stored on the card) to authenticate and log domain users on. It works only with domain user in a domain environment. It work since Windows 2000 and Windows XP, but has received a lot of user experience improvements in Windows Vista and newer systems.
Certificates bring muuuch better security than user passwords. Smart cards are even simpler and easier to use for end users. Just imagine, you plug a card or token, punch in the 4 character PIN and you are in. Not retyping your 10+ password several types and still much more secure. Once you are finished, you just yank out the object and your machine locks automatically, RDP disconnects as well.
What are some differences between a smart card and a security token?
From a security and functional point of view, there is no difference, if they are used for Windows based smart card logon technology. Both have builtin cryptographic chip (CPU), both are equipped with a relatively small secure memory for storing private keys, both contain (EP)ROM with simple cryptographic operating system, both usually require a PIN to provide cryptographic functions.
They differ mostly in their physical properties. Smart cards require an additional and separate smart card reader (PC/SC reader). Smart card readers usually connect to computers over a USB cable, they might be built into keyboards or in the form of PCIMCI or PCIMCI Express cards. You can print on the cards, personalize them with photos or other design paterns. You can also have an RFID chip mounted into them which may enable people perform other functions such as passing physical access control devices at doors or using public print devices etc.
As you need two devices, often even comming from two different hardware vendors, you will also need two different device drivers installed in your operating system.
Security tokens have the both the card and the PC/SC reader built into a common body. They are smaller then the pair smart card plus PC/SC reader. It may be simpler to move with a security token among computers, yet it still requires drivers to be present on the target computer where you are to plug it in.
Again, it is common that tokens can be opened in a wayt that enables a SIM form of a card to be plugged in, or even easily changed by user later. From this, you can see that tokens are nothing else than simple combination of the card and reader, packed in a neat flash-disk like token.
Tokens usually have a small eye to be mounted to strips or keyrings. On the other hand, their surface is limited to print or to contain RFID antenas. Again, as they are actually comprised of the card PC/SC reader and the card, you need to have two device drivers installed in your operating system.
From this point on, I will use the "smart card" term for both physical forms because everything applies to them mutually without any difference. Even from price point of view they are nearly the same. Both the pair card/reader or a security token plus its SIM chip (builtin or not) will cost you about 50 USD or 40 EUR.
Note that there are some special types of security tokens such as RSA's SecureID. This token requires a special software infrastructure installed, is not supported by Active Directory and Kerberos natively and has different security and technical properties which we do not cover here.
Examples of smart cards that integrate well with Windows 7 or Windows 8 and Windows 2008 or Windows 2012 infrastructure based on AD and Kerberos are Monet+ ProID, Gemalto IDPrime (formerly .NET cards) or Infineon Sicrypt.
What are security properties of smart cards
They contain cryptographic chip, its own operating system and secure memory which stores private keys. Cryptographic operations are performed by the chip which isolates sensitive operations from the computer which only sends instructions and data and receives encrypted/decrypted or signed content. To request a cryptographic operation, user must supply a user PIN.
Note that PIN usually means just a normal password, because it can commonly be longer than 4 characters and contain even other character types than only numbers.
The card operating system does not allow private key to leave the card. Not even after you supply the user's PIN. When you know the PIN and have the card, you can request cryptooperations only. Not that you would be able to copy the card or extract its private keys. This feature enforces an important security property of cards which you don't have with traditional passwords. As the card cannot be duplicated, you must HAVE the card and KNOW the PIN. It is a real multifactor authentication.
In case of passwords, if somebody learns your password, he can use it without your knowledge whenever and wherever he/she wants. With smart card, although somebody can obtain your PIN (keyloggers, watching carfully when you type), he/she will not be able to use it without having your particular card. If the attacker steals your card, you quickly find out and can act appropriatelly.
Note that cards usually have another administrator, super-user or master PIN. If you know this master PIN, you can usually extract private keys, or format or clean the card or install new private keys. Administrators would not usually tell master PIN to their users thus enforcing the multifactor authentication properties of the cards.
Note that there are sometimes flash-disk smart card like products. These are based on regular flash disks which store private keys just encrypted with user's PIN. Although you cannot obtain the private keys without knowing PIN, you can copy its contents easily in a matter of seconds. After you learn PIN, you would have the poor your identity at your hand. The attacker may also try cracking the encrypted flash contents offline - there is no way to enforce PIN lockout once the attacker has his copy. Do not trust such solutions.
With smart cards, logon is even kind of simpler. Security of cards do not depend on PIN quality too much. As long as you have some four or five characters PIN and the card locks itself after several wrong PIN attempts, you are safe. As we said, if somebody has your card, regardless he knows or tries to gues your PIN, you will learn quickly.
On the other hand, cards contain very secure, long, cryptographical quality, random private keys. Private keys are used to encrypt network communications instead of weak passwords. As we said, PIN is used to access card services only, not that it would be used for the actual traffic encryption. If any attacker intecepts your network communication which was encrypted with a private key, it is mostly unbreakable. Which is not the case with weak passwords which are shorter than say 10-12 characters.
Another note about the cryptographic memory. Cards do not have too much memory to store private keys. It is usually like able to store 4 or 8 or 16 private keys (usual RSA private key is like 2048 bits = 256 bytes). So no gigabytes, not even megabytes, like traditional flash-disks. The memory must be physically secure. It does not store data in the normal plain form. It is scattered chaotically to be difficult to crack and obtain offline with a physical analysis. Basically, you cannot just connect the chip to some wires and read out private keys. One of my friends works as security analyst and partially works on physical security analysis of smart cards for various "secure agencies". What they do is physically destroying cards and trying to obtain the keys. Basic principle says - if you want private data, you must destroy the card. This is what makes the memory expensive and cards are thus limited in this regard.
What about fingerprint readers, how they compare with smart cards?
Fingerprint readers are not supported natively by Kerberos or Active Directory. Although they have received some device driver support since Windows 7, they need user password to log the user on. They work similarly to SecureID. You must install some specialized software on client computers which integrate with logon screen (plug-in called GINA on Windows 2003/XP and older or a Credentials Provider on newer systems).
The devices must store user password somewhere. Fingerprint readers store passwords in their full form locally. After you swipe your finger over the reader, it validates its pinpoints with its local database and extract the full-text password from local disk. SecureID tokens do not have local password storage. They ask a central network server to supply the user's full-text password.
Fingerprint readers can be fooled with duplicate finger prints, they are usually only picture scanners. You can also lookup the MythBusters series, season 2006, episode 59 to see an example of cracking professional fingerprint reader. Storing user passwords on workstations is generally insecure practice unless the computer is encrypted with BitLocker. Such a storage is prone to offline attacks.
Biometric authentication has a desired property of binding an electronic identity to a physical person, but have yet some time to become really secure. Although smart cards cannot be duplicated, they can be borrowed (together with telling PIN). If biometrics actually worked, it would be nice method to prevent users from giving their cards to others. But biometrics just do not work yet.
How cards work or do not work with user passwords?
The card stores user's public key certificate and mainly its associated private key. The certificate is generated and digitally signed by you internal certification authority (CA, in our case AD CS). The private key is used to sign authentication message for Kerberos PKINIT pre-authentication during your logon attempt. Users do not use their passwords.
Although users do not use their passwords (and they do not need to know them at all), Active Directory still stores some passwords. Usually randomized for better security. Passwords are still sometimes used automatically even when users log on with smart cards and certificates. An example may be NTLM authentication which requires the password. It works automatically and seamlessly to the end user, but it is good to understand, that AD still stores the passwords and you should also pay attention to randomizing them.
Certificate authority (CA) generates the certificates while DCs store user passwords. If you reset user password in AD, nothing happens with the certificate and the user can still log on with his/her card. If user's password expires in AD, the user can still log on with the card. If his/her password gets locked out after several incorrect password attempts, the user can still log on with the card.
On the other hand, if you revoke user's certificate on the CA, although the user cannot now log on with the card, he/she can log on with his/her password if he/she knows it.
On another hand, if you disable a user account, the user cannot log on with password nor with smart card. This applies also to situation when user's account expires as well (here I say "account expires", not "password expires" - note that these are two distinct AD user properties).
What will we need to implement to enable smart card logon?
In short, you need Active Directory on at least the domain functional level (DFL) of Windows 2000. You need domain member computers on Windows platform, based at least on Windows 2000, but we will mainly cover clients on Windows 7 and Windows 8 which have nice user GUI integration with smart cards. While servers can make do with as old OS as Windows 2000 very well as long as they are members of an AD domain.
We will need internal PKI infrastructure, but we will make do with a simple AD CS server (Active Directory Certificate Services) based on Windows 2008 or newer. No need to bother with multilevel CA hierarchy. It would not be more secure nor flexible. We will have Windows 2008 with nice user role and enrollment (certificate) policy separation.
And the cards and readers. In the Czech Republic and Slovakia, we have our local smart card vendor called Monet+ (Monet Plus) with its own ProID cards, while Gemalto IDPrime (formerly .NET cards) cards are worldwide leader in amounts distributed. I will talk about both and will cover their differences if any at all.
We definitely talk about smart cards or security tokens that support Kerberos PKINIT pre-authentication. We do not cover non-sense home-users' fingerprint readers or the heavy infrastructure and expensive RSA's SecureID.