Re: Own GINA dll with special requirements
- From: "Frank Stegerwald" <stegerwald@xxxxxxxxxxxxxxxx>
- Date: Thu, 27 Apr 2006 07:36:38 +0200
Hi,

Thanks for your reply and pointing out the security issues.

I discussed the issues and we came up with a (hopefully) more secure solution: based on the chip-ID only the username is retrieved from AD and entered into the username field of the login box. The password needs to be entered manually by the user. The main purpose for using the chip is that if it is removed, the user is automatically logged out of the system.

So the only thing to do is:
1. Retrieve the username out of Active Directory and fill the standard login box with the username. The user enters their password and is then authenticated using standard Windows login functionality.

In my eyes this would not expose any security risks, or am I overlooking something?

Thanks for your valuable responses so far!!!

Greetings
Frank Stegerwald
"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8B59DFBC-EC06-4A6E-8A32-452D68D6DDA4@xxxxxxxxxxxxxxxx

Storing the user passwords in AD (even in reversible encrypted form) is a big security risk. In addition, since the ID chips do not require a PIN from the user, if they are lost / stolen anybody can log in using them. Also, as you identified, if the reader / chip communication is not encrypted (preferably differently each time) then somebody can get the chip information and can give it to the reader (replay attack).

Your 'ease of use' solution would considerably weaken the login protection.

Laszlo Elteto
SafeNet, Inc.
"Frank Stegerwald" wrote:

Hi,

I need to replace the GINA dll of an XP system to support the following requirement:

We have a chip-reader that reads "chip-IDs" from transponder chips. Instead of typing in a username and password, the user puts the chip on the transponder and the "chip-ID" should be matched to an Active Directory user. In Active Directory a chip-ID is assigned to each AD user.

The username and the password should be entered into the login box automatically based on the chip-ID.

I already set up a thread that retrieves the chip-ID from the transponder.

So the missing part that I have is the following:
1. Can Active Directory be expanded to assign a chip-ID to a user?
2. How to retrieve the password and username based on the chip-ID out of Active Directory (which user should I use for this, since the actual user is not logged in to the machine yet)?
3. Is it appropriate to use .NET to replace a GINA dll or must it be implemented in native code?

How can I achieve this, or where should I look for this information, if this is the wrong newsgroup?

Thanks for any help

Greetings
Frank Stegerwald
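The lookup described in step 1 of the revised design above (and the "which user should I use for this" question in the original post), as an added example that is not code from this thread: the chip-ID comes from the reader, so it is validated and escaped before it is placed in the LDAP filter, exactly one matching account is required before a username may be filled in, and the bind is assumed to use a dedicated read-only service account. The attribute name `chipId` and the `conn.search(...)` interface are assumptions, written in Python for illustration rather than as GINA code.

```python
"""Map a transponder chip-ID to the AD account it is assigned to.

Added example, not code from this thread. Assumptions: the chip-ID is
held in a custom AD attribute named "chipId" (hypothetical name), and
the lookup binds with a dedicated read-only service account, because
the interactive user is not logged on yet when the GINA runs.
"""
import re

# The chip-ID arrives from the reader, so it is untrusted input: accept
# only the format the transponder actually produces (assumed here:
# 8-16 hex digits) before it goes anywhere near a directory query.
CHIP_ID_RE = re.compile(r"^[0-9A-Fa-f]{8,16}$")


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 \\xx form).

    Defence in depth: the format check already excludes these characters,
    but the escaping keeps the filter safe if that format is ever relaxed.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)


def build_filter(chip_id: str, attr: str = "chipId") -> str:
    """Return the filter that selects the user holding this chip-ID."""
    if not CHIP_ID_RE.match(chip_id):
        raise ValueError("chip-ID does not match the expected format")
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(chip_id))


def username_for_chip(conn, base_dn: str, chip_id: str) -> str:
    """Return the sAMAccountName assigned to chip_id.

    `conn` is any object with search(base_dn, filter, attributes) returning
    a list of attribute dicts, e.g. a thin wrapper around an ldap3
    Connection (assumed interface). Exactly one account must match: no
    match is an unknown chip, more than one is a provisioning error, and
    in neither case may a username be placed in the login box.
    """
    rows = conn.search(base_dn, build_filter(chip_id), ["sAMAccountName"])
    if len(rows) != 1:
        raise LookupError("chip-ID matched %d accounts, expected 1" % len(rows))
    return rows[0]["sAMAccountName"]
```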