RE: Certs on smart card, re-prompting for PIN (Internet Explorer 6)



You would need to ask the card vendor's software / tech support.
1. If the CERTIFICATE is protected with PIN (unlikely), then caching it will
help. However, normally the PIN is needed only when the PRIVATE KEY is used
(to sign the request which goes to the server).

2. Most Smart Card software allows the caching of the PIN (i.e., it won't
prompt for it if it was entered in the last N minutes). Check with the vendor
if such a setting is available. Note, however, that some SIGNING private keys
are purposefully configured so that EACH signing act requires the PIN. This is
good security practice, as, e.g., in a banking environment if you sign only one
transaction, another (initiated by a rogue program running on the same
computer) would result in another PIN prompt and the user would notice that
something is wrong.

3. You may have the issue because of the way you set up your Web server. If
the server requires authentication of EACH request then the smart card has to
sign each request. You should check the server configuration. Normally you
would establish an SSL connection between client and server - and the
connection setup would require that both sides use certs and signatures. In
that case you would have only one PIN prompt (for the SSL connection) and all
other communication would be flowing normally (but protected).

Laszlo Elteto
SafeNet, Inc.

"ohaya" wrote:

Hi,

First of all, I'm not quite sure what the most appropriate newsgroup for
this post is, so hopefully I guessed correctly. If not, my apologies in
advance, and I'd appreciate a pointer to a more appropriate group.

Some background:

We are testing IE6 with client certificates stored on smart cards, and
we are browsing to an Apache webserver that is configured for SSL client
authentication. The Apache webserver is actually just proxying for a
WebLogic server "behind" it.

The problem that we're encountering is that when we do the above, we are
seeing the popup window asking for the smart card PIN, but this window
is appearing multiple times, sometimes 10-20 times (we enter the PIN
each time) before we start seeing the initial partial webpage. Then,
when we enter the PIN again, "pieces" of the webpage appear, e.g., an
image, then another image, etc., until the page is fully displayed.

I notice that the smart card "middleware" has settings for either
caching the PIN, or for the middleware temporarily copying the client
cert ("auto-registering") into the Certificate Store (until the smart
card is removed), and I'm pretty sure if we enabled either or both of
these settings, that we'd avoid the multiple popup PIN windows (right
now, both PIN caching and auto-registering the cert to the Certificate
Store are disabled).

From my research, IE will create either 2 or 4 simultaneous
connections, depending on whether HTTP 1.0 or HTTP 1.1 is used, so I'm
guessing that what is happening is that each time IE tries to establish
a new client-authenticated connection to the Apache server, it is going
through the SSL handshake, and thus retrieving the client cert from the
smart card, and this is causing the popup PIN window to appear each time.

As mentioned above, the smart card middleware appears to have some
settings that would also prevent the re-prompting for the PIN, but the
workstations are locked down (i.e., we can't change the smart card
middleware settings), and even if we could it would be a major process
to get approval to change the settings, so I'm wondering if there is
possibly something else that we can do to prevent the popup PIN windows
from re-appearing.

What I'm thinking of is either:

- Somehow configure IE or crypto to automatically cache the client cert,
but without having to change the setting in the smart card middleware, or

- Somehow configure IE to use just a single connection that is
persistent, i.e., so that IE doesn't keep dropping and then creating new
SSL connections.


The other thing I'm wondering is whether maybe there's something 'wrong'
about the client certs that we have, i.e., maybe there's something like
a basic constraint in the certs that is causing something (e.g., the
smart card middleware) to re-prompt for the PIN (e.g., maybe the certs
are configured in such a way that the middleware thinks that we're doing
something like signing email, rather than just doing SSL client
authentication)?


Again, my apologies. I have some experience with smart cards, but not
much of it has been "practical", so I'm hoping that someone here who has
more experience with IE, MS crypto, smart cards, and smart card
middleware might shed some light on all of this.

Thanks in advance!!

Jim
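The reply's point 3 (check whether the server forces the card to sign for every request) can be illustrated with an Apache mod_ssl fragment. This is an added example, not configuration from either poster; the hostnames, file paths and the WebLogic proxy target are placeholders, and the directives are mod_ssl's standard ones.

```apache
# Added illustration, not from the thread. Paths, hostnames and the
# WebLogic backend address below are placeholders.

Listen 443
# Cache SSL sessions server-side so that the extra parallel connections
# IE opens can resume the existing session instead of doing a full
# handshake (and a fresh client-certificate signature) each time.
SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    ServerName  portal.example.internal
    SSLEngine   on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.pem

    # Require the client certificate once, at the initial handshake for
    # the whole virtual host. The smart card's private key is then used a
    # single time, which is the "one PIN prompt" case the reply describes.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Pattern to avoid: requiring client auth only inside a Location.
    # mod_ssl then has to renegotiate whenever a request hits that path,
    # i.e. a new signature by the card, and potentially a new PIN prompt,
    # per request.
    #<Location /app>
    #    SSLVerifyClient require
    #</Location>

    # Apache is only a front end for the application server.
    ProxyPass        /app http://weblogic.example.internal:7001/app
    ProxyPassReverse /app http://weblogic.example.internal:7001/app
</VirtualHost>
```

Resumption still depends on the browser reusing the session ID on its additional connections; whether a resumed session or a cached PIN avoids a further prompt at the card is the middleware policy covered by the reply's point 2.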
