Re: Certs on smart card, re-prompting for PIN (Internet Explorer 6)


I'm aware of what you explained in #1 and #2, and we are checking with the middleware manufacturer, but as mentioned (and which may be hard to explain), there's a desire not to change the settings on the middleware.

Re. your #3: As mentioned, we're using Apache as the webserver. I'm not aware of, nor have I found, any setting in the Apache configuration (httpd.conf and ssl.conf) that would cause Apache to re-authenticate each HTTPS request. This is probably a little off-topic, so I'll post in one of the Apache newsgroups, but if you (or anyone else) are aware of something like that in Apache, please let me know!


lelteto wrote:
You would need to ask the card vendor's software / tech support.
1. If the CERTIFICATE is protected with PIN (unlikely), then caching it will help. However, normally the PIN is needed only when the PRIVATE KEY is used (to sign the request which goes to the server).

2. Most Smart Card software allows the caching of the PIN (i.e., it won't prompt for it if it was entered in the last N minutes). Check with the vendor if such a setting is available. Note, however, that some SIGNING private keys are purposefully configured so that EACH signing act requires the PIN. This is good security practice, as e.g. in a banking environment if you sign only one transaction, another (initiated by a rogue program running on the same computer) would result in another PIN prompt and the user would notice that something is wrong.

3. You may have the issue because of the way you set up your Web server. If the server requires authentication of EACH request then the smart card has to sign each request. You should check the server configuration. Normally you would establish an SSL connection between client and server - and the connection setup would require that both sides use certs and signatures. In that case you would have only one PIN prompt (for the SSL connection) and all other communication would be flowing normally (but protected).

Laszlo Elteto
SafeNet, Inc.

"ohaya" wrote:


First of all, I'm not quite sure what the most appropriate newsgroup for this post is, so hopefully I guessed correctly. If not, my apologies in advance, and I'd appreciate a pointer to a more appropriate group.

Some background:

We are testing IE6 with client certificates stored on smart cards, and we are browsing to an Apache webserver that is configured for SSL client authentication. The Apache webserver is actually just proxying for a WebLogic server "behind" it.

The problem that we're encountering is that when we do the above, we are seeing the popup window asking for the smart card PIN, but this window is appearing multiple times, sometimes 10-20 times (we enter the PIN each time) before we start seeing the initial partial webpage. Then, when we enter the PIN again, "pieces" of the webpage appear, e.g., an image, then another image, etc., until the page is fully displayed.

I notice that the smart card "middleware" has settings for either caching the PIN, or for the middleware temporarily copying the client cert ("auto-registering") into the Certificate Store (until the smart card is removed), and I'm pretty sure if we enabled either or both of these settings, that we'd avoid the multiple popup PIN windows (right now, both PIN caching and auto-registering the cert to the Certificate Store are disabled).

From my research, IE will either create 2 or 4 simultaneous connections, depending on whether HTTP 1.0 or HTTP 1.1 is used, so I'm guessing that what is happening is that each time IE tries to establish a new client-authenticated connection to the Apache server, it is going through the SSL handshake, and thus retrieving the client cert from the smart card, and this is causing the popup PIN window to appear each time.

As mentioned above, the smart card middleware appears to have some settings that would also prevent the re-prompting for the PIN, but the workstations are locked down (i.e., we can't change the smart card middleware settings), and even if we could it would be a major process to get approval to change the settings, so I'm wondering if there is possibly something else that we can do to avoid the popup PIN windows from re-appearing.

What I'm thinking of is either:

- Somehow configure IE or crypto to automatically cache the client cert, but without having to change the setting in the smart card middleware, or

- Somehow configure IE to use just a single connection that is persistent, i.e., so that IE doesn't keep dropping and then creating new SSL connections.

The other thing that I'm wondering is whether maybe there's something 'wrong' about the client certs that we have, i.e., maybe there's something like a basic constraint in the certs that is causing something (e.g., the smart card middleware) to re-prompt for the PIN (e.g., maybe the certs are configured in such a way that the middleware thinks that we're doing something like signing email, rather than just doing SSL client authentication)?

Again, my apologies. I have some experience with smart cards, but not much of it has been "practical", so I'm hoping that someone here who has more experience with IE, MS crypto, smart cards, and smart card middleware might shed some light on all of this.

Thanks in advance!!
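An added example, not from either poster, of the Apache mod_ssl configuration point in lelteto's item 3 and of ohaya's guess that IE's several simultaneous connections each trigger a handshake: with a shared session cache and SSLVerifyClient set at the virtual-host level, later connections resume the existing SSL session and the card's private key signs only during the first full handshake. The directive names are real mod_ssl and Apache core directives; the file paths and the WebLogic host name are placeholders.

```apache
# Added example (not from the thread): Apache 2.x mod_ssl settings that limit
# client-certificate authentication to one full handshake per SSL session.
# Paths and host names are placeholders.

# Shared session cache, set outside the VirtualHost. Without a cache every
# new TCP connection the browser opens does a full handshake, so the card
# is asked to sign (and, with PIN caching off, to unlock) again.
SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca-bundle.crt

    # Require the client certificate for the whole virtual host, so it is
    # negotiated once when the session is established.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Avoid this per-directory form: mod_ssl must renegotiate (a second
    # client-certificate handshake) on every request that matches it,
    # which is one way to get a PIN prompt per request.
    # <Location /secure>
    #     SSLVerifyClient require
    # </Location>

    # Keep connections alive so the browser reuses them instead of
    # reconnecting for each image or script.
    KeepAlive            On
    KeepAliveTimeout     15
    MaxKeepAliveRequests 100

    # Placeholder back end for the WebLogic server behind the proxy.
    ProxyPass        / http://weblogic.example.internal:7001/
    ProxyPassReverse / http://weblogic.example.internal:7001/
</VirtualHost>
```

Whether a given connection did a full or a resumed handshake can be checked from the SSL_SESSION_RESUMED variable in a mod_ssl CustomLog format, which shows directly whether the session cache is being used.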