Re: Windows logon through smart card.
- From: "anshul makkar" <anshulmakkar@xxxxxxxxx>
- Date: 2 Feb 2007 04:54:44 -0800
On Feb 2, 4:27 am, Eric Perlin [MSFT]
<EricPerlinM...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
If the username\password is stored on a smartcard, then from the OS
perspective, only your GINA would know it's not been typed by the user.
It's not considered a smartcard logon.
A real PKINIT SC logon uses a private key on the card.
To support this scenario, what you need is a CSP for the card you will be
using.
A custom GINA is not needed.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
"anshul makkar" wrote:
Hi,
I am working on a project that involves doing Windows logon through
Smart Card.
Smart Card specs provide some details about the command set for
signature verification, file system access and some encryption/
decryption techniques.
I have also read Windows interactive logon architecture and Kerberos
architecture, and to enable smart card logon we have to hook msgina.
Now I am confused regarding how we can authenticate a user using a smart
card so as to enable him to logon to the system:
1) Whether we should save the password (after capturing it from GINA) in
the files in the smart card and then, while authenticating, read the
password from the file and then call LSALogonUser with the read
password.
2) Should we save some certificates into the smart card, then carry
out certificate-based logon? If it's a certificate-based logon, then how
will we be able to logon to the domain, as domain Kerberos expects a
hashed password and not a certificate/key?
Please, if you have any idea or any reference material, then do let me
know.
Thanks.
Hi,
Thanks for the reply.
Along with the card I have been given the specs that show the set of
APDUs that are used for carrying out encryption/decryption, reading/
writing the files etc.
Is the set of APDUs that are given the CSP that I have to use
for certificate enrollment etc., or do I have to write a wrapper above
those APDUs that will be recognised as a CSP?
While doing R&D, I read certain steps for "Enrolling the smart
card", "Preparing Certification Authority To Issue Smart Card
Certificates", "Setup Smart Card For User Logon". These were simple
steps that indicate use of MMC for certificate enrollment etc. It was
written that after completion of these steps you will be able to logon
to the system using a smart card.
If this is true, then why do I need to write CSPs or CryptoAPI or any
other programming effort etc.?
Another point I found was that in the specs it was written that the smart
card chip does not handle certificates (i.e. it neither verifies
certificates nor extracts the public key). It stores certificates only in
raw binary form. So the dilemma is whether this card can still be used
for Windows logon or not.
Please, if you have any suggestion or direction, then do let me know. I
am in the design stage, and it is very crucial for me to suggest a
proper mode.
Thanking You.
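The "wrapper above those APDUs" that the reply asks about, as an added example that is not part of the thread and not code from either poster: ISO 7816-4 command/response framing, status-word handling (including the PIN retry counter), and a constructed mock card that stores the certificate as raw bytes, exactly as the spec describes, while the private key stays on the card and only a signature ever comes back. The INS codes, P1/P2 values, file identifier, PIN and the placeholder signature are assumptions for illustration; a real card's values come from its own spec, and a Windows CSP or minidriver would sit above a layer like this.

```python
"""ISO 7816-4 APDU framing plus a constructed mock card (added example, not from the thread).

Assumptions: SELECT=0xA4, VERIFY=0x20 (P2=0x80), READ BINARY=0xB0, PSO sign=0x2A (P1P2=9E9A),
certificate in EF 0x0001. A real card's codes and file ids come from its own spec.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int = 0
    p2: int = 0
    data: bytes = b""
    le: Optional[int] = None  # None = no response data expected

    def encode(self) -> bytes:
        """Short-length form: CLA INS P1 P2 [Lc Data] [Le]; Le=256 is encoded as 0x00."""
        if len(self.data) > 255 or (self.le is not None and not 0 <= self.le <= 256):
            raise ValueError("extended-length APDU needed")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le & 0xFF])
        return out


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response into (data, SW1SW2); the last two bytes are always the status word."""
    if len(raw) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


def describe_sw(sw: int) -> str:
    """Human-readable meaning of the common ISO 7816-4 status words."""
    if sw == 0x9000:
        return "success"
    if sw >> 8 == 0x61:
        return f"success, {sw & 0xFF} more bytes via GET RESPONSE"
    if sw >> 8 == 0x6C:
        return f"wrong Le, retry with Le={sw & 0xFF}"
    if sw >> 4 == 0x63C:
        return f"verification failed, {sw & 0xF} tries left"
    return {0x6982: "security status not satisfied (PIN not verified)",
            0x6983: "authentication method blocked",
            0x6A82: "file not found",
            0x6B00: "wrong P1-P2 (offset past end of file)"}.get(sw, f"unknown status {sw:04X}")


class MockCard:
    """Constructed card: certificate kept as raw bytes in EF 0x0001; the key is never readable."""

    def __init__(self, cert: bytes, pin: bytes):
        self.files = {0x0001: cert}
        self.pin, self.tries, self.selected, self.verified = pin, 3, None, False

    def transmit(self, apdu: bytes) -> bytes:
        _cla, ins, p1, p2 = apdu[:4]
        body = apdu[4:]
        if ins == 0xA4:                        # SELECT by 2-byte file identifier in data
            fid = int.from_bytes(body[1:3], "big") if len(body) >= 3 else None
            if fid not in self.files:
                return b"\x6A\x82"
            self.selected = fid
            return b"\x90\x00"
        if ins == 0x20:                        # VERIFY: Lc then PIN bytes, retry counter in 63Cx
            if self.tries == 0:
                return b"\x69\x83"
            if body[1:1 + body[0]] == self.pin:
                self.verified, self.tries = True, 3
                return b"\x90\x00"
            self.tries -= 1
            return bytes([0x63, 0xC0 | self.tries])
        if ins == 0xB0:                        # READ BINARY: offset in P1P2, Le bytes wanted
            data = self.files.get(self.selected)
            if data is None:
                return b"\x69\x86"             # command not allowed: no EF selected
            offset, le = (p1 << 8) | p2, (body[0] or 256) if body else 256
            if offset >= len(data):
                return b"\x6B\x00"
            return data[offset:offset + le] + b"\x90\x00"
        if ins == 0x2A:                        # PSO compute signature, PIN-gated; key stays on card
            if not self.verified:
                return b"\x69\x82"
            return b"SIGNATURE-PLACEHOLDER" + b"\x90\x00"  # constructed, not a real signature
        return b"\x6D\x00"                     # INS not supported


def read_certificate(card: MockCard, fid: int = 0x0001) -> bytes:
    """SELECT the certificate EF and READ BINARY it in 256-byte chunks until end of file."""
    _, sw = parse_response(card.transmit(CommandAPDU(0x00, 0xA4, 0x00, 0x00, fid.to_bytes(2, "big")).encode()))
    if sw != 0x9000:
        raise RuntimeError(describe_sw(sw))
    cert, offset = b"", 0
    while True:
        chunk, sw = parse_response(card.transmit(CommandAPDU(0x00, 0xB0, offset >> 8, offset & 0xFF, le=256).encode()))
        if sw == 0x6B00:                       # offset already at end of file
            break
        if sw != 0x9000:
            raise RuntimeError(describe_sw(sw))
        cert, offset = cert + chunk, offset + len(chunk)
        if len(chunk) < 256:
            break
    return cert


def verify_pin(card: MockCard, pin: bytes) -> int:
    """Send VERIFY; returns the status word so the caller can report remaining tries to the user."""
    return parse_response(card.transmit(CommandAPDU(0x00, 0x20, 0x00, 0x80, pin).encode()))[1]


def sign_hash(card: MockCard, digest: bytes) -> Tuple[bytes, int]:
    """PSO: the digest goes to the card and only the signature comes back."""
    return parse_response(card.transmit(CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, digest, le=256).encode()))


if __name__ == "__main__":
    card = MockCard(cert=bytes(range(256)) * 2 + b"tail", pin=b"1234")  # constructed sample card
    print(len(read_certificate(card)), "certificate bytes read without a PIN")
    print(describe_sw(sign_hash(card, b"\x00" * 32)[1]))   # signing refused until VERIFY succeeds
    print(describe_sw(verify_pin(card, b"0000")))          # wrong PIN: counter decrements
    print(describe_sw(verify_pin(card, b"1234")))
    print(sign_hash(card, b"\x00" * 32)[0])
```

Reading the certificate needs no PIN, since the card only returns raw bytes and the host parses them; the signature operation is what the PIN gates, which is the property a PKINIT logon relies on and a password-in-a-file scheme lacks.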