Re: smart card to user token

The smart card SIGNS the challenge and the server VERIFIES it (not encrypt /
decrypt). In Windows logon when you use smart cards, this authentication
REPLACES the password, so you won't need any password (just the user name).

Sorry, but I am less familiar with smart card APIs. However, depending what
you are using on the client side
- Java has crypto API which can access smart cards and I am sure there are
certificate related functions
- if you have a PKCS#11 (Cryptoki) library for the smart card, you can use
the Cryptoki API (C_FindObjects, C_GetAttributeValue, etc.)
- if the client is running Windows and you have a CSP for your smart card,
you should be able to use the Microsoft CryptoAPI. Look at the Platform SDK's
CertXxx functions (CertOpenStore, CertEnumCertificatesInStore, etc).

Laszlo Elteto
SafeNet, Inc.
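The sign-then-verify exchange described in the reply above, written out as an added example (it is not code from this thread, from SafeNet, or from any smart card vendor's API). It uses only Go's standard library. Assumptions: the card is simulated by an in-memory RSA key (on a real card the key never leaves the device and signing is done through PKCS#11 C_Sign or a CSP), the card's certificate is a constructed self-signed one, and validation of the certificate chain against the domain CA is left out. The server side shows the two checks that matter: the challenge must be one it issued and has not yet consumed, and the signature must verify under the public key taken from the certificate sent "up front".

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// cardIdentity stands in for the smart card (assumption: in-memory key).
// On a real card the private key is not exportable; only Sign is exposed.
type cardIdentity struct {
	key     *rsa.PrivateKey
	certDER []byte // the certificate the client sends to the server up front
}

// newCardIdentity builds a constructed self-signed certificate so the example
// runs offline. A real card carries a certificate issued by the domain CA.
func newCardIdentity(subject string) (*cardIdentity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &cardIdentity{key: key, certDER: der}, nil
}

// Sign is the card's part of the exchange: hash the challenge and sign the
// digest with the private key. Nothing is encrypted or decrypted.
func (c *cardIdentity) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
}

// server keeps the challenges it has issued so each can be answered once.
type server struct {
	pending map[string]bool
}

func newServer() *server { return &server{pending: map[string]bool{}} }

// NewChallenge returns 32 random bytes and records them as outstanding.
func (s *server) NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	s.pending[fmt.Sprintf("%x", b)] = true
	return b, nil
}

// Verify is the server's part: reject unknown or replayed challenges, parse
// the certificate, and verify the signature under its public key. On success
// it returns the subject name from the certificate.
func (s *server) Verify(certDER, challenge, signature []byte) (string, error) {
	key := fmt.Sprintf("%x", challenge)
	if !s.pending[key] {
		return "", errors.New("unknown or replayed challenge")
	}
	delete(s.pending, key) // one-time use, whether or not verification succeeds
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("certificate key is not RSA")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature); err != nil {
		return "", errors.New("signature does not verify")
	}
	// Chain validation against the domain CA is omitted here (assumption).
	return cert.Subject.CommonName, nil
}

func main() {
	card, _ := newCardIdentity("marc")
	srv := newServer()
	ch, _ := srv.NewChallenge()
	sig, _ := card.Sign(ch)
	name, err := srv.Verify(card.certDER, ch, sig)
	fmt.Println(name, err)
}
```

The challenge table is what makes the second round trip unnecessary: the server issues one random value, the card signs it once, and the same response cannot be presented again. In a deployment the server would also build the chain from the card's certificate to the domain CA and map the certificate to the domain account before handing anything to the logon path; that mapping, not a password read off the card, is what identifies the user.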

"Marc Sherman" wrote:

Thanks lelteto. Some more questions:

Is there a smart card API that will read the certificate from the card that
I can use in step 2?

I'm assuming the challenge is some arbitrary data that the server sends to
the smart card. The smart card encrypts it with its private key which it
then sends back to the server. The server decrypts it with the smart card's
public key (from the cert received in step 2), and then verifies that the
data is the same that it originally sent. Is that correct? If so, is there a
smart card API that does all this for me or do I use some crypto API to
generate a challenge and later decrypt it?

If the challenge-response is successful, do I then need to get the user's
name and password from the smart card and return that to LogonUser?

thanks,
Marc

"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA40B045-115F-4639-8183-0A455EDF21D1@xxxxxxxxxxxxxxxx
Yes, that's the sequence you would need to implement. I think there is only
one round-trip back (the smart card should sign only one challenge) but you
also have to handle the certificate from the smart card (which you could
actually send "up front" in step 2.)

Laszlo Elteto
SafeNet, Inc.

"Marc Sherman" wrote:

Hi lelteto,

Is this what you mean:

1. On client, user does something that requires him to authenticate with our
server.
2. On client, instead of prompting for credentials, notify server to begin
smart card authentication.
3. On server, call LogonUser
4. On server, LogonUser eventually calls our credential provider.
5. On server, our credential provider connects back to our client.
6. On server, our credential provider sends the challenge to our client.
7. On client, we read the challenge and pass it on to the local smart card.
8. Do until challenge-response is done: Server <--(network i/o)--> Client
<---(function calls)---> smart card
9. On server, our credential provider returns to LogonUser, which then logs
on the user.

thanks,
Marc

"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:560F7F23-776E-40F7-9BC9-B51A0BDD79CF@xxxxxxxxxxxxxxxx
The difference between password and smart card authentication is that you can
obtain the password "up front" but with smart card it is a challenge-response
process. You would need to write your own credential provider which would
need to interact with the remote smart card (AFTER initiating LogonUser send
the challenge to the remote card, have it signed and returned to the server,
where now the logon can complete).
But you cannot do in one step (ie. initiate it from the remote computer then
not communicate further with the smart card).

Laszlo Elteto
SafeNet, Inc.

"Marc Sherman" wrote:

"Marc Sherman" <masherman1970@xxxxxxxxx> wrote in message
news:efyNkO7AJHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

We have a client that prompts for username and password and then send this
to our server. Our server uses the supplied username and password in a
call to LogonUser() which returns the user's token. From the token we
extract the user's group membership.

A customer has asked if we can do the same with smart cards. Is it
possible to have our client read the user's credentials from the smart
card, send them to our server, then have our server somehow authenticate
the user's credentials in order to obtain a user token?

A bit more info:

The machine running our client is not part of a domain.
The machine running our server is part of a domain.
The credentials supplied by the user are domain credentials.

Marc
