Smart Card Logon: How it works and why it is better

Kerberos is the authentication protocol used when a user logs on interactively to a domain-joined machine. Each domain-joined machine has a secret that is known only to itself and to the KDC (Key Distribution Center, running on every Microsoft domain controller). This secret key is used to create a secure channel between the machine and the KDC. This channel matters because users' logon requests pass through it, and if the correct group policies are configured, the secure channel is always encrypted and signed.

How does normal password logon happen?

Before moving on to smart card logon, here is a brief description of how a normal logon is performed with a password. When a user attempts to log on to a workstation, the workstation sends a request to the KDC. The KDC generates a TGT (Ticket Granting Ticket) and encrypts it with a key (Ku). This key (Ku) is derived from the hash of the user's password, and only the user and the KDC know it. The workstation asks the user for the password, derives the password hash to obtain Ku, and then decrypts the TGT.
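To make that exchange concrete, here is an added simulation of the password-based exchange (example code written for this page, not code from the original post or from Windows): the KDC stores Ku, seals the reply under it, and the workstation must derive the same Ku from the typed password before it can open anything. The sealing is a stdlib-only toy (an HMAC keystream plus a MAC tag) standing in for the real Kerberos encryption types, and the realm, account name and password are constructed. One caveat on the simplification the post uses: real Kerberos seals the TGT itself under the krbtgt account's key and only the session-key part of the reply under Ku; the code follows the post's simpler picture.

```python
import hashlib
import hmac
import json
import secrets


def derive_ku(password: str, salt: str) -> bytes:
    """Ku: derived from the user's password and known only to the user and the KDC.
    Real Kerberos uses the encryption type's string-to-key function (PBKDF2 for the
    AES types) with realm + principal as salt; PBKDF2 is used here for the same reason."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC(key, nonce || counter) blocks, truncated to the needed length
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Toy encrypt-then-MAC; a stand-in for the Kerberos encryption types, not a real one."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: dict):
    """Returns the plaintext, or None when the key (i.e. the password) is wrong."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed KDC account store: the KDC keeps Ku, never the password itself
REALM = "CONTOSO.COM"
KDC_DB = {"alice": derive_ku("correct horse battery staple", REALM + "alice")}


def kdc_as_rep(username: str) -> dict:
    """The KDC's reply: a TGT (principal + fresh session key) sealed under the user's Ku."""
    ku = KDC_DB[username]
    tgt = {"principal": f"{username}@{REALM}", "session_key": secrets.token_hex(16)}
    return {"cname": username, "enc_part": seal(ku, json.dumps(tgt).encode())}


def workstation_logon(username: str, password: str):
    """The workstation derives Ku from the typed password, so Ku (and the password it
    came from) exists in workstation memory for the duration of the logon."""
    rep = kdc_as_rep(username)
    ku = derive_ku(password, REALM + username)
    plain = unseal(ku, rep["enc_part"])
    return None if plain is None else json.loads(plain)
```

`workstation_logon` returns `None` for a wrong password because the MAC check in `unseal` fails. The line to keep in mind for the next section is `ku = derive_ku(...)`: it runs on the workstation, which is exactly why Ku is exposed there.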

Why is password logon not good?

In this protocol, Ku is exposed to two parties: the user and the workstation. A key memorized by the user is vulnerable because the user can tell it to someone else, or it can be shoulder-surfed as the user types it. Furthermore, the user's keystrokes may be snooped remotely without her knowledge.

A key on a workstation is vulnerable if the workstation is not securely protected or cannot be trusted. Someone who can scan the entire memory can obtain the key, and someone with admin access to the workstation can install a logon program that stores user passwords.

To solve these issues, it is preferable to decrypt the TGT outside the workstation; therefore an external encryption device is required.

Furthermore, user passwords are subject to dictionary attacks and can be shared between multiple users.

How does smart card logon happen?

  1. If a reader is attached to the user's machine, the user is prompted to insert a card.
  2. The user is then prompted to enter a PIN.
  3. The logon request is passed to the Local Security Authority (LSA).
  4. The LSA communicates with the Kerberos authentication package on the client.
  5. Kerberos sends an authentication request to the Key Distribution Center (KDC) on the domain controller. The request includes a copy of the X.509 certificate (from the smart card) in the pre-authentication data field of the request and is signed with the card's private key.
  6. The KDC builds a certification path from the certificate to a root CA in the system root store.
  7. There must be an enterprise Certification Authority (a CA published in Active Directory). This prevents a rogue CA certified in another CA hierarchy from issuing a certificate for the domain.
  8. The KDC uses the public key from the certificate to verify the signature.
  9. The KDC verifies that the timestamp is within the skew time, the time window during which a request can be processed. This helps to detect a replay attack.
  10. The KDC looks up the account information in AD.
  11. If all tests pass, the KDC returns a Ticket Granting Ticket (TGT). The KDC also provides a copy of its own certificate and signs the returned information with its private key.
  12. The client verifies the KDC by building a certificate path from the KDC certificate to the trusted root CA and uses the KDC public key to verify the reply signature.
  13. If all is OK, the normal Kerberos path is followed from here (the TGT is used to obtain a service ticket and hence to reach the user's desktop).
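The steps above, as an added end-to-end simulation in Python (example code written for this page, not code from the original post or from Windows). It models the card as an object that signs only after the PIN is accepted (steps 1-2), the AS-REQ carrying the certificate as pre-authentication data (step 5), and the KDC's checks in order: chain to a trusted root, issuer published as an enterprise CA, signature, clock skew, account lookup (steps 6-10), followed by the signed reply and the client's verification of the KDC (steps 11-12). The RSA is textbook RSA over small well-known primes, the certificate format is a toy dictionary, and the CA names, accounts, PIN and error names are constructed (the error names borrow the RFC 4120/4556 identifiers only as labels).

```python
import hashlib
import json
import math
import secrets


# Textbook RSA over small, well-known primes: a constructed stand-in for real key
# pairs, used only to show the private-key-on-card / public-key-in-certificate split.
def rsa_keypair(p, q):
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (e, n), (pow(e, -1, phi), n)          # (public, private)


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(_h(data, priv[1]), priv[0], priv[1])


def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == _h(data, pub[1])


def canon(obj):                                   # stable bytes for signing
    return json.dumps(obj, sort_keys=True).encode()


# Toy certificate: subject + public key, signed by the issuing CA
def issue_cert(issuer, issuer_priv, subject, pub):
    body = {"subject": subject, "pub": pub, "issuer": issuer}
    return {**body, "sig": sign(issuer_priv, canon(body))}


def chains_to_trusted_root(cert, root_store):   # steps 6 and 12
    ca_pub = root_store.get(cert["issuer"])
    body = {k: cert[k] for k in ("subject", "pub", "issuer")}
    return ca_pub is not None and verify(ca_pub, canon(body), cert["sig"])


# Constructed PKI: Contoso-CA is the enterprise CA; Rogue-CA is a trusted root on
# the machine but was never published to AD, so the KDC must reject its certs (step 7)
CA_PUB, CA_PRIV = rsa_keypair(131071, 524287)
ROGUE_PUB, ROGUE_PRIV = rsa_keypair(8191, 2147483647)
ROOT_STORE = {"Contoso-CA": CA_PUB, "Rogue-CA": ROGUE_PUB}
ENTERPRISE_CAS = {"Contoso-CA"}

KDC_PUB, KDC_PRIV = rsa_keypair(104729, 1299709)
KDC_CERT = issue_cert("Contoso-CA", CA_PRIV, "krbtgt/CONTOSO.COM", KDC_PUB)
ACCOUNTS = {"alice@contoso.com": "CONTOSO\\alice"}    # step 10: UPN -> AD account
MAX_SKEW = 300                                          # seconds (the 5 minute default)


class SmartCard:
    """The private key never leaves the card; the PIN only unlocks signing (step 2)."""
    def __init__(self, priv, cert, pin):
        self._priv, self.cert, self._pin = priv, cert, pin

    def sign(self, pin, data):
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        return sign(self._priv, data)


USER_PUB, USER_PRIV = rsa_keypair(7919, 15485863)
ALICE_CARD = SmartCard(USER_PRIV, issue_cert("Contoso-CA", CA_PRIV, "alice@contoso.com", USER_PUB), "1234")


def build_as_req(card, pin, timestamp):
    """Step 5: AS-REQ carrying the cert as pre-authentication data, signed by the card."""
    body = {"cname": card.cert["subject"], "timestamp": timestamp,
            "nonce": secrets.token_hex(8), "pa_data": {"cert": card.cert}}
    return {**body, "sig": card.sign(pin, canon(body))}


def kdc_as_req(req, now):
    """Steps 6-11 on the KDC. Returns (reply, error)."""
    cert = req["pa_data"]["cert"]
    if not chains_to_trusted_root(cert, ROOT_STORE) or cert["issuer"] not in ENTERPRISE_CAS:
        return None, "KDC_ERR_CLIENT_NOT_TRUSTED"        # steps 6-7
    body = {k: req[k] for k in ("cname", "timestamp", "nonce", "pa_data")}
    if not verify(cert["pub"], canon(body), req["sig"]):
        return None, "KDC_ERR_CLIENT_NOT_TRUSTED"        # step 8: bad signature
    if abs(now - req["timestamp"]) > MAX_SKEW:
        return None, "KRB_AP_ERR_SKEW"                    # step 9: replay / clock skew
    account = ACCOUNTS.get(cert["subject"])
    if account is None or cert["subject"] != req["cname"]:
        return None, "KDC_ERR_C_PRINCIPAL_UNKNOWN"        # step 10
    reply = {"tgt": {"principal": account, "session_key": secrets.token_hex(16),
                     "nonce": req["nonce"]}, "kdc_cert": KDC_CERT}
    return {**reply, "sig": sign(KDC_PRIV, canon(reply))}, None     # step 11


def client_logon(card, pin, now):
    """Steps 1-5, then 12-13: the client verifies the KDC before trusting its reply."""
    req = build_as_req(card, pin, now)
    reply, err = kdc_as_req(req, now)
    if err:
        return None, err
    if not chains_to_trusted_root(reply["kdc_cert"], ROOT_STORE):
        return None, "KDC certificate does not chain to a trusted root"
    body = {"tgt": reply["tgt"], "kdc_cert": reply["kdc_cert"]}
    if not verify(reply["kdc_cert"]["pub"], canon(body), reply["sig"]):
        return None, "KDC reply signature invalid"
    if reply["tgt"]["nonce"] != req["nonce"]:
        return None, "reply does not match our request"
    return reply["tgt"], None
```

Two things worth noticing when running it: a wrong PIN stops the logon before any request leaves the workstation, because the card refuses to sign; and a certificate from `Rogue-CA` is rejected by the KDC even though that CA sits in the machine's root store, which is the point of step 7. Nothing on the workstation ever holds a long-term secret comparable to Ku.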
