date: Thu, 21 Aug 2008 13:30:29 -0400
group: microsoft.public.platformsdk.security
Re: smart card to user token
Hi lelteto,
Is this what you mean:
1. On client, user does something that requires him to authenticate with our
server.
2. On client, instead of prompting for credentials, notify server to begin
smart card authentication.
3. On server, call LogonUser
4. On server, LogonUser eventually calls our credential provider.
5. On server, our credential provider connects back to our client.
6. On server, our credential provider sends the challenge to our client.
7. On client, we read the challenge and pass it on to the local smart card.
8. Do until challenge-response is done: Server <--(network i/o)--> Client <---(function calls)---> smart card
9. On server, our credential provider returns to LogonUser, which then logs
on the user.
thanks,
Marc
"lelteto" wrote in message
news:560F7F23-776E-40F7-9BC9-B51A0BDD79CF@microsoft.com...
> The difference between password and smart card authentication is that you
> can obtain the password "up front" but with smart card it is a
> challenge-response process. You would need to write your own credential
> provider which would need to interact with the remote smart card (AFTER
> initiating LogonUser send the challenge to the remote card, have it signed
> and returned to the server, where now the logon can complete).
> But you cannot do it in one step (i.e. initiate it from the remote computer
> then not communicate further with the smart card).
>
> Laszlo Elteto
> SafeNet, Inc.
>
> "Marc Sherman" wrote:
>
>> "Marc Sherman" wrote in message
>> news:efyNkO7AJHA.5160@TK2MSFTNGP04.phx.gbl...
>> > Hello,
>> >
>> > We have a client that prompts for username and password and then sends
>> > this to our server. Our server uses the supplied username and password in
>> > a call to LogonUser() which returns the user's token. From the token we
>> > extract the user's group membership.
>> >
>> > A customer has asked if we can do the same with smart cards. Is it
>> > possible to have our client read the user's credentials from the smart
>> > card, send them to our server, then have our server somehow authenticate
>> > the user's credentials in order to obtain a user token?
>>
>> A bit more info:
>>
>> The machine running our client is not part of a domain.
>> The machine running our server is part of a domain.
>> The credentials supplied by the user are domain credentials.
>>
>> Marc
>>
>>
>>
date: Thu, 21 Aug 2008 17:19:04 -0400
author: Marc Sherman
Re: smart card to user token
Yes, that's the sequence you would need to implement. I think there is only
one round-trip back (the smart card should sign only one challenge) but you
also have to handle the certificate from the smart card (which you could
actually send "up front" in step 2.)
Laszlo Elteto
SafeNet, Inc.
date: Fri, 22 Aug 2008 09:25:02 -0700
author: lelteto
Re: smart card to user token
Thanks lelteto. Some more questions:
Is there a smart card API that will read the certificate from the card that
I can use in step 2?
I'm assuming the challenge is some arbitrary data that the server sends to
the smart card. The smart card encrypts it with its private key which it
then sends back to the server. The server decrypts it with the smart card's
public key (from the cert received in step 2), and then verifies that the
data is the same that it originally sent. Is that correct? If so, is there a
smart card API that does all this for me or do I use some crypto API to
generate a challenge and later decrypt it?
If the challenge-response is successful, do I then need to get the user's
name and password from the smart card and return that to LogonUser?
thanks,
Marc
date: Fri, 22 Aug 2008 12:54:23 -0400
author: Marc Sherman
Re: smart card to user token
The smart card SIGNS the challenge and the server VERIFIES it (not encrypt /
decrypt). In Windows logon when you use smart cards, this authentication
REPLACES the password, so you won't need any password (just the user name).
Sorry, but I am less familiar with smart card APIs. However, depending on what
you are using on the client side:
- Java has a crypto API which can access smart cards and I am sure there are
certificate-related functions
- if you have a PKCS#11 (Cryptoki) library for the smart card, you can use
the Cryptoki API (C_FindObjects, C_GetAttributeValue, etc.)
- if the client is running Windows and you have a CSP for your smart card,
you should be able to use the Microsoft CryptoAPI. Look at the Platform SDK's
CertXxx functions (CertOpenStore, CertEnumCertificatesInStore, etc).
Laszlo Elteto
SafeNet, Inc.
date: Mon, 25 Aug 2008 09:32:03 -0700
author: lelteto
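The exchange the thread sketches, as an added example that is not part of any post above: a Go model of steps 2 and 6 to 9 from Marc's list together with the correction in the last reply, i.e. the card signs the challenge and the server verifies the signature with the public key from the card's certificate, then takes the user name from the certificate rather than any password. Everything in it is an assumption for the demo: the Card type with a software RSA key plays the smart card (a real client would obtain the certificate and the signature from the card through PKCS#11 or the card's CSP, as the last reply suggests, and the card would prompt for its PIN before signing), the Server type plays the check the thread places inside the custom provider before it hands control back to LogonUser, and the "Example CA" and user "jdoe" are a constructed test PKI built at startup. The server side adds what a practitioner would insist on and the thread does not spell out: the challenge is random, accepted once and expires, and the certificate must chain to the CA the server trusts before the signature is even looked at.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Card stands in for the user's smart card (a software RSA key here, not a real card or CSP).
type Card struct {
	key  *rsa.PrivateKey // never leaves the card; only signatures do
	Cert []byte          // DER certificate the client reads off the card and sends in step 2
}

// Sign is step 7: the card SIGNS the server's challenge; nothing is encrypted or decrypted.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
}

// Server is the credential-provider side: one trusted CA plus the challenges it has issued.
type Server struct {
	roots   *x509.CertPool
	pending map[string]time.Time // challenge -> expiry; removed as soon as it is answered
}

// NewChallenge is step 6: 32 fresh random bytes, valid for one answer within one minute.
func (s *Server) NewChallenge() []byte {
	n := make([]byte, 32)
	must(rand.Read(n))
	s.pending[string(n)] = time.Now().Add(time.Minute)
	return n
}

// Verify is the check before step 9 returns to LogonUser: the certificate must chain to the
// trusted CA and the signature must VERIFY under its public key over a challenge this server
// issued. The user name comes from the certificate; no password is involved.
func (s *Server) Verify(certDER, challenge, sig []byte) (string, error) {
	exp, ok := s.pending[string(challenge)]
	delete(s.pending, string(challenge)) // one-shot: a replayed response fails the next check
	if !ok || time.Now().After(exp) {
		return "", errors.New("challenge unknown, expired or already used")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if err = cert.CheckSignature(x509.SHA256WithRSA, challenge, sig); err != nil {
		return "", errors.New("signature does not verify over this challenge")
	}
	return cert.Subject.CommonName, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Setup builds a constructed PKI for the demo: a self-signed "Example CA" and a user
// certificate for "jdoe" issued by it, loaded onto the simulated card.
func Setup() (*Card, *Server) {
	caKey, userKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "jdoe"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER := must(x509.CreateCertificate(rand.Reader, userTmpl, caCert, &userKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Card{key: userKey, Cert: userDER}, &Server{roots: roots, pending: map[string]time.Time{}}
}

func main() {
	card, srv := Setup()
	ch := srv.NewChallenge()                    // step 6: server -> client
	sig := must(card.Sign(ch))                  // step 7: client -> card -> client
	user, err := srv.Verify(card.Cert, ch, sig) // steps 8-9: client -> server
	fmt.Println("user:", user, "err:", err)     // user: jdoe err: <nil>
	_, err = srv.Verify(card.Cert, ch, sig)     // the same response sent a second time
	fmt.Println("replay:", err)                 // replay: challenge unknown, expired or already used
}
```

Run it with go run: it prints the user name taken from the certificate, then a failure when the same response is sent again. One caveat the sketch in the thread does not cover: the signature here is over the nonce alone, so it proves possession of the card's key but does not tie the response to this particular server or connection. The client-to-server link therefore needs to be an authenticated, encrypted channel (better still, fold the server's identity or a channel binding into what the card signs), otherwise an intermediary that can talk to the client could relay the server's challenge and obtain the logon for itself. Revocation checking of the user certificate is also left out and belongs in the Verify step of a real deployment.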
Re: smart card to user token
lelteto, thanks for your help.
Marc
date: Wed, 27 Aug 2008 09:19:29 -0400
author: Marc Sherman