EIDAuthentication

Goal:

Allow the use of electronic identity cards (such as those distributed by the beid project in Belgium) to log on to Windows Vista and later.


Latest Release:

·         EIDInstall_0.3.0.2_x64.exe

·         EIDInstall_0.3.0.2_x86.exe

Get the source code:

·         Source code for this project is available through the Subversion SCM repository used by the project, as accessible from the project summary page.

Requirements:

·         Windows Vista or Windows 7

·         Smart Card Reader

·         A Smart Card with CSP support (the following cards have been successfully tested)

o   Gemalto .Net Card

o   Raak Technologies

o   Belgium Identity Card (both current middleware and Windows 7 mini driver)

o   SCsquare

o   Athena

o   ActivIdentity ActivClient (Oberthur CosmopolIC 64K V5.2 Fast ATR)

·         A computer that is not joined to a domain (on a domain-joined computer, configure Microsoft's own smart card logon instead)

Note for Belgian users:
The Belgian government will release a Windows 7 minidriver which will enable domain logon.
If you can't wait, compile the minidriver yourself and follow the instructions. I've tested it and it works!

Demo:

Features:

·         A Credential Provider that lets the user enter their PIN (see screenshot)

·         An Authentication Package which authenticates the user.

·         A Password Filter package to handle password changes

·         A Wizard to configure everything


Two scenarios are supported:

1.       Use of a blank card – the wizard can create the certificate chain on the computer and on the smart card

2.       Use of a preconfigured card – like an ID card – whose credentials cannot be changed


To deal with common certificate problems, the wizard includes checks and offers fixes for some of them (see the “Make this certificate trusted” button).


The project supports most of the features of the original Smart Card Credential Provider, such as:

·         The “Require Smart Card Logon” Policy

·         The “Remove” Policy

·         “Allow Signature Only” Policy

·         “Allow Certificate with no EKU” Policy

·         “Allow Time Invalid” Policy

·         More than one certificate per card

·         More than one reader per computer

How to use it?

The installer adds an icon to the Security page of the Control Panel.

How to change the PIN?

Press Ctrl+Alt+Del, choose Change the password, then Other Credential, then Smart Card.

Note: only smart cards compliant with the Base Smart Card CSP work with this procedure. Only the user PIN can be changed, not the admin PIN.

Terminal services

Currently Network Level Authentication (NLA) doesn't work. This is because CredSSP (which performs the authentication in RDP) passes the credential to the Negotiate security package. I'm looking for a solution.

However, you can disable NLA as a workaround. Just add the following line to the .rdp file: EnableCredSspSupport:i:0
Note: you don't need this workaround on Windows 7.

FAQ

1.       Why doesn't Microsoft allow smart card logon without a domain?

Stand-alone Windows uses MSV1_0 for logon, and domain-joined computers use Kerberos as the authentication package. Microsoft aims at the professional market for security, and home users don't fit in this category. Smart card logon is a high standard which, to be consistent, requires disk encryption. Microsoft states that there is no need for that and I agree with them. However, if you want to get rid of passwords or to use your electronic ID, you're stuck. That's the purpose of this project.

2.       Why do you ask me for my password?

Technically the password is not needed to establish a session. However, you may use a security library named “DPAPI”. It is used to protect private keys (the ones associated with certificates), IE7 passwords, EFS certificates and many other things. DPAPI uses the SHA1 of the password to encrypt the master keys that in turn encrypt sensitive data. Without this hash, which is not stored on the computer, you can't access that data. The workaround is to store the password encrypted with the public key and to decrypt it once the logon is done. Password changes are handled by a password filter package which intercepts the new password and encrypts it using the public key stored in the LSA.

3.       Why doesn't MS smart card logon need my password?

In fact, it does. DPAPI master key encryption is not the same on a standalone computer and on a domain-joined computer. In the second case, the master key is encrypted using the NT hash, which is retrieved from the domain controller or from the stored credential. The first retrieval of this hash is done by the Kerberos package, and the hash is then stored for later use. Technically it should be possible to retrieve the SHA1 of the password from the credential used by the current session and to submit it at logon, but these interfaces are not documented.

4.       What about security?

The weakness of this solution is the use of the password. It is technically possible to retrieve the stored credential with hacker tools (Cain & Abel, for example). Most of these tools are detected by antivirus, but you should know that antivirus will only stop script kiddies. The attacker then needs to decrypt this credential using the configured smart card and your PIN. If your smart card and your PIN are stolen, revoking your certificate will not stop offline attacks. Mitigation: change the password.

Note for Belgian eID users: because the card does not support encryption (yet), it can't encrypt the password (several workarounds were needed to make it work). You should know that your password can be recovered easily from the stored credential if your disk is not encrypted. But you should also know that there are other methods: pass the hash, rainbow tables, dictionary and brute force attacks. Recovering a password takes between a few seconds and a few days, depending on the complexity of your password.

If you need higher security, buy a crypto card (see the list of manufacturers at the beginning) and encrypt your disk!
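The scheme from FAQ 2 and the "change the password" mitigation from FAQ 4, as an added PowerShell model that is not the project's code: a software RSA key stands in for the smart card's key pair, a variable stands in for the LSA secret, and the function names (Protect-LogonPassword, Unprotect-LogonPassword, Get-DpapiPreKey) are this example's own.

```powershell
# Added example, not code from the EIDAuthentication project. A software RSA key
# replaces the smart card's key pair and a variable replaces the LSA secret so the
# flow can run stand-alone in Windows PowerShell.

Set-StrictMode -Version Latest

# The card's key pair. Only the public half is copied to the computer (exported as
# a CSP blob without private parameters); the private half stays on the card and
# is usable only after the PIN has been entered.
$card = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$publicKeyInLsa = $card.ExportCspBlob($false)

function Get-DpapiPreKey {
    param([string]$Password)
    # What DPAPI needs from the user, per FAQ 2: the SHA-1 of the UTF-16LE password.
    # (The real master-key protection derives further keys from this value.)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = $sha1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Password))
    $sha1.Dispose()
    return [System.BitConverter]::ToString($hash).Replace('-', '').ToLower()
}

function Protect-LogonPassword {
    param([byte[]]$PublicKeyBlob, [string]$Password)
    # Done at enrolment by the wizard and on every change by the password filter:
    # encrypt the password to the card's public key and keep only that blob.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportCspBlob($PublicKeyBlob)
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $blob = $rsa.Encrypt($plain, $true)      # $true = OAEP padding
    [Array]::Clear($plain, 0, $plain.Length)
    $rsa.Dispose()
    return $blob
}

function Unprotect-LogonPassword {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$Card, [byte[]]$Blob)
    # Done by the authentication package after a successful PIN: the card decrypts
    # the blob and the recovered password is handed to DPAPI for the session.
    $plain = $Card.Decrypt($Blob, $true)
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

# --- Enrolment: the stored secret is the encrypted password plus the public key.
$storedBlob = Protect-LogonPassword -PublicKeyBlob $publicKeyInLsa -Password 'Old-Passw0rd'

# --- Logon: PIN verified, the card decrypts, and the DPAPI pre-key is available.
$recovered = Unprotect-LogonPassword -Card $card -Blob $storedBlob
"Recovered password matches: $($recovered -eq 'Old-Passw0rd')"
"DPAPI pre-key (SHA-1 of password): $(Get-DpapiPreKey $recovered)"

# --- FAQ 4: a copy of the computer's data holds the blob and the public key only.
# That key object has no private half, so there is nothing to decrypt with.
$copyFromDisk = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$copyFromDisk.ImportCspBlob($publicKeyInLsa)
"Copied key is public-only: $($copyFromDisk.PublicOnly)"

# --- Password change (the FAQ 4 mitigation): the filter re-encrypts the new
# password, so any blob copied earlier decrypts only to a password that is no
# longer valid.
$storedBlob = Protect-LogonPassword -PublicKeyBlob $publicKeyInLsa -Password 'New-Passw0rd'
$afterChange = Unprotect-LogonPassword -Card $card -Blob $storedBlob
"Blob after change decrypts to the new password: $($afterChange -eq 'New-Passw0rd')"
```

Each check prints True. The model shows why FAQ 4 ends with "change the password": whoever copies the stored credential gets a blob and a public key, the decryption capability stays on the card behind the PIN, and a password change makes every previously copied blob worthless.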

Technical information

Debugging

This project includes a test program (not shipped with the installer) which can exercise every step of the logon. Obviously, it requires advanced knowledge of the processes involved.

This project implements Windows Event Tracing (ETW). To enable it, run as admin “rundll32 EIDAuthenticationPackage,DllEnableLogging”; to disable it, run as admin “rundll32 EIDAuthenticationPackage,DllDisableLogging”. This registers all events provided by the AutoLogger feature and does not require a reboot. Then, as admin, open a command prompt in C:\Windows\System32\LogFiles\WMI and find the newest file. Run “tracerpt EIDCredentialProvider.etl.001 -o %USERPROFILE%\Desktop\report.txt -of csv” to get a report.
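The same three steps (enable, disable, convert) wrapped as PowerShell functions, added here as an example rather than taken from the project: it adds the elevation check the text asks for, picks the newest trace file instead of the fixed name EIDCredentialProvider.etl.001, and counts the converted events. The file pattern EIDCredentialProvider*.etl* and the function names are assumptions of this example.

```powershell
# Added example, not part of the project. Uses the rundll32 entry points and the
# log directory named above; the trace file name pattern is an assumption.

function Test-IsAdministrator {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-EidTraceFile {
    # "Find the newest file" in the AutoLogger directory, restricted to this provider.
    $logDir = Join-Path $env:SystemRoot 'System32\LogFiles\WMI'
    Get-ChildItem -Path $logDir -Filter 'EIDCredentialProvider*.etl*' |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

function Set-EidTracing {
    param([Parameter(Mandatory = $true)][ValidateSet('Enable', 'Disable')][string]$State)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell prompt.' }
    $entry = @{ Enable = 'DllEnableLogging'; Disable = 'DllDisableLogging' }[$State]
    # Same call as the rundll32 command above. rundll32 does not pass the DLL
    # function's result back in its exit code, so only completion is awaited here.
    Start-Process -FilePath rundll32.exe -ArgumentList "EIDAuthenticationPackage,$entry" -Wait
}

function Export-EidTraceReport {
    param([string]$OutFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'report.txt'))
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell prompt.' }
    $etl = Get-EidTraceFile
    if (-not $etl) { throw 'No EIDCredentialProvider trace found; enable logging and log on first.' }
    # tracerpt as above, with -y so an existing report is overwritten without a prompt.
    $tracerptArgs = @("`"$($etl.FullName)`"", '-o', "`"$OutFile`"", '-of', 'CSV', '-y')
    $p = Start-Process -FilePath tracerpt.exe -ArgumentList $tracerptArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "tracerpt failed with exit code $($p.ExitCode)" }
    # Sanity check on the result: the CSV has one row per converted event.
    $count = @(Import-Csv -Path $OutFile).Count
    return "$count events from $($etl.Name) (written $($etl.LastWriteTime)) converted to $OutFile"
}

# Typical sequence, from an elevated prompt:
#   Set-EidTracing -State Enable
#   ... lock the session and log on with the card to reproduce the problem ...
#   Set-EidTracing -State Disable
#   Export-EidTraceReport
```

Disable tracing before converting, so the newest .etl is complete and no longer held open by the logger session.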

Brussels: Sunday, January 24, 2010- Vincent.letoux@gmail.com
