Besides, it is stored only on the smart card. During authentication, the smart card performs cryptographic operations using the private key, thus proving to the authentication server that the principal's smart card holds the key. However, to perform cryptographic operations a user must first authenticate to the card. The user proves his identity to the card by presenting a PIN. This means that during the logon procedure the user is prompted only for the PIN rather than for a user name, domain name, and password. A workstation interacts with smart cards via smart card readers.

In Windows systems, smart cards can be used to log on only to domain accounts, not local accounts. Thus, standalone smart card logon is not natively supported in Windows systems, though there are some commercial products offering this functionality. With domain smart card logon, even in the case of a network service disruption or a failure of the domain controller, it is still possible to log on to a workstation that belongs to that domain using an offline logon capability.

A smart card domain logon session in Windows XP proceeds as follows:

1. A smart card is inserted into a card reader. The insertion of the smart card starts the logon process automatically.
2. Winlogon calls GINA to obtain the user's credentials. GINA presents a logon screen to the user. The user is prompted only for a PIN.
3. GINA sends the received PIN to the LSA.
4. The PIN is used by the LSA to access the smart card.
5. The LSA calls the Kerberos Authentication Package (Kerberos SSP). The Kerberos SSP creates a Kerberos Authentication Service Request to the KDC that contains the principal's certificate and a cryptographic signature generated with the corresponding private key for Kerberos pre-authentication.
6. The KDC validates the certificate (verifies the certification path, checks revocation status, etc.) and checks the digital signature. After making these checks the KDC retrieves user account information from Active Directory. This information is used to construct a TGT. Authorization data fields in the TGT contain the principal's SID, the SIDs for the domain groups to which the user belongs, and (in a multi-domain environment) the SIDs for any universal groups in which the user is a member. The public key from the certificate is used to encrypt the symmetric session key. The KDC's digitally signed response contains, among other things, the TGT, the KDC's certificate, and the encrypted session key. If the client possesses the private key that corresponds to the public key in the certificate, then it will be able to decrypt the session key and use it for subsequent interactions with the KDC.
7. Upon receipt of the response the client validates the KDC certificate and checks the digital signature. Using the private key, the client can decrypt the session key for communication with the KDC. In order to log on to the computer, a Ticket Granting Service (TGS) ticket for the local computer must be obtained from the KDC. The remaining part of the authentication procedure is the same as for a standard logon session.
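The exchange in steps 5 to 7, as an added example that is not part of the original text: a Go model in which RSA key pairs stand in for the smart card's certificate and private key and for the KDC's certificate, a labelled string stands in for the TGT, the "principal|nonce" body is a constructed stand-in for the request, and certificate-path and revocation checks are assumed to happen outside the code.

```go
package main
import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// AsReq models PKINIT pre-auth data: the public key (in place of the certificate) and the card's signature.
type AsReq struct {
	Pub       *rsa.PublicKey
	Body, Sig []byte // Body = "principal|nonce", a constructed stand-in for the request
}
// AsRep: the TGT, the session key encrypted to the client's public key, and the KDC signature over both.
type AsRep struct{ TGT, EncKey, Sig []byte }
// NewKey stands in for the key pair generated on the card (or for the KDC's certificate key).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func digest(d []byte) []byte { h := sha256.Sum256(d); return h[:] }
func sign(k *rsa.PrivateKey, d []byte) []byte {
	s, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest(d))
	return s
}
func verify(p *rsa.PublicKey, d, sig []byte) bool {
	return rsa.VerifyPKCS1v15(p, crypto.SHA256, digest(d), sig) == nil
}
// BuildAsReq: once the PIN has unlocked the card, the Kerberos SSP signs the request (step 5).
func BuildAsReq(card *rsa.PrivateKey, principal, nonce string) AsReq {
	body := []byte(principal + "|" + nonce)
	return AsReq{&card.PublicKey, body, sign(card, body)}
}
// KDCHandle (step 6) checks the pre-auth signature, then issues a TGT plus a session key only the card can decrypt.
func KDCHandle(kdc *rsa.PrivateKey, req AsReq) (AsRep, []byte, error) {
	if !verify(req.Pub, req.Body, req.Sig) {
		return AsRep{}, nil, errors.New("pre-authentication signature invalid")
	}
	sk := make([]byte, 32) // fresh client<->KDC session key
	rand.Read(sk)
	tgt := []byte("TGT:" + string(req.Body)) // placeholder; a real TGT carries the SIDs
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.Pub, sk, nil)
	return AsRep{tgt, enc, sign(kdc, bytes.Join([][]byte{tgt, enc}, nil))}, sk, err
}
// ClientFinish (step 7) verifies the KDC signature, then the card's private key recovers the session key.
func ClientFinish(card *rsa.PrivateKey, kdcPub *rsa.PublicKey, rep AsRep) ([]byte, error) {
	if !verify(kdcPub, bytes.Join([][]byte{rep.TGT, rep.EncKey}, nil), rep.Sig) {
		return nil, errors.New("KDC signature invalid")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, card, rep.EncKey, nil)
}
```

A holder of the certificate alone (public key only) cannot recover the session key, and a response whose KDC signature does not verify is rejected before any decryption is attempted.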
- Spring '14
- ........., smart card, Two-factor authentication, Authentication methods