.

SmartCards

<<

eth3real

User avatar

Sr. Member
Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Fri Apr 25, 2008 11:14 am

SmartCards

Just picked up a Smart Card reader and a few cards.

Apparently trying to program smart cards for use in a Windows Domain is freaking ridiculous, so I was wondering if anyone has had any luck with this either in Windows or Linux? It's really just for personal use and practice right now. After I have a good understanding of how they work, how to program them and implement them effectively, I may use them in the office.

Thanks!
Put that in your pipe and grep it!
<<

eth3real

User avatar

Sr. Member
Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Thu May 22, 2008 1:45 am

Re: SmartCards

I guess there isn't much of a standard for implementing smart cards in any environment. :P

Does anybody have a success/failure story about implementing smart cards?
Put that in your pipe and grep it!
<<

jimbob

Post Thu May 22, 2008 4:15 am

Re: SmartCards

The problem with smartcards is, while they are technically more secure than passwords users have a tendancy to leave them inserted in the machine. I don't know if this alone has slowed their adoption, most likely cost is the main factor.

I've not heard of anyone using smartcards for anthing other than thin clients. I think the Sun Ray thin client used smartcards so you could plug  in and see your desktop from any terminal. I too would be interested in hearing from anyone else who has implemented this technology.

Jimbob
<<

LSOChris

Post Thu May 22, 2008 10:36 am

Re: SmartCards

you can integrate smartcards into AD but  i dont think it is as simple installing one application.  there are card readers/software, certificate management, getting the certificates/tokens on the smart cards. its been done though. i think microsoft has some documentation on it.
<<

eth3real

User avatar

Sr. Member
Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Thu May 22, 2008 1:30 pm

Re: SmartCards

I know a little bit about implementing it in Windows, but I haven't been able to do the whole process. You're right, it does require a certificate authority, etc., but it is difficult. I was having problems with the smart cards I bought. Something about not having a driver for the type of smart card I had, though I had no problems with the driver for the reader.
Put that in your pipe and grep it!
<<

JobMatchNow

Newbie
Newbie

Posts: 24

Joined: Thu May 01, 2008 1:53 pm

Post Thu Jun 12, 2008 9:34 am

Re: SmartCards

I have seen some installed at the military recruiters office.
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Mon Jun 16, 2008 5:05 pm

Re: SmartCards

My office has been 'moving toward' them for about... 3 years now.  We have to purchase new keyboards with "smart card" reader strips along the top.  And our new doors are supposed to have them as well.  Due to other more prioritized things.... 3 years later and we don't have a single smart card reader actually being used in the office.  But... we have them around for IF we ever do use them. ;)  I'd be interested in hearing anyone's personal experience in implimenting them too, since I will probably be the one who has to do it.
"Bad.. Good?  I'm the guy with the gun"
<<

apollo

Full Member
Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Jun 16, 2008 9:16 pm

Re: SmartCards

As far as using smart cards for Two-Factor Authentication(TFA), unless the smart cards are being used for things like code-signing, X of Y authentication where a certain number of people have to be present to do something,  or encryption, I prefer the key-fob method.  RSA and a number of others implement token based authentication where you are required to enter both your pin and a token value which changes periodically in order to authenticate.    These types of technologies are implementable cross platform and can tie into things like VPN's and radius fairly easily. 

For things like file encryption, smart cards/USB Keys are really neat.  Combining with two factor authentication with certificates allows for the encryption/decryption keys for files/file systems to live with you.  I like the USB token idea better because if your company is devoted to the solution it's less likely to be left at the office because it's required to check email from home.  The only caveat is, make sure that your PKI implements a key recovery agent for EFS/Bitlocker if you use a solution like that because people will lose these things. 
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

ChrisC

Newbie
Newbie

Posts: 4

Joined: Thu May 31, 2007 3:01 pm

Post Wed Jun 18, 2008 1:04 am

Re: SmartCards

g00d_4sh: I'm not sure how much experience you have with smartcards or various solutions pertaining to them.

While I have not deployed and implemented a solution within my company, I can say we have reached the pilot stage and we are more or less awaiting management approval...

I have found that Gemalto is a very good company to work with. Our goal was to utilize smartcards for network log on, local log on for VPN users, and physical access with our existing access card system. In other words they needed to be contact and contactless smartcards. I contacted Gemalto and they were very diligent in finding an appropriate solution, even going as far as creating a custom card for our particular environment so we didn't have to update our physical access readers (they have a great relationship with HID) - it's also worth mentioning Gemalto cards are natively supported on Vista.

If you have any more technical questions, don't hesitate to private message me, or post here for the benefit of all members.

Chris
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Wed Jun 18, 2008 12:47 pm

Re: SmartCards

ChrisC, thank you very much for your reply.  My organization is a bit on the 'slow' side on many things.  We are going to have to impliment the cards due to mandates from Wash DC though eventually.  The cards/system from Gemalto, do you know off hand if it meets with HSPD-12 compliance?
"Bad.. Good?  I'm the guy with the gun"
<<

ChrisC

Newbie
Newbie

Posts: 4

Joined: Thu May 31, 2007 3:01 pm

Post Wed Jun 18, 2008 2:32 pm

Re: SmartCards

g00d_4sh, no problem - glad to help.

There are many variations on the cards that you can get from Gemalto, to suit certain needs.

Your best bet would be to identify the requirements that are needed and begin your search based on your set of requirements. But just a quick look using:

http://www.google.ca/search?hl=en&q=sit ... ance&meta=

Hit quite a few pages, so I think you're in luck. It's important to remain vendor neutral and maybe I haven't been. So another great company is Giesecke & Devrient - http://www.gi-de.com/ - I'm sure they can suit your needs also.

It should be noted based on you mentioning you're in the US, that Gemalto was the underlying card used in the Department of Defense Common Access Card initiative.

I meant to address jimbob's comment earlier - there is a big concern regarding people leaving their cards left within the device. There are a few ways to combat this, first a directive control can be used such as policy, and measured with spot checks. Unfortunately this isn't a preventative measure in nature - only detective. That's why we opted to use our cards for physical access as well. They can only get around the building with their card.

Chris
<<

Xiv

Newbie
Newbie

Posts: 3

Joined: Thu Aug 06, 2009 1:44 am

Post Thu Aug 06, 2009 2:26 am

Re: SmartCards

Hi Guys,

I've been lurking for a while, and this thread prompted me to sign up.
I know this is an old post, but I figured id put my 2c worth in anyways.

I am the IT / Manager for a health clinic and have recently implemented Sun's SunRay Server with Sun Ray thin clients. The security side of the system has its benefits for us, but the technology really fits our working model.

The reason for the change is because all the staff move around between workstations during the day. Not only was this a security issue, the main problem I had was that at the end of the day come balancing time, I could never pin down the "problem" entries on the balance sheet to any one particular person.

"oh, that wasn’t me, I wasn’t here then, someone else was using my profile"

*ugh*

In the morning, the staff would come in and log onto a workstation and then move around with all the rest of the staff between workstations. This is something that is part of the job and the staff do actually need to do, but logging in and out upon moving was too much of a hassle, so they didn’t bother.

So the application of the smart cards and SRSS was to enable my staff the ability to continue moving between workstations, but have their session follow them with their smart card. Although I know its possible, I don't use the Smart Cards for authentication to the TS box, each user still needs to input a valid password to access the terminal server.

So now at the end of the day when it comes time to balance, I know that each user entry on the balance sheet is correct, and have identified staff who need more training.

Additional benefits have been:

1. Increased privacy as workstations are no longer left logged in and unattended.
2. Increased security as you can only access the TS box from a Sun Workstation if you have a card.
3. Reduction of power consumption as the thin clients really are very thin!

The biggest hassle I had to begin with was making sure the staff actually DID take their damn card with them when they left a workstation. Being so used to just moving between workstations made it hard to break this habit. Although a few unannounced trips around the office collecting cards from unattended workstations fixed the problem fairly quickly. Staff felt rather stupid having to come to me to get their card back after a number of times.

If anyone is interested in more detail about the setup, please let me know. I'm more than happy to share exp / thoughts.

How did everyone go with their smart card implementations?

Xiv
<<

eth3real

User avatar

Sr. Member
Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Tue Aug 25, 2009 7:52 am

Re: SmartCards

I still haven't found a good way to implement smart cards with Windows, it is either too confusing for me, or I haven't found the right hardware.
Put that in your pipe and grep it!
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Aug 25, 2009 9:28 am

Re: SmartCards

Xiv,

How did you get management buy in on this? My group has been arguing for thing clients for the 3 years I've been here. It'd save on money, and would make more since, since we have the same problem of people moving around / multiple people using the same work station. Problem is, we keep getting push back from management saying no.

eth3real:
Where / how did you acquire those? From my experience the vendor / var that gives me things to play with usually have no problems answering my questions and helping me out (they see it as good marketing and more likely to make a sale to me).
OSWP, Sec+
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Aug 25, 2009 10:29 am

Re: SmartCards

I have a few clients using thin clients.  There is actually quite a bit of cost savings for some organizations.  It's less management for IT, thin clients cost less than PCs, it's easy to move profiles, there is uniformity in the settings, more centralized control, etc.  Perhaps you can put together an ROI presentation for management. 

I have abandoned smart card implementations more than I would like to admit.  It really is a pain in the butt and there are tons of horror stories.
~~~~~~~~~~~~~~
Ketchup
Next

Return to Hardware

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software