Windows NT/2000 Server Logon using Fineid Smart Cards

REMOTE WINDOWS NT/2000 SERVER LOGON USING FINEID SMART CARDS
1 Background
This section describes the components that are used in a Microsoft Network for authentication purposes.

1.1 Client side authentication using Winlogon and GINA
Winlogon is a component of the Microsoft Windows NT/Windows 2000 operating system that provides interactive logon support. Winlogon consists of three components: the Winlogon executable program, a Graphical Identification and Authentication dynamic-link library (DLL), referred to as the GINA, and any number of network providers. The GINA is a replaceable DLL component that is loaded by Winlogon. The GINA implements the authentication policy of the interactive logon model, and is expected to perform all identification and authentication of user interactions. For example, replacement GINA DLLs can implement smart card, retinal-scan, or other authentication mechanisms in place of the standard Windows NT/Windows 2000 user name and password authentication.
On Windows 9x operating systems the Graphical Identification and Authentication is performed by network providers.

1.2 Server side authentication using Sub-authentication
The Local Security Authority (LSA) is a component of the Microsoft Windows operating system used to authenticate and log users on to the local or remote system with logon authentication by user name, password data and the domain name. The LSA authentication model provides an API (application programming interface) for the remote authentication system called sub-authentication. Sub-authentication can be used to provide additional password or logon validation while logging on to domains.

1.3 Smart Cards
Typically, cryptographic private keys and the digital certificates related to these keys are stored in the memory of a smart card. Using smart cards it's possible to enhance the security of a Public Key Infrastructure (PKI). The whole PKI concept relies on the fact that private keys are kept private. If a private key is compromised, the information it protects can no longer be kept secret.
Smart cards offer good protection against this threat. Smart cards provide:
Tamper-resistant storage for protecting private keys, certificates and other forms of personal information.
Isolation of security-critical computations involving authentication, digital signatures and key exchange from other parts of the system, which do not "need to know" anything about these security-critical operations.
Portability of credentials and other private information between computers.
These capabilities support security functions that relate to the identity of the cardholder:
Perform strong authentication, i.e. secure identification of the cardholder.
Strong authentication can be performed in such a way that nobody needs to know any passwords. It is strong in the sense that it cannot be forged even if multiple previous authentication sessions are known.
Decrypt confidential messages containing secret information.
The encryption process is done in a way that ensures that only the recipient of the message is able to read it.
Make legally binding electronic commitments using digital signatures, e.g. payment orders or contracts.
A digital signature is created in such a way that the signature is unique to the cardholder and the signed document.
1.4 F-Secure VPN+
F-Secure VPN+ implements the IPSec protocol, which is used to encrypt and/or authenticate all network traffic between workstations.
F-Secure VPN+ provides the following features:
Smart card authenticated connections.
Single Sign-On to Windows using F-Secure's own GINA.
Encrypted connections.
Host/Connection/Smart card based access control.
Certificate validation against CRLs using PKI.
Platforms supported:
Windows 95
Windows 98
Windows NT
Linux (does not support client side smart card authentication)
Windows 2000
The F-Secure GINA also provides an API for plugins that need notifications of different stages of the authentication process. For example, a notification is sent when smart card logon is used and the PIN code is entered correctly.

2 Requirements
System administrators need to log on to a domain server using smart cards. Only persons with administrative rights are allowed to connect to the server (with a smart card). The server must be able to validate the certificate on the smart card by its CRL. The CRL can be fetched (updated) from an LDAP server. This LDAP server's IP address is stored in the certificate. It must also be possible for normal users to log on to the domain server with normal password based logon. If the server has lost its connection to the LDAP server it must refuse smart card connections, and only administrators at the console can log on.
Support for the following servers/platforms should be included:
Windows NT 4
Windows 2000
Windows 98 and 95
Netware
Linux
3 Problems with Smart Card Logon
This section outlines some of the problems that are faced when implementing smart card domain logon in Microsoft networks.

3.1 Smart card logon is not supported by all Microsoft Networks
While Windows 2000 networks (with Active Directory) have limited support for smart card authentication, smart card logon for the other Windows workstation platforms cannot be implemented using the standard Microsoft Windows Network components.

3.2 Needed components
F-Secure VPN+ supports smart card authentication, but that is not enough to achieve domain logon. In addition to an authenticated connection to the primary domain controller (PDC) there is a need for access control per user. Third party access control can be implemented using sub-authentication. F-Secure VPN+ creates an authenticated tunnel after the user has logged on to the workstation, but if domain logon authentication using a smart card is to be achieved, the tunnel must be created just before the user is authenticated to the PDC. This tunnel can be created before the logon authentication, just after the PIN code is validated, using the plugin API provided by the F-Secure GINA.

4 F-Secure VPN+ configuration
This section describes how F-Secure VPN+ must be configured so that connections both with and without an IPSec tunnel remain possible, as required for administrators and normal users respectively.

4.1 Server side
The F-Secure VPN+ server can be configured to use IPSec tunnels always, or only when the client requests one. If it is configured to always use IPSec tunnels, it denies any connection to the server that is not an authenticated IPSec tunnel. To keep accepting plaintext connections from normal users, the F-Secure VPN+ server must therefore be configured to only respond to IPSec tunnel requests from clients.

4.2 Client side
The F-Secure VPN+ client has a set of rules that it uses to determine to which host (server) it will try to establish an IPSec tunnel. These rules can be enabled or disabled (if configured) with so-called flags. These flags can be set by the clients themselves (if allowed).

5 Implementations
This section describes the software that must be implemented in addition to F-Secure VPN+ to achieve smart card based domain logon.

5.1 GINA preconfiguration plugin (vpnconf plugin)
The GINA plugin configures the F-Secure VPN+ client by setting some specific flags. The plugin receives a notification when the correct PIN code has been entered and then configures F-Secure VPN+ to use a specific rule.
When the GINA tries to authenticate the user, NTLM authentication tries to connect to the PDC to verify the password. This will trigger F-Secure VPN+ to create an IPSec tunnel to the PDC. After the tunnel has been created the authentication request will proceed to the PDC over the smart card authenticated tunnel.
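The rule-and-flag mechanism of section 4.2 and the plugin flow of section 5.1 can be modelled in a few lines. The following is an added example written for this page, not F-Secure's code: the rule format, the flag name SMARTCARD_PIN_OK, the event names PIN_ACCEPTED, LOGOFF and CARD_REMOVED, and the sample addresses are all constructed for illustration. It shows why the flag matters: before the PIN has been validated the rule that tunnels traffic to the PDC is inactive, so the NTLM connection would go out without IPSec, and after it the same connection triggers the tunnel.

```python
"""Model of F-Secure VPN+ client rules/flags (section 4.2) and of the GINA
preconfiguration plugin that enables a rule once the PIN is validated (5.1).

Added example, not F-Secure's code. Rule format, flag and event names and the
sample addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    destination: ipaddress.IPv4Network  # hosts the rule applies to
    flag: Optional[str]                 # flag that must be set for the rule to be active; None = always
    action: str                         # "tunnel" (IPSec required) or "plain"


@dataclass
class VpnClient:
    rules: List[Rule]
    flags: Dict[str, bool] = field(default_factory=dict)

    def set_flag(self, flag: str, value: bool) -> None:
        self.flags[flag] = value

    def action_for(self, host: str) -> str:
        """First active rule whose destination contains the host decides; default is plaintext."""
        addr = ipaddress.IPv4Address(host)
        for rule in self.rules:
            active = rule.flag is None or self.flags.get(rule.flag, False)
            if active and addr in rule.destination:
                return rule.action
        return "plain"


class VpnConfPlugin:
    """Stand-in for the GINA plugin: reacts to the 'PIN accepted' notification
    by enabling the smart card rule, and clears it again at logoff (assumed events)."""

    def __init__(self, client: VpnClient, flag: str = "SMARTCARD_PIN_OK"):
        self.client = client
        self.flag = flag

    def on_event(self, event: str) -> None:
        if event == "PIN_ACCEPTED":
            self.client.set_flag(self.flag, True)
        elif event in ("LOGOFF", "CARD_REMOVED"):
            self.client.set_flag(self.flag, False)


def demo() -> Dict[str, str]:
    """Walk through the logon sequence and return the action chosen at each step."""
    pdc = "10.0.0.10"  # constructed PDC address
    client = VpnClient(rules=[
        # Tunnel to the PDC only once the smart card PIN has been accepted.
        Rule("pdc-smartcard", ipaddress.IPv4Network("10.0.0.10/32"), "SMARTCARD_PIN_OK", "tunnel"),
        # Everything else on the LAN stays plaintext (normal password logon).
        Rule("lan-plain", ipaddress.IPv4Network("10.0.0.0/24"), None, "plain"),
    ])
    plugin = VpnConfPlugin(client)

    out = {}
    out["before_pin"] = client.action_for(pdc)   # rule inactive: connection to the PDC without IPSec
    plugin.on_event("PIN_ACCEPTED")              # GINA notifies the plugin
    out["after_pin"] = client.action_for(pdc)    # NTLM connection to the PDC now triggers the tunnel
    out["other_host"] = client.action_for("10.0.0.20")
    plugin.on_event("LOGOFF")
    out["after_logoff"] = client.action_for(pdc)
    return out


if __name__ == "__main__":
    for step, action in demo().items():
        print("%-13s %s" % (step, action))
```

The first-match ordering is the point to get right in a real configuration: if the always-active plaintext rule covered the PDC before the smart card rule, the flag would never have any effect.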

5.2 Sub-authentication plugin
When the IPSec tunnel request arrives from the workstation the certificates are validated on their corresponding LDAP servers. If the certificate is verified the IPSec tunnel is created. After the IPSec tunnel has been created all traffic between the server and the workstation is encrypted.
The authentication request will also be encrypted, and when it has been processed by the NTLM authentication system it will be passed on to the sub-authentication system. The sub-authentication plugin checks whether the authentication request is for a user that has administrative permissions in the corresponding domain. If so, the plugin checks (from the F-Secure VPN+ server) whether an IPSec connection is up to the workstation that the request comes from. If there is no IPSec tunnel the logon request will be denied.
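The server-side checks of sections 2 and 5.2 form two stages: certificate validation against the CRL when the tunnel is requested, then the per-user decision in the sub-authentication plugin. The following added example (written for this page, not F-Secure's or Microsoft's code) models both stages; the Certificate and Server classes, the CRL-by-LDAP-host map standing in for the LDAP servers, the tunnel set standing in for the query to the VPN+ server, and all sample names and serial numbers are constructed. It also covers the section 2 failure mode: when the LDAP server named in a certificate is unreachable, the tunnel is refused, so a remote administrator is denied while a console administrator and normal password users still get in.

```python
"""Two-stage model of the server-side checks in sections 2 and 5.2.

Stage 1 (tunnel setup): the workstation's certificate is checked against the
CRL fetched from the LDAP server named in the certificate; the tunnel is
refused if that server is unreachable or the certificate is revoked.
Stage 2 (sub-authentication): an administrator's logon is allowed only if an
authenticated tunnel is up from the requesting workstation, or the request
comes from the console; normal users log on with a password.

Added example, not F-Secure's code. Classes, helper names and sample data are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    subject: str
    serial: int
    crl_ldap_host: str  # LDAP server address carried in the certificate (section 2)


@dataclass
class Server:
    domain_admins: frozenset
    # Constructed stand-in for the LDAP servers: host -> set of revoked serials.
    # A host missing from this map is treated as unreachable.
    crls: Dict[str, Set[int]]
    # Workstations with an authenticated IPSec tunnel (stand-in for the query
    # the plugin would make to the F-Secure VPN+ server).
    tunnels_up: Set[str]

    def accept_tunnel(self, host: str, cert: Certificate) -> Tuple[bool, str]:
        """Stage 1: validate the certificate by its CRL before creating the tunnel."""
        revoked = self.crls.get(cert.crl_ldap_host)
        if revoked is None:
            return False, "CRL server %s unreachable; smart card connection refused" % cert.crl_ldap_host
        if cert.serial in revoked:
            return False, "certificate serial 0x%x is revoked" % cert.serial
        self.tunnels_up.add(host)
        return True, "IPSec tunnel established to %s" % host

    def sub_authenticate(self, user: str, source_host: str, console: bool = False) -> Tuple[bool, str]:
        """Stage 2: the per-user access control added by the sub-authentication plugin."""
        if user not in self.domain_admins:
            return True, "normal user, password logon accepted"
        if console:
            return True, "administrator at the console"
        if source_host in self.tunnels_up:
            return True, "administrator over smart card authenticated tunnel"
        return False, "administrator without IPSec tunnel from %s; logon denied" % source_host


def demo() -> Dict[str, bool]:
    """Walk the scenarios from section 2 and return allow/deny per scenario."""
    srv = Server(
        domain_admins=frozenset({"admin1", "admin2"}),
        crls={"ldap.example.test": {0x1002}},  # 0x1002 is revoked; constructed data
        tunnels_up=set(),
    )
    good = Certificate("admin1", 0x1001, "ldap.example.test")
    revoked = Certificate("admin2", 0x1002, "ldap.example.test")
    unreachable = Certificate("admin1", 0x1003, "ldap-down.example.test")

    results = {}
    results["tunnel_ok"] = srv.accept_tunnel("ws1", good)[0]
    results["tunnel_revoked"] = srv.accept_tunnel("ws2", revoked)[0]
    results["tunnel_ldap_down"] = srv.accept_tunnel("ws3", unreachable)[0]
    results["admin_with_tunnel"] = srv.sub_authenticate("admin1", "ws1")[0]
    results["admin_without_tunnel"] = srv.sub_authenticate("admin1", "ws3")[0]
    results["admin_console"] = srv.sub_authenticate("admin1", "server", console=True)[0]
    results["user_password"] = srv.sub_authenticate("alice", "ws9")[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-22s %s" % (name, "ALLOW" if allowed else "DENY"))
```

Note that the plugin never inspects the certificate itself; it only asks whether a tunnel exists from the requesting workstation, so the certificate and CRL checks live entirely in the tunnel setup stage, which is what makes the "LDAP unreachable" requirement fall out naturally.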