We have one browser-based application where we want to make the user reauthenticate when they enter it. So when they access that URL we want them to be presented with the PIN prompt so they have to reauthenticate. Is there a reasonable way to do that?

Added info: This is for a CAC card and the workstations have ActivIdentity and Tumbleweed on them. Also, I could add a service to the workstations if necessary. The browsers are all IE7. The web server is IIS 6 and the pages are written in ASP.NET (mostly).

+2  A: 

I believe that the prompt for PIN is controlled by the user's card reader software preferences (usually time-based). If that's the case, the server cannot reliably require a re-entry of the PIN, or even tell if the PIN was entered during the course of the current request.

erickson
Thanks sylvarking, I think I understand what you are saying. I do have a lot of control over both the servers and the workstations (a few hundred of them) so maybe I could do something in the browser that would cause the smart card to require a PIN?
ag5653
That's right. If you administer the workstations, you might be able to configure all of the card reader software to prompt for PIN more often. For example, I've used ActivClient as the card reader software. It's what actually pops up the dialog to ask for the PIN, and there's a setting to control how often a user needs to re-enter it.
erickson
I feel fortunate to have found someone with ActivIdentity experience. Your response prompted me to look at the PIN Caching Service, which I had not seen before. I can see 12 properties and one of them is called "Enable PIN Caching". I'm going to try turning that off.
ag5653
PIN Caching Service being a property in the ActivClient configuration manager.
ag5653
To not mess with terms - it is the "card software", not "card reader software". By changing PIN cache settings you can't beat the way SSL works in the browser. If you need custom authentication flows, maybe look at OpenID and the trustbearer.com OpenID service. If I remember correctly, they implement a plugin-based authentication where there is a custom plugin that talks to the card. Probably that triggers a PIN dialog (as it uses an implicit sign operation? don't know the details..) for every transaction.
martin
Thanks again Martin, I suspect I'm using the wrong vocabulary in numerous places which makes it hard for people to understand my goal. I appreciate your being so patient.
ag5653
+2  A: 

There are two ways of doing smartcard client authentication on the web: standard TLS/SSL or custom plugins for the browser. I assume you're talking about standard web browsers (IE/FF/Safari) and SSL authentication.

There are two things that matter for PIN prompts:

  • SSL session and SSL session cache of the browser
  • on-card authentication state of the related private key
  • the way middleware is implemented.

In the end, from a security perspective, it is the card that knows when to "ask for" a PIN - some cards and keys require a PIN for every operation with the key, some cards are OK to get a PIN once and leave the keys in authenticated state until it is removed from the reader or reset by an application.

If the session in the cache of the browser can not be re-used or when the connection is being established, smart card middleware (PKCS#11 on Linux, CryptoAPI/BaseCSP module on Windows or Tokend on OSX) needs to talk to the keys on the card. If the authentication state on the card requires a PIN to be entered, a callback is usually triggered by the browser. Or if the middleware knows it will need the PIN, it will ask it before talking to the card.

There is no 1:1 relation between entering a PIN and actually re-authenticating access rights to the private key and re-authenticating the SSL session.

With standard SSL, you depend on the way SSL is implemented in browsers and can not have a 100% reliable "re-authenticate by entering PIN" on the client side.

If you are using Linux, then with OpenSC (which, AFAIK can use CAC cards) you can set "transaction_reset" in opensc.conf to true, which results in the card being reset after every transaction (every SSL session negotiation) and this way you can be sure that whenever you open a new SSL session, user has to enter the PIN again. This is a client side configuration though, not a server-initiated feature.

martin
Thanks martin for the excellent comment. I see that I should have provided more info but I'm still very ignorant about what is meaningful in this situation. The workstations do have middleware called ActivIdentity or ActivClient. The process is named accoca.exe. They are also running Tumbleweed.
ag5653
Also, I get from your comment that my challenge is to somehow convince the card that it needs to ask for a PIN again. I haven't figured out how the middleware works yet but would it be reasonable to say that when the user accesses a URL, I could put something in the web page that would cause the CAC to decide that it needs to ask for a PIN? Maybe I could kill the SSL session? (Sorry if that is dumb idea, I'm a little confused).
ag5653
When I clear the SSL state (using IE7 - Tools - Internet Options - Content - Clear SSL State), it prompts me for the cert but not the PIN. If I pick the correct cert it works, if I pick the wrong cert, it fails. So why would it prompt me for the cert again, if it isn't going to prompt for the PIN? I don't get it!
ag5653
Clearing the browser SSL cache removes the session. So probably the middleware does not implement any special PIN tricks and works exactly the way I described - once the card is in authenticated state, the key can be used as long as the application is not restarted or the card removed. It asks for the certificate to know which private key you want to use, and if you choose your smart card one, it can use it to establish a new session because the key on the card is already in the authenticated state.
martin
Ah, I see. It is asking for the cert because you could be doing different things with different keys at the same time. I should have thought of that! You might have seen my other question where I found out that exiting IE7 will always cause a PIN prompt the next time IE7 starts. That leads me to believe that IE7 does something on exit that "resets" the card state. If I could figure out what that is I would be a step closer to what I need (I think).
ag5653
Yes, acquiring a crypto context from CryptoAPI and releasing it (that's what happens when you start/close an application) does reset the card. It's not "something" that needs to be believed in, as it is a simple SCardConnect()/SCardDisconnect() pair that is required to access smart cards. You can't request a card reset from the SSL layer. It's like knowing that turning the key starts or stops a car: you can make it stop if you go over 100 km/h by hacking some wires to the speedometer, but that's not the way a car (or a speed limiter, as that is what you actually want) is supposed to work.
martin
I think I get it now. Thank you for helping me understand. The PIN doesn't leave the smartcard and the PIN timeout is completely independent of the browser SSL session. I have put the idea of using a hack to force a new PIN prompt combined with clearing the SSL cache in my "not such a good idea" folder. I'm pushing back to get the requirement changed. Thanks again.
ag5653
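The "SCardConnect()/SCardDisconnect() pair" the answer describes is what an application start/exit performs implicitly, and it is the only thing in this thread that actually clears the card's "PIN verified" state. The script below is an added example written for this page (it is not code from the thread, from ActivClient, or from OpenSC) that drives that pair directly through the platform PC/SC library using only Python's standard ctypes: it lists the readers, connects to the first one in shared mode, and disconnects with SCARD_RESET_CARD. It assumes a PC/SC stack is present (winscard.dll on Windows, libpcsclite on Linux) and a reader with a card inserted; the reader names in the test data are constructed samples.

```python
"""Warm-reset a smart card through PC/SC so its on-card PIN state is dropped.

Added example for the thread above, not the project's own code. It needs a
PC/SC stack (winscard.dll on Windows, libpcsclite on Linux) and an inserted
card; the library is loaded lazily so the module imports without either.
"""
import ctypes
import sys

# PC/SC constants; the values are the same in winscard.h and pcsclite.h.
SCARD_SCOPE_USER = 0
SCARD_SHARE_SHARED = 2
SCARD_PROTOCOL_T0 = 1
SCARD_PROTOCOL_T1 = 2
SCARD_LEAVE_CARD = 0   # keep the card powered; its authenticated state survives
SCARD_RESET_CARD = 1   # warm reset: the card forgets that a PIN was verified
SCARD_S_SUCCESS = 0


def pcsc_library_name():
    """Name of the PC/SC client library for this platform."""
    return "winscard.dll" if sys.platform == "win32" else "libpcsclite.so.1"


def parse_multistring(buf):
    """Split a PC/SC multi-string (NUL-separated, double-NUL terminated) into names."""
    return [s.decode("utf-8") for s in buf.split(b"\x00") if s]


def _load_pcsc():
    """Bind the five calls we need. Handles are pointer-sized on both platforms;
    DWORD/LONG are the platform's unsigned long / long in both headers."""
    name = pcsc_library_name()
    lib = ctypes.WinDLL(name) if sys.platform == "win32" else ctypes.CDLL(name)
    handle, dword = ctypes.c_void_p, ctypes.c_ulong
    suffix = "A" if sys.platform == "win32" else ""   # ANSI entry points on Windows
    fn = {
        "establish": lib.SCardEstablishContext,
        "list": getattr(lib, "SCardListReaders" + suffix),
        "connect": getattr(lib, "SCardConnect" + suffix),
        "disconnect": lib.SCardDisconnect,
        "release": lib.SCardReleaseContext,
    }
    fn["establish"].argtypes = [dword, ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(handle)]
    fn["list"].argtypes = [handle, ctypes.c_char_p, ctypes.c_char_p, ctypes.POINTER(dword)]
    fn["connect"].argtypes = [handle, ctypes.c_char_p, dword, dword,
                              ctypes.POINTER(handle), ctypes.POINTER(dword)]
    fn["disconnect"].argtypes = [handle, dword]
    fn["release"].argtypes = [handle]
    for f in fn.values():
        f.restype = ctypes.c_long
    return fn


def _check(rc, what):
    if rc != SCARD_S_SUCCESS:
        raise OSError("%s failed: 0x%08x" % (what, rc & 0xFFFFFFFF))


def list_readers(fn, ctx):
    """Two-call pattern: ask for the buffer size, then fetch the multi-string."""
    size = ctypes.c_ulong(0)
    _check(fn["list"](ctx, None, None, ctypes.byref(size)), "SCardListReaders(size)")
    buf = ctypes.create_string_buffer(size.value)
    _check(fn["list"](ctx, None, buf, ctypes.byref(size)), "SCardListReaders")
    return parse_multistring(buf.raw[:size.value])


def reset_card(reader=None):
    """Connect to the card and disconnect with SCARD_RESET_CARD; returns the reader used.

    After this, the next use of the card's private key (for example a fresh SSL
    handshake in the browser) has to go through the PIN again, exactly as it does
    after the browser has been closed and restarted."""
    fn = _load_pcsc()
    ctx = ctypes.c_void_p()
    _check(fn["establish"](SCARD_SCOPE_USER, None, None, ctypes.byref(ctx)),
           "SCardEstablishContext")
    try:
        if reader is None:
            readers = list_readers(fn, ctx)
            if not readers:
                raise RuntimeError("no PC/SC readers present")
            reader = readers[0]
        card, proto = ctypes.c_void_p(), ctypes.c_ulong(0)
        _check(fn["connect"](ctx, reader.encode(), SCARD_SHARE_SHARED,
                             SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
                             ctypes.byref(card), ctypes.byref(proto)), "SCardConnect")
        # The disposition is what matters: LEAVE_CARD would keep the PIN state.
        _check(fn["disconnect"](card, SCARD_RESET_CARD), "SCardDisconnect")
        return reader
    finally:
        fn["release"](ctx)


if __name__ == "__main__":
    print("reset card in reader:", reset_card())
```

Run it on a workstation with the card inserted, then open a new SSL session in the browser: the certificate prompt will be followed by a PIN prompt, which it is not after merely clearing the browser's SSL state. Note that the reset is done in shared mode, so every other process holding a handle to that card (the ActivClient middleware included) sees its handle invalidated on its next call; that is the "hacking wires to the speedometer" side effect the answer warns about, and why the thread ends with the requirement being pushed back rather than scripted around.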