Using PIV Smart Cards on Linux for Authentication to Windows Active Directory

1
Using PIV Smart Cards on Linux for Authentication
to Windows Active Directory
  • Douglas E. Engert
  • Computing and Information Systems
  • April 26, 2006
  • DOE Cyber Security Group Training Conference
  • Dayton, Ohio
  • Updated for
  • 6th Annual PKI R&D Workshop
  • NIST
  • April 18, 2007

2
Driving Force
  • Homeland Security Presidential Directive HSPD-12
    • Logical access to Federally controlled
      information systems.
  • FIPS-201 Personal Identity Verification (PIV) of
    Federal Employees and Contractors.
    • Response to HSPD-12
  • NIST 800-73 Interfaces for Personal Identity
    Verification
    • Defines the PIV card
  • NIST 800-73-1
    • Updated version

3
Logical Access
  • NIST believes PIV smartcard login is essential
    to protecting logical access to Federally
    controlled information systems, and aims to promote
    compatibility of PIV cards with COTS smart card
    login mechanisms and common applications with
    minimal negative impact on privacy (NIST
    800-73-1 Appendix F, Errata).
  • Login
    • To local workstation
      • Standalone
      • Part of a domain
    • To network applications
      • Part of a domain
      • Web authentication
      • Another login to network application

4
What's in the PIV Smart Card for Logical Access
  • X.509 Certificate for PIV Authentication
    • Contains the public key
    • Issued by some CA trusted by the resource
      stakeholder
  • Private key
    • Generated on the card
    • Cannot be retrieved from the card
  • Crypto engine to encrypt/decrypt data using the
    private key
    • Usually used to sign a hash of an authenticator
  • PIN

5
Ubiquitous Access to Data
  • Access to data must be controlled independent of
    the means of access
    • Either make the use of PIV easy from all
      workstations
    • Or force users to use only selected PIV capable
      workstations
  • Windows
    • Microsoft Vista is expected to support PIV
      authentication
  • Apple
    • Mac OS 10 is expected to support PIV
      authentication
  • Linux
    • That's where we come in with open source PIV code
  • Other Unix
    • Not clear, but our open source PIV code can be
      used here too

6
Assumptions
  • Major operating system vendors will support PIV
    • Federal agencies will require it
    • In their best interest to support it
    • On both the client and server side
    • Microsoft and Apple are good examples
  • Smartcard vendors will provide packages to manage
    cards
    • Only issuing agencies need to run this
  • With open source operating systems
    • Only the client side is needed now
    • Use commercial servers for now
    • Eventually server side support may be needed

7
The Project Goal
  • Add PIV support for logical access to some open
    source smart card package such that it can be
    used by other common applications. Get the
    modifications added to the open source
    distribution so it will be generally available
    when PIV cards are generally available.
  • OpenSC was chosen
    • Open source libraries for accessing smartcards
    • Many different smart cards
    • ISO 7816-4 routines
    • Can use PC/SC
    • Provides a PKCS #11 interface to applications
    • Was easy to add PIV
    • Modifications accepted and expected to be in
      0.11.0 release
    • Can run on Windows and Mac too!

8
Update for PKI RD Workshop
  • http://www.opensc-project.org
  • OpenSC 0.11.1 has basic PIV code
  • OpenSC 0.11.2-rc2 has gzipped cert support,
    thanks to Identity Alliance
  • SCA - Mac OS X Installer
  • SCB - Windows Smart Card Bundle
  • PKCS #11 for Firefox; needs ID Ally CSP for login
  • http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
  • http://packages.debian.org/unstable/utils/opensc

9
NIST 800-73-1
  • Part 1 - PIV data model, and objects on card
  • Part 2.1 - PIV Application Programming Interface
  • Part 2.3 - Card Edge Commands
  • We chose to implement at the card edge command
    level as this is a natural separation between the
    card and the software. Thus any PIV card can be
    used, without any vendor drivers or middleware.
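As an added example (not code from the presentation or from OpenSC), the card edge level of SP 800-73-1 Part 2.3 in Python: the SELECT and GET DATA APDUs that read the X.509 Certificate for PIV Authentication, and a parser for the 53/70/71 reply that also handles the gzipped certificates mentioned on the previous slide. The AID, tags and CertInfo bits are taken from SP 800-73-1; the sample certificate bytes are a constructed placeholder, not a real certificate, and no card or reader is needed to run it.

```python
import gzip

# Values from NIST SP 800-73-1: the PIV application AID and the BER-TLV tag of
# the "X.509 Certificate for PIV Authentication" data object.
PIV_AID = bytes.fromhex("A000000308000010000100")
PIV_AUTH_CERT_TAG = bytes.fromhex("5FC105")

def select_piv_apdu() -> bytes:
    """SELECT (CLA 00, INS A4, P1 04) the PIV card application by its AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID

def get_data_apdu(object_tag: bytes) -> bytes:
    """GET DATA (INS CB, P1P2 3FFF) with a 5C tag list naming one data object; Le=00."""
    tag_list = bytes([0x5C, len(object_tag)]) + object_tag
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(tag_list)]) + tag_list + b"\x00"

def tlv_iter(buf: bytes):
    """Yield (tag, value) pairs from BER-TLV: multi-byte tags, short or 81/82 long-form lengths."""
    i = 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if (tag & 0x1F) == 0x1F:          # multi-byte tag such as 5F C1 05: continues while bit 8 is set
            tag = (tag << 8) | buf[i]; i += 1
            while buf[i - 1] & 0x80:
                tag = (tag << 8) | buf[i]; i += 1
        length = buf[i]; i += 1
        if length & 0x80:                 # long form: low bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big"); i += n
        yield tag, buf[i:i + length]
        i += length

def parse_piv_cert_response(resp: bytes) -> bytes:
    """Unwrap 53{70 cert, 71 CertInfo, FE edc}; gunzip when CertInfo's compression bits are 01."""
    inner = dict(tlv_iter(dict(tlv_iter(resp))[0x53]))
    cert = inner[0x70]                    # KeyError if the card holds no certificate
    if (inner.get(0x71, b"\x00")[0] & 0x03) == 0x01:   # CompressionType 01 = gzip
        cert = gzip.decompress(cert)
    return cert

def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode a 1-byte-tag TLV with short or long-form length (used only to construct sample data)."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value

def build_sample_response(cert: bytes, compress: bool) -> bytes:
    """Constructed card reply for a stand-in certificate, gzip-compressed when requested."""
    body = gzip.compress(cert) if compress else cert
    inner = encode_tlv(0x70, body) + encode_tlv(0x71, b"\x01" if compress else b"\x00") + encode_tlv(0xFE, b"")
    return encode_tlv(0x53, inner)
```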

10
Smartcard Applications
  • Web browsers
    • Netscape, Mozilla, Firefox: the security plug-in is
      a PKCS #11 shared library or DLL.
  • OpenSSH
    • Modifications available on mailing list to use
      PKCS #11
    • Could just use keys, without the certificates
  • Kerberos
    • Use PKINIT to get initial Kerberos Ticket
    • Can be done at login using pam_krb5
  • Globus
    • Needs a way to call PKCS #11

11
Kerberos
  • An initial ticket is obtained which is used to
    obtain additional tickets
  • Allows for delegation of tickets to other
    machines
  • Authentication method used by Windows Active
    Directory
  • Available on all Unix systems, Windows, Macs and
    Java
  • Can interoperate across systems
  • IETF standard protocol - RFC 4120
  • Open source vendors
    • MIT
    • Heimdal

12
PKINIT
  • IETF draft standard to use PKI as Kerberos
    pre-authentication method
  • i.e. use PKI to obtain initial ticket
  • Approved by the IETF-IESG on 2/24/2006
  • after 10 years and 34 drafts!
  • Early drafts implemented by DCE and Windows
    Active Directory
  • Microsoft very active in the working group
  • Microsoft Vista expected to have support for
    final version
  • Heimdal Kerberos has been implementing drafts
  • Has Windows 2003 compatibility mode
  • Interoperability testing with Microsoft

13
Back-end Servers Do All the Hard Work
  • With PKINIT the PIV card is authenticating to the
    Kerberos KDC
    • Windows Domain Controllers are the KDCs for Active
      Directory
  • Local machine trusts the KDC, not the PIV card
    • PIV card signs the PKINIT packet
    • KDC does all the certificate verification:
      OCSP, CRL, Federal Bridge
  • With Web access over HTTPS the client does some PKI
    to verify the web server
    • Same as today.
    • Web server does all the certificate verification

14
Putting It All Together on the Client
  • OpenSC - smart card specific code and PKCS #11
  • PC/SC - management of cards and readers
    • Vendor provided or MUSCLE pcsc-lite
  • OpenSSL - crypto and SSL libraries and utilities
    • Widely used for crypto in many applications
  • Above three are all that is needed for Web access
  • Heimdal Kerberos
    • PKINIT still under development, need to use the
      snapshots
    • Can work with Windows Active Directory
  • pam_krb5 with modifications to use Heimdal PKINIT

15
Change in Existing PKI Environments Needed
  • PIV certificates will be issued outside of an
    enterprise
  • Certificate will not have enterprise specific
    extensions
  • Certificate must be useable at multiple sites
  • Microsoft Vista is said to address these problems
  • Other vendors are too

16
Our Test Environment
  • Ubuntu/Debian Linux
  • OpenSC daily snapshots and libp11 and
    engine_pkcs11
    • http://www.opensc-project.org
  • pcsc-lite 1.3.0 and ccid 1.0.0 or newer
    • http://pcsclite.alioth.debian.org
  • Heimdal Kerberos 0.8.1 or snapshots
    • http://www.pdc.kth.se/heimdal
  • pam_krb5 3.5
    • http://www.eyrie.org/~eagle/software/pam-krb5/readme.html
  • Windows 2003 Active Directory with Enterprise CA
  • Other test environments
    • Mac OS 10.4
    • Solaris 9 and 10

17
PIV Test Cards
  • Beta cards from Oberthur, Mobile Mind and GemPlus
    • Some protect the certificate with the PIN
    • NIST 800-73-1 is lifting this restriction
  • OpenSC used to initialize the test cards
    • Every vendor's cards are a little different
    • piv-tool used to generate key pair and save
      public key
    • OpenSSL used to create certificate request
    • Windows enterprise CA to issue enterprise
      certificate
      • Cut-and-paste request on Web form
      • Save certificate as file
    • piv-tool used to load certificate on card
    • piv-tool used to change PIN

18
What can you do with existing environments?
  • Use Windows AD with enterprise certificates
    • Argonne has a site-wide Windows Active Directory
      with all employees
    • We have a smart card project with people around
      the site using cards
  • Use Windows AD with cross-realm to existing
    Kerberos infrastructure
  • Use the Heimdal KDC, but it is still under
    development
  • Wait for MIT and Apple to add KDC support for
    PKINIT
  • In any case, the full PKI infrastructure is not
    available today
    • So start testing so you are ready

19
Conclusion
  • Commercial vendors will take care of 95% of the
    market
    • Both client and server side
  • Open source operating systems can use PIV cards
    • Code has been developed that will be widely
      distributed
    • OpenSC is packaged for Debian and Red Hat
  • Open source clients can use commercial servers
    • Standards
    • For web users, that's all that is needed
    • For Kerberos authentication, PKINIT client code
      is still under development
  • You can start testing today

20
Questions
  • deengert@anl.gov