
List:       ms-cryptoapi
Subject:    Re: Fw: CAPI and Smart Card Logout Issue
From:       adfs apu <apu000a () HOTMAIL ! COM>
Date:       2003-02-25 22:02:42

>IMHO, things are fine as they are:   Leaving a smartcard in the
>reader is as irresponsible as leaving a key in a lock.  Surely no
>company will ban the use of locks that remain open (or openable)
>when the key is left in.  Logging "out" but leaving the smartcard
>"in" is like locking the door, and leaving the key in:

Although I would agree in general, the issue is not as clear in the "real
world". There are users who telecommute from home, they connect to access
internal resources and disconnect from the vpn. Since they are at home, they
don't usually remove the smart card from reader. Yes, that is not a good
practice from a purist pov but since they are at home, it will be done no
matter how much one wishes they don't do it. They connect again and they are
not prompted for the smart card password. If I was using applications
interfacing with the smart card using pkcs#11, the same user would be
prompted for the password to the smart card. With CAPI, this doesn't happen.
In addition, after you logged on to the smart card, if you logoff Windows,
and log back into Windows, you are still not prompted for the password to the
smart card (assuming the card was not removed) because the client interface
to the CAPI is a 2K/XP service.

>Possible solutions are an obvious time-out, such that even though
>the smartcard is in the reader the VPN "logs-out" the user after a
>certain time of inactivity, or even activity, unless the user seeks to
>"continue" (done any e-banking lately?)
We are doing that, ie killing sessions via idle timeout but that does not
address the issue at hand, which is after the user's session is kicked off,
he/she can log back on *without* entering the password to the smart card. So
the idle timeout for VPN is not an effective tool for this issue.

We all know smart cards need to be removed once they are no longer needed but
that is not the only solution. Having a "chain" to the smart card/usb fob
may work for some but depending on the model of the laptop (determines the
position of the pcmcia slots/usb slots; front/side/back of the computer),
length of the "chain", etc, it may not be a viable solution. With an ID badge
card to access a room/your office/etc, you are pulling out the card for a
short time and you are allowed access into room and you're done. That is
about a second or two. You are not connected to the reader for more than
that. If you have a contact-less card, you don't even need to stop and make
any contact with the reader. So in those cases, having a chain for the smart
card/usb fob would work.
In the smart card/client application (VPN specifically) world that I am speaking
of, the card needs to be in the reader/USB slot during the duration of the
VPN session, it is unrealistic to expect the user to sit there with a chain
connected to his/her pants/clothing with the other end (smart card/usb fob)
connected to the computer for the duration of the VPN session which could
last from a few minutes to hours.

There should be a mechanism in CAPI that allows one to "clear-out" the
authenticated session between the client calling the CAPI and CAPI. I don't
think this is necessarily a smart card specific request.

apu


>
>"J. Andres Hall" <jah@ALUMNI.PRINCETON.EDU>
>Sent by: Microsoft Cryptographic API <CryptoAPI@DISCUSS.MICROSOFT.COM>
>02/25/2003 06:36 PM
>Please respond to Microsoft Cryptographic API
>
>To: CryptoAPI@DISCUSS.MICROSOFT.COM
>cc:
>Subject: Fw: CAPI and Smart Card Logout Issue
>
>Unfortunately the Cryptography API (or COM) was written as a
>Cryptographic module?
>
>Excuse me?  Am I missing something?
>
>IMHO, things are fine as they are:   Leaving a smartcard in the
>reader is as irresponsible as leaving a key in a lock.  Surely no
>company will ban the use of locks that remain open (or openable)
>when the key is left in.  Logging "out" but leaving the smartcard
>"in" is like locking the door, and leaving the key in:
>Inconsistent!
>
>The smartcard functionality as designed is correct:  The crypto
>code has every reason to believe that while the card is in the
>reader (and after password validation) access should be granted.
>
>Further, I would seriously presume that Microsoft put some serious
>thought into deciding this type of functionality...
>
>Now, if the application needs additional dumb-proofing measures,
>let the application decide what is needed, but don't contaminate
>the crypto API with functionality that doesn't belong there in the
>first place.
>
>Possible solutions are an obvious time-out, such that even though
>the smartcard is in the reader the VPN "logs-out" the user after a
>certain time of inactivity, or even activity, unless the user seeks to
>"continue" (done any e-banking lately?)
>
>Another solution, this time from the "real world":  Like zillions
>of corporate door-opening access cards, attach a light metal
>key-chain, nylon string, whatever, from the card to the belt of
>the user!  Then there is no way the user can walk away from
>his workstation and leave the card in the reader...
>
>HTH,
>
>Andrew.
>
>----- Original Message -----
>From: "Carlos Lopez" <clopez@MICROSOFT.COM>
>
>Unfortunately, CAPI was written as a cryptographic module.  Smart Card
>CSP functionality was only added later as an afterthought.
>
>I don't know what plans Microsoft has on adding richer smart card
>functionality.
>
>Carlos
>
>-----Original Message-----
>From: adfs apu [mailto:apu000a@HOTMAIL.COM]
>
>Yeah, unfortunately, no matter how much and well you train them (the
>organization actually does a very good job here), there will be the
>occasional lapses. I came from the pkcs#11 world which has a much richer
>set of features, including surprise, surprise, a logout function. Coming
>to the CAPI world (forced) where basic smart card integration features
>(logout, smart card insertion/removal) are missing is kind of
>disappointing. In the pkcs#11 world, even if the user doesn't remove the
>smart card, a logout logs out the card which can mitigate user mistakes,
>unlike CAPI. Thanks for the suggestion and I'll go back to my vendor.
>Anyone from MS has any thoughts on this, on how this can be resolved?
>If there is a solution at all or are we just stuck with this dilemma?
>Will there be updates to MS CAPI that would add a richer set of smart
>card related features, ie logout, smart card insertion/removal/etc?
>
>Thanks,
>apu...
>
>
>----- Original Message -----
>From: Laszlo Elteto
>
>As you noted users are supposed to remove the smart card when they log out.
>This is similar to users not logging out when they leave a computer.
>(And not writing their password / PIN on sticky notes, etc.) You need
>security education.
>
>Some CSPs handle logout if you call CryptSetProvParam (PP_KEYEXCHANGE_PIN
>or PP_SIGNATURE_PIN) with NULL or empty string parameter. However,
>this is not universal, so probably you cannot depend on it. It is
>unfortunate that CAPI does not define logout functionality.
>
>Laszlo Elteto
>Fellow Scientist
>Rainbow Technologies, Inc.
>
>-----Original Message-----
>From: adfs apu [mailto:apu000a@HOTMAIL.COM]
>
>I am currently using a VPN product that accesses certificates stored on
>a smart card via CAPI (2K and XP). The VPN product accesses the CAPI via
>a 2K/XP service that it installs for the VPN. The CAPI then calls the
>smart card vendor CSP to interface (ie login) with the smart card.
>Everything works fine. However, when one logs out of the VPN, it does
>not logout of the smart card, which means one can connect to the VPN
>again (assuming the card was not removed) without being prompted for
>a password to the smart card again. What is worse is that since
>it (VPN) is a 2K/XP service that interfaces with CAPI, it means if
>one logs off the 2K/XP session and logs back in, one is still not
>prompted to login to the smart card since the service is still
>running and still "remembers" the authenticated session with CAPI/CSP
>from the initial login.
>
>Stopping and starting the VPN service clears out the "authenticated"
>session between the VPN and CAPI. Removing the smart card also does
>the trick.
>
>Is there a way in CAPI to resolve this situation, ie flush out/clear
>out the authenticated session between the client (VPN) and CAPI so
>everything is back to "not-logged in" state (if that makes sense) OR
>is there a way in CAPI to "logout" of the smart card, similar to the
>"c_logout" call in pkcs#11?
>
>I am working with our vendors on a solution but I would like to know
>from people on this list if something can be done within CAPI to
>resolve my dilemma since not being prompted to login to the smart
>card when establishing a VPN session (after successfully logging in once
>and the card is not removed) is a major security issue/hole/violation
>of our security policy. Users are supposed to remove the smart card
>after use but as we all know, that will always be followed.
>
>Thanks,
>Apu...
>
>----------------------------------------------------------------
>Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
>contains important info. Save time, search the archives at
>http://discuss.microsoft.com/archives/index.html .
>To unsubscribe, mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM
>
>
>
>
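
Added example (not part of the original thread, and not Microsoft or vendor code): the logout attempt Laszlo Elteto describes, CryptSetProvParam with PP_KEYEXCHANGE_PIN and PP_SIGNATURE_PIN and a NULL value, written so the caller can tell when the CSP does not honour it and a fallback is required. The names csp_try_logout, csp_logout_needs_fallback and the two fake CSPs are hypothetical; off Windows the few wincrypt.h types used are replaced by stand-ins. A TRUE return only means the CSP accepted the call.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else                        /* stand-ins so the logic also builds off Windows */
typedef unsigned long HCRYPTPROV;
typedef unsigned long DWORD;
typedef unsigned char BYTE;
typedef int BOOL;
#define WINAPI
#define PP_KEYEXCHANGE_PIN 32
#define PP_SIGNATURE_PIN   33
#endif

/* Same shape as CryptSetProvParam. On Windows, pass CryptSetProvParam itself
   together with the HCRYPTPROV the application or service already holds. */
typedef BOOL (WINAPI *set_param_fn)(HCRYPTPROV, DWORD, const BYTE *, DWORD);

enum { CLEARED_KEYEXCHANGE = 1, CLEARED_SIGNATURE = 2, CLEARED_BOTH = 3 };

/* Present a NULL PIN for both key specs; return which calls the CSP accepted. */
unsigned csp_try_logout(HCRYPTPROV prov, set_param_fn set_param)
{
    unsigned cleared = 0;
    if (set_param(prov, PP_KEYEXCHANGE_PIN, NULL, 0)) cleared |= CLEARED_KEYEXCHANGE;
    if (set_param(prov, PP_SIGNATURE_PIN, NULL, 0))   cleared |= CLEARED_SIGNATURE;
    return cleared;
}

/* Support is CSP-specific: unless both calls were accepted, fall back to what
   the thread reports working (restarting the service, or removing the card). */
int csp_logout_needs_fallback(unsigned cleared) { return cleared != CLEARED_BOTH; }

/* Constructed fakes: one CSP accepts a NULL PIN, the other rejects the call. */
static BOOL WINAPI fake_csp_honours(HCRYPTPROV p, DWORD param, const BYTE *d, DWORD f)
{ (void)p; (void)f; return d == NULL && (param == PP_KEYEXCHANGE_PIN || param == PP_SIGNATURE_PIN); }
static BOOL WINAPI fake_csp_rejects(HCRYPTPROV p, DWORD param, const BYTE *d, DWORD f)
{ (void)p; (void)param; (void)d; (void)f; return 0; }

int main(void)
{
    printf("honouring CSP: fallback needed = %d\n",
           csp_logout_needs_fallback(csp_try_logout(0, fake_csp_honours)));
    printf("rejecting CSP: fallback needed = %d\n",
           csp_logout_needs_fallback(csp_try_logout(0, fake_csp_rejects)));
    return 0;
}
```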

