Project 6411

Win logon system based on smart cards for secure access control to Workstations

Leader: dr Zoran Markovic

Abstract

Subject of research

The research objective is development of secure Win logon system based on smart cards for logging to workstation or domain. Computer operating systems, such as Windows 2000 or Windows XP, provides login to the operating system, logging on the network domain and downloading user profile based on smart card. Generally, there are two ways of realization of Win logon function: a method based on digital certificate and a method based on username/password for accessing to a domain which are stored on a smart card. In the case of the first method, during the login phase, a certificate is get from the card (by using the PIN or username/password for accessing the card) and checked at the Active Directory for the purpose of validity check, as well as revocation status check. If the certificate is valid, the user will be allowed to log in onto the workstation, or a network domain, depending on the solution. The second method uses an username/password for standard login procedure onto the network domain, but this username/password are obtained by typing PIN or username/password for accessing the smart card.

There are several scenarios for work with Win logon function:

Win Logon based on PIN code - In this case, during the operating system login phase, the user put a smart card in the reader and types a PIN code. Operating system by using some tools access the secret memory part of the smart card (opened by the PIN), takes a certificate or username/password stored on the card and by using them is logged onto the workstation or network domain.

Win Logon based on username/password - In this case, the user put a smart card in the reader and types an username/password instead of PIN code, and this way access to the secret memory part where the certificate or username/password for login to the network domain are stored. Both username/password could be the same but they do not need to be. The user could change the username/password for accessing the card not influencing the username/password for accessing the network domain. The username/password for accessing the network domain are system parameters and could serve for accessing the security applications and central services.

Win logon based on fingerprint - In this case, the user put his smart card and, instead of PIN code (or username/password), uses his fingerprint for accessing the secret memory part of card and obtain the username/password for accessing the netrwork domain. There is a version which uses all of the three authentication components, i.e. the user uses username/password, smart card and his fingerprint.

There are commercial products on world market for such a purpose and, practically, all of the best known manufacturers of smart card operating system have also an appropriate product for the purpose of Win logon. However, the proposed system will have much more functions than commercially available products and, having in mind that it is completely original product and that this will be result of the fully domestic development, it is possible to customize it both in sense of adding new functionalities according to the end user requirements and in sense of modification of cryptographic functions towards implementing custom designed cryptographic algorithms, defined solely by the end users.

Description of the work

Proposed secure Win logon system controls the access to the user accounts, regularly established on the domain server (domain based) or the workstation itself (local) through the original login procedure based on smart card and which is accessed by PIN or username/password.

This procedure will be based on the originally developed GINA dll. Win logon module is generally responsible for recognizing SAS (Secure attention Sequences) sequences. SAS is a key sequence with which begins the process of logging on or off; the default sequence is CTRL+ALT+DEL, and monitors different SAS events. GINA is responsible for notifying Win logon when an SAS has occurred and their processing (starting adequate actions and procedures).

After accepting the SAS sequence, dialog will be open for smart card authentication (this looks similar to the normal Windows login dialog) and, instead of original Gina.dll, originally developed Gina.dll with wrapped functions (specific cryptographic API) for working with smart cards will be loaded.

After successful login to the smart card which is controlled by the originally developed Gina.dll, credential structure is read from the smart card secret memory which is used by the Gina.dll for domain server login (or local login) and accessing the user profiles on the domain server (it could be also on this workstation). After all these successful activities, the process is created for this user and monitoring of the SAS events are proceeded.

Administration of the proposed secure Win logon smart card system will be done by the following activities:

During the personalization of smart cards, a special parametric structure on smart card will be created for accessing the network resources (username/password, domain).
Domain administrator will create user accounts and profiles on domain controller with specially defined privileges for each user for accessing network resources, based on username/password data obtained from CA database in agreed format. Administrator will install the proposed secure Win logon system on the end-user workstation by the following:
Run the specific program on the particular workstation (which should be enabled for secure smart card Win logon) which writes some specific records in the system registry,
Installs some originally developed programs (dlls) into some specified and user forbidden directories.

The scope of the proposed developing research is in development of all necessarz modules and subsystems in order to realize the above described system.

Research Goal

The goal of the proposed research is in developing the original system for secure Win logon for logical access onto workstation based on smart cards and with following characteristics:

Logical secure access system to the Win 2000 or Win XP workstations and Win 2000 or Win 2003 servers; access control could be local or network domain based,
It represents an original procedure based on smart cards,
Proposed system supports different smart cards, both with proprietary and JAVA operating systems,
Credential structure (user, password, domain) is securely stored on smart card limiting the access to users that have corresponding smart cards from this system only,
Use of the user profiles (roaming or mandatory), defined and established on the server by the administrative authorized person (system administrator),
Users could change the password for the smart card access but could not change the credentials for the system access (this could only be done by the administrator),
Monitoring of the user activity/inactivity and control of the actions that should be done when the card is out of the reader or in the case of user's inactivity (Windows operating system could lock the monitor in predefined form (nothing will be seen from the screen) or proceed with Log Off or even Shut Down); Also, inactive time based lock of the computer could be preset and customized by the customer,
Proposed secure smart card based Win logon system will be a result of an original development and based on access to the smart card on the basis on the username/password, PIN code, or certificate and will be additionally based on original cryptographic API which interacts during the smart card accessing.
Proposed system provides three-component strong authentication procedure with function of fingerprint checking enabled.
Since it is domestic and originally developed system, proposed secure Win logon system based on smart cards offers different customization possibilities, defined by the end users, related to realization of specific activities during the login procedure. Having this in mind, this system represents a much more suitable solution compared to similar commercial systems available on the world market.
Proposed system could be integrated with a system of physical access control by using the hybrid cards with including a contactless chip (contact chip serves for Win logon and contactless chip for physical access control).

A result of such developing research should be a prototype of the system which will have all the above characteristics.

Importance of the research

Proposed developing research is of the considerable importance for realization of reliable and secure system for logical access control to workstations based on smart cards. Today, there are a lot of different Win logon system's realization on the world market. Namely, the most of (if not all) manufacturers of the smart card operating systems have in their production list an appropriate system for smart card Win logon. All of these systems mostly perform the same set of functions. The proposed system, which should be the result of the proposed program for technological development, will have all functionalities as commercially available products on the world market. However, since it is completely represents a result of domestic development, the proposed secure smart card Win logon solution provides full customization from the end users, both in sense of choosing and adding new functionalities and in sense of proprietary defined cryptographic elements integrated in the system. On the other side, by applying this developing research, it will result in the system which will be one of the most sophisticated system in the market, since it will include also a checking of biometrical characteristics (e.g. fingerprint).