Project 6411

Win logon system based on smart cards for secure access control to Workstations

Leader: dr Zoran Markovic


Subject of research

The research objective is the development of a secure Win logon system based on smart cards for logging on to a workstation or a domain. Operating systems such as Windows 2000 and Windows XP support smart card based logon to the operating system, logon to the network domain and loading of the user profile. There are generally two ways to realize the Win logon function: a method based on a digital certificate, and a method based on a domain username/password stored on the smart card. With the first method, during the logon phase a certificate is read from the card (after the card has been unlocked with a PIN or a username/password) and checked against Active Directory for validity and for revocation status; in Windows' native smart card logon this check is performed by the domain controller as part of Kerberos PKINIT, and the card also signs the logon request with the private key that belongs to the certificate, since a certificate on its own is public and proves nothing about who holds the card. If the certificate is valid, the user is logged on to the workstation or the network domain, depending on the solution. The second method uses a username/password for the standard network domain logon procedure, but this username/password is obtained from the card after the user has typed the PIN or the username/password that protects the card. In that case the domain still sees an ordinary password logon, so the strength of the scheme rests on the card's access protection and on the domain password remaining unknown to the user; if the user knew it, the card could be bypassed altogether.

There are several scenarios for working with the Win logon function:

Win logon based on PIN code - In this case, during the operating system logon phase, the user inserts the smart card into the reader and types a PIN code. The logon component then unlocks the PIN-protected secret area of the card, reads the certificate or the username/password stored there, and uses it to log the user on to the workstation or the network domain.

Win logon based on username/password - In this case, the user inserts the smart card into the reader and types a username/password instead of a PIN code; this unlocks the secret area of the card where the certificate or the username/password for the network domain logon is stored. The two username/password pairs may be the same, but they need not be. The user can change the username/password that protects the card without affecting the username/password for the network domain. The network domain username/password is a system parameter and can also serve for access to security applications and central services.

Win logon based on fingerprint - In this case, the user inserts the smart card and, instead of a PIN code (or username/password), uses a fingerprint to unlock the secret area of the card and obtain the username/password for the network domain. There is also a variant that uses all three authentication factors: the user presents a username/password, the smart card and a fingerprint.

There are commercial products on the world market for this purpose; practically every well-known manufacturer of smart card operating systems also offers a Win logon product. However, the proposed system will have more functions than the commercially available products, and since it is an entirely original product resulting from fully domestic development, it can be customized both by adding new functionalities according to end-user requirements and by modifying the cryptographic functions to implement custom-designed cryptographic algorithms defined solely by the end users.

Description of the work

The proposed secure Win logon system controls access to user accounts, established in the usual way either on the domain server (domain accounts) or on the workstation itself (local accounts), through an original logon procedure based on a smart card that is unlocked with a PIN or a username/password.

This procedure will be based on an originally developed GINA DLL. Winlogon is the Windows component responsible for recognizing the Secure Attention Sequence (SAS), the key sequence that starts the logon or logoff process (CTRL+ALT+DEL by default), and for monitoring the different SAS events. The GINA (Graphical Identification and Authentication) DLL is responsible for notifying Winlogon when an SAS of its own has occurred (for example, insertion of a smart card into the reader) and for processing SAS events, that is, for starting the appropriate actions and procedures such as displaying the logon dialog and collecting the credentials.

Winlogon loads the GINA named in its configuration at start-up; instead of the stock msgina.dll, the originally developed GINA DLL with wrapped functions (a specific cryptographic API) for working with smart cards will be loaded. After the SAS has been accepted, this GINA opens a smart card authentication dialog that looks similar to the normal Windows logon dialog.

After a successful logon to the smart card, which is controlled by the originally developed GINA DLL, a credential structure is read from the card's secret memory; the GINA uses it to log on to the domain server (or locally) and to load the user profile from the domain server (or from the workstation itself). Once all of this has succeeded, the user's session process is created and monitoring of SAS events continues. Two consequences of this design should be kept in mind. The GINA DLL is loaded into the Winlogon process and runs as LocalSystem, so any defect in the card handling or credential parsing compromises the whole workstation, and the same replaceable-GINA mechanism is a well-known way of planting a credential-stealing DLL; the registry value that names the GINA and the DLL file itself must therefore be protected against modification. The GINA interface also exists only on Windows 2000, Windows XP and Windows Server 2003; Windows Vista and later replaced it with the credential provider model.
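As an added example that is not part of the project, the following PowerShell script shows where Winlogon's choice of GINA is configured and checks which DLL is actually in place: it reads the GinaDLL value under the Winlogon registry key (absent on a stock system, in which case msgina.dll is used), resolves the file, hashes it and inspects its Authenticode signature, so an administrator deploying a custom smart card GINA can confirm that the intended, unmodified DLL is the one Winlogon will load. It assumes PowerShell 2.0 or later and an administrator session; $ExpectedSha256 is a placeholder to be replaced with the hash of the deployed DLL.

```powershell
# Added example, not part of the project: report which GINA DLL Winlogon will load.
# Winlogon reads the GinaDLL value under the key below; when it is absent, msgina.dll
# is used. A custom smart card GINA is registered by setting this value, and the same
# value is what an attacker changes to plant a credential-stealing GINA.
# Requires an administrator session; written to run on PowerShell 2.0 and later.

# Placeholder (assumption): replace with the SHA-256 of the GINA DLL you deployed.
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ginaValue = (Get-ItemProperty -Path $winlogonKey).GinaDLL
if (-not $ginaValue) { $ginaValue = 'msgina.dll' }   # default when the value is missing

# A bare file name is loaded through the normal DLL search order, which for Winlogon
# should resolve to System32; an absolute path is taken as-is.
if ([System.IO.Path]::IsPathRooted($ginaValue)) {
    $ginaPath = $ginaValue
} else {
    $ginaPath = Join-Path (Join-Path $env:SystemRoot 'System32') $ginaValue
}
if (-not (Test-Path -LiteralPath $ginaPath)) {
    throw "GinaDLL value '$ginaValue' does not resolve to an existing file ($ginaPath)"
}

# Hash with .NET directly so this also runs on PowerShell 2.0 (Get-FileHash needs 4.0).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($ginaPath)
try {
    $actualHash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
} finally {
    $stream.Close()
}

# Embedded Authenticode signature. Microsoft's own system DLLs are usually catalog-signed,
# so older PowerShell versions report NotSigned for a genuine msgina.dll; for the stock
# file rely on the hash (or sfc/sigverif) rather than on this status alone.
$signature = Get-AuthenticodeSignature -FilePath $ginaPath

New-Object PSObject -Property @{
    GinaDLL         = $ginaValue
    Path            = $ginaPath
    Sha256          = $actualHash
    SignatureStatus = $signature.Status          # Valid, NotSigned, HashMismatch, ...
    Signer          = $(if ($signature.SignerCertificate) { $signature.SignerCertificate.Subject } else { $null })
    MatchesExpected = ($actualHash -eq $ExpectedSha256)
}
```

For a deployed custom GINA, MatchesExpected should be true and, if the DLL was signed, SignatureStatus should be Valid with the expected signer; any other combination means the file or the registry value has changed since deployment. Because Winlogon loads the DLL with LocalSystem privileges, the same check belongs in host monitoring, not only in the deployment procedure.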

The proposed secure smart card Win logon system will be administered through the following activities:

The scope of the proposed development research is the development of all modules and subsystems necessary to realize the system described above.

Research Goal

The goal of the proposed research is the development of an original secure Win logon system for logical access to workstations based on smart cards, with the following characteristics:

The result of this development research should be a prototype system with all of the above characteristics.

Importance of the research

The proposed development research is of considerable importance for the realization of a reliable and secure system for logical access control to workstations based on smart cards. Today there are many different Win logon system implementations on the world market; most (if not all) manufacturers of smart card operating systems have an appropriate smart card Win logon system in their product line, and these systems mostly perform the same set of functions. The proposed system, which should be the result of the proposed technological development program, will have all the functionalities of the commercially available products. However, since it is entirely a result of domestic development, the proposed secure smart card Win logon solution allows full customization by the end users, both in choosing and adding new functionalities and in integrating proprietary cryptographic elements into the system. Furthermore, this development research will result in one of the most sophisticated systems on the market, since it will also include the checking of biometric characteristics (e.g. fingerprints).