If you follow our blog and our product, you have probably seen us mention in many places that our product is cloud oriented and built around strong security features.
One of them is smart card support. To find out how it works and what it is used for, continue reading.
Introduction
So, what actually is a smart card? Your mobile SIM card is a smart card; your bank/credit card, ePassport, eID card and healthcare card are all smart cards if they contain a chip.
Simply put, it is conceptually similar to a USB memory stick with two major differences: it contains a cryptographic processor on board, and access to its memory can be protected by a PIN. This description is not quite accurate, but it is close enough to give an idea.
Smart cards may be read-only (bank cards, government-issued cards, etc.) or read-write, as security keys are. Some smart cards offer a single function, while others, such as security keys, contain multiple functions (applets).
A great example is the YubiKey security key. It is actually a smart card with 5 applets (otp, yauth, pgp, fido, piv). The one we are writing about here is PIV (Personal Identity Verification), based on ISO 7816-4.
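As an added example (not code from the original post, and not part of Green Screens' tools), here is a small Go decoder for the ISO 7816-4 command and response APDUs that every PIV applet speaks, together with the status words that matter most in a PIN-protected workflow. The trace in main() is constructed for illustration; the PIV application identifier in it is the one from NIST SP 800-73, and the PIN digits are sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// CommandAPDU is an ISO 7816-4 short-form command: CLA INS P1 P2 [Lc Data] [Le].
type CommandAPDU struct {
	CLA, INS, P1, P2 byte
	Data             []byte // command data field (cases 3 and 4), nil when absent
	Le               int    // expected response length (cases 2 and 4); 0x00 encodes 256
	HasLe            bool
}

// ResponseAPDU is [Data] SW1 SW2.
type ResponseAPDU struct {
	Data     []byte
	SW1, SW2 byte
}

// ParseCommand decodes the four ISO 7816-4 cases for short-length APDUs.
// Extended length (three-byte Lc/Le, introduced by Lc = 0x00) is rejected
// rather than silently misparsed.
func ParseCommand(b []byte) (CommandAPDU, error) {
	if len(b) < 4 {
		return CommandAPDU{}, errors.New("apdu: shorter than the 4-byte header")
	}
	c := CommandAPDU{CLA: b[0], INS: b[1], P1: b[2], P2: b[3]}
	body := b[4:]
	switch {
	case len(body) == 0: // case 1: header only
	case len(body) == 1: // case 2: Le only
		c.Le, c.HasLe = leValue(body[0]), true
	default:
		lc := int(body[0])
		if lc == 0 {
			return CommandAPDU{}, errors.New("apdu: extended length not supported")
		}
		switch len(body) {
		case 1 + lc: // case 3: Lc + data
			c.Data = append([]byte(nil), body[1:]...)
		case 2 + lc: // case 4: Lc + data + Le
			c.Data = append([]byte(nil), body[1:1+lc]...)
			c.Le, c.HasLe = leValue(body[1+lc]), true
		default:
			return CommandAPDU{}, fmt.Errorf("apdu: Lc=%d does not match %d body bytes", lc, len(body))
		}
	}
	return c, nil
}

// leValue maps the one-byte Le encoding to a length (0x00 means 256).
func leValue(b byte) int {
	if b == 0 {
		return 256
	}
	return int(b)
}

// ParseResponse splits a response into its data field and the two status bytes.
func ParseResponse(b []byte) (ResponseAPDU, error) {
	if len(b) < 2 {
		return ResponseAPDU{}, errors.New("apdu: response shorter than SW1 SW2")
	}
	return ResponseAPDU{Data: append([]byte(nil), b[:len(b)-2]...), SW1: b[len(b)-2], SW2: b[len(b)-1]}, nil
}

// Status renders the ISO 7816-4 status word in words, covering the cases a
// PIN/PIV workflow runs into most often.
func (r ResponseAPDU) Status() string {
	sw := uint16(r.SW1)<<8 | uint16(r.SW2)
	switch {
	case sw == 0x9000:
		return "OK"
	case r.SW1 == 0x61:
		return fmt.Sprintf("OK, %d more bytes available via GET RESPONSE", r.SW2)
	case r.SW1 == 0x6C:
		return fmt.Sprintf("wrong Le, reissue with Le=%d", r.SW2)
	case r.SW1 == 0x63 && r.SW2&0xF0 == 0xC0:
		return fmt.Sprintf("verification failed, %d tries remaining", r.SW2&0x0F)
	case sw == 0x6982:
		return "security status not satisfied (PIN not verified)"
	case sw == 0x6983:
		return "authentication method blocked (PIN locked)"
	case sw == 0x6A82:
		return "file or application not found"
	default:
		return fmt.Sprintf("status %04X", sw)
	}
}

func main() {
	// Constructed trace: SELECT the PIV application by its AID (NIST SP 800-73),
	// then VERIFY the PIV PIN (key reference 0x80, sample PIN padded with 0xFF to 8 bytes).
	selectPIV := []byte{0x00, 0xA4, 0x04, 0x00, 0x0B,
		0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00}
	verifyPIN := []byte{0x00, 0x20, 0x00, 0x80, 0x08, '1', '2', '3', '4', '5', '6', 0xFF, 0xFF}
	for _, raw := range [][]byte{selectPIV, verifyPIN} {
		c, err := ParseCommand(raw)
		fmt.Printf("%+v %v\n", c, err)
	}
	// Constructed responses: success, PIN wrong with 2 tries left, PIN not yet verified.
	for _, raw := range [][]byte{{0x90, 0x00}, {0x63, 0xC2}, {0x69, 0x82}} {
		r, _ := ParseResponse(raw)
		fmt.Println(r.Status())
	}
}
```

The 63Cx retry counter is the value worth surfacing to a user before the card locks the PIN; once 6983 is returned, only the PUK or an administrative reset will help, which is why a tool that explores a card should decode status words instead of just printing hex.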
To understand the purpose of all this, there are two more security concepts to understand:
- user authentication
- encrypted access
User authentication
Green Screen Server supports not only standard login, but also OTP and FIDO (biometric access), which, when used from the web, is called WebAuthn: the latest and most secure authentication method, meeting the highest security standards and intended as a replacement for OTP. For WebAuthn to work, an encrypted protocol (SSL/TLS) is required.
Encrypted access
The encrypted protocol may be light (server-side certificate only) or full, requiring the user to hold a certificate to enter the system. Enforcing a user certificate requirement is the most secure online protection; combined with FIDO (WebAuthn), it makes your credentials practically unbreakable.
But....
Here we come to the problematic part.
- It is complicated and very confusing for end clients. How can the setup be made as easy and as safe as possible for the end user?
- If a company is using client certificates, the most problematic part is how to distribute the certificates to end users securely, so that a third party can't hijack them and impersonate you.
The solution comes in the form of smart card PIV applets. Instead of receiving your client certificate by email and installing it manually in the OS certificate store, you may receive a smart card with your personal certificate locked inside it. When you need to access the protected website, just plug the smart card into your PC and open the website; the OS will ask you for the card PIN and which certificate to use (if several are installed).
Since the client certificate contains your identification (username, email, etc.), it can also be used to log in to the system.
If you have a multi-applet security key, the best protection you can get is a combination of a client certificate, giving very strong encryption of online data exchange, and WebAuthn, giving extremely safe protection of your password against theft by a third party.
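To make the light/full distinction and the identity-from-certificate idea concrete, here is an added Go example; it is not Green Screen Server code and does not describe its implementation. It builds the two server-side TLS configurations and runs the check that the full mode's handshake applies to a presented client certificate (chain to the trusted CA plus the ClientAuth key usage), against a constructed in-house CA and a hypothetical user "alice". Names such as gs.example, alice and alice@example.com are sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is what the server learns from a verified client certificate.
type Identity struct{ Username, Email string }

// caPool loads the in-house Root/CA certificate that signed both the server
// and the client certificates; it must be trusted on both ends.
func caPool(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return pool, nil
}

// serverTLSConfig builds the server side. requireClient=false is the "light" mode
// (server certificate only); requireClient=true is the "full" mode, where the
// handshake is rejected unless the client presents a certificate chaining to caPEM.
func serverTLSConfig(serverCert tls.Certificate, caPEM []byte, requireClient bool) (*tls.Config, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	if !requireClient {
		return cfg, nil
	}
	pool, err := caPool(caPEM)
	if err != nil {
		return nil, err
	}
	cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert
	return cfg, nil
}

// verifyClient applies the same check the handshake performs under
// RequireAndVerifyClientCert and returns the identity the certificate carries.
func verifyClient(leafDER, caPEM []byte) (Identity, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return Identity{}, err
	}
	pool, err := caPool(caPEM)
	if err != nil {
		return Identity{}, err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return Identity{}, err
	}
	id := Identity{Username: leaf.Subject.CommonName}
	if len(leaf.EmailAddresses) > 0 {
		id.Email = leaf.EmailAddresses[0]
	}
	return id, nil
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil (constructed test PKI only).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, der
}

// newTestPKI builds a constructed in-house CA, a server certificate and a client
// certificate for the hypothetical user "alice" (sample names only).
func newTestPKI() (caPEM, serverDER, clientDER []byte) {
	now := time.Now()
	base := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	}
	caTmpl := base(1, "Example In-House Root CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey, caDER := issue(caTmpl, nil, nil)
	srv := base(2, "gs.example")
	srv.DNSNames, srv.ExtKeyUsage = []string{"gs.example"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, _, serverDER = issue(srv, ca, caKey)
	cli := base(3, "alice")
	cli.EmailAddresses, cli.ExtKeyUsage = []string{"alice@example.com"}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	_, _, clientDER = issue(cli, ca, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), serverDER, clientDER
}

func main() {
	caPEM, serverDER, clientDER := newTestPKI()
	fmt.Println(verifyClient(clientDER, caPEM)) // {alice alice@example.com} <nil>
	fmt.Println(verifyClient(serverDER, caPEM)) // a server-only certificate is refused for client auth
}
```

In the smart card setup, the private key behind clientDER never leaves the card: after the PIN is entered, the browser asks the PIV applet to sign the handshake, and the server sees only the certificate, from which it takes the username and email exactly as verifyClient does. The ClientAuth key usage check is the detail that stops a stolen server certificate from being replayed as a client identity.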
What is the benefit of having a security key?
Well, if a client certificate is installed on a single PC, you will only be able to connect from that PC. If you leave your PC unlocked, someone can use your certificate to log in (this is where WebAuthn protects you); if you travel a lot and forget your laptop, you won't be able to connect to the system at all. Installing your personal certificate on other computers is a high security risk.
A security smart card key on your keychain is always with you. When you need to access the system from anywhere and from any PC, just plug the security key into a USB port and access the remote system; the OS takes care of the rest. That's all. Simple and very safe. No need for a VPN or VPN client installation, and no need for manual certificate setup.
Setup requirements
In most cases the end user will not have to do anything; however, there are edge cases that require some simple steps.
Client and server certificates share a common ancestor certificate, the Root or CA certificate used to sign both. For the web server and the security key to work properly, that certificate must be present on both the user's system and the server.
Please note that many smart cards support installing the root certificate onto the card itself, for example with certutil -scroots update:
certutil -scroots update ca.cer "Yubico YubiKey OTP+FIDO+CCID 0"
Another option is...
If the certificates are signed by a known, registered issuer, then you are good to go. If the certificate is an in-house, self-signed certificate, your clients must install the CA certificate onto the system as a Trusted Root Certificate, simply by clicking the cert; the OS will show an info page with an install button that opens the installation wizard.
The root certificate can be freely placed on a public website for download, so end users can get it and install it into their system.
WebKit-based browsers and IE should work out of the box. If you encounter problems, try installing a smart card minidriver.
For Firefox, it is required to install a security device library responsible for communicating with the smart card device. We recommend the OpenSC Framework.
For developers
If you want to learn more about smart card technology, check out the following:
- Smart Card Tool to explore device memory content
- 7816-4 ISO Book
- Smart Card Testing Tool (open source; GitHub) written in the Go language by Green Screens Ltd.