Smart Card Security Support

If you follow our blog and our product, you have probably seen us mention in many places that our product is cloud oriented and built with strong security features.

One of them is smart card support. Read on to find out how it works and what it is for.

Introduction

So, what is a smart card, actually? Your mobile SIM card is a smart card; your bank/credit card, ePassport, eID card and healthcare card are all smart cards if they contain a chip.

Simply put, it is conceptually similar to a USB memory stick with two major differences: it contains a cryptographic processor on board, and access to its memory can be protected by a PIN. This description is not quite accurate, but it is close enough to get the idea.

Smart cards may be read-only (bank cards, government-issued cards, etc.) or read-write, like security keys. Some smart cards offer a single function, while others, such as security keys, contain multiple functions (applets).

A great example is the YubiKey security key. It is actually a smart card with 5 applets (OTP, OATH, PGP, FIDO, PIV). The one we are writing about here is PIV, Personal Identity Verification, based on ISO 7816-4.

To understand the purpose of all of this, there are two more security concepts to understand:

  • user authentication
  • encrypted access

User authentication
Green Screen Server supports not only standard login but also OTP or FIDO (biometric access), which, when used on the Web, is called WebAuthn: the latest and most secure authentication method, built to the highest security standards and a replacement for OTP. WebAuthn requires an encrypted protocol (SSL/TLS) to work.

Encrypted access
The encrypted protocol may be light (server-side certificate only) or full, requiring the user to present a certificate to enter the system. Enforcing a user certificate requirement is the strongest online protection; combined with FIDO (WebAuthn), it makes your credentials practically unbreakable.

But....

Here we come to the problematic part.

  • It is complicated and very confusing for end clients. How can the setup be made as easy and as safe as possible for the end user?
  • If a company uses client certificates, the most problematic part is how to distribute them securely to end users so that a third party cannot hijack them and impersonate you.

The solution came with smart card PIV applets. Instead of receiving your client certificate by email and manually installing it in the OS certificate store, you receive a smart card with your personal certificate locked inside. When you need to access the protected web site, just plug the smart card into your PC and open the site; the OS will ask you for the card PIN and which certificate to use (if several are installed).

Since the client certificate contains your identity (username, email, etc.), it can also be used to log in to the system.

If you have a multi-applet security key, the best protection you can get is the combination of a client certificate, enabling strongly encrypted online data exchange, and WebAuthn, protecting your password from being stolen by a third party.

What is the benefit of having a security key?

Well, if a client certificate is installed on a single PC, you will only be able to connect from that PC. If you leave your PC unlocked, someone can use your certificate to log in (this is where WebAuthn protects you); if you travel a lot and forget your laptop, you will not be able to connect to the system. Installing your personal certificate on other computers is a high security risk.

Your security smart card key on your key chain is always with you. When you need to access the system from anywhere and from any PC, just plug the security key into a USB port and access the remote system; the OS takes care of the rest. That's all. Simple and very safe. No need for a VPN or VPN client installation, and no need for manual certificate setup.

Setup requirements

In most cases the end user will not have to do anything; however, there are edge cases which require some simple steps.

Client and server certificates have a common ancestor certificate: the Root or CA certificate used to sign both the client and server certs. For the web server and the security key to work properly, that certificate must be present on both the user's system and the server.

Please note that many smart cards support installing the root certificate on the card itself, for example with certutil -scroots update:

certutil -scroots update ca.cer "Yubico YubiKey OTP+FIDO+CCID 0"

Another option is...

If the certificates are signed by a well-known registered issuer, you are good to go. If the certificate is an in-house, self-signed certificate, your clients must install the CA certificate on their systems as a Trusted Root Certificate. Simply double-click the cert file; the OS shows an info page with an installation button that opens the install wizard.

The root certificate can be freely published on a public web site for download, so end users can fetch it and install it on their systems.
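The two requirements above, that client and server certificates chain to the same CA and that a self-signed in-house CA must be explicitly trusted, can be checked on any machine with the openssl CLI. The script below is an added example, not part of the original post or of the Green Screen Server product. It builds a throwaway demo CA with constructed names (Demo Root CA, green-screen.example, alice@example.com) plus a second, unrelated CA, issues a server certificate and a client certificate from the first, and shows which combinations verify. It goes a little beyond the text by also checking each certificate's intended purpose (serverAuth vs clientAuth), which a TLS stack enforces in the same way.

```bash
#!/bin/sh
# Added example (not from the original post): a throwaway PKI built with the
# openssl CLI to show why client and server certificates must chain to the same
# CA, and why a self-signed in-house CA must be explicitly trusted.
# All names below (Demo Root CA, green-screen.example, alice@example.com,
# Unrelated CA) are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <common-name>: self-signed CA certificate and private key.
# Extensions come from an explicit file so the result does not depend on the
# local openssl.cnf.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# issue_cert <ca-prefix> <prefix> <common-name> <extendedKeyUsage>:
# generate a key and CSR, then sign it with the given CA, marking the
# certificate for server (serverAuth) or client (clientAuth) use.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$4" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 1 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# verify_as <sslserver|sslclient> <trusted-ca.crt> <leaf.crt>: prints "ok" when
# the leaf chains to the trusted CA and is valid for that purpose, else "fail".
# This mirrors what the browser (checking the server) and the web server
# (checking the client) do during the TLS handshake.
verify_as() {
  if openssl verify -purpose "$1" -CAfile "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca "$WORK/ca" "Demo Root CA"          # the in-house CA everyone must trust
make_ca "$WORK/other-ca" "Unrelated CA"    # an issuer nobody configured
issue_cert "$WORK/ca" "$WORK/server" "green-screen.example" serverAuth
issue_cert "$WORK/ca" "$WORK/alice" "alice@example.com" clientAuth
# Same name as alice, but signed by the wrong CA: the impersonation case the post warns about.
issue_cert "$WORK/other-ca" "$WORK/mallory" "alice@example.com" clientAuth

echo "server cert, client trusts Demo Root CA:     $(verify_as sslserver "$WORK/ca.crt" "$WORK/server.crt")"
echo "alice cert, server trusts Demo Root CA:      $(verify_as sslclient "$WORK/ca.crt" "$WORK/alice.crt")"
echo "mallory cert (other CA), server trusts Demo: $(verify_as sslclient "$WORK/ca.crt" "$WORK/mallory.crt")"
echo "alice cert, Demo CA not installed on server: $(verify_as sslclient "$WORK/other-ca.crt" "$WORK/alice.crt")"
echo "server cert presented as a client cert:      $(verify_as sslclient "$WORK/ca.crt" "$WORK/server.crt")"
```

In the deployment described in this post, the "trusted CA" file on the server side corresponds to the CA the web server is configured to accept client certificates from, and on the client side to the certificate installed in the Trusted Root store (or in the Firefox security device). The last two lines are the failure cases a practitioner should expect: a client certificate is rejected when its CA is missing on the server, and a certificate issued for server use is rejected when presented as a client identity, even though it chains to the right CA.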

WebKit-based browsers and IE should work out of the box. If you encounter problems, try installing the smart card minidriver.

Firefox requires a security device library (a PKCS#11 module) to communicate with the smart card device. We can recommend the OpenSC framework.

For developers

If you want to learn more about smart card technology, check out the following...