No More Password!
Windows NT Login With Smart Card

We currently use passwords to log in to computers in the U of M computing environment, but we are not satisfied with them, mainly because they are not secure enough. We are working on replacing password login with Smart Card login for Windows NT.

1. Why do we favor Smart Cards rather than Passwords?

Password: A short, meaningful key (e.g. an English word) is easily compromised by a Dictionary Attack or a Brute Force Attack. There is a report that 5% of the passwords used in the U of M computing environment can be compromised with a Dictionary Attack.
Smart Card: A longer key, protected by a PIN, avoids Dictionary Attack and Brute Force Attack.
Password: There is no way to detect a stolen password.
Smart Card: Physically secure, and its theft or loss can be detected.
Smart Card: Cards are developing toward larger memory and more advanced cryptography -> More Secure.
Password: You have to remember it and type it.
Smart Card: You do not have to remember or type anything.
Smart Card: You can put credential information (e.g. Kerberos tickets) in the Smart Card. When you remove the card from the slot, nobody can access your computer resources.
Smart Card: You can put your own profile or IP address in the card so that you can use your own configuration on public computers.
Smart Card: Services other than computing can be integrated into the Smart Card, with its security and user friendliness, e.g. identification, libraries, parking lots ...

2. Current Status and Future Direction.
We have implemented smart card authentication in Windows NT. The card currently stores the uniqname and password in clear text. The smart card authentication was developed with the Windows NT Pluggable Authentication Module, or NI_PAM.
We are now investigating a more secure way to store the uniqname and password, e.g. storing a Kerberos-encrypted form of them instead of clear text.

