How to use Smartcard reader

sailor (Limp Gawd; joined Jun 1, 2002; 158 messages)
Not sure where to put this. Mods please move it if it fits better elsewhere.

I have a Dell Latitude D620 laptop which has an integrated Smartcard reader but I do not know how to use it.

It is enabled in the BIOS and in the Windows Device Manager the Smartcard reader appears OK as well as something called "Broadcom Trusted Platform". The Smartcard Reader service is running.

So, now what? I was assuming the reader would show up in the Windows Explorer like a USB reader but I cannot see anything. What am I supposed to do next? Can I buy a plain Smartcard memory card and write and read like to a pendrive? Or is it only a reader? In which case, how do I write or program the Smartcards?

How is the Smartcard reader supposed to work? It seems it can be used to log in to Windows instead of a password but I have no idea how to use it.

Also, it seems there are different types of Smartcards, with different sets and number of contacts (8, 6, ?).

I understand that a Smartcard can hold certificate and other info to log in and to digitally sign. How do I get this to work?
 
Smartcards are used in a PKI environment. Meaning, your laptop needs to be joined to a Windows 2003 or 2008 server environment that usually requires a double-key log-in. You would use an ID card, sometimes along with a password, to log in to the machine.

http://en.wikipedia.org/wiki/Public_key_infrastructure

So to get your laptop working you are going to need the following...

ID card
ID card reader and software
Server with Certificate Authority installed
Be a member of the domain

Then, at this point, you would put the ID card into the Smartcard Reader and log-in to the machine.
 
Do you NEED a smartcard? Or do you just WANT to know how it works?

Also, you need software such as ActivClient (used to be ActivCard Gold) to be able to make use of the card.
 
Thanks for the replies. Well, if the Smartcard thing only works with computers which are part of a domain then I guess I am out of luck because mine is not. This seems quite complex. I just thought I could use a Smartcard to log into my own computer and to hold whatever certificates I have, rather than keeping them in the computer itself and making them available to whoever steals my laptop.
 
You would not be able to create a smart card. They are created by a trusted and controlled party. They cannot be created by any regular user since they usually hold personal ID (PID) info. The integrity of this info needs to be protected.

Also, the comp only needs to be in a domain environment if you are trying to log in to the comp using the smart card. If you need to access a document or website or email with smart card authentication, then you only need certs and middleware (ActivClient). However in practice, most locations force the user to log in to a computer using the smart card, and prevent the user from working on a personal machine which may not be connected to a domain, by issuing laptops.
 
I guess what I need is the "middleware" then. Where can I find some?

I am just totally confused by all this. It seems in some European countries the government-issued ID cards, as well as bank and credit cards, are smartcards which contain certificates which certify the holder who can use them to access bank accounts or deal with the government bureaucracy online. This is done from a regular home computer with a smartcard reader. No domains. Just put the card in the reader and use the browser to access whatever site is needed. This is what I am trying to understand. What software or middleware or whatever is needed for this type of transaction. It has to be pretty simple if millions are doing it from their homes in Europe.
 
The "middleware" you are talking about is the software I mentioned above. ActivClient is what we use, but there may be other software out there.

Anyway, all it does is provide a way for you to access the smart card using the physical card reader. Basically the way it works for website auth is thus:

client tries to access a website that requires smart card authentication
server asks client to provide certificate
client provides certificate to server (user usually has to enter a PIN first to access cert)
server uses information in certificate to verify the user and authenticates user based on that info
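The four-step flow above, and the component list from the earlier reply (a Certificate Authority, a user certificate, a reader plus middleware), as an added example; this is not code from the thread nor from ActivClient, Embassy Trust Suite or any other product named in it. A self-signed root created on the same machine plays the CA, a PIN-encrypted key file stands in for the smartcard, and two checks do what the "server uses information in certificate to verify the user" step actually means: the certificate chains to a root the server trusts, and the client proves it holds the matching private key by signing a fresh nonce. It needs the openssl command-line tool; the names (Home CA, sailor, intruder) and PINs are made up.

```shell
#!/bin/sh
# Added example, not from the thread. A one-machine PKI with the openssl CLI:
# the self-signed root plays the Certificate Authority, a PIN-protected key
# file stands in for the smartcard, and the "server" checks do what the
# website in the thread's four-step flow does. All names/PINs are made up.

# Step 0 (done once, by whoever runs the CA): create a self-signed root.
# On a standalone laptop that is the owner; for a bank site it is the bank.
make_ca() {                      # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Home CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Enrolment: generate the user's key pair and have the CA sign a certificate
# for it. The key is encrypted under a PIN, the file-based stand-in for a
# card that only signs after the PIN is entered.
issue_user() {                   # $1 = work dir, $2 = user name, $3 = PIN
    openssl req -new -newkey rsa:2048 -subj "/CN=$2" -passout "pass:$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# Server check 1: is the presented certificate chained to a root I trust?
verify_chain() {                 # $1 = trusted CA cert, $2 = user cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Server check 2: does the client hold the matching private key? The server
# sends a fresh nonce, the client signs it (PIN needed), the server verifies
# the signature against the public key taken out of the certificate.
prove_possession() {             # $1 = work dir, $2 = user name, $3 = PIN
    head -c 32 /dev/urandom > "$1/nonce"
    openssl dgst -sha256 -sign "$1/$2.key" -passin "pass:$3" \
        -out "$1/nonce.sig" "$1/nonce" 2>/dev/null || return 1
    openssl x509 -in "$1/$2.crt" -pubkey -noout > "$1/$2.pub" 2>/dev/null
    openssl dgst -sha256 -verify "$1/$2.pub" -signature "$1/nonce.sig" \
        "$1/nonce" >/dev/null 2>&1
}

demo() {
    w=$(mktemp -d)
    make_ca "$w"
    issue_user "$w" sailor 1234
    verify_chain "$w/ca.crt" "$w/sailor.crt" && echo "sailor: chain trusted"
    prove_possession "$w" sailor 1234 && echo "sailor: key possession proven"
    prove_possession "$w" sailor 0000 || echo "sailor: wrong PIN, no signature"
    # A certificate from a different CA (someone else's home-made root) is
    # rejected even though it is perfectly well-formed.
    other=$(mktemp -d)
    make_ca "$other"
    issue_user "$other" intruder 9999
    verify_chain "$w/ca.crt" "$other/intruder.crt" || echo "intruder: chain not trusted"
    rm -rf "$w" "$other"
}

demo
```

Two things this makes concrete for the argument in the thread. Whoever holds ca.key decides which certificates are trusted: on a standalone machine that can be the owner, but a bank or government site only trusts certificates issued by its own CA, so a home-made certificate buys nothing there. And the PIN-encrypted key file is the weak stand-in: a real smartcard never releases the private key at all, it performs the signature on the chip after the PIN is entered, which is exactly why the certificate on the card is useful while a copy of the card is not.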
 
Thanks, I'll look into it. Activclient costs about $65 which is more than I'm willing to spend without knowing if it will work for certain but I'll try to find out more.
 
do you even have a smart card? do you want to access a resource that requires a smart card? I don't want you to think that just anyone can create and use a smart card for any particular reason.
 
Well, yes, as I said, I realize bank cards, credit cards, etc can be of the Smartcard type. I do not have one myself and I need to learn a bit about this for work. We are involved in something which is strictly commercial and I feel I need to know more about how these things work. I might try getting a Smartcard from some Credit card but I want to know what I will need. All I know for now is that my laptop has a Smartcard reader and I want to know what else I would need to use it.
 
This isn't really something you can learn about at home as you need an infrastructure setup to support the use of a smartcard. You would really just need to see how it works in an existing setup.
 
Well, common sense told me what I was looking for had to be possible and I persisted and it turns out I was right and it was even much simpler than I imagined. Much of the information contained in the previous posts is just plain wrong.

From the Dell website I downloaded for free Embassy Trust Suite software which does exactly what I want: It works in conjunction with the TPM (Trusted Platform Module) to require a password or Smartcard before booting the OS.
http://www.wave.com/support/documents/esc/esc-012.asp

Dell PCs where the ETS software is pre-installed support the use of smart cards at pre-boot time to log on to the machine before the Operating System loads.
Read that link for more details.
 
What exactly was wrong with what people posted? So you have some client software now; do you have a smartcard? How are you going to generate a certificate for it if you do? How does that software know it can trust you without a PKI infrastructure to verify that with?

I have 3 smartcards for work and I'm still not sure how you're accomplishing what you want with just a client which someone mentioned earlier (ActivClient). It just doesn't make any sense to me to want to use a smartcard stand alone, if you even can... and if there are ones for bank cards like you mentioned, they are still communicating with some kind of authority to verify who you are when it reads the info off the card.
 
What exactly was wrong with what people posted?
Well, pretty much everything since everybody was telling me that what I wanted to do could not be done because ...
Smartcards is done in a PKI environment. Meaning, your laptop needs to be joined in a Windows 2003 or 2008 server environment that is requiring usually a double key log-in.
I wanted to use a smartcard just to log into my stand-alone computer and pretty much everyone was telling me it could not be done.

On the other hand it seems to me like a matter of common sense that if I log in to my computer by typing a password on the keyboard then I should be able to log in by entering the password stored in some medium like a smartcard, pendrive, etc., including fingerprint. It does not seem to defy my common sense.


So you have some client software now, do you have a smartcard? How are you going to generate a certificate for it if you do? How does that software know it can trust you without a PKI infrastructure to verify that with?
How does Windows know it can trust me when I type my password? It does not go and ask any authority. It just checks that the password I just entered matches the one I entered originally. There is no "authority" other than myself. Such an authority may be needed or desirable in a multi-computer, domain-server, network where I would have access to resources owned by others but I cannot see why it is necessary for me in order to log into my own stand-alone computer where I own everything. When it comes to my own stand-alone computer *I* am the ultimate authority.

I have 3 smartcards for work and I'm still not sure how you're accomplishing what you want with just a client which someone mentioned earlier (ActivClient). It just doesn't make any sense to me to want to use a smartcard stand alone, if you even can... and if there are ones for bank cards like you mentioned, they are still communicating with some kind of authority to verify who you are when it reads the info off the card.
I am not sure how PKI works and I am not an expert in how Embassy Security Suite works internally but the way I understand it is that the pre-boot authentication is done by the BIOS before even starting the boot process. The pre-boot authentication can be done by (1) password, (2) smartcard and (3) fingerprint reader (my laptop does not have it installed). See http://www.wave.com/support/ets-support/preboot_enroll.htm

The passwords are kept in the TPM module and during the pre-boot authentication the user needs to supply a matching password by one of those three methods. Note that this authentication is done even before having *any* access to the hard disk, OS or network (which is what I want) so there is no way to check with any authority. If this authentication is not passed then there is no access to *any* of the laptop's resources.

I am not sure why the computer needs to communicate with any "authority" to verify who I am. My "password" (either typed, in a smartcard or as a fingerprint) is what verifies to the satisfaction of the TPM who I am without need for further consultation. I am not sure why it makes any difference whether I input a password/key via the keyboard or via a smartcard. The Wave Embassy program "enrolls" the smartcard which I think means it records the password on it or whatever it does to later recognize it as authentic. In any case, with that Wave Embassy software I can do what I was wanting to do and more. It also has a feature that can encrypt files by just keeping them in a virtual drive (similar to PGP's virtual drive) and some other additional goodies.

If you want a more detailed explanation you might want to look at the Wave website I linked to because I am not an expert. I just know that it works and does what I want.
 
I'm glad everything worked out for you. Please report back once you have it setup and working.
 
Well you also asked this in your original post...

I understand that a Smartcard can hold certificate and other info to log in and to digitally sign. How do I get this to work?

That requires PKI, certificates need a CA. I guess I'm just confused about you wanting to learn about smartcards but not wanting to use it the way they are 99.99999999999% of the time. I'm not sure what the point of using one stand alone would be? Paranoid about security?
 
Most people use smartcards in an Active Directory environment, or to access content over the web on secured networks. In which case certificates are constantly issued, updated and revoked. So yes, there is one central certificate authority for those people. You are not using a smart card the way they are used in practice. I hope you are learning, and you are on the right track. But I am telling you, without arguing, that you are not conforming to convention.
 
Well, pretty much everything since everybody was telling me that what I wanted to do could not be done because ...

No, everything you mentioned previously was not what you are now trying to do. Before, you talked about "logging in" to your computer. Anyone will interpret that as logging into your OS. You never said anything about authenticating before any boot loader is loaded. These are not the same things, as you are aware. Also, you kept mentioning using smartcards to access other websites/servers. This is where the full PKI comes into play and must be set up so that the website/server you are accessing believes that your cert is valid and acceptable as a representation of who you are.

I'm not arguing here, but please be more specific in the future.


I wanted to use a smartcard just to log into my stand-alone computer and pretty much everyone was telling me it could not be done.

On the other hand it seems to me like a matter of common sense that if I log in to my computer by typing a password on the keyboard then I should be able to log in by entering the password stored in some medium like a smartcard, pendrive, etc., including fingerprint. It does not seem to defy my common sense.

yes, this can be done, but again, it requires

1) you have a smartcard (which you don't have)
2) you have the hardware (which you do)
3) you have some sort of middleware that utilizes the hardware to read the card (which you appear to have)

I would also assume that you have to register your smartcard cert with your local machine somehow so it recognizes it as valid. I don't know how you would do that with your middleware since I wouldn't know where it would store that info if it's done before the hard drive is read.


How does Windows know it can trust me when I type my password? It does not go and ask any authority. It just checks that the password I just entered matches the one I entered originally. There is no "authority" other than myself. Such an authority may be needed or desirable in a multi-computer, domain-server, network where I would have access to resources owned by others but I cannot see why it is necessary for me in order to log into my own stand-alone computer where I own everything. When it comes to my own stand-alone computer *I* am the ultimate authority.

The authority in this case is the Windows database of users and passwords. The same logic can technically be applied to your computer, but as I mentioned above, it would require you to somehow register the smartcard with the machine so it knows that the certificate on your smartcard is a valid user for the computer. As a side note, you would probably want to set up a password fallback for when the smartcard expires and you can no longer access your own PC. The important thing here is that this is not a typical use of smartcards.

I am not sure how PKI works and I am not an expert in how Embassy Security Suite works internally but the way I understand it is that the pre-boot authentication is done by the BIOS before even starting the boot process. The pre-boot authentication can be done by (1) password, (2) smartcard and (3) fingerprint reader (my laptop does not have it installed). See http://www.wave.com/support/ets-support/preboot_enroll.htm

The passwords are kept in the TPM module and during the pre-boot authentication the user needs to supply a matching password by one of those three methods. Note that this authentication is done even before having *any* access to the hard disk, OS or network (which is what I want) so there is no way to check with any authority. If this authentication is not passed then there is no access to *any* of the laptop's resources.

I am not sure why the computer needs to communicate with any "authority" to verify who I am. My "password" (either typed, in a smartcard or as a fingerprint) is what verifies to the satisfaction of the TPM who I am without need for further consultation. I am not sure why it makes any difference whether I input a password/key via the keyboard or via a smartcard. The Wave Embassy program "enrolls" the smartcard which I think means it records the password on it or whatever it does to later recognize it as authentic. In any case, with that Wave Embassy software I can do what I was wanting to do and more. It also has a feature that can encrypt files by just keeping them in a virtual drive (similar to PGP's virtual drive) and some other additional goodies.

If you want a more detailed explanation you might want to look at the Wave website I linked to because I am not an expert. I just know that it works and does what I want.

It sounds like this middleware will do what you need it to do, but I have to ask where you plan to get a smartcard? You can't just walk into a store and ask for one (at least not that I've ever been aware of).
 
I wanted to use a smartcard just to log into my stand-alone computer

The method you described is not allowing you to log in. It is allowing you to boot. TPM is a pre boot hardware check and in no way shape or form has anything to do with the way the OS functions.

If you want to log in, you need to set up your OS and software to allow for this. When you posed the question, this is the manner in which I framed my responses. You will need a valid smart card, your laptop will need to be in an Active Directory environment, and you will need to get certs from your certificate authority. This environment is complex on purpose. If you want to play around and learn you will need a lab environment with two server OS (AD and CA) machines and one client at a minimum (this will just allow for the client to log in to Windows in a trusted CAC/PKI type environment). Add Exchange server and you can start to digitally sign emails.
 
I sense a certain hostility and people trying to blame me for asking the question all wrong. I think my question is pretty clear what I was trying to achieve but whatever, I have no interest in engaging in pointless arguments. My problem has been solved so I will answer a few questions and this will be my last post here.

I found several places online which sold Smartcards but I ended up buying it in a large department store which has a good computer department. I suppose I could save some money by buying online if I were to buy large numbers, but for just one (and a USB reader I got for another computer) it was not worth the hassle.

I think possibly Smartcard technology is more widespread in Europe than in the USA. Here I have seen Smartcard phone cards, parking cards, public transportation cards, credit cards, health care insurance cards, etc. In Spain for some years now the national ID card is a Smartcard holding the owner's certificate and digital signatures are recognised by law always. For quite some time things like property records have been possible to do via the Internet and beginning this year, by law, all transactions with the Administration must be doable through the Internet if the citizen so chooses.

The method you described is not allowing you to log in. It is allowing you to boot. TPM is a pre boot hardware check and in no way shape or form has anything to do with the way the OS functions.
I understand the distinction but it is without consequence because (1) no preboot authentication means no login, which would be enough for me but also (2) after the preboot authentication is complete I am then automatically logged in to Windows so, yes, it does log me into windows. Again, this seems to me like just trying to catch me in some minor error which, if it was the case would be inconsequential and which, in fact, is not the case as the software does log me into windows.


Well you also asked this in your original post...
I understand that a Smartcard can hold certificate and other info to log in and to digitally sign. How do I get this to work?
That requires PKI, certificates need a CA.
No it doesn't. I am logging into my computer without needing PKI or a CA (unless it is done transparently by the Embassy software and my own computer is the CA). In any case the Wave Embassy software which comes with the Dell laptop does what I need which is to log into my standalone computer using a smartcard.
I guess I'm just confused about you wanting to learn about smartcards but not wanting to use it the way they are 99.99999999999% of the time.
There are two different issues. One is a particular need I have to protect the data on my laptop and a different issue is general knowledge about network security. I am always interested in general knowledge but in this case I was more trying to resolve the particular issue. Whether my problem is unique or fairly common is irrelevant but the fact that TPM chips exist, that Dell sells hundreds of thousands of laptops with this security feature, and that Wave has a software program which directly addresses this question leads me to believe my problem is not unique but rather common. My guess is that there are other programs from other vendors which can do the same thing. The fact that you did not know this existed does not mean it does not exist. Another vendor who offers standalone smartcard logon: www.smartcardfocus.com.
I'm not sure what the point of using one stand alone would be?
You really do not understand the concept of a standalone computer or the point of its use or the point of protecting its data? Really? And how about computers that are part of P2P networks? Are you familiar with those?
Paranoid about security?
Are you serious? Are you really questioning the wisdom or need of keeping your confidential data protected? Every individual and enterprise who takes steps to protect their data is "paranoid" to you?

Why do you feel the need to question my motives? Why do you feel entitled to ask my motives? Why do I detect a certain hostility in your post? Does it bother you that I found the solution to my question independently? If so why?

I opened this thread looking for a solution to my particular problem and since I could not find it here I returned only to share the solution with others who might have the same question. I am not getting any further useful information, only pointless quibbles and arguments. I post what I learnt in case it might help others and my posts are met with hostility. I have found my answer. My computer is doing what I want it to do just fine and I only wanted to share. I have no interest in pointless arguments. I am not an expert in how TPM and Wave Embassy Suite and other software work so I recommend those with questions go to the original websites.

I now leave you so you call all bask in your tremendous feeling of superiority which I will no longer disturb with my presence in this thread. Sorry to have bothered you.
 
I think possibly Smartcard technology is more widespread in Europe than in the USA. Here I have seen Smartcard phone cards, parking cards, public transportation cards, credit cards, health care insurance cards, etc. In Spain for some years now the national ID card is a Smartcard holding the owner's certificate and digital signatures are recognised by law always. For quite some time things like property records have been possible to do via the Internet and beginning this year, by law, all transactions with the Administration must be doable through the Internet if the citizen so chooses.

It probably is more widespread but the concept is still the same, each of those cards will have a way to verify it is valid aka a certificate with a CA...if the cert is revoked then the card won't work. This is what we are trying to tell you that you are not wanting to learn about, you ended up with using a smartcard to preboot authenticate, that's completely different than using it to login or to conduct business in any of the manner of ways you listed.

You have no digital certificate, so you can't take advantage of any of the reasons organizations use smartcards. You just set it up so it requires your card to boot. If you wanted to protect your files you should have just encrypted your drive with BitLocker or TrueCrypt. What's going to stop someone from taking your drive out of your system to get the files?

I don't think anyone's really trying to be an ass, but to set up an infrastructure and replicate the use of a smartcard is a little complex. I support this crap every day at work, trust me.
 