10.2 Smart Cards

Traditionally, Kerberos has relied solely on one of the three factors of authentication, namely, something you know. As discussed early on in Chapter 2, the security of authentication systems can be greatly enhanced by requiring more than one factor to grant authentication. Smart cards provide another factor (what you have), and some Kerberos implementations support the use of smart cards for initial authentication.

The use of smart cards solves one of the most problematic issues with Kerberos; namely its dependence on users to choose (and remember) good passwords. Traditionally, the user's long-term key is a password, which is something the user must choose and memorize. The human brain is notoriously poor at producing and consequently remembering random sequences, so passwords are typically something easily remembered by the user. As a consequence, passwords have low entropy, and most fall to dictionary attacks. The use of pre-authentication in the initial Authentication Server exchange mitigates this risk somewhat, but a determined attacker who can sniff Kerberos protocol exchanges over the network can still obtain encrypted material on which to perform a dictionary attack.

In addition, smart cards limit the exposure of the sensitive cryptographic keys used throughout the Kerberos protocol. Secret keys stored on machine hard disks, such as keytab files, are vulnerable to attack. Even though filesystem protection is designed to prevent unauthorized users from reading sensitive files, software bugs persist that, when exploited, provide attackers with administrative access to the entire computer, including any encryption keys stored within.

Smart cards solve this problem by storing the key material internally on the smart card itself, and never allowing the key material to leave the smart card. Instead, the smart card has enough processing power to perform the cryptographic functions necessary to generate and respond to Kerberos authentication messages. Storing the key material on the smart card and securing the smart card from unauthorized access means that an attacker who has control over the user's workstation can never retrieve the encryption keys stored inside of the smartcard. This also mitigates Trojan horse techniques, where a program masquerading as the Kerberos login program acquires unwitting users' passwords.

Since a smart card is a physical device, it needs an interface to the host computer—the smart card reader. Smart card readers can connect to the host computer through several physical means, including serial, USB, and for laptops, PCMCIA slots. Because of the requirement for specialized hardware connected to the host machine, smart cards are currently only practically deployable in an organization's network.

Attacks on smart cards are difficult, as they are small physical devices designed to resist attack. It requires a determined and well-funded adversary to carry out an attach on a smart card. Analyses of the smart card's power usage and timing have been developed that greatly reduce the search space of possible encryption keys during a brute-force attack on a key stored inside of a smart card. Since the amount of calculations needed to perform encryption algorithms depends on the size and content of the encryption key, these attacks analyze the minute differences in power and time as the smart card performs these operations on various data. Determined attackers can narrow down the possible encryption keys based on this analysis and on detailed knowledge of the algorithms involved.

Incidentally, the timing attack has been demonstrated as a useful against on traditional software-based encryption software as well; a security advisory issued in 2003 warned users that the popular OpenSSL software package exposes timing information that may be enough for an adversary to derive the private encryption keys on a server. This goes to show that you can never be paranoid enough when implementing cryptographic systems.

10.2.1 Smart Cards and the Kerberos Protocol

Smart cards are typically deployed as part of a Public Key Infrastructure. When a new user is enabled, a public key pair is generated for the user, the public key is signed by the certificate authority, and the resulting key pair and certificate are placed onto the smart card's memory. The smart card is then issued to the user.

When the user uses a smart card to authenticate to a Kerberos realm, he inserts the smart card into the smart card reader connected to his computer. The computer prompts the user for a PIN, which is then sent to the smart card. The PIN unlocks the portion of the memory that houses the user's public key pair, to lessen the damage if the smart card is lost or stolen. Once the card has been unlocked in this way, PKINIT is used to obtain initial tickets for the user. The only difference is that the actual decryption of the initial AS response from the KDC is performed on the smart card itself, so that the public key pair is never directly accessible to the host computer.