CAC Smartcard Reauthenticate
We have one browser-based application where we want to make the user reauthenticate when they enter it. So when they access that URL we want them to be presented with the PIN prompt so they have to reauthenticate. Is there a reasonable way to do that?

Added info: This is for a CAC card and the workstations have ActivIdentity and Tumbleweed on them. Also, I could add a service to the workstations if necessary. The browsers are all IE7. The web server is IIS 6 and the pages are written in ASP.NET (mostly).

Consentient answered 25/11, 2009 at 23:47 Comment(2)
Please share how this issue got resolved. :) – Allaround
@Kevin I pushed back on the requirement by explaining to the customer that the PIN timeout on the CAC card is completely independent of the browser. From a security standpoint it is not a good idea to try to interfere with the normal functioning. Their security person agreed that it was not necessary to have the client reenter the PIN every time; a better approach is to only reenter if it has expired. – Consentient
11

There are a few different pieces of software involved here.

First is the card itself. To perform a digital signature, the CAC has to be in a "verified" state, meaning a PIN was entered after the card was inserted. Beyond that, each key on the card has a flag that indicates whether the PIN has to be entered every time the key is used. I haven't checked, but I think this is set for the "email" key pair on a CAC. Thus, you'd need to find which keys have this "always verify" flag set, and configure the path validator on the service to accept only those keys. You might be able to require a particular OID in extended key usage, or exclude some of the DoD intermediate certificates from path building (flagging them as revoked, perhaps).

The middleware on the machine talking to the card could also cache the PIN, and provide it to the card whenever the card indicates that it requires a PIN before it will complete an operation. I think that ActivClient was doing this with its PIN caching feature through version 6, but in version 7, this option seems to have gone missing. I haven't found anything like this in Windows built-in PIV support. This "feature" could compromise security, so my guess is that it was deliberately removed and there wouldn't be any registry hacks or otherwise to restore the behavior. This is something you wouldn't have control over, unless you manage the users' machines; there's no HTTP header or TLS option that you can use to enforce PIN entry. But, with newer systems, it should not be an issue.

On the server side, a complete handshake has to occur in order to make the client perform authentication. Client authentication won't happen if there's a valid TLS session. So you'd need to find a way to invalidate the TLS session (not the application session, which is probably tied to an HTTP cookie) before requesting authentication, or direct the authentication request to another interface that doesn't have sessions enabled.

Datary answered 26/11, 2009 at 0:8 Comment(6)
Thanks sylvarking, I think I understand what you are saying. I do have a lot of control over both the servers and the workstations (a few hundred of them), so maybe I could do something in the browser that would cause the smart card to require a PIN? – Consentient
That's right. If you administer the workstations, you might be able to configure all of the card reader software to prompt for the PIN more often. For example, I've used ActivClient as the card reader software. It's what actually pops up the dialog to ask for the PIN, and there's a setting to control how often a user needs to re-enter it. – Datary
I feel fortunate to have found someone with ActivIdentity experience. Your response prompted me to look at the PIN Caching Service, which I had not seen before. I can see 12 properties and one of them is called "Enable PIN Caching". I'm going to try turning that off. – Consentient
PIN Caching Service being a property in the ActivClient configuration manager. – Consentient
To not mess with terms - it is the "card software", not "card reader software". By changing PIN cache settings you can't beat the way SSL works in the browser. If you need custom authentication flows, maybe look at OpenID and the trustbearer.com OpenID service. If I remember correctly, they implement a plugin-based authentication where there is a custom plugin that talks to the card. Probably that triggers a PIN dialog (as it uses an implicit sign operation? don't know the details..) for every transaction. – Johnny
Thanks again Martin, I suspect I'm using the wrong vocabulary in numerous places, which makes it hard for people to understand my goal. I appreciate your being so patient. – Consentient
7

There are two ways of doing smartcard client authentication on the web: standard TLS/SSL or custom plugins for the browser. I assume you're talking about standard web browsers (IE/FF/Safari) and SSL authentication.

There are two things that matter for PIN prompts:

  • SSL session and SSL session cache of the browser
  • on-card authentication state of the related private key
  • the way middleware is implemented.

In the end, from a security perspective, it is the card that knows when to "ask for" a PIN - some cards and keys require a PIN for every operation with the key, some cards are OK to get a PIN once and leave the keys in authenticated state until it is removed from the reader or reset by an application.

If the session in the cache of the browser can not be re-used or when the connection is being established, smart card middleware (PKCS#11 on Linux, CryptoAPI/BaseCSP module on Windows or Tokend on OSX) needs to talk to the keys on the card. If the authentication state on the card requires a PIN to be entered, a callback is usually triggered by the browser. Or if the middleware knows it will need the PIN, it will ask it before talking to the card.

There is no 1:1 relation between entering a PIN and actually re-authenticating access rights to the private key and re-authenticating the SSL session.

With standard SSL, you depend on the way SSL is implemented in browsers and can not have a 100% reliable "re-authenticate by entering PIN" on the client side.

If you are using Linux, then with OpenSC (which, AFAIK can use CAC cards) you can set "transaction_reset" in opensc.conf to true, which results in the card being reset after every transaction (every SSL session negotiation) and this way you can be sure that whenever you open a new SSL session, user has to enter the PIN again. This is a client side configuration though, not a server-initiated feature.

Johnny answered 26/11, 2009 at 8:51 Comment(7)
Thanks Martin for the excellent comment. I see that I should have provided more info, but I'm still very ignorant about what is meaningful in this situation. The workstations do have middleware called ActivIdentity or ActivClient. The process is named accoca.exe. They are also running Tumbleweed. – Consentient
Also, I get from your comment that my challenge is to somehow convince the card that it needs to ask for a PIN again. I haven't figured out how the middleware works yet, but would it be reasonable to say that when the user accesses a URL, I could put something in the web page that would cause the CAC to decide that it needs to ask for a PIN? Maybe I could kill the SSL session? (Sorry if that is a dumb idea, I'm a little confused). – Consentient
When I clear the SSL state (using IE7 - Tools - Internet Options - Content - Clear SSL State), it prompts me for the cert but not the PIN. If I pick the correct cert it works, if I pick the wrong cert, it fails. So why would it prompt me for the cert again, if it isn't going to prompt for the PIN? I don't get it! – Consentient
Clearing the browser SSL cache removes the session. So probably the middleware does not implement any special PIN tricks and works exactly the way I described - once the card is in authenticated state, the key can be used as long as the application is not restarted or the card removed. It asks for the certificate to know which private key you want to use, and if you choose your smart card one, it can use it to establish a new session because the key on the card is already in the authenticated state. – Johnny
Ah, I see. It is asking for the cert because you could be doing different things with different keys at the same time. I should have thought of that! You might have seen my other question where I found out that exiting IE7 will always cause a PIN prompt the next time IE7 starts. This leads me to believe that IE7 does something on exit that "resets" the card state. If I could figure out what that is I would be a step closer to what I need (I think). – Consentient
Yes, acquiring a crypto context from CryptoAPI and releasing it (that's what happens when you start/close an application) does reset the card. It's not "something" that needs to be believed in, as it is a simple SCardConnect() / SCardDisconnect() pair that is required to access smart cards. You can't request a card reset from the SSL layer. It's like knowing that turning the key starts or stops a car: you can make it stop if you go over 100 km/h by hacking some wires to the speedometer, but that's not the way a car (or a speed limiter, as that is what you actually want) is supposed to work. – Johnny
I think I get it now. Thank you for helping me understand. The PIN doesn't leave the smartcard and the PIN timeout is completely independent of the browser SSL session. I have put the idea of using a hack to force a new PIN prompt combined with clearing the SSL cache in my "not such a good idea" folder. I'm pushing back to get the requirement changed. Thanks again. – Consentient
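The behaviour worked out in the two answers above (a resumed TLS session never touches the card, clearing SSL state forces a handshake but no PIN, exiting the browser resets the card, an "always verify" key or the OpenSC transaction_reset option forces a prompt on every handshake, a middleware PIN cache answers the card silently), as an added toy model that is not code from any answer or product; the Card, Middleware and run names, the "auth" key and the PIN value are constructed here.

```python
# Added toy model (constructed, not from any answer) of the layers discussed above.
class Card:
    """Keys work once the PIN is verified; 'always verify' keys need it every time."""
    def __init__(self, always_verify_keys=()):
        self.always_verify = set(always_verify_keys)
        self.verified = False            # on-card authentication state
    def needs_pin(self, key):
        return key in self.always_verify or not self.verified
    def sign(self, key, pin=None):
        if pin is None and self.needs_pin(key):
            raise PermissionError("card refuses to sign without a PIN")
        if pin is not None:
            self.verified = True         # PIN is checked on the card and never leaves it
    def reset(self):                     # SCardDisconnect, card removal, transaction_reset
        self.verified = False

class Middleware:
    """CSP/PKCS#11 layer; cache_pin mimics a PIN cache, transaction_reset the OpenSC option."""
    def __init__(self, card, cache_pin=False, transaction_reset=False):
        self.card, self.cache_pin, self.tx_reset = card, cache_pin, transaction_reset
        self.cached_pin = None
    def sign(self, key):
        """Return 'prompt' (user asked), 'cached' (middleware supplied it) or 'silent'."""
        if not self.card.needs_pin(key):
            how, pin = "silent", None    # card is still in authenticated state
        elif self.cached_pin is not None:
            how, pin = "cached", self.cached_pin
        else:
            how, pin = "prompt", "1234"  # constructed PIN typed by the user
            self.cached_pin = pin if self.cache_pin else None
        self.card.sign(key, pin)
        if self.tx_reset:
            self.card.reset()
        return how

def run(actions, always_verify=False, cache_pin=False, transaction_reset=False):
    """Replay 'connect' / 'clear' (Clear SSL State) / 'close' (exit IE); return each connect's outcome."""
    mw = Middleware(Card({"auth"} if always_verify else ()), cache_pin, transaction_reset)
    sessions, out = set(), []            # the browser's TLS session cache
    for action in actions:
        if action == "connect" and "app" in sessions:
            out.append("resumed")        # session reuse: the card is never touched
        elif action == "connect":
            out.append(mw.sign("auth"))  # full handshake: client signs with the card key
            sessions.add("app")
        elif action == "clear":
            sessions.clear()
        elif action == "close":          # releasing the crypto context resets the card
            sessions.clear(); mw.card.reset()
    return out
```

The default run reproduces the observation in the comments: clearing SSL state yields a full handshake with the certificate chosen but no PIN, while only closing the browser (or a per-operation key flag, or a middleware reset option) brings the prompt back.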
0

You can use a JavaScript function to make the browser forget the existing SSL cache on a few browsers:

function logout() {
    // clear browser authentication cache
    // IE specific
    try
    {
        document.execCommand("ClearAuthenticationCache", "false");
    }
    catch(e)
    {
        // do nothing
    }

    // clear for firefox or any browser that supports window.crypto API
    if (window.crypto && typeof window.crypto.logout === "function") {
        window.crypto.logout();
    }
}

You can use the JavaScript setTimeout method to call the above logout function and possibly redirect them to a logout.aspx page to force the client to enter a new PIN.

But it uses JavaScript, and the code is browser-dependent and does not work for all browsers.

Moonstone answered 11/5, 2016 at 19:13 Comment(0)
