Omegapoint

2013-04-25

Mapping Multiple Accounts to a Single Smart Card


I was recently pointed to a well-written blog article that sparked a bit of interest here in the PKI lab: https://blogs.technet.com/b/askds/archive/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts.aspx

In a smart card enterprise environment, you still have administrators or other users with privileged accounts. How do you eliminate the need to issue separate smart cards to these accounts? The article describes how to map a single certificate to different accounts. One certificate can then be used to authenticate two different accounts using the same private key and the same PIN on the same smart card.

Now this is an interesting and unconventional way of solving the need for having several accounts connected to one smart card. However, this “user impersonation” presents the standard trade-off between usability and security:
  • Pro: having a single smart card is convenient for administrators
  • Con: this presents a lower level of security
The back-end configuration and the minimal hassle of configuring a GPO are not an issue in an enterprise environment, but the fact that you have one smart card with a single certificate, a single private key and therefore a single PIN code is a security concern and could constitute a security policy breach.
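
A defender's check for the shared mapping described above, as an added example that is not from the original post or the linked article. It assumes the explicit mappings are stored in each account's `altSecurityIdentities` attribute in Active Directory, and it flags any certificate mapped to more than one account; the account names, CA name and values are constructed, and lowercasing the names for comparison is a simplification.

```python
import re
from collections import defaultdict

# Constructed sample: (sAMAccountName, altSecurityIdentities values), shaped like
# the result of an LDAP query for (altSecurityIdentities=*). Not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice", ["X509:<I>DC=example,CN=Example Issuing CA<S>CN=Alice Admin"]),
    ("alice-adm", ["x509:<i>DC=example,CN=Example Issuing CA<s>CN=Alice Admin ",
                   "Kerberos:alice@PARTNER.EXAMPLE"]),
    ("bob", ["X509:<I>DC=example,CN=Example Issuing CA<S>CN=Bob User"]),
    ("svc-backup", ["X509:<SKI>3f2a9c0011"]),
]

_TAG = re.compile(r"<([A-Za-z0-9-]+)>([^<]*)")

def normalize_mapping(value):
    """Return a comparable key for an X509 mapping, or None for other kinds."""
    scheme, _, rest = value.partition(":")
    if scheme.strip().upper() != "X509":
        return None  # e.g. Kerberos: name mappings are not certificate mappings
    # Assumption: tags and names compare case-insensitively, whitespace is noise.
    parts = [(tag.upper(), data.strip().lower()) for tag, data in _TAG.findall(rest)]
    return tuple(parts) or None

def find_shared_mappings(accounts):
    """Group accounts by certificate mapping; keep mappings used by more than one."""
    owners = defaultdict(set)
    for name, values in accounts:
        for value in values:  # the attribute is multi-valued
            key = normalize_mapping(value)
            if key is not None:
                owners[key].add(name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}

def report(accounts):
    """One line per certificate that can log on to several accounts."""
    lines = []
    for key, names in sorted(find_shared_mappings(accounts).items()):
        ident = " ".join(f"{tag}={data}" for tag, data in key)
        lines.append(f"SHARED {ident} -> {', '.join(names)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACCOUNTS)) or "no shared certificate mappings")
```

Each reported line identifies one certificate, and therefore one private key and one PIN, that unlocks every listed account.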

So how do we solve this problem while staying secure and compliant? Our recommendation would of course be the standard way, which is to have one certificate per connected account on the smart card, but with a twist: multiple certificates, individual PINs, one smart card.

Pros:
  1. No change to the back-end
  2. Security and compliance maintained
  3. You can have separate policies on individual accounts. Examples:
    • Individual PIN with individual PIN policies and requirements. 
    • The certificates can be issued from separate CAs and have different characteristics such as key length. 
  4. The users don't have to enter their user names when logging in.
  5. If a user’s role changes, individual certificates can be revoked. Say for instance an administrator is promoted to manager; his/her admin certificate can be revoked while keeping the user identity intact.
This is all taken care of in a swift way if you use a modern smart card management system, like vSEC:CMS from Versatile Security. Issuance of certificates is usually done during the card issuance process. Configuring issuance of certificates to different accounts onto the same card, which is called Roles, is done in the following way.

The PKI team at Omegapoint has put together an offer for an entry level system: products and services. The Omegapoint PKI-Smart Card Offer is available here.


Peter Swedin
CTO Omegapoint Inc.
