CAC Smartcard Reauthenticate

Views: 387

Question

We have one browser-based application where we want to make the user reauthenticate when they enter it. So when they access that URL we want them to be presented with the PIN prompt so they have to reauthenticate. Is there a reasonable way to do that?

Added info: This is for a CAC card and the workstations have ActivIdentity and Tumbleweed on them. Also, I could add a service to the workstations if necessary. The browsers are all IE7. The web server is IIS 6 and the pages are written in ASP.NET (mostly).

Answer

There are a few different pieces of software involved here.

First is the card itself. To perform a digital signature, the CAC has to be in a "verified" state, meaning a PIN was entered after the card was inserted. Beyond that, each key on the card has a flag that indicates whether the PIN has to be entered every time the key is used. I haven't checked, but I think this is set for the "email" key pair on a CAC. Thus, you'd need to find which keys have this "always verify" flag set, and configure the path validator on the service to accept only those keys. You might be able to require a particular OID in extended key usage, or exclude some of the DoD intermediate certificates from path building (flagging them as revoked, perhaps).

The middleware on the machine talking to the card could also cache the PIN, and provide it to the card whenever the card indicates that it requires a PIN before it will complete an operation. I think that ActivClient was doing this with its PIN caching feature through version 6, but in version 7, this option seems to have gone missing. I haven't found anything like this in Windows built-in PIV support. This "feature" could compromise security, so my guess is that it was deliberately removed and there wouldn't be any registry hacks or otherwise to restore the behavior. This is something you wouldn't have control over, unless you manage the users' machines; there's no HTTP header or TLS option that you can use to enforce PIN entry. But, with newer systems, it should not be an issue.

On the server side, a complete handshake has to occur in order to make the client perform authentication. Client authentication won't happen if there's a valid TLS session. So you'd need to find a way to invalidate the TLS session (not the application session, which is probably tied to an HTTP cookie) before requesting authentication, or direct the authentication request to another interface that doesn't have sessions enabled.
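The answer suggests accepting, for the reauthentication URL, only client certificates whose keys are "always verify" keys, for example by requiring a particular OID in extended key usage. The module below is an added example for the ASP.NET/IIS 6 environment from the question; it is not code from the answer's author. The path `/reauth/` and the OID `1.2.3.4.5.6` are placeholders chosen for illustration, not values from the page or from any real PKI, and must be replaced with the path you protect and the EKU OID your issuing CA actually places on the key you want to enforce.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example, not from the original answer: an IHttpModule for the classic
// ASP.NET pipeline that, for one URL prefix, rejects requests whose TLS client
// certificate does not carry a required Extended Key Usage OID. IIS must already
// be configured to require client certificates on the site for this to matter.
public class ClientCertEkuModule : IHttpModule
{
    // Hypothetical values (assumptions for the example): the URL prefix that
    // requires reauthentication and the EKU OID that marks the acceptable key.
    private const string ReauthPathPrefix = "/reauth/";
    private const string RequiredEkuOid = "1.2.3.4.5.6"; // placeholder OID

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext context = app.Context;

        // Only the reauthentication URL gets the stricter check.
        if (!context.Request.Path.StartsWith(ReauthPathPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // IIS exposes the certificate negotiated in the TLS handshake here.
        HttpClientCertificate clientCert = context.Request.ClientCertificate;
        if (!clientCert.IsPresent)
        {
            Reject(app, "client certificate required");
            return;
        }

        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(clientCert.Certificate); // DER bytes from IIS
        }
        catch (CryptographicException)
        {
            Reject(app, "client certificate could not be parsed");
            return;
        }

        if (!HasEnhancedKeyUsage(cert, RequiredEkuOid))
            Reject(app, "client certificate lacks the required key usage");
    }

    // Returns true when the certificate's EKU extension lists the given OID.
    public static bool HasEnhancedKeyUsage(X509Certificate2 cert, string oidValue)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null)
                continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
            {
                if (string.Equals(oid.Value, oidValue, StringComparison.Ordinal))
                    return true;
            }
        }
        return false;
    }

    // Ends the request with 403 so the page handler never runs.
    private static void Reject(HttpApplication app, string reason)
    {
        app.Context.Response.StatusCode = 403;
        app.Context.Response.StatusDescription = "Forbidden";
        app.Context.Response.Write(reason);
        app.CompleteRequest();
    }
}
```

Register the module in web.config under `<system.web><httpModules>` with an `<add name="ClientCertEku" type="ClientCertEkuModule" />` entry. Note that this check only inspects whichever certificate the TLS handshake already negotiated; as the answer points out, when the browser resumes an existing TLS session no new client authentication (and so no new PIN prompt) takes place, so the module enforces which key is acceptable but does not by itself force a fresh handshake.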
