projects techreports press lab location staff
citi top.2 top.3
citi mid.3
bot.1 bot.2 bot.3

Projects : Single Signon : NT login with Smart Card

No More Passwords!

    CITI has a vision of a login procedure that starts with Kerberos keys stored securely in a smartcard. On approaching a machine for login, the user inserts the card, which automatically identifies the Uniqname and engages in a Kerberos challenge/response for authentication. A panel on the computer's screen (or a text-based login command) pops up and requests a PIN. Because smartcards have hardware protection for storing data elements such as PINs, guessing (or "dictionary") attacks are thwarted. In contrast, a diligent hacker can obtain hundreds, even thousands of Uniqname/password pairs with an offline dictionary attack over a few days. (I confirmed this a few years ago by "cracking" over 3,000 Uniqname passwords with a few days effort.) At CITI we are experimenting with protocols and procedures along these lines in anticipation of such an information technology infrastructure.

    1. We do not want passwords because ...

    • Easy to steal or compromise.
    • Easy to forget.
    • No way to detect a stolen password.
    • Too short to be secure, or too long to remember.
    2. Smart Cards are better because ...
    • To logon You need something you know (PIN) plus something you have.
    • Physically secure.
    • You know when you've lost it.
    • PIN is short and easy to remember.
    • PIN guessing is thwarted by smart card hardware projects | techreports | press | lab | location | staff Email address
or call +1 734 763 2929
Copyright © 1996-2013
The Regents of the University of Michigan