Three different types of smart cards are shown and described in this segment. Scott describes the features and use of proximity cards and contact-less smart card technology, contrasted with the most common contact smart cards. The technologies are compared based on relative security features including ease of skimming.
- [Narrator] When you start talking about smart cards, there are several images that come to mind. Let's take a look at some of them and their relative features, and choose the one that best fits our needs. The first technology I want to look at is the least likely candidate for our use. The proximity cards are very common in building access technology. These cards have no visible chip, because the workings are all buried inside the card. Most of the time, this type of card is read only, and has a preassigned code.
It's often used for building access, where a database app that controls the doors lists entry points and security groups that are allowed to access these doors, and in these systems, a preconfigured card number is assigned to one of these security groups. These are arguably not "smart" cards. There are other types of contactless technology, more aptly called smart cards. This technology is defined by ISO standard 7816, and it allows certificates to be written to these cards.
The chief benefit to this technology, however, is also its biggest risk. You can transmit information to and from the card, simply by holding it very near the reader. That's convenient and because there is no hard contact, there's virtually no wear and tear on the card. But the downside is the same as magnetic bank cards. The content can be picked up by a reader nearby, up to 25 feet away for some technologies. Contactless cards can be triggered by a reader that's in the purse or backpack of someone near you.
If you're hoping to improve security to the access to your network, you might need to consider the risk of the cards being compromised. Contact cards are the smart cards that look kind of like the average microchip bank card, or even the SIM card for most mobile phones. The metallic interface on the surface of the card is a connection to the internal processor and storage. Readers for this type of technology usually have a slot to insert the card and maintain contact while the card's being used.
Because a contact card can remain inserted throughout the session, the entire session can be managed by the presence of the card. There's even a policy in Active Directory that can log off a session or take other action when a card is removed. If we look at the available products and their price tags, we're going to find things in just about every price point. I found in my search that the contact readers are easier to find and cost less than the contact-less readers that are designed for certificates or for access security.
But some of the cards can get pricey, so be aware of the long-term cost of these systems as well. And there are combination cards that contain the visible chip and an RFID proximity for those who want to combine building access with a certificate smart card, but you need to make sure with that type of technology that you know what is accessible from the proximity antenna. It wouldn't do you any good to use a chip for higher security and then find out someone nearby can pick up that certificate.
For the demonstrations in this chapter, I'm going to be using an inexpensive contact reader and writer, along with a couple of PIV cards. The reader is USB, and Windows 10 picked up the drivers automatically, and the cards use a technology that's natively supported by Microsoft Cryptography, which makes this a good choice for us. There is some pretty amazing hardware out there, but let's be honest with each other, using this stuff is a lot more fun than shopping for it, so let's take a look at putting this technology to work.
- Installing root and subordinate certificate authorities
- Revoking certificates
- Configuring an online responder
- Managing certificate templates
- Renewing certificates
- Archiving private keys
- Using smart cards