The reader may attach to your computer via a standard serial port (often powered by a PS/2 pass-through adapter), a Type II PC Card, or a USB port. You can use smart cards for multiple purposes, and they are extensible to third-party applications. The primary uses for smart cards in Windows XP are user authentication, the signing and encrypting of e-mail, VPN encryption, and authentication. The smart card is really just a secure method of storing digital certificates, and therefore your digital identity, in a portable and PIN-protected format. When combined with a policy requiring the smart card to log on locally or via RAS or VPN, you ensure that your user has both his smart card and PIN, which can be an effective deterrent to simple password-guessing or brute-force attacks.

www.syngress.com | Chapter 11 | Understanding Windows XP Security | Page 580

Simply installing the smart card reader enables the smart card to be used by Windows XP. At the Logon Screen, where you would normally be prompted to press Ctrl+Alt+Del to log on, you may now either insert your smart card and enter your PIN to log on, or press Ctrl+Alt+Del and type in your username, password, and logon information. Your smart cards are only usable for user authentication in a domain environment, not in standalone mode or as part of a workgroup.

Most of the setup for smart cards is done at the domain level and is beyond the scope of this book, but let's look at a general overview of the requirements and setup. First, you will need to create an Enterprise Root CA and one or more Enterprise Subordinate CAs within the domain. Along with the installation of the CA, you may also install a Web-based front end for requesting certificates. An administrator, for whom you have created a certificate as an enrollment agent, may request a certificate on behalf of your users and write the certificate to the smart card. Certificates may be issued for multiple purposes, including logon.

Extensible Authentication Protocol

EAP is an extension to the Point-to-Point Protocol (PPP) and is defined in RFC 2284, PPP Extensible Authentication Protocol (EAP). EAP allows an arbitrary authentication method to be used for communicating credentials and arbitrary-length information exchanges. EAP was created in response to demand for more robust authentication methods, which use additional security devices such as certificates or smart cards as well as standard username and password combinations. EAP is now an industry-standard method for using additional authentication methods with PPP.

When you use EAP, Windows XP supports specific authentication schemes, which are referred to as EAP types. Standard EAP types may include token cards, one-time passwords, public key authentication using smart cards, certificates, and others. EAP, in conjunction with strong EAP types, is a critical technology component for a secured VPN connection. Strong EAP types such as those based on certificates offer better security against brute-force or dictionary attacks and password guessing than do password-based authentication protocols, such as CHAP or MS-CHAP.

Windows XP includes support for two EAP types: EAP-MD5 CHAP (roughly equivalent to the CHAP authentication protocol) and EAP-TLS, which you may use for user certificate-based authentication (including certificates stored on smart cards).

EAP-MD5 CHAP is a simple username and password authentication method, which is equivalent to the CHAP authentication protocol. EAP-MD5 CHAP does not support encryption, so it is not the preferred EAP type.

EAP-TLS is a bidirectional authentication method, in which the client and the server must prove their identities to each other. During the EAP-TLS exchange, the client sends its user certificate, and the remote access server or RADIUS server sends its computer certificate. If either certificate is not sent or if a certificate is invalid, the connection is terminated. During EAP-TLS authentication, if encryption is required or requested, shared secret encryption keys for use with Microsoft Point-to-Point Encryption (MPPE) are generated. MPPE allows for encryption of PPP data with either dial-up networking (DUN) or VPN.

EAP-TLS is preferred because it offers support for MPPE as well as certificate-based authentication, including smart card based certificates. Both EAP-MD5 and EAP-TLS are supported for 802.1x authentication as well.
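As an added illustration of the RFC 2284 packet format this section describes (example code, not from the book or from Windows XP), the Python below decodes EAP Request/Response packets and walks a constructed exchange to report which EAP type the peers actually settled on, so an administrator checking a capture can confirm that a certificate-based type such as EAP-TLS, rather than EAP-MD5 CHAP, was negotiated. The sample bytes, the client name "alice" and the server name "srv" are constructed for the example.

```python
import struct
from collections import namedtuple

# EAP packet Codes and method Types from RFC 2284; Type 13 (EAP-TLS) comes from RFC 2716.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time Password", 6: "Generic Token Card", 13: "EAP-TLS"}
STRONG_METHODS = {"EAP-TLS"}  # certificate-based; MD5-Challenge (EAP-MD5 CHAP) is password-based
EapPacket = namedtuple("EapPacket", "code identifier eap_type type_data")

def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(raw):
        raise ValueError("Length field disagrees with packet size")
    body = raw[4:length]
    if code in (1, 2):  # only Request and Response carry a Type octet
        if not body:
            raise ValueError("Request/Response without Type octet")
        return EapPacket(EAP_CODES[code], ident, EAP_TYPES.get(body[0], f"Unknown({body[0]})"), body[1:])
    return EapPacket(EAP_CODES[code], ident, None, body)

def negotiated_method(packets):
    """Return the method the peer accepted (None if none); a Nak rejects the offered Type."""
    offered = agreed = None
    for raw in packets:
        pkt = parse_eap(raw)
        if pkt.code == "Request":
            offered = pkt.eap_type
        elif pkt.code == "Response":
            if pkt.eap_type == "Nak":
                offered = None
            elif pkt.eap_type == offered and offered not in ("Identity", "Notification"):
                agreed = offered  # Identity/Notification are not authentication methods
    return agreed

# Constructed sample exchange (not a real capture): the server offers MD5-Challenge,
# the client Naks it asking for Type 13, and EAP-TLS is then carried out.
SAMPLE_EXCHANGE = [
    bytes.fromhex("0101000501"),                     # Request  Identity
    bytes.fromhex("0201000a01") + b"alice",          # Response Identity "alice"
    bytes.fromhex("0102000d0404deadbeef") + b"srv",  # Request  MD5-Challenge, 4-byte value, name "srv"
    bytes.fromhex("02020006030d"),                   # Response Nak, desired Type 13
    bytes.fromhex("010300060d20"),                   # Request  EAP-TLS (Start flag set)
    bytes.fromhex("020300060d00"),                   # Response EAP-TLS
]
```

`negotiated_method(SAMPLE_EXCHANGE)` returns "EAP-TLS"; a sequence in which the client answers the MD5-Challenge instead would return "MD5-Challenge", which is not in `STRONG_METHODS`.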