Looking for a secure Single Sign-On solution that fits the company's needs, SecurIntegration decided to implement a PKI based on Windows 2000 Server with smart cards and X.509 certificates. This article describes the users' experiences with the implemented PKI over three months of production use.
The public key infrastructure
SecurIntegration decided to implement their PKI mainly on a Windows 2000 basis, as described in the previous article "Implementing a public key infrastructure @ SecurIntegration".
The following services and applications have been integrated in the PKI:
– User logon to Windows operating system based on digital certificates (Microsoft Smart Card Logon)
– Secure eMail with encryption and signature using X.509 certificates, based on S/MIME
– Secure storage of local and centrally stored files using utimaco SafeGuard Private Disk
Furthermore the following guidelines have been issued:
– Every eMail that is addressed to internal recipients (*@SecurIntegration.de) has to be encrypted and signed.
– Every document not publicly available (i.e. downloadable from the Internet) has to be stored in a secure storage place (data safe).
– Users have to log on with their smart cards; passwords are not known to the users and do not work within the SecurIntegration network.
The users and their experiences
Most users have a technical background and work in the addressed field of security and technical integration on a day-to-day basis. Still, there are users in assistance, administration, HR and finance who do not have the technical background of the security consultants. The introduction and the handbook for the implemented PKI have been designed mainly for these users. This was successful: there were no problems registering the users and configuring the necessary services for first-time use.
Nevertheless, a few problems have been reported after using the PKI-integrated services in day-to-day production work.
Smart card logon to operating system
– If a user forgets the smart card (Aladdin eToken), there is no way to log on to the operating system. We covered that in two ways. Users mainly located at our office have a backup eToken stored in a safe. They can request the backup eToken and work as usual. Mobile users like our consultants cannot get hold of the backup that fast and have to work without the PKI services through a local logon to their notebooks. This means no encrypted / signed eMails, no decryption of received eMails and no Single Sign-On access to the secure storage. But still every user is able to complete the day-to-day work without the smart card.
– Isolated failures of the smart card driver have been reported. A user who locks his workstation by simply unplugging the eToken is occasionally unable to unlock it afterwards with his eToken. This leads to a system state where an administrative logon is required. An administrative logon cancels the current session, and unsaved documents or other work is lost.
S/MIME eMail with Microsoft Outlook
– S/MIME-encrypted eMails grow in size by a factor that is not known in advance. Sometimes an eMail can become twice as large as the unencrypted version. This leads to a larger amount of data to be transferred over the network and to higher storage capacity needed for storing the eMail.
– The private key required for the intended eMail signature has to be known to the operating system before the eMail client starts. Within our setup this is not a problem, because users have to use their smart card to log on to the system and therefore the private key for the eMail signature is already present before Outlook starts. But for other environments this issue can become problematic.
– In some cases an unexpected shutdown of Outlook has been observed when trying to forward a message encrypted. The reason for this behaviour has not been identified yet.
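The size growth of S/MIME mail noted above has a simple structural cause: the signed message carries the signer certificate and the signature as a base64-encoded PKCS#7 part, and encrypting that result wraps the whole thing, plus one RSA-encrypted content key per recipient, in a second base64 layer. Each base64 layer costs 4/3 (plus line breaks), so the overhead compounds and is worst for short messages. The following size model is an added example and not code from the article or from SecurIntegration; it performs no real cryptography, and the certificate, signature and key-blob lengths (CERT_LEN, SIG_LEN, KEY_BLOB_LEN) are assumed typical values, not measured ones.

```python
"""Size model for signed-then-encrypted S/MIME mail (added example, no real crypto).

The certificate, signature and ciphertext are modelled by byte strings of realistic
length only; the MIME framing and base64 encoding are the real ones from the
standard library, which is where the size growth comes from.
"""
import os
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed sizes (constructed, typical values): a DER-encoded user certificate of
# about 1.5 KB, an RSA-2048 signature of 256 bytes, and an RSA-2048 wrapped
# content key of 256 bytes per recipient.
CERT_LEN = 1500
SIG_LEN = 256
KEY_BLOB_LEN = 256


def plain_mail(body: str) -> bytes:
    """The unsigned, unencrypted text/plain message (baseline size)."""
    return MIMEText(body, "plain").as_bytes()


def clear_signed(body: str) -> bytes:
    """multipart/signed: the body stays readable, and a detached
    application/pkcs7-signature part carries the signer certificate plus the
    signature, base64-encoded (first 4/3 expansion, on the PKCS#7 part only)."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha1")
    outer.attach(MIMEText(body, "plain"))
    p7s = os.urandom(CERT_LEN + SIG_LEN)  # stand-in for the SignedData blob
    # MIMEApplication applies base64 content-transfer-encoding by default
    outer.attach(MIMEApplication(p7s, "pkcs7-signature", name="smime.p7s"))
    return outer.as_bytes()


def enveloped(inner: bytes, n_recipients: int) -> bytes:
    """application/pkcs7-mime EnvelopedData around the complete signed message:
    one wrapped content key per recipient plus the ciphertext, base64-encoded
    again (second 4/3 expansion, now over everything)."""
    recipient_infos = os.urandom(KEY_BLOB_LEN * n_recipients)
    ciphertext = os.urandom(len(inner))  # block cipher output: same length plus padding
    p7m = MIMEApplication(recipient_infos + ciphertext, "pkcs7-mime",
                          name="smime.p7m", smime_type="enveloped-data")
    p7m["Content-Disposition"] = 'attachment; filename="smime.p7m"'
    return p7m.as_bytes()


def size_factor(body: str, n_recipients: int = 1) -> float:
    """Ratio of the signed-then-encrypted message size to the plain message size."""
    return len(enveloped(clear_signed(body), n_recipients)) / len(plain_mail(body))


if __name__ == "__main__":
    for n in (200, 4000, 100_000):
        body = "x" * n
        print(f"{n:>7}-byte body,  1 recipient:  factor {size_factor(body, 1):.2f}")
        print(f"{n:>7}-byte body, 10 recipients: factor {size_factor(body, 10):.2f}")
```

Running it shows the effect the article reports: a few-kilobyte message roughly doubles or worse because the fixed certificate and key-blob overhead is large relative to the body, while very long messages converge towards the pure base64 factor of about 1.35 for the outer layer; every additional recipient adds another wrapped key, so mail to large distribution lists grows further.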
Secure storage with utimaco SafeGuard Private Disk
– The chosen software (utimaco SafeGuard Private Disk) is reliable, and once the data safe is created, users do not have to configure or administer the secure storage. Therefore most users are not very familiar with the software and need to consult the documentation for data safe usage within SecurIntegration, which was written during the introduction phase of the PKI.
The start of production use of the newly introduced PKI went very smoothly. All users were content with the provided features and the improved security level, which is not always to be expected: most security enhancements come with a loss of previously enjoyed convenience. The PKI features Single Sign-On and data protection have been highly welcomed by our users and offer at least the same convenience as before.