Smart Card Logon - The Kerberos v5 security provider implements the current IETF draft for PKINIT to support certificate-based authentication.

GINA/Winlogon - Recognizes the card insertion and prompts the user for a PIN rather than a password.

The certificate is retrieved from the card and used to identify the user after a challenge-response requiring a private key operation on the smart card.

KDC - The Key Distribution Center looks up the user in the Active Directory based on the identity in the certificate.

The end result is a Kerberos Ticket Granting Ticket (TGT) that can be used to request access to network resources, including access to UNIX-based databases using delegation and referral.