Many IT professionals claim to be immune to Pass-the-Hash and Pass-the-Ticket attacks. Unfortunately that is not the case, since the traditional Windows Smart Card Logon generates an “everlasting” hash and thus provides less protection against Pass-the-Hash attacks than the regular password-only logon process.
The above is one reason why our Aloaha Smart Login offers different logon mechanisms. While we do support standard Kerberos-based authentication (basically similar to the standard Windows Smart Card Logon), we do not recommend it for the above reasons. We suggest the following authentication methods:
- Smart Card Logon with any certificate
- Keycard Logon via NFC/Mifare/Desfire/Keycard
- PKCS #11 Logon
- More authentication methods with the new CodeB Credential Provider V2
More details:
All Windows authentication protocols (NTLM and Kerberos) create tokens which are stored in memory. They are called the NTLM hash and the Kerberos ticket and are created to support Single Sign-On (SSO).
These in-memory tokens are created during the logon process, including the traditional Windows Smart Card Logon. So, independent of how you log on, you are always exposed to Pass-the-Hash and Pass-the-Ticket attacks. Those attacks allow the attacker to use the stolen identity long after the Smart Card has been removed from the infected machine.
The Problem with the traditional Windows Smart Card Logon:
In order to support systems that require NTLM authentication, Windows needs to generate an NTLM hash. Since a Smart Card has no password to derive the hash from, Windows engineers decided to artificially generate an NTLM hash for Smart Card users.
The problem: this token, which is password equivalent, NEVER EXPIRES.
This is not an implementation bug, as Microsoft’s official white paper states explicitly: “If the account has been configured with the attribute Smart Card required for interactive logon, then the NT hash is a random value calculated when that attribute was enabled for the account. This password hash is provided to the client computer during the smartcard logon process by the domain controller. This password hash that is automatically generated when the attribute is set does not change.”
Conclusion
Malware that was able to grab the NTLM hash of a Smart Card user steals that identity forever. The victim would have been better off had she used a password to log in to the infected machine.
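As an added example (not Aloaha’s code, and not part of the original article), the following PowerShell script lets a domain administrator audit the situation described above: it lists enabled accounts that have “Smart card is required for interactive logon” set and estimates how old their auto-generated NT hash is, using PasswordLastSet as a proxy (an assumption: the flag being set resets the account password, so the timestamp tracks the random hash). It also contains a remediation function that clears and re-sets the flag, which makes the domain controller generate a new random hash and invalidates any copy previously captured from memory. It assumes the RSAT ActiveDirectory module and an account with rights to read and modify the users in question; the 90-day threshold is a constructed value.

```powershell
# Added example, not from the original article or from Aloaha.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read
# user objects (and, for remediation only, modify them).
Import-Module ActiveDirectory

# Constructed threshold: how old a smart-card account's random NT hash may get
# before we treat it as stale. Align it with your password-rotation policy.
$maxAgeDays = 90
$cutoff = (Get-Date).AddDays(-$maxAgeDays)

# Enabled accounts with the SMARTCARD_REQUIRED flag. PasswordLastSet is used as a
# proxy for the age of the random hash (assumption: setting the flag resets the
# account password, so the timestamp tracks the hash).
$smartCardUsers = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, SmartcardLogonRequired

$report = $smartCardUsers | Select-Object SamAccountName, PasswordLastSet,
    @{ Name = 'HashAgeDays'
       Expression = {
           if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
       } },
    @{ Name = 'Stale'
       Expression = { ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff) } }

# Report-only by default: show every smart-card account, stale ones first.
$report | Sort-Object -Property Stale -Descending | Format-Table -AutoSize

# Remediation for accounts you have reviewed. Clearing and re-setting the flag
# makes the DC calculate a fresh random NT hash, so a hash stolen earlier no
# longer authenticates. Existing sessions for that user will need a fresh logon.
function Reset-SmartCardHash {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $false
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    Write-Verbose "Regenerated NT hash for $SamAccountName by toggling SmartcardLogonRequired"
}

# Uncomment to rotate every stale account found above:
# $report | Where-Object Stale | ForEach-Object { Reset-SmartCardHash -SamAccountName $_.SamAccountName -Verbose }
```

The script deliberately only reports by default; the toggle in Reset-SmartCardHash changes the account’s password-equivalent secret, so it belongs in a scheduled rotation job rather than an ad-hoc run. Domains at the Windows Server 2016 functional level can additionally have the domain controller roll these hashes on its own (Microsoft documents this under rolling NTLM secrets for smart-card-only accounts); the audit above remains useful to confirm that rotation is actually happening.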
Why Aloaha?
All Aloaha Smart Card Windows Logon methods make additional use of the user’s password to avoid the above problem. Tokens which have been generated during an Aloaha Smart Card Logon expire the same way as password-based tokens!