Enterprise Smart Card Deployment in the Microsoft Windows Smart Card Framework

June 2006

Derek Adam
Microsoft Corporation

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are the property of their respective owners.

Table of Contents

Introduction
  Audience
  Purpose
  In This Document
  Additional Reading
Architecture Overview
  Card Modules
  Base CSP
    Base CSP vs. Monolithic Custom CSP
  Smart Card KSP
Feature Overview
  Changing a User PIN
    Change a User PIN using Windows Vista
  Smart Card Unblock
    Smart Card Unblock in Windows Vista
    Smart Card Administrator Access
  Elliptic Curve Cryptography Features
Deployment Considerations
  Managing Smart Card Administrator Keys
  Client Software Deployment
  User Access for Unblock
    Unblock for “Smart card required logon”
    Unblock When Passwords Are Permitted
  Questions to Ask Your Smart Card Vendor
Troubleshooting
  Tools
    CertUtil
    Event Viewer
    Registry Editor
  Areas to Investigate
    Smart Card Services
    Calais Section of the Registry
    Card Module File
    Device Manager
Other Resources

Introduction

Microsoft’s Base Smart Card Cryptographic Service Provider (Base CSP) and Smart Card Key Storage Provider (Smart Card KSP) are part of Microsoft’s ongoing commitment to, and evolution of, smart card infrastructure support for the Microsoft® Windows® platform. The new architecture is meant to simplify deployment, bring consistency to smart card interface implementations, and make it simpler to access end-user smart card management features in the platform.

Audience

It is assumed that the audience for this document has some basic knowledge of public key infrastructure (PKI) and smart card concepts. For more information about these topics, see Other Resources.

This document was written for enterprise information technology professionals who are planning or implementing a smart card deployment. This includes Information Technology (IT) directors and IT personnel.

Smart card vendors who write card modules should also read this document to understand the scenarios Base CSP and Smart Card KSP enable and to see how IT departments will plan deployments for card module smart cards.

Purpose

This document is meant to help information technology professionals understand the smart card features enabled by the new smart card architecture, and to help those planning smart card deployments make informed decisions.

In This Document

This document provides information on the value that the Microsoft Base Smart Card Cryptographic Service Provider and Microsoft Smart Card Key Storage Provider infrastructure can bring to enterprise smart card deployment. Information is organized into the following sections.

- Introduction: Describes the scope and audience.
- Architecture Overview: Provides a basic overview of the new smart card architecture in Windows.
- Features: Describes features that the new smart card architecture enables in Windows.
- Deployment Considerations: Identifies some issues to consider and useful questions to ponder during the planning phase of a deployment.
- Troubleshooting: Provides a short list of tools and identifies areas to check when troubleshooting smart card scenarios in your deployment.

Additional Reading

This document cannot cover all aspects of smart card features, smart card deployment, and cryptography in Windows. For links to related articles about these topics, see Other Resources.

Architecture Overview

The cryptographic foundation that smart cards rely on in Windows is now layered, instead of monolithic. Many smart card scenarios depend on cryptography and require a fully implemented cryptographic service provider that knows how to communicate with the smart card. In the past, smart card vendors made and maintained their own monolithic cryptographic service providers (CSPs) for their different smart cards, even though only a fraction of each CSP had code specific to the smart card.

The new Windows smart card architecture leverages the fact that the cryptography required in common at the top is separate from the unique smart card hardware interfaces at the bottom. Windows now has a simple smart card interface layer, called the card module, which leverages common cryptographic components now included in the Windows platform.

The cryptography for smart cards has been implemented both in the legacy Cryptography API (also called the CryptoAPI or CAPI) and in the Cryptography API: Next Generation (CNG) in Microsoft Windows Vista. The CSP implementation for CAPI is called the Microsoft Base Smart Card Cryptographic Service Provider, and the CNG implementation is called the Microsoft Smart Card Key Storage Provider.

For application developers, the Microsoft Base Smart Card Cryptographic Service Provider, the Microsoft Smart Card Key Storage Provider, and the card module interface provide a common way to access smart card features, regardless of card type.

For users, the new architecture includes new smart card features built into the platform for basic personal identification number (PIN) management, as well as enabling all the previously supported smart card scenarios.

Card Modules

A smart card module (also called a smart card mini-driver) is the interface layer between the vendor’s smart card and the relevant Windows smart card cryptography provider: either the Base CSP in a CAPI context or the Smart Card KSP in a CNG context. Card modules are essentially device drivers for smart cards. As such, smart cards that have card modules benefit from ease of use in Windows in much the same way as printers whose drivers comply with standard printer device interface requirements.

Specifically, smart cards with card modules benefit from built-in Windows smart card features, such as PIN change and smart card unblock. In Microsoft Windows 2000 SP4, Microsoft Windows XP SP2, and Microsoft Windows Server® 2003 SP1 and later, these features are provided with the PIN Tool, which is packaged with the Base CSP in Microsoft Windows Update (KB909520). In Windows Vista, PIN change and smart card unblock are built into the secure desktop, commonly thought of as the logon screen. For more information, see Feature Overview.

It is important to note that a smart card module is loaded as a Dynamic Link Library (DLL) in-process to the calling application. This means that it does not necessarily run in a trusted context. In Windows Vista, it is vital that a card module is well-behaved even when running in the context of the most limited user.

For more information about the card module interface, see the MSDN reference documentation at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/smart_card_modules.asp

Base CSP

The Base CSP is the preferred means to enable smart card scenarios that use the Cryptographic API (also called CryptoAPI or CAPI). Smart card vendors provide a thin middleware component called a smart card module (described previously) to enable their smart cards to work with Base CSP.

Base CSP is a core operating system (OS) component, installed with Windows Vista. It is available via Microsoft Windows Update as recommended update KB909520 in Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 SP1 or later.

The Base Smart Card Cryptographic Service Provider should not be confused with the “Microsoft Base Cryptographic Provider v1.0”, which is the default, non-smart card software CSP in Windows.

Base CSP vs. Monolithic Custom CSP

Prior to the Base CSP, vendors had to write a complete, custom software CSP to enable smart card scenarios, for example, smart card logon or secure e-mail with keys on a smart card. That is, each vendor had to implement CSP functions just to provide the interface for their smart card, despite the fact that CSP functions themselves have no intrinsic relationship to the smart card interface.

Microsoft recognized that a CSP is unnecessarily complicated software to create just to enable a smart card hardware interface layer. Also, Microsoft noted that CSP implementation quality varied from vendor to vendor as the level of cryptographic expertise and the ability to make quality control investments varied.

Today, the Base CSP provides the common software cryptographic portions, and vendors simply plug into Base CSP with their card module to provide access to their smart card-specific hardware and software. Figure 1 shows a side-by-side comparison of the Base Smart Card CSP and a vendor-specific custom smart card CSP.

Lastly, it is worth mentioning that a custom monolithic CSP usually required a special deployment. Windows Update was not an option. Going forward, the Base CSP, updates and fixes to the Base CSP, as well as certified vendor card modules will be available for download through Windows Update.

[Figure 1: Base Smart Card CSP vs. Vendor-Specific Custom Smart Card CSP. Base CSP side: cryptographic applications using CAPI (Secure Email, Smart Card Logon) call the Smart Card Base Cryptographic Service Provider (BaseCSP.DLL), which loads the vendor card modules (implementations of CardMod.h, such as CardVendor1.dll and CardVendor2.dll) for Smart Card #1 and Smart Card #2 and reaches the cards through the WinSCard API (WinSCard.DLL) and the Smart Card Resource Manager. Custom CSP side: any cryptographic application using CAPI calls a vendor-specific CSP that serves Smart Card #3.]

Figure 1: Base Smart Card CSP vs. Vendor-Specific Custom Smart Card CSP

Smart Card KSP

The Microsoft Smart Card Key Storage Provider (also called Smart Card KSP or SC KSP) is similar to Base CSP, but is implemented in the agile cryptographic architecture called Cryptographic API: Next Generation (CNG). CNG was introduced in Windows Vista. CNG supersedes CAPI. For backwards compatibility, CAPI is retained in Windows Vista but it is deprecated.

CNG provides support for new algorithms not available in CAPI, such as Elliptic Curve Cryptography (ECC). ECC support is exposed by the Smart Card KSP so that ECC-enabled smart cards with ECC-enabled card modules can use ECC certificates on Windows platforms that support CNG and version 3 certificate templates. For more information, see Feature Overview.

All card modules that work with Base CSP also work with the Smart Card KSP, since the Smart Card KSP implements a superset of the cryptographic algorithms available through CAPI and the Base CSP. However, this also means that it is possible to implement a card module for the Smart Card KSP that will not work with Base CSP by not implementing RSA features. This would be unusual for a vendor to do, since smart card logon requires an RSA certificate. However, it is possible to have a special purpose smart card that is only used for secure e-mail with ECC Secure Multi-Purpose Internet Mail Extension (S/MIME) certificates, for example. For more information, see Questions to Ask Your Smart Card Vendor.

Feature Overview

This section covers the new features that relate to mini-driver smart cards that are enabled either with the Base CSP or with the Smart Card KSP. All previously supported smart card features and scenarios continue to be supported, but are not repeated here. For more information, see Other Resources.

Changing a User PIN

The PIN is the user’s password for their smart card. Users running Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 SP1 or later can use the Smart Card PIN Tool to change their PIN from a logged-in workstation (Figure 2). Just like changing a logon password, the user must know the old value to change to a new one.

The Smart Card PIN Tool is provided with the Base CSP package in Windows Update KB909520 and is installed in %windir%/system32/pintool.exe.

Figure 2: Change PIN Tab of Smart Card PIN Tool

Change a User PIN using Windows Vista

In Windows Vista, users can change their smart card user PIN using the secure desktop.

The secure desktop is the most trusted context in the operating system. It is often thought of as the logon screen, since that is the most common task on the secure desktop. However, it is also used for other secure operations with user credentials, like password changes and now PIN changes (Figure 3).

To change a PIN

After logging in, press Ctrl-Alt-Delete to return to the secure desktop screen. Select the Change Password option. Insert the smart card in the smart card reader attached to the machine, select the smart card user tile, enter the old PIN, and then enter the new PIN. Confirm the new PIN in the appropriately named fields.

Figure 3: PIN Change Screen on the Windows Vista Secure Desktop

Smart Card Unblock

In Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 SP1 and later, the Smart Card PIN Tool described in Changing a User PIN also lets users unblock their card with an administrator’s help, but only if the user can access a logged-on machine and, therefore, run the Smart Card PIN Tool application (Figure 4). This limitation may be awkward for enterprise users for whom smart card logon is required, since they cannot log on to their domain account while their smart card is blocked. In a non-Windows Vista environment, the user must find some way to access a logged-on machine to launch the Smart Card PIN Tool. Options include logging on with a local user account or enlisting the help of another employee.

Note: Smart card unblock requires that smart cards are assigned an administrator key when provisioned, and that the IT infrastructure includes a secure way to store and access these keys when a user needs assistance. Windows does not include back-end tools for PIN administration. For more information, see Smart Card Administrator Access.

Figure 4: Unblock Tab of Smart Card PIN Tool

To use this feature, the user must be able to contact someone in the IT department or access some service that can give the response to the administrator challenge from the smart card. The following example describes a simple scenario.

Example Unblock Procedure

1. With your smart card in the smart card reader, click Unblock. The Challenge box is then populated with 16 hexadecimal digits.
2. Contact the company technical support line, so the technical support analyst can verify your identity using a company-defined procedure.
3. Read the challenge to the technical support analyst.
4. The technical support analyst reads the 16 hexadecimal digit response to you. Type the response in the Response field.
5. Enter a new PIN, confirm it, and then click OK. The card is unblocked and now you know the PIN.

Other procedure variants are obviously possible, such as using an interactive phone system in place of a support analyst, and sending a Short Message Service (SMS) text message of the response to the user’s company-issued phone. Larger organizations may find a better cost-benefit from a more automated unblock system. An organization with a small user group in one location may find the IT team can support unblock requests in person. The four key items to consider in defining any unblock procedure are how to:

- Identify the card that needs unblocking.
- Verify the user’s identity.
- Gather the card’s administrative challenge.
- Deliver the correct response to the user.

Great care must be taken when unblocking a smart card. If the administrator response is wrong too many times (usually defined at provisioning time), the smart card becomes blocked to the administrator as well, and all protected information on the smart card is then inaccessible. Note that incorrectly reading the challenge to the technical support analyst will result in an incorrect response, which is just as serious as mistyping a correct response.

Smart Card Unblock in Windows Vista

Smart Card Unblock is integrated into the Windows Vista secure desktop. However, it is not configured by default and must be explicitly enabled with Group Policy. When this feature is enabled, the user is presented with the Smart Card Unblock screen (Figure 5) when logging on is attempted with a blocked smart card.

Figure 5: Smart Card Unblock screen in the Secure Desktop of Windows Vista

Note: Smart card unblock requires that smart cards are assigned an administrator key before they are provisioned to users, and that the IT infrastructure includes a secure way to store and access these keys when a user needs assistance. Windows does not include such back-end tools for PIN administration. For more information, see Smart Card Administrator Access.

To enable unblock in the secure desktop user interface, an administrator can use the Group Policy Object Editor snap-in in the Microsoft Management Console (MMC).

To enable unblock

1. Open an elevated command window. To do this, click the Start button, point to All Programs, point to Accessories, right-click Command Prompt, and then click Run As Administrator in the context menu.
2. When prompted whether to run Command Prompt as an administrator, click Allow.
3. At the command prompt, type mmc, and then press Enter.
4. In the MMC snap-in, click the File menu, and then select Add/Remove Snap-in.
5. In the Available snap-ins pane on the left-hand side of the Add or Remove Snap-ins dialog box (Figure 6), select Group Policy Object Editor, and then click Add.

Figure 6: Add or Remove Snap-ins Dialog Box

6. To enable unblock on the local machine (only), you must be an administrator on the local computer and select Local Computer in the Group Policy Object control (Figure 7).

Figure 7: Select Group Policy Object

   or

   To enable unblock on all machines in the domain, you must be a Domain Administrator logged on to a Domain Controller and select Default Domain Policy in the Group Policy Object control (Figure 8).

Figure 8: Browse for a Group Policy Object Dialog Box

   In the Select Group Policy Object dialog box, click Finish. In the Add or Remove Snap-ins dialog box, click OK.

7. In the Local Computer Policy node, navigate to Computer Configuration, click Administrative Templates, click Windows Components, click Smart Card, and then double-click Allow Integrated Unblock screen to be displayed at time of logon in the center pane (Figure 9).

Figure 9: Local Computer Policy objects for smart cards

8. Select the Enabled option button, and then click OK (Figure 10).

Figure 10: Dialog for Allow Integrated Unblock screen to be displayed at the time of logon

The Smart Card Unblock screen can also be configured via Group Policy to display a custom string. This string can be used to provide a deployment-specific phone number for users to call to obtain the response to the smart card administrator challenge.

For an example unblock procedure, see Smart Card Unblock. For more information about this challenge/response mechanism, see Smart Card Administrator Access. For considerations when planning the back-end infrastructure to support smart card unblock, see Managing Smart Card Administrator Keys.

Administrators can also set the unblock display string in the Local Computer Policy object.

To set the unblock display string

1. In the Local Computer Policy node of the MMC, navigate to Computer Configuration, click Administrative Templates, click Windows Components, and then click Smart Card.
2. In the right pane, double-click Display string when smart card is blocked (Figure 9).
3. Select the Enabled option button (Figure 10).
4. Type the string to display on the Unblock screen in the Display string when smart card is blocked text box, and then press OK.

Smart Card Administrator Access

All Base CSP/Smart Card KSP compliant smart cards have an administrator key and a secure authorization mechanism implemented directly on the smart card for controlling administrative access to the card. Administrative access is required for Smart Card Unblock and for changing the user PIN without providing the current user PIN.

Technical Note: Administrative authentication uses a challenge and response mechanism. The card generates a random value and then triple Data Encryption Standard (3DES) encrypts it with the smart card’s administrative key to create an 8-byte challenge. In the Smart Card Unblock user interface, this challenge appears as 16 hexadecimal digits. The correct response is the value of the challenge re-encrypted with 3DES using the same administrative key as on the smart card. This proves that the user providing the response has the necessary access to the secret administrative key while not actually exposing the key during authentication.

Elliptic Curve Cryptography Features

The Smart Card KSP adds support for the following ECC features.

- Elliptic Curve certificate enrollment on a smart card (requires that an ECC PKI is deployed in the enterprise).
- Cryptographic signing with the Elliptic Curve Digital Signature Algorithm (ECDSA) using an ECC certificate on a smart card.
- Key agreement with the Elliptic Curve Diffie-Hellman (ECDH) algorithm using keys derived on the smart card. This may be used by Transport Layer Security (TLS) for client authentication.
- Support for on-card Key Derivation Functions (KDFs) for Federal Information Processing Standard (FIPS) 140-2 compliance for smart cards. KDFs are used in key agreement protocols like Diffie-Hellman (DH) and ECDH.

The Smart Card KSP is implemented in and depends on CNG, so these ECC smart card features can only be exposed on versions of Windows with CNG, and only with card modules that implement them. Currently, only Windows Vista and Windows Server code-named “Longhorn” support CNG.

Deployment Considerations

Managing Smart Card Administrator Keys

Smart card vendors and distributors preset their smart cards with a default administrator key. However, it would be dangerous to a deployment to continue using administrator keys known outside the enterprise. Administrator keys are important cryptographic secrets that provide complete control of the smart card and any identity-related information on it. Serious consequences for an organization could result if this information is compromised.

Prior to giving smart cards to users, the administrator key needs to be reset to a new value on each smart card, and that key must be stored securely within the enterprise’s IT infrastructure with access strictly limited.

Large organizations often decide to use Hardware Security Modules (HSM) to store high-value cryptographic secrets like these. One model is to store a single deployment-specific secret key on the HSM from which the smart card administrator keys are derived, and to have a program in the IT department that uses the HSM to provide responses to challenges on an audited, as-needed basis.
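The following Go program is an added example, not Microsoft's code or any vendor's card module. It simulates the 3DES challenge/response from the Technical Note in Smart Card Administrator Access, the Example Unblock Procedure, and the HSM model just described: per-card administrator keys derived from one master secret, an audited help-desk responder, and the administrator lockout that follows too many wrong responses. The HMAC-SHA256 derivation, the master secret and the card ID are assumptions constructed for the example.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var ErrAdminBlocked = errors.New("card is blocked to the administrator as well; contents unrecoverable")

// DeriveAdminKey derives a per-card administrator key from one HSM-held deployment master
// secret. ASSUMPTION: HMAC-SHA256 truncated to a 16-byte two-key 3DES key (paper names none).
func DeriveAdminKey(master []byte, cardID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(cardID))
	return m.Sum(nil)[:16]
}

// tdesBlock: two-key 3DES (K1||K2, expanded to K1||K2||K1 for crypto/des) of one 8-byte block.
func tdesBlock(key16, in []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err) // only reachable with a malformed key; callers always pass 16 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// Card holds only the on-card state that matters for unblock. Provisioning replaces the
// vendor default administrator key with AdminKey and sets the AdminRetries limit.
type Card struct {
	ID           string
	AdminKey     []byte
	AdminRetries int    // wrong administrator responses still tolerated
	UserBlocked  bool   // true after too many wrong user PINs
	PIN          string
	pending      []byte // outstanding 8-byte challenge, nil if none
}

// Challenge is what the Unblock button shows: a random value 3DES-encrypted under the admin key.
func (c *Card) Challenge() (string, error) {
	r := make([]byte, 8)
	if _, err := rand.Read(r); err != nil {
		return "", err
	}
	c.pending = tdesBlock(c.AdminKey, r)
	return strings.ToUpper(hex.EncodeToString(c.pending)), nil
}

// Unblock verifies the re-encrypted challenge, sets the new PIN on success, burns an admin retry on failure.
func (c *Card) Unblock(responseHex, newPIN string) error {
	if c.AdminRetries == 0 {
		return ErrAdminBlocked
	}
	got, err := hex.DecodeString(responseHex)
	if c.pending == nil || err != nil || len(got) != 8 {
		return errors.New("need an outstanding challenge and a 16-hex-digit response")
	}
	want := tdesBlock(c.AdminKey, c.pending)
	c.pending = nil // a challenge is single-use; a replayed response must not work
	if !hmac.Equal(got, want) {
		if c.AdminRetries--; c.AdminRetries == 0 {
			return ErrAdminBlocked
		}
		return fmt.Errorf("wrong response; %d administrator attempt(s) left", c.AdminRetries)
	}
	c.PIN, c.UserBlocked = newPIN, false
	return nil
}

// HelpDesk is the back-end responder: master secret (in an HSM in practice) plus an audit trail.
type HelpDesk struct {
	master []byte
	Audit  []string
}

// Respond turns the challenge the user reads out into the 16-hex-digit response.
func (h *HelpDesk) Respond(cardID, challengeHex string) (string, error) {
	ch, err := hex.DecodeString(challengeHex)
	if err != nil || len(ch) != 8 {
		return "", errors.New("challenge must be 16 hexadecimal digits")
	}
	h.Audit = append(h.Audit, "card="+cardID+" challenge="+strings.ToUpper(challengeHex))
	return strings.ToUpper(hex.EncodeToString(tdesBlock(DeriveAdminKey(h.master, cardID), ch))), nil
}

func main() {
	master := []byte("constructed-master-secret-for-demo") // constructed sample, not a real key
	desk := &HelpDesk{master: master}
	card := &Card{ID: "CARD-0001", AdminKey: DeriveAdminKey(master, "CARD-0001"), AdminRetries: 3, UserBlocked: true}
	ch, _ := card.Challenge()
	resp, _ := desk.Respond(card.ID, ch)
	fmt.Println("challenge:", ch, "response:", resp, "unblock error:", card.Unblock(resp, "4321"))
}
```

A misread challenge digit produces a different 8-byte block and therefore a wrong response, which costs an administrator retry exactly as the whitepaper warns.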


Medium- and small-sized organizations, depending on security and access requirements, might opt for a less costly solution, such as keeping keys in a database on a locked down, securely isolated machine.

The important point is to have some kind of card management solution that can securely update and store the administrator keys for smart cards in your enterprise. One such option is Microsoft Certificate Lifecycle Manager (http://www.microsoft.com/windowsserversystem/clm/default.mspx). Regardless of the card management solution, custom or packaged product, consideration must be given to how the administrator keys will be securely put on the smart cards, securely stored, and securely accessed on behalf of users when they call the IT department for help with tasks like smart card unblock.

Client Software Deployment

All card module smart card users need either the Base CSP or the Smart Card KSP, as well as the card module DLL for their smart card, installed on their computer.

As noted previously, the Base CSP and the Smart Card KSP are available in-box with Windows Vista, and the Base CSP is available as a recommended Windows Update for Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 SP1 and later. Therefore, deploying Windows Vista or requiring users to get the Base CSP update from Windows Update would be sufficient to deploy the cryptographic software components.

Microsoft is also planning to provide smart card vendors with the ability to certify their smart card and card module, and to have the card module distributed via Windows Update. If your company chooses a certified card module, Windows Update could be the way to deploy the selected card module to your users.

However, many enterprises do not permit users control of the desktop OS components. Usually, that means the IT department manages the components through a product like Microsoft Systems Management Server (SMS). In that case, SMS could be used to deploy the card module and, if necessary, the Base CSP.

Finally, if your company uses a company-standardized desktop image, the card module should be included with that image. Also, if the standard OS is not Windows Vista, the Base CSP should also be included.

User Access for Unblock

A number of smart card users will occasionally enter their PIN incorrectly too many times and block their smart card. At that point, users need IT help to unblock the card. The options available for helping users are affected by whether password authentication is available as well, or whether smart card logon is required.

Unblock for "Smart card required logon"

As noted in Smart Card Unblock, "Smart card logon required" environments prior to Windows Vista require providing users a way to access a machine without their smart card in order to unblock a card. Consider which of the following methods may be suitable, given where users work and the security requirements of the organization. Choose the method or methods your organization supports, and then plan to educate users on PIN Tool and your selected procedures.

Co-worker assistance

This is suitable if users are co-located. It may allow for a layer of peer identification/verification before the IT department is called.

Kiosk

If all users work in a common location, a disconnected kiosk logged on to a Guest account in the IT department provides the functionality and could allow face-to-face verification of credentials before the IT department supplies the unblock response.

Local computer account

Logging on with a local password-based account may be the best option for users who are remote. These users' computers need to be configured with such an account, perhaps a Guest account.

Unblock When Passwords Are Permitted

If smart cards are not required for logon, there is the possibility of self-service PIN unblock over the Web. You can consider creating or buying a tool that uses password credentials to authenticate users to an unblock Web service that takes information about the card and user, including the unblock challenge, and provides the response.



Questions to Ask Your Smart Card Vendor

While working with your smart card vendor(s), the following questions may help you both understand and mitigate deployment challenges.

Which of your smart cards work with the Base CSP/Smart Card KSP? (Alternatively: Which of your smart cards have a card module?)

Smart cards without a card module cannot use the PIN management capabilities that are built in to the Microsoft platform, such as smart card unblock and PIN change.

Has the card module been tested or certified by Microsoft? If not, why not?

Certification assures you of compatibility and interoperability with Windows. If it has not been certified, the company may not have sent the card module for certification yet, or it may not have completed the process. However, if the vendor has reasons for not seeking certification, it is important to understand them, since that may indicate scenarios the vendor is not ready to support.

What factory personalization options are available?

Personalization is a term of art when applied to smart cards; it means preparation steps done to the card before it is used. This can include setting the number of retries permitted before blocking the card and loading specific applications on the card. A vendor may offer custom preparation options as a value-added service, or it may be offered free of charge as a competitive advantage.

Can the factory set the default PIN and default administrator key to values we choose?

Vendors set the PIN and administrator key values on smart cards to default values at the factory. On request, vendors may be willing to set the default PIN and default administrator key to values specific to your deployment. This can be a defense-in-depth strategy, for example, to keep cards in your deployment from getting rogue applets loaded onto them simply because the administrator key is well known outside the organization.

Whether or not the vendor provides this service, you need to know what default PIN and administrator key to use in your deployment tool for personalizing cards prior to distribution to users, and make a conscious decision about how to manage administrator keys. For more information, see Smart Card Administrator Access and Managing Smart Card Administrator Keys.

Are the cards formatted for immediate use with the card module? If not, can this be done at the factory?

Ideally, all cards would come from the factory ready to use. However, some vendors provide smart cards in a state that requires running a vendor-specific preparation tool before they can be used with their card module. This represents extra work for the IT staff. Depending on the circumstances, this may be tolerable, but it is important to consider. This may be a personalization option for the vendor, and if they charge extra for this service, you should compare that with the cost of your staff formatting cards instead.

Does the card behave differently with respect to the card module if the card is prepared differently?

Ideally, this should not happen. The guidance from Microsoft to vendors is to identify each smart card model with a unique Attention to Reset (ATR). This prevents the problem of a card module sending commands to cards that cannot understand them.

It can be a significant technical support challenge if two cards with the same ATR behave differently. Windows chooses the smart card CSP to load based on the smart card's ATR. For card module smart cards, the ATR is also used to select the card module. If a smart card does not have the right card-side software and firmware to communicate with the card module, the results will be unpredictable.

However, if your company has an installed base of smart cards that predates card module technology, and updating smart card applets is both necessary and possible to make those smart cards work with a card module, this may be acceptable for the time being. Knowing this, you can plan mitigations, like internal Web site help pages, support training, tools for fixing/updating smart cards that do not have the necessary applets, and possibly migrating to smart cards that do not have these challenges.

Are your smart cards and card module RSA-only, ECC-only, or enabled for both RSA and ECC certificates?

This may be of interest if you deploy an ECC-enabled public key infrastructure, for example, with the Certificate Authority (CA) available in Windows Server code-named "Longhorn". ECC-only card modules cannot be used for Windows smart card logon, because only RSA certificates are supported with the Kerberos protocol used for certificate-based logon. However, if it is important to achieve FIPS 140-2 compliance, such as in certain government deployments, an ECC-enabled smart card is required for certain scenarios. Therefore, to support both smart card logon and FIPS 140-2 requires support for both RSA and ECC certificates.







Troubleshooting

There can be many reasons that smart card scenarios do not work as expected: network problems, card module installation errors, card module conflicts, and user input errors. It is not possible to cover every possible situation, but the following tools and tips may prove helpful.

Tools

These tools can be used to help diagnose why a smart card scenario is failing.

CertUtil

CertUtil is a powerful command-line utility for certificate management. In the context of smart card troubleshooting, it can be used to examine the contents of a smart card. CertUtil is included with Windows Vista and is available in the Windows Server 2003 Service Pack 1 Administration Tools Pack, which can also be installed on Windows XP.

To download the Windows Server 2003 Service Pack 1 Administration Tools Pack:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en

If this link does not work, search for the following file to install:
WindowsServer2003-KB304718-AdministrationToolsPack.exe

Install the admin pack, if applicable, and type the following at a command prompt while a smart card is in the card reader:

certutil -scinfo

This tool provides a large amount of information, including on-card certificate details. Card module compatible cards have the following in the Provider line, below the card name:

Provider = Microsoft Base Smart Card Crypto Provider

This can be used to determine if a card is not prepared with certificates, does not have a registered crypto provider, or is currently in a state such that its certificate containers are not readable. If you receive a hexadecimal smart card error code, certutil may provide the associated error text detail using the certutil -error <hex error code> option.

Event Viewer

The Event Viewer in the Administrative Tools of the Control Panel may log events about a smart card failure that help diagnose the problem.

Smart Card server service (SCardSvr) events should be investigated first, since SCardSvr must be running for smart cards to work. Input/output or communication errors can indicate hardware problems. If you cannot access the smart card, check the details of any such errors. Kerberos events can be related if there are logon or unlock problems. Kerberos errors for smart card logon are often either "revocation check failed" (which usually means the PC cannot reach the CA) or "cannot contact the Domain Controller" (which usually means there is a network problem).

Registry Editor

Some problems with smart cards are caused by missing or incorrect registry entries. You can use the registry editor to check for such problems by running regedit either from a command prompt or from the Start button, and then clicking Run.

Caution
Accidentally removing or adding keys in the registry can make your system unstable or unusable. Before viewing or manipulating the registry, make a backup copy. For more information, see Knowledge Base Article #322756, "How to back up, edit, and restore the registry in Windows XP and Windows Server 2003" at http://support.microsoft.com/default.aspx?scid=kb;en-us;322756

Areas to Investigate

Checking the system configuration in the following areas may help identify why a smart card scenario is failing.

Smart Card Services

As mentioned in Event Viewer, SCardSvr is needed to read smart cards.

If SCardSvr stops, the Service Control Manager logs an event to the System section of the Event Viewer that records the fact that the Smart Card service entered the stopped state. The Services applet in the Control Panel will also report that the Smart Card service is stopped. When the smart card service is not running, certutil -scinfo will display a message similar to the following:

The Microsoft Smart Card Resource Manager is not running.
WaitForSingleObject: Service is in an unknown state.
CertUtil: -SCInfo command FAILED: 0x80070102 (WIN32/HTTP: 258)
CertUtil: the wait operation timed out.

In Windows Vista, there are other services to verify.

Smart Card Policy Service (SCPolicySvc) is needed for smart card removal policy to work. This means that if you want Group Policy to cause the machine to lock when the smart card is removed, this service must be running.

Certificate Propagation Service (CertPropSvc) puts certificates in the MyStore certificate store. This is required for net use, runas, or any feature that uses CredUI. Without it, applications are unable to use smart card credentials because the certificate is not available for selection.

Calais Section of the Registry

For any smart card to work, it must be registered in the Windows registry in the Calais section (for smart cards) and indicate its associated Crypto Provider there. For card module based smart cards, the mini-driver must also be indicated.

For 32-bit versions of Windows, the smart card registry entry must be found at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<smart card model>

For 64-bit versions of Windows, the 64-bit version of the card module must be registered in the registry location at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<smart card model>

The 32-bit version of the card module must be registered at

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\<smart card model>

Card module smart cards have the following named values in their registry entry.

80000001
Indicates the smart card module DLL file name.

ATR
Gives the attention to reset value that identifies the card.

ATRMask
ATR mask defined by the vendor.

Crypto Provider
Must be "Microsoft Base Smart Card Crypto Provider".

Smart Card Key Storage Provider
This setting is only on Windows Vista and must be "Microsoft Smart Card Key Storage Provider".

Note that if by some unfortunate circumstance more than one card module is registered for the same ATR, the card module registered first alphabetically is selected.

Finally, ensure that the smart card reader is registered properly at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers
Card Module File

On 32-bit platforms, smart card modules must be located in %windir%\system32\. The filename of the card module is found in the registry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<smart card model>\80000001

On 64-bit platforms, the 64-bit version of the card module must be installed in %windir%\system32\ and the 32-bit version must be installed in %windir%\syswow64\. The latter is used by programs that run in 32-bit emulation mode.
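The registration checks in the Calais section and the file-location checks in this section can be run in one pass. The following PowerShell script is an added example, not part of the original white paper; it assumes the registry layout, named values and DLL directories described above, a 64-bit PowerShell 3.0 (or later) host on 64-bit Windows so that both registry views are visible, and the service name SCardSvr given in the Event Viewer section.

```powershell
# Added example (not from the white paper): read-only audit of the Calais
# smart card registrations and card module files described above.
# Assumes a 64-bit PowerShell 3.0+ host; nothing is modified.

$Base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$Wow  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards'

function ConvertTo-Hex([byte[]] $Bytes) {
    if ($null -eq $Bytes) { return '' }
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# One object per registered card model: the named values from the registry
# plus whether the 80000001 DLL exists in the directory the platform requires.
function Get-CalaisCards([string] $Root, [string] $DllDir, [string] $View) {
    if (-not (Test-Path $Root)) { Write-Warning "$Root not found"; return }
    foreach ($key in Get-ChildItem $Root) {
        $p   = Get-ItemProperty $key.PSPath
        $dll = $p.'80000001'
        [pscustomobject]@{
            View      = $View
            Model     = $key.PSChildName
            Dll       = $dll
            DllExists = [bool]($dll -and (Test-Path (Join-Path $DllDir $dll)))
            Atr       = ConvertTo-Hex $p.ATR
            AtrMask   = ConvertTo-Hex $p.ATRMask
            Provider  = $p.'Crypto Provider'
            Ksp       = $p.'Smart Card Key Storage Provider'   # Vista only; reported, not checked
        }
    }
}

# SCardSvr must be running or certutil -scinfo fails (see Smart Card Services).
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') { Write-Warning 'SCardSvr is not running' }

$is64  = [Environment]::Is64BitOperatingSystem
$cards = @(Get-CalaisCards $Base (Join-Path $env:windir 'System32') $(if ($is64) { '64-bit' } else { '32-bit' }))
if ($is64) { $cards += @(Get-CalaisCards $Wow (Join-Path $env:windir 'SysWOW64') '32-bit (WOW64)') }

foreach ($c in $cards) {
    if (-not $c.Dll) { continue }   # no 80000001 value: a legacy (non card module) CSP card
    if (-not $c.DllExists) { Write-Warning "$($c.View) $($c.Model): $($c.Dll) missing from expected directory" }
    if ($c.Provider -ne 'Microsoft Base Smart Card Crypto Provider') {
        Write-Warning "$($c.View) $($c.Model): Crypto Provider is '$($c.Provider)', not the Base CSP"
    }
}

# Same ATR and mask registered twice in one view: Windows loads the first alphabetically.
$cards | Group-Object View, Atr, AtrMask | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = $_.Group.Model | Sort-Object
    Write-Warning "Duplicate ATR registration: $($names -join ', '); '$($names[0])' would be selected"
}

$cards | Format-Table View, Model, Dll, DllExists, Atr, Provider -AutoSize
```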

Device Manager

Check the Device Manager. If there is a yellow question mark in the smart card readers node of the tree, the smart card reader driver is not installed.

If the device is installed correctly, check whether a newer reader works. Some of the newer smart cards operate at higher interface speeds than older card readers expected.



Other Resources

The following articles are helpful resources about smart cards, PKI, and cryptography on Windows.

TechNet Library for Windows Server is a valuable source of references and technical articles.

The root of the TechNet Library
http://technet2.microsoft.com/WindowsServer/en/Library/

Planning a Smart Card Deployment
http://technet2.microsoft.com/WindowsServer/f/?en/Library/5229033e-232b-4f91-9f86-0cbbd7cfc5a81033.mspx

Windows Server 2003 help articles about smart cards
http://technet2.microsoft.com/WindowsServer/en/Library/b989f4fd-febd-42e1-a130-9e0f338007341033.mspx

Get Smart! Boost Your Network's IQ With Smart Cards in TechNet Magazine Winter 2005 (an excellent article about deploying smart cards)
http://www.microsoft.com/technet/technetmag/issues/2005/01/SmartCards/default.aspx

Windows 2000 Advanced Server documentation has information about Certificate Services and smart cards under the Security node
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_RRAS-Ch1_70.htm

Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281245

The Smart Card Deployment Cookbook covers significant background about smart cards on Windows (though the documents are slightly dated)
www.microsoft.com/technet/security/topics/identitymanagement/smrtcdcb/default.mspx

Microsoft Certificate Lifecycle Manager is a feature overview of Microsoft's new certificate and smart card management local registration authority product
http://download.microsoft.com/download/6/e/f/6ef77742-1c5d-4ae2-a04f-2abc66adbd57/CLM%20White%20Paper.doc

Windows Vista SDK documentation for Cryptography API: Next Generation on MSDN
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptography_api__next_generation.asp