Lock Down Vista Security with Smart Cards

If you’ve always wondered what a smart card is, here’s how to think about it: a smart card used for authentication is a miniature computer with a hardware component and a software component. The hardware component contains a microchip/integrated circuit (ICC) and serves as a memory card.

Another category of smart card contains an embedded microprocessor and volatile memory, which are required for data processing. On the software side, a smart card has its own operating system, which is needed to communicate with it through a card reader; the card may also have its own file system. The smart card reader reads the secured information from the card and passes it on to the host it is attached to (most of the time a desktop or server).

Figure 1. A smart card block diagram.

Smart card readers are standard devices connected to computers via a USB port and controlled through software drivers. Smart card readers can be divided into logical groups called reader groups. These groups can be defined by the subsystem as well as by administrators and users, and a reader can belong to more than one reader group.

Smart cards provide strong authentication, and large companies can implement single sign-on using smart cards alone. For controlling access to multiple related but independent software systems, a smart card is a good choice: a user logs in once and gains access to all of the systems without being prompted to log in again at each of them.

Versions of Windows Supported

Developers need a basic knowledge of public key infrastructure (PKI) to implement smart card authentication. Smart cards are supported in Windows 2000, Windows Server 2003, Windows XP, Windows Vista, and Windows ME. To support smart card authentication, Windows 95, Windows 98, and Windows ME have optional components: the smart card service (SCardSvr.exe) and the WinSCard API. Smart card services are integrated into Windows 2000, XP, Windows Server 2003, and Windows Vista. The smart card database lives in the Windows registry under HKLM\Software\Microsoft\Cryptography\Calais\SmartCard; this key contains smart card and smart card reader information.

In Windows Vista, the logon process (Winlogon) has been re-architected. Previous versions of Windows used a custom GINA dynamic link library (DLL) to support customizable user identification and authentication. On Windows Vista, the GINA functionality has been split among three components: Winlogon, the logon user interface, and credential providers.

Smart card authentication is handled by a credential provider. In Vista, Winlogon supports multiple logon certificates and containers on the same smart card. Each smart card must have a cryptographic service provider (CSP); the CSP exposes Cryptography Application Programming Interface (CAPI) interfaces on top and uses the WinSCard APIs at the bottom. The Base CSP lets smart card vendors write card-specific modules called smart card mini-drivers. The Base CSP can be downloaded as a package, and it exists for Windows XP SP2, Windows 2000 SP4, and Windows Server 2003 SP1.

The smart card mini-driver is also available as an interface that Microsoft supports for smart card vendors who want to write their own implementations for specific smart cards.

Smart Card Authentication Architecture

The Windows Vista smart card authentication architecture has two components.

1. Vista interactive logon architecture

Vista logon begins with the secure attention sequence (SAS), the familiar CTRL+ALT+DEL key combination. For smart card logons, a user’s credentials are stored on the smart card’s microchip. The external smart card reader reads the chip, and the user then enters a personal identification number (PIN) instead of a user name, domain, and password.

Figure 2. Windows Vista Smart Card Authentication

In Vista, COM objects are used to collect credentials from the card reader. Credential providers are designed to support single sign-on (SSO), authenticating users to secure network access points, computer logon, application-specific credential gathering, authentication to network resources, joining computers to a domain, and providing administrator consent for User Account Control (UAC). Multiple credential providers can coexist on a computer.

2. Smart card subsystem architecture

The smart card subsystem has the following components:

* Smart card service providers are DLL components that give access to the specific services available on the physical smart card device. Through these DLLs, the specific capabilities of the target smart cards can be accessed.

* The Smart Card Resource Manager uses an API (Application Programming Interface) to manage access to multiple readers and smart cards. The Smart Card Resource Manager coordinates application access to specific smart cards and provides the service providers with what appears to be a direct connection to the target smart card.

* The Smart Card Reader Driver maps the conceptual driver services to the specific hardware reader device. There may be hierarchies of specific drivers.
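To make the registry database and the subsystem layers above concrete, here is an added example (not code from the article, from Microsoft, or from any card vendor) that does what a service provider does through the Smart Card Resource Manager: it calls the WinSCard API in winscard.dll via ctypes to list readers and read the ATR of any inserted card, then identifies the card against a Calais-style database. The ATR, ATRMask and Crypto Provider value names are the ones the entries under Calais\SmartCards carry; the article only calls this "smart card and smart card reader information". The card entries in SAMPLE_CARD_DB are constructed, the WinSCard calls run only on Windows, and the matching logic runs anywhere.

```python
"""Enumerate readers through the smart card resource manager and identify the
inserted card the way the Calais smart card database does.

Added example, not code from the original article. WinSCard calls go through
winscard.dll via ctypes and run only on Windows; the ATR matching is plain
Python. SAMPLE_CARD_DB is constructed and does not describe any real card.
"""
import ctypes
import sys
from ctypes import POINTER, byref, c_char_p, c_size_t, c_ulong, c_void_p, c_wchar_p

# WinSCard constants (winscard.h)
SCARD_S_SUCCESS = 0
SCARD_SCOPE_USER = 0
SCARD_SHARE_SHARED = 2
SCARD_PROTOCOL_T0 = 1
SCARD_PROTOCOL_T1 = 2
SCARD_LEAVE_CARD = 0
MAX_ATR_SIZE = 36  # an ISO 7816-3 ATR is at most 33 bytes; 36 leaves headroom

# Constructed stand-in for HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards:
# each entry carries an ATR, an ATRMask and the CSP that handles the card.
# A mask byte of 0x00 ignores that ATR byte (e.g. per-card serial data).
SAMPLE_CARD_DB = {
    "Example Card A": {
        "ATR": bytes.fromhex("3B7F9600000031B8640000000000000000"),
        "ATRMask": bytes.fromhex("FFFFFFFFFFFFFFFFFF0000000000000000"),
        "Crypto Provider": "Microsoft Base Smart Card Crypto Provider",
    },
    "Example Card B": {
        "ATR": bytes.fromhex("3B9F95000000"),
        "ATRMask": bytes.fromhex("FFFFFFFFFFFF"),
        "Crypto Provider": "Example Vendor CSP",
    },
}


def split_multi_string(buf):
    """Split a Windows multi-string (names separated by NUL, terminated by a
    double NUL), the format SCardListReaders returns, into a list of names."""
    return [name for name in buf.split("\x00") if name]


def match_card(atr, card_db):
    """Return (card name, entry) for the first database entry whose masked ATR
    equals the masked ATR of the inserted card, or (None, None).
    Rule: (atr & ATRMask) == (entry ATR & ATRMask). Equal length is required
    here, a simplification of the database's own comparison."""
    for name, entry in card_db.items():
        ref, mask = entry["ATR"], entry["ATRMask"]
        if not (len(atr) == len(ref) == len(mask)):
            continue
        if all((a & m) == (r & m) for a, r, m in zip(atr, ref, mask)):
            return name, entry
    return None, None


def read_card_atrs():
    """Ask the resource manager for every reader and the ATR of any card in it.
    Returns {reader name: ATR bytes or None}. Windows only (winscard.dll)."""
    if sys.platform != "win32":
        raise OSError("winscard.dll is only available on Windows")
    sc = ctypes.WinDLL("winscard.dll")
    sc.SCardEstablishContext.argtypes = [c_ulong, c_void_p, c_void_p, POINTER(c_size_t)]
    sc.SCardListReadersW.argtypes = [c_size_t, c_wchar_p, c_wchar_p, POINTER(c_ulong)]
    sc.SCardConnectW.argtypes = [c_size_t, c_wchar_p, c_ulong, c_ulong,
                                 POINTER(c_size_t), POINTER(c_ulong)]
    sc.SCardStatusW.argtypes = [c_size_t, c_wchar_p, POINTER(c_ulong), POINTER(c_ulong),
                                POINTER(c_ulong), c_char_p, POINTER(c_ulong)]
    sc.SCardDisconnect.argtypes = [c_size_t, c_ulong]
    sc.SCardReleaseContext.argtypes = [c_size_t]

    ctx = c_size_t()  # SCARDCONTEXT handle to the resource manager
    rc = sc.SCardEstablishContext(SCARD_SCOPE_USER, None, None, byref(ctx))
    if rc != SCARD_S_SUCCESS:
        raise OSError("SCardEstablishContext failed: 0x%08X" % (rc & 0xFFFFFFFF))
    result = {}
    try:
        needed = c_ulong(0)
        if sc.SCardListReadersW(ctx, None, None, byref(needed)) != SCARD_S_SUCCESS:
            return result  # typically SCARD_E_NO_READERS_AVAILABLE
        buf = ctypes.create_unicode_buffer(needed.value)
        sc.SCardListReadersW(ctx, None, buf, byref(needed))
        for reader in split_multi_string(ctypes.wstring_at(buf, needed.value)):
            card, proto = c_size_t(), c_ulong()
            rc = sc.SCardConnectW(ctx, reader, SCARD_SHARE_SHARED,
                                  SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
                                  byref(card), byref(proto))
            if rc != SCARD_S_SUCCESS:  # empty reader or card removed
                result[reader] = None
                continue
            names, name_len = ctypes.create_unicode_buffer(256), c_ulong(256)
            atr, atr_len = ctypes.create_string_buffer(MAX_ATR_SIZE), c_ulong(MAX_ATR_SIZE)
            state = c_ulong()
            rc = sc.SCardStatusW(card, names, byref(name_len), byref(state),
                                 byref(proto), atr, byref(atr_len))
            result[reader] = atr.raw[:atr_len.value] if rc == SCARD_S_SUCCESS else None
            sc.SCardDisconnect(card, SCARD_LEAVE_CARD)
    finally:
        sc.SCardReleaseContext(ctx)
    return result


if __name__ == "__main__":
    for reader, atr in read_card_atrs().items():
        if atr is None:
            print("%s: no card" % reader)
        else:
            name, entry = match_card(atr, SAMPLE_CARD_DB)
            print("%s: ATR %s -> %s" % (reader, atr.hex(), name or "unknown card"))
```

Every call passes through the resource manager rather than the reader driver directly, which is exactly the separation the three bullets describe: the script never sees the reader hardware, only the reader names and card handles the resource manager hands out. When a card's ATR is not in the database, Windows has no CSP to associate with it, which is the usual reason a freshly inserted card is reported as unrecognised during logon.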

Vista Smart Card Services

For smart card management, Windows Vista has three services enabled.

1. Smart card resource manager service

The smart card resource manager service provides the basic infrastructure for all smart card components. It manages smart card readers and application interactions on the computer, and it is implemented as a shared service in an svchost process.

Before an application can work with the smart card, the reader driver authors must configure the service to start automatically and call a predefined entry point in winscard.dll that starts the service. The resource manager service has the following service description (registry key and value):

    keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters"
    valueType="REG_EXPAND_SZ" value="%SystemRoot%\System32\SCardSvr.dll" buildFilter=""

2. Certificate propagation service

This service starts when a user who is logged on to the system inserts a smart card into a reader attached to the computer; this causes the certificate(s) to be read from the smart card. The name of the service is CertPropSvc. The controller notifies CertPropSvc when a user has logged on; the service then monitors the smart cards visible from the user session and reads all certificates from all inserted smart cards.

3. Smart card removal service

This service acts when a user who logged on with a smart card subsequently removes that smart card from the reader.

Debugging Cards and Getting Information

A few tools and services are available in Windows Vista to help developers with debugging.

* To list the certificates available on the smart card:

    certutil -scinfo

* To delete a certificate, use the following command. When you delete a certificate on the card, you are actually deleting the container that corresponds to that certificate.

    certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "38f813f2-ec3b-4e96-ba19-38b830923be9"

* To enable tracing for NTLM authentication, run the following at the command line:

    tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1

  To stop tracing for NTLM authentication, run the following at the command line:

    tracelog.exe -stop ntlm

* To enable tracing for Kerberos authentication, run the following at the command line:

    tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1

  To stop tracing for Kerberos authentication, run the following at the command line:

    tracelog.exe -stop kerb

* To enable tracing for the KDC, run the following at the command line:

    tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1

  To stop tracing for the KDC, run the following at the command line:

    tracelog.exe -stop kdc

To check the status of the smart card service:

    1. Open Windows Task Manager.
    2. In the Windows Task Manager dialog box, click the Services tab.
    3. Look for SCardSvr and check the Status column to see whether the service is running or stopped.
    4. If the service is stopped and you want to start it again, run the following from a command prompt (remember to Run as Administrator): net start SCardSvr. To stop the service, run net stop SCardSvr from the command prompt.
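As an added example that is not part of the article, the following script does from the command line what the Task Manager steps above do by hand, for all three services described in this section: it parses `sc query` output to obtain each service's state and reports which ones are not running. SCardSvr and CertPropSvc are the names the article gives; SCPolicySvc (Smart Card Removal Policy) is the service name of the removal service, which the article does not name. The SAMPLE_* strings are constructed copies of typical `sc query` output so the parser can be exercised on any platform; the live query itself runs only on Windows.

```python
"""Check the Windows smart card services without opening Task Manager.

Added example, not code from the original article. SCardSvr and CertPropSvc
are named in the article; SCPolicySvc (Smart Card Removal Policy) is the
service name of the removal service, which the article does not give.
SAMPLE_RUNNING / SAMPLE_STOPPED / SAMPLE_MISSING are constructed copies of
typical `sc query` output so the parser can be exercised anywhere; the live
query itself only works on Windows.
"""
import re
import subprocess
import sys

SMART_CARD_SERVICES = ("SCardSvr", "CertPropSvc", "SCPolicySvc")

# `sc query` prints "STATE : <number>  <NAME>"; only the name is needed here.
_STATE_LINE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)

# Constructed samples of sc query output (not captured from a real machine).
SAMPLE_RUNNING = """
SERVICE_NAME: SCardSvr
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_STOPPED = """
SERVICE_NAME: CertPropSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""
SAMPLE_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                  "The specified service does not exist as an installed service.\n")


def parse_sc_state(sc_output):
    """Return the state name (RUNNING, STOPPED, START_PENDING, ...) from
    `sc query` output, or None if no STATE line is present, for example
    when the service is not installed."""
    m = _STATE_LINE.search(sc_output)
    return m.group(1) if m else None


def query_service_state(name):
    """Run `sc query <name>` (Windows only) and return its parsed state."""
    if sys.platform != "win32":
        raise OSError("sc.exe is only available on Windows")
    proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return parse_sc_state(proc.stdout)


def assess(states):
    """Given {service: state}, return (logon_possible, problems). Smart card
    logon needs the resource manager (SCardSvr); the other two services
    provide certificate propagation and removal handling, so they are
    reported but do not by themselves block logon."""
    problems = ["%s: %s" % (svc, st or "not installed")
                for svc, st in states.items() if st != "RUNNING"]
    return states.get("SCardSvr") == "RUNNING", problems


if __name__ == "__main__":
    if sys.platform == "win32":
        states = {svc: query_service_state(svc) for svc in SMART_CARD_SERVICES}
    else:  # off Windows, exercise the parser on the constructed samples
        states = {"SCardSvr": parse_sc_state(SAMPLE_RUNNING),
                  "CertPropSvc": parse_sc_state(SAMPLE_STOPPED),
                  "SCPolicySvc": parse_sc_state(SAMPLE_MISSING)}
    ok, problems = assess(states)
    print("smart card logon possible:", ok)
    for line in problems:
        print("  ", line)
```

Run it from an elevated prompt on the machine in question; if SCardSvr is reported stopped, `net start SCardSvr` as described in step 4 is the fix, and a stopped CertPropSvc explains certificates that never show up in the user's store after a card is inserted.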

Figure 3. A smart card service.

Here's how to check the status of a smart card reader.

    1. Click on the Start button, right-click Computer, and then click Properties.
    2. Under Tasks, click Device Manager.
    3. In Device Manager, expand Smart card readers, select the smart card reader you want information about, and then click Properties. If the smart card reader is not listed in Device Manager, click Scan for hardware changes in the Action menu.

Conclusion

Smart card usage by businesses enhances protection and improves productivity. Password authentication, on the other hand, the most widely used logon mechanism, is only as reliable as its users. Most of the time, users share their personal passwords with friends and some team members, and even the most reliable user may write a password on a slip of paper where another user might later discover and use the same credential. If a user does not safeguard a password, the network may be subject to concurrent use of a user account or, worse, left unprotected against malicious break-ins.

A Windows-powered smart card can be used by only one person at a time, which makes concurrent use of an account by other users impossible. Because the card is required to access the network, users tend to carry it with them wherever they go, preventing malicious break-ins and access. Windows for Smart Cards supports multiple authentication mechanisms, such as PIN, fingerprint, or retina recognition. If the card is lost, no one else can use it to access the network, because only the owner knows the PIN or has the matching fingerprint or retina.

By using the most secure cryptographic algorithms, like RSA, DES, 3DES and SHA, and by being built on the most reliable chips, Windows-powered smart cards are virtually inviolable.
