Lock Down Vista Security with Smart Cards

Smart cards provide strong authentication, and companies can build single sign-on on top of them.

If you've always wondered what a smart card is, here's how to think about it: a smart card used for authentication is a miniature computer with a hardware component and a software component. In the simplest category, the hardware is an integrated circuit chip (ICC) that works only as a memory card.

Another category of smart card contains an embedded microprocessor and volatile memory, which are required for data processing. On the software side, a smart card has its own operating system, which is required for communicating with it through a card reader, and it may also have its own file system. The smart card reader reads the protected information from the card and passes it to the host it is attached to (most of the time a desktop or server).

Figure 1. A smart card block diagram.

Smart card readers are standard devices connected to computers through a USB port and controlled by software drivers. Readers can be divided into logical groups called reader groups. Some groups are defined by the subsystem itself; others are defined by administrators and users. A reader can belong to more than one reader group.

Smart cards can provide strong authentication, and large companies can implement single sign-on using nothing but smart cards. For controlling access to multiple related but independent software systems, a smart card is a great choice: a user logs in once and gains access to all of the systems without being prompted to log in again at each of them.

Versions of Windows Supported

Developers need a basic knowledge of public key infrastructure (PKI) to implement smart card authentication. Smart cards are supported in Windows 2000, Windows Server 2003, Windows XP, Windows Vista, and Windows ME. To support smart card authentication, Windows 95, Windows 98, and Windows ME have optional components: the smart card service (SCardSvr.exe) and the WinSCard API. Smart card services are integrated into Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The smart card registry database is located in the Windows registry under HKLM\Software\Microsoft\Cryptography\Calais\SmartCard. This registry key contains smart card and smart card reader information.

In Windows Vista, the logon process (Winlogon) has been re-architected. Previous versions of Windows used a custom GINA dynamic link library (DLL) to support customizable user identification and authentication. On Windows Vista, the GINA functionality has been distributed among three components: Winlogon, the logon user interface, and credential providers.

Smart card authentication falls under credential providers. On Vista, Winlogon supports multiple logon certificates and containers on the same smart card. Each smart card must have a cryptographic service provider (CSP), which exposes Cryptography Application Programming Interface (CAPI) interfaces at the top and calls the WinSCard APIs at the bottom. The Base CSP allows smart card vendors to write card-specific modules called smart card mini-drivers. The Base CSP can be downloaded as a package for Windows XP SP2, Windows 2000 SP4, and Windows Server 2003 SP1.

The smart card mini-driver is an interface that Microsoft supports for smart card vendors who want to write their own implementations for specific smart cards.

Smart Card Authentication Architecture

Windows Vista Smart Card Authentication Architecture has two components.

1. Vista interactive logon architecture

Vista logon begins with the secure attention sequence (SAS), the familiar CTRL+ALT+DEL key combination. For smart card logons, the user's credentials are stored on the smart card's chip. The external smart card reader reads the chip, and the user then enters a personal identification number (PIN) instead of a user name, domain, and password.

Figure 2. Windows Vista Smart Card Authentication

In Vista, COM objects are used to collect credentials from the card reader. Credential providers are designed to support single sign-on (SSO), authenticating users to secure network access points, computer logon, application-specific credential gathering, authentication to network resources, joining computers to a domain, and providing administrator consent for User Account Control (UAC). Multiple credential providers can co-exist on a computer.

2. Smart card subsystem architecture

The smart card subsystem has the following components:

* Smart card service providers are DLL components that give access to specific services available on the physical smart card. Using these DLLs, service providers can reach specific capabilities of their target smart cards.

* The Smart Card Resource Manager uses an API (Application Programming Interface) to manage access to multiple readers and smart cards. It coordinates application access to specific smart cards and gives the service providers what appears to be a direct connection to the target smart card.

* The Smart Card Reader Driver maps the conceptual driver services onto the specific hardware reader device. There may be hierarchies of specific drivers.

Vista Smart Card Services

For Smart Card Management in Windows Vista, there are three services enabled.

1. Smart card resource manager service

The smart card resource manager service provides the basic infrastructure for all smart card components. It manages smart card readers and application interactions on the computer, and it is implemented as a shared service of the svchost process.

Before working with the smart card, reader driver authors must configure the service to start automatically and call a predefined entry point in winscard.dll that starts the service.
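The following PowerShell script is an added example, not code from the article or from Microsoft. It audits the two things the article describes: the smart card registry database (reader entries and card entries with their CSP and mini-driver) and the resource manager service (SCardSvr). It assumes the value names ATR, Crypto Provider, 80000001, Device Name and Groups as used by the Base CSP, and it tries the key name as the article gives it (Calais\SmartCard) as well as the plural form found on installed systems.

```powershell
# Added example: audit the Windows smart card registry database and the
# resource manager service. Run in an elevated PowerShell session.
$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
# Assumption: the article names the key "SmartCard"; installed systems use
# "SmartCards". Whichever exists is used.
$cardKey = @("$base\SmartCards", "$base\SmartCard") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
$readerKey = "$base\Readers"

# 1. Resource manager service: should exist, be running, and not be disabled
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'SCardSvr not found: smart card logon cannot work on this host'
} else {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='SCardSvr'").StartMode
    'SCardSvr: status={0} startmode={1}' -f $svc.Status, $mode
    if ($mode -eq 'Disabled') { Write-Warning 'SCardSvr is disabled' }
}

# 2. Registered readers and the reader groups they belong to
if (Test-Path $readerKey) {
    Get-ChildItem $readerKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        'Reader: {0}  device={1}  groups={2}' -f $_.PSChildName,
            $p.'Device Name', (($p.Groups) -join ',')
    }
}

# 3. Registered cards: ATR identifies the card, "Crypto Provider" is the CSP,
#    and value 80000001 is the mini-driver DLL the Base CSP loads for it
if ($cardKey) {
    Get-ChildItem $cardKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $atr  = ($p.ATR | ForEach-Object { '{0:X2}' -f $_ }) -join ''
        $mini = $p.'80000001'
        # Heuristic: a mini-driver given as a full path outside System32 is
        # unusual and worth a closer look, since the CSP will load it at logon
        $odd = $mini -and ($mini -like '*\*') -and
               ($mini -notlike "$env:SystemRoot\System32\*")
        [pscustomobject]@{
            Card       = $_.PSChildName
            ATR        = $atr
            CSP        = $p.'Crypto Provider'
            MiniDriver = $mini
            Suspicious = [bool]$odd
        }
    } | Format-Table -AutoSize
}
```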
