Strong authentication: building apps that manage virtual smart cards in enterprise, BYOD and consumer environments
Himanshu Soni, Senior Program Manager (session 2-041)
Agenda
• 2 factor authentication
• Smart cards
• Virtual smart cards
• WinRT APIs
• Demo
2 factor authentication
• What you know – e.g. PIN
• What you have – e.g. smart card, devices
Why 2 factor authentication
“In 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking” – Deloitte
“The age of the password is over. We just haven’t realized it yet.” – Wired
“73% of users share the passwords which they use for online banking, with at least one nonfinancial website.” – Trusteer Inc. Reused Login Credentials 2010
Virtual smart cards
• Introduced in Windows 8
• Uses the TPM module on the PC for:
  • isolated crypto operations
  • generation of non-exportable keys
  • dictionary attack prevention (wrong PIN)
• Exposed as smart cards to applications and the OS
PIN is what you know, the device is what you have.
Where can virtual smart cards be used
• Remote access using VPN or DirectAccess
• BYOD (Bring Your Own Device)
• Logon to PC
• SSL client authentication
• Secure email
• Document protection (signing, encryption)
• BitLocker drive encryption for data volumes
Important aspects of a smart card
• User selected PIN
• Auto generated admin key for PIN reset or unblock (some cards have a PUK)
• Unique ID (card ID, serial number, etc.) for inventory management
• Certificates and private keys
Deployment types
Managed vs. unmanaged virtual smart cards, compared on:
• Inventory management
• PIN reset and unblock
• PIN change
• Policy enforcement
• Certificate issuance and management
Deployment complexity
Components required for managed vs. unmanaged virtual smart cards:
• Server side virtual smart card management
• Policy enforcement modules
• PIN management components
• Certificate server
• Browser plugin or client app
What's new in Windows 8.1 for smart cards
• New APIs to manage virtual smart cards
• New APIs to manage physical smart cards
• PIN policies for virtual smart cards
• New ways for certificate enrollment
• New APIs for using certificates for cryptographic operations
Windows Store apps can now manage the complete lifecycle of virtual smart cards.
Smart card API features
Namespace: Windows.Devices.SmartCards
Capability required: SharedUserCertificates, enterpriseAuthentication
Features (the slide marks each as available for physical and/or virtual smart cards):
• Query and monitor smart card readers (together with Windows.Devices.Enumeration)
• List available smart cards in a reader, retrieve the card name, and retrieve the card ID
• Verify if the admin key of a card is correct
• Provision (or reformat) a card with a given card ID
• Change PIN by entering the old PIN and then specifying the new PIN
• Change admin key, reset PIN, unblock smart card using challenge/response
• Create virtual smart card
• Delete virtual smart card
• PIN policies
Virtual smart card lifecycle
Create → Provision → Use → Delete
While in use: Change PIN; Forget PIN → PIN reset
Windows Store app – sample flow
Card lifecycle as seen from the Windows Store app, with the server backend on the other side (in order):
• Create virtual smart card with a default admin key known to the server
• Receive key diversification information from the server
• Diversify admin key and update server inventory
• Send certificate request to server along with any required additional proofs
• Receive certificate and install it on the card
• PIN management (change, reset, unblock), certificate management (renewal)
• Delete card and update server inventory
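The slides leave the server side of this flow unspecified: the key diversification information, the inventory, and the responses behind RetrieveResponseForChallengeFromServer. The following is an added example, not code from the presentation or the Windows SDK samples: it assumes the admin key is a 24-byte Triple-DES key and that a card's 8-byte challenge is answered with its 3DES-ECB encryption under that key (the slides do not state the response function), derives per-card keys with HMAC-SHA256 from a server-held master key, and uses an in-memory dictionary as the inventory.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example of the server backend behind RetrieveResponseForChallengeFromServer; not part of
// the presentation. The in-memory dictionary stands in for the server's card inventory database.
public sealed class VirtualSmartCardBackend
{
    // Constructed placeholder for the default admin key new cards are created with. Its three 8-byte
    // parts differ on purpose: repeating one block three times degenerates to single DES, and .NET's TripleDES rejects it as weak.
    public static readonly byte[] DefaultAdminKey =
    {
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
    };
    private readonly byte[] _masterKey;   // stays on the server (an HSM in practice)
    private readonly Dictionary<Guid, byte[]> _inventory = new Dictionary<Guid, byte[]>();
    public VirtualSmartCardBackend(byte[] masterKey) { _masterKey = masterKey; }

    // "Key diversification information": a per-card admin key derived from the master key and the
    // card ID, recorded in the inventory and handed to the app once for ChangeAdministrativeKeyAsync.
    // Assumption: HMAC-SHA256 truncated to 24 bytes; the slides do not name a derivation function.
    public byte[] RegisterCard(Guid cardId)
    {
        if (_inventory.ContainsKey(cardId))
            throw new InvalidOperationException("card ID is already in the inventory");
        using (var hmac = new HMACSHA256(_masterKey))
        {
            byte[] mac = hmac.ComputeHash(cardId.ToByteArray());
            var adminKey = new byte[24];
            Buffer.BlockCopy(mac, 0, adminKey, 0, adminKey.Length);
            _inventory[cardId] = adminKey;
            return adminKey;
        }
    }

    // Response for a card still on the default key; needed once, for the first ChangeAdministrativeKeyAsync.
    public static byte[] RespondWithDefaultKey(byte[] challenge) => Respond(DefaultAdminKey, challenge);

    // Response for a registered card (later admin operations and RequestPinResetAsync):
    // the admin key never leaves the server, only the 8-byte response does.
    public byte[] RespondForCard(Guid cardId, byte[] challenge)
    {
        if (!_inventory.TryGetValue(cardId, out byte[] adminKey))
            throw new KeyNotFoundException("unknown card ID; do not fall back to the default key");
        return Respond(adminKey, challenge);
    }

    // Inventory update when the app reports that RequestVirtualSmartCardDeletionAsync succeeded.
    public bool RemoveCard(Guid cardId) => _inventory.Remove(cardId);

    // Assumption: response = 3DES-ECB encryption of the single 8-byte challenge block under the admin key.
    private static byte[] Respond(byte[] adminKey, byte[] challenge)
    {
        if (challenge == null || challenge.Length != 8)
            throw new ArgumentException("challenge must be exactly one 8-byte block");
        using (var tdes = TripleDES.Create())
        {
            tdes.Key = adminKey;
            tdes.Mode = CipherMode.ECB;
            tdes.Padding = PaddingMode.None;
            using (var encryptor = tdes.CreateEncryptor())
                return encryptor.TransformFinalBlock(challenge, 0, challenge.Length);
        }
    }
}
```

A card is moved off the default key by calling RegisterCard, sending the returned key to the app once over the authenticated channel, and having the app present the result of RespondWithDefaultKey to ChangeAdministrativeKeyAsync; every later challenge is answered with RespondForCard, so the diversified key stays on the server.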
Virtual smart card creation API
Class: SmartCardProvisioning
Method: RequestVirtualSmartCardCreationAsync
Input: friendly name, admin key, PIN policy, GUID for card ID (an overload is available without card ID)
C# code snippet for card creation

```csharp
using System;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

public async void ScenarioCreateTpmVirtualSmartCard()
{
    // Sample default admin key from the slide (24 bytes), known to the server.
    // The app later replaces it with a per-card key via ChangeAdministrativeKeyAsync.
    IBuffer adminKey = CryptographicBuffer.CreateFromByteArray(
        new byte[] {
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
        });

    // PIN policy enforced by the card: at least 8 characters, at least one uppercase letter,
    // lowercase letters and digits allowed, special characters disallowed
    SmartCardPinPolicy pinPolicy = new SmartCardPinPolicy()
    {
        MinLength = 8,
        LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
        UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
        Digits = SmartCardPinCharacterPolicyOption.Allow,
        SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
    };

    // Prompts the user for a PIN and creates the TPM virtual smart card
    SmartCardProvisioning cardProvisioning = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
        "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());

    // Null: the card was not created (for example, the user cancelled the request)
    if (cardProvisioning == null)
        return;
}
```
Windows Store APIs – PIN policy
PIN policy is an input to the Create API with the following options:
• Minimum length (minimum length allowed: 4)
• Maximum length (maximum length allowed: 128)
• Uppercase letters
• Lowercase letters
• Digits
• Special characters
Default PIN policy: 8 characters minimum length (same as Windows 8).
Note: the PIN can contain only characters from the printable ASCII range.
Smart card provisioning APIs
Class: SmartCardProvisioning
Method: GetChallengeContextAsync
Class: SmartCardChallengeContext
Methods: ProvisionAsync, ChangeAdministrativeKeyAsync
C# code snippet for card provisioning

```csharp
using System;
using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

// RetrieveResponseForChallengeFromServer and CalculateResponse are app-defined helpers not shown on the slides
public async void ScenarioProvisionCard(SmartCard card, IBuffer oldAdminKey, IBuffer newAdminKey, Guid newCardId)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

    // Change card admin key after challenge/response authentication.
    // The card issues a challenge; the server, which knows the current admin key,
    // computes the response, so that key never has to be sent to the app.
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = await RetrieveResponseForChallengeFromServer(card, context.Challenge);
        await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
    }

    // Provision card file system after challenge/response authentication.
    // The card now expects responses under the new admin key, which the app holds.
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = CalculateResponse(newAdminKey, context.Challenge);
        await context.ProvisionAsync(response, true, newCardId);   // true: format the card
    }
    // The card has been provisioned and is ready for certificate enrollment
}
```
Certificate enrollment – additional proofs
• Domain username and password
• Challenge questions
• OTP sent to mobile phone or email
• Corpnet connection with user name and password
• Sign with a physical smart card
• Visit to an IT office/kiosk
Certificate enrollment APIs
Classes: CertificateRequestProperties, CertificateEnrollmentManager
Methods: CreateRequestAsync, InstallCertificateAsync
C# code snippet for certificate request creation

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage.Streams;

public async Task ScenarioEnrollCertificate(IBuffer adminKey, SmartCardPinPolicy pinPolicy, Uri url)
{
    SmartCardProvisioning cardProvision = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
        "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvision == null)
        return;
    // Generate the key pair on the card (through the smart card KSP) and build the request for it
    CertificateRequestProperties requestProperties = new CertificateRequestProperties()
    {
        Subject = "Toby",
        KeySize = 2048,
        KeyStorageProviderName = KeyStorageProviderNames.SmartcardKeyStorageProvider,
        SmartcardReaderName = cardProvision.SmartCard.Reader.Name
    };
    string request = await CertificateEnrollmentManager.CreateRequestAsync(requestProperties);
    // Submit the request (can wrap it in XML and provide more information, e.g. additional proofs, to the server)
    using (HttpClient cli = new HttpClient())
    {
        HttpContent content = new StringContent(request);
        HttpResponseMessage response = await cli.PostAsync(url, content);
        response.EnsureSuccessStatusCode();
        string certResponse = await response.Content.ReadAsStringAsync();
        // Install the returned cert; the private key already lives on the card
        await CertificateEnrollmentManager.InstallCertificateAsync(certResponse, InstallOptions.None);
    }
}
```
Locating a card
Classes: SmartCardReader, SmartCardProvisioning
Methods: GetDeviceSelector, GetIdAsync
Input: none
C# code snippet for locating a card

```csharp
using System;
using System.Threading.Tasks;
using Windows.Devices.Enumeration;
using Windows.Devices.SmartCards;

public async Task<SmartCard> ScenarioLocateCard(Guid targetCardId)
{
    // Enumerate all smart card readers to find the matching card
    var selector = SmartCardReader.GetDeviceSelector();
    var devices = await DeviceInformation.FindAllAsync(selector);
    foreach (var device in devices)
    {
        var reader = await SmartCardReader.FromIdAsync(device.Id);
        var cards = await reader.FindAllCardsAsync();
        foreach (var card in cards)
        {
            // Identify the card by reading its ID from its cardid file
            var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
            var cardId = await cardProvision.GetIdAsync();
            if (cardId == targetCardId)
            {
                // Found the card
                return card;
            }
        }
    }
    // No card with the requested ID is present
    return null;
}
```
Change PIN
Class: SmartCardProvisioning
Method: RequestPinChangeAsync
Input: none
C# code snippet for PIN change

```csharp
using Windows.Devices.SmartCards;

public async void ScenarioChangePin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    // Request to change the PIN; the user is prompted to enter the old and new PINs
    bool result = await cardProvision.RequestPinChangeAsync();
    if (!result)
    {
        // The request was cancelled
    }
}
```
Reset PIN/unblock smart card
Class: SmartCardProvisioning
Method: RequestPinResetAsync
Input: none
C# code snippet for PIN reset

```csharp
using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

// RetrieveResponseForChallengeFromServer is an app-defined helper not shown on the slides
public async void ScenarioResetPin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    var cardId = await cardProvision.GetIdAsync();
    // The user is prompted for a new PIN; the reset itself is authorized by challenge/response
    // with the admin key, which only the server holds, so the handler asks the server for the response
    bool result = await cardProvision.RequestPinResetAsync(async (sender, request) =>
    {
        // The deferral keeps the request open while the server call is in flight
        var deferral = request.GetDeferral();
        try
        {
            IBuffer response = await RetrieveResponseForChallengeFromServer(cardId, request.Challenge);
            request.SetResponse(response);
        }
        finally
        {
            deferral.Complete();
        }
    });
    if (!result)
    {
        // The request was cancelled
    }
}
```
Virtual smart card deletion API
Class: SmartCardProvisioning
Method: RequestVirtualSmartCardDeletionAsync
Input: SmartCard
C# code snippet for card deletion

```csharp
using Windows.Devices.SmartCards;

public async void ScenarioDeleteTpmVirtualSmartCard(SmartCard card)
{
    if (card.Reader.Kind != SmartCardReaderKind.Tpm)
    {
        // This is not a TPM virtual smart card; only virtual cards can be deleted
        return;
    }
    // The user is asked to confirm; the card and its non-exportable keys are destroyed
    bool result = await SmartCardProvisioning.RequestVirtualSmartCardDeletionAsync(card);
    if (!result)
    {
        // The request was cancelled
    }
}
```
Demo – setup virtual smart card
Demo – use virtual smart card
Summary and key takeaways
Windows 8.1 makes it easier than ever for Windows Store apps to manage physical and virtual smart cards.
You learned about using virtual smart cards when you need strong authentication, including both enterprise Bring Your Own Device (BYOD) environments and consumer scenarios that require strong authentication, such as banking.
You learned what virtual smart cards are, what scenarios they can enable, and how new Windows Runtime APIs make it easy to write apps to manage both real and virtual smart cards.
Resources
• Virtual smart card white paper: http://www.microsoft.com/download/details.aspx?id=29076
• MSDN links for WinRT APIs: http://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx and http://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx
• Samples: http://code.msdn.microsoft.com/windowsapps/Smart-card-sample-f9befda4 and http://msdn.microsoft.com/library/windows/apps/br212099.aspx
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.