Creating a Smart Card Specification

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A wide variety of smart cards and smart card readers are available to choose from. Windows Server 2003 is designed to work with any cryptographic smart card that has an associated CryptoAPI cryptographic service provider. The physical characteristics of smart cards and readers are governed by published standards. Cards from any manufacturer that adheres to the ISO 7816 standard will likely be compatible with the reader you select. Be sure, however, to test smart cards and smart card readers to verify compatibility before deploying them in your production environment.

For more information about testing smart cards and smart card readers, see "Evaluating Smart Cards and Readers" later in this chapter.

Note

Because smart cards both store and process data, it is important to create a specification for your smart cards. Creating a smart card specification involves making decisions about the following:

  • Smart card hardware type

  • Amount of memory required

  • Intended useful smart card lifetime

  • Intended smart card roles

  • Smart card reader hardware

  • Smart card management software

Table 16.1 lists some of the critical specifications that you need to define when you create your smart card specification.

Table 16.1   Smart Card Hardware Specifications

Specification Description

Memory

How much data you need to store on the smart card.

Life expectancy

The useful lifetime of the smart card.

Reuse

Whether or not the smart card can be configured for use by a second user, if the original user leaves the organization.

Type of card

The type of card that is most appropriate for your organization. You might choose one or more of the following:

  • Credit card or token style

  • Single purpose or dual purpose

Card dimensions

The size, length, and thickness of the card, depending on the type of card that you specify.

Number of cards

How many cards you need.

  • If you have more users than computers, you need fewer readers than smart cards.

  • If you use your smart cards on multiple systems, you need more readers than smart cards.

  • If you specify more than one type of card, indicate the number of each type.

Type of smart card reader

The type of reader that is most appropriate for your organization. Options include:

  • USB

  • PCMCIA

  • Serial

Number of smart card readers

How many readers you need.

  • If you have more users than computers, you need fewer readers than smart cards.

  • If you use your smart cards on multiple systems, you need more readers than smart cards.

  • If administrators use one smart card for user logons and a second smart card for logging on with their administrative credentials, this will also impact the number of smart card readers that you require.

Performance requirements

The type of performance that you can expect. This includes:

  • Minimum acceptable logon times for direct network logons.

  • Minimum acceptable logon times for remote access logons.

  • Ability to handle alternate credentials.

  • Ability to restrict logons by using alternate credentials.

Smart card management tools

The types and quality of the tools provided by the hardware vendor to manage smart cards.

For a worksheet to assist you in preparing a product specification, see "Smart Card Hardware Specification" (DSSSMC_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Smart Card Hardware Specification" on the Web at https://www.microsoft.com/reskit).

In the beginning of your deployment, you can meet user needs by using a single type of smart card with a single configuration option. However, as you expand your smart card infrastructure, you might need to deploy a variety of smart card types and configuration options.

Smart Card Type

Two types of smart cards are available for use with Windows Server 2003 and Windows XP: conventional credit card–shaped contact cards and smaller token-style cards that plug directly into the USB port of a computer.

Note

  • Another type of smart card, called a contactless smart card, is not supported by Windows XP or Windows Server 2003.

Credit card–shaped contact cards

Credit card–shaped smart cards are available in three-volt and five-volt versions. They are the most common smart card solution, in part because they resemble the corporate card keys or badges that many organizations use.

Note

  • You can specify that your smart cards be screen-printed with your corporate logo and a picture of the user. If you plan to add graphics to smart cards, ask your vendor about the methods available for bulk printing and customizing cards.

If your organization uses card keys or badges, you can apply smart card chips to the existing card key or badge as a sticker or "skin." However, your card keys or badges need to fit into your smart card readers with a minimal amount of friction; therefore, be sure to include the physical thickness of the smart card in your specifications. This is an important factor to consider when you select a vendor to manufacture the stickers, as the material thickness for smart card chips can vary.

Token-style smart cards

Token-style smart cards are typically the size of a house key or automobile key. They plug directly into a USB port, providing a more compact solution than separate cards and readers. Token-style smart cards are ideal for laptop users who want to carry a minimum number of peripherals, or for workers who use a number of different computers. However, you cannot use token-style smart cards if your computers do not have USB connections, or if the USB connections are full or difficult to access.

Memory

Your smart card requires enough memory to store the certificate of the user, the smart card operating system, and additional applications. Smart cards run embedded operating systems, and in many cases, a form of file system in which data can be stored. To enable Windows smart card logon, you must be able to program the card to store a user’s key pair, retrieve and store an associated public key certificate, and perform public and private key operations on behalf of the user.

To calculate the amount of memory that you need, determine the space requirements for:

  • User certificates. A certificate typically requires about 1.5 kilobytes (KB). A smart card logon certificate with a 1,024-bit key typically requires 2.5 KB of space.

  • The smart card operating system. The Windows for Smart Cards operating system requires about 15 KB.

  • Applications required by the smart card vendor. A small application requires between 2 KB and 5 KB.

  • Your custom applications.

  • Future applications.

Figure 16.4 shows the additional space requirements of a typical 32 KB smart card. The smart card operating system requires about 15 KB, leaving 17 KB for the file system, which includes space for the card management software, the certificate, and any other custom applications.

Figure 16.4   Memory Use on a 32 KB Smart Card


It is possible to configure smart card file systems into public and private spaces. For example, you can define segregated areas for protected information, such as certificates, e-purses, and entire operating systems, and mark this data as Read Only to ensure the security of the smart card and restrict the amount of data that can be modified. In addition, some vendors provide cards with sub-states, such as Add Only, which is useful for organizations that want to restrict the ability of a user to revise an existing credential, and Update Only, which is useful for organizations that want to restrict the ability of a user to add new credentials to a card.

The data capacity available on smart cards is increasing as smart card technology improves. However, storage space on smart cards is expensive. Card vendors often restrict the amount of storage available to individual applications so that multiple applications or services can be stored on the card. Therefore, in your vendor specification, define all of your anticipated present and future card usage requirements and the memory requirements for each certificate and application that you require. If you plan to use your smart cards for multiple purposes, such as physical access to facilities and user logon, or to store additional data, you must increase your memory requirements. Also, when planning storage space on the chip, allocate space for applications that you are planning for future implementation.
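The memory budget described above (operating system, one logon certificate, vendor and custom applications, reserved space for future applications) can be worked through as a small planning calculation. The following is an added example, not a tool from the Deployment Kit or from any card vendor; the space figures are the ones quoted in this section, and the class and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Figures quoted in this section (all in kilobytes).
CARD_CAPACITY_KB = 32.0         # typical card size used in Figure 16.4
OS_KB = 15.0                    # Windows for Smart Cards operating system
LOGON_CERT_1024_KB = 2.5        # smart card logon certificate with a 1,024-bit key
VENDOR_APP_KB_RANGE = (2.0, 5.0)  # a small vendor application


@dataclass
class MemoryPlan:
    """Running memory budget for one smart card (example class, an assumption)."""
    capacity_kb: float
    components: dict = field(default_factory=dict)

    def add(self, name, size_kb):
        if size_kb < 0:
            raise ValueError("component size must not be negative")
        self.components[name] = float(size_kb)
        return self

    def used_kb(self):
        return sum(self.components.values())

    def free_kb(self):
        return self.capacity_kb - self.used_kb()

    def fits(self):
        return self.free_kb() >= 0

    def overcommitted_by_kb(self):
        # How much the plan exceeds the card; 0 when everything fits.
        return max(0.0, -self.free_kb())

    def file_system_kb(self):
        # Capacity left after the operating system: the 17 KB of Figure 16.4
        # that holds the certificate, card management software and applications.
        return self.capacity_kb - self.components.get("operating system", 0.0)


def plan_single_logon_card(capacity_kb=CARD_CAPACITY_KB, custom_apps_kb=0.0,
                           future_reserve_kb=0.0, vendor_app_kb=VENDOR_APP_KB_RANGE[1]):
    """Budget a card that carries exactly one logon certificate.

    Only one certificate is budgeted because Windows Server 2003 and Windows XP
    do not support multiple certificates on a smart card. The vendor application
    is budgeted at the top of its quoted range so the plan errs on the safe side.
    """
    plan = MemoryPlan(capacity_kb)
    plan.add("operating system", OS_KB)
    plan.add("logon certificate (1,024-bit key)", LOGON_CERT_1024_KB)
    plan.add("vendor application (worst case)", vendor_app_kb)
    if custom_apps_kb:
        plan.add("custom applications", custom_apps_kb)
    if future_reserve_kb:
        plan.add("reserved for future applications", future_reserve_kb)
    return plan


if __name__ == "__main__":
    # Constructed scenario: 4 KB of custom applications plus 6 KB reserved for
    # applications planned within the 18-24 month card lifecycle.
    plan = plan_single_logon_card(custom_apps_kb=4.0, future_reserve_kb=6.0)
    for name, size in plan.components.items():
        print(f"{name:40s} {size:5.1f} KB")
    print(f"used {plan.used_kb():.1f} KB of {plan.capacity_kb:.1f} KB, "
          f"fits: {plan.fits()}, over by {plan.overcommitted_by_kb():.1f} KB")
```

Running the constructed scenario shows why the section tells you to write future applications into the vendor specification: the bare operating system, certificate and vendor application fit a 32 KB card with room to spare, but adding modest custom and future allocations is enough to exceed it, which argues for a larger card rather than trimming the reserve.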

Note

  • Windows Server 2003 and Windows XP do not support the use of multiple certificates on a smart card.

Life Expectancy

You must define the length of time for which you will use a smart card before you replace or upgrade it. Contact your vendor for information about smart card life expectancy based on normal wear and tear.

In addition, you must take into account your current and future space requirements, including the anticipated need for additional applications and certificates with larger keys. Anticipate adding new applications, and potentially issuing new smart cards, over an 18-24 month card lifecycle. In the future, vendors are likely to introduce smart cards with more memory and other enhancements for a lower cost.

Also, determine whether you want your smart cards to be reusable in the event that users leave the organization. Reusing smart cards reduces the costs associated with issuing new ones. However, the cost associated with removing existing data and writing new data and applications is often equal to or more than the cost of preparing and issuing new smart cards.

Smart Card Roles

You can use smart cards for one of three roles. Determine how many smart cards you need to issue for each of the following roles:

  • Enrollment card. Issue enrollment cards to individuals who enroll smart cards on behalf of other users. Enrollment cards have a special enrollment agent certificate. Issue the smallest possible number of enrollment cards that will enable you to enroll all required smart card users. This protects the security of your system.

  • User cards. These are the standard cards that you issue to each user. Two types of user cards are available:

    • Permanent. Permanent user cards are cards that employees carry with them. They contain the cardholders’ credentials, certificates, data, and applications. They might also have a photograph or a decal applied to the card. In a Windows Server 2003 environment, the permanent card points to a permanent certificate server.

  • Temporary. Temporary cards are limited-use cards that are issued to guests, temporary employees, and users who have forgotten their permanent cards. They point to a temporary certificate server and can have a limited lifetime.

For a worksheet to assist you in documenting the roles for the smart cards that you issue, see "Smart Card Hardware Specification" (DSSSMC_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Smart Card Hardware Specification" on the Web at https://www.microsoft.com/reskit).

Important

  • To ensure system security, issue master and enrollment cards to the smallest possible number of trusted employees. For more information about issuing enrollment agent cards, see "Establishing Enrollment Agents" later in this chapter.

Smart Card Readers

A variety of types of smart card readers are available. The majority of smart card readers connect to the computer through an RS-232 serial port, a Type II Personal Computer Memory Card International Association (PCMCIA) slot, or a universal serial bus (USB) port.

Although USB-compatible smart card readers are the simplest type of reader to connect, the USB ports on some computers might already be used. For this reason, it is best to order a mix of card reader connector types based on the types of connections that are available on your systems.

For a list of Windows-compatible smart card readers, see the Windows Catalog link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Smart Card Management Tools

You can perform most smart card–related tasks by using the Windows Server 2003 Certificate Services and software tools provided by the smart card vendor. However, it is important to assess the smart card tools that are available to determine whether they are sufficient to meet your needs. You might need to create additional tools for some smart card tasks.

For example, you might require tools to assist you in moving from a limited pilot phase to a full production deployment. Also, developers in your organization might need to create a direct interface between the smart card certificate and your building access systems. You might also choose to write a script that automatically enters critical data into a database when a smart card is created. This includes data such as smart card serial numbers, the names or e-mail names of the users who are assigned smart cards, the types of certificates that are issued to the users, when the certificates are issued, and when they expire.
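The issuance-tracking script suggested above can be sketched as a small inventory with the fields the text names: card serial number, user name and e-mail name, certificate type, issue date and expiry date. This is an added example rather than a script from the Deployment Kit; it uses Python with the standard-library sqlite3 module as a stand-in for whatever database the organization uses, and the table name, column names and function names are assumptions. Queries are parameterized so that serial numbers and user names supplied at enrollment time cannot alter the SQL, and the serial number is the primary key so a card can never be recorded twice.

```python
import sqlite3
from datetime import date, timedelta

# Example schema (an assumption); dates are stored as ISO 8601 text so that
# string comparison orders them correctly.
SCHEMA = """
CREATE TABLE IF NOT EXISTS smart_card_issuance (
    card_serial TEXT PRIMARY KEY,
    user_name   TEXT NOT NULL,
    user_email  TEXT,
    cert_type   TEXT NOT NULL,
    issued_on   TEXT NOT NULL,
    expires_on  TEXT NOT NULL
)
"""


def open_inventory(path=":memory:"):
    """Open (or create) the issuance database. ':memory:' keeps it in RAM."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_issuance(conn, card_serial, user_name, cert_type,
                    issued_on, expires_on, user_email=None):
    """Record one newly created card. Raises sqlite3.IntegrityError on a
    duplicate serial and ValueError on an expiry that is not after issuance."""
    if expires_on <= issued_on:
        raise ValueError("expiry must be after the issue date")
    conn.execute(
        "INSERT INTO smart_card_issuance "
        "(card_serial, user_name, user_email, cert_type, issued_on, expires_on) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (card_serial, user_name, user_email, cert_type,
         issued_on.isoformat(), expires_on.isoformat()),
    )
    conn.commit()


def expiring_within(conn, days, as_of=None):
    """Cards whose certificate expires between as_of and as_of + days,
    soonest first. Useful for planning renewals ahead of the card lifecycle."""
    as_of = as_of or date.today()
    cutoff = as_of + timedelta(days=days)
    return conn.execute(
        "SELECT card_serial, user_name, cert_type, expires_on "
        "FROM smart_card_issuance "
        "WHERE expires_on BETWEEN ? AND ? ORDER BY expires_on",
        (as_of.isoformat(), cutoff.isoformat()),
    ).fetchall()


def cards_for_user(conn, user_name):
    """All cards ever issued to a user, for example when a card is reported lost."""
    return conn.execute(
        "SELECT card_serial, cert_type, issued_on, expires_on "
        "FROM smart_card_issuance WHERE user_name = ? ORDER BY issued_on",
        (user_name,),
    ).fetchall()


if __name__ == "__main__":
    # Constructed sample records; the serials and names are not real.
    conn = open_inventory()
    record_issuance(conn, "CONSTRUCTED-0001", "alice", "Smartcard Logon",
                    date(2003, 1, 15), date(2004, 7, 15), "alice@example.com")
    record_issuance(conn, "CONSTRUCTED-0002", "bob", "Smartcard Logon",
                    date(2003, 6, 1), date(2004, 12, 1))
    for row in expiring_within(conn, 30, as_of=date(2004, 7, 1)):
        print("renew soon:", row)
```

In a real deployment the record would be written by the enrollment station at the moment the card is created, and the expiry query would be run on a schedule so that replacements are issued before the 18-24 month lifecycle runs out rather than after users are locked out.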

For more information about creating scripts for Windows Server 2003, see https://www.microsoft.com/reskit, or see the TechNet Script Center link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.