Smart Card Support
Smart cards are credit card–sized and contain integrated circuit cards (ICCs). They can be used to store certificates and private keys and to perform public key cryptography operations, such as authentication, digital signing, and key exchange. Smart cards offer the following security enhancements and benefits:
They provide tamper-resistant storage for protecting private keys and other forms of personal information.
They isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a specific purpose for this data.
They enable the portability of credentials and other private information between work, home, and remote computers.
In addition, smart cards use Personal Identification Numbers (PINs) rather than passwords. The smart card is protected from misuse by the PIN, which is known only to the owner of the smart card. To use the smart card, a user inserts the card in a smart card reader that is attached to a computer and, when prompted, enters the PIN. The smart card can be used only by someone who possesses the smart card and knows the PIN.
PINs offer more protection than standard network passwords. Passwords (or derivations such as hashes) travel on the network and are subject to brute force or dictionary attacks. The strength of the password depends on its length, how well it is protected, and how difficult it is to guess. In contrast, PINs never travel on the network and cannot be sniffed. Furthermore, dictionary attacks or brute force (key search) attacks (where an attacker tries numerous PIN combinations in an attempt to "guess" the PIN) can be attempted only by someone in physical possession of the smart card. And, the smart card locks after only a few failed attempts to guess the PIN.
Windows 2000 supports industry standard Personal Computer/Smart Card (PC/SC)-compliant Plug and Play smart cards and smart card readers that conform to specifications that have been developed by the PC/SC Workgroup. To work under the Windows implementation of the PC/SC 1.0 Specification, a smart card must conform physically and electrically to the International Standards Organization (ISO) 7816-1, 7816-2, and 7816-3 standards.
Smart card readers attach to standard personal computer peripheral interfaces such as RS–232, PS/2, PCMCIA, and Universal Serial Bus (USB). Readers are considered standard Windows 2000 devices, and they carry a security descriptor and a Plug and Play identifier. Smart card readers are controlled through standard Windows device drivers and are installed and removed by using the Hardware wizard.
Windows 2000 includes drivers for various commercially available Plug and Play smart card readers that are certified to display the Windows-compatible logo. Some manufacturers might provide drivers for noncertified smart card readers that currently work with Windows 2000. Nevertheless, to ensure continuing support by Microsoft, it is recommended that you purchase only those smart card readers that display the Windows-compatible logo.
The Windows 2000 CSPs includes smart card CSPs from Gemplus SCA and Schlumberger Limited. These CSPs support smart cards from the respective vendors and work with all smart card readers that display the Windows-compatible logo. The smart card CSPs store the issued certificate and the private key on the smart card.
Each smart card vendor provides software that you must install and use to initialize and configure smart cards before they can be deployed. You can use the vendor's software to configure PINs and to configure the number of PIN attempts that are allowed to occur before the smart card locks. You also can use the vendor's software to return locked smart cards to service.
For more information about smart cards, see "Choosing Security Solutions That Use Public Key Technology" in this book.