Smart Card Concepts
This paper is part of a series of white papers known as "The Smart Card Deployment Cookbook."
This paper covers the key technical concepts of smart cards. The purpose is to provide readers with a foundation for understanding the aspects of planning and deployment that are covered in later papers.
After reading this paper, you should be able to answer the following questions:
What is a smart card?
What is Microsoft's strategy for supporting smart cards?
How do Microsoft products support smart cards?
What Is a Smart Card?
Most people have an image of smart cards as rectangular pieces of plastic that resemble credit cards. Although this is often the case, smart cards can take several forms, including:
SIM chips in GSM cellular phones
Smart cards contain a built-in processor and are programmable. Smart cards have secure storage for data, including private keys and public key certificates.
Smart Card Processing Capabilities
Today's smart cards contain 8-bit microcontrollers and hold a minimum of 4KB of information. While the card has processing capability, it must be connected to a PC to be useful for purposes such as smart card logon to a Microsoft Windows 2000 domain. This connection is achieved by placing the card in a smart card reader that is connected to the computer. There is another type of smart card, called a contactless card, that transfers data over radio waves. At this time, however, this type of card is not covered by the PC/SC specification that defines smart cards and readers integrated with Windows.
Smart Card Programmability
Smart cards run embedded operating systems, such as Microsoft Windows for Smart Cards, and in many cases a form of file system in which data can be stored. For features such as Windows 2000 smart card logon, the smart card must be programmable so that it can:
Store a user's key pair.
Store an associated public key certificate.
Retrieve the public key certificate.
Complete private key operations on behalf of the user.
Increasingly, smart cards are generating the key pairs automatically.
A key feature of smart cards is that they provide secure storage for data. Smart cards must support authentication and authorization: the card holder is authenticated through a Personal Identification Number (PIN) or other mechanism, and can be authorized to access only particular data on the card, or carry out a particular range of activities with the card.
Strategy for Supporting Smart Cards
Microsoft views smart cards as a key component of its Public Key Infrastructure (PKI) support. Smart cards enhance software-only solutions, such as client authentication, interactive logon, and secure e-mail. Smart cards are a point of convergence for public-key certificates and associated keys because they:
Provide tamper-resistant storage for protecting private keys and other forms of personal information.
Isolate security-critical computations involving authentication, digital signatures, and key exchanges from other parts of the system.
Enable portability of credentials and other private information between computers at work, at home, or for mobile users.
Smart cards will be increasingly integrated with the Windows operating system for future releases. Ultimately, any operation that currently requires a password can be enabled to use a smart card.
Approach to Supporting Smart Cards
Microsoft encourages the adoption and use of smart cards for several reasons, including:
Hardware interoperability–Encourage a standard model for interfacing smart-card readers and cards with computers.
Application interoperability–Provide reader and card-independent APIs for enabling applications that support smart cards.
Developer support–Provide familiar tools for software development.
Universal support for Windows–Provide smart card support for all Windows operating systems.
The emergence of a standard model that determines the way in which readers and cards interface with a computer enforces interoperability among cards and readers from different manufacturers. In the past, lack of interoperability has been a major reason for the slow adoption of smart cards outside of Europe.
The main standards in the area of smart card and reader interoperability are the International Standards Organization (ISO) 7816 standards for integrated circuit cards with contacts. These specifications focus on interoperability at the physical, electrical, and data-link protocol levels. These standards have been incorporated into the following key initiatives:
Europay, MasterCard, and VISA (EMV)—In 1996, EMV defined an ISO 7816-based smart card specification with a focus on the financial services industry.
Global System for Mobile Communications (GSM)—The European telecommunications industry adopted the ISO 7816 standards for their smart card specification to enable identification and authentication for mobile phone users.
Although these specifications were a step in the right direction, each was either too low-level or application-specific to gain widespread support, and failed to address application interoperability issues. The PC/SC Workgroup was formed in 1996 by computer and smart card companies including Microsoft, Hewlett-Packard, Schlumberger, and Gemplus, to develop specifications that address these issues.
Version 1.0 of the specification was released in December of 1997 and has gained broad industry support. Microsoft assisted by releasing the smart card base components for free Web download for Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me) and Microsoft Windows NT 4.0. The smart card components are included with Windows 2000.
Device-independent APIs insulate application developers from differences between current and future implementations. From the perspective of the application developer, there are three possible mechanisms for programming to smart cards:
The Microsoft Win32 API
CryptoAPI
SCard COM
The mechanism chosen depends on the type of application and the capabilities of a specific smart card.
Win32 APIs are the base-level APIs for accessing smart cards. Effective use of Win32 APIs requires a thorough understanding of the Windows operating system and smart cards. These APIs provide the most flexibility for the application to control readers, cards, and other related components. For developers who require maximum control over the way in which an application uses smart cards, this extension to the base Win32 API provides the necessary interfaces for managing interactions with smart card devices.
CryptoAPI is the Microsoft cryptographic API. CryptoAPI is designed to abstract the details of cryptographic functionality, such as encryption algorithms, so that applications can utilize "pluggable" cryptography. This is achieved by layering the APIs above replaceable cryptographic modules called Cryptographic Service Providers (CSPs). CSPs can be software-only or they can be part of a hardware-based solution in which the cryptographic engine resides on a smart card, or another piece of hardware that is attached to the computer.
In the Microsoft model for accessing smart cards, a smart card CSP is associated with a specific type of smart card, providing the mapping between cryptographic functions exposed through CryptoAPI and the low-level commands accessible through the Win32 smart card APIs. Therefore, the smart card CSP can instruct the smart card to complete specific cryptographic operations. In Windows 2000, Microsoft provides two smart card CSPs to support a variety of Gemplus and Schlumberger smart cards. Other vendors have developed smart card CSPs for their own smart cards.
SCard COM is a non-cryptographic interface implementation provided by Microsoft for accessing generic smart card-based services from applications that are written in different languages, such as C, Microsoft Visual C++, Java, and Microsoft Visual Basic.
SCard COM exposes the non-cryptographic services of a smart card to an application through service providers that support specific interfaces. A smart card interface consists of a predefined set of services, the protocols necessary to invoke the services, and any assumptions regarding the context of the services. This is similar in concept to the ISO 7816-5 Application Identifier, but differs in scope.
A smart card can register support for an interface through association with the interface's globally unique identifier (GUID). This binding between a card and an interface is done when the card is first introduced to the system, typically when the service provider is installed. After the card is introduced to the system, applications can search for smart cards based on a specific interface or GUID. For example, a cash card could be available to Windows-based applications by registering interfaces to access its purse scheme.
As part of the Smart Card Base Components 1.0 release, Microsoft shipped several base-level service providers for performing generic operations, such as card location, command and reply APDU (Application Protocol Data Unit) management, and card file system access. The service providers supplied by Microsoft are implemented as COM interface objects to enable software developers and card providers to develop higher-level service providers and applications.
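As an added illustration (not code from this paper or from the Smart Card Base Components), the following Python encodes short-form command APDUs and parses reply APDUs, mapping the ISO 7816-4 status words a host most often has to act on; the VERIFY and SELECT commands exercised in the test are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CommandAPDU:
    """Command APDU in short-form ISO 7816-4 encoding (cases 1 to 4)."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (Lc bytes), may be empty
    le: Optional[int] = None   # expected reply length; None means no Le field

    def encode(self) -> bytes:
        if len(self.data) > 255 or (self.le is not None and self.le > 256):
            raise ValueError("extended-length APDUs are out of scope here")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le % 256])   # Le = 0x00 encodes "up to 256 bytes"
        return out

@dataclass
class ResponseAPDU:
    """Reply APDU: optional data followed by the status bytes SW1 SW2."""
    data: bytes
    sw1: int
    sw2: int
    _FIXED = {0x9000: "success", 0x6982: "security status not satisfied",
              0x6983: "authentication method blocked", 0x6A82: "file not found"}

    @classmethod
    def parse(cls, raw: bytes) -> "ResponseAPDU":
        if len(raw) < 2:
            raise ValueError("reply shorter than SW1 SW2")
        return cls(bytes(raw[:-2]), raw[-2], raw[-1])

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    def describe(self) -> str:
        # 63Cx carries the remaining retry counter after a failed VERIFY
        if self.sw1 == 0x63 and self.sw2 & 0xF0 == 0xC0:
            return f"verification failed, {self.sw2 & 0x0F} tries left"
        return self._FIXED.get(self.sw, f"status {self.sw:04X}")
```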
The software developer can use standard development tools, such as Visual C++ and Visual Basic, to develop applications and service providers that are enabled for smart cards.
Support for CryptoAPI, Win32, and especially SCard COM enables the development of smart card- and reader-independent applications and service providers with those same tools.
Universal Support for Windows
As previously mentioned, Microsoft Smart Card Base Components 1.0 is available for free Web download for Windows 95, Windows 98, Windows Me, and Windows NT 4.0. Support is also available in Microsoft Windows CE 3.0. Integration of the base components in the Windows 2000 operating system enables support for public-key services, such as logon.
Smart Card Support in Microsoft Products
This section covers the architecture of the smart card subsystem, and smart card features in Windows 2000.
Smart Card Subsystem Architecture
The smart card subsystem consists of the following components:
Resource Manager
Service Providers—Smart card CSPs and SCard COM service providers
Reader device drivers
Reader Driver Library
All smart cards must have at least one service provider in order for Windows-based applications to access card-based services. There can be multiple service providers depending on the type of card and the card issuer. In general, there are two categories of service providers: cryptographic and non-cryptographic.
The smart card Resource Manager runs as a trusted service in a single process. All requests for smart card access are routed through the Resource Manager and then to the smart card reader that contains the requested card. Therefore, the Resource Manager is responsible for managing and controlling all application access to any smart card inserted into any reader that is attached to a Windows-based computer. The Resource Manager provides a given application with a virtual direct connection to the requested smart card.
The Resource Manager performs three basic tasks in managing access to multiple readers and cards. First, it identifies and tracks resources. Second, it controls the allocation of readers and resources across multiple applications. Finally, it supports transaction primitives for accessing services available on a specific card. This is important because current cards are single-threaded devices that often require execution of multiple commands to complete a single function. Transaction control allows multiple commands to be executed without interruption, ensuring that intermediate state information is not corrupted.
A device driver for a specific reader maps the functionality of the reader to the native services provided by the Windows operating system and the smart card infrastructure. The reader device driver communicates card insertion and removal events to the Resource Manager and provides data communications capabilities to and from the card by either the T=0 or the T=1 protocols.
Reader Driver Library
A common driver library is included with Smart Card Base Components 1.0 for use by developers to simplify device driver development. This shared library supports ISO 7816 and common system functions required for data communication between a smart card and a reader. This is a significant improvement over how smart card reader device drivers were developed in the past because there are now standard interfaces for developers to rely upon. These common interfaces enable a smart card reader device driver to be developed in a uniform manner and be accessible to all Windows applications, as opposed to only a select few applications that know how to communicate with a specific reader.
Smart Card Features in Windows 2000
By enhancing software-only solutions such as client authentication and secure messaging, smart cards in Windows 2000 enable applications for future opportunities in the emerging global digital economy. Smart cards offer application developers a secure mechanism for enhancing solutions for enterprise and the consumer.
Client authentication involves identification and validation of a client to a server to establish a secure communications channel. A secure protocol, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), is typically used in conjunction with a trusted public-key certificate that is provided by the client. This certificate identifies the client to the server. For example, the client could be Microsoft Internet Explorer running on a Windows operating system, and the server could be Internet Information Server or another Web server that supports SSL/TLS.
The secure session is established by using public-key authentication with key exchange to derive a unique session key that can then be used to ensure data integrity and confidentiality throughout the session. Additional authentication can be achieved by mapping the certificate to a user or group account with previously established access-control privileges. The smart card enhances the public-key authentication process by serving as a secure store for the private-key material, and as a cryptographic engine for performing a digital signature or key-exchange operation.
Public Key Interactive Logon
In the past, interactive logon meant the ability to authenticate a user to a network by using a form of shared credential, such as a hashed password. Windows 2000 supports public-key interactive logon by using an X.509 version 3 certificate stored on a smart card with the private key. Instead of a password, the user types a Personal Identification Number (PIN) into the Graphical Identification and Authentication (GINA), and the PIN authenticates the user to the card.
The user's public-key certificate is retrieved from the card through a secure process and verified to be valid and from a trusted issuer. During the authentication process, a challenge based on the public key contained in the certificate is issued to the card. This challenge verifies that the card is in possession of, and can successfully use, the corresponding private key.
After successful verification of the public-private key pair, the user's identity contained in the certificate is used to reference the user object stored in the Active Directory to build a token and return a Ticket-Granting Ticket (TGT) to the client. Public key logon has been integrated with the Microsoft implementation of Kerberos version 5 that is compatible with the public-key extension specified in the IETF draft RFC-1510.
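The PIN-gated challenge-response described above, as an added Python sketch that is not Microsoft's code: the card object stands in for the smart card and its CSP, the host function for the logon client, and the RSA key uses constructed tiny primes so the arithmetic is readable (real cards use far larger keys and proper signature padding). Validating the certificate chain is assumed to have happened before the public key is handed to the host function.

```python
import hashlib
import os

# Constructed toy RSA key with tiny primes so the arithmetic is readable;
# a real card holds a 1024-bit or larger key and never exports the private part.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest_mod(challenge: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the key's modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

class ToyCard:
    """Card side: the private exponent never leaves this object, and signing
    is refused until the holder has presented the correct PIN."""
    def __init__(self, pin: str, d: int, n: int, max_tries: int = 3):
        self._pin, self._d, self.n = pin, d, n
        self.tries_left = max_tries
        self.verified = False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False                 # PIN blocked after too many failures
        if pin == self._pin:
            self.verified = True
            return True
        self.tries_left -= 1
        self.verified = False
        return False

    def sign_challenge(self, challenge: bytes) -> int:
        if not self.verified:
            raise PermissionError("security status not satisfied")
        return pow(_digest_mod(challenge, self.n), self._d, self.n)

def host_authenticate(card: ToyCard, cert_pubkey: tuple, pin: str) -> bool:
    """Host side: takes the (e, n) pair from an already-validated certificate.
    A fresh random challenge per attempt means a recorded reply cannot be replayed."""
    e, n = cert_pubkey
    if not card.verify_pin(pin):
        return False
    challenge = os.urandom(16)
    try:
        sig = card.sign_challenge(challenge)
    except PermissionError:
        return False
    return pow(sig, e, n) == _digest_mod(challenge, n)
```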
Secure e-mail is one of the more exciting public-key-enabled applications because it allows users to share information confidentially and to trust that the integrity of the information was maintained during transit. By using Microsoft Outlook Express or Microsoft Outlook, a user can select a public-key certificate issued by a trusted certificate authority to use for digitally signing and decrypting secure messages. By publishing the user's certificate to a public directory in the enterprise or on the Internet, other users in a company or on the Internet can send encrypted e-mail to the user, and vice versa.
A smart card adds a level of integrity to secure e-mail applications because it stores the private key on the card, protected by a PIN. To compromise the private key and send signed e-mail as someone else, an impostor would have to obtain both the smart card and its PIN.
Microsoft Enterprise Services
Glenn Pittaway: Program Manager, Microsoft Security
For information about Enterprise Services, see http://www.microsoft.com/es/.
Companies, organizations, products, people, and events depicted in examples in this paper are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.
Java is a registered trademark of Sun Microsystems.