Understanding and Evaluating Virtual Smart Cards


  • 8/18/2019 Understanding and Evaluating Virtual Smart Cards


Understanding and Evaluating Virtual Smart Cards

    Version 1.2


    Virtual Smart Card Whitepaper 2

    Copyright information

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal reference purposes.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Internet Explorer, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents

1 Introduction
1.1 Purpose
1.1.1 Overview
1.1.2 Audience
1.2 Options for authentication
1.2.1 Passwords
1.2.2 One-time passwords (OTPs)
1.2.3 Smart cards
1.3 Virtual smart cards as an option
2 Comparing virtual smart cards with conventional smart cards
2.1 Technical
2.2 Functional
2.3 Security
2.4 Cost
2.5 Smart card vs. virtual smart card summary
3 Lab setup
3.1 Goal
3.2 Prerequisites
3.3 Step one: Create the certificate template
3.4 Step two: Create the TPM virtual smart card
3.5 Step three: Enroll for the certificate on the TPM VSC
4 Virtual smart card use
4.1 Version of TPM supported
4.2 Using Tpmvscmgr.exe
4.3 Programmatic management of virtual smart cards
4.4 Distinguishing TPM virtual smart card from physical smart cards
4.5 Number of virtual smart cards on a computer
4.6 Number of certificates on a virtual smart card
4.7 PIN, PUK, and admin key requirements
4.8 Changing the PIN
4.9 Authentication
4.9.1 Use case: Two-factor auth-based remote access
4.9.2 Use case: Client authentication
4.9.3 Use case: Virtual smart card redirection for remote desktop connections
4.9.4 Windows To Go and virtual smart cards
4.10 Confidentiality
4.10.1 Use case: S/MIME email encryption
4.10.2 Use case: BitLocker for data volumes
4.11 Integrity
4.11.1 Use case: Signing data
5 Deployment of virtual smart cards
5.1 Creation and personalization
5.1.1 TPM readiness
5.1.2 Creation
5.1.3 Personalization
5.2 Provisioning
5.3 Maintenance


    1 Introduction

1.1 Purpose

1.1.1 Overview

The goal of this document is to present an overview of Trusted Platform Module (TPM) virtual smart cards (VSCs) as an option for strong authentication. It is intended not only to provide the means for evaluating VSC use in an enterprise deployment, but also to provide the information necessary to deploy and manage them.

1.1.2 Audience

This document is intended for those who may be interested in deploying virtual smart cards within their organization. Additionally, information about the deployment of VSCs is included for those who have decided to proceed with deployment.

1.2 Options for authentication

The following sections present several commonly used options for authentication and their respective strengths and weaknesses.

1.2.1 Passwords

A password is a secret string of characters tied to a user's identification credentials (e.g., a user name) which establishes the user's identity. The most commonly used form of authentication, passwords are also the weakest form. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. Password authentication places a great deal of responsibility in the hands of the user: chosen passwords must be sufficiently complex so as not to be easily guessed, but simple enough to be committed to memory and not stored in any physical location. Even if this balance is successfully achieved, a wide variety of attacks exist whereby an adversary can acquire a user's password and take over that person's identity, such as brute force attacks, eavesdropping, and social engineering tactics. Once a password is compromised, the user will often not realize it, and therefore it is easy for an attacker to maintain access to a system once a valid password has been obtained.

1.2.2 One-time passwords (OTPs)

A one-time password is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation; however, assuming secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system he or she is accessing, the interceptor cannot use it for any future transactions. Similarly, if an adversary obtains a valid user's OTP, he or she will have much more limited access to the system (only one session) than with a traditional password. Note that an OTP captured before the legitimate user has submitted it can still be used for that one session, so OTPs limit, rather than eliminate, the damage from interception.

1.2.3 Smart cards

Smart cards are physical authentication devices which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN which provides access to the smart card. Smart cards have three key properties that help maintain their security:

• Non-exportability: Information stored on the card, such as the user's private keys, cannot be extracted from the device and used in another medium.

• Isolated cryptography: Any cryptographic operations related to the card (such as secure encryption and decryption of data, another feature of smart cards) actually happen in a crypto processor on the card, so malicious software on the host computer cannot observe the transactions.

• Anti-hammering: To prevent brute-force access to the card, a set number of consecutive unsuccessful PIN entry attempts will cause the card to block itself until administrative action is taken.

Smart cards provide greatly enhanced security over passwords, as it is much more difficult for an unwelcome individual to gain and maintain access to a system. Most importantly, access to a smart card-protected system requires that users both have a valid card and know the PIN that provides access to that card, and it is extremely difficult for a thief to acquire both of these things (this is known as two-factor authentication, or two-factor auth). Further security is achieved by the singular nature of the card: since only one copy of the card exists, only one individual can use his or her logon credentials at a time, and will quickly notice if the card has been lost or stolen. This reduces the risk window of credential theft hugely when compared to passwords.

Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (both cards and readers must be supplied to employees), and they can also be easily misplaced or stolen.

1.3 Virtual smart cards as an option

To address these issues, Microsoft has developed a technology that provides the security of smart cards while reducing material and support costs. Virtual smart cards (VSCs) emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a VSC, though the Microsoft virtual smart card platform is currently limited to the use of the Trusted Platform Module (TPM) chip onboard most modern computers. This document will mostly concern TPM virtual smart cards.

Virtual smart cards utilizing a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering, as discussed above) while also being less expensive to implement and more convenient for users. Since many corporate computers will already have a TPM built in, there is no cost associated with purchasing new hardware, and the user's possession of a computer is equivalent to the possession of a smart card; a user's identity cannot be assumed from any other computer without administrative provisioning of further credentials. Thus, two-factor auth is achieved: the user must both have a computer set up with the virtual smart card and know the PIN necessary to use the VSC.

In the rest of this document, you will find further technical and functional details of virtual smart cards and associated risks, as well as guidelines and scenarios for the use and deployment of TPM VSCs.


2 Comparing virtual smart cards with conventional smart cards

Virtual smart cards expose the cryptographic capabilities of devices already in possession of users for use with strong two-factor authentication. The VSC platform is designed to make VSCs operate with the same functionality and application-level APIs as conventional smart cards. This section provides an overview of the technical and functional similarities and differences between smart cards and their virtual counterpart, as well as addressing the relative security and cost of the two options.

2.1 Technical

Virtual smart cards function much as conventional smart cards, but differ in that they protect private keys by using the TPM of the computer instead of smart card media. The TPM is utilized through a virtualized smart card and reader, and so appears to applications as a conventional smart card. Private keys on the virtual smart card are protected not by isolation of physical memory, but rather by the cryptographic capabilities of the TPM: all sensitive information stored on the smart card is encrypted by using the TPM and then stored on the hard drive in its encrypted form. Since all cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside of this environment, they remain secure from any malware on the host (as with conventional smart cards). Additionally, if the hard drive is compromised in some way, an attacker will not be able to access keys stored on the VSC, as they are securely encrypted by using the TPM and may be further protected by BitLocker® drive encryption.

Note that this isolation protects the key material, not its use: malware running in the user's session while the PIN has been entered can still request signatures or decryptions through the same smart card API. The VSC should therefore be understood as preventing key theft, not key misuse from the compromised host itself.

Virtual smart cards maintain the three key properties of conventional smart cards:

• Non-exportability: Since all private information on the VSC is encrypted by using the host machine's TPM, it cannot be used on a different machine with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable themselves, so an adversary cannot reverse engineer an identical TPM or install the same one on a different machine.

• Isolated cryptography: TPMs provide the same properties of isolated crypto offered by conventional smart cards, and this is utilized by VSCs. When used, unencrypted copies of private keys are loaded only within the TPM and never into memory accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.

• Anti-hammering: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.

2.2 Functional

The Microsoft virtual smart card system has been designed to closely mimic the functionality of actual smart cards. The most striking difference to the end user, however, is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no methodology for exporting the user's virtual smart card for use on other machines (thus the security of VSCs), but should a user require access to network resources on multiple machines, multiple virtual smart cards can be issued for that user on different machines. Additionally, a machine that is shared among multiple users can host multiple virtual smart cards for different users.

The basic user experience of a virtual smart card is as simple as using a password to access a network; since the smart card is loaded by default, all the user must do to gain access is enter the PIN tied to the card. Users are no longer required to carry with them the cards and readers or take physical action to use the card. Additionally, though the anti-hammering functionality of the VSC is equally secure to that of the smart card, a VSC user will never be required to contact an administrator to unblock the card and will instead just have to wait some period of time (dependent on the specific TPM) before reattempting the PIN entry. Alternatively, the administrator can reset the lockout by providing owner authentication data to the host machine's TPM.

2.3 Security

Conventional smart cards and TPM virtual smart cards offer comparable levels of security. They both implement two-factor auth to provide strong authentication for the use of network resources and offer the same benefits and guarantees related to two-factor auth. However, they differ in certain aspects related to their form factors, including the physical security of the device and the practicality of issuing any sort of attack on the device.

Smart cards in their traditional form factor offer little opportunity for acquisition by a potential adversary. Due to their compact and portable design, smart cards are most frequently kept close to their intended user, and any sort of interaction with the card is difficult without committing to some variety of theft. TPM VSCs, however, reside on a user's computer that may frequently be left unattended, providing an adversary ample opportunity to hammer the device. Though virtual smart cards are just as fully protected from hammering as are conventional smart cards, this accessibility makes the logistics of an attack somewhat simpler. Additionally, as mentioned above, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to a full block. Because the TPM's dictionary-attack counter is a property of the TPM rather than of one card, hammering one user's VSC on a shared computer also delays the other VSCs on that machine until the lockout expires or is reset.

Mitigating these slight security deficits, however, are several advantages provided by virtual smart cards. Most importantly, a virtual smart card is much less likely to be lost or misplaced compared to a conventional smart card; since VSCs utilize devices that the user already owns for other purposes, they're no longer a single-purpose accessory and are instead integrated into an otherwise useful device that the user will have more incentive to keep track of. Should the device hosting the VSC be lost or stolen, a user will more immediately notice its loss than he or she would notice the loss of a conventional smart card; employees are much more likely to use their corporate laptop over a long weekend than a smart card, for example. Once the device has been identified as lost, the user can notify the administrator of the system, who can revoke the certificate associated with the VSC on that device and thus preclude any future unauthorized access from that machine (should the PIN for the VSC be compromised).
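The lockout behavior described in sections 2.2 and 2.3 can be observed and, where the owner authorization is available, cleared from PowerShell. The following is an added example and not part of the whitepaper; it assumes Windows 8 or later with the TrustedPlatformModule module, run from an elevated session. Get-Tpm, Unblock-Tpm and the properties shown are the module's own; the function names are ours.

```powershell
# Added example (not from the whitepaper): inspect the TPM anti-hammering state that
# backs a TPM virtual smart card, and let an administrator clear it with the TPM owner
# authorization. Assumes Windows 8+ with the TrustedPlatformModule module, run elevated.

function Get-TpmLockoutState {
    # Get-Tpm exposes the dictionary-attack counters the TPM keeps for failed
    # authorizations; a wrong VSC PIN is one such failure.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        LockedOut       = $tpm.LockedOut        # True while the TPM rejects authorization attempts
        LockoutCount    = $tpm.LockoutCount     # failed attempts currently counted
        LockoutMax      = $tpm.LockoutMax       # threshold at which the TPM enters lockout
        LockoutHealTime = $tpm.LockoutHealTime  # how long until the counter decays (TPM-specific)
    }
}

function Test-VscPinLockoutRisk {
    # Warn before the next wrong PIN would trip the TPM lockout; useful on a shared or
    # unattended machine, where section 2.3 notes an attacker has more chance to hammer.
    param([int]$Margin = 1)
    $s = Get-TpmLockoutState
    if ($s.LockedOut) {
        return 'TPM is locked out: wait for the heal time or reset with owner authorization'
    }
    $left = $s.LockoutMax - $s.LockoutCount
    if ($s.LockoutMax -gt 0 -and $left -le $Margin) {
        return "only $left authorization failure(s) left before lockout"
    }
    'ok'
}

function Reset-VscPinLockout {
    # Clears the TPM lockout using the owner authorization (section 2.2: the administrator
    # resets the lockout by providing owner authentication data to the TPM). Pass either the
    # owner authorization string or the .tpm backup file saved from TPM Management.
    [CmdletBinding()]
    param(
        [Parameter(ParameterSetName = 'Auth', Mandatory)][string]$OwnerAuthorization,
        [Parameter(ParameterSetName = 'File', Mandatory)][string]$OwnerAuthFile
    )
    if ($PSCmdlet.ParameterSetName -eq 'File') { Unblock-Tpm -File $OwnerAuthFile }
    else { Unblock-Tpm -OwnerAuthorization $OwnerAuthorization }
    Get-TpmLockoutState
}

Get-TpmLockoutState | Format-List
Test-VscPinLockoutRisk
```

LockoutMax and LockoutHealTime are set by the TPM, not by Windows, which is why the wait after repeated PIN failures is described above as dependent on the specific TPM. On current Windows versions the TPM owner authorization is usually not retained on the machine, so the reset path may be unavailable and the lockout simply has to expire.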

2.4 Cost

In a traditional smart card situation, a company that wants to deploy the technology will need to purchase both smart cards and smart card readers for all employees. Though relatively cheap options for smart cards can be found, those that ensure the three key properties of smart card security (most notably non-exportability) are more expensive. TPM virtual smart cards, however, can be deployed with no additional material cost as long as employees have computers with built-in TPMs; these machines are relatively common on the modern market.

Additionally, the maintenance cost of virtual smart cards is reduced over that of the conventional option. Where traditional smart cards are easily lost, stolen, or broken from normal wear and tear, TPM virtual smart cards are only lost or broken if the host machine is lost or broken, which in most cases is much less frequent.

2.5 Smart card vs. virtual smart card summary

Conventional smart cards: Protect private keys by using the built-in crypto functionality of the card.
TPM virtual smart cards: Protect private keys by using the crypto functionality of the TPM.

Conventional smart cards: Store private keys in isolated, non-volatile memory on the card, access them only from the card, and never allow operating system access.
TPM virtual smart cards: Store encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used on the TPM itself, not in operating system-accessible memory.

Conventional smart cards: Non-exportability guaranteed by the card manufacturer, who can claim the isolation of private information from operating system access.
TPM virtual smart cards: Non-exportability guaranteed by the TPM manufacturer, who can claim the inability of an adversary to replicate or remove the TPM.

Conventional smart cards: Cryptographic operations are performed with, and isolated within, the built-in capabilities of the card.
TPM virtual smart cards: Cryptographic operations are performed on, and isolated upon, the TPM of the user's computer.

Conventional smart cards: Anti-hammering is provided by the card itself: after a certain number of failed PIN entry attempts, the card will block itself to further access until administrative action.
TPM virtual smart cards: Anti-hammering is provided by the TPM: successive failed attempts increase the device lockout, or the time the user has to wait before trying again. This can be reset by an administrator.

Conventional smart cards: Users must carry their smart card and smart card reader with them for access to network resources.
TPM virtual smart cards: Users never need more than their TPM-enabled computer for strong authentication into the network.

Conventional smart cards: Credential portability is achieved by inserting the smart card into smart card readers attached to other computers.
TPM virtual smart cards: Credentials cannot be exported from a given computer, but virtual smart cards can be issued for the same user on multiple computers by using additional certificates.

Conventional smart cards: Multiple users can access network resources through the same computer by each inserting their personal smart card.
TPM virtual smart cards: Multiple users can access network resources through the same computer by each being issued a TPM virtual smart card on that computer.

Conventional smart cards: The card is kept on the person of the user, making it more difficult for an attacker to access the device and launch a hammering attempt.
TPM virtual smart cards: The virtual smart card is stored on the user's computer, which may be left unattended, allowing a greater risk window for hammering.

Conventional smart cards: The smart card device is generally a single-purpose device carried explicitly for the purpose of authentication, and is easily misplaced or forgotten.
TPM virtual smart cards: The virtual smart card is installed on a device that has other purposes to the user, and thus the user has greater incentive to be responsible for the device.

Conventional smart cards: If lost or stolen, a user will only notice the absence of the card when he or she needs to log on.
TPM virtual smart cards: Since the VSC is installed on a device that the user likely needs for other purposes, he or she will notice its loss much more quickly, thus reducing the associated risk window.

Conventional smart cards: To deploy a conventional smart card system, a company must invest in smart cards and smart card readers for all employees.
TPM virtual smart cards: To deploy TPM virtual smart cards, a company must only ensure that all employees have TPM-enabled computers, which are relatively common.

Conventional smart cards: Smart card removal policy can be used to affect system behavior when the smart card is removed. For example, the policy can dictate whether the user's logon session is locked or terminated (sign-off) when the user removes the card from the reader.
TPM virtual smart cards: Since a TPM virtual smart card is always inserted and cannot be removed from the reader, the smart card removal policy does not apply to TPM virtual smart cards.


3 Lab setup

3.1 Goal

This section describes how to set up a basic test environment for TPM virtual smart cards. At the end of this lab, the reader will have configured a single TPM virtual smart card to experiment with.

Important: This basic test configuration is for test purposes only and is not intended for use in a production environment.

3.2 Prerequisites

To participate in this lab, you will need:

• A computer running Windows® 8 with an installed and fully functional TPM.

• A fully ready domain setup with a Windows 8 client connected to the domain.

• Access to any domain server with a fully installed and running certification authority (CA).

3.3 Step one: Create the certificate template

On your domain server, you will need to create a template for the certificate that you will request for the virtual smart card. To do so:

1) On your server, open Microsoft Management Console (MMC). You can type mmc from the Start menu to access the MMC.

2) Select File -> Add/Remove Snap-in.


3) In the available snap-ins list, click Certificate Templates and add it.

4) Certificate Templates is now located under Console Root in the MMC window. Double-click it to view all available certificate templates.

5) Right-click the Smartcard Logon template and click Duplicate Template.


is located, probably Local Computer.

3) In the left panel of the MMC, expand Certification Authority (Local) and then expand your CA within the Certification Authority list.

4) Right-click Certificate Templates and then click New -> Certificate Template to Issue.

5) From the list, select the new template that you just created (TPM Virtual Smart Card Logon) and then click OK. Note that it may take some time before your template replicates to all servers and becomes available in this list.


3.4 Step two: Create the TPM virtual smart card

1) On a domain-joined computer running Windows 8, open a command shell with administrative privileges. To do so, type cmd on the Start menu, right-click the command prompt program icon, and then click Run as administrator.

2) At the command prompt, type the following and then press ENTER:

tpmvscmgr.exe create /name tpmvsc /pin prompt /adminkey random /generate

This will create a virtual smart card with the name tpmvsc, omitting the unlock key (PUK) and generating the file system on the card. Because /adminkey random does not retain the generated admin key, the PIN of this card cannot later be reset by an administrator; that is acceptable for a lab card. (For further use of Tpmvscmgr.exe, see section 4.2.)

3) You will be prompted for a PIN. Enter a PIN that is at least 8 characters in length and confirm it.

4) Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will notify you of the device instance ID for the TPM VSC. Store this ID for later reference, as you will need it to manage or remove the VSC.

3.5 Step three: Enroll for the certificate on the TPM VSC

To become fully functional, the virtual smart card must be provisioned with a logon certificate. To do so:

1) Open the Certificates console (type certmgr.msc on the Start menu).

2) Right-click Personal and then click All Tasks -> Request New Certificate.

3) Follow the prompts and, when offered a list of templates, select the TPM Virtual Smart Card Logon check box (or whatever you named the template in step one).

4) If prompted for a device, select the Microsoft virtual smart card corresponding to the one you created in the previous section. It will show as Identity Device (Microsoft Profile).

5) Enter the PIN for the TPM smart card that you entered when you created the VSC, and then click OK.


4 Virtual smart card use

4.1 Version of TPM supported

Any TPM that adheres to Trusted Computing Group (TCG) specification version 1.2 or later is supported for use as a virtual smart card. For more information, see the TPM Main Specification.

4.2 Using Tpmvscmgr.exe

To allow end-user creation and deletion of TPM virtual smart cards, the Tpmvscmgr.exe utility is included in-box with Windows 8. Following is a brief usage guide for this tool.

Tpmvscmgr.exe – allows creation and deletion of TPM virtual smart cards. Must be run with administrative privileges. For alphanumeric inputs, the full 127-character ASCII set is allowed.

create – sets up a new virtual smart card on the user's system. Returns the instance ID of the newly created card for later reference in deletion. The instance ID is of the format ROOT\SMARTCARDREADER\000n, where n starts from 0 and is increased by 1 each time you create a new virtual smart card.

/name – parameter indicating the name of the new virtual smart card. The /name parameter is a required field for the create command.

/AdminKey – parameter indicating the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.

DEFAULT specifies the default value of 010203040506070801020304050607080102030405060708

/PIN – parameter indicating the desired user PIN value.

DEFAULT specifies the default PIN of 12345678

Neither DEFAULT value is suitable outside a lab: the default admin key is public and allows anyone to reset the PIN, and the default PIN is the first guess an attacker will make. Supply your own values, or use PROMPT to be asked for them interactively.
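The lab's step two and step three, the TPM checks behind the prerequisites in 3.2 and 4.1, and the Tpmvscmgr.exe parameters above can be scripted. The following is an added example, not from the whitepaper: it assumes an elevated Windows PowerShell session on a domain-joined Windows 8 or later client, the template from step one published under the template name TPMVirtualSmartCardLogon and restricted to a smart card provider such as the Microsoft Smart Card Key Storage Provider (so the key is generated on the VSC and the PIN is prompted for), and the PKI and TrustedPlatformModule modules present. The function names are ours; Tpmvscmgr.exe, Get-Tpm, Win32_Tpm, Get-Certificate and certutil are the real tools.

```powershell
# Added example (not from the whitepaper): script lab steps two and three with the
# TPM checks from sections 3.2 and 4.1 in front. Assumes an elevated session on a
# domain-joined Windows 8+ client and a published TPMVirtualSmartCardLogon template.

function Test-TpmForVirtualSmartCard {
    # Section 4.1: the TPM must follow TCG specification 1.2 or later, and be ready for use.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is absent or not ready' }
    $wmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    # SpecVersion looks like "1.2, 2, 3" or "2.0, 0, 1.38"; the first field is the TCG version.
    $spec = [version](($wmi.SpecVersion -split ',')[0].Trim())
    if ($spec -lt [version]'1.2') { throw "TPM specification $spec is older than 1.2" }
    $spec
}

function New-TpmVirtualSmartCard {
    param([string]$Name = 'tpmvsc')
    # /pin prompt asks for the PIN interactively (section 4.2: DEFAULT would mean 12345678,
    # fine only in a lab). /adminkey random generates an admin key that is not retained, so
    # nobody can reset this card's PIN later. /generate formats the card's file system so
    # a certificate can be enrolled onto it.
    $out = & "$env:SystemRoot\System32\tpmvscmgr.exe" create /name $Name /pin prompt /adminkey random /generate 2>&1
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe create failed: $out" }
    # The tool prints the reader's device instance ID (ROOT\SMARTCARDREADER\000n); keep it,
    # it is the handle for "tpmvscmgr.exe destroy".
    $m = [regex]::Match(($out -join "`n"), 'ROOT\\SMARTCARDREADER\\\d{4}')
    if (-not $m.Success) { throw "no instance ID in output: $out" }
    $m.Value
}

function Request-VscLogonCertificate {
    param([string]$Template = 'TPMVirtualSmartCardLogon')
    # Step three without the Certificates console: Get-Certificate enrolls against the
    # domain CA. Assumption: the template is restricted to a smart card provider, so Windows
    # prompts for the VSC PIN and generates the key pair inside the TPM virtual smart card.
    $r = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
    if ($r.Status -ne 'Issued') { throw "enrollment ended with status $($r.Status)" }
    $r.Certificate
}

function Remove-TpmVirtualSmartCard {
    param([Parameter(Mandatory)][string]$InstanceId)
    & "$env:SystemRoot\System32\tpmvscmgr.exe" destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw 'tpmvscmgr.exe destroy failed' }
}

# Lab flow: check the TPM, create the card, enroll, then confirm what the OS sees.
$spec = Test-TpmForVirtualSmartCard
Write-Host "TPM specification $spec, ready"
$instanceId = New-TpmVirtualSmartCard -Name 'tpmvsc'
$cert = Request-VscLogonCertificate
"$instanceId -> $($cert.Subject) $($cert.Thumbprint)"
certutil -scinfo   # lists readers, cards and the certificates on them
# Remove-TpmVirtualSmartCard -InstanceId $instanceId   # when the lab is over
```

certutil -scinfo is the quickest way to confirm that the certificate and its key really live on the virtual reader rather than in a software key store. If more than one smart card is present, Windows asks which card to enroll onto; a wrong choice there puts the key on a physical card instead of the VSC.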


4.3 Programmatic management of virtual smart cards

Virtual smart cards can also be created and deleted by using APIs. For more information, see the TpmVirtualSmartCardManager and RemoteTpmVirtualSmartCardManager classes and the ITpmVirtualSmartCardManager and ITPMVirtualSmartCardManagerStatusCallback interfaces:

http://msdn.microsoft.com/en-us/library/windows/desktop/hh707171(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/hh707166(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/hh707160(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/hh707161(v=vs.85).aspx

You can use APIs introduced in Windows 8.1 and Windows Server 2012 R2 in the Windows.Devices.SmartCards namespace to build Windows Store apps that manage the full lifecycle of virtual smart cards. For information on how to build an app to do this, see Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9 (http://channel9.msdn.com/Events/Build/2013/2-041).

The following table describes the features that can be developed in a Windows Store app:

Feature | Physical smart card | Virtual smart card
Query and monitor smart card readers | Yes | Yes
List available smart cards in a reader, retrieve the card name, and retrieve the card ID | Yes | Yes
Verify if the admin key of a card is correct | Yes | Yes
Provision (or reformat) a card with a given card ID | Yes | Yes
Change the PIN by entering the old PIN and then specifying the new PIN | Yes | Yes
Change the admin key, reset the PIN, or unblock the smart card using a challenge/response | Yes | Yes
Create a virtual smart card | Not applicable | Yes
Delete a virtual smart card | Not applicable | Yes
Set PIN policies | No | Yes

    ;or information a%out these Windows /7Is see@• Windows.0evices.SmartCards namespace 9Windows:

    [email protected]%rar&4windows4apps4windows.devices.smartcards.aspx :

    • Windows.Securit&.Cr&pto!raph&.Certi'cates namespace 9Windows:[email protected]%rar&4windows4apps4windows.securit&.cr&pto!raph&.certi'cates.aspx

4.4 Distinguishing TPM virtual smart cards from physical smart cards

The TPM virtual smart card has an icon that is different from a regular smart card. This helps the user visually distinguish the TPM virtual smart card from physical smart cards. The icon is displayed during logon and on various other screens that require the user to enter the PIN for the TPM virtual smart card.

The TPM virtual smart card is labeled Security Device in the user interface.

4.5 Number of virtual smart cards on a computer

Windows supports a maximum of 10 smart cards connected to a computer at a time. This includes physical and virtual smart cards combined. You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Since all smart cards appear as always inserted, if more than one person shares a computer, each person will be able to see all virtual smart cards created on that computer. If a user knows the PIN values for all of those smart cards, the user will also be able to use them.

4.6 Number of certificates on a virtual smart card

A single TPM virtual smart card can contain 30 distinct certificates along with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on the card exceeds 90. The total number of certificates differs from the total number of private keys because a renewal can sometimes be done with the same private key, in which case a new private key is not generated.

4.7 PIN, PUK, and admin key requirements

The PIN and the PUK must be a minimum of 8 characters. They need not contain only digits, even though the name suggests a Personal Identification Number. You can enter digits, letters, and special characters.

The admin key must be entered as 48 hexadecimal characters. It is a 3-key triple DES key, used with ISO/IEC 9797 padding method 2 in CBC chaining mode.

4.8 Changing the PIN

The PIN for a TPM virtual smart card can be changed by pressing Ctrl+Alt+Del and then selecting the TPM virtual smart card under Sign-in options, if it is not already selected.

4.9 Authentication

4.9.1 Use case: Two-factor auth-based remote access

After a user has a fully functional TPM virtual smart card provisioned with a logon certificate, the logon certificate is used to gain strongly authenticated access to corporate resources. With the proper certificates provisioned on the virtual card, the user need only provide the PIN to the VSC, as if it were a conventional smart card, to be logged on to the domain.

In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user requesting authentication both knows the VSC PIN and has possession of the personal computer on which the card has been provisioned. Since this request could not possibly have originated from a system other than the one certified by the domain for this user's access, and the user could not have initiated the request without knowing the PIN, strong two-factor authentication is established.

4.9.2 Use case: Client authentication

Virtual smart cards can also be used for client authentication over SSL or a similar technology. As with domain access using a VSC, an authentication certificate can be provisioned to the virtual smart card and presented to a remote service when it requests client authentication. This again adheres to the principles of two-factor authentication, because the certificate is only accessible from the computer hosting the VSC, and the user is required to enter the PIN for initial access to the card.

4.9.3 Use case: Virtual smart card redirection for remote desktop connections

The two-factor authentication associated with virtual smart cards relies on the proximity of the user to the computer through which he or she accesses domain resources. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the VSCs located on the remote computer cannot be used during the remote session. However, the VSCs stored on the connecting computer (which is under the physical control of the user) are loaded onto the remote computer and can be used as if they were installed using the remote computer's TPM. This extends a user's privileges to the remote computer while maintaining the principles of two-factor authentication. To support this functionality, the minimum version of Windows on the remote server is Windows 7 SP1 / Windows Server 2008 R2 SP1, or a later version.

4.9.4 Windows To Go and virtual smart cards

Virtual smart cards work well with Windows To Go, where a user may boot into Windows 8 from a compatible USB drive. A virtual smart card can be created for the user in this case, and it will be tied to the TPM of the physical host computer to which the USB drive is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used in scenarios where a single physical computer is shared by many users: each user can be given a Windows To Go USB drive that has the virtual smart card provisioned for that user, so that each user can access only his or her own virtual smart card.

4.10 Confidentiality

4.10.1 Use case: S/MIME email encryption

Conventional smart cards are designed to hold private keys that can be used for email encryption and decryption, and this functionality carries over to virtual smart cards as well. By encrypting emails using S/MIME with a user's public key, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email.

This assurance is a result of the non-exportability of the private key: it never exists within reach of malware or any adversary, and it remains protected by the TPM even during decryption.

4.10.2 Use case: BitLocker for data volumes

Microsoft BitLocker technology uses symmetric-key encryption to protect the contents of a user's hard drive, ensuring that if physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored on a virtual smart card, which requires not only knowledge of the VSC PIN to access the drive but also possession of the computer hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult.

BitLocker can also be used to encrypt portable drives, and keys stored on virtual smart cards can be employed for this as well. In this scenario, unlike using BitLocker with a traditional smart card, the encrypted drive can only be used when connected to the host of the VSC that was used to encrypt it, because the BitLocker key is only accessible from that computer. However, this can be useful for securing backup drives and personal storage outside the main hard drive.

4.11 Integrity

4.11.1 Use case: Signing data

To verify authorship of certain data, the user can sign it by using a private key stored on the virtual smart card. Digital signatures assert non-repudiation, or confirmation of the integrity and origin of the data. This non-repudiation is only as strong as the protection of the individual's private key: if the key is stored in operating-system-accessible memory, it can be acquired by malware and used by adversaries to modify already signed data or even spoof the identity of the key's owner. However, if the key is stored on a virtual smart card, it can only be used to sign data on the host computer and cannot be exported (either intentionally or unintentionally, as with malware theft) to other systems, making digital signatures far more secure than with other methods of private key storage.

5 Deployment of virtual smart cards

Traditional identity devices, such as conventional smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.

With physical devices, the device itself is created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device then passes through the personalization stage, where its unique properties are set; in the case of smart cards, these properties are the admin key, PIN, and PUK of the card, as well as its physical appearance. In device provisioning, the identity device is loaded with whatever certificates are required for use (such as a logon certificate). After provisioning, the device is ready for use, and the deployment must simply be maintained: cards must be replaced when lost or stolen, PINs must be reset when forgotten by the user, and so on. Finally, devices must be retired when they exceed their intended lifetime or when an employee leaves the company.

In the following sections, the lifecycle of identity devices is discussed in the context of TPM virtual smart cards, including the process and requirements for each stage. Many phases are best executed by using a card management solution, and these sections discuss this process and what is accomplished with either an in-house or a purchased solution.

5.1 Creation and personalization

5.1.1 TPM readiness

Because the security provided by a TPM virtual smart card relies on the proper functioning of the computer's TPM, the TPM must be fully provisioned on the intended host of the VSC. The TPM Provisioning Wizard, launched from the TPM Management Console (tpm.msc), takes the user through all the steps to ready the TPM for use. For the final state of the TPM as it applies to virtual smart cards, several things are important:

• Enabled/Activated: TPMs come built in with many industry-ready computers currently on the market, but they are often not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS.

• Ownership Taken: As part of provisioning the TPM, an owner password is set to manage the TPM in the future, and the Storage Root Key (SRK) is established. To be able to reset the anti-hammering lockout for VSC use, either the user or a corporate (domain) administrator must have access to the TPM owner password. For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by disallowing storage of it in the local registry. Instead, it should be stored in Active Directory®. For more information, see Trusted Platform Module Technology Overview (http://technet.microsoft.com/library/jj131725.aspx). Where TPM ownership was taken in Windows Vista®, the TPM will need to be cleared and reinitialized.

• Managed: By using this owner password, it is possible to change the owner password (manage ownership) and reset the lockout of the chip (manage the anti-hammering logic for VSCs).

Sometimes a TPM may present itself in reduced functionality mode. This can occur, for example, when the operating system is not able to determine whether the owner password is available to the user. In those cases, the TPM may still be used for creating a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that unexpected circumstances do not leave the user blocked from using the computer.

Smart card deployment management tools that want to check the status of a TPM before attempting to create a TPM virtual smart card can do so by using the TPM WMI interface.

Depending on the setup of the computer designated for TPM VSC installation, it may be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see the "Troubleshooting" section of this document.

For more information about managing TPMs by using the built-in tools in Windows 8, see Windows 8 TPM Group Policy Settings (http://technet.microsoft.com/library/jj679889.aspx).

5.1.2 Creation

A TPM virtual smart card is created as a simulation of a physical smart card, using the TPM to provide the same functionality as conventional smart card hardware. It appears within the operating system as a conventional smart card that is always inserted. Windows 8 presents a virtual card reader and virtual card to applications with the same interface as conventional smart cards, but messages to and from the VSC are translated into TPM commands, which ensures the integrity of the virtual smart card through the three properties of smart card security:

• Non-exportability: All information stored on the VSC is encrypted with the TPM.

• Isolated cryptography: Cryptographic operations can be executed on the TPM itself, so private information used for encryption/decryption is never revealed to any application.

• Anti-hammering: The anti-hammering logic of the TPM protects virtual smart cards from brute-force attacks.

There are several options for creating virtual smart cards, depending on the size and budget of the deployment. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users' computers, as described in the "Virtual smart card use" section. Alternatively, a virtual smart card management solution can be purchased to accomplish VSC creation more easily on a larger scale and to aid in further phases of deployment. VSCs can be created either on computers that have yet to be handed off to the employee or on those already in employees' possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on it.

5.1.3 Personalization

During virtual smart card personalization, the values for the admin key, PIN, and PUK are assigned. As with a conventional card, recording the admin key is important for being able to reset the PIN or wipe the card in the future. If a PUK is set, however, the admin key can no longer be used to reset the PIN.

Because the admin key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper admin key strategy. Options for these strategies include:

• Uniform: Admin keys for all deployed virtual smart cards are the same. While this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy may be sufficient for very small organizations, but if the admin key is compromised, all cards using this key must be re-issued.

• Random, not stored: Admin keys are assigned randomly to all virtual smart cards and not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs and instead prefer to delete and re-issue cards to achieve this. It can also be a viable strategy if the admin prefers to set the cards' PUK values and use those to reset PINs when necessary.

• Random, stored: Admin keys are assigned randomly and stored in some central location. This is secure on a large scale: unless the admin key database is compromised, each card's security is independent of the others'.

• Deterministic: Admin keys are the result of some function of known information. For example, the user ID and card ID values could be used as seeds for generating some data that is further processed through a symmetric encryption algorithm, using a secret, to produce an admin key. The admin key can be re-generated the same way when needed and does not need to be stored. The security of this method relies on the security of the secret used.

Though the admin key and PUK can both provide unlocking/resetting functionality, they do so in different ways. The PUK is a PIN that must simply be entered on the computer to enable a user PIN reset, while the admin key method takes a challenge/response approach. In the latter case, the card provides a set of random data that the user reads (after verification of identity) to the deployment admin. The admin then encrypts the data with the admin key (obtained as above) and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card allows the PIN reset. Since the admin key is never in the hands of anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including the employee), and thus it has significant security benefits beyond using a PUK, an important consideration during the personalization process.

TPM virtual smart cards can be personalized on an individual basis during creation with the Tpmvscmgr.exe tool, or a purchased management solution can incorporate personalization into an automated routine. A further advantage of such a solution is the automated creation of admin keys; Tpmvscmgr.exe allows users to create their own admin keys, which can be detrimental to the security of the VSC (as discussed above).

5.2 Provisioning

Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates created to give users access to a specific service, such as domain logon. A maximum of 30 certificates is allowed on each virtual smart card. As with conventional smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.

A high assurance level of secure provisioning requires absolute certainty of the identity of the individual who is receiving the certificate. Therefore, one method of high assurance provisioning is to use previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, as an individual can easily and securely prove his or her identity with a passport or driver's license, though this can become infeasible on a larger scale. To achieve a similar level of assurance, a large deployment can implement an enroll-on-behalf-of (EOBO) strategy in which each employee is enrolled with his or her credentials by a superior who can personally verify the person's identity. This creates a chain of trust that ensures that each individual is checked in person against his or her proposed identity, but without the administrative strain of provisioning all VSCs from a single central enrollment station.

For deployments in which a high assurance level is not a primary concern, self-service solutions can be used. These can include going to an online portal to obtain credentials or simply enrolling for certificates by using Certmgr.msc (as in the lab), depending on the deployment. It must be kept in mind, however, that VSC authentication will only be as strong as the method of provisioning: if weak domain credentials (such as a password alone) are used to request the authentication certificate, VSC authentication will be equivalent to using the password itself, and the benefits of two-factor authentication are lost.

Both high assurance and self-service solutions approach VSC provisioning assuming that the user's computer has been issued prior to the VSC deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user ever comes into contact with it. In this situation, provisioning becomes relatively simple, but checks must be put in place to ensure that the recipient and user of the computer is the individual expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment admin or manager.

A further consideration beyond methods of provisioning is the longevity of the credentials supplied to virtual smart cards. This choice must be based on the risk appetite of the organization. While longer-lived credentials are more convenient, they are also more likely to become compromised during their greater lifetime. To decide on the appropriate lifetime of credentials, the deployment must take into account the vulnerability of their cryptography (how long it can take to crack the credentials) as well as the likelihood of attack.

Should a given virtual smart card be compromised, as with a lost or stolen laptop, the organization should also be able to revoke the associated credentials. This requires some record of which credentials match which user and computer, functionality that does not exist natively in Windows. Deployment admins may want to consider add-on solutions to maintain such a record.

5.3 Maintenance

Maintenance is by far the largest portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. Once created, personalized, and provisioned, VSCs can be used for convenient two-factor authentication, but deployment administrators must be aware of several common administrative scenarios. Each of these can be approached with a purchased virtual smart card solution or accomplished on a case-by-case basis with in-house methods.

Renewal of virtual smart card credentials is a regular task necessary to preserve the security of a VSC deployment. Renewal is the result of a signed request from the user in which he or she specifies the key pair

desired for the new credentials. Depending on user choice or deployment specification, the user can request credentials with the same key pair as before or choose a newly generated key pair. When renewing with a previously used key, no extra steps are required, because a certificate with this key was issued under strong proofing during the initial provisioning. However, when renewing with a new key, the same steps taken during provisioning to assure the strength of the credential (in-person proofing, EOBO, etc.) must be taken. Renewal with new keys should occur periodically to counter sophisticated long-term cracking attempts, but when this is done, steps must be taken to ensure that the new keys are being used by the expected individual on the same virtual smart card as before.

Resetting virtual smart card PINs is also a frequent necessity, should an employee forget his or her PIN. There are two ways to accomplish this, depending on choices made earlier in the deployment: using a PUK if the PUK is set, or using challenge/response with the admin key (each discussed in the earlier "Personalization" subsection). Before resetting the PIN, however, the user's identity must be verified by some means other than the card, most easily the verification method used during initial provisioning (e.g., in-person proofing). This is necessary in user-error scenarios when the PIN has been forgotten, but it should never be employed if the PIN is compromised. As above, the level of vulnerability after exposure of the PIN is difficult to identify, so in that case the entire card should be reissued.

A frequent precursor to PIN reset is the need for a TPM lockout reset, as the TPM anti-hammering logic is engaged by multiple PIN entry failures for a virtual smart card. This is currently device-specific.

The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access, and revoking the logon credentials at the certification authority (CA) accomplishes this goal. However, the card should also be reissued if the same computer is to be used by other employees without an operating system reinstall. Reusing the former card may allow the ex-employee to change the PIN post-employment and/or hijack the certificates belonging to the new user for unauthorized domain access. Should the employee take the VSC-enabled computer, however, it is only necessary to revoke the certificates stored on his or her card.

5.3.1 Emergency preparedness

5.3.1.1 Card re-issuance

The most common scenario is the reissuance of virtual smart cards, which can be necessary if the operating system is reinstalled or the card is compromised in some manner. Reissuance is essentially the recreation of the card from the ground up: establishing a new PIN and admin key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example if the VSC-protected computer is exposed to an adversary who may have access to the correct PIN, as reissuance is the most secure response to an unknown exposure of the card's secrets. Additionally, reissuance is necessary after an operating system reinstallation, because the virtual smart card device profile is removed with all other user data upon reinstall.

5.3.1.2 Blocked virtual smart card

The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. As previously mentioned, a physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card, however, behaves differently: it goes into a timed delay after the user enters the wrong PIN a few times. Once the TPM is in the timed delay mode and the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if integrated unblock is enabled, the user may be shown the user interface to unblock the virtual smart card. Unblocking the virtual smart card DOES NOT reset the TPM lockout. The user will need to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.

Introduced in Windows 8.1 and Windows Server 2012 R2, the virtual smart card works with the behavior of the TPM to allow multiple wrong PIN attempts without triggering the anti-hammering protection of the TPM. If the user enters the wrong PIN 5 consecutive times for a virtual smart card, the card gets blocked. Each wrong PIN is still checked against the TPM. Once the card is blocked, it has to be unblocked using the admin key or the PUK. Typically, the unblock process is managed by a virtual smart card management system.

For more information about the TPM's anti-hammering protection capabilities, see "8.4 Virtual smart card anti-hammering details" in this document.

6 Troubleshooting

A TPM virtual smart card can fail during its creation or use for a few reasons, described in the following sections.

6.1 TPM not provisioned

For a TPM virtual smart card to function properly, a provisioned TPM must be available on the system. If the TPM is disabled in the BIOS, or is not provisioned with full ownership taken and the Storage Root Key (SRK) established, TPM virtual smart card creation will fail.

Furthermore, if the TPM is reinitialized after creating a virtual smart card, the card will no longer function and will need to be re-created.

If TPM ownership was established from a Windows Vista installation, the TPM will not be ready for use with a virtual smart card. The system administrator will need to clear and reinitialize the TPM in order for it to be suitable for creating a TPM virtual smart card.

If the operating system is re-installed, any prior TPM virtual smart cards will no longer be available and will need to be re-created. If the operating system is upgraded, any prior TPM virtual smart cards will be available for use in the upgraded operating system.

6.2 TPM in lockout

Sometimes, due to frequent incorrect PIN attempts by a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it will be necessary either to reset the lockout on the TPM by using the owner password or to wait for the lockout to expire. Unblocking the user PIN alone does not reset the lockout on the TPM. While the TPM is in lockout, the TPM virtual smart card will appear as if it is blocked. Typically, when the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to also reset the user PIN by using the card management tools.
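A way to tell a TPM lockout apart from a plain card-PIN block, and to reset the lockout with the owner authorization, as an added PowerShell example that is not code from the whitepaper or from Microsoft. It uses the Get-Tpm and Unblock-Tpm cmdlets of the TrustedPlatformModule module that ships with Windows 8 and later; the function names and the diagnosis wording are assumptions.

```powershell
# Added example, not code from the whitepaper or from Microsoft. Distinguishes a
# TPM anti-hammering lockout from a card-level PIN block and resets the lockout
# with the TPM owner authorization, using the Get-Tpm and Unblock-Tpm cmdlets
# (TrustedPlatformModule module, Windows 8 and later). Function names are assumptions.

function Get-VscLockoutState {
    $tpm = Get-Tpm    # fails loudly if the module or TPM is absent, which is the right signal
    if ($tpm.LockedOut) {
        $diagnosis = 'TPM lockout is active: reset it with the owner password or wait for the delay to expire. Unblocking the card PIN alone will not help.'
    } elseif ($tpm.LockoutCount -gt 0) {
        $diagnosis = 'Failed authorizations are recorded but the TPM is usable; if the card is blocked, unblock the PIN with the admin key or PUK.'
    } else {
        $diagnosis = 'No TPM lockout; a blocked card is a PIN-level block and is cleared with the admin key or PUK.'
    }
    return [pscustomobject]@{
        TpmReady     = [bool]$tpm.TpmReady
        LockedOut    = [bool]$tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
        Diagnosis    = $diagnosis
    }
}

function Reset-VscTpmLockout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # TPM owner authorization value, e.g. retrieved by an administrator from
        # Active Directory, where section 5.1.1 recommends it be stored.
        [Parameter(Mandatory)][string]$OwnerAuthorization
    )
    if ($PSCmdlet.ShouldProcess('TPM', 'Reset anti-hammering lockout')) {
        Unblock-Tpm -OwnerAuthorization $OwnerAuthorization
    }
    # After the TPM lockout clears, the card's own PIN block (if any) still has to
    # be handled separately with the admin key or PUK, as this section says.
    return (Get-VscLockoutState)
}

# Usage:
# Get-VscLockoutState
# Reset-VscTpmLockout -OwnerAuthorization $ownerAuth -WhatIf
```

Run Get-VscLockoutState first: if LockedOut is false, the owner password is not needed and the card should be unblocked through the admin key or PUK path instead, which keeps the owner authorization out of routine helpdesk use.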

Sometimes it may be necessary to contact Microsoft Technical Support when there are issues preventing you from using the virtual smart card.

The Microsoft Technical Support representative may request that you enable tracing or that you look at event logs on the system to diagnose and repair the issues.


7 Summary

Virtual smart cards are a new technology from Microsoft that offers security benefits in two-factor authentication comparable to conventional smart cards, but with more convenience to users and lower cost during deployment. By utilizing TPM devices that provide the same cryptographic capabilities as traditional smart cards, VSCs accomplish the three key properties of smart cards: non-exportability, isolated cryptography, and anti-hammering.

Virtual smart cards are functionally similar to conventional smart cards and even appear within Windows 8 as always-inserted smart cards, which can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and can become a full replacement for other methods of strong authentication in a corporate setting of any scale.

This document has reviewed the main technical and functional differences between smart cards and VSCs, hoping to aid in the decision to adopt this technology. A lab setup was provided for the evaluation of virtual smart cards, along with pointers and scenarios for VSC use. Finally, scenarios for issuing and maintaining a deployment of virtual smart cards have been considered. Upon finishing this document, you will have a better idea about whether virtual smart cards are the best choice for your business, and will be able to proceed with deployment knowing how to best approach a successful implementation of virtual smart card technology.


8 Appendix

8.1 Glossary

Two-factor auth: Two-factor authentication, or "what you have and what you know." Allows authentication based on both physical possession of some object (for example, a smart card) and the knowledge of secret information necessary to use that object (for example, a PIN).

Hammering: The attempt to guess the PIN of a smart card with repeated trial and error. To maintain their security, all smart cards (virtual and otherwise) must implement anti-hammering, or some form of protection against this.

PIN: Personal Identification Number. In the context of smart cards, the PIN is not necessarily a "number," but rather any ASCII character series used to gain access to the card.

PUK: PIN Unlock Key. Used (if enabled) to change a user's PIN or to unblock the smart card.

TPM: Trusted Platform Module. The isolated, secure cryptographic processor built into many modern computers, and the basis of virtual smart card security.

VSC: Virtual smart card. Microsoft's new smart card technology, which uses some preexisting cryptographically secure device to simulate a conventional smart card.

8.2 Traditional smart card basics

In its original form, a smart card is a computing device, most often affixed to an ID card or similarly sized object (this size is regulated by international standards). The smart card itself contains a processor and a small amount of storage, which is tamperproof and isolated from external use or access.

This isolated memory makes it possible for the card to generate and/or store some secrets, such as private keys associated with certificates held on the card, separate from storage which is public to any application accessing the card.

Beyond its function as a storage device, a smart card also has an internal operating system, and it can perform cryptographic operations onboard the device as well as host custom applications for further functionality.

Smart cards have several capabilities:

• Authentication: Before distribution, smart cards are provisioned with a certificate verified by a certification authority (CA), which establishes their validity on a domain. This certificate can then be used for logon to the domain. Smart cards can be similarly used for client authentication over SSL.

• Protection: By using the onboard cryptographic capabilities, a smart card can decrypt data; for example, it can allow secure email communication with S/MIME. Because the user's key pair is stored on the card and all crypto operations are performed by using the card's CPU, these transactions are completely secure even from malware on the user's computer.

• Integrity: Applications can utilize private keys stored on the smart card device to sign information such as emails and/or documents.

In Smart Cards for Windows, this functionality is accessible from any application to any smart card through either the CryptoAPI (CAPI) or the more recent Crypto Next Generation (CNG) API, collectively referred to as CryptoAPI 2.0 (CAPI2). The customization of the system to respond to differences in hardware occurs at a lower level, the preferred method being a "mini-driver" written by the card manufacturer, which ultimately sends its communication through a device-specific reader driver to the card itself.

8.3 Virtual smart card non-exportability details

A crucial aspect of TPM VSCs is their ability to securely store and use secret data. Here, "secure" means that the data is non-exportable: it can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM VSCs, this is ensured with a secure key hierarchy: several chains of encryption originating from the TPM Storage Root Key (SRK), which is generated and stored within the TPM and never exposed outside the chip. This key hierarchy is designed to allow encryption of user data with this key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn't require re-encryption of the data.

The diagram (figure not reproduced here) illustrates the key hierarchy and the process of accessing the user key. Stored on the hard disk are the user keys and the "smart card key" (encrypted by the SRK), and the authorization key for user key decryption (the "auth key"), encrypted by the public portion of the smart card key. When the user enters a PIN, the use of the decrypted SC key is authorized with this PIN, and if this authorization succeeds, the decrypted SC key is in turn used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user key(s) stored on the virtual smart card. This auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by the Microsoft Data Protection API (DPAPI) such that, before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access.
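To make the hierarchy above concrete, here is an added example (not code from the whitepaper, from Windows or from a real TPM) that models the pieces the section names: an SRK that never leaves the simulated TPM, a PIN-authorized smart card key, an auth key wrapped under it, and user keys that only the auth key can authorize. Everything cryptographic is an assumed stand-in: a SHA-256 counter-mode keystream with an HMAC tag replaces the TPM's ciphers and the RSA wrapping of the auth key, and an HMAC stands in for a signature made with a user key. What it shows is the property the text states: changing the PIN re-seals only the smart card key blob, so the user key blobs and the signatures they produce are unchanged, while a wrong PIN fails before any user key is touched.

```python
import hashlib
import hmac
import os

# Toy model of the TPM virtual smart card key hierarchy of section 8.3.
# Assumptions (not from the whitepaper): a SHA-256 counter-mode keystream
# stands in for the TPM's ciphers, an HMAC tag binds each blob to the
# authorization value needed to use it, and an HMAC stands in for a signature.


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter-mode keystream (toy cipher, illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(parent_key: bytes, auth: bytes, secret: bytes) -> bytes:
    """Wrap `secret` under `parent_key`; the blob can be unsealed only with the same `auth`."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(parent_key, nonce, secret)
    tag = hmac.new(parent_key, nonce + ciphertext + auth, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(parent_key: bytes, auth: bytes, blob: bytes) -> bytes:
    """Reverse of `seal`; raises PermissionError when the authorization value is wrong."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(parent_key, nonce + ciphertext + auth, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("authorization failed")
    return _keystream_xor(parent_key, nonce, ciphertext)


def pin_auth(pin: str) -> bytes:
    """Authorization value derived from the PIN (a hash stands in for the TPM's authData)."""
    return hashlib.sha256(pin.encode("utf-8")).digest()


class TpmVirtualSmartCard:
    """Blobs stored on disk plus an SRK that never leaves the (simulated) TPM."""

    def __init__(self, pin: str):
        self._srk = os.urandom(32)      # Storage Root Key: generated and kept inside the TPM
        sc_key = os.urandom(32)         # "smart card key": usable only with the PIN
        auth_key = os.urandom(32)       # "auth key": authorizes use of the user keys
        # What lives on the hard disk:
        self.sc_key_blob = seal(self._srk, pin_auth(pin), sc_key)  # under the SRK, PIN-authorized
        self.auth_key_blob = seal(sc_key, b"", auth_key)           # under the smart card key
        self.user_key_blobs = {}                                   # under the SRK, auth-key-authorized

    def _auth_key(self, pin: str) -> bytes:
        """PIN -> smart card key -> auth key (the only secret briefly in plaintext outside the TPM)."""
        sc_key = unseal(self._srk, pin_auth(pin), self.sc_key_blob)  # a wrong PIN fails here
        return unseal(sc_key, b"", self.auth_key_blob)

    def pin_works(self, pin: str) -> bool:
        try:
            self._auth_key(pin)
            return True
        except PermissionError:
            return False

    def create_user_key(self, pin: str, name: str) -> None:
        user_key = os.urandom(32)
        self.user_key_blobs[name] = seal(self._srk, self._auth_key(pin), user_key)

    def sign(self, pin: str, name: str, message: bytes) -> bytes:
        """Use a user key inside the TPM; the key itself is never handed out."""
        user_key = unseal(self._srk, self._auth_key(pin), self.user_key_blobs[name])
        return hmac.new(user_key, message, hashlib.sha256).digest()

    def change_pin(self, old_pin: str, new_pin: str) -> None:
        """Only the smart card key blob is re-sealed; auth key and user key blobs are untouched."""
        sc_key = unseal(self._srk, pin_auth(old_pin), self.sc_key_blob)
        self.sc_key_blob = seal(self._srk, pin_auth(new_pin), sc_key)


def demo() -> bool:
    """Change the PIN and check that user key blobs and signatures are unaffected."""
    card = TpmVirtualSmartCard("1234")
    card.create_user_key("1234", "signing")
    blob_before = card.user_key_blobs["signing"]
    sig_before = card.sign("1234", "signing", b"hello")
    card.change_pin("1234", "9876")
    sig_after = card.sign("9876", "signing", b"hello")
    return (blob_before == card.user_key_blobs["signing"]
            and sig_before == sig_after and not card.pin_works("1234"))


if __name__ == "__main__":
    print("PIN change left user keys intact:", demo())
```

The design choice worth noticing is where the PIN binds: it authorizes use of the smart card key only, so a PIN change is a single re-seal of one blob, exactly the property the section describes, and every user key stays wrapped under the SRK with the auth key as its authorization value.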

8.4 Virtual smart card anti-hammering details

The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM enabling the VSC. However, the TPM v1.2 specification (as designed by the Trusted Computing Group) provides very flexible guidelines for responding to hammering, requiring only that the TPM implement some sort of protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. The Trusted Computing Group (TCG) also specifies that if the response to attacks involves suspension of proper function of the TPM for some period of time or until administrative action, the TPM must prevent the execution of authorized TPM commands and may prevent the execution of any TPM commands until the termination of the attack response. Beyond time delay and requirement of administrative action, a TPM could also force reboot when an attack is detected, but the TCG allows manufacturers a certain level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers will determine the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from dictionary attacks include:

1) Allowing only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. Note: Introduced in Windows 8.1 and Windows Server 2012 R2, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card gets blocked. Once the card is blocked, it has to be unblocked using the admin key or the PUK.

2) Exponentially increase the time delay as the user enters the wrong PIN, so that an excessive number of wrong PIN attempts will quickly trigger long delays in accepting commands.

3) Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally (for example, due to complexity of the PIN).

As an example, it will take 14 years to guess an 8-character PIN for a TPM that has the following behavior:

1) Number of wrong PINs allowed before entering into lockout (threshold): 9

2) Time the TPM is in lockout once the threshold has been reached: 10 seconds

3) For each wrong PIN after the threshold has been reached, the timed delay doubles.
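The three behaviours listed above can be put into numbers. The following added example (not from the whitepaper or from any TPM vendor) models a lockout policy with the parameters the page uses, threshold 9, 10-second initial lockout and doubling on every further failure: a closed form for the waiting time a guesser accumulates, the number of consecutive guesses that fit in a time budget, and a small simulator with an optional failure-leakage rule (a constructed assumption: one forgiven failure per quiet interval) that contrasts rapid-fire guessing with a legitimate user who mistypes once a day. It applies only the doubling rule and makes no attempt to reproduce the page's 14-year figure, whose remaining assumptions the page does not state.

```python
# Model of the TPM anti-hammering behaviour listed in section 8.4 (added example).
# Policy defaults are the page's: threshold 9, 10 s lockout, delay doubles per failure.

YEAR_SECONDS = 365 * 24 * 3600


def time_to_attempt(n: int, threshold: int = 9, base_delay: int = 10, factor: int = 2) -> int:
    """Seconds of enforced lockout served before consecutive wrong attempt `n` can be made.

    Attempts 1..threshold are accepted at once; the threshold-th failure starts a
    `base_delay` lockout and each later failure multiplies it by `factor`, so the
    wait before attempt n is the geometric sum base_delay * (1 + factor + ... + factor**(k-1)).
    """
    if n <= threshold:
        return 0
    k = n - threshold  # number of lockouts already served
    return base_delay * (factor ** k - 1) // (factor - 1)


def attempts_within(budget_seconds: int, **policy) -> int:
    """Largest number of consecutive wrong attempts whose lockouts fit in `budget_seconds`."""
    n = 0
    while time_to_attempt(n + 1, **policy) <= budget_seconds:
        n += 1
    return n


def simulate_attempts(attempt_times, threshold=9, base_delay=10.0, factor=2.0, leak_interval=None):
    """Wait imposed on each wrong attempt submitted at the given absolute times (seconds).

    An attempt arriving during a lockout is held until the lockout ends. With
    `leak_interval` set, one recorded failure is forgiven per full quiet interval
    between attempts (an assumed form of the "failure leakage" in item 3).
    """
    failures, locked_until, last_accepted, waits = 0, 0.0, None, []
    for t in attempt_times:
        if leak_interval and last_accepted is not None:
            quiet = max(0.0, t - last_accepted)
            failures = max(0, failures - int(quiet // leak_interval))
        wait = max(0.0, locked_until - t)
        waits.append(wait)
        accepted_at = t + wait
        failures += 1
        if failures >= threshold:
            locked_until = accepted_at + base_delay * factor ** (failures - threshold)
        last_accepted = accepted_at
    return waits


if __name__ == "__main__":
    print("guesses possible in 14 years:", attempts_within(14 * YEAR_SECONDS))
    hammering = simulate_attempts([0] * 12)
    print("wait before the 12th rapid-fire guess (s):", hammering[-1])
    daily = [day * 86400 for day in range(30)]  # constructed: one mistyped PIN per day
    print("daily user, no leakage, max wait (s):", max(simulate_attempts(daily)))
    print("daily user, 1-day leakage, max wait (s):",
          max(simulate_attempts(daily, leak_interval=86400)))
```

Under the doubling rule alone only a few dozen consecutive wrong guesses fit into 14 years, which is why the page can treat an 8-character PIN as safe against online guessing; the leakage run shows the other side of the trade-off, a user who mistypes once a day never accumulates a lockout at all.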


9 Virtual smart cards on consumer devices for corporate access

This section describes a few techniques that can be used to allow an employee to provision a virtual smart card and enroll for certificates that can be used to authenticate the user when the user attempts to access a corporate resource from a device that is not joined to the corporate domain. Furthermore, this section focuses on those devices that do not allow the user to download and run applications from sources other than the Windows Store (such as Windows RT).

For the purpose of this document, two types of virtual smart cards exist on consumer devices: managed and unmanaged. These cards have the following important differences.

Operation                                  Managed card   Unmanaged card
PIN reset when the user forgets the PIN    Yes            No, the card has to be deleted and created again.
Allow user to change the PIN               Yes            No, the card has to be deleted and created again.

You can use APIs introduced in Windows 8.1 and Windows Server 2012 R2 to build Windows Store apps to manage the full lifecycle of virtual smart cards. For more information, see section "4.3 Programmatic management of creation and deletion of virtual smart cards" in this document.

9.1 TPM ownerAuth in registry

In non-domain-joined cases, the TPM ownerAuth is stored in the registry (HKLM). This exposes some threats. Most of the threat vectors are protected by BitLocker. The threat vectors that are not protected are the following scenarios:

• A thief gets hold of a device with an active local logon session before the device locks itself. The thief could try to brute-force the VSC PIN and get hold of the corporate secrets.

• A thief gets hold of a device with an active VPN session. All bets are off in this case.

The proposed mitigation for the above scenarios is to reduce the auto-lockout time on inactivity from minutes to 30 seconds by using EAS policies. The right expectation can be set around auto-lockout while provisioning virtual smart cards. The EAS policy configuration change can take care of both the above scenarios. If an enterprise wants to go a step further, they can also configure a setting to remove the ownerAuth from the local machine.

For configuration information about the TPM ownerAuth registry key, see the "Configure the level of TPM owner authorization available to the operating system" section in Windows 8 TPM Group Policy Settings.


management tool inside the remote session that can take ownership of the card and provision it for use by the user. This will require that a user is allowed to establish a remote desktop connection from a non-domain-joined computer to a domain-joined computer. This may require specific network configuration (IPsec policies) that is beyond the scope of this document.

When the user needs to reset the PIN or change the PIN, the user will need to use the remote desktop session to complete these operations, by using either the built-in tools for PIN unblock and PIN change or the smart card management tool.

9.2.3 Certificate management

9.2.3.1.1 Certificate issuance

Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs when connected to the remote desktop session. This model works for deployments that require that the user sign the request for enrollment by using a physical smart card for boot-strapping the enrollment process. The driver for the physical smart card does not need to be installed on the client machine as long as it is installed on the remote machine. This is made possible by the smart card redirection functionality introduced in Windows Server 2003, which ensures that smart cards connected to the client computer are available for use in the remote session.

Alternatively, on a client computer, without establishing a remote desktop session, the user can also enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications that can create a request and submit it to a server (for example, a Registration Authority) that has controlled access to the certification authority (CA). This will require specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).

9.2.3.1.2 Certificate lifecycle management

Certificate renewal can be done through remote desktop sessions or CEP/CES. Renewal requirements could be different from initial issuance requirements, based upon renewal policy.

Certificate revocation requires careful planning. For cases when the information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. For cases when it is not easy to determine the certificate to be revoked (i.e., when the employee reports a lost/compromised device and information associating a device with a certificate is not available), all certificates issued to the user under the policy that was used for certificate issuance may need to be revoked.


Alternatively, instead of a script, a modern application (as a LOB app) can be installed on the computer to perform enrollment by generating a request on the client and submitting it to an HTTP server that can then forward the request to a Registration Authority (RA).

Another option is to have the user access an enrollment portal available through Internet Explorer®. The webpage can use the scripting APIs to perform enrollment.

9.3.1.1.1.2 Signing the request with another certificate

A user can be provided with a short-lived certificate through a PFX file that the user can import into the MY store, which is the user's certificate store. Then a user can be offered a script that can sign the request with the short-lived certificate to request a virtual smart card. The PFX file can be generated for the user by initiating a request from a domain-joined computer, and any additional policy constraints can be enforced on the PFX generation to assert the identity of the user.

For deployments that require the user to sign the request with a physical smart card (if physical smart cards are also issued to the user), the following could be done:

1) User initiates a request from the computer.

2) User then completes the request from a domain-joined computer by using the physical smart card to sign the request.

3) User then downloads the request to the smart card on the client computer.

9.3.1.1.1.3 Using one-time password for enrollment

Another option to ensure that the user is authenticated strongly before a virtual smart card certificate is issued to the user is by sending the user a one-time password through SMS, email, or phone, and then asking the user to type the one-time password during enrollment from an application or a script on the desktop that invokes built-in command-line utilities.

9.3.1.1.2 Certificate lifecycle management

Certificate renewal can be done from the same tools that are used for initial enrollment. CES and CEP can also be used to perform auto renewal.

Certificate revocation requires careful planning. For cases when the information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. For cases when it is not easy to determine the certificate to be revoked (i.e., when the employee reports a lost/compromised device and information associating a device with a certificate is not available), all certificates issued to the user under the policy that was used for certificate issuance may need to be revoked.