Managed virtual smart cards Inventory management PIN reset and unblock PIN change Policy enforcement Certificate issuance and management Unmanaged virtual smart cards.


Managed virtual smart cards
Inventory management
PIN reset and unblock
PIN change
Policy enforcement
Certificate issuance and management
Unmanaged virtual smart cards
Deployment complexity
Server side virtual smart card management
Policy enforcement modules
PIN management components
Certificate server
Browser plugin or client app
Managed virtual smart cards
Unmanaged virtual smart cards
Feature
Query and monitor smart card readers (together with Windows.Devices.Enumeration)
List available smart cards in a reader, retrieve the card name, and retrieve card ID
Verify if the admin key of a card is correct
Provision (or reformat) a card with a given card ID
Change PIN by entering the old PIN and then specifying the new PIN
Change admin key, reset PIN, unblock smart card using challenge/response
Create virtual smart card
Delete virtual smart card
PIN policies
Physical smart card
Virtual smart card
PIN Reset
Change PIN
Windows Store app
Server backend
Create virtual smart card with a default admin key known to the server
Receive key diversification information from the server
Diversify admin key and update server inventory
Card lifecycle
Send certificate request to server along with any required additional proofs
Receive certificate and install it on the card
PIN management (change, reset, unblock), certificate management (renewal)
Delete card and update server inventory
Virtual smart card creation API
Class
SmartCardProvisioning
Method
RequestVirtualSmartCardCreationAsync
Input
Friendly Name,
AdminKey,
GUID for CardID – an overload available without CardID
PIN policy
C# code snippet for card creation
using System;
using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

public async void ScenarioCreateTpmVirtualSmartCard()
{
    // 24-byte admin key; the sample uses a fixed default that the server knows
    // and diversifies later in the card lifecycle
    IBuffer adminKey = Windows.Security.Cryptography.CryptographicBuffer.CreateFromByteArray(
        new byte[] {
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
        });
    SmartCardPinPolicy pinPolicy = new SmartCardPinPolicy()
    {
        MinLength = 8,
        LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
        UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
        Digits = SmartCardPinCharacterPolicyOption.Allow,
        SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
    };
    // Prompts the user for a PIN that satisfies the policy; returns null if the user cancels
    SmartCardProvisioning cardProvisioning = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
        "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvisioning == null)
        return;
}
Smart card provisioning APIs
Class
SmartCardProvisioning
Methods
FromSmartCardAsync, GetChallengeContextAsync
Class
SmartCardChallengeContext
Method
ProvisionAsync, ChangeAdministrativeKeyAsync
C# code snippet for card provisioning
// RetrieveResponseForChallengeFromServer and CalculateResponse are app-supplied helpers,
// not part of Windows.Devices.SmartCards: the first asks the server backend (which holds
// the card's current admin key) to answer a challenge, the second computes it locally.
public async void ScenarioProvisionCard(SmartCard card, IBuffer oldAdminKey, IBuffer newAdminKey, Guid newCardId)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    // Change card admin key after challenge/response authentication with the current key
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = await RetrieveResponseForChallengeFromServer(card, context.Challenge);
        await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
    }
    // Provision card file system after challenge/response authentication,
    // this time answering the challenge with the new admin key
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = CalculateResponse(newAdminKey, context.Challenge);
        await context.ProvisionAsync(response, true, newCardId);
    }
    // The card has been provisioned and is ready for certificate enrollment
}
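The server backend side of the card lifecycle above, together with the CalculateResponse and RetrieveResponseForChallengeFromServer helpers that the provisioning snippet leaves undefined, as an added example in Go that is not part of the original deck or of the Windows API. It assumes two things the slides do not state: that the per-card admin key is diversified as HMAC-SHA256(master key, card ID) truncated to 24 bytes, and that the card's challenge is answered by 3DES-encrypting the 8-byte challenge with the admin key; the master key, card ID and challenge are constructed sample values.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// DiversifyAdminKey derives a card's 24-byte admin key from the server's master key and
// the card ID (assumed scheme: HMAC-SHA256 of the ID, truncated to 24 bytes).
func DiversifyAdminKey(masterKey []byte, cardID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(cardID))
	return mac.Sum(nil)[:24]
}

// ResponseForChallenge answers an 8-byte card challenge by 3DES-encrypting it with the
// 24-byte admin key (single block, so ECB and zero-IV CBC agree). Assumed card scheme.
func ResponseForChallenge(adminKey, challenge []byte) ([]byte, error) {
	if len(challenge) != des.BlockSize {
		return nil, fmt.Errorf("challenge must be %d bytes, got %d", des.BlockSize, len(challenge))
	}
	block, err := des.NewTripleDESCipher(adminKey) // rejects keys that are not 24 bytes
	if err != nil {
		return nil, err
	}
	resp := make([]byte, des.BlockSize)
	block.Encrypt(resp, challenge)
	return resp, nil
}

// Inventory is the server's card ID -> current admin key record. Answer backs the app's
// RetrieveResponseForChallengeFromServer call and refuses cards it has no record of.
type Inventory map[string][]byte

func (inv Inventory) Answer(cardID string, challenge []byte) ([]byte, error) {
	key, ok := inv[cardID]
	if !ok {
		return nil, fmt.Errorf("card %q is not in the inventory", cardID)
	}
	return ResponseForChallenge(key, challenge)
}

func main() { // constructed sample values, for illustration only
	inv := Inventory{"card-1": DiversifyAdminKey([]byte("constructed-master-key"), "card-1")}
	fmt.Println(inv.Answer("card-1", []byte{1, 2, 3, 4, 5, 6, 7, 8}))
}
```

In a real backend the master key stays in an HSM and the app's request is authenticated before any challenge is answered, since whoever can obtain responses controls the card's admin functions.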
Certificate enrollment APIs
Class
CertificateRequestProperties
CertificateEnrollmentManager
Methods
CreateRequestAsync
InstallCertificateAsync
C# code snippet for certificate request creation
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage.Streams;

// url is the enrollment endpoint of the server backend (deployment-specific)
public async Task ScenarioRequestCertificate(Uri url, IBuffer adminKey, SmartCardPinPolicy pinPolicy)
{
    SmartCardProvisioning cardProvision = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
        "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvision == null)
        return;
    // Generate the key pair on the new card and build a certificate request for it
    CertificateRequestProperties requestProperties = new CertificateRequestProperties()
    {
        Subject = "Toby",
        KeySize = 2048,
        KeyStorageProviderName = KeyStorageProviderNames.SmartcardKeyStorageProvider,
        SmartcardReaderName = cardProvision.SmartCard.Reader.Name
    };
    string certificateRequest = await CertificateEnrollmentManager.CreateRequestAsync(requestProperties);
    // Submit the request (can be wrapped in XML to give the server more information)
    HttpContent content = new StringContent(certificateRequest);
    HttpClient cli = new HttpClient();
    HttpResponseMessage response = await cli.PostAsync(url, content);
    string certResponse = await response.Content.ReadAsStringAsync();
    // Install the returned certificate on the card
    await CertificateEnrollmentManager.InstallCertificateAsync(certResponse, InstallOptions.None);
}
Locating a card
Class
SmartCardReader
SmartCardProvisioning
Method
GetDeviceSelector
GetIdAsync
Input
None
C# code snippet for locating a card
using System;
using System.Threading.Tasks;
using Windows.Devices.Enumeration;
using Windows.Devices.SmartCards;

public async Task<SmartCard> ScenarioLocateCard(Guid targetCardId)
{
    // Enumerate all smart card readers, then the cards in each reader
    var selector = SmartCardReader.GetDeviceSelector();
    var devices = await DeviceInformation.FindAllAsync(selector);
    foreach (var device in devices)
    {
        var reader = await SmartCardReader.FromIdAsync(device.Id);
        var cards = await reader.FindAllCardsAsync();
        foreach (var card in cards)
        {
            // Read the card ID from the card's cardid file and compare it
            var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
            var cardId = await cardProvision.GetIdAsync();
            if (cardId == targetCardId)
            {
                // Found the matching card
                return card;
            }
        }
    }
    // No card with the requested ID is currently available
    return null;
}
Change PIN
Class
SmartCardProvisioning
Method
RequestPinChangeAsync
Input
None
C# code snippet for PIN change
public async void ScenarioChangePin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    // Request to change PIN; the user is prompted to enter the old and new PINs
    bool result = await cardProvision.RequestPinChangeAsync();
    if (!result)
    {
        // The user cancelled the request
    }
}
Reset PIN/unblock smart card
Class
SmartCardProvisioning
Method
RequestPinResetAsync
Input
None
C# code snippet for PIN reset
public async void ScenarioResetPin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    var cardId = await cardProvision.GetIdAsync();
    // Request the user to enter a new PIN and reset the PIN using challenge/response;
    // the handler asks the server backend to answer the card's challenge
    bool result = await cardProvision.RequestPinResetAsync(async (sender, request) =>
    {
        var deferral = request.GetDeferral();
        try
        {
            IBuffer response = await RetrieveResponseForChallengeFromServer(cardId, request.Challenge);
            request.SetResponse(response);
        }
        finally
        {
            deferral.Complete();
        }
    });
    if (!result)
    {
        // The user cancelled the request
    }
}
Virtual smart card deletion API
Class
SmartCardProvisioning
Method
RequestVirtualSmartCardDeletionAsync
Input
SmartCard
C# code snippet for card deletion
public async void ScenarioDeleteTpmVirtualSmartCard(SmartCard card)
{
    if (card.Reader.Kind != SmartCardReaderKind.Tpm)
    {
        // This is not a TPM virtual smart card
        return;
    }
    bool result = await SmartCardProvisioning.RequestVirtualSmartCardDeletionAsync(card);
    if (!result)
    {
        // The user cancelled the request
    }
}
http://www.microsoft.com/download/details.aspx?id=29076
http://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx
http://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx
http://code.msdn.microsoft.com/windowsapps/Smart-card-sample-f9befda4
http://msdn.microsoft.com/library/windows/apps/br212099.aspx