Strong authentication: building apps that manage virtual smart cards in enterprise, BYOD and consumer environments

Posted on 25-Feb-2016 (PowerPoint presentation transcript, 37 pages)

TRANSCRIPT

Page 1: Strong authentication: building apps that manage virtual smart cards in enterprise, BYOD and consumer environments

Page 2: Title slide

Strong authentication: building apps that manage virtual smart cards in enterprise, BYOD and consumer environments
Himanshu Soni, Senior Program Manager
2-041

Page 3: Agenda

• 2 factor authentication
• Smart cards
• Virtual smart cards
• WinRT APIs
• Demo

Page 4: 2 factor authentication

• What you know – e.g. PIN
• What you have – e.g. smart card, devices

Page 5: Why 2 factor authentication

“In 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking” – Deloitte

“The age of the password is over. We just haven’t realized it yet.” – Wired

“73% of users share the passwords which they use for online banking, with at least one nonfinancial website.” – Trusteer Inc. Reused Login Credentials 2010

Page 6: Virtual smart cards

• Introduced in Windows 8
• Uses the TPM module on the PC for:
  • isolated crypto operations
  • generation of non-exportable keys
  • dictionary attack prevention (wrong PIN)
• Exposed as smart cards to applications and the OS

PIN is what you know, the device is what you have.

Page 7: Where can virtual smart cards be used

• Remote access using VPN or DirectAccess
• BYOD (Bring Your Own Device)
• Logon to PC
• SSL client authentication
• Secure email
• Document protection (signing, encryption)
• BitLocker drive encryption for data volumes

Page 8: Important aspects of a smart card

• User selected PIN
• Auto generated admin key for PIN reset or unblock (some cards have a PUK)
• Unique ID (card ID, serial number, etc.) for inventory management
• Certificates and private keys

Page 9: Deployment types

Table comparing managed virtual smart cards with unmanaged virtual smart cards on the following rows (the per-column entries did not survive in this transcript):
• Inventory management
• PIN reset and unblock
• PIN change
• Policy enforcement
• Certificate issuance and management

Page 10: Deployment complexity

Table comparing managed virtual smart cards with unmanaged virtual smart cards on the following rows (the per-column entries did not survive in this transcript):
• Server side virtual smart card management
• Policy enforcement modules
• PIN management components
• Certificate server
• Browser plugin or client app

Page 11: What’s new in Windows 8.1 for smart cards

• New APIs to manage virtual smart cards
• New APIs to manage physical smart cards
• PIN policies for virtual smart cards
• New ways for certificate enrollment
• New APIs for using certificates for cryptographic operations

Windows Store apps can now manage the complete lifecycle of virtual smart cards.

Page 12: Smart card API features

Namespace: Windows.Devices.SmartCards
Capability required: SharedUserCertificates, enterpriseAuthentication

Features (table columns: Physical smart card / Virtual smart card; the per-column entries did not survive in this transcript):
• Query and monitor smart card readers (together with Windows.Devices.Enumeration)
• List available smart cards in a reader, retrieve the card name, and retrieve the card ID
• Verify if the admin key of a card is correct
• Provision (or reformat) a card with a given card ID
• Change PIN by entering the old PIN and then specifying the new PIN
• Change admin key, reset PIN, unblock smart card using challenge/response
• Create virtual smart card
• Delete virtual smart card
• PIN policies

Page 13: Virtual smart card lifecycle

Create → Provision → Use → Delete

During use: Forget PIN → PIN Reset; Change PIN

Page 14: Windows Store app – sample flow

Card lifecycle, split between the Windows Store app and the server backend:
• Create virtual smart card with a default admin key known to the server
• Receive key diversification information from the server
• Diversify admin key and update server inventory
• Send certificate request to server along with any required additional proofs
• Receive certificate and install it on the card
• PIN management (change, reset, unblock), certificate management (renewal)
• Delete card and update server inventory

Page 15: Virtual smart card creation API

Class: SmartCardProvisioning
Method: RequestVirtualSmartCardCreationAsync
Input: Friendly Name, AdminKey, GUID for CardID (an overload is available without CardID), PIN policy

Page 16: C# code snippet for card creation

    using System;
    using Windows.Devices.SmartCards;
    using Windows.Storage.Streams;

    public async void ScenarioCreateTpmVirtualSmartCard()
    {
        // 24-byte admin key; the slide uses a fixed placeholder value, a real app
        // uses the default key known to the server (see the sample flow on page 14)
        IBuffer adminKey = Windows.Security.Cryptography.CryptographicBuffer.CreateFromByteArray(
            new byte[] {
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
            });

        // PIN policy enforced by the OS when the user picks the PIN
        SmartCardPinPolicy pinPolicy = new SmartCardPinPolicy()
        {
            MinLength = 8,
            LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
            UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
            Digits = SmartCardPinCharacterPolicyOption.Allow,
            SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
        };

        // Creates the TPM virtual smart card; the user is prompted for a PIN that satisfies pinPolicy
        SmartCardProvisioning cardProvision = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());

        // null means the user cancelled the creation prompt
        if (cardProvision == null)
            return;
    }

Page 17: Windows Store APIs – PIN policy

PIN policy is an input to the Create API with the following options:
• Minimum length (minimum length allowed: 4)
• Maximum length (maximum length allowed: 128)
• Uppercase letters
• Lowercase letters
• Digits
• Special characters

Default PIN policy is: 8 characters minimum length (same as Windows 8).
Note: the PIN can only contain characters from the printable ASCII range.
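The options above are the properties of the SmartCardPinPolicy type used in the creation snippet. The OS prompt enforces the policy itself, but an app that wants to explain a rejected PIN to the user, or to sanity-check a policy before passing it to RequestVirtualSmartCardCreationAsync, needs the same rules in code. The checker below is an added example, not code from the slides or from Microsoft; PinPolicyChecker and its methods are hypothetical names. It assumes that "special characters" means printable ASCII characters that are neither letters nor digits, and treats a MaxLength of 0 as "not set".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Windows.Devices.SmartCards;

// Added example: checks a candidate PIN against a SmartCardPinPolicy using the
// semantics described on the slide (printable ASCII only, length bounds 4..128,
// Allow / RequireAtLeastOne / Disallow per character class).
public static class PinPolicyChecker
{
    // Bounds stated on the slide
    public const uint AbsoluteMinLength = 4;
    public const uint AbsoluteMaxLength = 128;

    // Returns an empty list when the PIN satisfies the policy, otherwise one message per violation
    public static IList<string> Check(string pin, SmartCardPinPolicy policy)
    {
        var problems = new List<string>();

        // PIN characters are restricted to the printable ASCII range (0x20..0x7E)
        if (pin.Any(c => c < 0x20 || c > 0x7E))
            problems.Add("PIN contains characters outside the printable ASCII range");

        uint minLength = Math.Max(policy.MinLength, AbsoluteMinLength);
        // Assumption: a MaxLength of 0 means the app did not set one
        uint maxLength = policy.MaxLength == 0 ? AbsoluteMaxLength : Math.Min(policy.MaxLength, AbsoluteMaxLength);
        if (pin.Length < minLength)
            problems.Add($"PIN is shorter than the minimum length of {minLength}");
        if (pin.Length > maxLength)
            problems.Add($"PIN is longer than the maximum length of {maxLength}");

        CheckClass(problems, "uppercase letters", policy.UppercaseLetters, pin.Count(c => c >= 'A' && c <= 'Z'));
        CheckClass(problems, "lowercase letters", policy.LowercaseLetters, pin.Count(c => c >= 'a' && c <= 'z'));
        CheckClass(problems, "digits", policy.Digits, pin.Count(c => c >= '0' && c <= '9'));
        // Assumption: "special characters" = printable ASCII that is neither a letter nor a digit
        CheckClass(problems, "special characters", policy.SpecialCharacters,
            pin.Count(c => c >= 0x20 && c <= 0x7E && !char.IsLetterOrDigit(c)));
        return problems;
    }

    private static void CheckClass(List<string> problems, string name,
                                   SmartCardPinCharacterPolicyOption option, int count)
    {
        switch (option)
        {
            case SmartCardPinCharacterPolicyOption.RequireAtLeastOne when count == 0:
                problems.Add($"PIN must contain at least one of: {name}");
                break;
            case SmartCardPinCharacterPolicyOption.Disallow when count > 0:
                problems.Add($"PIN must not contain {name}");
                break;
            // Allow: nothing to check
        }
    }

    // Usage with the policy from the creation snippet and a constructed candidate PIN
    public static IList<string> Demo(string candidatePin)
    {
        var policy = new SmartCardPinPolicy
        {
            MinLength = 8,
            MaxLength = 128,
            LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
            UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
            Digits = SmartCardPinCharacterPolicyOption.Allow,
            SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
        };
        return Check(candidatePin, policy);
    }
}
```

With that policy, Demo("contoso2013") reports the missing uppercase letter, Demo("Contoso#2013") reports the disallowed special character, and Demo("Contoso2013") returns an empty list.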

Page 18: Smart card provisioning APIs

Class: SmartCardProvisioning
Method: GetChallengeContextAsync

Class: SmartCardChallengeContext
Methods: ProvisionAsync, ChangeAdministrativeKeyAsync

Page 19: C# code snippet for card provisioning
Page 20: C# code snippet for card provisioning (cont’d)

    public async void ScenarioProvisionCard(SmartCard card, IBuffer oldAdminKey, IBuffer newAdminKey, Guid newCardId)
    {
        var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

        // Change card admin key after challenge/response authentication.
        // The card still holds the old (default) admin key, which only the server knows,
        // so the server computes the response to the card's challenge.
        using (var context = await cardProvision.GetChallengeContextAsync())
        {
            // RetrieveResponseForChallengeFromServer is an app helper not shown on the slides
            var response = RetrieveResponseForChallengeFromServer(card, context.Challenge);
            await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
        }

        // Provision card file system after challenge/response authentication.
        // The card now expects a response computed with the new admin key, which the app holds.
        using (var context = await cardProvision.GetChallengeContextAsync())
        {
            // CalculateResponse is an app helper not shown on the slides
            var response = CalculateResponse(newAdminKey, context.Challenge);
            // true = format the card before writing the new card ID
            await context.ProvisionAsync(response, true, newCardId);
        }
        // The card has been provisioned and is ready for certificate enrollment
    }
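The provisioning snippet above and the sample flow on page 14 both lean on a server backend that knows the default admin key, hands out a diversified per-card key once, and later answers challenges for PIN reset and unblock without ever sending the key to the client again. Below is an added example of that backend half, written for the server in plain .NET rather than WinRT; it is not code from the slides or from Microsoft, and VirtualSmartCardInventory, RegisterCard, AnswerChallenge and DeriveAdminKey are hypothetical names. It assumes that admin keys are 24-byte 3DES keys, that the response to a card challenge is the 8-byte challenge encrypted with 3DES-CBC under the admin key with a zero IV and no padding (the scheme the Windows SDK smart card sample uses in its CalculateResponse helper, to my knowledge), and that per-card keys are derived from a server master key with HMAC-SHA256 over the card ID, truncated to 24 bytes. The derivation scheme is a design choice for the example, not something the slides specify.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added example: server-backend side of the virtual smart card sample flow.
public sealed class VirtualSmartCardInventory
{
    private sealed class CardEntry
    {
        public string User = "";
        public bool Diversified;   // false until the app has called ChangeAdministrativeKeyAsync
    }

    private readonly byte[] _masterKey;        // never leaves the server
    private readonly byte[] _defaultAdminKey;  // the well-known key new cards are created with
    private readonly Dictionary<Guid, CardEntry> _cards = new Dictionary<Guid, CardEntry>();

    public VirtualSmartCardInventory(byte[] masterKey, byte[] defaultAdminKey)
    {
        if (masterKey.Length < 32) throw new ArgumentException("master key must be at least 32 bytes");
        if (defaultAdminKey.Length != 24) throw new ArgumentException("admin key must be 24 bytes");
        _masterKey = masterKey;
        _defaultAdminKey = defaultAdminKey;
    }

    // "Receive key diversification information from the server": register the card and hand the
    // app its per-card admin key once, so it can call ChangeAdministrativeKeyAsync.
    public byte[] RegisterCard(Guid cardId, string user)
    {
        _cards[cardId] = new CardEntry { User = user, Diversified = false };
        return DeriveAdminKey(cardId);
    }

    // "Diversify admin key and update server inventory"
    public void MarkDiversified(Guid cardId) => _cards[cardId].Diversified = true;

    // "Delete card and update server inventory"
    public bool RemoveCard(Guid cardId) => _cards.Remove(cardId);

    // Server side of RetrieveResponseForChallengeFromServer: answers a card's challenge
    // with whichever key the card currently holds, without disclosing that key.
    public byte[] AnswerChallenge(Guid cardId, byte[] challenge)
    {
        if (!_cards.TryGetValue(cardId, out var entry))
            throw new KeyNotFoundException("unknown card");
        byte[] key = entry.Diversified ? DeriveAdminKey(cardId) : _defaultAdminKey;
        return CalculateResponse(key, challenge);
    }

    // Assumed diversification: HMAC-SHA256(masterKey, cardId) truncated to 24 bytes
    public byte[] DeriveAdminKey(Guid cardId)
    {
        using (var hmac = new HMACSHA256(_masterKey))
            return hmac.ComputeHash(cardId.ToByteArray()).Take(24).ToArray();
    }

    // Same computation the app performs locally in CalculateResponse(newAdminKey, challenge):
    // 3DES-CBC, zero IV, no padding (assumed scheme, see lead-in)
    public static byte[] CalculateResponse(byte[] adminKey, byte[] challenge)
    {
        if (adminKey.Length != 24) throw new ArgumentException("admin key must be 24 bytes");
        if (challenge.Length == 0 || challenge.Length % 8 != 0)
            throw new ArgumentException("challenge must be a multiple of the 8-byte block size");
        using (var tdes = TripleDES.Create())
        {
            // Note: .NET rejects 3DES keys whose 8-byte thirds repeat (such as the slide's
            // 01..08 placeholder key) as weak, so a real default key must have three distinct parts
            tdes.Key = adminKey;
            tdes.Mode = CipherMode.CBC;
            tdes.Padding = PaddingMode.None;
            tdes.IV = new byte[8];
            using (var enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(challenge, 0, challenge.Length);
        }
    }

    // Walk-through with constructed keys (demo values only); returns true if both
    // challenge/response rounds match what the client computes with the same key.
    public static bool Demo()
    {
        byte[] master = Enumerable.Range(0, 32).Select(i => (byte)(0xA0 + i)).ToArray();
        byte[] defaultKey = Enumerable.Range(0, 24).Select(i => (byte)(0x10 + i)).ToArray();
        var server = new VirtualSmartCardInventory(master, defaultKey);

        Guid cardId = Guid.NewGuid();
        byte[] appKey = server.RegisterCard(cardId, "toby");   // app receives diversification info

        byte[] challenge = new byte[8];
        RandomNumberGenerator.Fill(challenge);                  // stands in for the card's challenge
        // First round (ChangeAdministrativeKeyAsync): card still holds the default key
        bool first = server.AnswerChallenge(cardId, challenge).SequenceEqual(CalculateResponse(defaultKey, challenge));
        server.MarkDiversified(cardId);                         // app reports the key change
        // Later round (PIN reset/unblock): card holds the diversified key
        bool later = server.AnswerChallenge(cardId, challenge).SequenceEqual(CalculateResponse(appKey, challenge));
        return first && later && server.RemoveCard(cardId);
    }
}
```

The point of the split is that after diversification the app can discard the per-card key; every later PIN reset or unblock goes through AnswerChallenge, so a compromised client only ever learns responses to challenges the card itself generated.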

Page 21: Certificate enrollment – additional proofs

• Domain username and password
• Challenge questions
• OTP sent to mobile phone or email
• Corpnet connection with user name and password
• Sign with a physical smart card
• Visit to an IT office/kiosk

Page 22: Certificate enrollment APIs

Classes: CertificateRequestProperties, CertificateEnrollmentManager
Methods: CreateRequestAsync, InstallCertificateAsync

Page 23: C# code snippet for certificate request creation

    using System;
    using System.Net.Http;
    using Windows.Devices.SmartCards;
    using Windows.Security.Cryptography.Certificates;

    SmartCardProvisioning cardProvision = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
        "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvision == null)
        return;

    // The smart card KSP generates the key pair on the card, so the private key is non-exportable
    CertificateRequestProperties requestProperties = new CertificateRequestProperties()
    {
        Subject = "Toby",
        KeySize = 2048,
        KeyStorageProviderName = KeyStorageProviderNames.SmartcardKeyStorageProvider,
        SmartcardReaderName = cardProvision.SmartCard.Reader.Name
    };
    string request = await CertificateEnrollmentManager.CreateRequestAsync(requestProperties);

    // Submit the request (can wrap in an XML and provide more information to the server);
    // url is the enrollment endpoint of the server backend and is not defined on the slide
    HttpContent content = new StringContent(request);
    HttpClient cli = new HttpClient();
    HttpResponseMessage response = await cli.PostAsync(url, content);
    string certResponse = await response.Content.ReadAsStringAsync();

    // Install the returned cert
    await CertificateEnrollmentManager.InstallCertificateAsync(certResponse, InstallOptions.None);

Page 24: Locating a card

Classes: SmartCardReader, SmartCardProvisioning
Methods: GetDeviceSelector, GetIdAsync
Input: None

Page 25: C# code snippet for locating a card

    using System;
    using System.Threading.Tasks;
    using Windows.Devices.Enumeration;
    using Windows.Devices.SmartCards;

    public async Task<SmartCard> ScenarioLocateCard(Guid targetCardId)
    {
        // Enumerate all smart card readers to find the matching card
        var selector = SmartCardReader.GetDeviceSelector();
        var devices = await DeviceInformation.FindAllAsync(selector);
        foreach (var device in devices)
        {
            var reader = await SmartCardReader.FromIdAsync(device.Id);
            var cards = await reader.FindAllCardsAsync();
            foreach (var card in cards)
            {
                // Find a card by reading its ID from its cardid file
                var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
                var cardId = await cardProvision.GetIdAsync();
                // Compare cardId
                if (cardId == targetCardId)
                {
                    // Found the card
                    return card;
                }
            }
        }
        // No card with the target ID is present
        return null;
    }

Page 26: Change PIN

Class: SmartCardProvisioning
Method: RequestPinChangeAsync
Input: None

Page 27: C# code snippet for PIN change

    public async void ScenarioChangePin(SmartCard card)
    {
        var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

        // Request to change PIN; the user will be prompted to enter the old and new PINs
        bool result = await cardProvision.RequestPinChangeAsync();

        if (!result)
        {
            // The request is cancelled
        }
    }

Page 28: Reset PIN/unblock smart card

Class: SmartCardProvisioning
Method: RequestPinResetAsync
Input: None

Page 29: C# code snippet for PIN reset

    public async void ScenarioResetPin(SmartCard card)
    {
        var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
        var cardId = await cardProvision.GetIdAsync();

        // Request the user to enter a new PIN and reset the PIN using challenge/response
        bool result = await cardProvision.RequestPinResetAsync(async (sender, request) =>
        {
            // Take a deferral so the prompt waits while the server answers the card's challenge
            var deferral = request.GetDeferral();
            try
            {
                // RetrieveResponseForChallengeFromServer is an app helper not shown on the slides
                IBuffer response = await RetrieveResponseForChallengeFromServer(cardId, request.Challenge);
                request.SetResponse(response);
            }
            finally
            {
                deferral.Complete();
            }
        });

        if (!result)
        {
            // The request is cancelled
        }
    }

Page 30: Virtual smart card deletion API

Class: SmartCardProvisioning
Method: RequestVirtualSmartCardDeletionAsync
Input: SmartCard

Page 31: C# code snippet for card deletion

    public async void ScenarioDeleteTpmVirtualSmartCard(SmartCard card)
    {
        // Only TPM-backed virtual smart cards can be deleted through this API
        if (card.Reader.Kind != SmartCardReaderKind.Tpm)
        {
            // This is not a TPM virtual smart card
            return;
        }

        bool result = await SmartCardProvisioning.RequestVirtualSmartCardDeletionAsync(card);

        if (!result)
        {
            // The request is cancelled
        }
    }

Page 32: Demo – setup virtual smart card

Page 33: Demo – use virtual smart card

Page 34: Summary and key takeaways

Windows 8.1 makes it easier than ever for Windows Store apps to manage physical and virtual smart cards.

You learned about using virtual smart cards when you need strong authentication, including both enterprise Bring Your Own Device (BYOD) environments and consumer scenarios that require strong authentication, such as banking.

You learned what virtual smart cards are, what scenarios they can enable, and how new Windows Runtime APIs make it easy to write apps to manage both real and virtual smart cards.

Page 36: Evaluate this session

Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!

Page 37: Legal notice

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.