Windows 10: About the security of Virtual Smart Cards

Discussion in 'AntiVirus, Firewalls and System Security', started by OOlahoop, May 10, 2019.

  1. OOlahoop Win User

    About the security of Virtual Smart Cards


    Hello all,


    Trying to have a good overview about the security of Virtual Smart Cards relying on TPMs, I read this very short article (the only one I found) covering this topic (first part): https://docs.microsoft.com/en-us/wi...rt-cards/virtual-smart-card-evaluate-security.


    My understanding

    I understand there is a key hierarchy:

    - The Endorsement Key (EK): potentially burned in by the manufacturer (it may be a ROM in the TPM); this is what could be referred to as the master key of the given TPM (e.g. an RSA key pair),

    - The Storage Root Key (SRK): generated when the TPM is initialized/owned, it is stored and used in the TPM only. It is obviously stored in non-volatile memory but can be replaced if the TPM is reinitialized. I don't know if the key is stored encrypted by the EK (given that it is stored in the TPM and the TPM should provide tamper-resistance properties...),

    - The SmartCard Key (SCK): the public part of this key is used to encrypt the AK,

    - The Authorization Key (AK): the public part of this key is used to "authorize" the decryption of the UK,

    - The User Key (UK): this is a user key (it may be, e.g., a private RSA key linked to an authentication certificate).


    The article says : "The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data."


    This explicitly means that the PIN is not used at any moment to encrypt/decrypt any user key.


    Question

    How does the authorization process work? I'm not sure of that, but I guess the PINs are not stored in the TPM, since there may be a lot of VSCs and since the TPM is not suited to storing a lot of objects (limited memory). Is it false? So, taking the first step as an example, how is the SCK decrypted? We can see ScKey = dsrkPriv(SCKeyBlob) | PIN, which makes me believe the SCK blob is only the SCK encrypted with the public part of the SRK. So what does "| PIN" mean? And why would there be the sentence I quoted and such a key hierarchy if it were that simple? That's all my topic is about.


    So:

    > PIN stored in the TPM? Then the OS calls the TPM with an SCK identifier and a PIN. The TPM checks that the stored PIN is the right one for the SCK identifier. Then the SCK is deciphered and allows the AK to be deciphered. Then this AK is somehow returned to the OS, which calls the TPM again with this key (as a PIN) to authorize the decryption of a user key (with the SRK)... Hm... It means a TPM stores a PIN and an AK in the TPM for each VSC.

    > PIN not stored in the TPM? The quoted sentence implies that the PIN is somewhere involved in an encryption process. Finally, does this formula "ScKey = dsrkPriv(SCKeyBlob) | PIN" mean that the PIN is used in the decryption process? But how? I can't get it. Of course, it cannot be as simple as "ScKeyBlob = EsrkPub(SCKey) | PIN", with | meaning concatenation. It would mean you only have to take the last xx bytes of the file on your hard drive and test it as the PIN for the given VSC. In fact, what does "|" mean here? Is it something like a XOR? Is the PIN taken as a part of the data to encrypt? If it is, how does the encryption/decryption process really work?


    Thanks a lot!

    Arachnide

    :)
     
    OOlahoop, May 10, 2019
    #1
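The hierarchy in the post above is easier to reason about with a runnable model, so here is one. It is an added example written for this page, not Microsoft's code and not a description of the Windows implementation; it models only the property the quoted sentence states: user data is wrapped under the SRK, the PIN merely authorizes use of the wrapped object, and a PIN change re-wraps the object while the data ciphertext stays untouched (the TPM 2.0 counterpart of that re-wrap is TPM2_ObjectChangeAuth). Everything else is an assumption made to keep it self-contained: the HMAC-based toy cipher stands in for the TPM's internal symmetric wrapping, the PIN is reduced to a hash used as the object's authorization value, the lockout threshold is arbitrary, and the names ToyTpm, toy_encrypt, create_object, use_object and change_auth are invented here. Note that in this model the PIN is never concatenated to a blob; it only exists inside the decrypted sensitive area, which nobody without the SRK can produce, so reading "the last xx bytes of the file" yields nothing.

```python
"""Toy model of a PIN-authorized TPM key hierarchy (added illustration, not Microsoft's code)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output
AUTH_LEN = 32         # SHA-256 of the PIN, standing in for a TPM authValue (assumption)


class AuthFailure(Exception):
    """The presented PIN did not match the object's authorization value."""


class Lockout(Exception):
    """Too many consecutive failures; the (toy) TPM refuses further attempts."""


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream: nonce || ciphertext || tag.
    Stand-in for the TPM's internal wrapping so the model runs on the standard
    library alone; not a production AEAD."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob integrity check failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ToyTpm:
    """Holds one secret, the SRK, which never leaves the object. Wrapped keys live
    outside as blobs; the TPM decrypts a blob internally and compares the PIN
    against the authValue it finds inside."""

    MAX_FAILURES = 5   # arbitrary anti-hammering threshold for the model

    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)   # created at take-ownership, never exported
        self._failures = 0                    # consecutive bad-PIN counter

    @staticmethod
    def _auth_value(pin: str) -> bytes:
        return hashlib.sha256(pin.encode()).digest()

    def create_object(self, key_material: bytes, pin: str) -> bytes:
        """Wrap key material together with its authValue under the SRK. The PIN hash
        sits inside the ciphertext, so the on-disk blob reveals neither the key nor
        the PIN; nothing is appended outside the wrapping."""
        return toy_encrypt(self._srk, self._auth_value(pin) + key_material)

    def use_object(self, blob: bytes, pin: str) -> bytes:
        """Return the key material if the PIN matches the blob's authValue.
        (A real TPM would use the key internally rather than hand it back.)"""
        if self._failures >= self.MAX_FAILURES:
            raise Lockout("dictionary-attack lockout engaged")
        sensitive = toy_decrypt(self._srk, blob)            # only possible with the SRK
        stored_auth, key_material = sensitive[:AUTH_LEN], sensitive[AUTH_LEN:]
        if not hmac.compare_digest(stored_auth, self._auth_value(pin)):
            self._failures += 1
            raise AuthFailure("wrong PIN")
        self._failures = 0
        return key_material

    def change_auth(self, blob: bytes, old_pin: str, new_pin: str) -> bytes:
        """Re-wrap the same key material under a new PIN (cf. TPM2_ObjectChangeAuth).
        Data encrypted with the key material itself is untouched."""
        return self.create_object(self.use_object(blob, old_pin), new_pin)


if __name__ == "__main__":
    tpm = ToyTpm()
    user_key = secrets.token_bytes(32)                          # the "UK" of the post
    uk_blob = tpm.create_object(user_key, "1234")
    document = toy_encrypt(user_key, b"constructed sample payload")   # user data under the UK
    uk_blob = tpm.change_auth(uk_blob, "1234", "5678")          # PIN change: new blob only
    recovered = toy_decrypt(tpm.use_object(uk_blob, "5678"), document)
    print("document still opens after PIN change:", recovered == b"constructed sample payload")
    print("PIN visible in blob:", b"1234" in uk_blob, "| key visible in blob:", user_key in uk_blob)
```

Two things the model makes visible that matter in practice: the anti-hammering counter is what turns a 4-digit PIN into a usable secret, since the blob alone gives an offline attacker nothing to test a guess against; and after change_auth the old blob is still a valid object that opens with the old PIN, so a PIN change is only complete once the old blob is destroyed.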
  2. Junaid_A Win User

    Disable PIN caching for Virtual Smart Cards

    Hi,



    Thank you for writing to Microsoft Community forum.



    Pass-through authentication with smart cards works in domain environments. You may want to go through Use Virtual Smart Cards to know more about the same. As this requires expertise in an environment which has a direct two-way trust relationship, I suggest you post your query in the TechNet forums.



    Regards,
     
    Junaid_A, May 10, 2019
    #2
  3. virtual smart card not found

    I have a "virtual digitalbadge" on my PC, which, I think, is an implementation of virtual smart card technology. I use it to set up a VPN to my partner company.

    When I try to set up the VPN, I often get the message "select a smart card device". Screenshot:


    [Screenshot: the smart card prompt, in Japanese]


    The Japanese text means "insert smart card". I can't proceed, since I don't know how to "insert" a virtual smart card.

    I believe this happens consistently after hibernation; a reboot fixes the problem but is a very poor workaround, since it takes about 15 minutes until my PC becomes usable. Of course I could avoid hibernation, but I hibernate for a reason (i.e. I want to have the same programs running when I switch my PC on as when I switch it off).

    The same happens whenever Internet Explorer wants to check the certificate on the smart card.

    Is there a tool, a command, a registry entry, anything that helps me "inserting" the smart card without rebooting? Is there a log file or anything else to find out where the process is broken so that I can fix it?
     
    BerndBausch, May 10, 2019
    #3
  4. About the security of Virtual Smart Cards

    TPM Virtual Smart Card creation

    Hello,

    I'm having an issue regarding TPM Virtual Smart Card creation. I'm using a method from Windows.Devices.SmartCards.dll, SmartCardProvisioning class, RequestVirtualSmartCardCreationAsync(String, IBuffer, SmartCardPinPolicy), and I'm continuously getting an error showing:

    Element not found. (Exception from HResult:0x80070490)

    Stack exception is shown below:

    at Windows.Devices.SmartCards.SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(String friendlyName, IBuffer administrativeKey, SmartCardPinPolicy pinPolicy, Guid cardId)

    at POC_VSC.TPMVSC.<ScenarioCreateTpmVirtualSmartCard>d__3.MoveNext() in D:\Projects\POC_VSC\POC_VSC\TPMVSC.cs:line 87

    A line below is responsible for the error:

    Complete method I'm using is:

    I'm using VS 2017 and I'm running this example on Windows 10. Any help or suggestion would be really appreciated...
     
    Tomislav Šimović, May 10, 2019
    #4