Windows 10: Windows Security (Smart Card Pin)

Everytime I boot in, Windows Security prompts me to enter my Common Access Card. Even if I boot without my CAC Reader in. It only started doing this after the recent update. I've disabled the CAC Reader Driver, uninstalled DoD Certs and reinstalled, created a new profile and it all seems to be the issue.

I'm running the following:

Asrock 370 sli/ac mobo 32gb ram (g.skill 3000mhz) Nvidia GTX 1070 (ROG OC Edition) x2 on SLI 650PSU Kingston 500 SSD Hitachi 4gb HDD

My CAC reader is: ACR39U ICC Reader

According to Windows Update and DriversCloud, all my drivers are up to date. The popup usually appears 4 times in a row and then disappears until I actually login to an Army website or until I restart the computer. If I just have my card in and use my pin at login, the popup disappears until reboot.

If needed, I can post a full read of my PC via the output from CPU-Z

submitted by /u/Palejonesy
[link] [comments]

:)

 

About the security of Virtual Smart Cards

* Merged

* Original title: About Virtual Smart Card Security

Trying to have a good overview about the security of Virtual Smart Cards relying on TPMs, I read this very short article (the only I found) covering this topic (first part): Evaluate Virtual Smart Card Security (Windows 10) - Microsoft 365 Security.

I well understand there is a key hierarchy (EK ; SRK -> SmartCardK ; SRK -> UserKey) as it is commonly in keys management solutions. However, I don't understand how the authorization process works. Moreover, the article says : "The TPM key hierarchy is designed
to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data." This explictely means that the PIN is not used at any moment to encrypt/decrypt
any user key, but it is used instead to authorize this description..ok.

Well, what is this process of authorization and what (how) is really encrypted ?

I'm not 100% sure of that but I guess the PINs are not stored in the TPM since there may be a lot of VSC and since the TPM is not suited to store a lot of objects (limited memory). So, taking the first step as an example, how is the SCK decrypted/encrypted
? Regardind the decryption, we can see "ScKey = DsrkPriv(SCKeyBlob) | PIN" which makes me believe the SCK blob is only the SCK encrypted with the public part of the SRK. So what does mean "| PIN" ? And how does the TPM verify the PIN is correct ? It seems
the PIN is involved somewhat here (as well as the "authorization key" for the user keys).

| PIN is obviously not a concatenation since it would make the PIN leak just by looking at the file stored on the disk.

Thanks for your feedback !

Have a nice day

 

Windows Security Smart Card popup

Hi Hoarder,

Disable Smart Card Plug and Play Service

Step 1

Hold down the "Windows" key and press "R" to open the Run dialog. Type "gpedit.msc" at the prompt and press "Enter" to open the Local Group Policy Editor.

Step 2

Expand "Computer Configuration," "Administrative Templates" and "Windows Components" in the tree browser. Double-click the "Smart Card" folder in the main window.

Step 3

Right-click "Turn On Smart Card Plug and Play Service" and select "Edit." In the Properties dialog, select "Disabled" to turn off this service and remove the smart card option from the login screen. Click "Apply" and "OK" to save your changes.

Step 4

Close Local Group Policy Editor and restart Windows to finalize the changes.

Let me know if this will work.

Thanks and regards,

 

About the security of Virtual Smart Cards

Hi Arachnide,

Thank you for writing to Microsoft Community Forums.

Windows 10 uses the TPM to protect the encryption keys for BitLocker Volumes, virtual smart cards, certificates, and the many other keys that TPM is used to generate. TPM is used to securely record and protect integrity-related measurements of select hardware.
The TPM can also be used to generate and store cryptographic keys.

You can refer to this thread in Microsoft TechNet forums on
Does Windows remember PIN of the Virtual Smart Card in memory? and check.

I'd suggest you to post your query in the
TechNet forums where we have a team of experts who are well equipped to answer your query. Queries regarding encryption and decryption are best addressed here.

Regards,

Naveen M

Microsoft Community - Moderator