Published: February 2010
Updated: February 2010
Applies To: Windows 7, Windows Server 2008 R2
Smart cards are supported in versions of Windows beginning with Windows 2000. However, significant enhancements to smart card support were introduced in Windows Vista, and additional important enhancements were added in Windows 7.
The following smart card limitations exist in versions of Windows earlier than Windows Vista:
Winlogon was redesigned in Windows Vista.
In versions of Windows prior to Windows Vista, a custom Microsoft Graphical Identification and Authentication (GINA) dynamic link library (DLL) was used to support customizable user identification and authentication. Beginning in Windows Vista, the functionality formerly in GINA DLLs is distributed among three components: Winlogon, the logon UI, and credential providers.
MSGINA.DLL is removed, and custom GINAs are not loaded. The password credential provider and the smart card credential provider are provided by default, and a custom credential provider can be created to support custom authentication mechanisms. After Winlogon launches the logon UI, it loads registered credential providers. The smart card credential provider uses interfaces that are exposed through the credential provider framework to gather the required credentials, package them, and return them to the logon UI. The logon UI then passes the credentials to Winlogon for Kerberos authentication.
Winlogon supports multiple logon certificates and containers on the same smart card. The number of certificates that can be stored and containers that can be created depends on how much space is available on the smart card.
The WinSCard API is extended to provide caching (storage of non-sensitive data on a per-user basis) at the smart card resource manager level. The smart card resource manager was formerly called the smart card service.
Each smart card must have a cryptographic service provider (CSP). A CSP uses the CryptoAPI interfaces to enable cryptographic operations and the WinSCard APIs to enable communication with smart card hardware. For more information, see Smart Card Subsystem Architecture in the Smart Card Architecture section.
A new CSP in Windows called the Base CSP allows smart card vendors to write smart card–specific modules called smart card minidrivers instead of writing CSPs. Writing a smart card minidriver for a smart card is analogous to writing a printer driver for a printer. A smart card minidriver acts as the hardware interface between the smart card and the Base CSP. Beginning with Windows Vista, the Base CSP is included in the Windows operating system. A Base CSP package can also be downloaded for Windows XP with Service Pack 2 (SP2), Windows 2000 with Service Pack 4 (SP4), and Windows Server 2003 with Service Pack 1 (SP1). For more information and links to the downloadable Base CSP package, see Description of the software update for Base Smart Card Cryptographic Service Provider (fwlink/?LinkId=161161).
To support additional cryptographic algorithms and to provide an extensible architecture, Cryptography API: Next Generation (CNG) was introduced in Windows Vista. Architecturally, CNG is parallel to CryptoAPI. A key storage provider (KSP) in CNG is analogous to a CSP in CryptoAPI. Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 provide a smart card KSP, which uses the same smart card minidriver interface that is available for the Base CSP. Smart card minidriver support for RSA and elliptic curve cryptography (ECC) is available through the smart card KSP.
Windows Vista with SP1 added support for the Windows Smart Card Minidriver Specification Version 6, which supports multiple PINs, read-only smart cards, a secure PIN channel, and external PIN collection.
Windows Vista with SP1 introduced support for smart cards that are customized outside the Base CSP/Smart Card KSP environment and are inherently read-only. Examples of such smart cards include the electronic ID cards used in some European countries. If a smart card is read-only, it must advertise this through the CardGetProperty function. Read-only smart cards are required to support only a subset of the Version 6 card minidriver interface and are not required to support an administrator PIN. For the complete list of functions that must be supported by a read-only smart card, see the Smart Card Minidriver Specification (fwlink/?LinkId=93343).
Secure PIN channel is a feature in Windows Vista with SP1 that enables a secure PIN prompt followed by establishment of a secure channel between Windows and the smart card for PIN authentication. Secure PIN channel protects the smart card PIN against eavesdropping while the PIN is transmitted through components of the operating system and to a smart card.
With a secure PIN prompt, the user must press CTRL+ALT+DEL and is then prompted for the PIN within a user experience that is identical to Windows logon. Using a secure PIN prompt reduces the risk of stolen PINs.
Secure PIN channel can be enabled by using the Common Criteria Group Policy setting, or by using the PIN_INFO_REQUIRE_SECURE_ENTRY attribute on the PIN object.
An external PIN is one that is not collected through the computer's keyboard, for example one entered on a PIN Entry Device (PED). An external PIN mechanism could also be used to link a smart card with a fingerprint reader so that a fingerprint can be used to access a smart card instead of a PIN.
In external PIN mode, whenever PIN authentication to a smart card is required, Windows does not prompt the user for a PIN but rather calls the minidriver's authentication API immediately without any user notification. It is expected that the actual authentication and PIN collection occur without operating system involvement.
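The three minidriver-facing behaviours described above (a read-only card advertising itself through CardGetProperty, a PIN object requesting secure PIN entry, and a PIN declared as externally collected) can be seen together in the following sketch of a minidriver's CardGetProperty and the host-side queries against it. This is an added example, not code from the page or from any vendor's minidriver; the types and constants are an assumed local stand-in for cardmod.h so that it builds outside Windows, the PCARD_DATA context argument of the real entry point is omitted, and the card profile is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <wchar.h>
/* Assumed stand-in for the cardmod.h types/constants used here; the real PIN_INFO has more fields. */
typedef uint32_t DWORD; typedef int32_t BOOL; typedef uint8_t BYTE;
#define SCARD_S_SUCCESS 0u
#define SCARD_E_INVALID_PARAMETER 0x80100004u
#define SCARD_E_INSUFFICIENT_BUFFER 0x80100008u
#define SCARD_E_UNSUPPORTED_FEATURE 0x80100022u
#define CP_CARD_READ_ONLY L"Read Only Mode"
#define CP_CARD_PIN_INFO L"PIN Info"
#define PIN_INFO_REQUIRE_SECURE_ENTRY 0x00000001u
typedef enum { AlphaNumericPinType = 0, ExternalPinType = 1 } SECRET_TYPE;
typedef struct { DWORD dwVersion; SECRET_TYPE PinType; DWORD dwFlags; } PIN_INFO;

/* Constructed card profile: read-only; user PIN (role 1) typed under the secure PIN prompt;
 * PIN role 3 collected on an external PIN entry device, so Windows must not prompt for it. */
static const BOOL kReadOnly = 1;
static const PIN_INFO kPins[4] = { [1] = { 6, AlphaNumericPinType, PIN_INFO_REQUIRE_SECURE_ENTRY },
                                   [3] = { 6, ExternalPinType, 0 } };

/* Minidriver entry point (context argument omitted). For CP_CARD_PIN_INFO, dwFlags is the PIN role. */
DWORD CardGetProperty(const wchar_t *wszProperty, BYTE *pbData, DWORD cbData,
                      DWORD *pdwDataLen, DWORD dwFlags) {
    const void *src; DWORD need;
    if (!wszProperty || !pbData || !pdwDataLen) return SCARD_E_INVALID_PARAMETER;
    if (wcscmp(wszProperty, CP_CARD_READ_ONLY) == 0) {
        src = &kReadOnly; need = sizeof kReadOnly;            /* BOOL: the card is read-only */
    } else if (wcscmp(wszProperty, CP_CARD_PIN_INFO) == 0) {
        if (dwFlags >= 4 || kPins[dwFlags].dwVersion == 0) return SCARD_E_INVALID_PARAMETER;
        src = &kPins[dwFlags]; need = sizeof(PIN_INFO);
    } else {
        return SCARD_E_UNSUPPORTED_FEATURE;   /* a read-only card implements only a subset */
    }
    *pdwDataLen = need;                       /* always report the size the caller needs */
    if (cbData < need) return SCARD_E_INSUFFICIENT_BUFFER;
    memcpy(pbData, src, need);
    return SCARD_S_SUCCESS;
}

/* Host-side queries. Mode: 0 = plain prompt, 1 = secure PIN prompt, 2 = external PIN, -1 = no such role. */
int CardIsReadOnly(void) {
    BOOL ro = 0; DWORD len = 0;
    return CardGetProperty(CP_CARD_READ_ONLY, (BYTE *)&ro, sizeof ro, &len, 0) == SCARD_S_SUCCESS && ro;
}
int PinCollectionMode(DWORD role) {
    PIN_INFO info; DWORD len = 0;
    if (CardGetProperty(CP_CARD_PIN_INFO, (BYTE *)&info, sizeof info, &len, role) != SCARD_S_SUCCESS) return -1;
    if (info.PinType == ExternalPinType) return 2;
    return (info.dwFlags & PIN_INFO_REQUIRE_SECURE_ENTRY) ? 1 : 0;
}
```

Note that an external PIN and the secure-entry flag are alternatives, not a combination: with ExternalPinType the operating system shows no prompt at all, while the flag asks Windows for the CTRL+ALT+DEL secure prompt plus secure channel for a keyboard-entered PIN.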