
Managed virtual smart cards vs. unmanaged virtual smart cards: inventory management, PIN reset and unblock, PIN change, policy enforcement, certificate issuance and management

Presentation transcript:

9 Managed vs. unmanaged virtual smart cards
The slide compares managed and unmanaged virtual smart cards along these capabilities (managed cards are those backed by a server-side inventory):
- Inventory management
- PIN reset and unblock
- PIN change
- Policy enforcement
- Certificate issuance and management

10 Deployment complexity: managed vs. unmanaged virtual smart cards
Components a deployment may need, compared for managed and unmanaged virtual smart cards:
- Server-side virtual smart card management
- Policy enforcement modules
- PIN management components
- Certificate server
- Browser plugin or client app


12 Feature support: physical smart card vs. virtual smart card
Features of the Windows.Devices.SmartCards API, compared for physical and virtual smart cards:
- Query and monitor smart card readers (together with Windows.Devices.Enumeration)
- List available smart cards in a reader, retrieve the card name, and retrieve the card ID
- Verify that the admin key of a card is correct
- Provision (or reformat) a card with a given card ID
- Change the PIN by entering the old PIN and then specifying the new PIN
- Change the admin key, reset the PIN, and unblock the smart card using challenge/response
- Create a virtual smart card
- Delete a virtual smart card
- PIN policies

13 PIN operations
- Forgotten PIN: PIN reset (challenge/response with the admin key; no old PIN needed)
- Change PIN (old PIN and new PIN entered by the user)

14 Card lifecycle (Windows Store app and server backend)
1. Create the virtual smart card with a default admin key known to the server.
2. Receive key diversification information from the server.
3. Diversify the admin key and update the server inventory.
4. Send the certificate request to the server along with any required additional proofs.
5. Receive the certificate and install it on the card.
6. Ongoing: PIN management (change, reset, unblock) and certificate management (renewal).
7. Delete the card and update the server inventory.

15 Virtual smart card creation API
Class: SmartCardProvisioning
Method: RequestVirtualSmartCardCreationAsync
Input: friendly name, admin key, PIN policy, GUID for the card ID (an overload is available without the card ID)

16 C# code snippet for card creation

```csharp
using System;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

public async Task ScenarioCreateTpmVirtualSmartCard()
{
    // Admin key for the new card. The fixed 16-byte value below is only a
    // placeholder from the slide: a managed deployment replaces it with a
    // per-card (diversified) key that only the server and the card know.
    IBuffer adminKey = CryptographicBuffer.CreateFromByteArray(
        new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 });

    // PIN policy enforced by the card: at least 8 characters, at least one
    // upper-case letter, lower-case letters and digits allowed, no specials.
    SmartCardPinPolicy pinPolicy = new SmartCardPinPolicy()
    {
        MinLength = 8,
        LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
        UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
        Digits = SmartCardPinCharacterPolicyOption.Allow,
        SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
    };

    // The system prompts the user for consent and for the initial PIN;
    // the result is null if the user cancels.
    SmartCardProvisioning cardProvisioning =
        await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvisioning == null)
    {
        // The request was cancelled
        return;
    }
}
```


18 Smart card provisioning APIs
Class: SmartCardProvisioning
Method: GetChallengeContextAsync
Class: SmartCardChallengeContext
Methods: ProvisionAsync, ChangeAdministrativeKeyAsync

19-20 C# code snippet for card provisioning

```csharp
using System;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

public async Task ScenarioProvisionCard(SmartCard card, IBuffer oldAdminKey,
                                        IBuffer newAdminKey, Guid newCardId)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

    // Change the card admin key after challenge/response authentication.
    // The card issues a challenge; the server, which holds the current (old)
    // admin key, computes the response, so the old key never reaches the app.
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = RetrieveResponseForChallengeFromServer(card, context.Challenge);
        await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
    }

    // Provision the card file system after a second challenge/response, this
    // time answered with the new admin key. Here the app computes it locally
    // because it received newAdminKey from the server; a deployment that wants
    // to keep admin keys out of the client lets the server answer this one too.
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = CalculateResponse(newAdminKey, context.Challenge);
        await context.ProvisionAsync(response, true /* formatCard */, newCardId);
    }

    // The card has been provisioned and is ready for certificate enrollment
}

// RetrieveResponseForChallengeFromServer and CalculateResponse are the app's
// own helpers; the slides call them but do not show them.
```


22 Certificate enrollment APIs
Classes: CertificateRequestProperties, CertificateEnrollmentManager
Methods: CreateRequestAsync, InstallCertificateAsync

23 C# code snippet for certificate request creation

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage.Streams;

public async Task ScenarioEnrollCertificate(IBuffer adminKey, SmartCardPinPolicy pinPolicy, Uri url)
{
    SmartCardProvisioning cardProvision =
        await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvision == null)
        return;

    // Generate the key pair on the card through the Smart Card KSP and build
    // the certificate request; the private key never leaves the card.
    CertificateRequestProperties requestProperties = new CertificateRequestProperties()
    {
        Subject = "Toby",
        KeySize = 2048,
        KeyStorageProviderName = KeyStorageProviderNames.SmartcardKeyStorageProvider,
        SmartcardReaderName = cardProvision.SmartCard.Reader.Name
    };
    string request = await CertificateEnrollmentManager.CreateRequestAsync(requestProperties);

    // Submit the request (it can be wrapped in XML together with any additional
    // proofs the server requires). Use an HTTPS url so the request and the
    // issued certificate cannot be tampered with in transit.
    using (HttpClient cli = new HttpClient())
    {
        HttpContent content = new StringContent(request);
        HttpResponseMessage response = await cli.PostAsync(url, content);
        response.EnsureSuccessStatusCode();
        string certResponse = await response.Content.ReadAsStringAsync();

        // Install the returned certificate; it is associated with the key on the card
        await CertificateEnrollmentManager.InstallCertificateAsync(certResponse, InstallOptions.None);
    }
}
```

24 Locating a card
Class: SmartCardReader
Method: GetDeviceSelector
Class: SmartCardProvisioning
Method: GetIdAsync
Input: none

25 C# code snippet for locating a card

```csharp
using System;
using System.Threading.Tasks;
using Windows.Devices.Enumeration;
using Windows.Devices.SmartCards;

public async Task<SmartCard> ScenarioLocateCard(Guid targetCardId)
{
    // Enumerate all smart card readers (physical and TPM virtual) to find the matching card
    var selector = SmartCardReader.GetDeviceSelector();
    var devices = await DeviceInformation.FindAllAsync(selector);
    foreach (var device in devices)
    {
        var reader = await SmartCardReader.FromIdAsync(device.Id);
        var cards = await reader.FindAllCardsAsync();
        foreach (var card in cards)
        {
            // Identify a card by reading its ID from its cardid file
            var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
            var cardId = await cardProvision.GetIdAsync();
            if (cardId == targetCardId)
            {
                // Found the card
                return card;
            }
        }
    }
    return null; // no card with that ID is present
}
```

26 Change PIN
Class: SmartCardProvisioning
Method: RequestPinChangeAsync
Input: none

27 C# code snippet for PIN change

```csharp
using System.Threading.Tasks;
using Windows.Devices.SmartCards;

public async Task ScenarioChangePin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

    // The system prompts the user for the old and the new PIN; the new PIN
    // is checked against the card's PIN policy. The PINs never reach the app.
    bool result = await cardProvision.RequestPinChangeAsync();
    if (!result)
    {
        // The request was cancelled
    }
}
```

28 Reset PIN / unblock smart card
Class: SmartCardProvisioning
Method: RequestPinResetAsync
Input: none (a handler that answers the card's challenge)

29 C# code snippet for PIN reset

```csharp
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

public async Task ScenarioResetPin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    var cardId = await cardProvision.GetIdAsync();

    // The system prompts the user for a new PIN; the reset itself is authorised
    // by challenge/response with the admin key, which the server computes.
    bool result = await cardProvision.RequestPinResetAsync(async (sender, request) =>
    {
        // Take a deferral so the asynchronous round trip to the server can complete
        var deferral = request.GetDeferral();
        try
        {
            IBuffer response = await RetrieveResponseForChallengeFromServer(cardId, request.Challenge);
            request.SetResponse(response);
        }
        finally
        {
            deferral.Complete();
        }
    });
    if (!result)
    {
        // The request was cancelled
    }
}

// RetrieveResponseForChallengeFromServer is the app's own helper (not shown on the slides).
```
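The slides show only the app side of the challenge/response exchanges: the response for ChangeAdministrativeKeyAsync and for RequestPinResetAsync comes from an unshown server, and the lifecycle slide asks the server to diversify admin keys and keep an inventory. The following is an added example of that server-side half, written for this transcript and not taken from the presentation or from Microsoft's code. It assumes that the card's expected response is the 8-byte challenge encrypted with the 3DES admin key (the algorithm the Windows SDK smart card sample computes; verify this against your own card stack), and the HMAC-SHA256 key diversification, the CardRecord/CardState types and all method names are this example's own choices. It is plain .NET and runs outside WinRT.

```csharp
// Added example: server backend for managed virtual smart cards (not from the slides).
// ASSUMPTION: response = 3DES(adminKey, challenge); diversification scheme is illustrative.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public enum CardState { Created, Provisioning, Provisioned, Deleted }

public sealed class CardRecord
{
    public Guid CardId;
    public byte[] AdminKey;      // key currently on the card
    public Guid PendingCardId;   // set while provisioning is in flight
    public byte[] PendingKey;
    public CardState State;
}

public sealed class VirtualSmartCardServer
{
    // Key every freshly created card starts with; the app passes the same bytes to
    // RequestVirtualSmartCardCreationAsync. Example value; it is only trusted until
    // ConfirmAdminKeyChanged, so keep that window short.
    public static readonly byte[] DefaultAdminKey =
        { 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 };

    private readonly byte[] masterKey;   // keep in an HSM or key vault in production
    private readonly Dictionary<Guid, CardRecord> inventory = new Dictionary<Guid, CardRecord>();

    public VirtualSmartCardServer(byte[] masterKey) { this.masterKey = masterKey; }

    // Lifecycle step 1: the app reports a card it created with DefaultAdminKey.
    public void RegisterCard(Guid tempCardId)
    {
        inventory[tempCardId] = new CardRecord
            { CardId = tempCardId, AdminKey = DefaultAdminKey, State = CardState.Created };
    }

    // Lifecycle step 2: key diversification information for the app, which passes
    // newAdminKey to ChangeAdministrativeKeyAsync and newCardId to ProvisionAsync.
    public (Guid newCardId, byte[] newAdminKey) BeginProvisioning(Guid tempCardId)
    {
        var rec = Lookup(tempCardId);
        rec.PendingCardId = Guid.NewGuid();
        rec.PendingKey = DiversifyAdminKey(rec.PendingCardId);
        rec.State = CardState.Provisioning;
        return (rec.PendingCardId, rec.PendingKey);
    }

    // Per-card 24-byte 3DES key derived from the master key and the card ID: one
    // card's key reveals nothing about another's, and the server can re-derive it
    // from the ID stored on the card (illustrative scheme, see lead-in).
    public byte[] DiversifyAdminKey(Guid cardId)
    {
        using (var hmac = new HMACSHA256(masterKey))
        {
            byte[] key = new byte[24];
            Array.Copy(hmac.ComputeHash(cardId.ToByteArray()), key, 24);
            return key;
        }
    }

    // 3DES encryption of the single 8-byte challenge block under the admin key
    // (ECB and CBC with a zero IV coincide for one block).
    public static byte[] ComputeResponse(byte[] adminKey, byte[] challenge)
    {
        if (challenge == null || challenge.Length != 8)
            throw new ArgumentException("challenge must be exactly one 3DES block");
        using (var tdes = TripleDES.Create())
        {
            tdes.Key = adminKey;            // 16- or 24-byte key; .NET rejects weak keys
            tdes.Mode = CipherMode.ECB;
            tdes.Padding = PaddingMode.None;
            using (var enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(challenge, 0, challenge.Length);
        }
    }

    // Answer a challenge with the key on record for the card. Serves
    // ChangeAdministrativeKeyAsync, ProvisionAsync and RequestPinResetAsync.
    public byte[] AnswerChallenge(Guid cardId, byte[] challenge)
        => ComputeResponse(Lookup(cardId).AdminKey, challenge);

    // ChangeAdministrativeKeyAsync succeeded: the card has the new key, still the old ID.
    public void ConfirmAdminKeyChanged(Guid tempCardId)
    {
        var rec = Lookup(tempCardId);
        if (rec.State != CardState.Provisioning) throw new InvalidOperationException("not provisioning");
        rec.AdminKey = rec.PendingKey;
    }

    // ProvisionAsync succeeded: the card now carries the new ID; re-key the inventory entry.
    public void ConfirmProvisioned(Guid tempCardId)
    {
        var rec = Lookup(tempCardId);
        if (rec.State != CardState.Provisioning) throw new InvalidOperationException("not provisioning");
        inventory.Remove(tempCardId);
        rec.CardId = rec.PendingCardId; rec.PendingKey = null; rec.State = CardState.Provisioned;
        inventory[rec.CardId] = rec;
    }

    // Last lifecycle step: the app deleted the card; refuse further challenges for it.
    public void DeleteCard(Guid cardId) { Lookup(cardId).State = CardState.Deleted; }

    private CardRecord Lookup(Guid cardId)
    {
        CardRecord rec;
        if (!inventory.TryGetValue(cardId, out rec) || rec.State == CardState.Deleted)
            throw new KeyNotFoundException("unknown or deleted card " + cardId);
        return rec;
    }
}
```

On the app side, context.Challenge and request.Challenge are IBuffers: convert them with CryptographicBuffer.CopyToByteArray before sending them to AnswerChallenge, and wrap the returned bytes with CryptographicBuffer.CreateFromByteArray for ChangeAdministrativeKeyAsync, ProvisionAsync or request.SetResponse. The snippet on slide 20 computes the ProvisionAsync response locally with the new admin key, which means that key is present in the client; routing that challenge through AnswerChallenge as well (after ConfirmAdminKeyChanged) keeps admin keys out of the app entirely. The server should also authenticate the caller before answering any challenge, since whoever can obtain responses can reset PINs and reprovision cards.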

30 Virtual smart card deletion API
Class: SmartCardProvisioning
Method: RequestVirtualSmartCardDeletionAsync
Input: SmartCard

31 C# code snippet for card deletion

```csharp
using System.Threading.Tasks;
using Windows.Devices.SmartCards;

public async Task ScenarioDeleteTpmVirtualSmartCard(SmartCard card)
{
    if (card.Reader.Kind != SmartCardReaderKind.Tpm)
    {
        // This is not a TPM virtual smart card; only virtual cards can be deleted
        return;
    }

    // The system asks the user to confirm before the card is deleted
    bool result = await SmartCardProvisioning.RequestVirtualSmartCardDeletionAsync(card);
    if (!result)
    {
        // The request was cancelled
    }
}
```
