Strong authentication: building apps that manage virtual smart cards in enterprise, BYOD and consumer environments

Himanshu Soni

Senior Program Manager

2-041

Agenda
  • 2 factor authentication
  • Smart cards
  • Virtual smart cards
  • WinRT APIs
  • Demo
2 factor authentication
  • What you know – e.g. PIN
  • What you have – e.g. smart card, devices
Why 2 factor authentication
  • “In 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking” – Deloitte
  • “The age of the password is over. We just haven’t realized it yet.” – Wired
  • “73% of users share the passwords which they use for online banking, with at least one nonfinancial website.” – Trusteer Inc. Reused Login Credentials 2010


Virtual smart cards
  • Introduced in Windows 8
  • Use the TPM on the PC for:
    • isolated crypto operations
    • generation of non-exportable keys
    • dictionary-attack prevention (repeated wrong PINs block the card)
  • Exposed as smart cards to applications and the OS

PIN is what you know, the device is what you have.

Where can virtual smart cards be used
  • Remote access using VPN or DirectAccess
  • BYOD (Bring Your Own Device)
  • Logon to PC
  • SSL client authentication
  • Secure email
  • Document protection (signing, encryption)
  • BitLocker drive encryption for data volumes


Important aspects of a smart card
  • User-selected PIN
  • Auto-generated admin key for PIN reset or unblock (some cards have a PUK)
  • Unique ID (card ID, serial number, etc.) for inventory management
  • Certificates and private keys
What’s new in Windows 8.1 for smart cards
  • Windows Store apps can now manage the complete lifecycle of virtual smart cards
  • New APIs to manage virtual smart card
  • New APIs to manage physical smart cards
  • PIN policies for virtual smart card
  • New ways for certificate enrollment
  • New APIs for using certificates for cryptographic operations
Smart card API features
  • Namespace: Windows.Devices.SmartCards
  • Capabilities required in the app manifest: sharedUserCertificates, enterpriseAuthentication
Virtual smart card lifecycle
(Lifecycle diagram; the labelled transitions are Change PIN, Forget PIN and PIN Reset.)

Windows Store app – sample flow (Windows Store app working with a server backend)
  • Create virtual smart card with a default admin key known to the server
  • Receive key diversification information from the server
  • Diversify admin key and update server inventory
  • Send certificate request to server along with any required additional proofs
  • Receive certificate and install it on the card
  • Card lifecycle: PIN management (change, reset, unblock), certificate management (renewal)
  • Delete card and update server inventory

Virtual smart card creation API
  • Class: SmartCardProvisioning
  • Method: RequestVirtualSmartCardCreationAsync
  • Input: friendly name, admin key, GUID for the card ID (an overload is available without the card ID), PIN policy
C# code snippet for card creation
    using System;
    using Windows.Devices.SmartCards;
    using Windows.Security.Cryptography;
    using Windows.Storage.Streams;

    public async void ScenarioCreateTpmVirtualSmartCard()
    {
        // Demo admin key only: the three 8-byte halves are identical, so this 3DES key
        // degenerates to single DES. A deployed app creates the card with the default key
        // agreed with the server and diversifies it right after creation (see the sample flow).
        IBuffer adminKey = CryptographicBuffer.CreateFromByteArray(
            new byte[] {
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
            });

        SmartCardPinPolicy pinPolicy = new SmartCardPinPolicy()
        {
            MinLength = 8,
            LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
            UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
            Digits = SmartCardPinCharacterPolicyOption.Allow,
            SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
        };

        // The user is prompted to choose a PIN; null means the user cancelled the request.
        SmartCardProvisioning cardProvisioning = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
        if (cardProvisioning == null)
            return;
    }
Windows Store APIs – PIN policy
  • PIN policy is an input to the Create API with the following options:
    • Minimum length (the smallest allowed minimum is 4)
    • Maximum length (the largest allowed maximum is 128)
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Special characters
  • Default PIN policy: 8 characters minimum length (same as Windows 8)
  • Note: the PIN can contain only characters from the printable ASCII range.
Smart card provisioning APIs
  • Class: SmartCardProvisioning; method: GetChallengeContextAsync
  • Class: SmartCardChallengeContext; methods: ProvisionAsync, ChangeAdministrativeKeyAsync
C# code snippet for card provisioning
    using System;
    using Windows.Devices.SmartCards;
    using Windows.Storage.Streams;

    public async void ScenarioProvisionCard(SmartCard card, IBuffer oldAdminKey, IBuffer newAdminKey, Guid newCardId)
    {
        var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

        // Change the card admin key after challenge/response authentication.
        // The server holds the current (default) admin key and computes the response;
        // RetrieveResponseForChallengeFromServer is an app-defined helper.
        using (var context = await cardProvision.GetChallengeContextAsync())
        {
            var response = RetrieveResponseForChallengeFromServer(card, context.Challenge);
            await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
        }
C# code snippet for card provisioning (cont’d)
        // Provision the card file system after challenge/response authentication.
        // The card now expects a response computed with the new admin key;
        // CalculateResponse is an app-defined helper. The second argument (true) formats the card.
        using (var context = await cardProvision.GetChallengeContextAsync())
        {
            var response = CalculateResponse(newAdminKey, context.Challenge);
            await context.ProvisionAsync(response, true, newCardId);
        }

        // The card has been provisioned and is ready for certificate enrollment
    }
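The sample flow and the provisioning snippet above leave two pieces to the app and its backend: answering the card's challenge and diversifying the default admin key per card. The following is an added example, not code from the session or from the Windows SDK sample, and the class and method names are illustrative. The challenge/response computation is the one a TPM virtual smart card uses for admin authentication: the 8-byte challenge encrypted with 3DES-CBC under the 24-byte admin key and an all-zero IV. The diversification scheme (HMAC-SHA256 of the card ID under a server master key, truncated to 24 bytes) is an assumption shown here for illustration; in the sample flow that computation and the master key stay on the server, and only the derived key or the diversification information reaches the app.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

// Added example (not from the session or the SDK sample): the admin-key side of
// the sample flow. Class and method names are illustrative.
static class VscAdminKey
{
    // Response to a TPM virtual smart card admin challenge: the 8-byte challenge
    // encrypted with 3DES-CBC under the 24-byte admin key and an all-zero IV.
    // Whoever can run this holds the admin key, i.e. can reset PINs and reformat
    // the card, so in the sample flow it runs on the server, not in the app.
    public static IBuffer CalculateResponse(IBuffer adminKey, IBuffer challenge)
    {
        if (adminKey.Length != 24)
            throw new ArgumentException("admin key must be a 24-byte 3DES key", nameof(adminKey));
        if (challenge.Length == 0 || challenge.Length % 8 != 0)
            throw new ArgumentException("challenge must be a whole number of 8-byte blocks", nameof(challenge));

        var tdes = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.TripleDesCbc);
        CryptographicKey key = tdes.CreateSymmetricKey(adminKey);
        IBuffer zeroIv = CryptographicBuffer.CreateFromByteArray(new byte[8]);
        return CryptographicEngine.Encrypt(key, challenge, zeroIv);
    }

    // Assumed diversification scheme: HMAC-SHA256(masterKey, cardId) truncated to
    // 24 bytes. Every card ends up with its own admin key, and the server can
    // recompute it from the card ID in its inventory instead of storing one key per card.
    public static IBuffer DiversifyAdminKey(IBuffer masterKey, Guid cardId)
    {
        var hmac = MacAlgorithmProvider.OpenAlgorithm(MacAlgorithmNames.HmacSha256);
        CryptographicKey key = hmac.CreateKey(masterKey);
        IBuffer cardIdBytes = CryptographicBuffer.CreateFromByteArray(cardId.ToByteArray());
        IBuffer mac = CryptographicEngine.Sign(key, cardIdBytes);

        byte[] macBytes;
        CryptographicBuffer.CopyToByteArray(mac, out macBytes);
        byte[] derived = new byte[24];
        Array.Copy(macBytes, derived, derived.Length);
        return CryptographicBuffer.CreateFromByteArray(derived);
    }

    // Step "diversify admin key" of the sample flow: replace the well-known default
    // key the card was created with by the diversified key. The response is computed
    // with the current key; afterwards only the new key authenticates admin operations.
    public static async Task RotateAdminKeyAsync(SmartCard card, IBuffer currentAdminKey, IBuffer newAdminKey)
    {
        SmartCardProvisioning provisioning = await SmartCardProvisioning.FromSmartCardAsync(card);
        using (SmartCardChallengeContext context = await provisioning.GetChallengeContextAsync())
        {
            IBuffer response = CalculateResponse(currentAdminKey, context.Challenge);
            await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
        }
    }

    // The same challenge/response answers a PIN reset. Here the admin key is available
    // locally (for example on a test rig); a deployed app forwards request.Challenge
    // to the server and sets whatever response the server returns.
    public static async Task<bool> ResetPinAsync(SmartCardProvisioning provisioning, IBuffer adminKey)
    {
        return await provisioning.RequestPinResetAsync((sender, request) =>
        {
            request.SetResponse(CalculateResponse(adminKey, request.Challenge));
        });
    }
}
```

The zero IV is not a design choice the app gets to make: the challenge is a single 3DES block, so CBC with a zero IV is simply one block encryption, and the card verifies exactly that. What the app does get to decide is where the admin key lives. Computing the response locally is acceptable only while the card still carries the default key that the server knows anyway; once the key has been diversified, keeping it server-side and shipping only responses (as RetrieveResponseForChallengeFromServer does above) means a compromised device cannot reset its own PIN or reformat the card without the backend's cooperation.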
Certificate enrollment
  • Additional proofs
  • Domain username and password
  • Challenge questions
  • OTP sent to mobile phone or email
  • Corpnet connection with user name and password
  • Sign with a physical smart card
  • Visit to an IT office/kiosk
Certificate enrollment APIs
  • Classes: CertificateRequestProperties, CertificateEnrollmentManager
  • Methods: CertificateEnrollmentManager.CreateRequestAsync, CertificateEnrollmentManager.InstallCertificateAsync
C# code snippet for certificate request creation
    using System;
    using System.Net.Http;
    using Windows.Devices.SmartCards;
    using Windows.Security.Cryptography.Certificates;
    using Windows.Storage.Streams;

    public async void ScenarioEnrollCertificate(IBuffer adminKey, SmartCardPinPolicy pinPolicy, Uri enrollmentUrl)
    {
        SmartCardProvisioning cardProvision = await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
        if (cardProvision == null)
            return;

        // Generate the key pair on the card (smart card KSP) and build a request for it
        CertificateRequestProperties requestProperties = new CertificateRequestProperties()
        {
            Subject = "CN=Toby",   // X.500 distinguished name
            KeySize = 2048,
            KeyStorageProviderName = KeyStorageProviderNames.SmartcardKeyStorageProvider,
            SmartcardReaderName = cardProvision.SmartCard.Reader.Name
        };
        string certificateRequest = await CertificateEnrollmentManager.CreateRequestAsync(requestProperties);

        // Submit the request (can wrap it in XML and provide more information, e.g. additional proofs, to the server)
        HttpContent content = new StringContent(certificateRequest);
        HttpClient client = new HttpClient();
        HttpResponseMessage response = await client.PostAsync(enrollmentUrl, content);
        response.EnsureSuccessStatusCode();
        string certResponse = await response.Content.ReadAsStringAsync();

        // Install the returned certificate; it is matched to the private key generated on the card
        await CertificateEnrollmentManager.InstallCertificateAsync(certResponse, InstallOptions.None);
    }
Locating a card
  • Classes: SmartCardReader, SmartCardProvisioning
  • Methods: SmartCardReader.GetDeviceSelector, SmartCardProvisioning.GetIdAsync
  • Input: none
C# code snippet for locating a card
    using System;
    using System.Threading.Tasks;
    using Windows.Devices.Enumeration;
    using Windows.Devices.SmartCards;

    public async Task<SmartCard> ScenarioLocateCard(Guid targetCardId)
    {
        // Enumerate all smart card readers (physical and TPM) and look for the matching card
        var selector = SmartCardReader.GetDeviceSelector();
        var devices = await DeviceInformation.FindAllAsync(selector);
        foreach (var device in devices)
        {
            var reader = await SmartCardReader.FromIdAsync(device.Id);
            var cards = await reader.FindAllCardsAsync();
            foreach (var card in cards)
            {
                // Read the card ID from the card's cardid file and compare it with the target
                var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
                var cardId = await cardProvision.GetIdAsync();
                if (cardId == targetCardId)
                {
                    return card;
                }
            }
        }

        // No card with that ID is present
        return null;
    }
Change PIN
  • Class: SmartCardProvisioning
  • Method: RequestPinChangeAsync
  • Input: none (the user is prompted for the old and new PINs)
C# code snippet for PIN change
    using Windows.Devices.SmartCards;

    public async void ScenarioChangePin(SmartCard card)
    {
        var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

        // Request a PIN change; the user is prompted to enter the old and new PINs
        bool result = await cardProvision.RequestPinChangeAsync();
        if (!result)
        {
            // The request was cancelled
        }
    }
Reset PIN/unblock smart card
  • Class: SmartCardProvisioning
  • Method: RequestPinResetAsync
  • Input: none (apart from the handler that answers the card's challenge)
C# code snippet for PIN reset
    using Windows.Devices.SmartCards;
    using Windows.Storage.Streams;

    public async void ScenarioResetPin(SmartCard card)
    {
        var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
        var cardId = await cardProvision.GetIdAsync();

        // Ask the user for a new PIN and reset the PIN using challenge/response.
        // The admin key stays on the server: the handler forwards the card's challenge
        // and sets the response the server returns (RetrieveResponseForChallengeFromServer
        // is an app-defined helper). The deferral keeps the request open while awaiting.
        bool result = await cardProvision.RequestPinResetAsync(async (sender, request) =>
        {
            var deferral = request.GetDeferral();
            try
            {
                IBuffer response = await RetrieveResponseForChallengeFromServer(cardId, request.Challenge);
                request.SetResponse(response);
            }
            finally
            {
                deferral.Complete();
            }
        });
        if (!result)
        {
            // The request was cancelled
        }
    }
Virtual smart card deletion API
  • Class: SmartCardProvisioning
  • Method: RequestVirtualSmartCardDeletionAsync
  • Input: SmartCard
C# code snippet for card deletion
    using Windows.Devices.SmartCards;

    public async void ScenarioDeleteTpmVirtualSmartCard(SmartCard card)
    {
        // Only TPM virtual smart cards can be deleted; physical cards are left alone
        if (card.Reader.Kind != SmartCardReaderKind.Tpm)
        {
            return;
        }

        // The user is asked to confirm the deletion
        bool result = await SmartCardProvisioning.RequestVirtualSmartCardDeletionAsync(card);
        if (!result)
        {
            // The request was cancelled
        }
    }
Summary and key takeaways
  • Windows 8.1 makes it easier than ever for Windows Store apps to manage physical and virtual smart cards.
  • Virtual smart cards give you strong (two-factor) authentication in enterprise Bring Your Own Device (BYOD) environments as well as in consumer scenarios that require it, such as banking.
  • You learned what virtual smart cards are, which scenarios they enable, and how the new Windows Runtime APIs make it easy to write apps that manage both physical and virtual smart cards.
Resources
  • Virtual smart card white paper
  • http://www.microsoft.com/download/details.aspx?id=29076
  • MSDN links for WinRT APIs
  • http://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx
  • http://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx
  • Samples link
  • http://code.msdn.microsoft.com/windowsapps/Smart-card-sample-f9befda4
  • http://msdn.microsoft.com/library/windows/apps/br212099.aspx