Isolate Sensitive Data in a Smart Card
You can add a layer of security to a Windows CE device by using smart cards to store authentication information or a digital signing mechanism. You can write a custom CryptoAPI provider that exploits a smart card's ability to protect information.
The Windows CE smart card subsystem supports CryptoAPI through smart card service providers (SCSPs), which are DLLs that enable access to specific services. The subsystem provides a link between the smart card reader hardware and the applications. Windows CE does not provide SCSPs; typically, the smart card vendor provides the appropriate SCSPs. However, Windows CE provides the interfaces described in the following table.
Subsystem component | File | Description |
---|---|---|
Resource manager | Scard.dll | Uses the Win32 APIs to manage access to multiple readers and smart cards. |
Resource manager helper library | Winscard.dll | Exposes PC/SC services for using smart cards and smart card readers. |
Smart card reader helper library | Smclib.lib | Provides common smart card driver support routines and additional T=0 and T=1 protocol support to specific drivers as needed. |
Sample smart card reader drivers | Pscr.dllbulltlp3.dllstcusb.dll | SwapSmart PC reader driver. Serial reader driver. Universal serial bus (USB) reader driver. |
A typical smart card system consists of applications, a subsystem that handles communication between smart card readers and the applications, readers, and the smart card.
The following list shows why implementing a fraction of the smart card CryptoAPI service provider functionality in a separate hardware keeps the cryptographic keys and operations protected:
- It provides protected storage for private keys and other forms for personal information.
- It isolates security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system.
- It enables portability of credentials and other private information.
In an organization that uses smart cards, users do not have to remember any passwords at all, only a personal identification number, and they can use the same certificate for other security purposes, such as digitally signing e-mail.
See Also
Last updated on Wednesday, April 13, 2005
© 2005 Microsoft Corporation. All rights reserved.