Re: Service caching Smart Card credentials

From: Edson E. W (e_at_e.w)
Date: 10/07/03


Date: Tue, 7 Oct 2003 13:13:31 -0700

You must check your CSP documentation. If your CSP
supports Windows Smartcard Logon, it must support
PP_SIGNATURE_PIN/PP_KEYEXCHANGE_PIN. If it does not
support it, please check alternative ways (for instance,
some versions of Datakey RSA CSP require passing the
DK_EXT_LOGOUT to CryptSetProvParam in order to 'log out'
the card, i.e., forget the password. Some CSPs do not like
NULL passwords etc.) (I have learned it the hard way...)

>-----Original Message-----
>May I ask which CSP you are using?
>Does the PIN prompt happen from the service? How?
>
>If you load a CSP in a service, you should specify CRYPT_SILENT in
>CryptAcquireContext.
>That will prevent the CSP from displaying its own UI.
>
>PIN caching behavior is not absolutely standard.
>In any case, your service can call CryptSetProvParam for PP_SIGNATURE_PIN or
>PP_KEYEXCHANGE_PIN with a NULL PIN.
>This should cause the CSP to flush the cached PIN.
>
>--
>Eric Perlin [MS]
>This posting is provided "AS IS" with no warranties, and confers no rights.
>---
>
>
>"Nitesh Mehrotra" <news@nitesh.net> wrote in message
>news:#FjN0kDjDHA.1004@TK2MSFTNGP09.phx.gbl...
>> Hi!
>>
>> It seems like windows is caching the private key handle if you have a
>> service (or I am doing something wrong). I am not sure how to fix this.
>> Here is what I am doing:
>>
>> 1. I call CryptAcquireContext from my service.
>> 2. I open the private key for a cert.
>> 3. The private key lives on smart card, so user is prompted for the PIN --
>> as expected
>> 4. I use the private key, then close the cert handle
>> 5. I call CryptReleaseContext(....)
>> 6. Next time when I repeat this process, the user is not being prompted for
>> the PIN. If I stop the service, and then restart, the user does get prompted
>> for the PIN. It seems like the PIN is cached for the lifetime of the
>> process.
>>
>> Does windows/smart card cache the PIN for the private key? Is there
>> something I can do to make sure that the user is re-prompted for the PIN? I
>> don't think I have a handle leak.
>>
>> thanks
>> Nitesh
>
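The sequence the thread arrives at (acquire the context with CRYPT_SILENT, use the key, then CryptSetProvParam with a NULL PP_KEYEXCHANGE_PIN / PP_SIGNATURE_PIN before CryptReleaseContext) as a small Windows PowerShell harness you can run against a card to see what your CSP actually does; this is an added example, not code from any poster. The `Capi` P/Invoke class, the two function names and the provider and container strings are assumptions (the PP_*/CRYPT_* values are the wincrypt.h constants); put the CSP name and key container of your own certificate in `$prov` and `$cont`.

```powershell
# Added example (not from the thread): does this CSP forget the PIN after a NULL-PIN flush?
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Capi {
    public const uint PROV_RSA_FULL = 1, CRYPT_SILENT = 0x40;          // wincrypt.h
    public const uint PP_KEYEXCHANGE_PIN = 32, PP_SIGNATURE_PIN = 33;  // wincrypt.h
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CryptAcquireContext(out IntPtr phProv, string container,
        string provider, uint provType, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CryptSetProvParam(IntPtr hProv, uint param, IntPtr data, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CryptReleaseContext(IntPtr hProv, uint flags);
}
'@
function Clear-CspPinCache {
    # Flush both PIN slots the way Eric describes: PP_*_PIN with a NULL buffer.
    # CRYPT_SILENT keeps the CSP from showing its own UI, which a service needs anyway.
    param([string]$Provider, [string]$Container)
    $hProv = [IntPtr]::Zero
    if (-not [Capi]::CryptAcquireContext([ref]$hProv, $Container, $Provider,
            [Capi]::PROV_RSA_FULL, [Capi]::CRYPT_SILENT)) {
        throw "CryptAcquireContext failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        foreach ($p in [Capi]::PP_KEYEXCHANGE_PIN, [Capi]::PP_SIGNATURE_PIN) {
            # A CSP that rejects a NULL PIN (some do, as Edson notes) shows up here.
            if (-not [Capi]::CryptSetProvParam($hProv, $p, [IntPtr]::Zero, 0)) {
                Write-Warning "PP param $p not flushed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
        }
    } finally { [void][Capi]::CryptReleaseContext($hProv, 0) }
}
function Invoke-CardSignature {
    # Sign with the existing card key through the CSP; this is the step that prompts for the PIN.
    param([string]$Provider, [string]$Container)
    $csp = New-Object Security.Cryptography.CspParameters([Capi]::PROV_RSA_FULL, $Provider, $Container)
    $csp.Flags = [Security.Cryptography.CspProviderFlags]::UseExistingKey   # never create a key on the card
    $rsa = New-Object Security.Cryptography.RSACryptoServiceProvider($csp)
    try { return $rsa.SignData([Text.Encoding]::ASCII.GetBytes('pin cache probe'), 'SHA1') }
    finally { $rsa.Dispose() }
}
# Assumed names: use the CSP and key container behind your own certificate.
$prov = 'Microsoft Base Smart Card Crypto Provider'; $cont = 'YOUR-KEY-CONTAINER-NAME'
[void](Invoke-CardSignature $prov $cont)   # first use: PIN prompt expected
Clear-CspPinCache $prov $cont
[void](Invoke-CardSignature $prov $cont)   # a second prompt means the flush worked for this CSP
```

Whether the second signature prompts again tells you whether this CSP keeps a process-wide cache and honours the NULL-PIN flush; a CSP that returns an error from CryptSetProvParam here needs its own logout call instead, like the DK_EXT_LOGOUT case Edson mentions.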


