How does IE determine which smartcard to use?

From: Max (mi97ki_at_yahoo.com)
Date: 02/17/04


Date: 17 Feb 2004 01:46:20 -0800

Hi all,

I have two smartcard readers connected to my computer and a smartcard
inserted in each of them. The logged-on user has been previously
enrolled using both smartcards with the same CSP (Gemplus), so there
is a certificate on each of the smartcards assigned to him. The two
certificates have been propagated to the MY store (when I add the
Certificates snap-in to MMC, I can see that they are there).

When I launch Internet Explorer and try to connect to a secure
website, I am shown a dialog box that lists the two certificates. I
select the first one and the CSP I used to enroll the logged-on user
asks me to enter a PIN. The authentication completes successfully only
if I enter the PIN of the smartcard associated with the selected
certificate. If I enter the PIN of the other smartcard, the CSP tells
me that I entered the wrong PIN. The interesting fact is that I wasn't
asked to select a reader (or smartcard).

From what I see here, it looks like the CSP knows how to bind to the
right smartcard after selecting a certificate in the MY store. How
does Internet Explorer provide the CSP with this information? Does it
pass the selected certificate (or a hash of it) to the CSP? If that's
the case, which CryptoAPI function is used (perhaps CryptCreateHash)?

From what I know, CryptoAPI compliant applications (like Internet
Explorer) invoke first CryptAcquireContext (that maps to
CPAcquireContext in the CSP) to acquire a context in a smartcard. As
far as I can tell, it is not possible to pass a (hashed) certificate to
CryptAcquireContext. If, as I suspect, CryptCreateHash (that maps to
CPCreateHash) is used, does that mean that Internet Explorer loops
over all the connected readers to try to match the selected
certificate with the ones stored on the cards (invoking
CryptAcquireContext and CryptCreateHash for each of the cards until
the right card is found)?

Thank you!
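Added example, not part of the original post: a PowerShell script that reads the CERT_KEY_PROV_INFO_PROP_ID property which enrollment stores on each certificate in the MY store. That property records the CSP name, the key container name and the key spec; CryptAcquireCertificatePrivateKey hands exactly those to CryptAcquireContext, so the card CSP can open the matching key without the application passing a certificate hash. The P/Invoke wrapper and the Get-KeyProvInfo helper below are my own names, not part of any Microsoft API.

```powershell
# Read the CRYPT_KEY_PROV_INFO that links a MY-store certificate to its CSP and key container.
Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CRYPT_KEY_PROV_INFO {
    public string pwszContainerName;   // key container the CSP must open
    public string pwszProvName;        // CSP name, e.g. the card vendor's provider
    public uint   dwProvType;
    public uint   dwFlags;
    public uint   cProvParam;
    public IntPtr rgProvParam;
    public uint   dwKeySpec;           // AT_KEYEXCHANGE (1) or AT_SIGNATURE (2)
}
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@

$CERT_KEY_PROV_INFO_PROP_ID = 2   # wincrypt.h value of the property id

function Get-KeyProvInfo {
    # Helper (my own name): returns the CRYPT_KEY_PROV_INFO of a certificate, or $null if none.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $cb = [uint32] 0
    # First call with a null buffer only queries the required size; it fails
    # when the certificate has no linked private key (property absent).
    if (-not [Win32.Crypt32]::CertGetCertificateContextProperty(
            $Cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, [IntPtr]::Zero, [ref] $cb)) {
        return $null
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int] $cb)
    try {
        if (-not [Win32.Crypt32]::CertGetCertificateContextProperty(
                $Cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, $buf, [ref] $cb)) { return $null }
        return [Runtime.InteropServices.Marshal]::PtrToStructure(
            $buf, [type][Win32.Crypt32+CRYPT_KEY_PROV_INFO])
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $info = Get-KeyProvInfo $cert
    if ($null -eq $info) { continue }   # no private key linked: not a client-auth candidate
    $spec = switch ($info.dwKeySpec) { 1 { 'AT_KEYEXCHANGE' } 2 { 'AT_SIGNATURE' } default { "other ($_)" } }
    "{0}`n  CSP:       {1} (type {2})`n  Container: {3}`n  KeySpec:   {4}" -f `
        $cert.Subject, $info.pwszProvName, $info.dwProvType, $info.pwszContainerName, $spec
}
```

Reading the property does not touch the card; only a later CryptAcquireContext on the listed container (as the browser does when it selects that certificate) reaches the CSP, which is where the PIN prompt for that specific card comes from.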
