Re: Re[2]: What's the meaning of the PIN cache in a smart card CSP



Hi Skybird Le,

The PIN cache described by the Smart Card Cryptographic Service Provider
Cookbook is the PIN cache as it should be implemented by (i.e., inside) the
smart card CSP. E.g., during smart card logon, Windows will be passing the
PIN the user provided in the logon screen to the CSP using a
CryptSetProvParam call. Then, e.g. a CPSignHash function is called on the
CSP in order to sign a hash with the card's private key. The CSP will then
fetch the previously received PIN from its cache, because it will be needed
somehow to authenticate to the card to perform the signing operation.

This PIN cache is an internal implementation detail of the CSP and is indeed not
shared by different processes. (It does however need to be accessible by
different threads within the same process.)

FYI, another PIN cache exists in Windows. It is the PIN cache that is used
by the Kerberos client to provide the PIN to the smart card CSP when a new
Kerberos TGT needs to be acquired from the Kerberos server. However, this
PIN cache is entirely undocumented. This is not the PIN cache as described
in the Cookbook.

Hope this can clarify things a bit for you.

Cheers,
Jan.


"Skybird Le" <skybird.le@xxxxxxxxx> wrote in message
news:20071212163651.7847.SKYBIRD.LE@xxxxxxxxxxxx
Can any one give me some help?


On Tue, 11 Dec 2007 18:04:49 +0800
Skybird Le <skybird.le@xxxxxxxxx> wrote:

I know how to get the logon ID by using the Windows functions OpenProcessToken,
OpenThreadToken and GetTokenInformation(TokenStatistics), but should
SR_Service.exe and SR_CAPI.exe share the PIN cache?



On Tue, 11 Dec 2007 17:47:31 +0800
Skybird Le <skybird.le@xxxxxxxxx> wrote:

Hi, everyone
In "The Smart Card Cryptographic Service Provider Cookbook"
whose URL is http://msdn2.microsoft.com/en-us/library/ms953432.aspx,
there is a "PIN caching" Design Considerations section. I have read it again
and again, but still cannot get its meaning. How can I add the PIN
to the cache with the logon ID for the security context of the current
thread?
I notice it is very important, because the "Microsoft Base Smart Card
Crypto Provider" can behave correctly with "Check Point SecureClient NGX R60
HFA2" in Vista, but my CSP cannot work perfectly. Check Point SecureClient's
SR_Service.exe is a service; it calls the CSP at first and then creates a
child process SR_CAPI.exe with a normal user's identity. SR_CAPI.exe
calls the CSP to generate an RSA key pair and sign a hash; during this
process the CSP will require the smart card PIN by prompting a PIN dialog, so
the CSP state in the SR_CAPI.exe process is "smart card PIN provided" and the
PIN is cached in the process. Now SR_Service.exe will call the CSP to sign a
hash using the RSA key generated by SR_CAPI.exe. The "Microsoft Base Smart
Card Crypto Provider" does not prompt a PIN dialog, as this process's CSP
state is "PIN provided and cached", but my CSP will prompt for the smart card
PIN.
According to the smart card CSP cookbook, the PIN cache is
per-process, so the PIN cache should not be shared by two processes, but why
can the "Microsoft Base Smart Card Crypto Provider" share the PIN cache
between two different processes?

I expect your help!

Skybird Le
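An added example (not from any post in this thread, and not Microsoft's or Check Point's code) of the per-process PIN cache Jan describes, in C: CryptSetProvParam would end up in something like pin_cache_set(), and CPSignHash in something like pin_cache_get(), with the cache keyed by the caller's logon ID as the Cookbook suggests, so a service that impersonates several users inside one process never hands user A's cached PIN to user B's signing call. Assumptions: the logon ID is the token's AuthenticationId LUID (what GetTokenInformation(TokenStatistics) returns) flattened to a 64-bit integer, the card is identified by a serial-number string, and a spin lock stands in for the CRITICAL_SECTION a real CSP would use. The logon IDs and card serials in main() are constructed values.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_CACHE_SLOTS 8   /* one slot per (logon session, card) pair */
#define PIN_MAX_LEN     32
#define CARD_ID_MAX_LEN 32

/* One cached PIN. logon_id models the AuthenticationId LUID of the calling
 * thread's token; card_id stands in for whatever the CSP uses to identify
 * the card (serial number, container name, ...). Both are assumptions. */
typedef struct {
    bool     in_use;
    uint64_t logon_id;
    char     card_id[CARD_ID_MAX_LEN];
    char     pin[PIN_MAX_LEN];
} pin_entry_t;

/* Process-wide state: every thread in this process sees the same table; a
 * second process that loads the same CSP DLL gets its own, empty copy. */
static pin_entry_t g_cache[PIN_CACHE_SLOTS];
static atomic_flag g_cache_lock = ATOMIC_FLAG_INIT;

static void cache_lock(void)
{
    while (atomic_flag_test_and_set_explicit(&g_cache_lock, memory_order_acquire))
        ; /* spin; a real CSP would use a CRITICAL_SECTION here */
}

static void cache_unlock(void)
{
    atomic_flag_clear_explicit(&g_cache_lock, memory_order_release);
}

/* memset() on memory that is about to be abandoned may be optimised away;
 * write through a volatile pointer so the PIN bytes really are wiped. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

static pin_entry_t *find_entry(uint64_t logon_id, const char *card_id)
{
    for (size_t i = 0; i < PIN_CACHE_SLOTS; i++)
        if (g_cache[i].in_use && g_cache[i].logon_id == logon_id &&
            strcmp(g_cache[i].card_id, card_id) == 0)
            return &g_cache[i];
    return NULL;
}

/* The CryptSetProvParam(PP_KEYEXCHANGE_PIN / PP_SIGNATURE_PIN) path:
 * remember the PIN for this logon session and this card. */
bool pin_cache_set(uint64_t logon_id, const char *card_id, const char *pin)
{
    if (strlen(card_id) >= CARD_ID_MAX_LEN || strlen(pin) >= PIN_MAX_LEN)
        return false;
    cache_lock();
    pin_entry_t *e = find_entry(logon_id, card_id);
    for (size_t i = 0; e == NULL && i < PIN_CACHE_SLOTS; i++)
        if (!g_cache[i].in_use) e = &g_cache[i];
    if (e == NULL) { cache_unlock(); return false; }   /* table full */
    secure_zero(e->pin, sizeof e->pin);
    e->in_use = true;
    e->logon_id = logon_id;
    strcpy(e->card_id, card_id);
    strcpy(e->pin, pin);
    cache_unlock();
    return true;
}

/* The CPSignHash / CPDecrypt path: fetch the PIN for the *caller's* logon
 * session. A different logon session in the same process gets a miss (and
 * therefore a PIN prompt), not somebody else's PIN. */
bool pin_cache_get(uint64_t logon_id, const char *card_id, char *out, size_t out_len)
{
    bool found = false;
    cache_lock();
    pin_entry_t *e = find_entry(logon_id, card_id);
    if (e != NULL && strlen(e->pin) < out_len) {
        strcpy(out, e->pin);
        found = true;
    }
    cache_unlock();
    return found;
}

/* Drop every cached PIN for a card (card removed, VERIFY failed, ...).
 * Returns the number of entries wiped. */
int pin_cache_clear_card(const char *card_id)
{
    int cleared = 0;
    cache_lock();
    for (size_t i = 0; i < PIN_CACHE_SLOTS; i++)
        if (g_cache[i].in_use && strcmp(g_cache[i].card_id, card_id) == 0) {
            secure_zero(&g_cache[i], sizeof g_cache[i]);
            cleared++;
        }
    cache_unlock();
    return cleared;
}

int main(void)
{
    /* Constructed values: 0x3e7 is the LUID of the SYSTEM logon session,
     * 0x12345 stands for an interactive user's session. */
    const uint64_t user_a = 0x12345ULL, service = 0x3e7ULL;
    const char *card = "CARD-SERIAL-0001";
    char pin[PIN_MAX_LEN];

    pin_cache_set(user_a, card, "1234");                /* user A answered the PIN dialog */
    printf("user A signs:  %s\n", pin_cache_get(user_a, card, pin, sizeof pin) ? "PIN from cache" : "prompt");
    printf("service signs: %s\n", pin_cache_get(service, card, pin, sizeof pin) ? "PIN from cache" : "prompt");
    pin_cache_clear_card(card);                         /* card pulled from the reader */
    printf("user A again:  %s\n", pin_cache_get(user_a, card, pin, sizeof pin) ? "PIN from cache" : "prompt");
    secure_zero(pin, sizeof pin);
    return 0;
}
```

Run as is it prints "PIN from cache" for user A, "prompt" for the service's logon session, and "prompt" again for user A once the card has been cleared. This is exactly why two processes, or two logon sessions in one process, each see their own PIN prompt: the cache lives in the CSP's own memory and is looked up by the caller's logon ID, never handed across.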







