Re: EFS and Smart Card

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 07/31/03


Date: Thu, 31 Jul 2003 05:36:42 -0700


Well, the number one is that a CSP cannot prompt for a PIN since the lsass
process suppresses all UI. Other issues are for remote server encryption -
the server has no way to access the key on the card which is on the client.
If the smartcard is not inserted, how does the system prompt the user to
insert the card - since all UI is suppressed this is hard. Almost no
smartcard CSP on the available market supports RSA encryption of a symmetric
key that was generated outside of the card - this is required for EFS
obviously. Performance - an actual opening of an encrypted Word document
may perform as many as 4 RSA operations on the card - this is very slow.

There are many others, as I mentioned, we would like to support this in the
future.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Ling Tang" <ltang7@hotmail.com> wrote in message
news:eJxMpXwVDHA.1984@TK2MSFTNGP11.phx.gbl...
> Could you briefly outline what are the 12 others that limit usage of smart
> card in EFS?
> I find it difficult to understand the limitation, even after reading the
> link you post. Maybe I need to read further in the related link. However I
> would appreciate if you can summarize the reasons.
>
> Thanks,
> Ling
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:%23Eio9UpVDHA.2364@TK2MSFTNGP09.phx.gbl...
> > Yes, this is one of the major reasons and there are about 12 others.
> > Please take our word as authoritative on this subject.  We would like to
> > support this functionality in the future.
> >
> > http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp
> >
> > -- 
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> > http://support.microsoft.com
> >
> > "John Banes [MS]" <jbanes@online.microsoft.com> wrote in message
> > news:eTcc1GfVDHA.2288@TK2MSFTNGP12.phx.gbl...
> > > EFS is mostly implemented in the lsass.exe process, which doesn't
> > > directly have access to the user desktop. So when the smartcard CSP
> > > attempts to display its PIN dialog box, the calling thread hangs
> > > forever. So to support smartcards, some extra code would need to be
> > > written to obtain the PIN ahead of time and plumb it down to the
> > > lsass.exe process. There may be additional reasons, but this is what
> > > comes to mind.
> > >
> > > Regards,
> > >
> > > John Banes
> > > [Microsoft Security Developer]
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights. Please do not send email directly to this alias. This alias is
> > > for newsgroup purposes only.
> > >
> > > "Ling Tang" <ltang7@hotmail.com> wrote in message
> > > news:OwFzorWVDHA.1316@TK2MSFTNGP12.phx.gbl...
> > > > Thanks David and again Mike. I noticed these questions have been
> > > > discussed several times, but I still got different answers from
> > > > different parties. I guess probably because they quoted from
> > > > different white papers.
> > > >
> > > > I am still very curious why EFS does not support smart cards. If I
> > > > replace the default CSP (MS Base Cryptographic Provider) with my own
> > > > smart card CSP which is implemented according to the spec, I can't
> > > > understand why this does not work.
> > > >
> > > > Cheers,
> > > > Ling
> > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > news:eOfxOJQVDHA.2224@TK2MSFTNGP09.phx.gbl...
> > > > > I will try to get the Windows 2000 paper corrected:  EFS does not
> > > > > support smartcards currently and will not work with smartcards in
> > > > > current versions of Windows.
> > > > >
> > > > > -- 
> > > > > David B. Cross [MS]
> > > > >
> > > > > --
> > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > rights.
> > > > >
> > > > > http://support.microsoft.com
> > > > >
> > > > > "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> > > > > news:%23VWRu5OVDHA.2004@TK2MSFTNGP10.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > this question has been asked quite a few times at the last
> > > > > > Tech-Ed in Dallas and even before on one of the T-Preps that I
> > > > > > was attending. The answer was always no. I am not sure why at
> > > > > > this moment. I will have to check some of my notes.
> > > > > >
> > > > > > File System. Here is
> > > > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/support/DataProt.asp
> > > > > > a white paper on Data Protection and Recovery on WinXP.
> > > > > > Microsoft here states:
> > > > > > "Smart card-based certificates and keys are not currently
> > > > > > supported with the Encrypting"
> > > > > >
> > > > > > I am sorry I can't give more details at the moment, but I will
> > > > > > look into it...
> > > > > >
> > > > > > -- 
> > > > > > Mike
> > > > > > MCSA 2K, MCSE 2K, MCT, ...
> > > > > >
> > > > > > "Ling Tang" <ltang7@hotmail.com> wrote in message
> > > > > > news:u4cK7gOVDHA.2368@TK2MSFTNGP09.phx.gbl...
> > > > > > > Thanks Mike, but it is mentioned in the white paper from
> > > > > > > Microsoft that EFS does support smart card.
> > > > > > >
> > > > > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/nt5efs.asp
> > > > > > >
> > > > > > > Besides, do you have any idea why it does not support smart
> > > > > > > cards. From my limited knowledge, EFS always makes use of
> > > > > > > CryptoAPI, so as long as the CSP supports smart cards, it
> > > > > > > should have no big difficulty in usage of smart cards in
> > > > > > > EFS... please comment and elaborate.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Ling
> > > > > > >
> > > > > > > "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in
> > > > > > > message news:uMjs$lNVDHA.1368@TK2MSFTNGP11.phx.gbl...
> > > > > > > > Hi Ling,
> > > > > > > >
> > > > > > > > it is not possible to use EFS with Smart Cards... Microsoft
> > > > > > > > was thinking about this for Windows 2003 server, but it is
> > > > > > > > still not supported and it will not work...
> > > > > > > >
> > > > > > > > -- 
> > > > > > > > Mike
> > > > > > > > MCSA 2K, MCSE 2K, MCT, ...
> > > > > > > >
> > > > > > > > "Ling Tang" <ltang7@hotmail.com> wrote in message
> > > > > > > > news:%23Sh5PYNVDHA.2104@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > I found different comments on support of smart cards or
> > > > > > > > > other hardware tokens in Encrypting File System (EFS).
> > > > > > > > > Maybe they are referring to different versions of Windows
> > > > > > > > > or based on some assumption. May I be excused to ask the
> > > > > > > > > same question again. And I would appreciate if you can
> > > > > > > > > provide pointers of information on your comment about
> > > > > > > > > whether EFS supports usage of smart card.
> > > > > > > > > I know a few articles that have a high level description
> > > > > > > > > on whether EFS can support hardware tokens, but they are
> > > > > > > > > not detailed or technical enough. It will be grateful if
> > > > > > > > > you have pointers to some really technical articles about
> > > > > > > > > EFS with smart card.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Ling


Relevant Pages

  • Re: EFS and Smart Card
    ... the number one is that a CSP cannot prompt for a PIN since the lsass ... Other issues are for remote server encryption - ... the server has no way to access the key on the card which is on the client. ... There are many others, as I mentioned, we would like to support this in the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS and Smart Card
    ... the number one is that a CSP cannot prompt for a PIN since the lsass ... Other issues are for remote server encryption - ... the server has no way to access the key on the card which is on the client. ... There are many others, as I mentioned, we would like to support this in the ...
    (microsoft.public.win2000.security)
  • RE: CryptSignHash with SHA2, hash size and OID
    ... sign with a hash algorithm that the card CSP does not support. ... ..NET I wanted to use the native counterpart (CSP). ... and again the problem is same, how am I going to modify hash algorithms. ...
    (microsoft.public.platformsdk.security)
  • Re: CF vs SD?
    ... And they support SDIO for peripherals. ... Right now Windows XP does not support the SD encryption in the OS itself. ... > the capacities have increased dramatically and there appears to be> significant differeneces in card speed due to a number of factors in> both the device and on the card. ... in fact all slots> in PPC's are "technically" MMC slots and will not handle SD protected> content. ...
    (microsoft.public.pocketpc)
  • Re: Outlook Sequence of CSP procedure call
    ... Encryption is handled by the ... and doesn't involve the smart card at all. ... CSP Design & Development Consulting ... routine is called with the key handler that is supposed to be T-DES but ...
    (microsoft.public.platformsdk.security)