Smart Cards Experience before and after Vista

Before Vista:

Smart Card Properties:

1. A smart card could support only one certificate for logon.

2. Only one container on the smart card could be marked default. Additional certificates could be stored on the smart card for other purposes, such as S/MIME.

3. Changing the PIN and unblocking a smart card were not natively supported or integrated. As a result, a user had to log on first with a standard user name and password to perform these tasks.

Certificate Properties:

  1. CDP: The location should be populated and online.
  2. Key Usage: Digital Signature
  3. Basic Constraints: [Subject Type=End Entity, Path Length Constraint=None] (Optional)
  4. EKU:
    • Client Authentication (1.3.6.1.5.5.7.3.2) (The client authentication object identifier is required only if the certificate is also used for SSL authentication.)
    • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  5. SAN: UPN
  6. Subject: DN of the user
  7. There are two predefined types of private keys: Signature Only (AT_SIGNATURE) and Key Exchange (AT_KEYEXCHANGE). Smart card logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key for smart card logon to work.

Starting from Vista:

Smart Card Properties:

1. In Vista, Winlogon supports multiple logon certificates and containers on the same smart card. The number of certificates that can be stored and containers that can be created depends on how much space is available on the smart card.

2. Logon is no longer triggered on smart card insertion. Users are normally required to press CTRL+ALT+DEL to start the logon process.

3. Although ECC is not supported for smart card logon in Vista, it is supported in Windows 7.

Certificate Properties:

1. CDP: Not required.

2. Key Usage: Digital Signature

3. EKU: Smart Card Logon not required.

4. SAN: Email ID is not required for smart card logon.

5. Key Exchange (AT_KEYEXCHANGE field): Not required.

6. UPN: Not required.

So any certificate with Digital Signature capability can be used for smart card logon if the EKU is not populated at all. But if the EKU is populated, it must contain Smart Card Logon.
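As an added example (not part of the original post), the following PowerShell function checks a certificate against both requirement lists above, using the OIDs the post cites and the .NET X509Certificate2 API; the UPN check relies on the English decoded text of the SAN extension, and the key type is only visible for legacy CSP keys.

```powershell
# Added example, not from the original post: score a certificate against the
# pre-Vista and Vista+ smart card logon requirements described above.
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'      # Client Authentication (SSL only)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon
$DigSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature

function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Index extensions by OID so each check is a simple lookup.
    $ext = @{}
    foreach ($e in $Cert.Extensions) { $ext[$e.Oid.Value] = $e }

    # Key Usage (2.5.29.15): Digital Signature is required in both eras.
    $ku = $ext['2.5.29.15']
    $hasDigSig = [bool]$ku -and (($ku.KeyUsages -band $DigSig) -ne 0)

    # EKU (2.5.29.37): pre-Vista needs Smart Card Logon; Vista+ accepts no EKU
    # at all, but once an EKU is present it must still list Smart Card Logon.
    $eku = $ext['2.5.29.37']
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasScLogon = $ekuOids -contains $SmartCardLogonOid

    # SAN (2.5.29.17): a UPN decodes as "Principal Name=" on English Windows.
    $san = $ext['2.5.29.17']
    $hasUpn = [bool]$san -and ($san.Format($true) -match 'Principal Name=')

    # CDP (2.5.29.31): required pre-Vista (and must be online), not required later.
    $hasCdp = $ext.ContainsKey('2.5.29.31')

    # Private key type: AT_KEYEXCHANGE was mandatory pre-Vista. Only legacy CSP
    # keys expose this; CNG keys or an absent private key report 'Unknown'.
    $keyType = 'Unknown'
    try { $kn = $Cert.PrivateKey.CspKeyContainerInfo.KeyNumber; if ($kn) { $keyType = [string]$kn } } catch { }

    [pscustomobject]@{
        Subject           = $Cert.Subject
        DigitalSignature  = $hasDigSig
        SmartCardLogonEku = $hasScLogon
        ClientAuthEku     = $ekuOids -contains $ClientAuthOid
        UpnInSan          = $hasUpn
        HasCdp            = $hasCdp
        KeyType           = $keyType
        PreVistaOk  = $hasDigSig -and $hasScLogon -and $hasUpn -and $hasCdp -and ($keyType -ne 'Signature')
        VistaPlusOk = $hasDigSig -and (($ekuOids.Count -eq 0) -or $hasScLogon)
    }
}

# Evaluate every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert -Cert $_ } | Format-Table -AutoSize
```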
