One of my favorite features of Windows 2000 was its built-in support for smartcards. As Windows has evolved since then, through XP and Server 2003, to Vista and Server 2008, and now with Seven and Server 2008 R2, we have greater and more solid support for smart cards. In this article, I’d like to describe the current support in Windows 7 and Server 2008 R2 for smartcards; a later article will delve into fingerprint reader (biometrics) support.
One of the Windows 7 and Windows Server 2008 R2 changes includes support for the United States Federal Government Employee and Contractor Personal Identity Verification (PIV) extensions to the Common Access Card (CAC) use of smartcards. A vendor of biometrics or other identity verification hardware which is compliant with the PIV standards can issue specialized drivers through Windows Update. When an end user inserts their PIV-compliant smartcard for authentication, the appropriate device drivers can potentially be downloaded to the Windows 7 workstation automatically. This extends the basic smartcard plug and play functionality with support for PIV-compliant systems. There is even a generic driver included with Windows 7 in support of scenarios where a specific driver is not available.
But what if you don’t work for the U.S. Federal government – is there anything else new in the way Windows 7 supports smartcards which could be useful to you?
Since Windows 2000, there has been support for using smartcard public key (PK) authentication for the initial Active Directory-based Kerberos authentication at user logon. As the standards for this have evolved, newer versions of Windows have kept up. Windows 7 and Windows Server 2008 R2 implement the Internet RFC 4556 called PKINIT which describes this public key initial (PKINIT) authentication as an open specification.
Windows Vista introduced an update to the Cryptographic Application Programming Interface (CryptoAPI) used in Windows 2000 and XP – this update is called the Cryptography API: Next Generation (CNG). This CNG has been further enhanced in Windows 7 and Windows Server 2008 R2 for additional plug and play capabilities similar to the PIV driver update ability via Windows Update, but for supporting smartcards in any application software that implements the CNG. Therefore, any line-of-business (LOB) applications which are properly developed could integrate with basic and enhanced smartcard functionality.
Let’s go back to the updates to PKINIT support and smartcard logon. Diffie-Hellman (DH) and Rivest-Shamir-Adleman (RSA) forms of public key cryptography and the classic forms of shared secret key cryptography (e.g. DES, 3DES, RC4) have been supported in Windows for many years. But when the combined with the CNG support of Elliptic Curve algorithms for public key cryptography (e.g. ECDH, ECDSA) and more modern shared secret key algorithms (e.g. AES128 and AES256) and longer key lengths for hashing (e.g. SHA384), the modern versions of the Kerberos and PKINIT in Windows 7 and Windows Server 2008 R2 can provide a solid foundation in your security infrastructure which support PIV extensions as well.
For securing documents, email, and other network traffic, the combination of CNG, PKINIT, and PIV can be extended to IPsec, S/MIME, and XPS for a powerful array of features targeted at deployments requiring defense in depth strategies. What if you want to encrypt whole disk volumes? If you’re using the Enterprise or Ultimate editions of Windows 7, smartcards can be used to unlock BitLocker encrypted disk volumes. Again, if you need PIV support, any specialized device drivers can be downloaded via Windows Update.
It’s a matter of evolution rather than earth-shatteringly new features, however Windows 7 and Windows Server 2008 R2 strongly continue the tradition of Windows support for smartcards which began with Windows 2000. What has changed is the ease of deployment and management of smartcards in Windows, enhancements to security with newer protocols and algorithms, and support for newer multi-factor authentication standards in an authentication, authorization, auditing system. Are you using smartcards yet? Or are you still trusting your systems to password/passphrase security?