Having fun with Virtual Smart Cards for S/MIME usage (part 1)

Recently, at one of our larger Premier customers, we designed and implemented (initially in a lab environment) a Certification Authority, mostly for S/MIME usage. During the initial discussions we considered virtual smart cards (VSCs) for their Windows 8 computers. The experience was interesting enough to warrant at least two blog posts 🙂
In this first part, we are going to describe the prerequisites and prepare everything for a successful virtual smart card rollout.

Starting from the clients – TPM chips
We are not going to get into the details of the TPM architecture, as there is abundant information on the internet. We will only mention the details that matter for a VSC implementation.
First off, we have to make sure that the computers which are going to be part of the implementation actually contain a TPM chip. I was not planning to mention that at all; however, I found out that there are computer (and/or motherboard) manufacturers who advertise TPM support without actually supplying a TPM chip with the system. This is especially true of desktop computers, some of which have a TPM header on the board but no TPM module plugged into it. So, you have to make sure that your systems really contain the module before rolling out the VSCs.
After that, make sure to enable TPM support in the BIOS settings. This is the most common mistake, as many people do not realize that even if a computer has a TPM chip, it is most probably not enabled by default in the BIOS (on TPM 1.2 chips the module has to be both enabled and activated, which some firmware exposes as two separate settings). Finally, after initializing the TPM in Windows, that is, taking ownership of it (http://technet.microsoft.com/en-us/library/cc753140.aspx), we are ready to set up our Certification Authority (CA).
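Before the CA work starts it pays to inventory the client fleet for exactly the three failure modes described above: no module at all, module present but switched off in the firmware, and module enabled but never initialized. The following PowerShell script is an added example (not part of the original post and not a Microsoft tool) that reads the Win32_Tpm WMI class, which exposes the enabled/activated/owned split directly, and reports the next step per machine. The computer names are assumptions, and WMI needs administrative rights on each target.

```powershell
# Added example, not from the original post: inventory the TPM state of the
# machines you intend to roll VSCs to, so "no chip" and "disabled in BIOS" are
# found before the rollout. Uses the Win32_Tpm WMI class
# (root\cimv2\Security\MicrosoftTpm); the Get-Tpm cmdlet on Windows 8+ shows
# the same information for the local machine only. Computer names are assumed.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

function Get-TpmReadiness {
    param([string]$Computer)
    $tpm = Get-WmiObject -ComputerName $Computer -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $state = [ordered]@{
        Computer = $Computer; Present = $false; Enabled = $false; Activated = $false
        Owned = $false; SpecVersion = $null; Ready = $false; NextStep = ''
    }
    if ($null -eq $tpm) {
        # No instance at all: either no module is fitted (an empty TPM header does not count)
        # or the module is switched off in BIOS/UEFI setup, so Windows never loaded a driver for it.
        $state.NextStep = 'No TPM visible to Windows: confirm a module is fitted, then enable it in BIOS/UEFI setup'
        return [pscustomobject]$state
    }
    # TPM 1.2 tracks three separate states; a virtual smart card needs all three.
    $state.Present     = $true
    $state.Enabled     = [bool]$tpm.IsEnabled_InitialValue
    $state.Activated   = [bool]$tpm.IsActivated_InitialValue
    $state.Owned       = [bool]$tpm.IsOwned_InitialValue
    $state.SpecVersion = $tpm.SpecVersion
    $state.Ready       = $state.Enabled -and $state.Activated -and $state.Owned
    $state.NextStep    = if (-not $state.Enabled)       { 'Enable the TPM in BIOS/UEFI setup' }
                         elseif (-not $state.Activated) { 'Activate the TPM in BIOS/UEFI setup (reboot; may require physical presence)' }
                         elseif (-not $state.Owned)     { 'Initialize the TPM in Windows (tpm.msc > Initialize TPM) to take ownership' }
                         else                           { 'Ready for virtual smart card creation' }
    [pscustomobject]$state
}

# Usage: .\Get-TpmReadiness.ps1 -ComputerName PC01,PC02,PC03
$ComputerName | ForEach-Object { Get-TpmReadiness -Computer $_ } | Format-Table -AutoSize
```

A machine that shows Present=False in this report is the case from the paragraph above: either the board was sold "TPM ready" without a module, or the module is disabled in the firmware, and Windows cannot tell the two apart, so someone has to look at the BIOS setup (or the board) before that machine goes into the pilot.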

Back to the CA – Virtual Smart Card Certificate template
We are not going to describe how to set up a CA, since that is out of the scope of this blog post. However, it is essential that we get into the details of how to properly create the certificate template needed for VSC issuance.
Since VSCs are not that different from a regular smart card (at least from a CA perspective), the steps we have to perform to configure the VSC template are pretty much the same as for a real, hardware smart card deployment. The certificate template that has to be duplicated is, as expected, the Smartcard Logon one, and the fields that have to change are in the following tabs:
a) In the General tab, we just have to label the duplicated template
b) In the Request Handling tab we have to change the Purpose to Signature and smartcard logon. If not already selected, we should select Prompt the user during enrollment. Finally, we should click Requests must use one of the following providers and select Microsoft Base Smart Card Crypto Provider. Note that this purpose gives the key the Digital Signature key usage only: it is enough for signed mail, but if the users must also receive encrypted mail the certificate needs Key Encipherment, which only the Signature and encryption purpose provides.
c) Since we are going to use the resulting virtual smart card(s) for S/MIME operations, we should also make sure that in the Subject Name tab both Include e-mail name in subject name and, under the alternate name options, E-mail name are checked. The CA takes the address from the user's mail attribute in Active Directory, so users without an e-mail address there will fail enrollment against this template. Also check the Extensions tab: the Smartcard Logon template only carries the Client Authentication and Smart Card Logon application policies, and Outlook will only offer a certificate for S/MIME if it also carries Secure Email (1.3.6.1.5.5.7.3.4).
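Template settings are easy to get subtly wrong in the MMC and hard to diff afterwards, so here is an added example (not from the original post, not a Microsoft tool) that reads the duplicated template straight out of the Configuration partition with ADSI and checks every setting listed above, plus the S/MIME extras. The flag bits are the published values from [MS-CRTD]; the template name 'VSC-SMIME' is an assumption, pass your own.

```powershell
# Added example, not from the original post: audit a duplicated Smartcard Logon
# template in AD against the settings listed above. Reads the object with ADSI,
# so it needs no RSAT module, only read access to the Configuration partition.
# The template name 'VSC-SMIME' is an assumed name.
param([string]$TemplateName = 'VSC-SMIME')

# Flag bits from [MS-CRTD], key usage bits from RFC 5280 (first byte of pKIKeyUsage)
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x00000100   # msPKI-Enrollment-Flag: "Prompt the user during enrollment"
$CT_FLAG_SUBJECT_REQUIRE_EMAIL     = 0x20000000   # msPKI-Certificate-Name-Flag: "Include e-mail name in subject name"
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000   # msPKI-Certificate-Name-Flag: alternate name "E-mail name"
$KU_DIGITAL_SIGNATURE = 0x80
$KU_KEY_ENCIPHERMENT  = 0x20
$OID_SMARTCARD_LOGON  = '1.3.6.1.4.1.311.20.2.2'
$OID_SECURE_EMAIL     = '1.3.6.1.5.5.7.3.4'
$REQUIRED_CSP         = 'Microsoft Base Smart Card Crypto Provider'

function Get-CertTemplate {
    param([string]$Name)
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$Name))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Template '$Name' not found in the Configuration partition" }
    return $result.Properties   # property names come back lower-cased
}

function New-Check([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-VscSmimeTemplate {
    param([string]$Name)
    $p = Get-CertTemplate -Name $Name
    $enrollFlag = [int]$p['mspki-enrollment-flag'][0]
    $nameFlag   = [int]$p['mspki-certificate-name-flag'][0]
    $eku        = @($p['pkiextendedkeyusage'])
    $csps       = @($p['pkidefaultcsps'])               # entries look like "1,Microsoft Base Smart Card Crypto Provider"
    $ku         = ([byte[]]$p['pkikeyusage'][0])[0]

    $r = @()
    # b) Request Handling tab
    $r += New-Check 'Purpose includes signing (Digital Signature)' (($ku -band $KU_DIGITAL_SIGNATURE) -ne 0) ('pKIKeyUsage=0x{0:X2}' -f $ku)
    $r += New-Check 'Prompt the user during enrollment' (($enrollFlag -band $CT_FLAG_USER_INTERACTION_REQUIRED) -ne 0) ('msPKI-Enrollment-Flag=0x{0:X}' -f $enrollFlag)
    $cspOk = [bool]($csps | Where-Object { $_ -like "*,$REQUIRED_CSP" })
    $cspDetail = if ($csps.Count) { $csps -join '; ' } else { 'no provider list: any provider on the client is allowed' }
    $r += New-Check "Provider restricted to $REQUIRED_CSP" $cspOk $cspDetail
    # c) Subject Name tab
    $r += New-Check 'Include e-mail name in subject name' (($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_EMAIL) -ne 0) ('msPKI-Certificate-Name-Flag=0x{0:X}' -f $nameFlag)
    $r += New-Check 'Alternate name: E-mail name' (($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL) -ne 0) ''
    # Inherited from Smartcard Logon, plus what Outlook needs for S/MIME
    $r += New-Check 'EKU: Smart Card Logon' ($eku -contains $OID_SMARTCARD_LOGON) ($eku -join ', ')
    $r += New-Check 'EKU: Secure Email (required by Outlook)' ($eku -contains $OID_SECURE_EMAIL) 'add under Extensions > Application Policies if missing'
    $r += New-Check 'Key Encipherment (only if users must receive encrypted mail)' (($ku -band $KU_KEY_ENCIPHERMENT) -ne 0) 'signing-only purpose cannot decrypt S/MIME'
    return $r
}

Test-VscSmimeTemplate -Name $TemplateName | Format-Table -AutoSize
```

Run it once after duplicating the template and again after the CA has published it; the last two checks are the ones that tend to fail on a template cloned from Smartcard Logon, and they are the reason an otherwise working VSC certificate does not show up in Outlook's S/MIME settings.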

Virtual smart card settings for SMIME

Now we are ready to delve into the wonderful world of virtual smart card deployment. In the next blog post, we are going to visit the client once again, prepare it for VSC issuance, issue the VSC and configure it for Outlook/Exchange S/MIME operations.

Strong key protection for Windows clients' private key operations

During customer visits, I am often asked what the most secure way to store and handle private key material is. As we probably all know, two-factor methods are the ones usually recommended when private key protection is of the utmost importance: for the private key of an offline or issuing Certification Authority a Hardware Security Module (HSM) would be proposed, and for digitally signing e-mails or documents a smart card would be the ideal place to store the key pair. Some companies, however, are reluctant to introduce hardware devices into their environment, for two reasons: a) they believe the devices will add complexity to an already complex IT environment and degrade the end-user experience, and b) they are not prepared to bear the added cost (in the case of smart cards a fairly cheap device, around $20-40 per card or more, depending on quantity and the software used). In both situations the companies' IT (or Security) departments have a point, but they usually still need an extra layer of security for their end users. So, is there any "poor man's added security" for private key usage?

Strong key protection while enrolling a certificate

Strong key protection password window during enrollment

Well, on the client side of the Windows PKI world, the folks who designed CryptoAPI added an extra security feature called strong key protection. In essence, strong key protection forces the user to enter a user-defined password that protects the private key whenever (almost, as we will see later on) it is about to be used for a cryptographic operation. When such an operation (for example, digitally signing an e-mail) is performed, the user has to provide this password, and only then does the calling application (Outlook, in this case) get access to the key. Keep in mind that the key remains a software key stored in the user's profile; the password only gates its use through CryptoAPI on that machine.

The prerequisites to enable and use this feature are to select the relevant option in the Request Handling tab of the certificate template (Prompt the user during enrollment and require user input when the private key is used), and then to have the user choose the High security level and enter a password during certificate enrollment. There are two caveats here that are hard to spot: a) the template only makes the enrollment wizard show the dialog; the user can pick Medium (a consent prompt, no password) instead of High, and there is no template setting that forces High (the machine-wide security option System cryptography: Force strong key protection for user keys stored on the computer can force it, but it then applies to every user software key on that machine), and b) once you enter the password in Outlook, for example for signing or decrypting, the system will not ask for it again until you close and re-open the application. Moreover, the password entered by the user when the certificate is enrolled from a Windows XP client is not checked against the domain policy's complexity requirements; Windows Vista and later clients do enforce it.
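Caveat a) has two workarounds on the client side, which the following PowerShell script demonstrates as an added example (not from the original post and not a Microsoft tool): it reads the machine-wide policy value behind the security option named above, and, when run with -Enroll, submits a request through certreq with a KeyProtection setting in the INF file that creates the key with high protection forced, so the Medium choice never appears for that request. The template name 'StrongKeyUser', the CA configuration string and the working directory are assumptions; replace them with yours (certutil -config - lists the CA string).

```powershell
# Added example, not from the original post: the template flag only makes the
# enrollment wizard ask; it cannot force the High (password) level. This script
# reports the machine-wide policy that can, and with -Enroll requests a
# certificate whose key is created with high protection forced per request.
# Assumed values: template 'StrongKeyUser', CA config string, working directory.
param(
    [string]$TemplateName = 'StrongKeyUser',
    [string]$CAConfig     = 'ca01.corp.example\Corp Issuing CA',
    [string]$WorkDir      = (Join-Path $env:TEMP 'skp'),
    [switch]$Enroll
)

function Get-ForceKeyProtectionPolicy {
    # Security option "System cryptography: Force strong key protection for user keys
    # stored on the computer" lands in this registry value. It covers every user
    # software key on the machine, not one template.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
    $val = (Get-ItemProperty -Path $key -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection
    if ($null -eq $val) { return 'Not configured: the user picks Medium or High in the enrollment dialog' }
    switch ([int]$val) {
        0       { '0: user input is not required when new keys are stored and used' }
        1       { '1: user is prompted when the key is first used (Medium)' }
        2       { '2: user must enter a password each time they use a key (High)' }
        default { "Unexpected value $val" }
    }
}

function New-StrongKeyRequestInf {
    param([string]$Template, [string]$Path)
    # KeyProtection in a certreq INF applies the NCRYPT_UI_* policy to the new key,
    # so the dialog comes up already at the High level for this one request.
    # Subject is replaced by the CA when the template builds it from AD.
    $inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
KeyProtection = NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    $Path
}

function Invoke-StrongKeyEnrollment {
    param([string]$Template, [string]$CA, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $inf = New-StrongKeyRequestInf -Template $Template -Path (Join-Path $Dir 'req.inf')
    $req = Join-Path $Dir 'req.req'
    $cer = Join-Path $Dir 'cert.cer'
    # Key generation happens here; this is where the password dialog appears.
    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    & certreq.exe -submit -config $CA $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); is the request pending CA manager approval?" }
    # Bind the issued certificate to the protected key in the user's store.
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
}

"Force strong key protection policy: $(Get-ForceKeyProtectionPolicy)"
if ($Enroll) {
    Invoke-StrongKeyEnrollment -Template $TemplateName -CA $CAConfig -Dir $WorkDir |
        Select-Object Subject, Thumbprint, NotAfter
}
```

The per-request INF only helps where enrollment is scripted; users who enroll through the wizard or autoenrollment still get the Medium/High choice unless the policy value is 2, and setting that value is a decision about every software key on the machine, not just the S/MIME one.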

Partly because of the problems mentioned above, but mainly because strong key protection is not real two-factor authentication (the key is still a software key that a password gates), I do not recommend it as a viable security solution for handling private key material. However, there are organizations where security is not a top priority, and it's good to have choices 🙂

Certificate template settings for strong key protection