RE: Password prompts when signing with smartcard




Hi Bill,

Sorry for keeping you waiting so long.

In your scenario, there are two aspects.

1) The prompt to input the smartcard PIN is shown by the Smartcard CSP
while the application code is attempting to access the RSA private key
container for the *first* time either in a call to CPAcquireContext(),
CPGetUserKey (AT_KEYEXCHANGE/AT_SIGNATURE), CPSignXXXX() etc. Once the CSP
has the PIN information, the application code calling Crypto APIs using the
*same* HCRYPTKEY/HCRYPTPROV handle in the *same* process will not get
prompted for the PIN again. The behavior is Smartcard CSP specific.

2) The application code using Crypto APIs such as CryptAcquireContext(),
CryptGetUserKey() should have the capability of re-using the *same*
HCRYPTPROV (provider handle) or HCRYPTKEY (RSA private key handle) for
multiple signing operations. If the application code acquires the RSA
private key container using CryptAcquireContext() for every Crypto
operation, you will get prompted for the PIN each time.

SN.exe is confined to the #2 scenario. Also, based on my review, there is
no option in SN.EXE that will allow you to resign multiple assemblies at the
same time.

Additionally, the Smartcard CSP doesn't provide the feature of exporting
the RSA private key pair from the smartcard, for security reasons. The
private key never leaves the smartcard. So, you cannot export the key pair
outside of the smart card.

I do not think there is a perfect workaround regarding this issue. Hope my
analysis makes sense to you.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
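As an added example (not code from the original post, and not how SN.exe works internally), the two access patterns from points 1 and 2 in C#: re-acquiring the smartcard key container for every file, which prompts for the PIN each time, versus holding one RSACryptoServiceProvider (one HCRYPTPROV/HCRYPTKEY) for the whole batch. The CSP name, container name and file list are placeholders, and the code produces detached RSA signatures over file bytes rather than strong-name signatures.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not from the original post or from SN.exe.
// Shows why re-acquiring the smartcard key container per operation prompts for
// the PIN every time, while one shared RSACryptoServiceProvider (one
// HCRYPTPROV/HCRYPTKEY in the same process) prompts once for the whole batch.
static class SmartCardBatchSign
{
    // Assumptions: CSP and container names are placeholders for your card's values.
    const string ProviderName  = "PLACEHOLDER-SMARTCARD-CSP";
    const string ContainerName = "PLACEHOLDER-KEY-CONTAINER";

    // CspParameters maps to CryptAcquireContext(); constructing the
    // RSACryptoServiceProvider opens the key (CryptGetUserKey). The CSP
    // prompts for the PIN on this first private-key access.
    static RSACryptoServiceProvider OpenCardKey()
    {
        var csp = new CspParameters(1 /* PROV_RSA_FULL */, ProviderName, ContainerName)
        {
            KeyNumber = 2,                           // AT_SIGNATURE key on the card
            Flags = CspProviderFlags.UseExistingKey  // fail rather than generate a new key
        };
        return new RSACryptoServiceProvider(csp);
    }

    // What the post describes SN.exe doing: a fresh context per file,
    // so the CSP prompts for the PIN once per file.
    static void SignEachWithFreshContext(string[] files)
    {
        foreach (var f in files)
            using (var rsa = OpenCardKey())
                File.WriteAllBytes(f + ".sig", rsa.SignData(File.ReadAllBytes(f), "SHA256"));
    }

    // What point 2 recommends: keep the same handle for the whole batch; the
    // CSP already has the PIN, so later SignData() calls do not prompt again.
    static void SignBatchWithSharedContext(string[] files)
    {
        using (var rsa = OpenCardKey())
            foreach (var f in files)
                File.WriteAllBytes(f + ".sig", rsa.SignData(File.ReadAllBytes(f), "SHA256"));
    }

    static void Main(string[] args)
    {
        // Constructed usage: the files to sign are passed on the command line.
        if (args.Length == 0) { Console.WriteLine("usage: SmartCardBatchSign <file>..."); return; }
        SignBatchWithSharedContext(args);
        Console.WriteLine("Signed {0} file(s) with a single PIN prompt.", args.Length);
    }
}
```

Whether the second and later signatures really skip the prompt depends on the card's CSP, as point 1 notes; the handle-reuse pattern is what makes the single prompt possible.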
