Using Virtual Smart Cards with Windows 8
We all know that password protection alone is a poor way to secure access to the computers on our networks. Two-factor authentication provides more security, and smart card technology is one of the most used methods of deploying two-factor authentication, because it's considered by many to be much less invasive than biometrics such as fingerprint or retina scanning.
However, smart cards have a couple of big drawbacks. One is the cost of implementation; in addition to the cards themselves, you have to purchase smart card reader devices for the systems with which you want to use them. The other problem is that users lose them or leave them at home and are then unable to access their systems.
Windows 8 brings us a number of new capabilities in regard to security, and one of the most interesting new features is support for virtual smart cards. That means that, for computers equipped with a Trusted Platform Module (TPM) chip that meets specification version 1.2, organizations can now get the benefits of smart card logon without making an investment in the hardware and without the possibility of users being without their cards when they need them. In this article, we'll look at how virtual smart cards are created and used in Windows 8.
What's a virtual smart card?
Traditional smart cards are physical objects; they fit in the "something you have" category of authentication means, and are used in conjunction with "something you know" (a password or a PIN) to provide two-factor authentication. A virtual smart card (VSC) is a software construct that emulates a smart card and is presented to the operating system as one, much like a virtual machine emulates a separate computer and OS instance. However, there is a hardware element involved: the TPM. So you still have two-factor authentication (TPM plus PIN).
Most new business-grade machines have TPM chips; many consumer-grade computers, especially those a few years old, do not. If the TPM is present, it must be turned on in the system BIOS. On a Windows 7/8 machine, you can find out whether you have a TPM by running tpm.msc. This opens the TPM management console where you'll see information about your TPM or, if you don't have one (or if it's turned off in the BIOS), you'll see a message that says "Trusted Platform Module (TPM) cannot be found on this computer."
Characteristics of VSCs
Virtual smart cards and virtual smart card readers appear to Windows 8 and to the applications the same as physical smart cards, and use the same application-level APIs, but you can tell them apart because the icon is different. The icon that represents the VSC is shown in Figure 1.
As far as the operating system and apps are concerned, they see the VSC as being always inserted in the virtual card reader. Thus you can't set policy (as you can with physical smart cards) to automatically log the user off when the card is removed. To the user, logging on with a VSC is as easy as logging on with just a password; all users have to do is enter their PINs.
VSCs are secure because although the encrypted private keys are stored on the computer's hard drive, those keys are encrypted on the TPM and are only used on the TPM. Thus if the machine becomes infected with malware, the VSC keys are safe. The decrypted keys are never loaded into the operating system's memory or hard drive so they can't be extracted from those locations by attackers. This is called isolated cryptography because other programs running on the computer cannot access the VSC encryption and decryption processes.
Unlike a virtual machine (VM), you can't move a VSC to a different computer, because only the TPM that encrypted the keys is able to use them. That means users can't use the same VSC in multiple machines, but it also means an attacker can't, for example, remove the hard drive from the computer and compromise the VSC. This feature is called non-exportability and it's an important security characteristic of physical smart cards, where the information stored on a physical card cannot be extracted to be used somewhere else.
Although the VSC is specific to one TPM on one machine, administrators can issue a VSC for the same user to use on each machine that he/she needs to access. In addition, just as other users can insert their own smart cards in a reader so that multiple users can use the same machine, other users can be issued separate VSCs for the same machine. This would be appropriate in cases where Windows-To-Go allows different users to use the same physical machine by inserting their USB drives with their own instances of Windows. Up to six VSCs can be created on one computer.
Like physical smart cards, VSCs will lock out a user who enters an incorrect PIN a specified number of times. This is similar to the account lockout feature that can be configured through Windows Group Policy and is designed to thwart brute force attackers who are just trying one PIN after another in hopes of hitting upon the right one. In smart card terminology, this lockout feature is known as anti-hammering.
What are the drawbacks of VSCs in comparison to physical smart cards? The most obvious is that the thing that makes the VSC more convenient to the user is also its weakness - it can't be removed from the device and taken with you. If you leave the computer, the smart card is still "inserted" so if an attacker gains access to the machine and happens to know the PIN, he's in. Thus PIN security is very important.
How VSCs work
Smart cards (virtual or otherwise) are based on digital certificates, which means you need a Public Key Infrastructure (PKI). A Windows Server 2012 certification authority (CA) has two default certificate templates that can be used for issuing smart card certificates. The Smartcard Logon template is appropriate when the card's use will be for logging on only. If you want users to be able to use the certificate for encrypting email, use the Smartcard User template.
You can create customized certificate templates. The Microsoft Base Smart Card Crypto Provider should be used as the CSP (Cryptographic service provider) for the certificates. You can set a certificate's validity period and the minimum key size.
The certificate template will need to be created on the server before you can create VSCs. This is done with the Certificate Templates MMC snap-in. If you're going to allow users to enroll their certificates, you'll need to give "enroll" permissions to the "authenticated users" group. You'll then need to go into the Certification Authority MMC on the CA, and select the newly created template as a new certificate template to issue.
For large scale creation of VSCs, there are VSC management software solutions.
Creating and Issuing VSCs
To create a VSC, use the Tpmvscmgr.exe command line utility shown in Figure 2, which must be run with local administrative privileges on a Windows 8 computer that's a member of your domain.
In a domain, you can create a smart card on a remote computer, using the /machine subcommand. You must be running the utility under an account that is in the local administrators group on the remote computer.
When a card is created, the utility will display an "instance ID" for it. You'll need to know this ID if you ever want to use the /destroy command to delete a VSC from the computer.
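The creation steps above can be scripted. The following is an added example, not part of the original article: it checks the TPM first and then creates the card with a prompted PIN and a random admin key instead of the tool's defaults. The card name ExampleVSC is hypothetical, and the exit-code check assumes the tool returns a nonzero code on failure.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on the Windows 8 machine that will hold the card.
$cardName = 'ExampleVSC'   # hypothetical card name

# 1. Check for a usable TPM before attempting creation (the same state that
#    tpm.msc reports). Get-Tpm ships with Windows 8 / Windows Server 2012.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw 'No TPM found (absent, or turned off in the BIOS).'
}
if (-not $tpm.TpmReady) {
    throw 'TPM is present but not ready for use; initialize it in tpm.msc first.'
}

# 2. Create the card. The tool runs in the foreground so the PIN prompt is
#    shown to the operator.
#      /pin prompt       ask for a PIN instead of using the tool's default PIN
#      /adminkey random  generate an admin key instead of the default key
#                        (the random key is not returned to the operator)
#      /generate         format the card so certificates can be enrolled
& tpmvscmgr.exe create /name $cardName /pin prompt /adminkey random /generate

# Assumption: the tool signals failure through a nonzero exit code.
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe create failed with exit code $LASTEXITCODE"
}

# 3. Record the instance ID that the tool printed; it is required later for
#      tpmvscmgr.exe destroy /instance <instance ID>
#    To create the card on another domain machine, add to the create command:
#      /machine <computer name>
```

Because a VSC is always "inserted", the PIN is the only factor an attacker at the keyboard has to defeat, so the default PIN and default admin key are best kept out of any production provisioning.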
If you've worked with smart cards before, you know they must be enrolled before they can be used. This is where the user's credentials are attached to the card. The process is a little different with VSCs because there is no enrollment station. They are enrolled on the local Windows 8 computer, using the Certificate Enrollment wizard in the Certificates Management console (accessed by running certmgr.msc). To start the wizard, do the following, as shown in Figure 3:
- In the left pane, right click the Personal node.
- Select All Tasks.
- Select Request New Certificates.
This starts the Certificate Enrollment Wizard and you can follow the prompts, selecting the template for TPM virtual smart cards and choosing the name that was given to the smart card when it was created. You'll need to enter the PIN.
VSC use and maintenance
The VSC can now be used just like a physical smart card (except that it's never removed from the device). Applications will treat it like a traditional smart card.
You'll recall that during the creation of the VSC, you set a validity period. When it expires, credentials will need to be renewed. The user requests renewal and they can get a new key pair or reuse the same one. A VSC can hold up to 90 certificates with up to 30 private key pairs.
If Windows has to be reinstalled or if the VSC is compromised, the VSC will need to be reissued. This means going through the card creation process again, creating a new PIN and admin key. Also note that if the TPM on the computer should be re-initialized, you'll have to recreate the VSC.
If the incorrect PIN is entered too many times (as in a brute force attack), the VSC may go into timed delay, where it is blocked and must be reset. In addition, the TPM itself may go into lockout mode, and will have to be reset using the TPM owner password. These are two different issues.
For more detailed information, including step by step instructions for using the tools described in this article, download the Understanding and Evaluating Virtual Smart Cards.docx document from the Microsoft Download Center.
Windows 8's support for virtual smart cards provides companies with the ability to implement two factor authentication without the expense associated with traditional smart cards. To the user, the logon experience is basically the same as using traditional password authentication, but under the hood it's more secure - and the user doesn't have to worry about keeping up with a physical card.