question about private certificate stored on smart card

Anonymous
February 20, 2005 8:37:25 AM

Archived from groups: microsoft.public.win2000.security

Hi all,

In our organization users must log on using smart cards.
Certain confidential documents can only be decrypted (encrypted using
a third party PKI integrated encryption software) using the private
certificate stored in the smart card. If a user forgets his/her smart
card at home, we can allow the user to log on to the domain using the
traditional user and password scheme; however, encrypted documents are
not available.

I was wondering, is it possible to issue a secondary smart card with
the same private certificate so that it could be stored in a safe
place and be used in case the "primary" smart card cannot be used?

Thank you in advance for your attention,
Bar
Anonymous
February 20, 2005 10:57:33 AM

In article <8ec33ba5.0502200537.1ec83a97@posting.google.com>, barabba72
@hotmail.com says...
> Hi all,
>
> in our organization users must logon using smart cards.
> Certain confidential documents can only be decrypted (encrypted using
> a third party PKI integrated encryption software) using the private
> certificate stored in the smart card. If a user forgets his/her smart
> card at home, we can allow the user to logon to the domain using
> traditional user and password scheme however, encrypted documents are
> not available.
>
> I was wondering, is it possible to issue a secondary smart card with
> the same private certificate so that it could be stored in a safe
> place and be used in case the "primary" smart card cannot be used ?
>
> Thank you in advance for your attention,
> Bar
>
It depends on the Registration Authority, and the smart card middleware
that you are implementing in your organization. The solution is specific
to the smart cards and the CSP (whether they would allow archival of the
private key material for encryption certificates).

Brian
Anonymous
February 20, 2005 5:59:32 PM

Hi,

With Windows 2003 CA there is an option to archive the user's private key.
Archival is done automatically when the certificate is issued. As far as I was
able to find out there is no smart card CSP available today that would
support this feature. So what you would have to do is issue a certificate
that would enable users file encryption on a hard drive and later import it
on a smart card.
In general smart card archival was designed to prevent data loss. After a user
loses his private key, you are able to recover it from the certificate database,
but you should also revoke the certificate (the user is still able to decrypt
all his information) and issue the user a new certificate.

You have to know that doing all this (and storing a smart card with the user's
private keys) in a safe practically destroys the whole concept of deploying
PKI. If there is a security breach on my documents I can always blame it on
people who have access to the safe with the smart cards (and if I was the
administrator I wouldn't want such responsibility).

The situation that you describe should have been addressed when you were
deploying your CA architecture, and you should have a written procedure on
what to do when users come into the office without the smart card. There is
also the user education part of deploying PKI, where I usually explain to the
end user to consider the smart card as a passport. You don't get very far on
your trip without it (and the customs don't issue temporary passports).

On the other hand I usually try to deploy integrated smart cards (smart
cards that are also proximity cards) for my customers. These cards enable
users to access their office and register their arrival time. In this case
it is less likely they will forget it at home.

--
Mike
Microsoft MVP - Windows Security


"barabba" <barabba72@hotmail.com> wrote in message
news:8ec33ba5.0502200537.1ec83a97@posting.google.com...
> Hi all,
>
> in our organization users must logon using smart cards.
> Certain confidential documents can only be decrypted (encrypted using
> a third party PKI integrated encryption software) using the private
> certificate stored in the smart card. If a user forgets his/her smart
> card at home, we can allow the user to logon to the domain using
> traditional user and password scheme however, encrypted documents are
> not available.
>
> I was wondering, is it possible to issue a secondary smart card with
> the same private certificate so that it could be stored in a safe
> place and be used in case the "primary" smart card cannot be used ?
>
> Thank you in advance for your attention,
> Bar
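
The recovery sequence described in the reply above (recover the archived key from the CA database, get it onto a card, revoke the old certificate), shown with `certutil` as an added example that is not part of the original thread. It assumes key archival with a Key Recovery Agent is already configured on the CA; the CA config string, serial number, reason code and file names are placeholders.

```powershell
# Added example. All values below are placeholders, not taken from the thread.
$CaConfig = 'CA01.example.local\Example Issuing CA'  # hypothetical "host\CA name"
$Serial   = '<SERIAL-OF-ARCHIVED-ENCRYPTION-CERT>'   # placeholder serial number
$Reason   = 1   # CRL reason code: 1 = keyCompromise, 4 = superseded (policy choice)

# Work in a fresh directory so recovered key material is easy to find and delete.
$WorkDir = Join-Path $env:TEMP ("keyrecovery-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $WorkDir | Out-Null
$Blob = Join-Path $WorkDir 'recovery.blob'
$Pfx  = Join-Path $WorkDir 'recovered.pfx'

function Assert-LastExit([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

try {
    # 1. CA officer: extract the recovery blob. It is still encrypted to the
    #    Key Recovery Agent (KRA) certificate, so this step exposes no key.
    certutil.exe -config $CaConfig -getkey $Serial $Blob
    Assert-LastExit 'getkey'

    # 2. KRA holder: decrypt the blob with the KRA private key into a
    #    password-protected PFX (certutil prompts for the PFX password).
    #    In practice steps 1 and 2 are run by different people.
    certutil.exe -recoverkey $Blob $Pfx
    Assert-LastExit 'recoverkey'

    # 3. Load $Pfx onto the replacement card with the card vendor's middleware.
    #    This step is vendor-specific and is deliberately not scripted here.
    Read-Host 'Import the PFX onto the card, then press Enter to continue'

    # 4. Revoke the old certificate and publish a fresh CRL. The recovered key
    #    still decrypts old documents; revocation stops new encryption to it.
    certutil.exe -config $CaConfig -revoke $Serial $Reason
    Assert-LastExit 'revoke'
    certutil.exe -config $CaConfig -crl
    Assert-LastExit 'crl'
}
finally {
    # Remove the on-disk copies. Remove-Item is not a secure wipe, so run this
    # on an encrypted volume or a recovery workstation that is rebuilt afterwards.
    Remove-Item -Recurse -Force $WorkDir -ErrorAction SilentlyContinue
}
```
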
Anonymous
February 20, 2005 5:59:33 PM

In article <ODFkoR1FFHA.1260@TK2MSFTNGP12.phx.gbl>, mihap-
news@atlantis.si says...
> Hi,
>
> With Windows 2003 CA there is an option to archive user's private key.
> Archival is done automatically when certificate is issued. As far as I was
> able to find out there are no smart card CSP available today that would
> support this feature. So what you would have to do is issue a certificate
> that would enable users file encryption on a hard drive and later import it
> on a smart card.
> In general smart card archival was designed to prevent data loss. After user
> loses his private key, you are able to recover it from certificate database,
> but you should also revoke the certificate (user is still able to decrypt
> all his information) and issue user a new certificate.
>
> You have to know that doing all this (and storing smart card with user's
> private keys) in a safe practically destroys the whole concept of deploying
> PKI. If there is a security breach on my documents I can always blame it on
> people who have access to the safe with the smart cards (and if I was the
> administrator I wouldn't want such responsibility).
>
> Situation that you describe should be addressed when you were deploying your
> CA architecture and should have a written procedure on what to do when users
> come into the office without the smart card. There is also user education
> part of deploying PKI where I usually explain to the end user to consider
> smart card as a passport. You don't get very far on your trip without it
> (and the customs don't issue temporary passports).
>
> On the other hand I usually try to deploy integrated smart cards (smart
> cards that are also proximity cards) for my customers. These cards enable
> users to access their office and register their arrival time. In this case
> it is less likely they will forget it at home.
>
>
Just as an FYI, I do work with a product that does allow the recovery of
encryption certificate private keys (if they are archived) to smart card
devices. The software in question is the registration authority idNexus
(see www.alacris.com for details).

The software does allow recovery of smart card encryption certificates.
This is accomplished through the use of smart card middleware (PKCS #11
libraries typically). The software allows both the duplication and
recovery operations.

Brian
Anonymous
February 20, 2005 11:36:23 PM

Thanks for the FYI. I will take a look :-)

Mike

"Brian Komar (IdentIT Inc)" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1c8298d475832157989686@msnews.microsoft.com...
> In article <ODFkoR1FFHA.1260@TK2MSFTNGP12.phx.gbl>, mihap-
> news@atlantis.si says...
>> Hi,
>>
>> With Windows 2003 CA there is an option to archive user's private key.
>> Archival is done automatically when certificate is issued. As far as I was
>> able to find out there are no smart card CSP available today that would
>> support this feature. So what you would have to do is issue a certificate
>> that would enable users file encryption on a hard drive and later import it
>> on a smart card.
>> In general smart card archival was designed to prevent data loss. After user
>> loses his private key, you are able to recover it from certificate database,
>> but you should also revoke the certificate (user is still able to decrypt
>> all his information) and issue user a new certificate.
>>
>> You have to know that doing all this (and storing smart card with user's
>> private keys) in a safe practically destroys the whole concept of deploying
>> PKI. If there is a security breach on my documents I can always blame it on
>> people who have access to the safe with the smart cards (and if I was the
>> administrator I wouldn't want such responsibility).
>>
>> Situation that you describe should be addressed when you were deploying your
>> CA architecture and should have a written procedure on what to do when users
>> come into the office without the smart card. There is also user education
>> part of deploying PKI where I usually explain to the end user to consider
>> smart card as a passport. You don't get very far on your trip without it
>> (and the customs don't issue temporary passports).
>>
>> On the other hand I usually try to deploy integrated smart cards (smart
>> cards that are also proximity cards) for my customers. These cards enable
>> users to access their office and register their arrival time. In this case
>> it is less likely they will forget it at home.
>>
>>
> Just as an FYI, I do work with a product that does allow the recovery of
> encryption certificate private keys (if they are archived) to smart card
> devices. The software in question is the registration authority idNexus
> (see www.alacris.com for details).
>
> The software does allow recovery of smart card encryption certificates.
> This is accomplished through the use of smart card middleware (PKCS #11
> libraries typically). The software allows both the duplication and
> recovery operations.
>
> Brian