Question

How to create / embed a CSP into BasicCard, or any smartcard, so I can log in to a domain

Asked by: andyr998

Hi,

I have a BasicCard (ZC3.9) smartcard, http://www.basiccard.com/, and an ACR38 card reader.

I am very confused as to what I need to do to set up my BasicCard to allow logon to a Windows 2003/2008 domain. I think I could set up the domain certificate authentication side of things by following guides etc. I think you need a trust server that is not on the domain (PKI, I think) and then you need to set up a root certificate in Active Directory or something like that, plenty more things as well.

Now for the card side of things!

So the card lets you write the embedded code in ZC-Basic, which is almost the same as BASIC, as you would guess! Obviously the ZC-Basic is then compiled into p-code etc. before being downloaded to the card.

The terminal program (the program that runs on the PC side) you can write in C++, VB6, .NET (VB, C#) etc., as there is a .NET library and an OCX for all of this.

Now it looks like I need a CSP (not even all that sure what a CSP is) installed onto the card, and the makers of BasicCard say they don't supply this. It may not even be possible for BasicCard to have a CSP on it; check out this ambiguous post to see what I mean:

http://www.basiccard.com/wwwboard/messages/249.html (did he mean it can't be done, or just that they don't do it?)

So if it is possible to write a CSP for BasicCard and embed it onto it, do you know how I would do this? Any examples? Could I write the CSP in ZC-Basic?

WOW, logging on with a smartcard that Windows doesn't support by default is VERY involved; any info at all would be helpful, I am sure.

I am pretty sure the thing I am missing in this whole setup is this CSP code on the card. But I really am still pretty lost even after tons of searching.

Oh, I should say that BasicCards are not by default supported by Windows Server.

Thanks.


Asked On: 2009-08-20 at 19:48:26, ID 24670267
Tags: smartcard, basiccard, csp, logon, smartcard logon, SmartCards & Readers
Topics: Printers, Active Directory, Windows 2003 Server
Participating Experts: 1
Points: 500
Comments: 7


Answers

by: Paranormastic, posted on 2009-08-21 at 07:26:57, ID: 25152121

The server that is not on the domain (preferably never connected to the network, even) is the standalone root CA, installed on Standard edition. You need to deploy that root cert via GPO, manual installation, or some other method to the trusted root certificate store. There will be a second CA that is online, which will need an Enterprise edition OS and is installed as an enterprise subordinate CA joined to the domain. This cert is signed by the root that you trusted, so the trust chain is inherited and you normally don't need to deploy this cert too, although some prefer to anyway. Virtual machines help keep the cost down a bit here.

A CSP is a "Cryptographic Service Provider". The CSP is not installed on the card; basically it is a DLL that allows the computer's OS (e.g. Windows) to communicate with the card's OS (proprietary; you'll probably never even realize it had an OS). These are listed in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

The OS uses an abstraction layer called the Cryptographic API, commonly referred to as CryptoAPI, CAPI, or MS-CAPI. CAPI is a common middleware piece that the CSP and such talk to from the bottom layer and the applications from the top layer, with CAPI in the middle. This provides a common API structure for crypto calls instead of everyone having to write their own crypto libraries and plug into everyone else's.

MS-CAPI was updated in Vista & 2008 to support Cryptography Next Generation (CNG). There were a lot of smartcard-related changes moving from XP to Vista; this fundamental shift was generally for the better.

http://msdn.microsoft.com/en-us/library/aa380245(VS.85).aspx
http://en.wikipedia.org/wiki/Cryptographic_API

For programming this stuff, you typically use a normal programming language (C++, C#, VB, etc.) and call CAPICOM or .NET for crypto-related functions, so that the smart card and card driver talk to CAPI when the application is looking for something (e.g. a certificate).
http://msdn.microsoft.com/en-us/library/aa380255(VS.85).aspx

Writing a CSP can be somewhat complicated. The good news is that this is done by the smartcard manufacturer (BasicCard), not you. When you install their software, the middleware is included, which includes the CSP and a few other things.

Very few smartcards are natively supported by Windows. It is expected that whatever vendor you get, you will need to install their middleware.

So, if you are programming something to talk to someone else's card, since most of the middleware stuff is handled by them, how do you extend your wishes and desires for your application to talk to their card when CAPICOM, .NET, and such do not fit the bill? Try contacting the vendor and see if they have a developer's toolkit. I'm not familiar with that particular company, but they probably will have one. Some companies charge for their toolkit, which is why it may not be easy to find on their support site.
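A quick way to see which CSPs the registry key above actually lists on a given machine, and whether a card vendor's middleware registered one, is to enumerate the provider keys and check each provider DLL. The script below is an added example written for this page, not code from the thread or from BasicCard; it reads the documented "Image Path" and "Type" values under each provider key and reports the Authenticode signature state of the DLL, which is a reasonable sanity check before trusting a third-party CSP for logon.

```powershell
# Added example: list the CSPs registered on this machine, resolve each provider's DLL and
# check its Authenticode signature. Run in an elevated PowerShell on the client.
function Get-RegisteredCsp {
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    foreach ($key in Get-ChildItem -Path $providerRoot) {
        $props = Get-ItemProperty -Path $key.PSPath
        # "Image Path" is the provider DLL; it may contain %SystemRoot%-style variables
        $rawPath = $props.'Image Path'
        $dll = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }
        # Bare file names (e.g. rsaenh.dll) are loaded from System32
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot ('System32\' + $dll)
        }
        $signature = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else {
            'DLL not found'
        }
        [pscustomobject]@{
            Provider  = $key.PSChildName
            Type      = $props.Type          # provider type, e.g. 1 = PROV_RSA_FULL, 24 = PROV_RSA_AES
            Dll       = $dll
            Signature = $signature           # Valid, NotSigned, HashMismatch, ...
        }
    }
}

# Show every provider, then only the ones whose name mentions smart cards
$all = Get-RegisteredCsp
$all | Format-Table -AutoSize
$all | Where-Object { $_.Provider -like '*Smart Card*' } | Format-Table Provider, Dll, Signature -AutoSize
```

If a vendor's installer worked, its provider shows up in the first table with a signed DLL; if the second table only lists the Microsoft Base Smart Card Crypto Provider, no card-specific CSP was registered and Windows will rely on a minidriver for that card instead.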

by: andyr998, posted on 2009-08-22 at 04:22:01, ID: 25158279

OK, call me stupid, but how can you have the CA server not even connected to the network? How then can it be communicated with to verify the certs?

I already said that the BasicCard devs are not prepared to develop a CSP for their card, so that is out of the question.

I think the sensible thing to do would be to buy another smartcard type. I have the reader, so do you have any suggestions on what kind of smartcard would allow for all the highest security functionality but also be easy (or relatively easy) to set up, i.e. it has the CSPs available, or better still Windows 2003/2008 supports it by default, or even better still a card that has a clear walkthrough guide online for setting it up?

Cheers

by: Paranormastic, posted on 2009-08-28 at 10:34:41, ID: 25209851

The root CA should be kept offline for security reasons. You can't revoke a root cert (since it is self-signed), and re-deploying it is a pain in most cases.

So the root CA only issues the 2nd-tier CA certificates (usually an online subordinate CA, although sometimes additional tiers may exist for specific situations). You have to sneakernet the CRL, certificate request files, etc. back and forth to the offline root CA; use a floppy, flash drive, etc.

When you install the root in 2008, the CDP (CRL Distribution Point) and AIA (Authority Information Access) locations are defined as empty, so the root cert will not include them. In 2003, you had to use a capolicy.inf file in c:\windows to define certain settings such as this. Afterwards, you open the CA MMC and define the CDP and AIA locations that will be used to verify the sub CA cert. On the sub CA you do the same after installation to define where "end entity" (users, computers, etc.) certs are validated against. When the cert is issued, the configured CDP and AIA locations are included in the certificate as URLs.

When the trusting client (the end user checking to see if the cert is good or not) validates a cert, the browser or other app has a "certificate chaining engine" that checks through all this stuff for you and either gives you a warning or displays the nice little gold padlock.

The chaining engine will check the local machine (registry, certificate store, etc.) and the cert's AIA to locate the CA cert that issued the cert it is validating. That CA's cert will have an AIA that will then be checked, and so on up until the root cert. The root _should_ be trusted by the client already in the Trusted Root Certification Authorities certificate store; if not, then a warning pops up about the issuer not being trusted. Since you trust the root, you trust everything downline from it. That's how you make sure it is trusted as being authentic.

Next is to make sure it hasn't been revoked. Maybe the server was compromised and the private key stolen. Maybe the employee got fired. Whatever the reason, you need to make sure you should still trust it. In the cert is the CDP, which is a URL that points to the CRL (Certificate Revocation List). This list is signed by the CA that issued that cert and is updated on a predefined interval, which varies greatly (hourly/daily/weekly/monthly, depending on the company). Since it is CA-signed, you trust its authenticity.

The CRL contains a list of serial numbers and dates; if the cert's serial number ends up on that list then it has been revoked, otherwise it should be considered still valid.

Then comes validating a few other things, like comparing the subject name of the cert to the site you are accessing in the URL (www.domain.com; it doesn't matter what virtual directory or page is listed afterwards), or the email address, to make sure this is the same.

The program does all this for you. Aren't we glad :)

So the server cert and CRL are stored in the AIA and CDP locations (respectively), which is usually on a web server. The offline CA items are usually copied to the online CA, then they are usually copied together via script, or manually using a floppy, etc., to the web server. They are then accessed there via the cert chaining engine, everything is processed, and you're all good.

OK, that's a whole bunch of stuff there... hope your head isn't spinning too fast...

by: Paranormastic, posted on 2009-08-28 at 11:01:37, ID: 25210089

Yes, getting a different product would be the best idea. The big players are Gemalto (combined Gemplus and Axalto), SafeNet (they purchased top names Datakey and Aladdin), and ActivIdentity. There are hundreds of others, and thousands of resellers that will rebrand these.

The card reader should typically work with any of them; the smartcard chip and contacts are standardized under ISO 7816 and it is rare to find a non-standard reader or card.

The rest of it is pretty straightforward. Set up the CA servers, deploy your root certificate, and issue the smartcards.

The GPO for deploying the root certificate to domain clients:
http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx

2008 PKI guide for setting up your CA and such:
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
(clicking Next through the wizard will get it installed, but you might want to change some things, and the post-installation is where more of the work comes in).

After installation and configuration, before you issue any certs, you want to use the CA MMC to back up the CA, including private key and database. Keep a copy of these and a copy of the CA cert and CRL on a flash drive at a secure (locked-up) offsite location; do this even if you do tapes. This gives you additional recovery options in a disaster.

You can create a scheduled task to run a batch script to copy out the .crt and .crl files to the AIA and CDP locations:

REM Publish a fresh base CRL from the CA's database into CertEnroll
certutil -crl
REM Map the web server share that hosts the CDP/AIA files (the password is in clear text here;
REM running the task under an account that already has rights to the share avoids embedding it)
net use z: /delete
net use z: \\server\path /USER:username PaSsWoRd
REM CertEnroll holds the CA cert (.crt) and the CRLs (.crl); the wildcard copies both
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete

You can also script backing up the CA database once a month or so; grab the path for your cert database during installation (some people put this on another drive/partition, others just leave it as default). The backup folder cannot be given a custom name, so if you want to keep an old copy or two then rename the \database folder to database1 or something like this:
REM Rotate the previous backups: drop the oldest copy, then shift the others down one
rd /s /q %systemroot%\system32\certdb\database3
ren %systemroot%\system32\certdb\database2 database3
ren %systemroot%\system32\certdb\database1 database2
ren %systemroot%\system32\certdb\database database1
REM -backupDB needs the backup directory as an argument; certutil writes the new copy into a
REM "database" subfolder there, which the renames above have just freed up
certutil -backupDB %systemroot%\system32\certdb



If you are concerned about the time between revoking a cert and having it show up in a CRL, but don't want the performance impact of the users downloading the CRL every hour or day, then there is also a Delta CRL. This will look like CAName+.crl. This is like a differential CRL (everything since the last base CRL). You can use the CRL script above to do this; just change the line to 'certutil -crl delta' and make a second batch file to run more frequently.

For laptop users and such, treat them like password users: they will need to log in using their card once while connected to the domain so they can get a copy of the CRL, etc. After that they will be able to use the cached CRL that they downloaded.
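The same publishing job in PowerShell, as an added example that is not from the thread: it handles both the base and the delta CRL through a switch, runs under the scheduled task's own account instead of putting a password in the script, and confirms each copied file by hash before reporting success, so a half-written CRL on the web server is caught rather than served to clients. The share path is an assumption; it needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: publish the base or delta CRL and copy the CA's .crt and .crl files to the
# web server folder behind the CDP/AIA URLs. Intended for a scheduled task whose account
# already has write access to the share, so no credentials are embedded.
param(
    [string]$Destination = '\\webserver\pki',   # assumed UNC path of the CDP/AIA folder
    [switch]$Delta                               # publish CAName+.crl instead of the base CRL
)
$ErrorActionPreference = 'Stop'
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Ask the CA to write a fresh CRL (or delta CRL) into CertEnroll
$crlArgs = if ($Delta) { @('-crl', 'delta') } else { @('-crl') }
& certutil.exe @crlArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Copy every CA certificate and CRL, then verify each copy by SHA-256 before trusting it
$published = foreach ($file in Get-ChildItem -Path $certEnroll -File | Where-Object { $_.Extension -in '.crt', '.crl' }) {
    $target = Join-Path $Destination $file.Name
    Copy-Item -LiteralPath $file.FullName -Destination $target -Force
    $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    [pscustomobject]@{
        File   = $file.Name
        Copied = ($srcHash -eq $dstHash)
    }
}
$published | Format-Table -AutoSize
if ($published | Where-Object { -not $_.Copied }) {
    throw 'At least one CDP/AIA file did not copy intact'
}
```

Schedule it once with no switch for the base CRL and once more often with -Delta, which mirrors the two batch files described above; a non-zero exit from the script shows up as a failed task run, which is what you want to alert on.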

by: andyr998, posted on 2009-08-28 at 11:12:31, ID: 25210189

Amazing answers; some of it was way over my head though. Obviously I will give you the points. Do I accept a single answer or multiple answers? Does it matter?

by: Paranormastic, posted on 2009-08-28 at 11:56:03, ID: 25210573

Doesn't really matter to me; I'm just here to help. Since they're all mine, the points all add up the same either way.

Here's a more streamlined version, not sure if it makes things any better:

root ca signs sub ca
sub ca signs end entity cert
user's program trusts root cert due to user installing the root cert (or installed with software, in which case you trust the vendor to include trustworthy roots in their product)
program validates cert is signed by sub ca
program validates sub ca is signed by root ca
root is trusted, so all of the certificate chain is now trusted.

program checks CRL to make sure cert is not revoked
program checks cert's subject name to make sure it matches what you are validating

If SSL is involved, cert is used for the handshake to create a "password" (secret key) for the SSL encryption session only known to the computer and server on a per session basis
Data is encrypted and decrypted using the SSL session's key

For SC logon, cert is validated against AD
Kerberos TGT is issued to user logon session.
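The chain-building, CRL and subject-name checks from the two answers above can be exercised directly against a certificate file with the .NET X509Chain class, which drives the same Windows chaining engine the browser uses. The script below is an added example written for this page, not code from the thread; the certificate path and expected host name are placeholders. It prints each element's AIA and CDP URLs and whatever status the engine attaches to it (UntrustedRoot, Revoked, RevocationStatusUnknown and so on), so you can see which step of the list above a failing cert stops at.

```powershell
# Added example: walk a certificate's chain end entity -> sub CA -> root, fetch CRLs from the
# CDP URLs, and check the subject name, reporting the result of each step.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # DER or Base64 .cer file to validate
        [string]$ExpectedDnsName                    # host name you are validating against, if any
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Download CRLs for every cert in the chain (the root is self-signed and has no issuer CRL)
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    # Build() locates each issuer via the local stores and the AIA URL, up to the root
    $trusted = $chain.Build($cert)

    $elements = foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        # 1.3.6.1.5.5.7.1.1 = Authority Information Access, 2.5.29.31 = CRL Distribution Points
        $aia = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
        $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
                  else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
        [pscustomobject]@{
            Subject = $c.Subject
            Serial  = $c.SerialNumber          # the value a CRL would list if this cert were revoked
            AIA     = if ($aia) { $aia.Format($false) } else { '(none)' }
            CDP     = if ($cdp) { $cdp.Format($false) } else { '(none)' }
            Status  = $status
        }
    }

    # Last step from the answer: the subject name must match what you are validating
    $nameMatches = $true
    if ($ExpectedDnsName) {
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameMatches = ($dnsName -eq $ExpectedDnsName)
    }

    [pscustomobject]@{
        ChainTrusted = $trusted       # $false if any element carries an error status
        NameMatches  = $nameMatches
        Elements     = $elements
    }
}

# Usage with placeholder values
$result = Test-CertificateChain -CertPath 'C:\temp\server.cer' -ExpectedDnsName 'www.domain.com'
$result.Elements | Format-List
"Chain trusted: $($result.ChainTrusted); name matches: $($result.NameMatches)"
```

Running it from a machine that has not received the root via GPO shows UntrustedRoot on the top element, and running it while the CDP web server is unreachable shows RevocationStatusUnknown or OfflineRevocation on the end entity cert, which is exactly the situation the laptop-user note above is warning about.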

by: andyr998, posted on 2009-08-29 at 05:47:20, ID: 31618686

Good job
