Strong authentication: building apps that manage virtual smart cards in enterprise, BYOD and consumer environments
Himanshu Soni, Senior Program Manager
Session 2-041
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Build 2012
Agenda
- 2 factor authentication
- Smart cards
- Virtual smart cards
- WinRT APIs
- Demo
2 factor authentication
- What you know, e.g. a PIN
- What you have, e.g. a smart card or a device
Two-factor authentication requires both: a PIN captured by phishing or a keylogger is useless without the card, and a stolen card is useless without its PIN.
Why 2 factor authentication
“In 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking” – Deloitte
“The age of the password is over. We just haven’t realized it yet.” – Wired
“73% of users share the passwords which they use for online banking, with at least one nonfinancial website.” – Trusteer Inc.
Chart: Reused Login Credentials (2010)
Virtual smart cards
Introduced in Windows 8
- Use the TPM on the PC for isolated crypto operations, generation of non-exportable keys, and dictionary attack prevention (the TPM locks out after repeated wrong PINs)
- Exposed to applications and the OS as smart cards, so existing smart card logon, VPN and certificate code works unchanged
- The PIN is what you know; the device (its TPM) is what you have
Where can virtual smart cards be used
- Remote access using VPN or DirectAccess
- BYOD (Bring Your Own Device)
- Logon to PC
- SSL client authentication
- Secure document protection (signing, encryption)
- BitLocker drive encryption for data volumes
- 2 factor authentication
Important aspects of a smart card
- User selected PIN
- Auto generated admin key for PIN reset or unblock (some cards have a PUK instead)
- Unique ID (card ID, serial number, etc.) for inventory management
- Certificates and private keys
Deployment types
Managed virtual smart cards versus unmanaged virtual smart cards, compared on:
- Inventory management
- PIN reset and unblock
- PIN change
- Policy enforcement
- Certificate issuance and management
Deployment complexity
Components a managed virtual smart card deployment needs, compared with an unmanaged one:
- Server side virtual smart card management
- Policy enforcement modules
- PIN management components
- Certificate server
- Browser plugin or client app
What’s new in Windows 8.1 for smart cards
- Windows Store apps can now manage the complete lifecycle of virtual smart cards
- New APIs to manage virtual smart cards
- New APIs to manage physical smart cards
- PIN policies for virtual smart cards
- New ways for certificate enrollment
- New APIs for using certificates for cryptographic operations
Smart card API features
Capabilities required in the app manifest: sharedUserCertificates, enterpriseAuthentication
Namespace: Windows.Devices.SmartCards

Feature | Physical smart card | Virtual smart card
Query and monitor smart card readers (together with Windows.Devices.Enumeration) | yes | yes
List available smart cards in a reader, retrieve the card name, and retrieve the card ID | yes | yes
Verify if the admin key of a card is correct | yes | yes
Provision (or reformat) a card with a given card ID | yes | yes
Change PIN by entering the old PIN and then specifying the new PIN | yes | yes
Change admin key, reset PIN, unblock smart card using challenge/response | yes | yes
Create virtual smart card | no | yes
Delete virtual smart card | no | yes
PIN policies | no | yes
Virtual smart card lifecycle
Create -> Provision -> Use -> Delete
During use: Change PIN; if the user forgets the PIN: PIN reset
Windows Store app – sample flow
Server backend:
1. Create the virtual smart card with a default admin key known to the server
2. Receive key diversification information from the server
3. Diversify the admin key and update the server inventory
Card lifecycle:
4. Send the certificate request to the server along with any required additional proofs
5. Receive the certificate and install it on the card
6. PIN management (change, reset, unblock), certificate management (renewal)
7. Delete the card and update the server inventory
Until step 3 completes the card still carries the shared default admin key, and anyone who knows that key can reset its PIN, so the server must not trust the card or issue it a certificate before its admin key has been diversified.
Virtual smart card creation API
Class: SmartCardProvisioning
Method: RequestVirtualSmartCardCreationAsync
Input: friendly name, admin key, PIN policy, GUID for the card ID (an overload is available without the card ID)
C# code snippet for card creation

using System;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

public async void ScenarioCreateTpmVirtualSmartCard()
{
    // Demo value only: a real app generates a random admin key per card and never hardcodes it,
    // because whoever knows the admin key can reset the card's PIN
    IBuffer adminKey = CryptographicBuffer.CreateFromByteArray(
        new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 });

    // PIN policy enforced by the OS PIN prompt for this card
    SmartCardPinPolicy pinPolicy = new SmartCardPinPolicy()
    {
        MinLength = 8,
        LowercaseLetters = SmartCardPinCharacterPolicyOption.Allow,
        UppercaseLetters = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
        Digits = SmartCardPinCharacterPolicyOption.Allow,
        SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
    };

    // The OS prompts the user to choose a PIN; null means the user cancelled
    SmartCardProvisioning cardProvision =
        await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvision == null)
        return;
}
Windows Store APIs – PIN policy
PIN policy is an input to the Create API with the following options:
- Minimum length (minimum length allowed: 4)
- Maximum length (maximum length allowed: 128)
- Uppercase letters
- Lowercase letters
- Digits
- Special characters
Default PIN policy: 8 characters minimum length (same as Windows 8)
Note: the PIN can only contain characters from the printable ASCII range.
Smart card provisioning APIs
Class: SmartCardProvisioning; method: GetChallengeContextAsync
Class: SmartCardChallengeContext; methods: ProvisionAsync, ChangeAdministrativeKeyAsync
C# code snippet for card provisioning

using System;
using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

public async void ScenarioProvisionCard(SmartCard card, IBuffer newAdminKey, Guid newCardId)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

    // Change the card admin key after challenge/response authentication.
    // The card issues a challenge; only a party holding the current admin key can answer it.
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        // App-supplied call to the server backend, which knows the current (default) admin key
        var response = await RetrieveResponseForChallengeFromServer(card, context.Challenge);
        await context.ChangeAdministrativeKeyAsync(response, newAdminKey);
    }

    // Provision the card file system after challenge/response authentication.
    // This time the challenge is answered locally with the key just installed.
    using (var context = await cardProvision.GetChallengeContextAsync())
    {
        var response = CalculateResponse(newAdminKey, context.Challenge);   // app-supplied helper
        await context.ProvisionAsync(response, true, newCardId);            // true = format the card
    }

    // The card has been provisioned and is ready for certificate enrollment
}
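The sample flow above (create the card with a default admin key, then diversify it) and the provisioning snippet both depend on a server that can answer the card's challenge, and the snippet's CalculateResponse and RetrieveResponseForChallengeFromServer helpers are not defined anywhere on this page. What follows is an added example of that server side; it is not code from the deck or from Microsoft. It is C# using .NET's System.Security.Cryptography rather than the WinRT APIs because it runs on the backend. It assumes the card's challenge/response is 3DES-CBC with a zero IV over the 8-byte challenge under a 24-byte admin key (the computation Microsoft's SmartCard SDK sample performs in its ChallengeResponseAlgorithm helper); the CardInventory class, the HMAC-based key diversification and the TLS channel between app and server are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not from the original deck: the server side of the admin-key flow.
public static class VscChallengeResponse
{
    // Response = 3DES-CBC (zero IV, no padding) over the card's challenge under the 24-byte admin
    // key. Assumed to be the card's algorithm: it is what Microsoft's SmartCard sample implements
    // in ChallengeResponseAlgorithm.cs; the deck itself leaves CalculateResponse undefined.
    public static byte[] CalculateResponse(byte[] adminKey, byte[] challenge)
    {
        if (adminKey == null || adminKey.Length != 24)
            throw new ArgumentException("admin key must be a 24-byte 3DES key", nameof(adminKey));
        if (challenge == null || challenge.Length == 0 || challenge.Length % 8 != 0)
            throw new ArgumentException("challenge must be whole 8-byte blocks", nameof(challenge));
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = adminKey;
            tdes.IV = new byte[8];              // zero IV: for one block this equals 3DES-ECB
            tdes.Mode = CipherMode.CBC;
            tdes.Padding = PaddingMode.None;
            using (ICryptoTransform enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(challenge, 0, challenge.Length);
        }
    }

    // Hypothetical diversification for this example: HMAC-SHA256(master, cardId) truncated to
    // 24 bytes with DES odd parity applied. The server re-derives keys instead of storing them,
    // and one card's key reveals nothing about another's.
    public static byte[] DiversifyAdminKey(byte[] masterKey, Guid cardId)
    {
        using (var hmac = new HMACSHA256(masterKey))
        {
            byte[] digest = hmac.ComputeHash(cardId.ToByteArray());
            byte[] key = new byte[24];
            Array.Copy(digest, key, key.Length);
            for (int i = 0; i < key.Length; i++)
                key[i] = WithOddParity(key[i]);
            return key;
        }
    }

    // DES keys carry a parity bit in the low bit of each byte; set it so every byte has odd parity.
    static byte WithOddParity(byte b)
    {
        int ones = 0;
        for (int v = b >> 1; v != 0; v >>= 1)
            ones += v & 1;
        return (byte)((b & 0xFE) | ((ones & 1) == 0 ? 1 : 0));
    }
}

// Hypothetical server inventory behind the deck's sample flow. Assumes the client reaches it over
// an authenticated TLS channel, because the new admin key travels in the reply.
public sealed class CardInventory
{
    private readonly byte[] masterKey;
    private readonly byte[] defaultAdminKey;
    private readonly Dictionary<Guid, bool> cards = new Dictionary<Guid, bool>(); // true once diversified

    public CardInventory(byte[] masterKey, byte[] defaultAdminKey)
    {
        this.masterKey = masterKey;
        this.defaultAdminKey = defaultAdminKey;
    }

    // Steps 1-2: the app created the card with the default key and forwards the challenge from
    // GetChallengeContextAsync; the server answers it under the default key and returns the
    // per-card key the app then passes to ChangeAdministrativeKeyAsync.
    public (byte[] response, byte[] newAdminKey) BeginKeyDiversification(Guid cardId, byte[] challenge)
    {
        if (cards.ContainsKey(cardId))
            throw new InvalidOperationException("card ID already registered");
        cards[cardId] = false;
        byte[] response = VscChallengeResponse.CalculateResponse(defaultAdminKey, challenge);
        return (response, VscChallengeResponse.DiversifyAdminKey(masterKey, cardId));
    }

    // Step 3: the app reports that ChangeAdministrativeKeyAsync succeeded.
    public void ConfirmKeyDiversification(Guid cardId)
    {
        if (!cards.ContainsKey(cardId))
            throw new InvalidOperationException("unknown card");
        cards[cardId] = true;
    }

    // Later PIN reset or unblock (the handler in RequestPinResetAsync): answered only for cards
    // whose default key is gone, so the shared default key can never authorise a PIN reset.
    public byte[] AnswerChallenge(Guid cardId, byte[] challenge)
    {
        if (!cards.TryGetValue(cardId, out bool diversified) || !diversified)
            throw new InvalidOperationException("card not diversified; refusing to answer");
        byte[] adminKey = VscChallengeResponse.DiversifyAdminKey(masterKey, cardId);
        return VscChallengeResponse.CalculateResponse(adminKey, challenge);
    }
}
```

The app's RetrieveResponseForChallengeFromServer maps to BeginKeyDiversification during provisioning and to AnswerChallenge during a PIN reset; the "key diversification information" of step 2 is here simply the derived key itself, returned over TLS, since deriving it on the client would require handing the client the master key. The refusal in AnswerChallenge is the check that matters: a server that answers challenges for cards still on the default key is handing out PIN resets to anyone who knows that default.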
Certificate enrollment
Additional proofs the server can require before issuing a certificate to the card:
- Domain username and password
- Challenge questions
- OTP sent to a mobile phone, or a corpnet connection with user name and password
- Signature with a physical smart card
- Visit to an IT office/kiosk
Certificate enrollment APIs
Classes: CertificateRequestProperties, CertificateEnrollmentManager
Methods: CreateRequestAsync, InstallCertificateAsync
C# code snippet for certificate request creation

using System;
using System.Net.Http;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage.Streams;

public async void ScenarioEnrollCertificate(IBuffer adminKey, SmartCardPinPolicy pinPolicy, Uri enrollmentUrl)
{
    SmartCardProvisioning cardProvision =
        await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(
            "Contoso Virtual Smart Card", adminKey, pinPolicy, Guid.NewGuid());
    if (cardProvision == null)
        return;

    // Generate the key pair through the smart card KSP so the private key never leaves the card;
    // the reader name binds the request to this particular card
    CertificateRequestProperties requestProperties = new CertificateRequestProperties()
    {
        Subject = "Toby",
        KeySize = 2048,
        KeyStorageProviderName = KeyStorageProviderNames.SmartcardKeyStorageProvider,
        SmartcardReaderName = cardProvision.SmartCard.Reader.Name
    };
    string certificateRequest = await CertificateEnrollmentManager.CreateRequestAsync(requestProperties);

    // Submit the request (it can be wrapped in XML to carry more information, such as the
    // additional proofs, to the server); use an https URL so the server is authenticated
    HttpContent content = new StringContent(certificateRequest);
    HttpClient cli = new HttpClient();
    HttpResponseMessage response = await cli.PostAsync(enrollmentUrl, content);
    response.EnsureSuccessStatusCode();
    string certResponse = await response.Content.ReadAsStringAsync();

    // Install the returned certificate; it is matched to the key pair on the card
    await CertificateEnrollmentManager.InstallCertificateAsync(certResponse, InstallOptions.None);
}
Locating a card
Class: SmartCardReader; method: GetDeviceSelector; input: none
Class: SmartCardProvisioning; method: GetIdAsync; input: none
C# code snippet for locating a card

using System;
using System.Threading.Tasks;
using Windows.Devices.Enumeration;
using Windows.Devices.SmartCards;

public async Task<SmartCard> ScenarioLocateCard(Guid targetCardId)
{
    // Enumerate all smart card readers (the TPM virtual reader included) to find the matching card
    var selector = SmartCardReader.GetDeviceSelector();
    var devices = await DeviceInformation.FindAllAsync(selector);
    foreach (var device in devices)
    {
        var reader = await SmartCardReader.FromIdAsync(device.Id);
        var cards = await reader.FindAllCardsAsync();
        foreach (var card in cards)
        {
            // Identify the card by reading its ID from its cardid file
            var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
            var cardId = await cardProvision.GetIdAsync();
            if (cardId == targetCardId)
            {
                // Found the card
                return card;
            }
        }
    }
    // No card with that ID is present
    return null;
}
Change PIN
Class: SmartCardProvisioning; method: RequestPinChangeAsync; input: none
C# code snippet for PIN change

using Windows.Devices.SmartCards;

public async void ScenarioChangePin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);

    // The OS prompts the user for the old and new PINs; the app never sees either PIN
    bool result = await cardProvision.RequestPinChangeAsync();
    if (!result)
    {
        // The request was cancelled by the user
    }
}
Reset PIN/unblock smart card
Class: SmartCardProvisioning; method: RequestPinResetAsync; input: none
C# code snippet for PIN reset

using Windows.Devices.SmartCards;
using Windows.Storage.Streams;

public async void ScenarioResetPin(SmartCard card)
{
    var cardProvision = await SmartCardProvisioning.FromSmartCardAsync(card);
    var cardId = await cardProvision.GetIdAsync();

    // The OS prompts the user for a new PIN; the handler must answer the card's challenge with a
    // response computed by the party holding the admin key (here, the server backend)
    bool result = await cardProvision.RequestPinResetAsync(async (sender, request) =>
    {
        var deferral = request.GetDeferral();
        try
        {
            // App-supplied call to the server backend, which looks the card up by its ID
            IBuffer response = await RetrieveResponseForChallengeFromServer(cardId, request.Challenge);
            request.SetResponse(response);
        }
        finally
        {
            deferral.Complete();
        }
    });
    if (!result)
    {
        // The request was cancelled
    }
}
Virtual smart card deletion API
Class: SmartCardProvisioning; method: RequestVirtualSmartCardDeletionAsync; input: SmartCard
C# code snippet for card deletion

using Windows.Devices.SmartCards;

public async void ScenarioDeleteTpmVirtualSmartCard(SmartCard card)
{
    if (card.Reader.Kind != SmartCardReaderKind.Tpm)
    {
        // This is not a TPM virtual smart card; only virtual cards can be deleted
        return;
    }

    // Deletion destroys the card's keys and the certificates on it
    bool result = await SmartCardProvisioning.RequestVirtualSmartCardDeletionAsync(card);
    if (!result)
    {
        // The request was cancelled
    }
    // On success, update the server inventory so the card's ID and admin key are retired
}
Demo – setup virtual smart card
Demo – use virtual smart card
Summary and key takeaways
Windows 8.1 makes it easier than ever for Windows Store apps to manage physical and virtual smart cards. You learned about using virtual smart cards when you need strong authentication, including both enterprise Bring Your Own Device (BYOD) environments, as well as consumer scenarios that require strong authentication such as banking. You learned what virtual smart cards are, what scenarios they can enable, and how new Windows Runtime APIs make it easy to write apps to manage both real and virtual smart cards.
Resources
- Virtual smart card white paper
- MSDN links for WinRT APIs
- Samples link