Minidriver Version 6.02 Features
The following features are introduced in this version.
Version 6 of the smart card minidriver specification enhances the support for PINs. This version introduces a new concept of a logical PIN object. A developer can use the PIN object architecture to control PIN prompting in Windows and enable a flexible and wide set of scenarios. The PIN object may or may not correspond to an actual physical PIN on the card and should be viewed as a way for a card minidriver to control PIN-related behavior in Windows.
Through a new set of APIs, a card minidriver developer can now:
- Support cards that use more than 2 PINs (up to 8 PINs in total).
- Return a session PIN to Windows to cache instead of the actual PIN.
- Control what strings appear to the user during a PIN prompt.
- Indicate to Windows to prompt for a PIN when a specific key is requested.
- Allow access to a card or container without a PIN prompt (empty PIN).
For more information, see the "Enhanced PIN Support" section in Developer Guidelines.
For reference information, see Card PIN Operations.
New APIs added in this version include:
Important Not all provisioning systems support multiple PINs; consequently, care must be taken when applying PINs on keys that can be updated in the field by a card provisioning system.
Secure PIN channel is a feature in Windows Vista with Service Pack 1 (SP1) that enables a secure PIN prompt followed by establishment of a secure channel between Windows and the smart card for PIN authentication. Secure PIN channel protects the card PIN against eavesdropping while traveling through operating system component and while transmitted to the card.
Secure PIN prompt means that the user is requested to press ALT+CTL+DEL before prompted for the PIN following a visual experience identical to Windows logon. Secure PIN prompt reduces the risk of PIN harvesting by a spoof PIN prompt dialog box.
Secure PIN channel can be controlled and triggered by Common Criteria group policy setting and also by a specific attribute on the PIN object.
For more information on secure PIN channel, see the “Session PINs" section in Developer Guidelines.
The new API related to this feature includes CardAuthenticateEx.
An external PIN support is a PIN that is collected off the PC from the user. Examples of an external PIN scenario include:
- A PIN is collected on a PIN PAD reader.
- A smart card has a fingerprint reader attached to it and performs a match on a card with a fingerprint template as an alternative to a PIN.
In an external PIN mode, whenever PIN authentication to a smart card is required, Windows does not prompt the user for a PIN but rather calls the minidriver's authentication API immediately without any notification to the user. It is expected that the actual authentication and PIN collection occur without operating system involvement.
Optionally, and subject to specific restrictions, the minidriver is allowed to display its own user interface (UI) to instruct the user to perform specific actions in relationship to PIN collection. It is not expected that such UI will be used to actually collect a PIN from the user, but rather to direct the user that Windows is waiting for a PIN to be collected externally. A minidriver is not allowed to display UI when the context is silent mode and is expected to use a specific window handle to create UI elements. More information can be found in CardAuthenticateEx, and CardSetProperty.
Cards that can return a temporary session PIN may return such a PIN to Windows for subsequent caching. In such a case, Windows presents the session PIN for any further card authentication until the card invalidates the session PIN. For more information, see CardAuthenticateEx.