Minidriver Version 7.06 Features

The following features are introduced in this version.

Secure Key Injection

This feature is useful when applications running on a computer that has no smart card attached must import sensitive data into a smart card that is connected to a different computer.

One typical scenario for secure key injection is when a certification authority (CA), which is running on a server, must perform the following actions:

  • Generate a key pair on the server.
  • Archive the user key.
  • Import the key pair to the smart card inserted in the user’s computer.

Developers can use the new APIs and data structures that were introduced for secure key injection to provide the following:

  • Support for the properties that allow the smart card framework to determine whether the card supports secure key injection.
  • Establish symmetric keys for encryption of data such as PINs, administrator keys and asymmetric key pairs. The session keys can then be imported to the smart card.
  • Encrypt and encapsulate data into a format that can be imported to and processed on the smart card.
  • Decrypt the encrypted data with the session key on the smart card.

The following structures for passing encrypted data are defined in this version of the specification:

The following card properties for secure key injection are defined in version 7 of this specification. For more information about these properties, see CardGetProperty.

  • CP_KEY_IMPORT_SUPPORT
  • CP_ENUM_ALGORITHMS
  • CP_PADDING_SCHEMES
  • CP_CHAINING_MODES

The following APIs have been added for secure key injection in version 7 of this specification. For more information, see Secure Key Injection.

Server functions:

Shared functions:

Client functions:

Support for RSA Padding Removal Operations in the Smart Card

Version 7 of the smart card minidriver interface lets smart card vendors provide support for RSA padding removal operations in the smart card itself. This avoids the exposure to a ciphertext attack that exists when the Base CSP/KSP removes the padding on the host. This enhancement also removes the requirement that the minidriver perform raw RSA decryption operations.

Version 7 also provides support for older cards that do not support internal (or OnCard) padding removal. This allows these cards to continue to use the padding removal capabilities that the Base CSP/KSP provides.

For more information, see PFN_CSP_UNPAD_DATA and CardRSADecrypt later in this specification.
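The padding removal at issue is the EME-PKCS1-v1_5 decoding step (RFC 8017, section 7.2.2). When it runs on the host, the raw RSA output leaves the card and the host's accept/reject behaviour becomes an oracle for a chosen-ciphertext attacker; moving it on-card keeps the raw output behind the card boundary. For the older-card path, where the Base CSP/KSP still performs the step, the check should at least not branch on where the padding fails. The following is an added example of such a decoder written for this page; it is not code from the minidriver specification or from the Base CSP/KSP, and the sample block, helper names (ct_eq, ct_lt, pkcs1_v15_unpad, the demo_* functions) and the 32-octet modulus size are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All-ones mask if a == b, all-zeros otherwise, without branching. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    return (uint32_t)((((uint64_t)d) - 1u) >> 32);
}

/* All-ones mask if a < b, all-zeros otherwise, without branching. */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint32_t)((((uint64_t)a) - (uint64_t)b) >> 32);
}

/* Decode an EME-PKCS1-v1_5 block type 2 message (RFC 8017, section 7.2.2):
 *   EM = 0x00 || 0x02 || PS || 0x00 || M,  |PS| >= 8, PS contains no 0x00.
 * On success M is copied to out and its length is returned; on any
 * formatting error -1 is returned. Every octet of EM is examined and the
 * verdict is assembled from masks, so the work done does not depend on
 * which check failed; only the final return value differs. The message
 * length is necessarily revealed by that return value. */
int pkcs1_v15_unpad(const uint8_t *em, size_t k, uint8_t *out, size_t out_cap)
{
    if (k < 11 || k > 0xFFFFu)          /* k is the public modulus length */
        return -1;

    uint32_t bad = ~ct_eq(em[0], 0x00) | ~ct_eq(em[1], 0x02);
    uint32_t found = 0;   /* all-ones once the 0x00 separator has been seen */
    uint32_t sep = 0;     /* index of that first separator */
    for (size_t i = 2; i < k; i++) {
        uint32_t is_zero = ct_eq(em[i], 0x00);
        sep |= (is_zero & ~found) & (uint32_t)i;
        found |= is_zero;
    }
    bad |= ~found;            /* no separator at all */
    bad |= ct_lt(sep, 10);    /* separator before index 10 means |PS| < 8 */

    if (bad)
        return -1;
    size_t mlen = k - sep - 1;
    if (mlen > out_cap)
        return -1;
    memcpy(out, em + sep + 1, mlen);
    return (int)mlen;
}

/* Constructed sample block (not from any real card): k = 32 octets,
 * 21 non-zero padding octets, then the separator, then an 8-octet payload. */
static const uint8_t sample_em[32] = {
    0x00, 0x02,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
    0xcc, 0xdd, 0xee, 0xff, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc,
    0x00,
    's', 'e', 's', 's', 'i', 'o', 'n', 'k'
};

/* Well-formed block: returns the payload length (8). */
int demo_unpad_valid(void)
{
    uint8_t m[32];
    return pkcs1_v15_unpad(sample_em, sizeof sample_em, m, sizeof m);
}

/* Same block with the block-type octet altered: must be rejected (-1). */
int demo_unpad_wrong_type(void)
{
    uint8_t em[32], m[32];
    memcpy(em, sample_em, sizeof em);
    em[1] = 0x01;
    return pkcs1_v15_unpad(em, sizeof em, m, sizeof m);
}

/* Same block with an early separator so that |PS| < 8: must be rejected (-1). */
int demo_unpad_short_ps(void)
{
    uint8_t em[32], m[32];
    memcpy(em, sample_em, sizeof em);
    em[5] = 0x00;
    return pkcs1_v15_unpad(em, sizeof em, m, sizeof m);
}

int main(void)
{
    uint8_t m[32];
    int n = pkcs1_v15_unpad(sample_em, sizeof sample_em, m, sizeof m);
    printf("valid block -> %d octets: %.*s\n", n, n, (const char *)m);
    printf("wrong type  -> %d\n", demo_unpad_wrong_type());
    printf("short PS    -> %d\n", demo_unpad_short_ps());
    return 0;
}
```

The three rejection causes (wrong leading octets, no separator, padding string shorter than eight octets) all collapse into the single mask `bad`, so a caller sees one failure signal rather than three distinguishable ones. This is the host-side hardening that an on-card implementation makes unnecessary, because with OnCard padding removal the raw RSA output never reaches the Base CSP/KSP at all.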

Smart Card Plug and Play

When a logo-certified smart card is first inserted into a card reader that is connected to a Windows 7 computer, the Plug and Play framework searches for a compatible minidriver that is published on Windows Update. If it finds a minidriver, Plug and Play automatically downloads the minidriver from Windows Update and installs it on the computer.

For more information, see Smart Card Plug and Play.

CardCreateContainerEx

This new API extends the functionality of the CardCreateContainer API. In addition to creating the key container, this function establishes the PIN association when the container is created.

For more information, see CardCreateContainerEx later in this specification.

New Card Container Property for ECDSA/ECDH Key Association

This new container property associates an Elliptic Curve Digital Signature Algorithm (ECDSA) key with an Elliptic Curve Diffie-Hellman (ECDH) key. Each ECDSA key is paired with an ECDH key, which is used for data encryption and decryption. This association supports scenarios that require encryption when ECDSA keys are used.

When the logon certificate is an ECDSA certificate, the cached logon credentials are encrypted by using the associated ECDH key. During cached logon operations, data from the domain controller is decrypted by using the ECDH key that is associated with the ECDSA key that was used for user logon. In this situation, the smart card can be used for logon operations when the computer is offline or the domain controller is inaccessible.

For more information, see the description of the CCP_ASSOCIATED_ECDH_KEY property in “Card and Container Properties” later in this specification.

Generic Inbox Minidriver that Supports PIV

Beginning with Windows 7, the operating system includes an inbox generic minidriver that can be used with smart cards that support the Personal Identity Verification (PIV) card edge and data model.

For more information about PIV, see the “About Personal Identity Verification (PIV) of Federal Employees and Contractors” Web page.

For more information about the process that Windows follows to identify and pair a PIV card with the inbox driver, see Windows Inbox Smart Card Minidriver.