Sensitive Data Storage with Smart Cards (Windows Embedded CE 6.0)


You can add a layer of security to a Windows Embedded CE device by using smart cards to store authentication information or a digital signing mechanism. You can write a custom CryptoAPI provider that exploits a smart card's ability to protect information.

The Windows Embedded CE smart card subsystem supports CryptoAPI through smart card service providers (SCSPs), which are DLLs that enable access to specific services. The subsystem provides a link between the smart card reader hardware and the applications. Windows Embedded CE does not provide SCSPs; typically, the smart card vendor provides the appropriate SCSPs.

A typical smart card system consists of applications, a subsystem that handles communication between smart card readers and the applications, readers, and the smart card.

The following list shows why implementing a fraction of the smart card CryptoAPI service provider functionality in a separate hardware keeps the cryptographic keys and operations protected:

  • It provides protected storage for private keys and other forms for personal information.
  • It isolates security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system.
  • It enables portability of credentials and other private information.

In an organization that uses smart cards, users do not have to remember any passwords at all, only a personal identification number, and they can use the same certificate for other security purposes, such as digitally signing e-mail.

Community Additions