EFS and Smart Card


Ling Tang

I found different comments on the support of smart cards or other hardware
tokens in the Encrypting File System (EFS). Maybe they are referring to
different versions of Windows, or are based on some assumption. May I be
excused for asking the same question again? I would appreciate it if you
could provide pointers to information backing your comment on whether EFS
supports the use of a smart card. I know a few articles that give a
high-level description of whether EFS can support hardware tokens, but they
are not detailed or technical enough. I would be grateful if you have
pointers to some really technical articles about EFS with smart cards.

Thanks,
Ling
 
Hi Ling,

it is not possible to use EFS with smart cards... Microsoft was thinking
about this for Windows 2003 Server, but it is still not supported and it
will not work...
 
Thanks David and again Mike. I noticed these questions have been discussed
several times, but I still got different answers from different parties. I
guess probably because they quoted from different white papers.

I am still very curious why EFS does not support smart cards. If I replace
the default CSP (MS Base Cryptographic Provider) with my own smart card CSP,
which is implemented according to the spec, I can't understand why this does
not work.

Cheers,
Ling
David Cross said:
I will try to get the Windows 2000 paper corrected: EFS does not support
smart cards currently and will not work with smart cards in current versions
of Windows.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Miha Pihler said:
Hi,

this question has been asked quite a few times on the last Tech-Ed in Dallas
and even before on one of the T-Preps that I was attending. The answer was
always no. I am not sure why at this moment. I will have to check some of my
notes.

Here is a white paper on Data Protection and Recovery on WinXP:
http://www.microsoft.com/technet/tr...net/prodtechnol/winxppro/support/DataProt.asp
Microsoft here states: "Smart card-based certificates and keys are not
currently supported with the Encrypting File System."

I am sorry I can't give more details at the moment, but I will look into
it...

http://www.microsoft.com/technet/tr...prodtechnol/windows2000serv/deploy/nt5efs.asp
 
It's an architecture limitation. Maybe smartcards will be supported in
Longhorn. Meanwhile, you're free to try to replace the default CSP.
 
EFS is mostly implemented in the lsass.exe process, which doesn't directly
have access to the user desktop. So when the smartcard CSP attempts to
display its PIN dialog box, the calling thread hangs forever. So to support
smartcards, some extra code would need to be written to obtain the PIN ahead
of time and plumb it down to the lsass.exe process. There may be additional
reasons, but this is what comes to mind.

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

 
Yes, this is one of the major reasons, and there are about 12 others. Please
take our word as authoritative on this subject. We would like to support
this functionality in the future.

http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp

--
David B. Cross [MS]

 
Could you briefly outline what the 12 others are that limit the usage of
smart cards in EFS?
I find it difficult to understand the limitation, even after reading the link
you posted. Maybe I need to read further in the related links. However, I
would appreciate it if you could summarize the reasons.

Thanks,
Ling
 
Well, the number one is that a CSP cannot prompt for a PIN, since the lsass
process suppresses all UI. Other issues are for remote server encryption:
the server has no way to access the key on the card, which is on the client.
If the smart card is not inserted, how does the system prompt the user to
insert the card? Since all UI is suppressed, this is hard. Almost no
smart card CSP on the available market supports RSA encryption of a symmetric
key that was generated outside of the card; this is required for EFS,
obviously. Performance: an actual opening of an encrypted Word document
may perform as many as 4 RSA operations on the card, which is very slow.

There are many others. As I mentioned, we would like to support this in the
future.

--
David B. Cross [MS]

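The two technical points made in this thread, John Banes's note that EFS runs inside lsass.exe with no desktop on which a CSP could show a PIN dialog, and David Cross's point that the card must perform an RSA private-key operation on a symmetric key that was generated outside the card, as one added Python model. This is illustrative code written for this page, not Windows, CryptoAPI or Microsoft code, and not something posted in the thread. Textbook RSA with a small modulus stands in for the CSP key exchange, a SHA-256 keystream stands in for the file cipher, the on-disk layout is reduced to one DDF entry (the FEK wrapped for the user) and one DRF entry (the FEK wrapped for the recovery agent), and the `SmartCard` class, the `pin_prompt` hook and the "1234" PIN are this example's own assumptions.

```python
import hashlib
import math
import secrets

FEK_BYTES = 32  # the file encryption key: generated in software, never on a card


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; callers only pass odd candidates larger than 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). Textbook RSA with a small modulus: a model only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, key):
    """Encrypt a symmetric key under an RSA public key, as EFS does with the FEK.
    No padding here; a 32-byte key is always below the 512-bit modulus."""
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)


def rsa_unwrap(priv, wrapped):
    """Private-key operation in software, e.g. a recovery agent's key from a PFX."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(FEK_BYTES, "big")


def _keystream_xor(fek, data):
    """Stand-in file cipher: XOR with SHA-256(fek || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class SmartCard:
    """Holds the user's private key; refuses private-key operations until the
    PIN is verified. Somebody has to collect that PIN from the user first."""
    def __init__(self, priv, pin):
        self._priv, self._pin = priv, pin
        self.verified, self.private_ops = False, 0  # private_ops: on-card RSA count

    def verify_pin(self, pin):
        self.verified = secrets.compare_digest(pin, self._pin)
        return self.verified

    def unwrap(self, wrapped):
        # The card has to unwrap a key it never generated (the FEK came from
        # software); the thread says most card CSPs of the time could not do this.
        if not self.verified:
            raise PermissionError("PIN not verified")
        self.private_ops += 1
        return rsa_unwrap(self._priv, wrapped)


def efs_encrypt(plaintext, user_pub, recovery_pub):
    """Random FEK made in software, wrapped for the user (DDF entry) and the
    recovery agent (DRF entry); the body is encrypted under the FEK."""
    fek = secrets.token_bytes(FEK_BYTES)
    return {"ddf": rsa_wrap(user_pub, fek),
            "drf": rsa_wrap(recovery_pub, fek),
            "body": _keystream_xor(fek, plaintext)}


def efs_open_with_card(efs_file, card, pin_prompt):
    """Open through the user's card. pin_prompt is the UI hook a CSP would call;
    None models a caller with no desktop (lsass.exe, per the thread). The model
    raises there; the real thread would block on a dialog nobody can see."""
    if not card.verified:
        if pin_prompt is None:
            raise RuntimeError("no desktop available to show the PIN dialog")
        card.verify_pin(pin_prompt())  # a wrong PIN surfaces in card.unwrap()
    return _keystream_xor(card.unwrap(efs_file["ddf"]), efs_file["body"])


def efs_recover(efs_file, recovery_priv):
    """Recovery agent path: unwrap the DRF entry with a software key, no card."""
    fek = rsa_unwrap(recovery_priv, efs_file["drf"])
    return _keystream_xor(fek, efs_file["body"])
```

With an interactive `pin_prompt` the open succeeds after exactly one on-card private-key operation; with `pin_prompt=None`, which is the situation of a caller that cannot put up UI, the open never gets past the PIN step and the card does no work at all; the recovery agent path never touches the card. The real system, as the post above says, may do several RSA operations on the card per open, which is the performance point.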
 