Smart Card Plug-and-Play and Windows 7

Plug-and-Play is the Windows feature that lets devices configure themselves automatically.

When you plug a device into your PC and Windows identifies it and goes looking for its driver, that is Plug-and-Play at work.

One of the smaller features in Windows that will likely never see any press is Plug-and-Play support for smart cards.

Historically, smart cards have been tightly integrated with each application through libraries such as PKCS #11 modules or Cryptographic Service Providers (CSPs).

There are many problems with this approach. For one, it seldom leads to true application interoperability, at least not without a great deal of scenario- and application-specific work on the part of each and every application.

The main reason that application-specific work is needed is that the interface contracts of these libraries are designed for generic cryptographic extensibility, not for the narrow capabilities of a smart card.

In simple terms, a smart card can do a handful of things, but one of these libraries must do dozens if not hundreds of things.

In the Windows XP SP2 timeframe Microsoft introduced a new provider model for smart cards called the Smart Card Mini-driver; support for this model was made available for Windows 2000 and later platforms via a downloadable package.

In this model smart card vendors only need to expose, in their middleware, the minimal set of things the card can actually do; the rest of the work needed to behave well in applications is handled by a higher layer.

In the Windows Vista timeframe a certification test suite was also provided. With this suite vendors could test their cards to see whether they would work in common Windows scenarios and ensure they meet a basic quality bar.

Vendors that complete that test suite successfully can include the "Designed for..." logos on their marketing materials and distribute their drivers via Windows Update.

Windows 7 builds on this by automatically detecting which driver is appropriate for a given smart card and installing it (with no user interaction!).

For most users this means that when they insert their smart card it "just works"; if they pay close attention when inserting a card during an interactive session they will see a notification bubble:

[screenshot]

If they click on that bubble they will see the "Driver Software Installation" dialog, which begins by searching for device drivers:

[screenshot]

The dialog then changes to show that the driver was installed:

[screenshot]

From that point on, whenever the card is inserted the right driver is loaded automatically for the device, and in Device Manager the user will see a new Smart Cards node:

[screenshot]

Another side effect is that smart cards can now take advantage of the improved driver installation facilities in Windows 7: smart card drivers can be installed before there is an interactive session and by standard (non-administrative) users.

This feature is important for a number of reasons, one of which is that the number one complaint about smart card deployments is the need to deploy complex, proprietary middleware to use them.

A variation on that middleware deployment problem relates to national ID cards: it is one thing for an enterprise to need to deploy middleware for a smart card, and another entirely for a government that wants to use smart cards for citizen-to-government commerce. With Windows 7 they now have a solution to that problem.

Posted on Sunday, November 30, 2008 6:48 PM

Feedback


re: Smart Card Plug-and-Play and Windows 7 3/23/2009 1:21 AM Mike

Is it possible to use a Java applet in order to interact with those mini drivers? Do I have all the rights to manage the Smart Card?


re: Smart Card Plug-and-Play and Windows 7 3/23/2009 5:45 AM Ryan M. Hurst

Technically you can call Win32 APIs from Java; it's been quite a while since I did any Java, but I have done this before. I recall making a wrapper for the APIs; the applet used that wrapper, but I think it ran at full trust to do this.

You would not want to call the mini-driver directly with such an approach; think of the MD as a driver. You would want to call the smart card resource manager APIs or even higher-level APIs like CNG and CryptoAPI.


re: Smart Card Plug-and-Play and Windows 7 6/17/2009 12:37 AM Sebastian Neff

What can I do, if Windows 7 doesn't find any driver for my Smartcard in Windows Update? Where can I get the driver for my Smartcard?


re: Smart Card Plug-and-Play and Windows 7 6/17/2009 6:49 AM Ryan

You will need to reach out to the issuer of your card looking for a driver. Some vendors have drivers but charge for them (crazy, I know); others do not yet have drivers but instead have complicated middleware applications they would like applications to be re-written to (national ID cards often fall into this category).

If your card works and you do not want to see the new device pop-up/no driver on the device node, you can disable smart card plug-and-play via group policy (gpedit.msc).


re: Smart Card Plug-and-Play and Windows 7 8/12/2009 11:53 AM andy

Like Sebastian I see the smart card reader, which has installed OK in DM, and I also see the smart card, which tells me it can't find the driver. So, being a novice at this smart card stuff: if I load the Smart Card SDK I can still write to the smart card, and I still have my terminal program running on the PC which communicates with the SC, so why do I need Device Manager to install the SC as well? Confused.


re: Smart Card Plug-and-Play and Windows 7 10/19/2009 11:59 AM Scott Thompson

Instead of wasting your money buying smartcards that need drivers and readers; you should really look into the GoldKey. It has everything you need for only $99 each. You can also add data vaults to keep all your proprietary information stored off site and able to access from anywhere you and your GoldKey are. Best of all and just announcing to the public soon...it is the single FIPS approved, HSPD-12 accepted, PKI tool that has AES-256 encryption on the market that is already preloaded into the new Windows 7 operating system.

Never buy Windows 7 without a GoldKey!!


re: Smart Card Plug-and-Play and Windows 7 10/21/2009 8:58 AM Gib

How can I disable the Smartcard plug and play function of Windows 7 so I can use ActivCard Gold (middleware) directly?


re: Smart Card Plug-and-Play and Windows 7 12/8/2009 8:00 PM Peter Grace

Old topic I know, but, I recently purchased a couple ACS ACOS 5 cryptocards to fiddle with smart card login at home. Woe be to those who assume that the CSP will work in Windows 7 x64! Drivers are currently not available.

I am posting because I'd like to query people who are using smart cards currently to let me know what card types they're using and for what purpose. I picked one that sounded good and I'm paying for it now.

I see the blog post mentions the Gemalto .NET smart card. Is this a "good" card insofar as it's worked in every box you've plugged it into?


re: Smart Card Plug-and-Play and Windows 7 4/9/2010 5:38 PM Ryan Hurst

Andy: Every device implements its own hardware interface; by "writing to the card yourself" you are utilizing some profile of that hardware interface. Drivers abstract that out: if you had a driver for the card (assuming you wanted crypto, which is what most people do) you could write to an API instead and work with any card that had a driver. Do you need it if you act "as the driver", as in your case? No, but if you go down that path your solution ends up being locked into that one card edge.

Gib: You don't need to disable it to use ActivCard Gold; they co-exist, but if you want to disable it so you don't see the pop-up looking for drivers, see: http://support.microsoft.com/kb/976832

Peter: The .NET cards are the Cadillac; they are expensive but capable cards. Gemalto is pretty decent about keeping up with their drivers. There are other good choices too; just stick to those on the WHQL certification list and you should be fine.


re: Smart Card Plug-and-Play and Windows 7 5/10/2010 5:56 AM Eduardo Alvarenga

Ryan:

Smartcards, generally speaking, obey a very comprehensive set of instructions (APDUs), defined by ISO 7816 (parts 4 and up).

I don't see any reason why I would need a Windows 7 specific API instead of using the ISO APDUs, which not only allow me to work with any ISO-compliant ICC, but also allow easy migration between operating systems.


re: Smart Card Plug-and-Play and Windows 7 5/10/2010 1:41 PM Ryan Hurst

Eduardo - Thanks for your post. Unfortunately 7816 alone isn't enough to facilitate the interoperability needed; ask any card vendor or middleware provider and they will tell you the same.

As with many multi-part standards driven over long periods of time, there are areas that are very detailed and ones that are not, areas where there is one way to do things and others where there are many.

The net of which is that picking up a 7816 "compliant card" doesn't mean the card vendor used the same release of 7816 part N you did; even if they did, given how vague the text is, you do not know if their interpretation was the same as yours, let alone if they implement the commands that you need.

Often card vendors end up implementing multiple interpretations of 7816 sections as a means to support more application usages, but since there is no "golden rule" that can be used to say which is right, this is all trial and error.

The net of which is that if you want to live in a world where you can pick up any card and have it work, you need middleware to normalize things.

As a case in point, this is why things like Global Platform and the numerous card edge specifications (like PIV) exist; each of these claims to be compliant with 7816, many of them in their own way.

If 7816 were sufficiently verbose they would not need to exist.

To give you some context, look at this specification: http://unmitigatedrisk.com/archive/2010/04/09/227.aspx It's 7816-compliant; think of it as both a subset and a superset, as all of the commands come from 7816 but there are other elements (like parameters, layouts, etc.) not specified in 7816 that are necessary to create a working deployment.

Additionally, it's great that you feel comfortable enough to write to hardware interfaces, but most developers do not, or, if they are, do not understand the internal state machine of the devices they would be interacting with well enough to do so in a way that is not impactful to shared usage cases.

This is another reason higher-level middleware exists, e.g. if you write code based on software keys (CryptEncryptData) and later decide you need to support hardware crypto, it's a change in a parameter to a handle call (CryptAcquireContext), not a re-write of your code.

Ryan


re: Smart Card Plug-and-Play and Windows 7 8/12/2010 10:53 AM GC

This is such a mess. Windows 7 broke almost all the legacy Smart Card Apps with this default mode for Smart Card Plug-and-Play.

Many new computers that come with Windows 7 on them come with the HOME edition. The Home edition CANNOT have Smart Card Plug-and-Play turned off with that stupid Group Policy document but nobody bothers to mention that. How many wasted hours across the world with people trying to do that? The only fix is registry editing to get rid of it on Win7 Home Edition.

After Smart Card Plug-and-play is disabled, now you still have other problems like an 11 second lag for Mifare cards every time you plug one into the reader. Try using Mifare cards for one-trip passes at an event with an 11 second lag on each card insertion!

This Smart Card Plug-and-play behavior should be turned on when needed; it should not be the default behavior, especially when they have made it so ridiculously hard to turn it off. Turning it off without permission of the computer owner is also not the correct thing to do. It's the Windows user's option, not the app installer's right to turn it off.

Smart cards that do not generate an ATR like I2C memory cards, Mifare cards, Secure Memory cards etc. don't have a way (AFAIK) to turn off the driver by submitting a WinLogo approved mini driver or null driver. Because the card cannot be identified, you get the 'Generic Smart Card Driver' whether you want it or not. After that, there is no communication with the card.

You must also submit another mini driver for EVERY possible ATR. If your ATR changes, now you are broken again. The whole thing stinks. It really annoys me that people that want to use Gemalto's card for Windows logon are so happy about this new 'feature' in Windows. Now we have people like those posting above telling people that they are buying the wrong kind of cards and that they should buy Gemalto cards because they are the 'good' cards.

Microsoft needs to get this stupid 'feature' back into the optional status, rather than to force it on everybody and not give them a clear path to turn it back off again. Why should tens of thousands of programmers all over the world have to spend many hours trying to figure out a way to get their Smart Card App working again on Win 7?

If your Smart Card App is now broken on Win7, please speak up! We need to get Microsoft to get this fixed.

I am a software engineer for a smart card company. We have to tell our customers that our card applications are not yet supported on Win7 without work-arounds. We don't want or need Windows to do a single thing when we plug a card into a reader.

Windows logon with a Smart Card is just a tiny fraction of the uses for Smart Cards. Breaking everything else just for that one kind of application doesn't make any sense at all.

GC


re: Smart Card Plug-and-Play and Windows 7 9/13/2010 3:06 PM Ryan Hurst

GC – I wanted to thank you for writing such a well thought out post; though I disagree with some of your conclusions, I do "feel your pain".
I no longer work in this area, but if you write me I will put you in contact with the feature team; I think there may be some better solutions for you than you have come to on your own.

Let's see, where to start: you're right that my advice to use GPEDIT to disable Smart Card Plug-and-Play doesn't work on Home SKUs, as this application isn't included. As you figured out, it is possible to manually edit the registry to disable this feature (see http://technet.microsoft.com/en-us/library/ff404287(WS.10).aspx and EnableScPnP); it can be automated with the following command line:

Reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP\ /v EnableScPnP /t REG_DWORD /d 0

For others, MIFARE is an NXP Semiconductors contactless smart card technology; think badge readers and disposable tickets. The low-end versions of these cards have just memory storage; the higher-end ones support varying degrees of cryptography. While these cards are SUPER common, their use on Windows, especially in home environments, is not common at all; I don't mention this to suggest GC's concerns are not valid, it's just important context for others.

As for the 11 second lag for Mifare cards every time the card connects with the reader, what you are experiencing here may have nothing to do with Smart Card plug-and-play at all. I strongly suggest you reach out to your Development Support contacts at Microsoft (and again I can help you find the right people if you don't have them) and explore this further with them.


re: Smart Card Plug-and-Play and Windows 7 9/13/2010 3:07 PM Ryan Hurst

On the topic of ATR-less cards, for others an ATR is an Answer to Reset – in the ATR is encoded information for how to communicate with the card. ATR-less cards don't have this information; the use of such cards presumes a dedicated system where no other cards will be used. For example, imagine a scenario where two different types of ATR-less cards needed to be used on the same system: the cards do not describe how to talk to them, so the system has no way to know which of the two communication protocols it should use to talk to the present card.

GC also asks why he has to create a separate driver for each ATR; you actually don't, you can have a single driver package match multiple ATRs through the use of the ATRMask or by listing multiple ATRs. With a well thought out ATR naming strategy one can create a package that will work with many cards without listing a single explicit ATR.

That takes me to your specific comment about the relevancy of the feature and the purpose of the platform: Windows Logon is actually not the intent of the smartcard subsystem. The primary goal of the framework is to provide a generic framework for working with general purpose portable cryptographic devices. One use of such cards is in Windows Logon, but it's not limited to that; for example file encryption, mail signing/encryption and other such scenarios are very commonly built on the exact same framework. These are very common scenarios in enterprise deployments, even where smart cards are not used for logon.

The framework does try to provide support for generic smartcard resource management, but it does so with the goal of not compromising the customer usage scenarios called out above. This is often a difficult challenge given how proprietary and varied the solutions in the other segment are, but for the most part they do both live in harmony.

To the last point, this feature was not developed for Gemalto, nor do I really tell people to buy Gemalto cards; the screenshots were from my corporate badge, which happens to be a Gemalto card. What I do recommend is selecting a card and reader that is well integrated with Windows, on the WHQL certification list (winqual.microsoft.com/hcl/default.aspx) and/or compliant with a device specification that is supported out of the box (in the case of smart cards, PIV and GIDS are good examples) so no software is needed for basic functionality. There are many vendors who make products that fall in that category.

Ryan
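Ryan's two replies above describe what an ATR carries and how one driver package can cover many cards through an ATRMask; the article body relies on the same identification step when it says Windows 7 detects which driver fits an inserted card. The Python below is an added example and is not code from this post or from Microsoft: it parses an ISO/IEC 7816-3 Answer To Reset (TS, T0, the TA/TB/TC/TD interface-byte chain, historical bytes and the TCK checksum) and then applies the bytewise AND-and-compare that an "ATR" plus "ATRMask" registration uses, so that one entry recognises a whole card family. The registration names, the mask and the T=0 card ATR are constructed; the first sample ATR follows the layout PC/SC Part 3 defines for readers to synthesize on behalf of contactless storage cards. The rule in atr_matches that card ATR, registered ATR and mask must be the same length is this example's assumption.

```python
"""Added example: ISO/IEC 7816-3 ATR parsing plus ATR/ATRMask matching.

Not code from the post or from Microsoft. Sample ATRs, masks and the
registration names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Atr:
    raw: bytes
    convention: str                  # "direct" (TS=0x3B) or "inverse" (TS=0x3F)
    interface_bytes: Dict[str, int]  # e.g. {"TD1": 0x80, "TD2": 0x01}
    protocols: List[int]             # protocol types from TD bytes ([0] if none)
    historical: bytes
    tck_valid: Optional[bool]        # None when no TCK byte exists (T=0 only)


def parse_atr(raw: bytes) -> Atr:
    """Decode TS, T0, the TA/TB/TC/TD chain, historical bytes and TCK."""
    conventions = {0x3B: "direct", 0x3F: "inverse"}
    if len(raw) < 2 or raw[0] not in conventions:
        raise ValueError("not a recognisable ATR")
    t0 = raw[1]
    k = t0 & 0x0F            # number of historical bytes
    y = t0 >> 4              # presence bits for TA1, TB1, TC1, TD1
    pos, n = 2, 1
    ifaces: Dict[str, int] = {}
    protocols: List[int] = []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError("ATR truncated in interface bytes")
                ifaces[f"{name}{n}"] = raw[pos]
                pos += 1
        if not y & 8:
            break                     # no TDn, so no further interface bytes
        td = ifaces[f"TD{n}"]
        protocols.append(td & 0x0F)   # low nibble: protocol type T
        y = td >> 4                   # high nibble: presence of the next group
        n += 1
    if not protocols:
        protocols = [0]               # absent TD1 means T=0 only
    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    tck_valid: Optional[bool] = None
    if any(p != 0 for p in protocols):
        # TCK is present unless T=0 is the only protocol offered; the XOR
        # of every byte from T0 through TCK must be zero.
        if pos >= len(raw):
            raise ValueError("TCK byte missing")
        xor = 0
        for b in raw[1:pos + 1]:
            xor ^= b
        tck_valid = xor == 0
        pos += 1
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes after ATR")
    return Atr(raw, conventions[raw[0]], ifaces, protocols, historical, tck_valid)


def atr_matches(card_atr: bytes, registered_atr: bytes,
                atr_mask: Optional[bytes]) -> bool:
    """(card ATR AND mask) == registered ATR; no mask means an exact match.

    Assumption made here: card ATR, registered ATR and mask must all be the
    same length, and a length difference is simply a non-match.
    """
    if len(card_atr) != len(registered_atr):
        return False
    if atr_mask is None:
        return card_atr == registered_atr
    if len(atr_mask) != len(registered_atr):
        raise ValueError("ATRMask must be the same length as ATR")
    return bytes(c & m for c, m in zip(card_atr, atr_mask)) == registered_atr


def identify(card_atr: bytes,
             registry: Dict[str, Tuple[bytes, Optional[bytes]]]) -> List[str]:
    """Names of every registration that matches the card's ATR."""
    return [name for name, (atr, mask) in registry.items()
            if atr_matches(card_atr, atr, mask)]


# Constructed registrations in the spirit of "ATR"/"ATRMask" values. The family
# entry zeroes the two card-name bytes (offsets 13-14) and the TCK (offset 19)
# so one entry covers every member of a contactless storage-card family.
STORAGE_FAMILY_ATR = bytes.fromhex("3B8F8001804F0CA0000003060300000000000000")
STORAGE_FAMILY_MASK = bytes.fromhex("FFFFFFFFFFFFFFFFFFFFFFFFFF0000FFFFFFFF00")
T0_CARD_ATR = bytes.fromhex("3B021450")          # constructed plain T=0 card
REGISTRY: Dict[str, Tuple[bytes, Optional[bytes]]] = {
    "Constructed storage-card family": (STORAGE_FAMILY_ATR, STORAGE_FAMILY_MASK),
    "Constructed T=0 card": (T0_CARD_ATR, None),
}

if __name__ == "__main__":
    for hexatr in ("3B8F8001804F0CA000000306030001000000006A", "3B021450"):
        card = bytes.fromhex(hexatr)
        parsed = parse_atr(card)
        print(hexatr, "T=", parsed.protocols, "TCK ok:", parsed.tck_valid,
              "->", identify(card, REGISTRY))
```

Two cards from the constructed family that differ only in their card-name bytes (and therefore in their TCK) both resolve to the single family registration, which is the point Ryan makes about not needing one driver per ATR; a card whose ATR has a different length, or whose bytes differ under the unmasked positions, resolves to nothing and would be left for whatever fallback the system applies. The TCK check is worth keeping in any ATR handling code: a corrupted reset sequence is rejected before any matching is attempted.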


re: Smart Card Plug-and-Play and Windows 7 10/21/2010 3:52 AM Alex

I think the 11s delay occurs because that's the time it takes for Windows to detect the presence of a new smart card and try to install a driver for it.

I've encountered a similar problem with a program that uses PC/SC to talk to cards. The smart card service reports that a card is inserted, but it is not readable while Windows fiddles with it.

If I wait - the card becomes readable.
If I disable SC PnP - the delay is much smaller and the card can be read sooner.


re: Smart Card Plug-and-Play and Windows 7 4/9/2011 2:46 PM Joel DeRouchey

I am having trouble logging into the Air Force portal using my smart card on Windows 7 with IE8. I configured Firefox just fine. I have installed ActivClient 6.2, and when I go to the site, it prompts me for my digital certificate; however, it does not prompt me for my PIN. Any clues? Thanks.


re: Smart Card Plug-and-Play and Windows 7 6/21/2011 2:59 AM Abu

Good morning, how are you? I am having problems installing my Smart Card on Windows 7. I manage to get through steps 1 and 2, but when it reaches step 3 it has been stuck there for a long time and does not get past it. Now I would like to know what I have to do to be able to install the Smart Card on my laptop. I would be grateful if you could help me. Thank you
Abu
