question about private certificate stored on smart card

[barabba]

Hi all,

in our organization users must logon using smart cards.
Certain confidential documents can only be decrypted (encrypted using
a third party PKI integrated encryption software) using the private
certificate stored in the smart card. If a user forgets his/her smart
card at home, we can allow the user to logon to the domain using
traditional user and password scheme however, encrypted documents are
not available.

I was wondering, is it possible to issue a secondary smart card with
the same private certificate so that it could be stored in a safe
place and be used in case the "primary" smart card cannot be used ?

Thank you in advance for your attention,
Bar

 

[Brian Komar (IdentIT Inc)]

Hi all,

in our organization users must logon using smart cards.
Certain confidential documents can only be decrypted (encrypted using
a third party PKI integrated encryption software) using the private
certificate stored in the smart card. If a user forgets his/her smart
card at home, we can allow the user to logon to the domain using
traditional user and password scheme however, encrypted documents are
not available.

I was wondering, is it possible to issue a secondary smart card with
the same private certificate so that it could be stored in a safe
place and be used in case the "primary" smart card cannot be used ?

Thank you in advance for your attention,
Bar

It depends on the Registration Authority, and the smart card middleware
that you are implementing in your organization. The solution is specific
to the smart cards and the CSP (whether they would allow archival of the
private key material for encryption certificates)

Brian

 

[Miha Pihler [MVP]]

Hi,

With Windows 2003 CA there is an option to archive user's private key.
Archival is done automatically when certificate is issued. As far as I was
able to find out there are no smart card CSP available today that would
support this feature. So what you would have to do is issue a certificate
that would enable users file encryption on a hard drive and later import it
on a smart card.
In general smart card archival was designed to prevent data loss. After user
loses his private key, you are able to recover it from certificate database,
but you should also revoke the certificate (user is still able to decrypt
all his information) and issue user a new certificate.

You have to know that doing all this (and storing smart card with user's
private keys) in a safe practically destroys the whole concept of deploying
PKI. If there is a security breach on my documents I can always blame it on
people who have access to the safe with the smart cards (and if I was the
administrator I wouldn't want such responsibility).

Situation that you describe should be addressed when you were deploying your
CA architecture and should have a written procedure on what to do when users
come into the office without the smart card. There is also user education
part of deploying PKI where I usually explain to the end user to consider
smart card as a passport. You don't get very far on your trip without it
(and the customs don't issue temporary passports).

On the other hand I usually try to deploy integrated smart cards (smart
cards that are also proximity cards) for my customers. These cards enable
users to access their office and register their arrival time. In this case
it is less likely they will forget it at home.

 

[Brian Komar (IdentIT Inc)]

Hi,

With Windows 2003 CA there is an option to archive user's private key.
Archival is done automatically when certificate is issued. As far as I was
able to find out there are no smart card CSP available today that would
support this feature. So what you would have to do is issue a certificate
that would enable users file encryption on a hard drive and later import it
on a smart card.
In general smart card archival was designed to prevent data loss. After user
loses his private key, you are able to recover it from certificate database,
but you should also revoke the certificate (user is still able to decrypt
all his information) and issue user a new certificate.

You have to know that doing all this (and storing smart card with user's
private keys) in a safe practically destroys the whole concept of deploying
PKI. If there is a security breach on my documents I can always blame it on
people who have access to the safe with the smart cards (and if I was the
administrator I wouldn't want such responsibility).

Situation that you describe should be addressed when you were deploying your
CA architecture and should have a written procedure on what to do when users
come into the office without the smart card. There is also user education
part of deploying PKI where I usually explain to the end user to consider
smart card as a passport. You don't get very far on your trip without it
(and the customs don't issue temporary passports).

On the other hand I usually try to deploy integrated smart cards (smart
cards that are also proximity cards) for my customers. These cards enable
users to access their office and register their arrival time. In this case
it is less likely they will forget it at home.

Just as an FYI, I do work with a product that does allow the recovery of
encryption certificate private keys (if they are archived) to smart card
devices. The software in question is the registration authority idNexus
(see www.alacris.com for details).

The software does allow recovery of smart card encryption certificates.
This is accomplished through the use of smart card middleware (PKCS #11
libraries typically). The software allows both the duplication and
recovery operations.

Brian

 

[Miha Pihler [MVP]]

Thanks for the FYI. I will take a look

Mike

Just as an FYI, I do work with a product that does allow the recovery of
encryption certificate private keys (if they are archived) to smart card
devices. The software in question is the registration authority idNexus
(see www.alacris.com for details).

The software does allow recovery of smart card encryption certificates.
This is accomplished through the use of smart card middleware (PKCS #11
libraries typically). The software allows both the duplication and
recovery operations.

Brian