In the previous article, we advised to make sure that the chip OS on a smart card or token is compatible with the CSP you want to use. Before we get started with a deployment sample, it would be a good idea to briefly cover what a CSP is and why it’s such an important component when working with multifactor authentication in Windows.
Basically, a Cryptographic Service Provider (CSP) is a piece of middleware that lies between the security device and the Windows OS. Figure 1 below illustrates how this is done in Windows XP and Windows Server 2003:
Figure 1: The role of the CSP in Windows XP and Windows Server 2003
As you can see in the above illustration, the communication between an application that uses multifactor authentication and the crypto device is done through the CryptoAPI functions. Some vendors handle various advanced functions and features in their own CSP, while others take advantage of the functions and features that are already included in Windows. This is an important concept to understand, since this is where things differ between Windows XP / Server 2003 and Windows Vista / Server 2008, as we’ll explain in our next article of this series.
For example, the Windows versions that are currently supported by Microsoft already include built-in support for various smart cards. This means that you don’t need to install a separate CSP. All communication to/from the smart card is done through the CryptoAPI as mentioned before. However, if your preferred smart card solution is not on this list, then you simply need to make sure that you have implemented a CSP that’s supported by the card vendor, so that you can use your smart card solution with Windows. What’s important to note however, is that CSP functionality is always needed, no matter whether you use built-in supported features or use vendor specific features that are included with the security device.
Now that you have learned the basics of a CSP, it’s time for us to take a quick look at how this could be done in real life.
Microsoft, Windows XP, Windows Vista, Windows Server 2003, Multifactor, Authentication, Devices, Knowledgebase, Article