CNG calls for ECC smart card logon

Call sequence from lsass.exe / kerberos.dll

The following sequence is executed during ECC smart card logon. Each step corresponds to a CNG/CryptoAPI call observed via reverse engineering.

1

NCryptOpenStorageProvider

NCryptOpenStorageProvider(handle, CSP, 0);
Note: this is the CSP from the smart card definition, not the KSP — there is an alias in the KSP definition for the CSP name.

2

NCryptOpenKey + GetProperty (certificate)

NCryptOpenKey(handle, "\\.\reader\containername", 0, 96);
NCryptGetProperty(handle, "SmartCardKeyCertificate", NULL, 0, &size, 0);
NCryptGetProperty(handle, "SmartCardKeyCertificate", buffer, size, &size, 0);
CertCreateCertificateContext(PKCS_7|X509, buffer, size);
NCryptGetProperty(handle, "Unique Name", buffer, 520, &size, 0);
CertSetCertificateContextProperty(handle, CERT_KEY_PROV_INFO_PROP_ID, 0, handle);
CertSetCertificateContextProperty(handle, CERT_KEY_CONTEXT_PROP_ID, 1, handle);

3

CryptDecodeObjectEx (properties 12 & 24)

Get properties 12 and 24 via CryptDecodeObjectEx.

4

NCryptSetProperty (PIN) + random generation

NCryptSetProperty(handle, "SmartCardPin", pbBin, (pin_length+1)*2, 0);
CryptAcquireContext(&handle, NULL, NULL, PROV_DSS_DH, CRYPT_VERIFYCONTEXT | CRYPT_SILENT);
BCryptGenRandom(32 bytes, BCRYPT_USE_SYSTEM_PREFERRED_RNG);
BCryptGenRandom(40 bytes, BCRYPT_USE_SYSTEM_PREFERRED_RNG);
CryptMsgOpenToEncode(CMSG_SIGNED, 1.3.6.1.5.2.3.1);
CryptMsgUpdate(); CryptMsgClose();

5

Additional CNG calls

6

Additional CNG calls

7

Additional CNG calls

8

NCryptSecretAgreement

NCryptSecretAgreement

9

NCryptDeriveKey

NCryptDeriveKey is called with the hash KDF; the hash algorithm is SHA1 (the default).

A

Final step
