
List:       ms-cryptoapi
Subject:    Re: Token extensions
From:       Scott Cothrell <sac () EPOCH ! NCSC ! MIL>
Date:       1996-10-22 13:49:41


Paul,

Not wanting to answer here for Microsoft, but they do have a paradigm for
dealing with tokens.
It is expected that the CSP will interact with the user through a user
interface controlled directly by the CSP.  This is an attempt to cut out
trojan horse attacks (much like the SAS for NT logon) and can also be used
to put some indication on screen when the CSP is being asked to perform
some operation.  Otherwise, rogue software could in theory start using a
CSP in your name any time it wanted to (assuming no checking/notification)
or attempt to acquire your pass phrase(s) in some other way.
Anyway, to this end, a callback function is provided to the CSP's
CryptAcquireContext handler to allow the CSP to obtain a handle to the
current application desktop.  This handle can be used for popping up
dialogs etc.

Scott Cothrell

----------
> From: Paul David Paulson <paul@MTKASW.MN.ORG>
> To: CryptoAPI@LISTSERV.MSN.COM
> Subject: Token extensions
> Date: Tuesday, October 22, 1996 8:47 AM
>
> The CSP interface is somewhat lacking in support for token-based
> solutions.
> Specifically, there is no support for pass phrases and no token-specific
> error codes (e.g. NTE_TOKEN_NOT_INSERTED).  Two solutions come to mind:
>
>     1. extend the CSP API to support pass phrases and new error codes
>     2. interact with the user through a user interface
