2 What is a Microsoft VSC?
A Microsoft VSC is a security feature of Windows operating systems, which uses the hardware TPM chip found in many modern computers. The TPM provides cryptographic key generation and protection that is built into the device, and, when used in conjunction with a PIN, it offers similar levels of security to a physical smart card. TPMs also feature an additional level of protection – the TPM Anti Hammering block – where repeated attempts to authenticate with an incorrect PIN will cause the device to delay further attempts to authenticate and ultimately prevent use of the VSC.
2.1 Glossary
- VSC – Microsoft virtual smart card. A container that can hold credentials such as certificates and cryptographic keys. Stored on a TPM.
- TPM – trusted platform module. A hardware device that may be installed in a variety of computing devices. Located on a device.
- Device – a computing device (for example, desktop PC or tablet) that contains a TPM. A device contains a TPM which contains VSCs.
2.2 VSC capabilities
Once deployed, a Microsoft VSC can:
- Provide two-factor authentication to Windows, VPN or intranet applications.
- Provide a secure container for email signing and encryption certificates.
MyID will:
- Trigger creation of a VSC on a Windows device with a supported operating system.
  - A VSC container can be created on the device, which is then presented as a smart card.
  - Access to the VSC is restricted by creating an Administrator key for management control and setting a user PIN for authentication.
  - The TPM's key generation capabilities are used to generate cryptographic keys for use in certificate requests.
  - Certificates are written to the VSC, including injecting private keys from certificates generated on the server environment.
- Update the VSC on the device.
- Add or remove certificates from the device as part of a credential profile change.
- Re-issue all certificates on the VSC as part of a data re-provisioning process.
- Recover server generated certificates to the VSC (for example, encryption certificates where the private keys are created within a hardware security module).
- Renew certificates issued to the VSC.
- Enable the user to unlock and change the PIN on a VSC.
- When the user PIN becomes locked or is forgotten, provide an unlock capability that is accessible only once additional authentication to MyID has taken place.
- Facilitate a challenge/response PIN unlock mechanism in conjunction with Windows built-in capabilities when the device is not able to communicate with MyID directly.
- Manage revocation of the credentials on the VSC.
  - MyID will revoke the certificates assigned to the VSC, on the certificate authority that issued them.
- Enable an Administrator to erase the VSC when they are logged onto the device.
Some of these capabilities may vary depending on the Windows operating system in use.
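The anti-hammering behaviour described in section 2 (escalating delays after wrong PINs, then refusal) and the administrator-authenticated unlock listed above can be modelled in a few lines. The following is an added illustration, not MyID's or Microsoft's code: the lockout thresholds, the doubling delay and the `admin_key` stand-in for "additional authentication to MyID" are all constructed assumptions, and a real TPM applies its own vendor-defined lockout policy rather than these numbers.

```python
import hmac
import time

# Constructed policy values for this model only. A real TPM's anti-hammering
# parameters are vendor-defined and are not reproduced here.
MAX_FAILURES = 5          # wrong PINs tolerated before the PIN is locked outright
BASE_DELAY_SECONDS = 1.0  # delay after the first failure; doubles on each further failure


class PinGuard:
    """Model of a PIN-protected container with anti-hammering and an admin unlock."""

    def __init__(self, pin: str, admin_key: str, clock=time.monotonic):
        self._pin = pin.encode()
        self._admin_key = admin_key.encode()   # hypothetical stand-in for MyID admin auth
        self._clock = clock                    # injectable so the backoff can be tested
        self.failures = 0
        self.not_before = 0.0                  # earliest clock value at which an attempt is accepted
        self.locked = False

    def retry_delay(self) -> float:
        """Seconds the caller must still wait before the next attempt (0.0 if none)."""
        return max(0.0, self.not_before - self._clock())

    def verify_pin(self, candidate: str) -> str:
        """Returns 'ok', 'wrong', 'delayed' or 'locked'."""
        if self.locked:
            return "locked"
        if self._clock() < self.not_before:
            # During the backoff window the attempt is refused without checking
            # the PIN at all, so even the right PIN does not reset the counter.
            return "delayed"
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.failures = 0
            self.not_before = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        delay = BASE_DELAY_SECONDS * 2 ** (self.failures - 1)
        self.not_before = self._clock() + delay
        return "wrong"

    def admin_unlock(self, admin_key: str, new_pin: str) -> bool:
        """Clears the lock and sets a new PIN, but only with the administrator key."""
        if not hmac.compare_digest(admin_key.encode(), self._admin_key):
            return False
        self._pin = new_pin.encode()
        self.failures = 0
        self.not_before = 0.0
        self.locked = False
        return True


class FakeClock:
    """Constructed clock so the demo runs instantly instead of sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_demo() -> list:
    """Walks a PIN through backoff, lockout and administrator unlock."""
    clock = FakeClock()
    guard = PinGuard("1234", "admin-secret", clock)   # constructed sample values
    events = []
    events.append(guard.verify_pin("0000"))   # wrong: 1 s backoff starts
    events.append(guard.verify_pin("1234"))   # correct PIN, but refused during backoff
    for wait in (1.0, 2.0, 4.0, 8.0):
        clock.advance(wait)                   # wait out the current backoff window
        events.append(guard.verify_pin("0000"))
    events.append(guard.verify_pin("1234"))   # locked: nothing is checked any more
    events.append("unlock:" + str(guard.admin_unlock("wrong-key", "5678")))
    events.append("unlock:" + str(guard.admin_unlock("admin-secret", "5678")))
    events.append(guard.verify_pin("5678"))   # new PIN works after the unlock
    return events


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Two details carry over to the real feature: the PIN comparison is constant-time, and an attempt arriving inside the backoff window is rejected before the PIN is examined, so a wrong guess cannot be "retried" faster by racing the timer.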