
My company introduced a PKI some months ago. We are now able to log in to our laptops either with our Windows credentials or with a PKI smart card plus a 6-digit numeric PIN. Apart from that, we can also encrypt and sign e-mails.

My understanding (please correct me if I am wrong):

  • There is a certificate embedded in this card which contains my private key.
  • My 6-digit PIN is the key to encrypt my private key.

What I don't understand is where exactly the smart card PIN is stored and what kind of security measures are in place to prevent someone from guessing or retrieving my PIN in a lab or something.

Mike Ounsworth

2 Answers


The answer by @discreet gives good links, but I want to add my understanding.

Without knowing which vendor you bought your PKI from, it's hard to know exactly what the PIN is doing inside, because, unlike EMV bank cards, enterprise PKI systems have no industry standards and each PKI vendor will do things differently. So here's my response to your two points, based on how these things usually work:

There is a certificate embedded in this card which contains my private key.

Correct. Usually your PKI smart card will have a mini-computer in it that powers up when you connect it to the card reader. For this reason, your smart card is more than a storage device (like an SD card); rather, it is its own computer. Your PC can send requests to the card like "give me your public key", "sign this data", "decrypt this data", etc.; the card will do the processing on-board and send the data back. The card can even refuse to do certain requests, such as "give me your private key".

One of the operations that all smart cards support is "generate a new keypair". The card will generate a new private key (which will never leave your card, if you specify that option), then the corresponding public key will be passed back to the PC to be made into a certificate by a CA, then handed back to the card as a certificate for storage.

My 6-digit PIN is the key to encrypt my private key

Mostly correct. This is the part that varies by manufacturer. Even though the private key never leaves the card, you still don't want to store it in plaintext, because a careful attacker can remove the flash memory chip and extract the data. My guess is that your 6-digit PIN is stretched into a symmetric encryption key which is used to encrypt / decrypt your private key while it is in storage on the card. This means that until you give it your PIN, even the card can't access your private key.

The PIN is never stored anywhere, except in the card's RAM while it is plugged in. When the card powers up, it will ask for your PIN; if that allows it to properly decrypt your private key, then the card can go ahead and do crypto things; if the PIN you gave does not produce the private key which matches the certificate (i.e. it produces garbage), then the card will throw an "Incorrect PIN" error.

--

A quick Google shows that many smart card vendors post on their website a detailed whitepaper on how their smart cards work. I would encourage you to figure out which vendor manufactures your smart cards, and continue your reading on their site.

Mike Ounsworth
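A small Python model of the on-card flow this answer describes, added here as an illustration and not part of the original answer: the PIN is stretched into a symmetric key, the stored private key is unwrapped with it, and the result is checked against the certificate's public key. Assumptions, since the real vendor design is unknown: PBKDF2 stands in for the vendor's stretching function, an XOR keystream for its wrapping cipher, a hash of the key for the certificate's public key, HMAC for the signing operation, and a retry counter that the answer does not mention but most cards implement.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PIN_RETRY_LIMIT = 3  # assumed value; the answer does not discuss retry counters

@dataclass
class SimulatedCard:
    """What persists in the card's flash: no PIN, only a salt and the wrapped key."""
    salt: bytes
    wrapped_key: bytes   # private key XORed with a PIN-derived keystream
    cert_pubkey: bytes   # stand-in for the public key bound into the certificate
    retries_left: int = PIN_RETRY_LIMIT
    session_key: Optional[bytes] = None  # unwrapped key, RAM only, gone at power-off

def stretch_pin(pin: str, salt: bytes, length: int) -> bytes:
    # PBKDF2 stands in for the vendor KDF. Stretching only slows an offline search
    # over the 10**6 possible PINs; the retry counter is what limits online guessing.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=length)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def personalize(pin: str) -> SimulatedCard:
    """Generate the key on-card and wrap it under the PIN; the raw key never leaves."""
    private_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    wrapped = xor_bytes(private_key, stretch_pin(pin, salt, len(private_key)))
    # A hash of the key models the public key the certificate carries.
    return SimulatedCard(salt, wrapped, hashlib.sha256(private_key).digest())

def verify_pin(card: SimulatedCard, pin: str) -> bool:
    """Unwrap with the offered PIN; a wrong PIN yields garbage that fails the check."""
    if card.retries_left == 0:
        raise PermissionError("PIN blocked: retry counter exhausted")
    candidate = xor_bytes(card.wrapped_key, stretch_pin(pin, card.salt, len(card.wrapped_key)))
    if hmac.compare_digest(hashlib.sha256(candidate).digest(), card.cert_pubkey):
        card.retries_left = PIN_RETRY_LIMIT
        card.session_key = candidate
        return True
    card.retries_left -= 1  # the card reports "Incorrect PIN"
    return False

def sign(card: SimulatedCard, data: bytes) -> bytes:
    """Card-side signing (HMAC stands in for RSA/ECDSA); refused until the PIN is verified."""
    if card.session_key is None:
        raise PermissionError("PIN not verified")
    return hmac.new(card.session_key, data, hashlib.sha256).digest()
```

Note that `SimulatedCard` holds no copy of the PIN at all: a wrong PIN is only detectable because the unwrapped bytes fail to match the certificate, which is exactly the "garbage" case the answer describes.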

I am assuming you are using chip-based smart cards (PKI cards). The smart card contains a secure file system for storing your private key and other information. Here are some basics about smart cards.

The PIN is used to encrypt and decrypt the private key. The private key is encrypted in the smart card using. So when you try to log in, the PIN is used to decrypt the private key and then the private key is verified.

Here is a good answer about chip-based smart card security.

mystery
Smart card security does not come from some "secure file system" but, as @MikeOunsworth highlighted, usually from the fact that a smart card can be compared to a small embedded computer. The smart card "reader" will not actually "read" the card content; it will engage in a dialogue with the smart card's embedded software and will have access only to values output by this software (a bit like your browser engages in a dialogue with a web server: it doesn't have access to the web server's file system itself). – WhiteWinterWolf Aug 13 '15 at 08:28