Minidriver or PKCS#15?

2013-10-19   John Allberg   Smartcards

During the last weeks I’ve been asked several times “Should we as an organization choose a Microsoft Minidriver card or a PKCS#15 card?”. I suspect someone is out advertising for Microsoft Minidriver.

For me, working closely with the cards, that’s like being asked whether they should choose Office or Windows.

The term PKCS#15 card seems to stick in everyone’s minds, even though they mean ISO/IEC 7816-15. In the picture above you can see the structure of how an application uses a smart card. The blue box represents APIs, while the green box represents the content of the smart card.

As you can see, Minidriver (yellow) belongs to the blue box while ISO/IEC 7816-15 (yellow) is in the green box.

Simple, right? But if it’s that simple, why is the confusion so great it even involves bright people who have been in the industry for a long time?

We need to dig deeper…

What is PKCS#15 and ISO/IEC 7816-15?

RSA developed PKCS#15; its administration was later taken over by ISO, where it was baptized ISO/IEC 7816-15. The ISO variant is simply version 2 of PKCS#15.

PKCS#15 was developed as a “crypto file system”, which means a structured way to store certificates, PIN codes and RSA keys as files. The information needed to perform crypto operations was stored in the file system. It was natural to use a file system at this time since all smart cards had a file system.

Modern smart cards, for example Java cards, don’t have a file system at all. The applet for ISO/IEC 7816-15 therefore needs to implement its own virtual file system. The result is that current implementations increasingly use objects instead of files, for example for RSA keys.

What is Minidriver?

For a long time we have been able to extend Microsoft CryptoAPI by installing a Cryptographic Service Provider, CSP. Typical examples on the Swedish market are SecMaker Net iD and Nexus Personal (which eventually became known as “BankID säkerhetsprogram”).

After some time it became evident that it was really hard to build a working CSP and it crashed a lot of Windows boxes. By the normal standard, that “of course” wasn’t the fault of the CSP provider, but Microsoft’s. *irony*

Microsoft responded by building a special CSP for smart cards, Microsoft Smart Card Base Cryptographic Service Provider. In spite of its name, it doesn’t know anything about smart cards and needs another piece of code for each card. That piece of code is called a Minidriver and was intended to be developed by the card manufacturers.

Imagine the Minidriver as a driver for your smart card.

Minidriver, or more formally “Smart Card Minidriver Specification”, is the specification for the interface to be implemented by that piece of code.

Within this API, there is a virtual file system which MS Smart Card Base CSP assumes the Minidriver will supply.

A card manufacturer may choose to turn the virtual file system into a physical file system by writing the files directly to the card, possibly converting the file names. Gemalto .Net and Gemalto IDPrime MD are like this. Then you end up in the red box, which is a competitor to ISO/IEC 7816-15.

You can also choose to convert from the virtual file system to some other object or file system, for example PIV or ISO/IEC 7816-15. The PIV and Oberthur ECC cards are like this.

SecMaker Net iD can be installed as a Minidriver and will support most of the cards on the Swedish market, like Gemalto .Net, Gemalto IDPrime MD and Oberthur ECC.

Minidriver is installed from Windows Update, right?

One common misunderstanding is that Minidrivers are always installed from Windows Update. As Net iD shows, it’s perfectly possible to implement the “Smart Card Minidriver Specification” without publishing the software for free on Windows Update.

It is, however, a very slick delivery model and is supported for example by Gemalto .Net and Oberthur ECC.
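To see which model each card registered on a given Windows machine actually uses, and who signed the Minidriver regardless of how it was delivered, the following added example (not from the original post) inventories the smart card registrations. It assumes the standard Windows locations: the `Calais\SmartCards` registry key, its `Crypto Provider` and `80000001` (minidriver DLL) values, and the Base CSP's registered name "Microsoft Base Smart Card Crypto Provider".

```powershell
# Added example: classify each registered smart card as "vendor CSP" or
# "Base CSP + minidriver" and show who signed the minidriver DLL.
# Registry path and value names are standard Windows ones, not from the post.
$root    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$baseCsp = 'Microsoft Base Smart Card Crypto Provider'  # Windows' name for the Base CSP

Get-ChildItem -Path $root | ForEach-Object {
    $p   = Get-ItemProperty -LiteralPath $_.PSPath
    $csp = $p.'Crypto Provider'   # CSP that CryptoAPI loads for this card
    $dll = $p.'80000001'          # minidriver DLL; absent for pure vendor CSPs

    if ($csp -eq $baseCsp -and $dll) {
        $model = 'Base CSP + minidriver'
    } elseif ($csp) {
        $model = 'Vendor CSP'
    } else {
        $model = 'No CSP registered'
    }

    # Resolve the DLL (bare names live in System32) and read its signature,
    # so a minidriver installed outside Windows Update is still attributable.
    $signer = $null
    if ($dll) {
        if ([IO.Path]::IsPathRooted($dll)) { $path = $dll }
        else { $path = Join-Path $env:SystemRoot "System32\$dll" }

        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = '{0} ({1})' -f $sig.SignerCertificate.Subject, $sig.Status
        } else {
            $signer = 'DLL not found'
        }
    }

    [pscustomobject]@{
        Card       = $_.PSChildName
        Model      = $model
        CSP        = $csp
        Minidriver = $dll
        Signer     = $signer
    }
} | Format-Table -AutoSize -Wrap
```

A row with model "Base CSP + minidriver" and a signer other than Microsoft is a vendor-supplied Minidriver; a row with "Vendor CSP" is the older model where the vendor replaces the whole CSP.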

My advice

Let’s go back to the original question: should we as an organization choose a Microsoft Minidriver card or a PKCS#15 card?

Since Minidriver is a Microsoft specification, you can’t be totally sure about the support on other platforms. With a pure Minidriver model, the risk of getting into trouble as the range of clients increases is high.

Therefore, my advice is to choose an ISO/IEC 7816-15 card with Minidriver support.


John Allberg

John has worked with electronic identification and e-IDs since 2000. First at Posten eSäkerhet between 2000 and 2004, then at Telia between 2004 and 2008. Since 2009 he has been a consultant in the field, and in 2010 he founded Ayoy together with Oscar Jacobsson.