Smart Card Base Cryptographic Service Provider (Base CSP)

Downloading Base CSP for Windows

Today, the Smart Card Base Cryptographic Service Provider (Base CSP) is available as a free download from the Windows Update site (  If you are using Windows Update tool, then check out the hirearchy “Windows Update, Custom, optional software, Base CSP”. 

About Base CSP architecture

Smart Card support exists in W2K, W2K3 and XP.  With this users are able to logon, digitally sign and encrypt email.  Also, scenarios such as Terminal Server Logon, RunAs, NetUse using Smart Cards are supported.  The smart card supports only a single certificate on the card and only one container which is marked default.  Card life cycle management like, pin change and ability to unblock a card via self service is achievable only after a user logged on.  This means that the user had to have standard user name password based logon available to perform these tasks.

Vendors and Partners are very important for the success of Smart Card based scenarios.  Vendors provide Smart Cards and Card Readers and in many cases the card and reader vendors are different.  Reader drivers are written to the PC/SC standard.  For each Smart Card there must exist a Cryptographic Service Provider (CSP) which will use the CAPI interfaces on the top and the WinSCard APIs at the bottom.  Added to this, there exists a GINA module which provides the relevant LogonUI to capture the credentials and marshal it appropriately to the LSALogonUser for authentication.

Writing a Smart Card CSP has not been trivial.  This has been addressed by splitting the CSP architecture to a Base CSP and Card Module architecture.  The Base CSP is provided by Microsoft as a part of the platform (with this Base CSP release).  Card Module is a interface supported by Microsoft for card vendors to write their implementations for the same to their card.  This is analogous to writing a printer driver for a printer. 

It is this new Card Module architecture that will also be available as a part of Windows Vista.  With this release, one of the goals that we want to accomplish is that the same card module works on older platforms and also Vista.

Stay tuned on more information on writing a Card Module.


Comments (24)

  1. loewis says:

    It’s great to hear that CSP writing has become simpler. But how can we do that? Where is the documentation for the Card Module interface?

  2. shivaram says:

    This will be available soon on Please stay tuned. Also, when Vista Beta2 SDK ships, you will be able to use the same.

  3. yucca04 says:

    Any further updates on the schedule for the Card Module code? I need to start work on a redirected card implementation and don’t want to reinivent the wheel.

  4. yucca04 says:

    Further – any clues on how to implement  remote smart card support? Is there a concept of a virtual smart card for redirection or do we need to implement our own CSP?


  5. says:

    I write a simple Card Module.

    When i insert a smartcard to my reader, my card moudule receive two command. They are ReadFile cardid and ReadFile cardcf. But i cann’t find any document about these files: cardid and cardcf. Can you give me some document?

  6. philippot says:

    I write a card module.

    All the microsoft tools work with if (testcard, pintool and cmodtestsuite). Nevertheless when I use CryptAcquireContext and I use Smart Card Base Cryptographic Service Provider, I don’t work :  In the "Insert Smart Card" dialogue I

    can only see the message "The card is available for use.  However, the card is not the one being requested, and cannot be used for the current operation."

    My card module receive a first CardAcquireContext and after 3 CardReadFile (cardid, cardcf , cmapfile)

    But after I receive a other CardAcquireContext and the Insert Smart Card displays the strange message.

    Can you help me ?


  7. yucca04 says:

    Where is cardmod.h and other files? I have the 2003 Server SDK, but it’s not there…

    Any chance someone could mail me the files/libraries?

  8. says:

    You can find cardmod.h in vista sdk.

  9. yucca04 says:

    Are we talking Vista Beta 1? If so, I had it installed and it wasn’t present on my system. Are you referring to a newer version of the Vista SDK?

    It’s also not in the PSDK 2003 R2.

  10. iksiloev says: asked already on Monday, March 13, 2006 12:01 about documentation of the Files cardid and cardcf.

    Hey Microsoft, where have you described these Files?

    The API is described in the SDK, but this is not enough. You also have to give us the rest of the documentation. Or a sample where we can see how to do it.

    It would be really nice to be able to use this new CSP! Thanks

  11. Wing says:


    I’ve developed a card module and pintool or CA call CardReadFile(‘cardid’) & CardReadFile(‘cardcf’) after CardAcquireContext(). What should I generate the file blob for them to step next?

    Thank for your help in advance.

  12. glogli says:

    Hi everybody,

    I have started implementing a smart card module. I’d like to try it, but I am having some problems. I have implemented the ‘dllregister’ function, which calls the ‘ScardIntroduceCardType’ and the

    ‘SCSetCardTypeProviderName’ functions, as explained in the msdn documentation. Do I have to do anything to register my smart card module so so that it is invoked whenever I

    try to request a certificate?

    Any help would be appreciated.

  13. VoleMax says:

    Does anybody know what should I do in response to  

    CardReadFile("cardid"), CardReadFile("cardcf") and CardReadFile("cmapfile") ?

    Thanks in advance.

  14. bcbarnes says:

    I am seeing this error as well while developing a smart card cardmodule minidriver, and using the sample application from the MSDN article by Dan Griffin. I have a smart card initialized with the files described in the minidriver spec 5.05 (cardid, cardcf, cardapps, and mscpcmapfile). I see reads of cardid, cardcf, and mscpcmapfile, but then the error indicated in the title. Any clues from anyone on what the smart card base crypto csp is looking for would be appreciated.

    Brian C. Barnes

  15. normann says:

    I’m developing a ‘card mini driver’ for use with Base CSP. The card is recognized and ReadFile() is called on cardid, cardcf and mscp/cmapfile. The cmapfile should be ok, because the IE accepted the card for SSL client authentication. But there was no access to mscp/kxc0 and no usage of the private key.

    I’ve two questions: 1) How to import the certificates into the store and assign the container. I did it as follows: CertCreateCertificateContext(),

    CertSetCertificateContextProperty() and

    CertAddCertificateContextToStore(). In IE the certificate is visible but there is no further access to the driver. In Outlook the certificate is not visible. 2) In debug mode I realized that CardDeleteContext() ist called after DllMain(PROCESS_DETACH). Is that Ok?

    Thanks in advace.


  16. roystonm says:


    Does the CSP export functions that allow you to

    write arbitrary binary data to the card? I mean

    is there a corresponding export in the CSP

    related to CardReadFile or CardWriteFile in the

    card module?



  17. roystonm says:


    I trying to call LsaLogonUser using KERB_SMART_CARD_LOGON. What should I pass for the CspData fields in the structure? Is there any documentation for this by Microsoft?



  18. msturtz says:

    Is there a way to obtain the "Challenge" key for PIN unblock for the BASE CSP without the full blown Certificate Lifecycle Manager?  I would like to be able to unblock user’s cards for a test environment.  Thanks,

  19. rishabh says:

    Hi i have developed a smart card operating system as per iso and pkcs but now i need to test it with real environment i mean along with some CSP.

    could anybody tell me "how can i integrate my card with CSP?"



  20. As a certification authority we are currently detecting the (monolithic) CSP name and limiting the key generation to a certain subset of CSPs (e.g. CSPs related to FIPS certified smart cards).

    With the new Base CSP the name is not related to the smart card anymore.

    How could we detect the smart card type (ATR would be sufficient) using the new Base CSP architecture?

  21. Hi,

    For those trying to use LsaLogonUser with KERB_SMART_CARD_LOGON or KERB_CERTIFICATE_LOGON, I have written two working samples that show how this can be achieved. You can get the source from the following links  :

  22. Luis says:

    Dear Sir,

    It has been some time since our last contact.

    Our company, (ACC) Asia Credit Card Production Co. Ltd. is a well-established

    Smart Card manufacturer, with production facility in Shenzhen, China.

    From our rich experience in making many kinds of RFID cards, we can support you

    with a vast range of RFID inlays.  By utilizing our inlays, you can widen you

    product range immediately.  Time and costs for product design, sampling can

    be much reduced.

    Products we offer:

    – Material : PVC, PETG

    – Antenna  : Automatic wiring (HF), Air Core Coil (LF/HF), Etched Circuit (HF/UHF)

    – Combi     : LF+HF, HF+HF, HF+UHF

    – HF Chips : NXP: Mifare 1k/4k, Desfire EV1 2k/4k/8k, Mifare Plus, Icode, Ultralight.

                   : Infineon: SLE66R35, My-D.

                   : Fudan: FM11RF08

    – LF Chips : Atmel: AT5577, Q-5

                   : EM: EM4200

                   : NXP: Hitag

    – UHF        : Alien Higg3, Impinj Monza

    – Readers  : HF and UHF handheld, desktop and long range readers

    Should you have any requirements for the mentioned products and services

    please feel free to send us your enquiries or sample requests.

    Looking forward to hearing from you. Thank you

    Luis Liu

    Asia Credit Card Production Ltd.

    Tel: +86-755-2978 0288 Ext. 8388

    Fax: +86-755-2953 0336

    Cell: +86-138243 58479