Tuesday, June 16, 2009

Windows Mobile Local Authentication PlugIn

The Local Authentication Plugin (LAP) is a way to identify the user of a mobile phone, while applications need special rights to access features or perform actions. Basically user is prompted for authentication through a password that he previously configure on his mobile. The default LAP provided by Microsoft (see below), is a single PIN password, but you can implement your own if you need.

LAP Implementation
A LAP is a signed DLL share the following entry points :
  • InitLAP : Call by the system to initialise the LAP while loaded.
  • DeinitLAP : Call while LAP is unloaded
  • VerifyUserStart : Call to start the GUI of the LAP
  • VerifyUser : Call to validate the user, with or without a GUI. This functions returns while the user has been authenticated successfully or fails. Multiple calls to this function can be done by the system. Options parameter specifies how the user have to be validated.
    • VU_NO_UI : while the system needs to validate the user, without displaying a window to the user.
  • VerifyUserStop : Call to destroy the GUI and clean up.
  • VerifyUserToTop : Call to bring to top the LAP Window.
  • LAPCreateEnrollmentConfigDialog : Used to display configuration window to configure the pass-phrase of the LAP

To implement your own LAP you can start from scratch or use the sample LAP provided with the Windows Mobile SDK :
  • for pocket PC : %ProgramFiles%\Windows Mobile 6 SDK\Samples\PocketPC\CPP\win32\LAP
  • for smart phone : %ProgramFiles%\Windows Mobile 6 SDK\Samples\Smartphone\CPP\win32\LAP
LAP Installation
The Local Authentication Subsystem (LASS) is in charge of the management of the LAP display and user validation.
To define a new LAP, add a new key in the registry :

To select the current active LAP set the

LAP Configuration
The LAP Configuration should be done by the user through the Enrollment window accessible form the Parameter Menu using the Lock icon. In this window the user should be able to change its pass-phrase (or other if the LAP is not based on pass-phrase authentication).
For security reason this pass-phrase should not be saved in the registry as a clear string, but should be encrypted using a custom algorithm or the Windows MobileCryptoAPI.

Validate a User in your application
To check if user has been authenticated on the device you have two possibilities :
  • ValidateUser is a blocking call to the LASS service, and give a way to provide parameters to the LAP, like an AE Key (specific security policy id), options (like VU_NO_UI to check the user without prompting any Window). Functions will return only after user authentication.
HWND hMyWindow;

DWORD LastError;
GUID AEKeyForFoo = ...;
if (VerifyUser(&AEKeyForFoo,"App A",hMyWindow,
VU_UNTIL_SUCCESS,0)) // Call into LASS;
// This will
CallSecureFunction() // call into active LAP
// and show LAP-specific UI
// display your own UI

  • SHDeviceLockAndPrompt is a non blocking call, but will require user authentication for any activity on the device.

- Nicolas

No comments: