Windows Mobile 5.0 Local Authentication Sub System (LASS) - Part 2
In Part 1 we looked at the power-on-password replacement options for Windows Mobile 2003. In this blog I want to take you through the new Local Authentication Sub System (LASS).
This new architecture can be found in Windows CE 5.0 and Windows Mobile 5.0 devices and brings a uniform authentication system to both Smartphone and Pocket PC - prior to Windows Mobile 5.0 it was not possible to replace the PIN lock screen for Smartphone, but with the unified LASS architecture found on both Pocket PC and Smartphone its now (although I haven’t proved it with code yet J) possible.
The MSDN docs for LASS are here.
Architechture
The LASS architecture looks a bit like this:
Taking each of the key components:
LASS:
This is the system module responsible for joining user applications to a specific authentication plug-in. It doesn’t provide any authentication stuff in its own right but relies on the LAP to do the work of capturing and verifying credentials. The LASS module exposes a number of API’s:
LASSReloadConfig
Causes the LASS module to reload registry information.
CreateEnrollmentConfigDialog
Call’s to this API are forwarded to the active LAP to display the enrolment dialog. If you click the Password applet in settings on Pocket PC 2005 this API is called.
VerifyUser
Call’s to this API are forwarded to the active LAP to capture and verify the user credential.
Header file: lass.h
Lib: coredll.lib
LAP:
This module is responsible for capturing and verifying user credentials, either by displaying a form for input or integrating with hardware. A custom LAP must export the following methods:
LAPCreateEnrollmentConfigDialog
Display and capture initialization information – replacement for password control panel app.
VerifyUser
Called to capture and verify credentials.
InitLAP
Called when the LAP is loaded.
DeinitLAP
Called when the LAP is unloaded
The following are optional exports:
VerifyUserStart
Called before verification takes place – can be used to spin up hardware that might be used during the verification process.
VerifyUserStop
Called after verification has completed – use it to close down hardware ect.
VerifyUserToTop
Move the credentials capture to top in the Z-order (I’ve never seen this called on my LAP).
Authentication Events:
These are registry entries identified with a GUID that define certain parameters about how to verify the user through a LAP. For example if the user only needs to enter a password when the device has been unused for a certain period of time.
Values that can be set:
AEFrequencyValue
AEFrequencyType
DisplayText
How it all fits together:
Let’s start with power on. When a password has been configured the shell will check the registry to see which LAP dll is set as active and load the DLL. First InitLAP is called, then VerifyUserStart (if available) and then VerifyUser. The LAP is handed an AE GUID, a tile and a number of options. Based on the options and the AE settings the LAP will then capture and validate the user before returning success or failure. If authentication is successful VerifyUserStop is called, otherwise the LASS will update the Lockout registry information and rerun the LAP appropriately.
The shell still uses the old password registry settings [HKCU\ControlPanel\owner\PowrPass] to decide if authentication is required at power on, and desktop ActiveSync password protection operates in the same way as before using the password string stored in the OS.
Replacing the password control panel application is no longer necessary because the new CPL application simply calls the exported LAPCreateEnrollmentConfigDialog on the active LAP.
Replacing the Active LAP
It’s pretty straight forward although requires native code – you can’t do this in managed code. The one step that caught me out is the signing step: remember Windows Mobile 5.0 brings a one tier security model to Pocket PC, and part of that security means a trusted application can’t load an un-trusted DLL. The LASS components are running trusted so any LAP dll must be signed with a trusted cert.
Here are the basic steps for creating and registering a custom LAP:
- Create a C++ DLL that exports at least LAPCreateEnrollmentConfigDialog, VerifyUser, InitLAP and DeinitLAP. Here is about the most basic one I could come up with .
- Sign it with a cert derived from something that’s in privileged store on the device – the simplest way to do this is to select a cert in VS2005 signing tab and select ‘provision the device’
- Deploy the dll to the windows directory
- Update the registry of the device:
- Create a new key [HKLM\Comm\Security\LASSD\LAP\<mylap>]
- Create a string value under that key: dll=<name of LAP dll>.dll
- Update the default LAP setting [HKLM\Comm\Security\LASSD\LAP] ActiveLap=<mylap>
- Soft reset the device
To test it’s all working go into Settings and select Password to see the LAP enroller display.
SimpleLAP
Here is the code for a very simple LAP I created for Pocket PC. You will need to have Visual Studio 2005 (standard or above) and Windows Mobile 5.0 Pocket PC SDK installed.
This C++ project includes a DEF file exporting the required API’s:
LIBRARY "SimpleLAP"
EXPORTS
LAPCreateEnrollmentConfigDialog
VerifyUser
InitLAP
DeinitLAP
The implementation of each is very simple:
BOOL InitLAP(
InitLap* il
)
{
return TRUE;
}
void DeinitLAP()
{
return;
}
BOOL VerifyUser(const GUID *AEKey,
LPCWSTR pwszAEDisplayText,
HWND hwndParent,
DWORD dwOptions,
PVOID pExtended)
{
return DialogBoxParam( g_hInstance, MAKEINTRESOURCE(IDD_VERIFY_SQUARE), hwndParent,
Verify_DlgProc, (LPARAM)false );
}
BOOL LAPCreateEnrollmentConfigDialog(HWND hwndParent,DWORD dwOptions)
{
DialogBoxParam( g_hInstance, MAKEINTRESOURCE(IDD_ENROLE_SQUARE), hwndParent,
Enrole_DlgProc, (LPARAM)false );
return true;
}
Two dialogs are displayed, one for enrolment:
And one for password validation:
The interesting bits are in the dialog handler routines:
case IDC_ENABLE: // Enabling the password
{
…
// Is a password active? Check with OS
if (GetPasswordActive())
{
// Password is set, change value
// Now check the old password is OK with the system
if (CheckPassword(OldPwd))
{
// Change password values
if (!SetPassword( OldPwd, NewPwd))
{… error handling}
}
}
// Enable for the first time - set OS password
else
{
// Change password value to the new entry
if (!SetPassword( NULL, NewPwd))
{… error handling}
// Now make it active
if (!SetPasswordActive( TRUE, NewPwd ))
{… error handling}
// Now tell OS to use password on power up
HKEY hkey;
RegCreateKeyEx( HKEY_CURRENT_USER, TEXT("ControlPanel\\Owner"), 0, 0, 0, 0, 0, &hkey, 0 );
RegSetValueEx( hkey, TEXT("PowrPass"), 0, REG_BINARY, (CONST BYTE*)"\x01", 1 );
RegCloseKey( hkey );
}
}
break;
case IDC_DISSABLE: // Dissabling password
{
// Check the OLD password is correct
if (CheckPassword(ItemText))
{
// Turn it off
if (!SetPasswordActive(FALSE,ItemText))
{… error handling}
// Change pwd value to null
if (!SetPassword(ItemText,NULL))
{… error handling}
HKEY hkey;
// Dissable power-on dialog.
RegCreateKeyEx( HKEY_CURRENT_USER, TEXT("ControlPanel\\Owner"), 0, 0, 0, 0, 0, &hkey, 0 );
RegSetValueEx( hkey, TEXT("PowrPass"), 0, REG_BINARY, (CONST BYTE*)"\x00", 1 );
RegCloseKey( hkey );
}
EndDialog( hDlg, 1 );
}
Registering and Enabling a new LAP
I’ve been working with the emulator to build my LAP modules as its much easier to hard reset the emulator than a real device when it all goes horribly wrong (which has happened several times!). However the one thing the emulator is not quick at is a soft reset which is a complete pain when that’s what’s needed to update an active LAP.
The good news: there is another way. LASS supports an API LASSReloadConfig that causes the registry information to be reloaded and the active LAP to be unloaded and allow the dll to be updated. So I also built a test hardness to set up the reg key and call the reload api. It’s in C# and requires CF 2.0 to be on the device. Grab the project here.
The UI isn’t pretty but it gets the job done:
These are the important bits of code:
Three imports are used to interact with LASS:
[DllImport("coredll.dll")]
private static extern int LASSReloadConfig();
[DllImport("coredll.dll")]
private static extern int VerifyUser(IntPtr AEKey, string DisplayText, IntPtr ParentWindow, int Options, IntPtr Extended);
[DllImport("coredll.dll")]
private static extern int CreateEnrollmentConfigDialog(IntPtr ParentWindow);
Reload just calls the OS api:
private void Reload_Click(object sender, EventArgs e)
{
bool ok = (0!=LASSReloadConfig());
MessageBox.Show("Reload " + (ok ? "Succeeded" : "Failed"));
}
Reg Clear sets the active LAP back to the default value (for the emulator) and deletes the key used for the custom LAP.
private void ClearReg_Click(object sender, EventArgs e)
{
// Clear the info from HKLM\Comm\Security\LASSD\LAP\ActiveLAP
Registry.SetValue(@"HKEY_LOCAL_MACHINE\comm\Security\LASSD\LAP", "ActiveLAP", "lap_pw");
Registry.LocalMachine.DeleteSubKey(@"Comm\Security\LASSD\LAP\" + DLLName.Text);
}
Set Reg creates the new LAP sub key and sets the active lap to point at it.
private void SetReg_Click(object sender, EventArgs e)
{
Registry.LocalMachine.CreateSubKey(@"Comm\Security\LASSD\LAP\" + DLLName.Text);
Registry.SetValue(@"HKEY_LOCAL_MACHINE\comm\Security\LASSD\LAP\" + DLLName.Text, "Dll", DLLName.Text +".dll");
Registry.SetValue(@"HKEY_LOCAL_MACHINE\comm\Security\LASSD\LAP", "ActiveLAP", DLLName.Text);
}
Verify calls through to the LASS and requests validation from the active LAP
private void CallVerify_Click(object sender, EventArgs e)
{
VerifyUser(IntPtr.Zero, "Called from tool", this.Handle, 0, IntPtr.Zero);
}
Enrole calls through to the active LAP and shows the enrolement dialog.
private void CallEnrole_Click(object sender, EventArgs e)
{
CreateEnrollmentConfigDialog(this.Handle);
}
I think that’s probably enough for this post. In part 3 we will look at porting the LetMeIn SDK sample from Windows Mobile 2003 to WM5.0
Marcus
Comments
Anonymous
March 03, 2006
Hi,
I'm trying to migrate an authentication program I did on WinCE 4.2 to WinCE 5.0 and your articles are very helpful. However, I does not fully understand what to do when you say :
"Sign it with a cert derived from something that’s in privileged store on the device – the simplest way to do this is to select a cert in VS2005 signing tab and select ‘provision the device’"
I had no certificate, so I build one (using makecert). But how can I derive it from "something that’s in privileged store on the device" ??? I'm planning to develop on emulator for the moment, but I'll have to test it under the real Windows Mobile Device.Anonymous
March 06, 2006
The comment has been removedAnonymous
March 07, 2006
Sorry, but I still don't get it.
When I click on "Select Certificate", I just get an window with no certificate. Then if I try to "Manage Certificates", I got plenty of them, but which one to use ????
I created one delivered to my company, from the root agency, but I don't seem to be able to use it.
Do you know where I can get more information on this ? as I searched but didn't find a good documentation.
And speaking of your LASS articles, they are great, it managed to port my authentication to 2005 in a day.Anonymous
March 24, 2006
Sorry for my previous question, i got it. I should have installed SDKSamplePrivDeveloper.pfx provided in the SDK just a you said, but I tought it would be installed with the SDK.
Now I got the key, I can sign bot my dll and the program I use to load LASS.Anonymous
March 27, 2006
The comment has been removedAnonymous
June 13, 2006
As I understand WM5.0 let user implement their own LAP with their way of authentication like biometrics. Do we still need to use password there? i.e is it mandatory to do a setPassword() ?Anonymous
August 06, 2006
Hi,
Thanks for your article.
I have a question or a help.
About introducing AE in your article ,
"For example if the user only needs to enter a password when the device has been unused for a certain period of time.".
How to implement this example using AE?
Do I need implement user idel event by key board monitor?Anonymous
August 07, 2006
I tried simple Lap program on my device. I used Manipulate LAP tool to reload LAP configuration.
Every things works fine. If I do manual soft reset of my device, Simple LAP password applet is not coming up and device hangs and I have to hard reset of device. Please suggest if Sample LAP program need to change for this. I am using I-mate JasJar.Anonymous
August 07, 2006
Thanks for your article about LASS.
I have a question about AE.
In article, mention that "For example if the user only needs to enter a password when the device has been unused for a certain period of time." when you introduced AE.
I hope to know how to implement this function?
Thanks!Anonymous
August 07, 2006
I tried simple Lap program on my device. I used Manipulate LAP tool to reload LAP configuration.
Every thing works fine. If I do manual soft reset of my device, Simple LAP password applet is not coming up and device hangs and I have to do hard reset of the device. Please suggest if Sample LAP program need to change for this.Anonymous
August 08, 2006
Hi !
I've read your three parts and it helps me to understand how the authentication for windows Mobile work. But I'm still asking me something, where is stored the password or the print of the password on the handeld?
So where apply the function setpasswd. I've looked on msdn but I don't find anything
If you have any idea, you'll be welcome.
Thanks for your helpAnonymous
August 30, 2006
I tried simple Lap program on my device. I used Manipulate LAP tool to reload LAP configuration.
Every thing works fine. If I do manual soft reset of my device, Simple LAP password applet is not coming up and device hangs and I have to do hard reset of the device. Please suggest if Sample LAP program need to change for this.
If you have any idea, you'll be welcome.
Thanks for your helpAnonymous
September 12, 2006
bryant and Pradeep : according to what you said, I think this could be due to the AKU 2 update.
Maybe you should try to modify your LAP to include the good exStyle parameters.
DWORD dwExStyle = GetWindowLong( hDlg, GWL_EXSTYLE );
dwExStyle |= WS_EX_ABOVESTARTUP;
SetWindowLong( hDlg, GWL_EXSTYLE, dwExStyle );
Hope this could help, it worked for me.
Edouard Dessioux.Anonymous
November 15, 2006
please , can you advise me in which register and file is located wifi mac adress thanksAnonymous
November 16, 2006
Hi all, I managed to follow the guide to create a custom LAP. On power off/on my LAP dialog is displayed to prompt user for password. However if i do a softreset, my LAP dialog is not displayed and the PDA screen hang with a "Password" toolbar at the top. Anyone has any clue? I appreciate any help. Thanks Thanks.Anonymous
November 19, 2006
I am facing the same problem as Bryant. After a soft-reset my LAP dialog is not displayed and PDA hang. Anyone has any idea? Thanks.Anonymous
March 14, 2007
I am not getting the menubar (the one at the bottom) or SIP to show with the password validation dialog? Am I missing somethingAnonymous
August 20, 2007
I am trying to get existing applications like IE to be launched only after beign authenticated by the password. How do I get the exisiting apps like IE to show the password dialog before launching?Anonymous
August 23, 2007
Hi, Sorry to disturb you all, I am quite new the CE device programming. I want to implement custom LAP on my Windows CE 5.0 based mobile device. I know this sample is for Windows Mobile, but the manufracturer of my device said it supports LASS (though they are not sure on this). I removed some API call for WM and compiled a dll. I followed the instructions and also the comments above to sign the dll and change registry. However, when I use the RefreshSecurity program to change security and press Validate User button, there is no response. (But when I change the LAP to default lap_pw, the validate dialog can pop up when press the button.) Therefore, I want to ask:
- How can I know if my device (CE 5.0) supports LASS or not?
- How to change the sample from WM specific to Windows CE compatible? Thanks for your kindly help.
Anonymous
October 21, 2007
Where can i find sample example for creating a custom LAP in Windows Mobile 5 Pocket PC as well as Windows Mobile 5 Smart Phone? The Sample i got from Marcus Perryman's WebLog does not seem to work on my HP hx6960 WM5 Smart Phone which is using AKU2 (MSFP) OS build of WM5. I wanted the LAP to load everytime i power on / off the PDA, it works for my Pocket PC which is using an older OS build of WM5, however when it comes to Smart Phone it fails to load. I wonder if the cause is due to the different OS builds or due to the differences in Pocket PC and Smart Phone platform.Anonymous
February 21, 2008
Hello. I wrote custom LAP on Windows Mobile 5.0 ppc as you said. The name of my device is Dopod D600. My custom lap is working well on the emulator. On the device, enrollment dialog is displayed, but verify dialog is not displayed after soft reset. So I checked the parameter of verifyuser(LAP) function, and found out the dwOption parameter was always VU_NO_UI on device unlike emulator. Because of this problem, I have spent a lot of time. I can't this solution anywhere. Please help me.!!! Regards.Anonymous
February 21, 2008
Hello. I wrote custom LAP on Windows Mobile 5.0 ppc as you said. The name of my device is Dopod D600. My custom lap is working well on the emulator. On the device, enrollment dialog is displayed, but verify dialog is not displayed after soft reset. So I checked the parameter of verifyuser(LAP) function, and found out the dwOption parameter was always VU_NO_UI on device unlike emulator. Because of this problem, I have spent a lot of time. I can't this solution anywhere. Please help me.!!! Regards.Anonymous
February 29, 2008
The comment has been removedAnonymous
April 03, 2008
Hi All, i have WinCE image on GumStix platform where i am trying to add customized LAP. I have build the dll from SimpleLAP sample and added signing to it. i copied the dll to Windows folder but after reset the windows is not persitent. so i copied the dll to storage card and added registry entry under init so that after booting dll from storage card will be copied to Windows. i also added key 'mylap' under LAP and the value i have given for tis key is SimpleLAP.dll. under LAP i added the string 'ActiveLap' and the value for it is 'mylap'. After doing the above steps i reset the device and observed nothing on the screen. Here my questions are:
- Registry entry under HKLMInit copies the dll once the explorer and autolaunch are loaded. is there any chance that this migth causing the problem?
- Does we need to add any AE for Customizing the LAP?
- After reset does LAP screens comes on the screen automatcally (or) we need to go to settinsPasswordand enable password protection there? can anyone help me in providing the answers for these questions quickly. thanks in advance. bhanurekha.
Anonymous
May 08, 2008
The comment has been removedAnonymous
May 16, 2008
I handled a couple of cases related to this and therefore I think it's worth mentioning it here, to helpAnonymous
June 02, 2008
Is there a way to query the OS to see if the password type is simple 4 digit or strong alphanumeric? If not, is there a registry key to check for the current password type?Anonymous
June 11, 2008
I am not able to download the simpleLap.zip. Can you please rectify this problem.Thanks.Anonymous
January 14, 2009
Hello Marcus. I was wondering, how I can use this LAP. Your article was good, told me a lot of this technology. But I still don't really know, how can I put my application on my device using LAP. I have an application based on "Picture image selection". I wrote it simply as a windows mobile form application to easily verify code etc. Now I am done, but I don't know, how actually fit my application on PDA. Can you please give me any idea or clue which help me with my problem? You can write your answer here or if you'll be interested of this authentication method, you can write me on jan.gerza@gmail.com . Regards, Jan.Anonymous
January 16, 2009
Is it possible to write a LAP in C# code? I have got my whole application in C# and I don't think that rewriting it into a C++ is ideal way.