Securing Private Keys

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Securing Private Keys

Steven Brunasso
I think what you are looking for is a USB Smartcard.  I had a problem
like this when using encryption on ATM (banking) devices.  The keys
were vulnerable to someone coming after them on the filesystem.

I found the solution in USB format smartcards.  The private key is
loaded into the secure memory space, or generated there.  Messages are
then passed into the device to decrypt the symetric key.  The private
key is never exposed and it is very difficult to use voltage
differential to get the key off the smartcard.

The down side is that the operations are slow.  Something on the order
of 1second per transaction.  If you are doing a lot of processes, that
can quickly become a bottleneck.  My application only needed a single
decrypt per hour so overhead wasn't an issue.

GL

Steven

These might be useful

http://www.opensc.org/news.php
http://www.musclecard.com/sourcedrivers.html

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Radu Spineanu wrote:

> Hello
>
> I working on a small project, and i have a problem related to keeping
> gpg private keys stored on usb drives secure when working with them.
>
> My problem is that in case the machine is compromised, if the usb with
> the key is mounted the attacker has access to it.
>
> Has anyone heard of an implementation, or at least a whitepaper
> related to creating some kind of secure zone where i can keep these
> keys ?

It's a logical problem: If somone has compromised your machine there
would be >no< possibility to make a difference between a legitimate
user and an intruder.
So he would possibly be able to read your private key!

The only absolute solution would be a kind of intelligent usb drive
which is accepting a file to decrypt or sign and offer the result.
So somebody could use the key as long as you leave your usb drive in
your machine, but not any longer!
Unfortunatly science fiction at the moment. ;)

Christian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFCwW7oYqkpSde2O/gRAmaDAJ9G7MbEKx+4WGoxBenwOJYG4HgNdwCgzQlq
JT+Ei0XB5OeqdTMwFmtfa2E=
=zWZe
-----END PGP SIGNATURE-----