Jump to content

Playing with USB for secure PK storage.


Recommended Posts

I've been thinking about ways in which you could potentially secure your private key and then remembered the interview with Richard Harman (S15E25) in which he stated that many/most USB drives are capable of being reprogrammed in such a way that they would appear as a CDROM drive or a combined CDROM and flash drive. Now, when I was working on a project for army a while back they had a Tomcat HTTPS webserver whose private key was stored on a smartcard and Java had a security provider that would decrypt information by sending the data to be decrypted via a cardreader to the smartcard. The card itself would then decrypt the data using the private key and send back the result. This setup was FIPS 140-2 compliant.

(You had to provide the keystore password at the startup of Tomcat which was a bit of a drag, but after that you could request it to encrypt/decrypt your data using the pk contained within)

It would be fair to consider a smartcard as a complete computer with a serial cable attached where the other side of the serial cable is flattened into the shape of the metallic pad you see on the card. Most cards provide just very basic file serving functions over this interface (I've done quite a bit of low-level programming with these so if you want to have a chat about that, feel free to do so), but more expensive ones have these crypto functions in hardware.

So in the setup described above the private key never leaves the card and the card will actually destroy the key when too many failed attempts to access it have occurred. Now I'm wondering if it would be possible for the USB stick to be reprogrammed in such a way that it presents itself as a serial port where any communication with that port could be interpreted by the controller to do its magic. You could then use the surplus space on the card as either regular flash or CDROM which contains the public key and also any drivers for the os or the security provider for java or whatever to enable the system you plug the stick into to work with the private key on the stick.

Am I overlooking anything with this approach?

Obviously I'd have to get up close and personal with an Intel 8051 and see what it can do. I don't expect to find any simple cheap USB drives with the hardware AES-256 capability available but if the concept itself is sound I can imagine people going out to pay $20 for an USB stick that does have this capability to use as their keystore...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...