I'm looking for a USB token solution for asymmetric decryption purposes. The server has encrypted sensitive data with a periodically rotating data encryption key (DEK), which is stored alongside the encrypted data, itself encrypted with the pre-distributed public key of the USB token (KEK).

The user (web browser client) logs in to the single-page application with a username and password. The user then inserts the USB token, which triggers the following sequence:

  1. Retrieve the encrypted DEK's from the server
  2. Decrypt the DEK's with USB token private key
  3. Retrieve the data from the server with the DEK's

I have looked into solutions like Yubikey, but it seems to be more focused on user authentication than cipher services. What is the correct product to implement a hardware-based cipher in a portable format? An expensive HSM is out of the question, as multiple users should possess an instance of the portable token. Also, each instance should contain the same private key.

Tuomas Toivonen

1 Answer

Nice idea; however, you have a few issues:

> Decrypt the DEK's with USB token private key

Currently no browser supports decrypting via PKCS#11 (the smart card or USB token keystore protocol) directly.

The browsers can use a stored key pair to authenticate and that's it (if I missed something, please correct me).

Though you could use some local (non-web) utility to decrypt using a smart card (gpg, openssl, ...).

> Also, each instance should contain the same private key.

Most of the serious smart cards allow generating a new private key, but not importing your own key material (at least the ones I had). So it is difficult to create multiple smart cards with the same key pair.

What you could do is encrypt the DEK for a set of public keys.

gusto2
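The "encrypt the DEK for a set of public keys" suggestion above, sketched as an added example that is not part of the original question or answer. Assumptions: Node.js `crypto`, RSA-OAEP for wrapping and AES-256-GCM for the data; the token names are hypothetical and the software key pairs only stand in for keys that a real token would generate on-device and use through a local utility.

```javascript
// Added example (not from the original post): one DEK wrapped for several tokens.
const crypto = require("node:crypto");

// Assumption: RSA-OAEP with SHA-256 for wrapping, AES-256-GCM for the data.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hypothetical stand-in for a token. A real token generates the key pair
// on-device and exports only the public key; the private key never leaves it.
function makeToken(id) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { id, publicKey, privateKey };
}

// Server side: encrypt the data once, then wrap the DEK once per enrolled public key.
function encryptForTokens(plaintext, enrolled) {
  const dek = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", dek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedDeks = {};
  for (const { id, publicKey } of enrolled) {
    wrappedDeks[id] = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dek);
  }
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedDeks };
}

// Token holder side: unwrap this token's copy of the DEK, then decrypt the data.
function decryptWithToken(record, token) {
  const wrapped = record.wrappedDeks[token.id];
  if (!wrapped) throw new Error(`no wrapped DEK for ${token.id}`);
  const dek = crypto.privateDecrypt({ key: token.privateKey, ...OAEP }, wrapped);
  const decipher = crypto.createDecipheriv("aes-256-gcm", dek, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// Constructed demo: two enrolled tokens and one that was never enrolled.
function demo() {
  const [a, b, c] = ["token-a", "token-b", "token-c"].map(makeToken);
  const record = encryptForTokens(Buffer.from("constructed sample record"), [a, b]);
  let outsider = "decrypted";
  try { decryptWithToken(record, c); } catch (e) { outsider = e.message; }
  return {
    a: decryptWithToken(record, a).toString(),
    b: decryptWithToken(record, b).toString(),
    outsider,
  };
}
console.log(demo());
```

Each token holds a different private key, so the stored record carries one wrapped copy of the DEK per token instead of a single copy under a shared key.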