[16168] in cryptography@c2.net mail archive
Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
daemon@ATHENA.MIT.EDU (Thierry Moreau)
Wed Sep 15 19:07:16 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 15 Sep 2004 15:49:12 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Eugen Leitl <eugen@leitl.org>
Cc: Cryptography List <cryptography@metzdowd.com>
In-Reply-To: <20040914083111.GX1457@leitl.org>
Eugen Leitl wrote:
>I'm looking for (cheap, PCI/USB) hardware to store secrets (private key) and
>support crypto primitives (signing, cert generation). It doesn't have to be
>fast, but to support loading/copying of secrets in physically secure environments, and
>not generate nonextractable secret onboard. Environment is
>OpenBSD/Linux/OpenSSL/gpg.
>
>Any suggestions?
>
If I may put words in your mouth, you would require a server-side public
key cryptography apparatus where the long-term private key value would
be subject to utmost protection available, and the signature capability
is nonetheless available to some "functional area" software on an
general-purpose processor with less stringen protections. Hint: the
software application where a security certificate is authorized is the
Èfunctional areaÈ software. Presumably, some key management scheme must
be provided so that once a "functional area" becomes suspicious, its
usage of the private key can be rovoked through a key renewal, and the
private key is not at stake.
The disclosure of such system is at
http://www.connotech.com/WIRCPATA.HTM. Be reassured that this was a
preventive publication, so this design is in the public domain (and is,
or should have been, prior art to US patent 6,671,804).
Such server-side cryptographic hardware is currently under development.
It should take the form of a 1U operational secure device and a separate
key management console, the latter ensuring that no significant secret
is ever stored on a personal computer. The application is not, however,
certificate signing, as your post implies. I doubt that you will find
products that fits your need as I expressed them. Perhaps with lower
security, notably requiring that you trust the API design and
implementation between the cryptographic hardware and the functional area.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
