Hardware Cryptographic Tokens

Cryptographic keying material (a certificate and its private key) can be stored in one of two ways:

soft token – the material is stored in a file on the computer. In theory, someone who obtains access to your computer could use or copy your private key. Microsoft allows some protection (e.g. entering a passphrase) to use a private key, but a hacker could have been capturing your keystrokes and would know the passphrase.

hard token – a hard token is a smartcard or USB device (it looks a lot like a thumb drive) that contains protected storage and a small crypto engine that can run various algorithms (a bit slower than your main CPU). You can import existing key material into a hard token, or create the keying material inside the hard token from the beginning. Once the keying material is in the hard token there is no way to get it back out, but you can use the keying material in the token via the PKCS11 API.

There are many kinds of hard tokens. One of the most common is the ePass2003 USB token from Feitian. You can insert this token in a regular USB-A socket and use it from various applications (after running the installer that comes with it).

There is a simple tool provided by Feitian to manage certificates in the token. Our SixWallet app for Windows has far more complete support. There is a Token Manager form that allows you to view any certificates in it, import certificates, delete certificates, etc.

You can even create key material inside the token (so that the private key never exists outside the token). This is fine for digital signing and authentication, but is not advised for encryption (since there is no way to back up the keying material if it is created inside a token).

If you want a backup, you can create key material in soft token form, back that up (e.g. in PKCS12 form), then import it into the hard token. You can then put the backup in a safe (e.g. on a thumb drive or CD-ROM), and delete any local copies of the soft token.

There are also credit card format smartcards with the same functionality. For these you will need a smartcard reader. Some computers or keyboards come with these. If your computer doesn’t have a built-in reader, you can get an inexpensive smartcard reader that connects to your computer via USB-A.

There are also contactless PKI smartcards, which require a different kind of reader. There are many kinds of smartcards, and not all have PKI capability.

I will be reselling various hardware tokens in the near future. These will come with a complimentary copy of SixWallet. Please contact me if you are interested.

Use of Hardware Tokens in Windows

Once you install the drivers for a given hardware token, Windows will automatically allow access to it via the Certificate Store. When you insert a hard token, the certs in it will appear in the Certificate Store as if they were local, but in reality the keying material is in the token and is accessed via PKCS11. If you remove the token, those certs disappear (you may need to do a refresh in SixWallet to see them appear or disappear).

The cert for Alice Liddel is actually in a hard token that has been inserted in a USB socket, but the cert appears in your Personal folder, and can be used like any soft token cert. The private key exists, but is non-exportable, of course (you can still export the cert if you like).
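One way to check this from PowerShell, as an added example that is not part of the original page or of SixWallet: list every certificate in the Personal store that has a private key, together with the provider that holds the key and whether the key is marked exportable. The function name Get-KeyStorageReport is invented for this example, and the provider name reported for a token depends on the vendor's middleware.

```powershell
# Added example: report where each private key in the Personal store lives.
# Get-KeyStorageReport is a name invented for this example.
function Get-KeyStorageReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $exportMask = [System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                  [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = 'unknown'
            Exportable = 'unknown'
        }
        try {
            $key = $rsaExt::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $row.Provider = 'non-RSA key (not inspected)'
            }
            elseif ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the key storage provider name shows where the key lives,
                # e.g. "Microsoft Software Key Storage Provider" for a soft token.
                $row.Provider   = $key.Key.Provider.Provider
                $row.Exportable = ([int]$key.Key.ExportPolicy -band [int]$exportMask) -ne 0
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: the container info carries a hardware flag.
                $info = $key.CspKeyContainerInfo
                $row.Provider = $info.ProviderName
                if ($info.HardwareDevice) { $row.Provider += ' (hardware)' }
                $row.Exportable = $info.Exportable
            }
        }
        catch {
            # Some providers refuse the query; keep the row and record the reason.
            $row.Provider = "key not reachable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

Get-KeyStorageReport | Format-Table -AutoSize
```

A certificate whose key sits in a hard token should show Exportable as False. A soft token row with Exportable set to True is a key that anyone with access to the profile can copy out.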

FIPS 140-2

FIPS 140-2 is one of the Federal Information Processing Standards published by NIST. It specifies various levels of protection in hard token devices. Simple devices meet Level 2, better devices meet Level 3. Only fairly expensive devices meet Level 4. Anything below Level 2 is not generally suitable for real PKI. A “virtual” (software) token cannot be granted anything over Level 1 – starting with Level 2, hardware protection mechanisms are mandatory.

HSM – Hardware Security Module

An HSM is like a grown-up hard token. They usually cost thousands of dollars, and are suitable for storing private keys for a Certification Authority. Some connect over Ethernet, some plug into a computer backplane via PCI. An HSM can hold thousands of keys and is far faster than a USB hard token.

There are many vendors of HSM devices at various prices. For example:

HSMs all support PKCS11 as well, and you can use SixWallet to manage certs in them the same way as in the USB tokens. Sixscape has a full-blown PKI called ID Central that supports various HSMs. It is not currently Common Criteria certified. We can also graft a “front end” (proxy) version of this onto any CA to add IRP support. We have already grafted IRP onto the following:

    • GlobalSign CA
    • EntrustDatacard CA
    • EJBCA
    • PKI-In-A-Box (from PrimeKey)
    • Microsoft Certificate Services

PKI product vendors! I will be glad to put ads for your products on this site at reasonable rates – please contact me for details.