Skip to content

Key Management

links: AC1 TOC - Secret sharing - Index


PSE

The Personal Security Environment (PSE) is used in information security to describe the part of a storage medium in which the secret keys are stored.

There are 2 different types of PSE: "software based" or "hardware based".

Software Based

PKCS#12 is the most widely used format for software PSEs. It is described as follows:

  • File container format used to store and transport private keys
  • Content (data) is protected with a private key, e.g. a password.
  • The security of PKCS#12 is based solely on the strength of the password.

Hardware Based

There are several hardware crypto tokens/cards on the market (e.g. Yubikey, Smartcards). They all have the following characteristics:

  • Ability to be a secure container for secret data.
  • A platform for the execution of cryptographic algorithms
  • "Black box" from the outside, some operations can only be used through a very restrictive hardware and software interface. Enforcement of specific security policies.
  • Access to sensitive data (i.e. private keys) is made physically "impossible" from the outside.

Yubikey

  • Provides Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73
  • Performs sign/ decrypt operations using the private key stored on the token via a common interface such as PKCS#11
  • Supports RSA 2048 or ECC 256/384 key sizes
  • "Universal Smartcard Minidriver" provides smart functionality and certificate/ PIN management capabilities.
  • Some "special" Yubikeys have obtained FIPS 140-2 security level certification.

Hardware Security Modules (HSM)

HSMs are specialized security hardware devices with the following characteristics Common functionality:

  • Key pair generation
  • Random number generator
  • Digital signing
  • Secure storage and use of key material
  • Key archiving
  • Acceleration for cryptographic schemes

They are designed to protect keys from:

  • Mechanical attacks
  • Temperature attacks
  • Voltage manipulation
  • Chemical attacks

links: AC1 TOC - Secret sharing - Index