Best practices/HOWTO for key storage in small office/home office setting?

Greg Broiles gbroiles at well.com
Mon Oct 1 02:26:13 EDT 2001


Are list members aware of any helpful resources describing best practices 
or HOWTOs for protecting cryptographic keys in a small office/home office 
setting?

I'm aware of the following approaches, given the assumption that good 
physical security is unavailable -

1.      Store keys etc. on a hard disk inside a laptop which is kept in a 
safe or similar when not in use
2.      Store keys etc. on -
         a.      hard disk in removable carrier
         b.      3.5" floppy/CD/CD-R[W]/Zip disk
         c.      PCMCIA hard disk
         d.      PCMCIA memory
         e.      Compact Flash hard disk
         f.      Compact Flash memory
         g.      Storage-only smartcard
         ... each of which is stored in a safe when not in use
3.      Generate & use keys on a crypto smartcard (like Schlumberger's 
Cryptoflex) which is stored in a safe when not in use
4.      Generate & use keys in a dedicated crypto processor board
5.      Generate & store, or generate & use, keys stored across the network in 
encrypted form

Obviously, much of the above just rewrites a hard problem (protect this 
room) into an easier but not entirely solved problem (protect the interior 
of this safe); and it ignores security for the keys while in active use 
versus hostile or sloppy software which may be running on the host. It also 
ignores the use of keystroke recorders or visual/audio surveillance systems 
to gather content which is available outside of the crypto envelope/tunnel. 
I'm trying to come up with a list of things people can do to improve (not 
perfect) their security, with modest expenditures and a little bit of extra 
effort during operations.

Also, is anyone aware of a currently shipping crypto smartcard 
reader/card/driver bundle which integrates well with any flavor of PGP or 
S/MIME mail software? The only example I'm aware of is Litronic's NetSign 
bundle (Cryptoflex + serial card reader + MSIE/Netscape drivers for $99), 
which apparently supports neither USB nor PGP.


--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids