Best practices/HOWTO for key storage in small office/home office setting?
Greg Broiles
gbroiles at well.com
Mon Oct 1 02:26:13 EDT 2001
Are list members aware of any helpful resources describing best practices
or HOWTOs for protecting cryptographic keys in a small office/home office
setting?
I'm aware of the following approaches, given the assumption that good
physical security is unavailable -
1. Store keys & etc on hard disk inside a laptop which is kept in a
safe or similar when not in use
2. Store keys & etc on -
a. hard disk in removable carrier
b. 3.5" floppy/CD/CD-R[W]/Zip disk
c. PCMCIA hard disk
d. PCMCIA memory
e. Compact Flash hard disk
f. Compact Flash memory
g. Storage-only smartcard
.. each of which is stored in a safe when not in use
3. Generate & use keys on crypto smartcard (like Schlumberger's
Cryptoflex) which is stored in safe when not in use
4. Generate & use keys in dedicated crypto processor board
5. Generate & store or generate & use keys stored across network in
encrypted form
Obviously, much of the above just rewrites a hard problem (protect this
room) into an easier but not entirely solved problem (protect the interior
of this safe); and it ignores security for the keys while in active use
versus hostile or sloppy software which may be running on the host. It also
ignores the use of keystroke recorders or visual/audio surveillance systems
to gather content which is available outside of the crypto envelope/tunnel.
I'm trying to come up with a list of things people can do to improve (not
perfect) their security, with modest expenditures and a little bit of extra
effort during operations.
Also, is anyone aware of a currently shipping crypto smartcard
reader/card/driver bundle which integrates well with any flavor of PGP or
S/MIME mail software? The only example I'm aware of is Litronic's NetSign
bundle (Cryptoflex + serial card reader + MSIE/Netscape drivers for $99)
which apparently doesn't support USB or PGP.
--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
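The fifth approach in the post above (keys stored, in encrypted form, on removable media or across the network) depends on a sound wrapping format. The following is an added example, not code from the original post or from any product it names: it wraps private-key bytes under a passphrase using PBKDF2-HMAC-SHA256 (written out inline so only the Go standard library is needed) and AES-256-GCM, with the salt bound into the authentication tag. The blob layout (salt || nonce || ciphertext), the iteration count and the sample key bytes are assumptions for the example; a real deployment would pass the PGP or S/MIME private key material and a well-chosen passphrase. Wrapping like this protects the key at rest only; as the post notes, it does nothing for a key while it is loaded on a host running hostile or sloppy software.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const saltLen = 16 // random salt stored with the blob (assumed layout)
const keyLen = 32  // AES-256 key size

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256, written out
// here so the example depends only on the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iterations, dkLen int) []byte {
	out := make([]byte, 0, dkLen)
	for block := uint32(1); len(out) < dkLen; block++ {
		prf := hmac.New(sha256.New, passphrase)
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ { // U_2 .. U_c, XORed together
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newAEAD derives the AES-256 key from passphrase and salt and returns a GCM instance.
func newAEAD(passphrase, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts privateKey under a passphrase so it can sit on removable
// media or a network share. Output layout (assumed): salt || nonce || ciphertext.
func WrapKey(privateKey, passphrase []byte, iterations int) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, salt, iterations)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is passed as associated data so the tag also covers it.
	blob := make([]byte, 0, saltLen+len(nonce)+len(privateKey)+aead.Overhead())
	blob = append(append(blob, salt...), nonce...)
	return aead.Seal(blob, nonce, privateKey, salt), nil
}

// UnwrapKey reverses WrapKey; any wrong passphrase, iteration count or
// modified byte fails authentication and yields an error, never garbage key bytes.
func UnwrapKey(blob, passphrase []byte, iterations int) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	aead, err := newAEAD(passphrase, salt, iterations)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < saltLen+ns+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	pt, err := aead.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered blob")
	}
	return pt, nil
}

func main() {
	key := []byte("-----CONSTRUCTED SAMPLE PRIVATE KEY-----") // constructed sample, not a real key
	pw := []byte("correct horse battery staple")
	blob, err := WrapKey(key, pw, 200000)
	if err != nil {
		panic(err)
	}
	got, err := UnwrapKey(blob, pw, 200000)
	if err != nil || string(got) != string(key) {
		panic("round trip failed")
	}
	_, err = UnwrapKey(blob, []byte("wrong passphrase"), 200000)
	fmt.Printf("wrapped %d bytes into a %d-byte blob; wrong passphrase rejected: %v\n", len(key), len(blob), err != nil)
}
```

The iteration count is part of what the user must remember or record alongside the blob; storing it in a header is a reasonable extension. Because GCM authenticates the ciphertext and the salt, a copy on a floppy or a network share that has been altered in transit is rejected rather than decrypted to silently corrupted key material.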