>> Once the EV certificate private key is installed on the USB security
>> token, it cannot be extracted or copied from the device, since it is
>
> Somehow it must be read from the stick.
The point is that the private key isn't and cannot be read from the
security token. The signature operation is completed on the token hardware
itself (it has an onboard processor for that) - it is not a normal USB
storage device. Data to be signed (usually a hash) is sent to the USB
security key and the signature is generated onboard without the private key
ever leaving the token.
> Those things can be duplicated. Seen it done. Disappearing a USB stick
> isn't much of a challenge - I manage that all by myself it seems!<bg>
Normal USB storage devices and (some) license dongles can be duplicated.
FIPS 140-2 certified smart card tokens, no, unless you are a state-level
actor having a team of scientists armed with an electron microscope and
a billion dollar budget. To extract the private key, one would need the
physical hardware token at hand and then could try to read the protected
memory area by peeling the memory chip one atomic layer at a time. This is
further hindered by cryptographic modules having physical security
mechanisms which erase private keys if tampering is detected.
Cheers,
--
Timo
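The signing flow Timo describes above (host hashes the document, sends only the digest to the token, the key never leaves the token, and a tamper event erases it) can be modelled in code. The following is an added example written for this page, not code from the thread or from any token vendor; the `Token` type is a hypothetical software stand-in for the smart-card hardware, and ECDSA over P-256 with SHA-256 is an assumed choice of algorithm (the thread does not name one).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is a hypothetical model of a smart-card style USB security token.
// The private key is generated inside the token and is reachable only
// through Sign; there is deliberately no method that returns it.
type Token struct {
	priv     *ecdsa.PrivateKey // stays "on-board"; nil once zeroized
	pub      *ecdsa.PublicKey  // the only key material the token exports
	zeroized bool
}

// NewToken generates the key pair on the token itself, so the private key
// never exists on the host computer at any point.
func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pub: &priv.PublicKey}, nil
}

// PublicKey returns the public half, which is safe to export.
func (t *Token) PublicKey() *ecdsa.PublicKey {
	return t.pub
}

// Sign accepts a SHA-256 digest (not the document) and returns a
// DER-encoded ECDSA signature computed entirely "inside" the token.
func (t *Token) Sign(digest []byte) ([]byte, error) {
	if t.zeroized {
		return nil, errors.New("token: private key erased after tamper event")
	}
	if len(digest) != sha256.Size {
		return nil, errors.New("token: expected a SHA-256 digest")
	}
	return ecdsa.SignASN1(rand.Reader, t.priv, digest)
}

// TamperDetected models the physical security mechanism: the private key
// is erased, so no further signatures can be produced.
func (t *Token) TamperDetected() {
	t.priv = nil
	t.zeroized = true
}

// HostSign is what the host computer does: hash the document locally and
// send only the digest across the USB link to the token.
func HostSign(tok *Token, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return tok.Sign(digest[:])
}

// HostVerify checks a signature using only the exported public key, which
// is all a relying party (or the host) ever needs.
func HostVerify(pub *ecdsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: bytes of an installer to be code-signed")
	sig, err := HostSign(tok, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", HostVerify(tok.PublicKey(), doc, sig))
	tok.TamperDetected()
	_, err = HostSign(tok, doc)
	fmt.Println("signing after tamper event:", err)
}
```

Note that the host only ever handles the digest and the returned signature; copying the "USB stick" at the host's level would copy neither the key nor the ability to sign, which is the distinction the reply draws between a token and ordinary USB storage.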