
Thread: Standard and new EV Code-Signing Certificates

  1. #11

    Re: Standard and new EV Code-Signing Certificates

    >> Once the EV certificate private key is installed on the USB security
    >> token, it cannot be extracted or copied from the device, since it is
    >
    > Somehow it must be read from the stick.

    The point is that the private key isn't and cannot be read from the
    security token. Signature operation is completed on the token hardware
    itself (it has an onboard processor for that) - it is not a normal USB
    storage device. Data to be signed (usually a hash) is sent to the USB
    security key and signature is generated onboard without the private key
    ever leaving the token.

    > Those things can be duplicated. Seen it done. Disappearing a USB stick
    > isn't much of a challenge - I manage that all by myself it seems!<bg>

    Normal USB storage devices and (some) license dongles can be duplicated.
    FIPS 140-2 certified smart card tokens, no, unless you are a state-level
    actor having a team of scientists armed with an electron microscope and
    a billion dollar budget. To extract the private key, one would need the
    physical hardware token at hand and then could try to read the protected
    memory area by peeling the memory chips an atomic layer at a time. This is
    further hindered by cryptographic modules having physical security
    mechanisms which erase private keys if tampering is detected.

    Cheers,
    --
    Timo
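An added example (my own Python, not code from this thread or from any token vendor) of the flow Timo describes: the host hashes the file and sends only the digest, the token object holds the private exponent and offers nothing but a sign operation, and anyone holding the public key can verify. `SimulatedToken`, its demo key pair and the sample bytes are constructed for this illustration.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_encode(digest, k):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || hash, padded to k bytes.
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


class SimulatedToken:
    """Stand-in for the USB token: the private exponent exists only inside this
    object, and the only operation offered to the host is signing a digest."""

    def __init__(self):
        # Demo modulus from two well-known Mersenne primes so the example runs
        # without a crypto library; trivially factorable, never use for real keys.
        p, q = 2**521 - 1, 2**127 - 1
        self._n = p * q
        self._d = pow(65537, -1, (p - 1) * (q - 1))
        self.public_key = (self._n, 65537)  # the only key material ever exported

    def sign_digest(self, digest):
        # Only the 32-byte hash crosses the USB boundary; the private-key
        # exponentiation happens "on the token".
        k = (self._n.bit_length() + 7) // 8
        em = int.from_bytes(pkcs1_v15_encode(digest, k), "big")
        return pow(em, self._d, self._n).to_bytes(k, "big")


def host_sign(token, data):
    # What the signing tool on the PC does: hash locally, send only the hash.
    return token.sign_digest(hashlib.sha256(data).digest())


def verify(public_key, data, signature):
    # Anyone holding the certificate can check the signature; no token needed.
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return recovered == pkcs1_v15_encode(hashlib.sha256(data).digest(), k)


if __name__ == "__main__":
    token = SimulatedToken()
    binary = b"MZ... constructed stand-in for a signed executable"
    sig = host_sign(token, binary)
    print("signature ok:", verify(token.public_key, binary, sig))  # True
    print("tampered ok:", verify(token.public_key, binary + b"x", sig))  # False
```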

  2. #12

    Re: Standard and new EV Code-Signing Certificates

    > unless you are a state-level
    > actor having a team of scientists armed with an electron microscope and
    > a billion dollar budget.

    Jeff Slarve
    www.jssoftware.com

    Ones and Zeros are my Heroes

  3. #13

    Re: Standard and new EV Code-Signing Certificates

    >>> Once the EV certificate private key is installed on the USB security
    >>> token, it cannot be extracted or copied from the device, since it is
    >>
    >> Somehow it must be read from the stick.
    >
    > The point is that the private key isn't and cannot be read from the
    > security token. Signature operation is completed on the token hardware
    > itself (it has an onboard processor for that) - it is not a normal USB
    > storage device. Data to be signed (usually a hash) is sent to the USB
    > security key and signature is generated onboard without the private key
    > ever leaving the token.
    >
    >> Those things can be duplicated. Seen it done. Disappearing a USB
    >> stick isn't much of a challenge - I manage that all by myself it
    >> seems!<bg>
    >
    > Normal USB storage devices and (some) license dongles can be duplicated.
    > FIPS 140-2 certified smart card tokens, no, unless you are a state-level
    > actor having a team of scientists armed with an electron microscope and
    > a billion dollar budget. To extract the private key, one would need the
    > physical hardware token at hand and then could try to read the protected
    > memory area by peeling the memory chips an atomic layer at a time. This is
    > further hindered by cryptographic modules having physical security
    > mechanisms which erase private keys if tampering is detected.
    >
    > Cheers,

    Very interesting and informative discussion Timo. Thanks for chipping
    in and sharing.

    Andre Labuschagne

  4. #14

    Re: Standard and new EV Code-Signing Certificates

    > Very interesting and informative discussion Timo. Thanks for chipping
    > in and sharing.

    +1

    Peter Hermansen
