15 Replies Latest reply on Jul 11, 2012 7:43 AM by gimbal2

    Securing Keys from Myself

    Umer
      Hi all,

      We have a scenario in which we need to generate sensitive keys for one of our telecom operators. I have written a tool which takes as input a range of serial numbers and then creates output files for that range. We encrypt these keys, encode the plain ones on the cards and send the encrypted ones to the customers. These keys are very sensitive and nobody should see them. For the time being I am the only person who can see these keys, but the customer wants these keys to be hidden from everyone, including me.
      Given the above scenario, please suggest a solution by which I could encode my plain keys onto the card and send the encrypted keys to customers without actually knowing them.

      Thanks
        • 1. Re: Securing Keys from Myself
          sabre150
          Umer wrote:

          We have a scenario in which we need to generate sensitive keys for one of our telecom operators. I have written a tool which takes as input a range of serial numbers and then creates output files for that range. We encrypt these keys, encode the plain ones on the cards and send the encrypted ones to the customers.
          These keys are very sensitive and nobody should see them. For the time being I am the only person who can see these keys, but the customer wants these keys to be hidden from everyone, including me.
          It is not obvious how these keys are being used, but from a security point of view this seems very, very wrong. If the keys pass through your hands in the clear (not encrypted) before going to your customers, then from your customers' point of view the keys are compromised before they get them. It does not matter how they are processed (encoded or encrypted) after you get them; they are compromised since you had access to them prior to any encryption.

          There is an implication that the keys you are sent are actually (public, private) key pairs. If so, then why does your customer not generate the keys?
          Given the above scenario, please suggest a solution by which I could encode my plain keys onto the card and send the encrypted keys to customers without actually knowing them.
          As I said, you can't, unless your customer generates the keys or the keys never pass through your hands in the clear.
          1 person found this helpful
          • 2. Re: Securing Keys from Myself
            Umer
            Yes, I agree with you, sir. That is the real problem: the customer does not want to generate anything but still wants that kind of security.
            No, they are not public/private key pairs. They need encrypted ones, so we send them encrypted keys, and we need to program/store the plain ones into cards, so we have to access these keys even if the customer generates them. I could not find any solution yet.
            • 3. Re: Securing Keys from Myself
              rp0428
              > we need to program/store these plain ones into cards
              Please explain what that means. You should NOT need access to the passwords, or your architecture is seriously flawed. There are thousands or tens of thousands of companies that provide services like yours, and they don't need access to the passwords of their customers.
              • 4. Re: Securing Keys from Myself
                gimbal2
                rp0428 wrote:
                > we need to program/store these plain ones into cards
                Please explain what that means. You should NOT need access to the passwords, or your architecture is seriously flawed.
                Uhm... you're the first person in this thread to use the word 'password' you know.
                • 5. Re: Securing Keys from Myself
                  sabre150
                  Umer wrote:
                  Yes, I agree with you, sir. That is the real problem: the customer does not want to generate anything but still wants that kind of security.
                  No, they are not public/private key pairs. They need encrypted ones, so we send them encrypted keys, and we need to program/store the plain ones into cards, so we have to access these keys even if the customer generates them. I could not find any solution yet.
                  There is not and cannot be a solution when you have access to the unencrypted keys at some point! End of story!

                  Why cannot your customers generate the keys themselves? You could provide the software to do that.

                  Edited by: sabre150 on Jul 10, 2012 5:15 PM

                  It does sound to me like you are trying to solve a problem that has already been solved, but since I know little if anything about your system and its requirements I can't really help.
                  1 person found this helpful
                  • 6. Re: Securing Keys from Myself
                    Umer
                    A very good suggestion, sir. I think we should provide them a tool to generate keys by themselves. But again, we need these keys to store on smart cards.
                    • 7. Re: Securing Keys from Myself
                      sabre150
                      Umer wrote:
                      But again we need these keys to store on smart cards.
                      Then you are stuck with the same problem! If your customers generate the keys themselves then send the unencrypted keys to you for you to put on the smart card then they are compromised! Your customers must write the keys to the smart card maybe using software you supply them with.
                      • 8. Re: Securing Keys from Myself
                        EJP
                        I have written a tool which takes input a range of serial numbers and then creates output files for that range.
                        Lose it. Lose the file immediately. Change it to generate the key directly on the card on demand.
                        • 9. Re: Securing Keys from Myself
                          Umer
                          EJP wrote:
                          I have written a tool which takes input a range of serial numbers and then creates output files for that range.
                          Lose it. Lose the file immediately. Change it to generate the key directly on the card on demand.
                          Actually, we store these keys via a machine which can store keys and personalize 14,000 cards/hour, and we generate these keys with a tool on a different dedicated workstation; therefore we have to output these keys to place them into the machine's DLL for bulk production.

                          According to your suggestion, if we generate these keys and all personalization data via the DLL on the machine, then after production we will again need to send encrypted keys to the customer, and we are in the same situation again.

                          What about if we generate all keys and data on machine directly and encrypt the encrypted keys with their public key and then provide them a tool to decrypt all these keys by providing a valid private key. In this scenario we will not store plain keys on file and destroy them after storing on cards. Can you see any flaw in this ?

                          I am very thankful for the above discussion it is helping me a lot to reach towards a solution.
                          • 10. Re: Securing Keys from Myself
                            sabre150
                            Umer wrote:
                            What about if we generate all keys and data on machine directly and encrypt the encrypted keys with their public key and then provide them a tool to decrypt all these keys by providing a valid private key. In this scenario we will not store plain keys on file and destroy them after storing on cards. Can you see any flaw in this ?
                            If you have access, directly or indirectly, at any point to the unencrypted keys, then they are compromised. YOU CANNOT GENERATE SECRET KEYS FOR A THIRD PARTY WITHOUT THE KEYS BEING COMPROMISED, SINCE YOU WILL HAVE ACCESS TO THE UNENCRYPTED KEYS. Even if, as you propose, you generate the keys, encrypt them with your client's public key and then destroy them after storing them on cards, the keys are compromised, since immediately after generation they are in memory in the clear on your computer.

                            Would you want to have to go to court and defend the key generation system when one of your clients sues you?
                            • 11. Re: Securing Keys from Myself
                              Umer
                              If you have access, directly or indirectly, at any point to the unencrypted keys, then they are compromised. YOU CANNOT GENERATE SECRET KEYS FOR A THIRD PARTY WITHOUT THE KEYS BEING COMPROMISED, SINCE YOU WILL HAVE ACCESS TO THE UNENCRYPTED KEYS. Even if, as you propose, you generate the keys, encrypt them with your client's public key and then destroy them after storing them on cards, the keys are compromised, since immediately after generation they are in memory in the clear on your computer.
                              It means there is no way. :- (
                              Would you want to have to go to court and defend the key generation system when one of your clients sues you?
                              Only one customer is asking for this. And going to court is for my company to decide, not me ;-)

                              Thanks by the way sir.
                              • 12. Re: Securing Keys from Myself
                                sabre150
                                Umer wrote:
                                Only one customer is asking for this. And going to court is for my company to decide, not me ;-)
                                No - the client will decide to sue and you will be prime suspect since you will be the person with access to the keys.

                                Several years ago I worked for a big credit card company, and the company hired a security consultant to audit the security code I was creating. One day the consultant took me to one side and advised me to make sure I never, ever had access to the production encryption keys, since this would make me the prime suspect in any fraud investigation.

                                Protect your backside - advise your company of the security problem, advise them to hire a security consultant and then run away. The system has a major security flaw.

                                Edited by: sabre150 on Jul 11, 2012 4:56 AM

                                One possibility to remove the flaw: you might get away with this system if the key generation and encryption with your client's public key were performed in a tamper-proof HSM, with the key never, ever exposed in the clear outside of the HSM.
                                1 person found this helpful
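The two workable shapes in this thread are the same program run in different places: either the customer runs the generate-and-personalise step themselves with software the supplier provides (replies 5 and 7), or the generate-and-wrap step runs inside an HSM so the host never holds the plaintext (reply 12). The following is an added example written for this page, not Umer's tool and not code from the thread. It models that boundary in Go: for every serial number in a range it draws a fresh random 16-byte card key, hands the plaintext only to a card-writer interface, and exports nothing but the key wrapped under the customer's RSA public key with OAEP, using the serial number as the OAEP label so a wrapped key cannot be moved to another serial's slot. The 16-byte key length, the 10-digit serial format, the `CardWriter` interface and the in-memory `memCardWriter` are all assumptions made for the example (the thread never states them), and the customer's key pair is generated in-process only so the example runs without hardware.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// cardKeyLen is the per-card secret key length (assumed: 128-bit symmetric key).
const cardKeyLen = 16

// WrappedKey is the only artifact that leaves the generating boundary: the
// card serial and the card key encrypted under the customer's public key.
type WrappedKey struct {
	Serial  string
	Wrapped []byte
}

// CardWriter is the hypothetical interface to the personalisation machine;
// it is the only consumer of the plaintext key.
type CardWriter interface {
	WriteKey(serial string, key []byte) error
}

// PersonaliseRange generates a random key for every serial in [first, last],
// writes the plaintext to the card writer and returns the keys wrapped under
// customerPub. The plaintext is never returned, logged or written to a file.
// Whoever runs this process still holds the plaintext in memory: that is why
// it must run on the customer's side or inside an HSM, not at the supplier.
func PersonaliseRange(first, last int, customerPub *rsa.PublicKey, w CardWriter) ([]WrappedKey, error) {
	if first > last {
		return nil, fmt.Errorf("empty serial range %d..%d", first, last)
	}
	out := make([]WrappedKey, 0, last-first+1)
	for s := first; s <= last; s++ {
		serial := fmt.Sprintf("%010d", s) // assumed serial format
		key := make([]byte, cardKeyLen)
		if _, err := rand.Read(key); err != nil { // random, not derived from the serial
			return nil, fmt.Errorf("serial %s: keygen: %w", serial, err)
		}
		// The OAEP label binds the ciphertext to this serial: a wrapped key
		// swapped into another serial's slot fails to unwrap.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, customerPub, key, []byte(serial))
		if err != nil {
			return nil, fmt.Errorf("serial %s: wrap: %w", serial, err)
		}
		if err := w.WriteKey(serial, key); err != nil {
			return nil, fmt.Errorf("serial %s: card write: %w", serial, err)
		}
		for i := range key { // best-effort scrub of our own copy
			key[i] = 0
		}
		out = append(out, WrappedKey{Serial: serial, Wrapped: wrapped})
	}
	return out, nil
}

// UnwrapKey is the customer-side step, run with the private key that never
// left the customer's premises. The label must match the serial.
func UnwrapKey(customerPriv *rsa.PrivateKey, wk WrappedKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, customerPriv, wk.Wrapped, []byte(wk.Serial))
}

// memCardWriter stands in for the real card machine so the example runs
// without hardware (constructed for the example).
type memCardWriter struct{ cards map[string][]byte }

func (m *memCardWriter) WriteKey(serial string, key []byte) error {
	cp := make([]byte, len(key))
	copy(cp, key)
	m.cards[serial] = cp
	return nil
}

func main() {
	// Stand-in for the customer's key pair; in reality only the public half
	// is ever handed to the supplier.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	writer := &memCardWriter{cards: map[string][]byte{}}
	wrapped, err := PersonaliseRange(1, 3, &priv.PublicKey, writer)
	if err != nil {
		log.Fatal(err)
	}
	for _, wk := range wrapped {
		k, err := UnwrapKey(priv, wk)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("serial %s: unwrapped %s matches card: %v\n",
			wk.Serial, hex.EncodeToString(k), bytes.Equal(k, writer.cards[wk.Serial]))
	}
}
```

Two caveats a practitioner should keep in mind. The zeroing loop only scrubs the slice the function owns; Go gives no guarantee that the runtime has not copied it, which is the point sabre150 makes about plaintext in host memory and the reason a real deployment moves key generation and wrapping into the HSM (the device does `rand.Read` and `EncryptOAEP` internally and the host only ever sees `Wrapped`). And the wrapped files are still only as safe as the customer's private key: if the customer asks the supplier to generate that key pair too, the thread's objection applies all over again.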
                                • 13. Re: Securing Keys from Myself
                                  Umer
                                  Such mature and kind words. I never thought of it that way. You are absolutely right. Thank you very much for the advice.
                                  • 14. Re: Securing Keys from Myself
                                    EJP
                                    Very wise words. I would immediately ask your employers for an indemnity for work carried out so far as a condition of even attending further meetings on the topic. Cite this thread and if they quibble take private legal advice.
                                    1 person found this helpful