
posted by janrinok on Monday May 21 2018, @09:52PM
from the security-in-your-pocket dept.

Ben Cartwright-Cox has written a blog post about building Yubikey/smartcard-backed TLS/HTTPS servers. Cryptographic hardware tokens such as the Yubikey can hold keys and perform operations with them, but are designed never to hand the key itself back to the system. Although the token's contents can be overwritten, the original key cannot be extracted even if the system it is plugged into gets cracked. Moving the keys onto the hardware token thus makes them more or less unstealable. Ben walks through the steps needed to retrofit a Yubikey into roles where keys would normally be held in memory, such as an HTTPS server.

A Yubikey is a USB stick that acts like a two factor token, but can also act as a smart card.

Smart cards are neat, since they allow you to store sensitive cryptographic keys on another removable device, and they come with a guarantee that once they are programmed with a key they will not give it back to a system (they can be overwritten though).

This allows someone to separate a cryptographic key from the system it lives on. This is useful for things like SSH, since it means you can have a key that moves on your person, rather than a per-machine key in the case that you use multiple machines to access systems.
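As an added illustration of the point the summary and excerpt make (this is not code from Ben's post, nor from any Yubikey or smartcard tooling), here is a Go HTTPS server whose private key sits behind the crypto.Signer interface, which is the integration point a PKCS#11-backed token would plug into. The tokenSigner type, the newTokenCertificate and serveAndFetch functions, and the in-process key are all assumptions made for the demonstration: the key is generated in software here, whereas a real deployment would keep it on the token and forward only Sign() calls to it. The server process never handles the key directly, only the digest going out and the signature coming back.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"sync/atomic"
	"time"
)

// tokenSigner stands in for a smart card or Yubikey (hypothetical: a real one
// would call into the device over PKCS#11). The private key lives in an
// unexported field and the only operations exposed are Public() and Sign(),
// which is exactly the crypto.Signer interface Go's TLS stack requires.
type tokenSigner struct {
	priv    *ecdsa.PrivateKey
	signOps int64 // number of Sign() calls, i.e. operations the "token" performed
}

func (t *tokenSigner) Public() crypto.PublicKey { return &t.priv.PublicKey }

// Sign receives only the digest; the key material never crosses this
// boundary, which mirrors how a hardware token is driven.
func (t *tokenSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&t.signOps, 1)
	return ecdsa.SignASN1(r, t.priv, digest)
}

// newTokenCertificate generates a key "inside the token" and issues a
// self-signed certificate for it. tls.Certificate receives the signer,
// never the raw key.
func newTokenCertificate(host string) (tls.Certificate, *tokenSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	signer := &tokenSigner{priv: priv}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer, Leaf: leaf}, signer, nil
}

// serveAndFetch starts an HTTPS server on a loopback port with the
// token-backed certificate, makes one request to it, and reports the body
// plus how many signing operations the "token" performed during the
// handshake (the TLS stack itself never touched the key).
func serveAndFetch() (body string, handshakeSigns int64, err error) {
	cert, signer, err := newTokenCertificate("localhost")
	if err != nil {
		return "", 0, err
	}
	before := atomic.LoadInt64(&signer.signOps) // signatures spent on the cert itself

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", 0, err
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			io.WriteString(w, "hello from a token-backed TLS server")
		}),
		TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12},
	}
	go srv.ServeTLS(ln, "", "") // cert and key come from TLSConfig, not from files
	defer srv.Close()

	// The client trusts only our self-signed leaf and checks the name on it.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "localhost"},
	}}
	resp, err := client.Get("https://" + ln.Addr().String() + "/")
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, err
	}
	return string(b), atomic.LoadInt64(&signer.signOps) - before, nil
}

func main() {
	body, n, err := serveAndFetch()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s (token performed %d signature(s) during the handshake)\n", body, n)
}
```

Nothing in tls.Config or the HTTP server changes when tokenSigner is swapped for a hardware-backed implementation; that narrow interface is what makes a memory-disclosure bug in the server process unable to reveal the key, since the key was never in that process to begin with.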


  • (Score: 1, Funny) by Anonymous Coward on Monday May 21 2018, @10:05PM (3 children)

    by Anonymous Coward on Monday May 21 2018, @10:05PM (#682411)

    Just download a TLS/HTTPS gem for Ruby on Rails and you're done... no hardware necessary, grandpa!

  • (Score: 2, Touché) by Anonymous Coward on Monday May 21 2018, @10:18PM (1 child)

    by Anonymous Coward on Monday May 21 2018, @10:18PM (#682415)

    I fail to see how your proposed action solves the problem of millennials or what this has to do with the article?

    • (Score: 0) by Anonymous Coward on Tuesday May 22 2018, @08:44AM

      by Anonymous Coward on Tuesday May 22 2018, @08:44AM (#682568)

      I think it's pointing out that for a certain group of IT people (apparently called "millennials"), the answer always seems to be to download something written by other people, without reading the question and without caring about whether the "solution" actually works, as long as it looks like it works.

      See 90% of Stack Overflow answers. E.g. someone asking for help with a CSS problem that can be solved with one line of CSS, the first several answers all start out with downloading jQuery. If you're lucky, one person actually posted the one line of CSS that answers the question, but in that case the next post is likely to be that it's not possible to solve.

  • (Score: 1, Informative) by Anonymous Coward on Tuesday May 22 2018, @09:03AM

    by Anonymous Coward on Tuesday May 22 2018, @09:03AM (#682573)

    Yeah. And your private keys reside on your server, where anyone who can gain access to it, e.g. by using an attack like Heartbleed [soylentnews.org], can read the keys. It would have been impossible for Heartbleed in particular to have revealed the server's private keys since if you had such a thing, the keys are NEVER transferred to the server's physical memory. All use of the private keys is performed only by the smartcard. Even if you rooted the machine it would still be impossible to get the keys absent a vulnerability in the smartcard hardware. It should still be difficult to do even if you had physical access to the smartcard itself, as the hardware is generally designed to be tamper-resistant and with countermeasures against side-channel attacks.