Ben Cartwright-Cox has written a blog post about building Yubikey/smartcard-backed TLS/HTTPS servers. Cryptographic hardware tokens such as the Yubikey can hold and verify keys but are set up so that they cannot give the key itself back to the system. Although the hardware token's contents can be overwritten, the original key cannot be extracted even if the system it is on gets cracked. Thus moving the keys to the hardware token would make them more or less unstealable. Ben walks through the steps necessary to retrofit a Yubikey into roles where keys would normally be held in memory, such as an HTTPS server.
A Yubikey is a USB stick that acts like a two factor token, but can also act as a smart card.
Smart cards are neat, since they allow you to store sensitive cryptographic keys on another removable device, and they come with a guarantee that once they are programmed with a key they will not give it back to a system (they can be overwritten though).
This allows someone to separate a cryptographic key from the system it lives on. This is useful for things like SSH, since it means you can have a key that moves on your person, rather than a per machine key in the case that you use multiple machines to access systems.
(Score: 3, Interesting) by Fnord666 on Monday May 21 2018, @11:08PM (11 children)
(Score: 0) by Anonymous Coward on Monday May 21 2018, @11:28PM (2 children)
>How about if I can't retrieve the private key from the YubiKey, how do I set up the other 665 servers in my web server farm to use the same server certificate?
Easy, get 665 other yubikeys that you set to the same key.
(Score: 3, Funny) by LoRdTAW on Monday May 21 2018, @11:29PM
yubikey marketing department must be the b team.
(Score: 2) by qzm on Tuesday May 22 2018, @09:43AM
Right....... and how do I get the cloud server provider to have those plugged in to my VPS's?
(Score: 4, Funny) by LoRdTAW on Monday May 21 2018, @11:29PM
Duh! It's the web! You like build a framework from ten other frameworks using javascript and stuff.
(Score: 3, Informative) by Knowledge Troll on Monday May 21 2018, @11:34PM
I want to tell that guy to get the hell off my lawn too but I don't think your gripe is legitimate.
You can also load certs into the Yubikey and it still won't let them back out. So what's wrong with this?
(Score: 4, Funny) by driverless on Monday May 21 2018, @11:38PM (1 child)
I'm not absolutely certain, but I think it might involve MongoDB.
(Score: 0) by Anonymous Coward on Tuesday May 22 2018, @12:18PM
Yubikey is webscale.
(Score: 4, Interesting) by forkazoo on Tuesday May 22 2018, @04:27AM
If you can program any cert onto the Yubikey, you'd probably generate it elsewhere and then program it onto multiple keys. So you could do the secure provisioning at the main office, and ship a small box of dongles to the remote site with the data center where you can hire a moderately trusted on-site team to do the physical deploy of the servers.
(Score: 2, Interesting) by Anonymous Coward on Tuesday May 22 2018, @09:22AM (1 child)
You place a machine with the Yubikey in a secure enclave of your network, and have the rest of the machines in your server farm try to communicate to it only when they need to use the private key to do anything, like initiate a TLS connection. The private key is only really required for initiating and negotiating new connections, and that’s really the only bottleneck. So you don’t actually need 665 more Yubikeys, just enough that you can mitigate the connection negotiation bottleneck sufficiently for your load. You could set up the machine(s) with a smartcard to run USBIP [sourceforge.net] and run them over a VPN for added security.
(Score: 1) by nitehawk214 on Tuesday May 22 2018, @04:59PM
Serious question, I am not a security professional. What is the point of having yubikey in this scenario if you have to isolate a server anyhow?
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 2) by fraxinus-tree on Tuesday May 22 2018, @03:14PM
The scalability nightmare of this "solution" starts long before that. YubiKey cannot sign something more than, say, 3 or 10 times a second. This is the rate you will get for new TLS sessions. Hardly a server solution.
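The point raised in the comments above, that the server needs the private key only while negotiating a new TLS connection and that the token's signing rate therefore bounds new sessions, as an added Go example (not code from the blog post or from anyone in the thread). `tokenSigner`, `signsFor` and `example.test` are hypothetical names, and the key is generated in software to stand in for the token.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)
// tokenSigner (hypothetical) stands in for the token: Public and Sign only. Software key, so it runs offline.
type tokenSigner struct {
	key   *ecdsa.PrivateKey
	signs int64 // number of Sign calls, i.e. trips to the token
}
func (t *tokenSigner) Public() crypto.PublicKey { return &t.key.PublicKey }
func (t *tokenSigner) Sign(r io.Reader, d []byte, o crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&t.signs, 1)
	return t.key.Sign(r, d, o)
}
// signsFor runs n full TLS handshakes and returns how often the token signed.
func signsFor(n int) int64 {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := &tokenSigner{key: k}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, tok.Public(), tok)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := &tls.Config{SessionTicketsDisabled: true, // no resumption: every handshake is full
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: tok}}}
	for i := 0; i < n; i++ {
		c, s := net.Pipe()
		go tls.Server(s, srv).Handshake()
		if err := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "example.test"}).Handshake(); err != nil {
			panic(err)
		}
		c.Close() // closing one end of a net.Pipe ends both
	}
	return atomic.LoadInt64(&tok.signs) - 1 // minus the self-signing signature
}
func main() { println("token signatures for 5 handshakes:", signsFor(5)) }
```

Each full handshake costs exactly one signature and the TLS stack never reads the key itself, so a device limited to a few signatures per second admits about that many new sessions per second.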