Private Keys

Question 1

Personal Security Environment

Answer 1

• Stores: Private keys, certificates, other data
• Provides: Compatibility, Portability, Availability, Access protection

Question 2

Secure storage of private keys in software

Answer 2

• Standardized (e.g. PKCS#12)
• OS/language specific (e.g. Java Keystore)
• Application specific (e.g. Firefox)

Question 3

Secure storage of private keys in hardware

Answer 3

• Hardware security module
• USB-Token
• Smartcard

Question 4

PKCS#12 Structure

Answer 4

• Authenticated Safe
• Content Info: Plain data, encrypted data, enveloped data

Question 5

PKCS#12 Exchange Modes: Content Privacy

Answer 5

• Data Mode (plain): No encryption
• Password Privacy Mode (encrypted): Encryption with a symmetric key which is derived from a password
• Public Key Privacy Mode (enveloped): Encryption with a symmetric key which is encrypted with the public key of the receiver

Question 6

PKCS#12 Exchange Modes: Content Integrity & authentication

Answer 6

• Password Integrity Mode: A MAC is calculated with a symmetric key which is encrypted with the public key of the receiver
• Public Key Integrity Mode: Signed with the private key of the issuer

Question 7

Hardware Security Module

Answer 7

• Secure key storage and use
• (Pseudo)random number generation
• Key (pair) generation
• Key archiving
• Encryption / decryption
• Generating / verifying signatures
• Hashing
• Acceleration for cryptographic schemes

Question 8

HSM Protection

Answer 8

• Protect the keys against: mechanical attacks, temperature attacks, manipulation of the voltage, chemical attacks
• Keys are destroyed in case of danger

Question 9

PKCS#11

Answer 9

• “Cryptographic Token Interface”
• Support functions like: Change PIN, Sign, Decrypt, Write certificate
• But: Some functions are not supported, different libs are needed for supporting different cards and readers

Question 10

Smartcards

Answer 10

• Secure key storage and use
• Key pair generation (not all)
• (Pseudo)random number generation (not all)
• Calculation of digital signatures
• Decryption
• Access via: PKCS#11, CT-API, PC/SC

Question 11

PKCS#15

Answer 11

• Specifies the structure of the file system on the chip card
• Pointers to cryptographic objects (ODF)
  -> Private key, public key, certificate

Question 12

Private key lifecycle: Generate

Answer 12

• Appropriate algorithms and parameters
• Secure (P)RNG (Random Number Generator)
• Shielding against eavesdropping

Question 13

Private key lifecycle: Copy

Answer 13

• Usually to be avoided but may be reasonable
• Easy for authorized users
• Impossible for unauthorized users

Question 14

Private key lifecycle: Store/deposit

Answer 14

• Persistent storage
• Deletion from the generator
• Appropriate access protection
• Only deposit special types of keys

Question 15

Private key lifecycle: Restore/recover

Answer 15

• Correct reestablishment
• Easy for authorized users
• Impossible for unauthorized users

Question 16

Private key lifecycle: Deliver/retract

Answer 16

• Correct receiver
• Guaranteed delivery
• Appropriate transport security mechanisms

Question 17

Private key lifecycle: Use

Answer 17

• Easy for the authorized users
• Impossible for unauthorized users
• Shielding against eavesdropping, manipulation

Question 18

Private key lifecycle: Destruct

Answer 18

• Unrecoverable
• All (intended) copies are to be destroyed
• Easy for the authorized users
• Impossible for unauthorized users

Question 19

PSE Comparison: Cost

Answer 19

• PKCS #12: ++
• HSM: –
• Smart Card: 0

Question 20

PSE Comparison: Interoperability

Answer 20

• PKCS #12: ++
• HSM: +
• Smart Card: +

Question 21

PSE Comparison: Portability

Answer 21

• PKCS #12: ++
• HSM: –
• Smart Card: +

Question 22

PSE Comparison: Security

Answer 22

• PKCS #12: -
• HSM: ++
• Smart Card: +

Question 23

PSE Comparison: Speed

Answer 23

• PKCS #12: N/A
• HSM: ++
• Smart Card: –