4

What is a reasonable way of storing private keys/certs on an embedded device that doesn't have TrustZone, a TPM or write-once storage? Without hardware backing the key storage, the key must be stored in a boot image/persistent storage. So, what tools or strategies can be used to store that key in a manner that is resistant to peering eyes?

Assume the goal is to make acquiring the key difficult and expensive enough to dissuade most non-state-sponsored hackers.

Whome

2 Answers

3

Use a symmetric password-based encryption scheme on the keys, where you have to "enter your passphrase" before you are allowed to use the key, since the passphrase is used to decrypt the actual key.

Most of the security concerns about the usage of passphrases are discussed here: Security of passphrase-protected private key

kung
  • In other words, the secure way to store a key is to **not store** the key and have someone enter it. This is the correct answer, but it isn't applicable in typical embedded scenarios. The fact is that if your device is physically out of your control, and it isn't hardened hardware such as a smartcard, then what you store on it isn't secret. – Gilles 'SO- stop being evil' Jul 11 '16 at 12:30
0

I am aware of the option of white-box cryptography. Essentially, keys are embedded in a specific implementation of the crypto algorithm.

White-box techniques are typically hardened by code/data obfuscation, which makes debugging more difficult.

ted
  • White-box cryptography is mostly useless. It makes extracting the key hard, but extracting the key is not the end goal of the attacker: the end goal is *misusing* the key, and white-box cryptography does not prevent that. – Gilles 'SO- stop being evil' Jul 11 '16 at 12:30
  • It depends on the context. If it's a DVD player's content key, misuse isn't a big problem (affects one device) but key leak is (affects all devices). White box isn't perfect, but it might be good enough. – Ian Howson Jan 02 '17 at 23:04