
I'm testing a SafeNet 5100 token FIPS 140-2 level 3. It comes with programs to access and manage it, but only for desktop machines.

I would like to create applications that use level 3 tokens. Is there any level 3 token that provides access from Android, iPhone and web pages? For example, Ledger Nano provides an apk library and web page access, but it's not FIPS level 3.

I would like to create multiplatform apps using digital signatures from secure tokens.

Thanks in advance

4 Answers

2

The 5100 tokens are small USB sticks which, when plugged into a desktop, are accessed via SafeNet's Authentication Client. We use them for internal CA authentication and they ... need to improve upon the Availability in the C-I-A triad.

Phones don't have USB, so if you're looking for token-based authentication for mobile, 5100s are not the way to go. There are a few ways to try and tackle this; they are very similar in nature, but depend on the type of developer you are.

Cloud Based Key Management

AWS has KMS (Key Management Services) and you can look at the details here. They are FIPS 140-2 Level 3 compliant and provide an API for you to access the KMS. This is probably the most flexible and easiest to implement, but also requires a higher level of developer knowledge to do it right.

Cloud-ish Based Key Management

Gemalto, your SafeNet provider, has their Trusted Key Management, which is similar to AWS. The difference being you build out your infrastructure for handling mobile apps. The premise is pretty similar, except your IT team is now responsible for the HSM and its FIPS 140-2 Level 3 implementation. I haven't used this but I believe the mobile Trusted Key Management is just an app on your device that connects back to your infrastructure.

Others in the field I am sure do similar; I figure if you're using SafeNet you might have a relationship with Gemalto.

DIY Development

Don't do this. I don't need to explain this.

Shane Andrie

  • Phones do not have USB, but there are wired connectors that connect USB to phone connectors. Ledger Nano for example has an OTG cable. – Jonathan Barbero Apr 19 '18 at 15:21
  • Technically, yes, you could build a wired connection to a tablet/phone, but design-wise it's just a burden for the user, the developers, the testers, the team configuring the USB keys, and the team supporting everything. – Shane Andrie Apr 19 '18 at 15:42
  • In Argentina the digital signature is as valid as a hand-written one if you use a certificate from a specific PKI infrastructure and a hardware token level 2/3. The effort is worthwhile for the comfort of signing from your couch =) – Jonathan Barbero Apr 19 '18 at 16:02
1

Yubico are soon to release a FIPS variant of their Yubikey, which contains a PIV applet that can act as a smart card. The only thing you need is a library which can communicate with this smart card, which is a standard PC/SC one.

https://www.yubico.com/products/yubikey-fips/

There are 3 models I could recommend for a mobile deployment:

  • 1: The USB-C nano variant, which sits "semi-permanently" in the charging port and is always available. For charging the phone, wireless charging could be used, or the nano could be temporarily removed.
  • 2: The Neo variant, which operates over NFC.
  • 3: The USB-C standard variant, which is carried on a keychain and is used when required.

sebastian nielsen
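To make the "standard PC/SC library" part of this answer concrete, here is an added example (not code from the answer, from Yubico, or from any project) of the APDU exchange an app has to drive to sign with a PIV applet: SELECT the PIV application, VERIFY the PIN, then GENERAL AUTHENTICATE against the digital-signature key. The command encodings follow NIST SP 800-73-4; the card side is a constructed simulator so the exchange runs offline, and the sample signature bytes, PIN and retry count are made up. On a real device, `transmit()` would be the PC/SC transmit call of whichever library the platform offers.

```python
# PIV over PC/SC, as an added illustration of the exchange described above.
# Command bytes follow NIST SP 800-73-4; responses come from a constructed
# simulator so no reader is needed (assumption: short APDUs, ECC P-256 key).

PIV_AID = bytes.fromhex("A000000308000010000100")   # PIV Card Application AID
SLOT_DIGITAL_SIGNATURE = 0x9C                       # key reference 9C
ALG_ECC_P256 = 0x11                                 # ECDSA P-256 algorithm id

# Constructed sample: a DER-shaped ECDSA signature, not a real one.
SAMPLE_SIGNATURE = bytes.fromhex("30440220" + "11" * 32 + "0220" + "22" * 32)


def _tlv(tag: int, value: bytes) -> bytes:
    """BER-TLV with the short / one-byte-extended lengths PIV templates use."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x81, len(value)]) + value


def _read_len(buf: bytes) -> tuple[int, bytes]:
    first = buf[0]
    if first < 0x80:
        return first, buf[1:]
    n = first & 0x7F
    return int.from_bytes(buf[1:1 + n], "big"), buf[1 + n:]


def build_select_piv() -> bytes:
    """SELECT (INS A4, P1 04) the PIV applet by AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID


def build_verify_pin(pin: str) -> bytes:
    """VERIFY (INS 20) the PIV application PIN (key ref 80):
    6-8 ASCII digits, right-padded with 0xFF to 8 bytes."""
    if not (6 <= len(pin) <= 8) or not pin.isdigit():
        raise ValueError("PIV PIN must be 6-8 digits")
    data = pin.encode("ascii").ljust(8, b"\xff")
    return bytes([0x00, 0x20, 0x00, 0x80, len(data)]) + data


def build_general_authenticate(alg: int, key_ref: int, challenge: bytes) -> bytes:
    """GENERAL AUTHENTICATE (INS 87): dynamic authentication template 7C with
    an empty 82 (response requested) and 81 (the hash to sign); Le = 00."""
    template = _tlv(0x7C, _tlv(0x82, b"") + _tlv(0x81, challenge))
    if len(template) > 255:
        raise ValueError("extended-length APDUs not handled in this example")
    return bytes([0x00, 0x87, alg, key_ref, len(template)]) + template + b"\x00"


def parse_response(resp: bytes) -> tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def describe_status(sw: int) -> str:
    """Map the status word onto something the app can act on."""
    if sw == 0x9000:
        return "ok"
    if (sw >> 8) == 0x61:
        return f"ok, {sw & 0xFF} more bytes pending (send GET RESPONSE)"
    if (sw & 0xFFF0) == 0x63C0:
        return f"wrong PIN, {sw & 0x0F} retries left"
    if sw == 0x6982:
        return "security status not satisfied (VERIFY the PIN first)"
    if sw == 0x6983:
        return "PIN blocked"
    if sw == 0x6A82:
        return "application not found (PIV applet not selected?)"
    return f"unexpected status {sw:04X}"


def extract_signature(data: bytes) -> bytes:
    """Pull the 82 element out of the 7C template GENERAL AUTHENTICATE returns."""
    if data[0] != 0x7C:
        raise ValueError("expected dynamic authentication template 7C")
    length, rest = _read_len(data[1:])
    inner = rest[:length]
    while inner:
        tag, inner = inner[0], inner[1:]
        vlen, inner = _read_len(inner)
        value, inner = inner[:vlen], inner[vlen:]
        if tag == 0x82:
            return value
    raise ValueError("no 82 (response) element in template")


class SimulatedPivCard:
    """Constructed stand-in for a real card: tracks selection, PIN state and
    the retry counter the way a PIV applet reports them."""

    def __init__(self, pin: str = "123456", retries: int = 3):
        self.pin = pin.encode("ascii").ljust(8, b"\xff")
        self.retries, self.selected, self.verified = retries, False, False

    def transmit(self, apdu: bytes) -> bytes:
        ins, p2, data = apdu[1], apdu[3], apdu[5:5 + apdu[4]]
        if ins == 0xA4:
            self.selected = data == PIV_AID
            return b"\x90\x00" if self.selected else b"\x6A\x82"
        if not self.selected:
            return b"\x6A\x82"
        if ins == 0x20:
            if self.retries == 0:
                return b"\x69\x83"
            if data == self.pin:
                self.verified = True
                return b"\x90\x00"
            self.retries -= 1
            return bytes([0x63, 0xC0 | self.retries])
        if ins == 0x87 and p2 == SLOT_DIGITAL_SIGNATURE:
            if not self.verified:
                return b"\x69\x82"
            return _tlv(0x7C, _tlv(0x82, SAMPLE_SIGNATURE)) + b"\x90\x00"
        return b"\x6D\x00"


def sign_with_piv(card, pin: str, digest: bytes) -> bytes:
    """Full exchange: SELECT -> VERIFY -> GENERAL AUTHENTICATE -> signature."""
    for apdu in (build_select_piv(), build_verify_pin(pin)):
        _, sw = parse_response(card.transmit(apdu))
        if sw != 0x9000:
            raise RuntimeError(describe_status(sw))
    apdu = build_general_authenticate(ALG_ECC_P256, SLOT_DIGITAL_SIGNATURE, digest)
    data, sw = parse_response(card.transmit(apdu))
    if sw != 0x9000:
        raise RuntimeError(describe_status(sw))
    return extract_signature(data)


if __name__ == "__main__":
    print(sign_with_piv(SimulatedPivCard(), "123456", b"\x01" * 32).hex())
```

The retry-counter handling is the part worth keeping in a mobile app: a 63 Cx status after VERIFY is not a transport error, and surfacing the remaining count stops a retry loop in the app from blocking the card. Real cards return an application property template with the SELECT response and may need GET RESPONSE (61 xx) for longer signatures; both are handled by `parse_response` and `describe_status` but not exercised by the simulator.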
0

The validation of a device against FIPS 140 indicates that a cryptographic module has the specified level of protection/resistance implemented in that device. A SafeNet eToken 5100 is a specific piece of hardware that securely stores a key or value that can be used in performing authentication. To do similar from a mobile device would require an external token that a user manually enters or a mobile device that is itself validated as compliant with FIPS 140-2 level 3.

jth

  • Yes, that's what I'm asking for. Is there any external token hardware level 3 that provides libraries/support for Android/iPhone and browser access? – Jonathan Barbero Apr 19 '18 at 13:46
0

If possible, try using the xorkee app (iOS / Android / Windows / Linux / macOS) - https://www.odysseytec.com/downloads/ I think this would help.