Search code examples
smartcardusb-drivefipspkcs#11

Looking to store encrypted files on PKCS#11 Compliant Hardware Token

My C# .NET4 program has been storing data in encrypted files on the regular Windows file system and one of our customers has requested that we integrate the program with a PKCS#11 token (henceforth known as the 'token'). After a bit of researching, I discovered NCryptoki and I believe that will provide the necessary interface between my program and a compliant token.

I've got a couple of questions that I can't seem to find answers for that I hope the experienced people here can help me with. I'm still new with PKCS#11 and cryptography principles in general so some of these questions may seem a little juvenile.

  1. My theory is that the token will be able to be inserted into a computer and, using methods in my program that implemented the NCryptoki library, the encrypted files will be able to be saved directly onto it. The files would only be able to be accessed through a wizard in my program. I should be able to continue saving files on the drive as long as the token has space. Is all of this correct?
  2. I will need at least 64K memory on the token and the token must be a minimum of FIPS 140-2 Level 2, preferably level 3. I've looked and have only come across the SafeNet iKey 4000. I KNOW there must be more PKCS#11 compliant tokens that have at least 64K storage. I've spent hours going through the FIPS 140-1/2 Validated Crypto Modules looking for USB Storage PKCS#11 tokens but haven't had much luck. Does anyone know of any other companies that sell what I'm looking for? This could be a USB device or even a Smart Card. We want to be able to provide multiple options for the customer.
  3. Has anyone had any experience with this sort of implementation before that could provide me with some "lessons learned" or things to be aware of?

Also, if this isn't the correct place to put this, please let me know where to repost. I appreciate all of the help!

Solution

  • While PKCS#11 supports storing of application data on the devices, the devices themselves (I am talking about USB cryptotokens and smartcards now) are designed for a different purpose. In particular, they are designed to hold small pieces of secret or sensitive data. They are not a data storage. Some vendors provide hybrid tokens, where a USB cryptotoken is combined with a flash disk. But even in this situation these would be two devices in one case.

    It is possible that your scenario can be modified in the following way so that you:

    1. generate a session key (possibly right on the device)
    2. use this key to encrypt your sensitive data.
    3. store the encrypted data elsewhere (on a USB disk part of the hybrid device, for example) and use the USB cryptotoken to encrypt/decrypt the data.

    On a side note: almost all cryptotoken devices require their drivers to be installed to the system. Unlike USB disks and flash cards there's no universal driver in the OS that would let you plug the USB cryptotoken and use it immediately without installing the driver. This is a hassle from user's perspective, so take this into account as well.