Re: Securing an encryption key within software.



without understanding the use, and confidentiality requirements of
your system, the only thing I can suggest is the use of TPM.

Trusted Platform Module 1.2 is a hardware chip comes with most of the
recent computers. The TPM can bind your encryption key, such that they
keys are tied to a particular TPM. Since each TPM has a unique root
key, the wrapped application encryption keys, can not be decrypted on
any other computer.

Generate a unique AES encryption key for each installation of your
software, Wrap/bind that key with the wrapping key from the TPM, and
place the wrapped AES key on the hard drive. Whenever you need to
access your encrypted data, read the encrypted AES key from the hard
drive and get it is decrypted by the TPM, and use the decrypted key to
decrypt other.

So now your application is tied to particular computer. If somebody
steals the AES key from the computer, and try to decipher or some
other computer, they won't be able to.

To further secure this implement, you can probably use cryptographic
ASIC or HSM to perform the encryption, so that the CPU never sees the
decrypted AES key.
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: Securing an encryption key within software.
    ... Securing an encryption key within software. ... the only thing I can suggest is the use of TPM. ... place the wrapped AES key on the hard drive. ... decrypt other. ...
    (Focus-Microsoft)
  • Re: Securing an encryption key within software.
    ... the only thing I can suggest is the use of TPM. ... Generate a unique AES encryption key for each installation of your ... place the wrapped AES key on the hard drive. ... decrypt other. ...
    (Security-Basics)
  • Re: Bulk encryption capabilities of a TPM
    ... the word "bulk", it means several GB of data to me. ... Now the TPM has to only decrypt / encrypt this bulk ... whatever) and asks TPM to decrypt the blob. ...
    (Security-Basics)
  • Re: Hard disk Encryption
    ... the key (used to decrypt the data) has to be ... transmitted outside of the TPM. ... But this question is actually irrelevant, because an attacker ... hardware attacks: ...
    (Security-Basics)
  • Re: Bulk encryption capabilities of a TPM
    ... kernel, et cetera. ... whatever) and asks TPM to decrypt the blob. ... TPM does not decrypt HDD -- it only extracts the key from the ...
    (Security-Basics)