Yubico Forum
https://forum.yubico.com/

Protecting secrets on servers
https://forum.yubico.com/viewtopic.php?f=22&t=668

Author:  Fredrik-at-Yubico [ Mon May 02, 2011 9:26 pm ]
Post subject:  Protecting secrets on servers

The YubiHSM product page says "YubiHSM - Securing secrets on servers".

This refers to cryptographic secrets that can be secured by being moved to the isolated environment of the YubiHSM, where they can be used to perform cryptographic operations in the secure environment, with only the result being made available outside the secure environment.

A number of applications to the YubiHSM beta program seem to be about protecting arbitrary data stored on servers (credit card numbers, medical records etcetera).
We've interpreted this use case as follows: you want to store the secret data in a way that you can access it online, but an attacker cannot.

We are currently not aware of a way to protect non-cryptographic data with the YubiHSM that would not let an attacker just extract all the data if they gained access to the server with the YubiHSM. We would be very interested to talk more about how the YubiHSM could help in this scenario, so please talk to us if you can think of a way.

The Yubico Team

Author:  mike007 [ Wed May 04, 2011 9:54 am ]
Post subject:  Re: Protecting secrets on servers

Yes, I'm not that great at cryptography. I just know how to hash and encrypt in PHP.
But I'm assuming, SOMEHOW, the YubiHSM is capable of storing keys, not data though, in a fully secure way that even someone with physical access can't get to it.

SO, why not take what the YubiHSM IS capable of, make a PHP module and then let it loose to people like me that need to store sensitive information on a server.
A PHP module would not only be able to control the YubiHSM PHY but also introduce yubishm_() functions into PHP that I can then use very easily.
An example would be to initialize and have the HSM generate a key. I can then use yubishm_encrypt() and give it some data. I would then get the data back encrypted and ready to store. Then when I need it, I do yubishm_decrypt().

If you deliver a ready to go PHP module (and maybe other systems), all of us developers would install it, buy a YubiHSM, have our data center plug the tiny USB key into our dedi, and we are good to go with much better security.

Again, I'm not sure what an HSM is or is capable of. But it seems capable of doing something really secure that nothing else can. Now give us an easy way to use it.

Author:  mike007 [ Wed May 04, 2011 11:29 am ]
Post subject:  Re: Protecting secrets on servers

I'm going to move my database to Amazon RDS soon and this would be very useful. SSL can protect data in transit but I need to secure data stored in the database. Amazon can get hacked, employees can read everything and another user might be able to penetrate my instances.

Author:  Fredrik-at-Yubico [ Thu May 05, 2011 8:42 am ]
Post subject:  Re: Protecting secrets on servers

mike007 wrote:
...
SO, why not take what the YubiHSM IS capable of, make a PHP module and then let it loose to people like me that need to store sensitive information on a server.
A PHP module would not only be able to control the YubiHSM PHY but also introduce yubishm_() functions into PHP that I can then use very easily.
An example would be to initialize and have the HSM generate a key. I can then use yubishm_encrypt() and give it some data. I would then get the data back encrypted and ready to store. Then when I need it, I do yubishm_decrypt().

The problem is that if someone hacks your server, they can just decrypt all the data just like your application would and then steal it.

    # same call the application itself makes
    foreach my $encrypted (get_all_encrypted_records()) {
        yubihsm_decrypt($encrypted);
    }

You don't get any additional security from using the YubiHSM in this case.

/Fredrik

Author:  mike007 [ Thu May 05, 2011 3:24 pm ]
Post subject:  Re: Protecting secrets on servers

I see, what is the HSM capable of then? WHEN would it be able to protect keys as it is intended to do?

Author:  marcusw [ Fri Jul 29, 2011 9:51 pm ]
Post subject:  Re: Protecting secrets on servers

mike007 wrote:
I see, what is the HSM capable of then? WHEN would it be able to protect keys as it is intended to do?


The YubiHSM doesn't give any data back to the computer it's attached to. All it does is take an OTP and give back a yes/no answer which says whether or not the OTP was valid. It can't (in theory) give the symmetrical keys to the computer.

Another way to implement this would be with a device such as an Arduino or especially a Raspberry Pi. But as these are < 1/10 the price of the device which Yubico is planning to produce, I should probably not talk about them here.

Author:  ferrix [ Fri Jul 29, 2011 11:03 pm ]
Post subject:  Re: Protecting secrets on servers

Well I can't officially speak for Yubico, but I think it's OK to talk about other solutions at least in passing. Interesting thought to "roll your own" with the increasing amount of maker hardware out there. I like the fact that the module is purposely dedicated and limited from performing other kinds of operations; it reduces the attack surface. You could certainly do something like that with an Arduino. I'm not so sure about the Pi, we'll have to see.

Once you include everything into a turn-key solution, I have not seen another one that compares to YubiHSM price-wise. But I think the YubiHSM is not meant to sell a billion units; they developed it because they needed a solution like that, and hey it's useful for others too so why not sell it :)

Author:  dreamss [ Wed Oct 09, 2013 2:13 am ]
Post subject:  Re: Protecting secrets on servers

honestly the way i see it, you need to separate/encrypt the data depending on who actually needs the info. dongles won't do much as long as ur database/software has access to the unencrypted data

databases should be able to integrate and use crypto devices transparently, passwords should not be able to be read from the database and databases should provide native functions to check if the password matches the one stored in the database

all payment information should be stored using public keys from payment services so only they can read it, stores do not need to know the users cc number do they?

personal info is really the only issue i haven't been able to solve, trying to implement security for tax preparation offices

authorizing the user issue has been solved by now, protecting the data from the authorized user is the next step :/ hopefully we will see better support for pk11 in tax software 'cause it's a mess out there

for now my plan is to try to set up mssql/ad network with neo PIV applet for crypto
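
The yes/no interface that marcusw's and dreamss's posts describe (a device that validates without releasing keys, a database that checks a password without exposing it), as an added Python example that is not part of the original thread and not a Yubico API. `ToyKeyHolder`, its methods and the sample credentials are hypothetical, and a keyed HMAC stands in for whatever cryptography a real device uses.

```python
import hashlib
import hmac
import os


class ToyKeyHolder:
    """Software stand-in for a device that never releases its key (hypothetical)."""

    def __init__(self, max_failures=5):
        self._key = os.urandom(32)        # generated inside, never returned
        self._failures = {}               # failed attempts per user
        self._max_failures = max_failures

    def _tag(self, user, salt, password):
        msg = user.encode() + b"\x00" + salt + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, user, password):
        """Return (salt, tag) for the database. The salt is chosen here, so
        this call cannot be used to recompute a tag for a stolen record."""
        salt = os.urandom(16)
        return salt, self._tag(user, salt, password)

    def verify(self, user, record, password):
        """Answer only yes/no; refuse further checks after repeated failures."""
        if self._failures.get(user, 0) >= self._max_failures:
            return False                  # locked out, even for the right password
        salt, stored = record
        ok = hmac.compare_digest(stored, self._tag(user, salt, password))
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


def demo():
    device = ToyKeyHolder()
    # Constructed sample credentials.
    record = device.enroll("alice", "correct horse")
    # Same code with a different key models a database dump without the device.
    dump_only = ToyKeyHolder()
    return {
        "good": device.verify("alice", record, "correct horse"),
        "bad": device.verify("alice", record, "guess"),
        "dump_only": dump_only.verify("alice", record, "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Unlike a decrypt call, nothing this interface returns reveals the protected value, so a stolen database is useless offline and a compromised host is limited to rate-limited online guesses.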

All times are UTC + 1 hour