PKCS#11, Encryption and SafeHouse

January 15, 2008 19:47 by pavritch

This is an advanced topic which describes a little-known yet very powerful feature of our SafeHouse software.

Smartcards are in widespread use in larger organizations. They're used to prove identity and to authenticate users into network servers, Cisco firewalls, Citrix applications and a host of other secure resources. Many smartcards adhere to an industry standard known as PKCS#11. This standard allows multiple third-party applications to communicate with smartcards using a common protocol.

Our SafeHouse encryption software is PKCS#11-aware and knows how to save the passwords for users' private storage vaults onto a PKCS#11 smartcard. We support ActivIdentity and Aladdin smartcards right out of the box with built-in smartcard detection, and we can support any other compliant product through a simple dialog setting for generic devices. For instance, I just learned SmartID from Deepnet works perfectly with the generic interface (I'll likely add built-in support shortly).

For people who are already using smartcards, eTokens or virtual smartcards on memory sticks, SafeHouse is a good fit because you can use your existing smartcard to store the passwords associated with your encrypted files and folders. The bonus of doing this is that it allows you to choose super long (meaning extra strong) passwords for SafeHouse-protected storage areas - because they'll be saved on the smartcard and you'll never need to actually type them.

A prospective customer was recently telling me how he had SafeHouse combined with SmartID on the same memory stick. SmartID from Deepnet is software that emulates a PKCS#11 smartcard and can utilize off-the-shelf USB memory sticks. This is similar in concept to the virtual smartcard feature already built into SafeHouse, but the Deepnet product is a full and robust implementation of the PKCS#11 specification, whereas in SafeHouse we only implemented a fraction of the full API since we only needed to perform a few specific functions internally for our own needs.

What was interesting about the SafeHouse/SmartID combination is that it really created a very powerful memory stick. Not only can you safely store encrypted files on the memory stick (using SafeHouse), but you can also store the SafeHouse passwords and passwords for corporate intranets, firewalls and the like on the same device (thanks to SmartID). But there's no reason to stop there. SafeHouse also lets you keep encrypted files and folders on your main internal hard drive. Here too, the passwords can be saved to the virtual smartcard memory stick device.

The bottom line to all of this is that by combining SafeHouse with some of these other smartcard products, life in terms of passwords gets really simple. All you need to remember is the single PIN assigned to the virtual smartcard. The software that runs the smartcard will automatically supply your passwords as needed to your various login screens.
