Are there valid reasons for using a hardware encryption device (e.g. USB encryption dongle/keystore) over using a software library?

views:

272

answers:

+1 Q:

Are there valid reasons for using a hardware encryption device (e.g. USB encryption dongle/keystore) over using a software library?

If your application needs to encrypt/decrypt data (for various reasons), are there any reasons why you would use a hardware device (e.g. a USB encryption device - like a Marx CryptoBox) instead of using a software encryption library (like .net Cryptography or writing your own) and keep your keys in a safe key store?

I am looking for some objective views on this matter.

To narrow down the question posed: what would your opinion be if the system that used the usb encrpytion dongle was housed in a physically secure server vault and there was only one system in existence (i.e. its not a software product that is distributed and run on many desktops) ? In very simplistic terms, the purpose of the above system is to validate (decrypt and compare) a piece of incoming encrypted data.

Thanks so far for your great answers!

+2 A:

It's not about what's more secure because nothing is 100% bullet proof. It's a question on "how to make it as difficult as possible"

You could see it from this point: If you store keys on the computer, they're there 24/7. If my pair of keys is on an external device, the keys are only accessible while attached to the device. ==> You reduce the timeframe in which somebody else can copy your keys. It's much easier to access something if physical access is not needed.

Think of online banking: Many banks have added "external" ways of authentifcation such as Tan / Tac /tanSMS/ tokengenerators etc. etc. Neither of those is secure for itself: I can steal your login password, I can steal your mobile phone, I can steal your Tac/Tan list and so on. But chaces are very low that I can steal all necessary elements at once => All pieces of the puzzle together create a quite secure solution.

Also think of these factors:

money: Do you really need a 70$ token-based-protection for your 100$ app?
time: I would say that software based systems are faster
relevance: Does it make sense to provide my apps with such a complex protection system

Chris 2009-07-29 13:41:15

The $100 app may very well be handling $100.000.000 transactions. If it's Excel, for instance.

MSalters 2009-07-29 13:55:02

"more secure" does in no way imply that it is bullet proof. More secure by definition implies that it's more difficult than the other one. Just saying :)

rein 2009-07-29 14:06:22

What would your opinion be if the software resided in a secure environment (server vault) and used the device purely to store its keys as well as the device's hardware encryption capabilities? The purpose of the system is to validate (decrypt and compare) an incoming encrypted piece of data.

bunn_online 2009-07-29 14:17:12

+1 A:

T.E.D. 2009-07-29 13:42:08

+1 A:

A hardware key allows use to constrain usage of the software to a machine where the key is plugged in.

With software encryption it would be easier to copy the software to many machines and run it many times in parallel.

Mark 2009-07-29 13:44:12

+1 A:

I think it depends on the purpose/usage of your application. If you're developing a product for a high security need, such as banking or government, a hardware addition to your solution could be entirely appropriate. You have to consider the additional costs that a hardware solution would add to the project. Not just in the initial development, but the ongoing hardware maintenance costs that would be required after development is complete. From my perspective, having worked banking in the past, there were very, very few solutions where we felt that a hardware solution was worth the additional costs it would entail.

BBlake 2009-07-29 14:07:10

ansaurus

tags:

views:

answers:

Are there valid reasons for using a hardware encryption device (e.g. USB encryption dongle/keystore) over using a software library?

related questions