Key used for decryption when using PKI credentials to encrypt SSO data

  • 7940515
  • 19-Aug-2009
  • 26-Apr-2012

Environment

SecureLogin SSO

Situation

PKI credentials used to encrypt SSO data

Determining which PKI key is used to encrypt / decrypt SSO data

Resolution

There are a number of encryption options in version 6 and later of SecureLogin. By default, SecureLogin encrypts data using either a user-defined passphrase key or a randomly generated key. In addition, SSO data can be encrypted using PKI credentials (an asymmetric key pair) or a symmetric key generated and stored on the smart card.

If SSO data is encrypted using PKI credentials, a symmetric user key is used to encrypt the SSO data. That user key is in turn encrypted with the user's (PKI) public key, so the SSO data can only be decrypted with the user's (PKI) private key, which is stored in a PIN-protected container on the smart card.

The private key is used to decrypt the user key, and the user key decrypts the SSO data. This hybrid approach combines the speed of symmetric keys with the strong security provided by PKI.
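The hybrid layout described above, as an added example that is not SecureLogin's own code or storage format: it is written in Ruby with the openssl standard library, assumes AES-256-GCM for the symmetric user key and RSA-OAEP for wrapping it, and uses a software RSA key pair in place of the smart card's PIN-protected private key.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# One SSO store as the article lays it out: the SSO data is encrypted under a
# random symmetric user key, and the user key is wrapped with the PKI public key.
SsoStore = Struct.new(:wrapped_user_key, :iv, :auth_tag, :ciphertext)

# Generate a fresh 256-bit user key, encrypt the SSO data with it (AES-256-GCM),
# then wrap the user key with the user's public key (RSA-OAEP). Nothing in the
# store can be read without the matching private key.
def seal_sso_data(public_key, sso_data)
  user_key = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = user_key
  iv = cipher.random_iv
  ciphertext = cipher.update(sso_data) + cipher.final
  wrapped = public_key.public_encrypt(user_key, OAEP)
  SsoStore.new(wrapped, iv, cipher.auth_tag, ciphertext)
end

# The logon path: the private key (in a real deployment, released from the
# smart card's PIN-protected container) unwraps the user key, and the user key
# decrypts the SSO data. A wrong private key fails at the unwrap step; a
# tampered store fails the GCM tag check. Both raise rather than return garbage.
def open_sso_data(private_key, store)
  user_key = private_key.private_decrypt(store.wrapped_user_key, OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = user_key
  cipher.iv = store.iv
  cipher.auth_tag = store.auth_tag
  cipher.update(store.ciphertext) + cipher.final
end

# Constructed demonstration: a 2048-bit key pair standing in for the card's
# credential, and a made-up SSO record.
if $PROGRAM_NAME == __FILE__
  card_key = OpenSSL::PKey::RSA.new(2048)
  store = seal_sso_data(card_key.public_key, 'app=mail;user=alice;pass=example')
  puts open_sso_data(card_key, store)
  begin
    open_sso_data(OpenSSL::PKey::RSA.new(2048), store)
  rescue OpenSSL::PKey::RSAError => e
    puts "another private key cannot unwrap the user key: #{e.class}"
  end
end
```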

There are a number of options available if the smart card (and therefore the private key) is lost, including passphrases and/or key escrow/recovery.