PKI credentials used to encrypt SSO data
Determining which PKI key is used to encrypt / decrypt SSO data
If SSO data is encrypted using PKI credentials, a symmetric user key is used to encrypt SSO data. In turn, the user key is encrypted with the userâs (PKI) public key. SSO data can only be decrypted using the userâs (PKI) private key which is stored in a PIN protected container of the smart card.
The private key is used to decrypt the user key, and the user key decrypts the SSO data. This hybrid approach takes advantage of the speed provided by symmetric keys and the strong security provided by PKI.
There are a number of options available if the smart card (and therefore private key) is lost including passphrases and/or key escrow/recovery.