Secure AES challenge-response.
May 4, 2011 7:21 AM Subscribe
How do I securely implement a cryptographic challenge-response in software if the software needs my AES key to create the challenge?
posted by odinsdream to Computers & Internet (12 answers total)
I have a YubiKey
USB device that supports challenge-response queries [pdf]
Conceptually, I'm under the impression that the cryptographic "challenge" is created with the AES key. Assuming an offline software application needs to challenge the device, how can the AES key be available to the software without compromising system security?
It seems like the AES key needs to be either hard-coded into the application or stored in a local database or config file. I must be missing something, though.
Note: I'm not actually going to be the programmer implementing this, I just need to understand the conceptual framework under which this scenario would be secure.