Protecting Keys

Protecting Private Keys

To prevent misuse of private keys, you must ensure that they are stored in a secure place. There are two methods of storing private keys:

  • Hardware solutions (for example, smart cards or crypto boxes)
  • Software solutions (for example, Personal Security Environments or PKCS#12 format)

Hardware Solutions

The best way to protect SAP System users' private keys is to use smart cards that you issue to each individual user. The keys are saved on the card, and the card is designed to never reveal the private key. Users have to authenticate themselves to their cards, either using biometrics (for example, a fingerprint) or knowledge (for example, a PIN, password or pass phrase entry) and can then use the card to create digital signatures or to encrypt documents. In this case, each user needs to protect his or her smart card from theft or loss.

Caution

Do not allow your users to share smart cards or give them to others to use!

On the server, you can use a crypto box instead of a smart card for higher performance.

Software Solutions

As an alternative, you can use a software solution to store the users' private keys. A software solution is not as safe as crypto hardware; however, it is less expensive to implement. If you use files to store the users' information and private keys, then you need to take extra care to protect those files from unauthorized access.
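One concrete check for the file-based case is to audit the key container files (PSE or PKCS#12) for ownership and permission problems. The following script is an added example, not SAP's own tooling: it assumes a POSIX file system, that each key file should be owned by one expected service account, and that files end in .pse, .p12 or .pfx (the suffixes and the sample directory in the demo are constructed for illustration).

```python
import os
import stat
import tempfile

# Any of these bits lets someone other than the file owner read or write the key file.
_GROUP_OTHER_ACCESS = stat.S_IRWXG | stat.S_IRWXO


def evaluate_key_file(mode: int, owner_uid: int, expected_uid: int, is_symlink: bool) -> list:
    """Return a list of findings for a key file described by its stat data.

    An empty list means the file passes: owned by the expected account,
    readable and writable by that account only, and not a symbolic link
    (a link could silently point the application at a different file).
    """
    findings = []
    if is_symlink:
        findings.append("file is a symbolic link")
    if owner_uid != expected_uid:
        findings.append(f"owned by uid {owner_uid}, expected uid {expected_uid}")
    if mode & _GROUP_OTHER_ACCESS:
        findings.append(f"group/other permission bits set: {stat.filemode(mode)}")
    if not (mode & stat.S_IRUSR):
        findings.append("owner cannot read the file")
    return findings


def audit_key_file(path: str, expected_uid: int) -> list:
    """Stat one key file on disk and evaluate it."""
    info = os.lstat(path)  # lstat so a symlink is reported as such rather than followed
    return evaluate_key_file(
        mode=stat.S_IMODE(info.st_mode),
        owner_uid=info.st_uid,
        expected_uid=expected_uid,
        is_symlink=stat.S_ISLNK(info.st_mode),
    )


def audit_directory(directory: str, expected_uid: int, suffixes=(".pse", ".p12", ".pfx")) -> dict:
    """Audit every key file in a directory; returns {path: findings} for files that have findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(suffixes):
            path = os.path.join(directory, name)
            findings = audit_key_file(path, expected_uid)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Constructed demonstration: a temporary directory with one correctly
    # protected file and one world-readable file. The contents are placeholders,
    # not real key containers.
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "SAPSYS.pse")
        bad = os.path.join(d, "client.p12")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"placeholder, not a real key container")
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)  # readable by everyone on the host: the audit should flag this
        for path, findings in audit_directory(d, os.getuid()).items():
            print(path, "->", "; ".join(findings))
```

Run it as the account that owns the key files (or pass that account's uid) and treat every reported path as a file whose contents must be considered exposed until permissions are corrected and, where the file was readable by others, the key is replaced. The check covers file system access only; the password protecting a PSE or PKCS#12 container is still required.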

Protecting Public Keys

If the security product uses an address book to store the public keys instead of certificates, then you need to protect the address book from unauthorized modifications.
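Protecting an address book from unauthorized modification means both restricting write access and being able to detect a change after the fact. The following is an added example, not part of this documentation or of any SAP product: it keeps an HMAC-authenticated manifest of the address book's entries, with the MAC key held outside the book, and reports modified, added or removed entries. The address book layout (user name to PEM text) and the key material are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample address book: user name -> public key (PEM text).
# The key bodies are placeholder strings, not real public keys.
ADDRESS_BOOK = {
    "alice": "-----BEGIN PUBLIC KEY-----\nALICE_PLACEHOLDER\n-----END PUBLIC KEY-----\n",
    "bob": "-----BEGIN PUBLIC KEY-----\nBOB_PLACEHOLDER\n-----END PUBLIC KEY-----\n",
}


def _canonical(entries: dict) -> bytes:
    """Deterministic serialization so the MAC does not depend on dict ordering."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(address_book: dict, mac_key: bytes) -> dict:
    """Hash each entry and authenticate the whole listing with an HMAC.

    The MAC key must be stored outside the address book, with the same care
    as a private key; otherwise anyone who can edit the book can also
    recompute the MAC.
    """
    digests = {
        name: hashlib.sha256(key.encode()).hexdigest()
        for name, key in address_book.items()
    }
    return {"entries": digests, "mac": hmac.new(mac_key, _canonical(digests), hashlib.sha256).hexdigest()}


def verify_address_book(address_book: dict, manifest: dict, mac_key: bytes) -> dict:
    """Compare the current address book against a manifest.

    Returns findings under 'manifest_tampered', 'modified', 'added' and
    'removed'. All four lists empty means the book matches the manifest.
    If the manifest's own MAC fails, no per-entry comparison is attempted,
    since the recorded digests cannot be trusted.
    """
    findings = {"manifest_tampered": [], "modified": [], "added": [], "removed": []}
    expected_mac = hmac.new(mac_key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        findings["manifest_tampered"].append("HMAC mismatch: manifest cannot be trusted")
        return findings
    recorded = manifest["entries"]
    for name, key in address_book.items():
        if name not in recorded:
            findings["added"].append(name)
        elif hashlib.sha256(key.encode()).hexdigest() != recorded[name]:
            findings["modified"].append(name)
    findings["removed"] = sorted(n for n in recorded if n not in address_book)
    return findings


def is_clean(findings: dict) -> bool:
    return not any(findings.values())


def tampered_copy(address_book: dict, name: str, new_key: str) -> dict:
    """Return a copy of the book with one entry replaced or added (used for the demonstration)."""
    copy = dict(address_book)
    copy[name] = new_key
    return copy


if __name__ == "__main__":
    mac_key = b"constructed-demo-mac-key"  # placeholder; a real deployment uses a protected random key
    manifest = build_manifest(ADDRESS_BOOK, mac_key)
    print("unchanged book clean:", is_clean(verify_address_book(ADDRESS_BOOK, manifest, mac_key)))
    swapped = tampered_copy(ADDRESS_BOOK, "bob", "-----BEGIN PUBLIC KEY-----\nOTHER\n-----END PUBLIC KEY-----\n")
    print("after replacing bob's key:", verify_address_book(swapped, manifest, mac_key))
```

The manifest detects a change; it does not prevent one, so the address book file still needs the same access restrictions as the private key files, and a modified entry must be treated as an untrusted public key until it is re-verified out of band. Certificates from a trusted CA, as described next, remove the need for this separate integrity record because the CA's signature binds each public key to its owner.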

As an alternative, you can use certificates that are signed by a trusted Certification Authority (CA) to make sure that the public keys are authentic.