This post was originally published on Medium: https://medium.com/@congruent_tim/signata-release-candidate-2-the-software-keys-edition-38e33234c2a8
One of the biggest barriers to users setting up Signata was the fact that they needed a YubiKey before they could actually use the product. To overcome this we’ve released a new version that now adds a “Software-based” device as an option, so you can start using the product until you can get yourself a YubiKey (or two).
We had toyed with this idea earlier in the product development cycle. In fact we even created a dummy software-based device so that we could develop all of the Device APIs we needed without actually needing a YubiKey connected all the time. But the first iteration of this idea was just too unsafe for us to be willing to release it for public use, and so we removed it.
We know there are quite strong key storage mechanisms built into modern Operating Systems, but we’d have to write something to interact with those from our desktop application.
So, this new Release Candidate of Signata includes a tool that interacts with the Cryptographic Next Generation (CNG) libraries built into Windows to store encryption keys. We effectively do everything the same as we would when we use YubiKeys, but during set up of your device we just inject your key into a Password-enforced and encrypted container embedded inside your Windows profile.
Everything else works basically the same, but any time you need to use this encryption key (e.g. to decrypt a bitcoin key pair to digitally sign a transaction), then a popup will appear asking for your password to use the key instead. This key also won’t follow you around between computers, it’s stuck in your profile on your machine. If someone else logs into their account on your machine, then they can’t use it.
And, if you do have a YubiKey at the same time, we will always default to using the YubiKey first instead of the software-based key.
Isn’t this less secure than YubiKeys?
Correct, it is less secure. The CNG APIs and key protections are good, but are of course vulnerable to the operating system being compromised. Granted so are YubiKeys, but with the keys stored in CNG there’s an underlying risk that your Device could suffer an attack offline and you wouldn’t know about it. YubiKeys allow you at least to disconnect the device entirely from your computer when you aren’t using them for that assurance.
Ultimately, this functionality is only designed as a bridge to obtaining a Hardware device. We will push new features soon too so that if you add a YubiKey after you’ve added the Software-based device, we’ll simply delete the Software-based device to prevent misuse.
We recommend that you only use this feature on trusted machines. Keep your Operating System up to date, make sure Anti-Virus/Anti-Malware is up to date, enable Full Disk Encryption if you can, etc.
What about Mac?
We’re planning to develop the same functionality there too, but instead utilising the Keychain on macOS. We’re still procuring all of the development equipment that we need though to be able to implement this, so please bear with us until we can get this feature out :)
Can you use my Trusted Platform Module instead?
It’s possible, as the way we store the key inside your Windows profile is very similar to how we could store the key in a TPM. They are, however, not universally available on every Windows machine, especially when it comes to older machines or consumer-grade hardware. This idea is in the backlog though, so maybe we’ll add in a future release.
By the time you’re reading this, the RC2 installer should be available for download on the Signata website. If you’re wondering where the download link is, simply sign up to Signata and you should see it in the menu at the top of the page.
p.s. if you’re very keen to see the macOS product, drop us an email at firstname.lastname@example.org and we’ll see if we can prioritise the release for you.
p.p.s. Use the coupon code BETA100 if you want the coupon to sign up for Signata — it’s capped at 100 users, so just email us if it’s expired and we’ll make another one for you. We will open up the Beta to everyone very soon, we just want to make sure no major bugs are in the product that could affect a lot of users.