Any secure USB dongle/token with internal AES and RSA, with simple API?

Question

• I've my C# NET6 desktop application to send to customers, important functions have been removed and implemented on a server
• I've my public server on which I want to auth desktop app(license, feature...), get its blob, process it, send back

I consider the C# app crackable whatever obfuscator/protector I'll use (but i'll use anyway), server is considered secure, i need a secure point at customer premise. The idea is to use an usb dongle to bring up a secure and authenticated session between desktop app and server.

Requisites for the dongle are:

• Be able to do AES128(at least) and/or RSA1024(at least)
• EAL5+/6+ secure MCU (nothing that could be dumped with glitches or baths in acid)
• dll and API to talk with

So far i've looked at various sw protection dongle, but:

• some are 15years old mcu and not sure if still in business
• most doesn't tell what mcu is inside, some are fast (but silly) stm32, some are slow 8051
• the expensive ones are the most complex ones, i mean it takes days to read unclear documentation and see that i don't need 90% of the package (enveloper, mssql db for my 50customers...)
• i don't need at all their C# enveloper, I want to use a thirdparty/specific protector with VM

So i've looked at usb tokens PKI, FIDO2, PIV....but:

• FIDO2 allows customer to reset pin and cear all certificates, no good as i want to burn keypair inside prior to ship to customer
• PIV not found any cheap PIV only usb token, some FIDO2 expensive has also PIV interface, but...
• to talk to FIDO2 and PIV i would need all the overload bloat of libraries that i very dislike (and also needs admin right, which i want to avoid)
• PC/SC usb token are the most lowlevel to use, mscard lib and do whatever, nice but.....ISO-7816-8,9 are not public, costs like 300bucks to eventually see that my card vendor implemented custom stuff

I've 0x80 blob to send to dongle to powmod() it, that's all, no x509, no pkcs11, no base64, nothing human, just need a powmod(data) or an aes_dec(data).

Any suggestions?

Answer 1

While this is no full answer, I would like to address some issues:

• You may underestimate the complexity required. Obviously necessary is some specification, whether RSA or AES operation is required. This has to show up somewhere, either as command parameter or as a set-up command (between host and connected token).
• Pure modular exponentiation is unlikely to reach the desirable level of security, since RSA depends on padding to exclude some kinds of attack.
• You may not like PKCS 11 interface, but it is proven and known to introduce no security issues. This may require notable effort if done on your own.
• Given the mentioned EAL levels, my guess would be, that you need a smart card chip with USB interface.
• The MCU is pretty irrelevant: to get crypto operations hardened, you need special hardware (as cryptographic coprocessors). It has little influence, how old the architecture of the chip is, which feeds the bytes to those.