Hacker News

HSMs generally support import, but not export. Keys generated on the device can't be transferred elsewhere, but you can generate the key separately and import it into the HSM while keeping a backup copy. TOTP apps generally work the same way, except the keys are always imported: you can save the secret used to configure the app (screenshot the QR code, or scan it with a regular QR code reader) and use that to set up the same TOTP on a different device.

> You have one TOTP app generate a key pair, give you the public key, which the other TOTP app uses to generate an encrypted blob out of the stored codes, which only the target TOTP app can decrypt.

Unless you somehow verify that the public key came from a "genuine" TOTP app, that's essentially the same as allowing the keys to be exported in plaintext. (User/attacker generates their own key and presents it to the TOTP app which duly encrypts its secrets in a way the user or attacker can easily decode.)
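An added illustration of the import-only TOTP model described above (example code, not from the thread): the enrollment URI below is constructed, using the RFC 6238 reference secret, and two independent "devices" enrolled from the same QR payload produce identical codes without either one exporting anything.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment payload in the otpauth:// format that TOTP apps encode
# in their QR codes. The secret is the RFC 6238 reference key
# "12345678901234567890" in base32, so outputs can be checked against the RFC.
ENROLLMENT_URI = ("otpauth://totp/Example:alice@example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # many apps omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Authenticator:
    """Minimal stand-in for a TOTP app: it only ever imports a secret."""
    def __init__(self, uri):
        p = parse_otpauth(uri)
        self._key, self.digits, self.period = p["key"], p["digits"], p["period"]
    def code(self, unix_time):
        return totp(self._key, unix_time, self.digits, self.period)

def same_codes(uri, unix_time):
    """Two devices enrolled from the same QR payload agree with no export step."""
    return Authenticator(uri).code(unix_time) == Authenticator(uri).code(unix_time)
```

Keeping the QR payload is therefore the backup; the app's own store adds nothing that cannot be recreated from it.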
