Write/format protected USB flash disk or USB token

Question

I'm developing C# .NET application that will use certificates for signing data to be sent with private key, and verify signature with public key at receiver side. I'm delivering *.p12 (PKCS #12 format) files to users in USB flash disk, but want to prevent users formatting or writing to it. Is there any way to do this?

Some advise me using USB token, but I don't have any experience with it. Is it possible to store *.p12 files in USB token or they contain only some certificate types?

If none of above suitable for this, please advise me some better ways.

Answer 1

The problem with flash disks is not that the user can write to them but that the secret information (a private key) can be copied from it. USB cryptotokens in opposite let you use the key but not copy it.

USB cryptotokens don't store "files" (though some of them let you store "application data" of different size). They store certificates, public keys, private keys and symmetric (secret) keys. PKCS#12 file is a collection of certificates and associated private keys, so you can use a USB token to store contents of the PKCS#12 file in the USB token.

If you want to let users copy and distribute the keys for whatever reason (eg. to install the certificate with a key to Windows certificate storage), then USB cryptotoken won't work for your task well (while it's possible to use it as a flash disk, that would be overkill).

As for write-protecting the USB flash disk - yes, on controller level those devices can be set as read-only, but I am not sure that this is doable from C#.