The physical capture of a mobile device places at risk any cryptographic keys that the device holds, and thus any capabilities that those keys engender (VPN access, file decryption, signing email, etc.). We present a software approach to the protection of a key on a device that may be physically captured, but one that assumes that the device is able to interact with a remote "capture protection server" when it must use its key. The role of the capture protection server is to confirm that the device is presently in the possession of the user who initialized it; only in this case will it permit the device to use its key. At the same time, the server provably learns no useful information about the device's key. An interesting feature of our approach is the ability of the user to dynamically change the capture protection server for her device, via a process we call "delegation". We describe the opportunities this presents for substantially generalizing prior approaches to key protection, new vulnerabilities that delegation introduces, and a lightweight infrastructure for remedying those vulnerabilities. Finally, we describe our implementation of this approach in a JCA-compliant cryptographic service provider, and discuss design choices of the JCA interfaces that had far-reaching ramifications for our implementation.

Portions of this work are joint with Phil MacKenzie, Asad Samar and Chenxi Wang.