How to safely store secret key? [closed]

此生再无相见时 posted on 2020-01-06 04:26:09

Question


As I have developed my app using OpenFL, which uses Haxe, and I am about to start the activation part of my software, I wonder how I would safely store my encryption secret key? Would I just hard-code it into my app??!

I will be using this key to encrypt data before sending it to the server, and I will be using it to decrypt data received from the server too.

Can anyone recommend best practices followed in such a case?


Answer 1:


This sounds like a job for asymmetric encryption.

  1. Create a key pair at your server, store public and private keys. The private key should be kept safe, the key size should be 2048 bits or more;
  2. Include the public key in your application;
  3. The application uses a secure random generator to create an AES key;
  4. The data is encrypted using CBC and PKCS#7 padding, also include an HMAC (possibly with yet another random AES key);
  5. Encrypt the key(s) with the RSA algorithm and the public key;

The server can now decrypt the AES keys using the private key and decrypt the data with the retrieved keys. Then verify the MAC, if you included it in your protocol. Finally decrypt the ciphertext to retrieve the plaintext.

This scheme is called hybrid encryption because it uses both symmetric and asymmetric encryption. Beware of padding oracle attacks (which leak all the plaintext to an attacker) if you don't use a MAC. Always verify the MAC before decrypting.

You can store an RSA public key within your application. With this public key you can encrypt an AES key (using PKCS#1 OAEP or v1.5 padding).



Source: https://stackoverflow.com/questions/20741811/how-to-safely-store-secret-key
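The hybrid scheme described in the answer, as an added example that is not part of the original post: it uses Node.js's built-in `crypto` module, wraps the keys with RSA-OAEP, and checks the HMAC before any CBC decryption. The function names, the message layout and the sample plaintext are assumptions made for illustration.

```javascript
// Added example: hybrid encryption with encrypt-then-MAC (names are illustrative).
const crypto = require("node:crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Client side: only the server's RSA public key ships inside the application.
function clientEncrypt(publicKey, plaintext) {
  const aesKey = crypto.randomBytes(32); // fresh AES-256 key per message
  const macKey = crypto.randomBytes(32); // separate random key for the HMAC
  const iv = crypto.randomBytes(16);     // random IV for CBC
  // Node applies PKCS#7 padding to CBC by default.
  const cipher = crypto.createCipheriv("aes-256-cbc", aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // The MAC covers IV and ciphertext, so tampering is caught before decryption.
  const tag = crypto.createHmac("sha256", macKey).update(iv).update(ciphertext).digest();
  // Both symmetric keys are wrapped with the RSA public key.
  const wrappedKeys = crypto.publicEncrypt({ key: publicKey, ...OAEP },
                                           Buffer.concat([aesKey, macKey]));
  return { wrappedKeys, iv, ciphertext, tag };
}

// Server side: unwrap the keys, verify the MAC, and only then decrypt.
function serverDecrypt(privateKey, msg) {
  const keys = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKeys);
  const aesKey = keys.subarray(0, 32);
  const macKey = keys.subarray(32, 64);
  const expected = crypto.createHmac("sha256", macKey)
    .update(msg.iv).update(msg.ciphertext).digest();
  // Constant-time comparison; reject before touching the CBC padding.
  if (msg.tag.length !== expected.length || !crypto.timingSafeEqual(msg.tag, expected)) {
    throw new Error("MAC verification failed");
  }
  const decipher = crypto.createDecipheriv("aes-256-cbc", aesKey, msg.iv);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Constructed demo: round trip, then a single flipped ciphertext bit.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const msg = clientEncrypt(publicKey, Buffer.from("license=ABC-123 (constructed sample)"));
  const roundTrip = serverDecrypt(privateKey, msg).toString();
  msg.ciphertext[0] ^= 0x01; // simulate modification in transit
  let rejected = false;
  try { serverDecrypt(privateKey, msg); }
  catch (e) { rejected = e.message === "MAC verification failed"; }
  return { roundTrip, rejected };
}

console.log(demo());
```

In a real deployment the key pair is generated once on the server and only the public key is distributed with the client.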
