How/Where to store encryption key?

Sachin Deokar
Ranch Hand

Joined: May 09, 2008
Posts: 41
Hi All,

Sorry if I am posting a generic question that has already been answered. I would appreciate it if you can help me to get an answer or direct me to the right resource/forum/topic.

As part of our project, we are using the 3DES algorithm to encrypt a PIN. I am very new to the encryption world and was wondering what my options are to securely store this encryption key, so that I can use it in my class for the encryption logic. Do I store it in some kinda repository/database or an encryption key management system?

Appreciate your help and thank you in advance.

Sachin
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41125
We need a lot more detail to help you. Where is the PIN stored? Where is the key stored? What is encrypting the key supposed to accomplish? Who (what kind of attack) are you trying to protect against? What kind of application is this - desktop, web app, something else?


Sachin Deokar
Ranch Hand

Joined: May 09, 2008
Posts: 41
Thanks for your response.

This is a web app using a Flex front-end with the Spring framework, where the user enters a PIN as a password, which is then sent to a Spring bean which uses a key (the question is related to storing this key somewhere) to encrypt this PIN into a PIN block, which is then sent to another interface via a web service for validation.

Here's the sample code I wrote for 3DES encryption from examples I found online. Please let me know if you see any major issues with the code as well. I have the PIN hard-coded in this code right now, but will be getting this from the front-end. I am concerned about storing the encryption key. Don't want to keep it in the class or in properties files. Please let me know if I still lack details in my description of the issue.

Thank you all for taking the time to look at my post. Appreciate all your feedback.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41125
The big question is still "why does the PIN need to be encrypted?" I'm assuming you're using HTTPS when transferring it from the client, and also for the web service during validation (or, even better, you're using WS-Security encryption). So encrypting the PIN makes a difference only while the PIN is in memory on your servers, where it's hard to attack.

Encrypting something replaces the problem of protecting some text with the problem of protecting the encryption key - which is not inherently simpler to solve.
Aryan Khan
Ranch Hand

Joined: Sep 12, 2004
Posts: 290

You have got a number of options, with storing the key in an HSM being the most secure. Otherwise you can store it in a key store, or even a key encryption key (KEK) option can be used.

Aryan


OCP/MCP/SCJP/SCWCD/IBM XML/SCMAD/SCEA-1
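
Added example (not code from the thread): a Java sketch, for a current JDK, of the key store and KEK options named in the reply above, where an AES KEK lives in a password-protected PKCS12 key store and the 3DES working key is stored only in wrapped form. The class name, alias and demo password are hypothetical; in a deployment the key-store password is supplied from outside the code.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.*;

public class PinKeyStorage { // hypothetical class name
    static final String KEK_ALIAS = "pin-kek"; // hypothetical alias
    // Provisioning (run once, outside the web app): generate the KEK into a PKCS12 key store.
    static void createKeyStore(Path file, char[] pw) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, pw); // start from an empty key store
        ks.setEntry(KEK_ALIAS, new KeyStore.SecretKeyEntry(gen.generateKey()),
                new KeyStore.PasswordProtection(pw));
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, pw); }
    }

    // Runtime: load the KEK; the password comes from the deployment, not from the class.
    static SecretKey loadKek(Path file, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, pw); }
        return (SecretKey) ks.getKey(KEK_ALIAS, pw);
    }

    // Wrap the 3DES working key under the KEK; only this wrapped blob is stored (file, DB row).
    static byte[] wrap(SecretKey kek, SecretKey dataKey) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(dataKey);
    }

    // Recover the 3DES working key at startup; it then exists in clear only in memory.
    static SecretKey unwrap(SecretKey kek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(wrapped, "DESede", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-demo-password".toCharArray(); // constructed value for the demo
        Path file = Files.createTempFile("pin-kek", ".p12");
        createKeyStore(file, pw);
        SecretKey kek = loadKek(file, pw);
        SecretKey dataKey = KeyGenerator.getInstance("DESede").generateKey();
        SecretKey restored = unwrap(kek, wrap(kek, dataKey));
        System.out.println(Arrays.equals(dataKey.getEncoded(), restored.getEncoded()));
        Files.delete(file);
    }
}
```

The key-store password is now the secret that has to be protected, which is the trade-off described earlier in the thread.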
 