How/Where to store encryption key?

 
Sachin Deokar
Hi All,

Sorry if I am posting a generic question that has already been answered. I would appreciate it if you can help me to get an answer or direct me to the right resource/forum/topic.

As part of our project, we are using the 3DES algorithm to encrypt a PIN. I am very new to the encryption world and was wondering what my options are to securely store this encryption key, so that I can use it in my class for the encryption logic. Do I store it in some kinda repository/database or an encryption key management system?

Appreciate your help and thank you in advance.

Sachin
 
Ulf Dittmer
We need a lot more detail to help you. Where is the PIN stored? Where is the key stored? What is encrypting the key supposed to accomplish? Who (what kind of attack) are you trying to protect against? What kind of application is this - desktop, web app, something else?
 
Sachin Deokar
Thanks for your response.

This is a web app using a Flex front-end with the Spring framework, where the user enters a PIN as a password, which is then sent to a Spring bean which uses a key (the question is related to storing this key somewhere) to encrypt this PIN into a PIN block which is then sent to another interface via web service for validation.

Here's the sample code I wrote for 3DES encryption from examples I found online. Please let me know if you see any major issues with the code as well. I have the PIN hard-coded in this code right now, but will be getting this from the front-end. I am concerned about storing the encryption key. I don't want to keep it in the class or in properties files. Please let me know if I still lack details in my description of the issue.

Thank you all for taking the time to look at my post. Appreciate all your feedback.

 
Ulf Dittmer
The big question is still "why does the PIN need to be encrypted?" I'm assuming you're using HTTPS when transferring it from the client, and also for the web service during validation (or, even better, you're using WS-Security encryption). So encrypting the PIN makes a difference only while the PIN is in memory on your servers, where it's hard to attack.

Encrypting something replaces the problem of protecting some text with the problem of protecting the encryption key - which is not inherently simpler to solve.
 
Aryan Khan
You have a number of options, with storing the key in an HSM being the most secure. Otherwise you can store it in a key store, or even a Key Encryption Key (KEK) option can be used.

Aryan
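
The key store and KEK options mentioned in this thread, combined in one sketch. This is an added example, not code posted by anyone in the thread: an AES KEK lives in a PKCS12 key store, and the 3DES PIN key is persisted only in wrapped form. The class name, the `pin-kek` alias, the `KEYSTORE_PASSWORD` environment variable and the temp file are assumptions made for illustration.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.*;

public class PinKeyStorageExample {
    public static void main(String[] args) throws Exception {
        // Assumption: the key store password is injected at runtime, never kept
        // in the class or a properties file. The fallback is a constructed demo value.
        String env = System.getenv("KEYSTORE_PASSWORD");
        char[] ksPassword = (env != null ? env : "constructed-demo-password").toCharArray();
        File ksFile = File.createTempFile("pin-demo", ".p12");

        // One-time provisioning: generate the KEK and keep it only in the key store.
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("pin-kek", new KeyStore.SecretKeyEntry(aesGen.generateKey()),
                new KeyStore.PasswordProtection(ksPassword));
        try (OutputStream out = new FileOutputStream(ksFile)) {
            ks.store(out, ksPassword);
        }

        // Generate the 3DES data key and wrap it under the KEK. Only these
        // wrapped bytes would be written to a database or config store.
        SecretKey pinKey = KeyGenerator.getInstance("DESede").generateKey();
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, loadKek(ksFile, ksPassword));
        byte[] wrappedPinKey = wrap.wrap(pinKey);

        // Application start-up: load the KEK, unwrap the PIN key into memory.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, loadKek(ksFile, ksPassword));
        SecretKey recovered =
                (SecretKey) unwrap.unwrap(wrappedPinKey, "DESede", Cipher.SECRET_KEY);

        System.out.println("PIN key recovered intact: "
                + Arrays.equals(pinKey.getEncoded(), recovered.getEncoded()));
        ksFile.delete();
    }

    // Reads the KEK back from the password-protected key store file.
    static SecretKey loadKek(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        KeyStore.Entry entry = ks.getEntry("pin-kek", new KeyStore.PasswordProtection(password));
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }
}
```

The key store password is now the secret that has to be protected, which is the trade-off raised earlier in the thread; an HSM removes it by keeping the KEK inside the device.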
 