Sorry if I am posting a generic question that has already been answered. I would appreciate it if you can help me to get an answer or direct me to the right resource/forum/topic.
As part of our project, we are using the 3DES algorithm to encrypt a PIN. I am very new to the encryption world and was wondering what my options are to securely store this encryption key, so that I can use it in my class for the encryption logic. Do I store it in some kinda repository/database or an encryption key management system?
Appreciate your help and thank you in advance.
Joined: Mar 22, 2005
We need a lot more detail to help you. Where is the PIN stored? Where is the key stored? What is encrypting the key supposed to accomplish? Who (what kind of attack) are you trying to protect against? What kind of application is this - desktop, web app, something else?
This is a web app using a Flex front-end with the Spring framework, where the user enters a PIN as a password, which is then sent to a Spring bean which uses a key (the question is related to storing this key somewhere) to encrypt this PIN into a PIN block, which is then sent to another interface via a web service for validation.
Here's the sample code I wrote for 3DES encryption from examples I found online. Please let me know if you see any major issues with the code as well. I have the PIN hard-coded in this code right now, but will be getting this from the front-end. I am concerned about storing the encryption key. Don't want to keep it in the class or in properties files. Please let me know if I still lack details in my description of the issue.
Thank you all for taking out time and looking at my post. Appreciate all your feedback.
Joined: Mar 22, 2005
The big question is still "why does the PIN need to be encrypted?" I'm assuming you're using HTTPS when transferring it from the client, and also for the web service during validation (or, even better, you're using WS-Security encryption). So encrypting the PIN makes a difference only while the PIN is in memory on your servers, where it's hard to attack.
Encrypting something replaces the problem of protecting some text with the problem of protecting the encryption key - which is not inherently simpler to solve.
Joined: Sep 12, 2004
You have got a number of options, with storing the key in an HSM being the most secure. Else you can store it in a key store, or even a Key Encryption Key (KEK) option can be used.
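
The KEK option mentioned in the last reply, as an added example that is not part of the original thread or any poster's code: the 3DES PIN key is wrapped under an AES key-encryption key using the JCE `AESWrap` cipher, so only the wrapped blob is kept in a properties file or database. The class and method names are hypothetical, and the KEK is generated in-process here only as a constructed stand-in for one that would be held in an HSM or key store.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;

public class KekWrapExample {  // hypothetical class name

    // Wrap the 3DES data key under the KEK (RFC 3394 AES key wrap).
    // The returned blob is what gets stored in place of the raw key.
    static byte[] wrap(SecretKey kek, SecretKey dataKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(dataKey);
    }

    // Recover the 3DES key at application startup. AES key wrap carries an
    // integrity check, so a wrong KEK or a modified blob raises an exception.
    static SecretKey unwrap(SecretKey kek, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(wrapped, "DESede", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a real KEK would come from an HSM or key store.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        SecretKey kek = aes.generateKey();
        SecretKey pinKey = KeyGenerator.getInstance("DESede").generateKey();

        byte[] wrapped = wrap(kek, pinKey);
        System.out.println("stored blob: " + Base64.getEncoder().encodeToString(wrapped));

        SecretKey restored = unwrap(kek, wrapped);
        System.out.println("round trip ok: "
                + Arrays.equals(pinKey.getEncoded(), restored.getEncoded()));

        // A different KEK must not be able to unwrap the blob.
        try {
            unwrap(aes.generateKey(), wrapped);
            System.out.println("unexpected: wrong KEK accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong KEK rejected");
        }
    }
}
```

As the earlier reply points out, this moves the protection problem to the KEK, so the wrapped blob is only as safe as wherever the KEK is kept.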