How/Where to store encryption key?

Hi All,

Sorry if i am posting a generic question that has already been answered. I would appreciate if you can help me to get an answer or direct me to the right resource/forum/topic.

As part of our project, we are using 3des algorithm to encrypt a pin. I am very new to encryption world and was wondering what are my options to securely store this encryption key, so that i can use it in my class for the encryption logic. Do i store it in some kinda repository/database or a encryption key management system?

Appreciate your help and thank you in advance.

Sachin

We need a lot more detail to help you. Where is the PIN stored? Where is the key stored? What is encrypting the key supposed to accomplish? Who (what kind of attack) are you trying to protect against? What kind of application is this - desktop, web app, something else?

Thanks for your response.

This is we-app using flex front-end with Spring framework, where user enters a pin as a password, which is then sent to spring bean which uses a key (question is related to storing this key somewhere) to encrypt this pin into a pin-block which is then sent to another interface via web-service for validation.

Here's the sample code i wrote for 3Des encryption from examples i found online. Please let me know if you see any major issues with the code as well. I have pin hard-coded in this code right now, but will be getting this from the front-end. I am concerned about storing the encryption key. Don't want to keep in the class or in properties files. Please let me know if i still lack details in my description about the issue.

Thank you all for taking out time and looking at my post. Appreciate all your feedback.

import java.io.IOException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.spec.InvalidKeySpecException; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESedeKeySpec; import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.binary.Hex; public class EncryptTripleDes { private static byte[] encrypt(byte[] inpBytes, SecretKey key) throws Exception { Cipher cipher = Cipher.getInstance("DESede"); cipher.init(Cipher.ENCRYPT_MODE, key); return cipher.doFinal(inpBytes); } private static byte[] decrypt(byte[] inpBytes, SecretKey key) throws Exception { Cipher cipher = Cipher.getInstance("DESede"); cipher.init(Cipher.DECRYPT_MODE, key); return cipher.doFinal(inpBytes); } /** Read a TripleDES secret key from the specified file * @throws DecoderException */ private static SecretKey readKey(String keyStr) throws IOException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException, DecoderException { // Convert Key Str to bytes byte[] rawkey = Hex.decodeHex(keyStr.toCharArray()); System.out.println("RawKey Size : " + rawkey.length); // Convert the raw bytes to a secret key like this DESedeKeySpec keyspec = new DESedeKeySpec(rawkey); SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("DESede"); SecretKey key = keyfactory.generateSecret(keyspec); return key; } public static void main(String[] args) { String pin = "1234567890123456"; byte[] pinBytes; try { pinBytes = Hex.decodeHex(pin.toCharArray()); System.out.println("Pin Bytes: " + Hex.encodeHex(pinBytes)); System.out.println("Pin Size : " + pinBytes.length); // TODO: Store this key in a secured place. String keyALL = "919EE5FB75B3E337406462648F5404BF0762A2" + "37155BE908089138F743FE94B6673B9765BDC1" + "4045DFE032DC928A610E9E047331D9266B38AE"; SecretKey key = readKey(keyALL); System.out.println("\nKey : " + key.getFormat().toCharArray()); byte[] encryptedRawbyte = encrypt(pinBytes,key); String encodeTxt = new String(Hex.encodeHex(encryptedRawbyte)); System.out.println("Here's the encrypted key : " + encodeTxt); byte[] decryptedRawbyte = decrypt(encryptedRawbyte, key); String dencodeTxt = new String(Hex.encodeHex(decryptedRawbyte)); System.out.println("Here's the decrypted key : " + dencodeTxt); } catch (DecoderException e) { e.printStackTrace(); } catch (InvalidKeyException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (InvalidKeySpecException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } } }

The big question is still "why does the PIN need to be encrypted?" I'm assuming you're using HTTPS when transferring it from the client, and also for the web service during validation (or -even better- you're using WS-Security encryption). So encrypting the PIN makes a difference only while the PIN is in memory on your servers, - where it's hard to attack.

Encrypting something replaces the problem of protecting some text with the problem of protecting the encryption key - which is not inherently simpler to solve.

You have got a number of options with storing the key in a HSM being the most secure. Else you can store it in a key store or even a Key encryption Key (KEK) option can be used.

Aryan