How/Where to store encryption key?

 
Ranch Hand
Posts: 41
Hi All,

Sorry if I am posting a generic question that has already been answered. I would appreciate it if you can help me get an answer or direct me to the right resource/forum/topic.

As part of our project, we are using the 3DES algorithm to encrypt a PIN. I am very new to the encryption world and was wondering what my options are to securely store this encryption key, so that I can use it in my class for the encryption logic. Do I store it in some kinda repository/database or an encryption key management system?

Appreciate your help and thank you in advance.

Sachin
 
Rancher
Posts: 43076
77
We need a lot more detail to help you. Where is the PIN stored? Where is the key stored? What is encrypting the key supposed to accomplish? Who (what kind of attack) are you trying to protect against? What kind of application is this - desktop, web app, something else?
 
Sachin Deokar
Ranch Hand
Posts: 41
Thanks for your response.

This is a web app using a Flex front-end with the Spring framework, where the user enters a PIN as a password, which is then sent to a Spring bean which uses a key (the question is related to storing this key somewhere) to encrypt this PIN into a PIN block, which is then sent to another interface via web service for validation.

Here's the sample code I wrote for 3DES encryption from examples I found online. Please let me know if you see any major issues with the code as well. I have the PIN hard-coded in this code right now, but will be getting this from the front-end. I am concerned about storing the encryption key. I don't want to keep it in the class or in properties files. Please let me know if I still lack details in my description of the issue.

Thank you all for taking the time to look at my post. I appreciate all your feedback.

 
Ulf Dittmer
Rancher
Posts: 43076
77
The big question is still "why does the PIN need to be encrypted?" I'm assuming you're using HTTPS when transferring it from the client, and also for the web service during validation (or, even better, you're using WS-Security encryption). So encrypting the PIN makes a difference only while the PIN is in memory on your servers, where it's hard to attack.

Encrypting something replaces the problem of protecting some text with the problem of protecting the encryption key - which is not inherently simpler to solve.
 
Ranch Hand
Posts: 290
Oracle Tomcat Server Java
You have a number of options, with storing the key in an HSM being the most secure. Otherwise you can store it in a key store, or even a key encryption key (KEK) option can be used.

Aryan
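
The key store and KEK options named in the last reply, combined in one added example (not code from any poster in this thread): an AES key encryption key lives in a PKCS12 keystore, and the 3DES data key is persisted only in wrapped form. The class name, the alias `pin-kek`, the environment variable `PIN_KS_PASS` and the in-memory keystore standing in for a file are all assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added illustration; class name, alias and PIN_KS_PASS are hypothetical.
public class KekDemo {
    static final String ALIAS = "pin-kek";

    // Load the KEK from serialized PKCS12 keystore bytes (a file in a real deployment).
    static SecretKey loadKek(byte[] storeBytes, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(storeBytes), pass);
        return (SecretKey) ks.getKey(ALIAS, pass);
    }

    public static void main(String[] args) throws Exception {
        // The keystore password comes from the environment, not from source or a properties file.
        String env = System.getenv("PIN_KS_PASS");
        char[] pass = (env != null ? env : "constructed-demo-only").toCharArray();

        // Provisioning, done once: generate the KEK and store it in the keystore.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, pass);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(aes.generateKey()),
                new KeyStore.PasswordProtection(pass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);
        byte[] storeBytes = out.toByteArray();

        // Generate the 3DES data key and wrap it under the KEK (RFC 3394 AES key wrap).
        SecretKey dataKey = KeyGenerator.getInstance("DESede").generateKey();
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, loadKek(storeBytes, pass));
        byte[] wrapped = wrap.wrap(dataKey); // only these bytes go to a database or config

        // Application start-up: load the KEK and unwrap the data key into memory.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, loadKek(storeBytes, pass));
        SecretKey recovered = (SecretKey) unwrap.unwrap(wrapped, "DESede", Cipher.SECRET_KEY);

        System.out.println("wrapped data key bytes: " + wrapped.length);
        System.out.println("round trip ok: "
                + Arrays.equals(dataKey.getEncoded(), recovered.getEncoded()));
        Arrays.fill(pass, '\0'); // clear the password once the keys are loaded
    }
}
```

The wrapped data key is useless without the KEK, so what remains to protect is the keystore file and its password, which is the trade-off described earlier in the thread.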
 