How to securely store a private RSA key so that it can be used in a Java application?

1

12sd2014-11-29 03:15:11

Java

12sd, 2014-11-29 03:15:11

It is necessary to have some kind of key storage protected (for example, by a system password), but in order to be able to encrypt something with this key.
Perhaps I misunderstand the principles of encryption.
In general, it is necessary to generate a private / public key pair during the installation of the application and, when sending data to the server, sign them with a private key. At the same time, you need to somehow protect against data forgery by stealing a private key: we are talking about payment terminal software, where they can simply steal the entire terminal along with the hard drive.
PS For example, so that only a signed application can read this key from the java keystore (the certificate is preloaded into the keystore).

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

C

codecity, 2014-11-29
@12sd

so that only a signed application can read this key from the java keystore (the certificate is preloaded in the keystore)

There is no standard solution.
Try this option: at the first start, the application knocks on the control server and reports on the need for initialization. The operator enters a PIN code that corresponds to this terminal (in doing so, he makes sure that the terminal has not been stolen, for example, using video).
Use the PIN code to decrypt the private key. After that, do not save the PIN or the decrypted key on disk - only in memory. Re-initialization will be required after a power outage.
In addition, a little hardware support will be needed: when the terminal is moved, a shutdown or reboot should occur. It can be realized using a gyroscope or a conventional reed switch + magnet.