
I would like to store my RSA private key, which app uses to sign its data before sending to the server, somewhere safely, so that it would be much harder to steal the key than just copy it from app folder.

I know that Java KeyStore could be used to store keys and load them by runtime, but how can I load the key from KeyStore without a password for a signed jar?

For example, I've loaded a key "mykey" into KeyStore, and I signed App.jar. I want to load the key in runtime from KeyStore automatically, without specifying a password to KeyStore, if the app which requested it is signed.

Perhaps, I don't understand the principles of the KeyStore correctly. But the task is to sign data which is sent to server and store the key safely. (The app is a POS application, so it should be loaded automatically, without any password given by startup).

    You can't. Where would you store the password? In the code? Decompile! In the file system? Then you can just as easily store the unencrypted private key in the same place. This is impossible. – Boris the Spider Nov 29 '14 at 00:54
  • I thought KeyStore can be configured to only give private keys to apps, signed by a specified certificate. So that only application written and signed by me would be able to get the key from KeyStore without password. Is there any other way to accomplish the task of signing app data before sending it? – 12sd Nov 29 '14 at 00:59
    If that was a feature: I would simply take that certificate of your app (because that is not encrypted, it's open information in your app), hand it over to keystore and let it extract the key for me. Keystore could not know where the certificate came from, me or some app signed with that certificate. You can IRL protect keystores with passwords, but that leaves this password the new secret with no place to put. – zapl Nov 29 '14 at 01:09
  • Well, how then does Java know who signed this app? And how then could no one sign their code with another company's signature? – 12sd Nov 29 '14 at 01:11
  • @zapl beautifully explained! This is a dead end that so many have gone down. – Boris the Spider Nov 29 '14 at 01:23
  • Because the **public** key is stored inside the app. The **private** key is used to sign the app. Everyone has access to the **public** key and can verify the signature against it. Only the owner of the **private** key can sign things. This is public key cryptography 101. – Boris the Spider Nov 29 '14 at 01:25
  • Then I can write a separate program, launched by root, for example, and it will have access to a text file with KeyStore password. That file won't be readable by other users. – 12sd Nov 29 '14 at 11:28
  • UP: Then I can write a separate program, launched by root, for example, and it will have access to a text file with KeyStore password. That file won't be readable by other users. Then the main app will talk to the small app by system sockets, small app will check it with jarsigner by a special public key in KeyStore (pre-saved on installation), and if it matches, it will return the private key from KeyStore. Probably, I should mention: nobody except trusted people will have access to root user. Or, for example, small app will just run my app if signature matches, passing the private key via args. – 12sd Nov 29 '14 at 11:34

1 Answer

As others have pointed out, you cannot really prevent someone who has the app (and therefore has the private key) from extracting the private key. You can obfuscate the key, which might be reasonable depending on what you're trying to accomplish. In that case, you can hide the key password in various spots in the code and use the KeyStore as you've mentioned. That's not really secure, but it might be "good enough" for your purposes.

Any key that's distributed to the end user cannot be considered secret.

More importantly, if your server is trusting any client code, signed or not, you probably have a security issue with your server. You have to find a different way to enforce your security properties than trusting the client.
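To make the thread's point concrete, here is an added example (not code from the question or the answer) of what the JCA actually offers: the private key entry is unlocked only by a password that the process must hold at runtime, while verification on the server needs nothing but the public certificate. The keystore path, alias and password are assumed values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
public class KeyStoreSigner {
    // Assumed names; a matching store can be created with
    //   keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore client.p12
    static final String KEYSTORE_PATH = "client.p12";
    static final String ALIAS = "mykey";
    // The password must be in memory here; there is no "unlock for signed jars"
    // mode in KeyStore, which is exactly what the thread concludes.
    static KeyStore openStore(char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, storePass);
        }
        return ks;
    }
    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
    // Server side: only the certificate's public key is needed, so it can ship openly.
    static boolean verify(PublicKey pub, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // assumed; whoever can read this can read the key
        KeyStore ks = openStore(pass);
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, pass);
        PublicKey pub = ks.getCertificate(ALIAS).getPublicKey();
        byte[] payload = "sale:42;amount=19.99".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] sig = sign(priv, payload);
        System.out.println("signature: " + Base64.getEncoder().encodeToString(sig));
        System.out.println("verifies: " + verify(pub, payload, sig));
        java.util.Arrays.fill(pass, '\0'); // at least don't leave the password in the heap
    }
}
```

Whatever supplies `pass` (a file, an argument, a hard-coded string) is readable by anyone who can read the app, so the signature proves only that the request came from something holding the distributed key, not that the client code is trustworthy.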