yoano

Reputation: 1546

Javacard security design: all smartcards the same public and private key a good idea?

I am designing a concept where a system should communicate securely with a smartcard. The design is like this:
[smartcard] <-> [software on a pc in a store] <-> [server in the cloud]
The smartcard should communicate securely with the cloud and should prevent eavesdropping on the connection, as well as by the software on the PC in the store.
My question: is it a good idea to use the same public/private key for all smartcards? Or should I use a new one for each card? Of course it's easy to implement one card so the cloud knows which public keys it should use for the various encryption schemes.

Upvotes: 1

Views: 71

Answers (1)

Elliott Frisch

Reputation: 201437

Using the same public key on all of the cards is a terrible idea; if someone compromises one (through theft or other means) then all of the transactions for all stores are compromised. If each store uses a unique key, a compromised key is limited in scope to one store.

tl;dr Use a unique public/private key per store.

Upvotes: 4
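
The scoping argument in the answer above, as an added example that is not part of the original post: a cloud-side registry holding one EC public key per identifier, so a compromised key can be revoked without affecting the others. The class and method names, the card IDs and the ECDSA challenge-response are assumptions; this is Java SE code for the server, and `cardSign` stands in for the card. The registry is keyed per card here; keying it per store has the same structure.

```java
import java.security.*;
import java.util.*;
// Added illustration: CardRegistry, enroll, revoke, verify and cardSign are
// hypothetical names, not from the original post or from any Javacard API.
public class CardRegistry {
    private final Map<String, PublicKey> enrolled = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    void enroll(String id, PublicKey pub) { enrolled.put(id, pub); }
    void revoke(String id) { enrolled.remove(id); }
    byte[] newChallenge() { byte[] c = new byte[32]; rng.nextBytes(c); return c; }

    // Accept a response only if it verifies under the key enrolled for that ID.
    boolean verify(String id, byte[] challenge, byte[] sig) throws GeneralSecurityException {
        PublicKey pub = enrolled.get(id);
        if (pub == null) return false;              // unknown or revoked key
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(pub);
        v.update(challenge);
        try { return v.verify(sig); } catch (SignatureException e) { return false; }
    }

    // Stands in for the card; on a real card the private key stays on the chip.
    static byte[] cardSign(PrivateKey priv, byte[] challenge) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(priv);
        s.update(challenge);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair cardA = kpg.generateKeyPair();      // constructed sample keys
        KeyPair cardB = kpg.generateKeyPair();
        CardRegistry cloud = new CardRegistry();
        cloud.enroll("card-A", cardA.getPublic());
        cloud.enroll("card-B", cardB.getPublic());
        byte[] ch = cloud.newChallenge();
        byte[] sigA = cardSign(cardA.getPrivate(), ch);
        System.out.println("A as A: " + cloud.verify("card-A", ch, sigA));
        System.out.println("A as B: " + cloud.verify("card-B", ch, sigA));
        cloud.revoke("card-A");                     // key A reported compromised
        byte[] ch2 = cloud.newChallenge();          // fresh challenge per attempt
        System.out.println("A after revoke: "
            + cloud.verify("card-A", ch2, cardSign(cardA.getPrivate(), ch2)));
        System.out.println("B after revoke: "
            + cloud.verify("card-B", ch2, cardSign(cardB.getPrivate(), ch2)));
    }
}
```

With a single key pair shared by every card, the registry would have one entry and `revoke` would disable every card at once.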
