Reputation: 73
I am working on a Java RCP application. A user needs to authenticate himself with his SmartCard to get access to the application. Inside this, he can open/save files which need to be stored encrypted.
Currently, I'm using a password-based AES encryption with a hard-coded password. This is obviously not secure, so I need a different approach to encrypt/decrypt files.
What arouses this problem is that there are a few requirements to be met:
Edit: It doesn't need to have a very high level of security. It should just be a little bit harder for an attacker to get the key than to just open the distributed JAR file and get the key in plain text.
Any hints would be appreciated.
Upvotes: 3
Views: 704
Reputation: 269627
For each file, create a new key. Encrypt the file with that key (using AES).
Then, for each user that is allowed to read the file, encrypt the new key with their public key (one that corresponds to a private key on their smart card). Store these encrypted keys with the file.
When a user wants to read a file, the software uses his smart card to recover the content encryption key used for the file.
The file format could use PKCS #7's Cryptographic Message Syntax or OpenPGP.
Upvotes: 1
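The scheme from the answer above, sketched as an added example (not code from the answer or from any project): a fresh AES key per file, wrapped once per authorized reader with that reader's RSA public key. Assumptions: software-generated RSA key pairs stand in for the smart-card keys, the user names are hypothetical, and the wrapped keys are held in a plain map rather than a CMS or OpenPGP container.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class PerFileKeyDemo {
    // RSA-OAEP key wrapping; the padding a given card supports may differ (assumption).
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for two users' smart-card key pairs.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        Map<String, KeyPair> users = new LinkedHashMap<>();
        users.put("alice", kpg.generateKeyPair());
        users.put("bob", kpg.generateKeyPair());

        // 1. New content-encryption key and nonce for this file only.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey fileKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);

        // 2. Encrypt the content with AES-GCM (confidentiality plus integrity).
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, fileKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(
                "constructed sample file content".getBytes(StandardCharsets.UTF_8));

        // 3. Wrap the file key once per reader; store these next to iv + ciphertext.
        Map<String, byte[]> wrappedKeys = new LinkedHashMap<>();
        for (Map.Entry<String, KeyPair> u : users.entrySet()) {
            Cipher rsa = Cipher.getInstance(WRAP);
            rsa.init(Cipher.WRAP_MODE, u.getValue().getPublic());
            wrappedKeys.put(u.getKey(), rsa.wrap(fileKey));
        }

        // 4. Reading as "bob": unwrap with the private key, then decrypt the content.
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.UNWRAP_MODE, users.get("bob").getPrivate());
        SecretKey recovered =
                (SecretKey) rsa.unwrap(wrappedKeys.get("bob"), "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println(new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8));
    }
}
```

With a real card, the private key in step 4 would be a non-extractable handle obtained from a PKCS#11-backed `KeyStore`, so the unwrap runs on the card and no key material is embedded in the JAR.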
Reputation: 1833
Caveat: I am not well-versed in security and this is just something that crossed my mind.
As a suggestion, make the password for each file be a hash containing a known salt that is randomly generated for each file, and a single passphrase that is encrypted individually for each user. You can safely store the random salts locally, because these are not the key to the file, and no user knows the passphrase to unlock the file. By encrypting and signing the passphrase with public key encryption, you can authenticate users and control access on a per-user, per-file basis.
This way, you could use public key encryption from each user to deliver the passphrase, which is not stored anywhere in the system, secure the files independently of each other, and not be dependent on outside sources.
Upvotes: 0