BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339
February 10th, 2010, 02:01 AM
Registered User
best practice on managing private key

Hi all,

What is the industry standard/practice on managing the private key? I have a requirement to manage multiple private keys in the application. During runtime, the application needs to retrieve the private key and perform signing/decrypting on the message content we send out or receive.

I am intending to store the encrypted form of the private key (encrypted using a symmetric algorithm) in a database table. Whenever the application needs the private key, it will decrypt the private key using the password phrase cached in memory (the application retrieves the password phrase from a file that is accessible to the ROOT account).

Will the above design safeguard the private key we store? On paper, the attacker needs to break into both the database and the application machine to get the private key and the password phrase. To me, this approach can ensure a certain degree of security in protecting the private key.

What is your view on it? Any better approach to safeguard the private key?

Regards
Yangguo
February 10th, 2010, 03:36 AM
dgh
Wrox Author

You're probably better off storing the private key in a file, using something like PKCS#12. Then you can protect both the key and the password with root access.

If the key is in the database, while it's encrypted, it may be hard to prevent, or detect, someone fetching it and attempting a dictionary attack offsite. On the other hand, if the key is in a file protected by root, there's only one way to get to it.

Regards,

David
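An added example (not from the book or from either post) of the file-based approach David describes: the PKCS#12 keystore and its passphrase live in separate root-only files, the code refuses to proceed if either file is readable by anyone other than its owner, and the passphrase is wiped from memory as soon as the key has been loaded. The file paths, the `app-signing` alias and the `keytool` command in the comment are assumptions, not anything the thread specifies.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.*;
import java.util.*;

public class Pkcs12Signer {
    // Assumed layout (not from the book): keystore created with
    //   keytool -genkeypair -storetype PKCS12 -keystore /etc/myapp/keys.p12 -alias app-signing -keyalg RSA -keysize 2048
    // and the passphrase written to /etc/myapp/keys.pass; both files owned by root, mode 0600.
    private static final Path KEYSTORE = Paths.get("/etc/myapp/keys.p12");
    private static final Path PASSFILE = Paths.get("/etc/myapp/keys.pass");
    private static final String ALIAS = "app-signing";

    // Refuse to use a secret-bearing file that anyone other than its owner can read or write.
    static void requireOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        Set<PosixFilePermission> allowed = EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        if (!allowed.containsAll(perms)) {
            throw new IOException(p + " must be mode 0600 or stricter, found " + perms);
        }
    }

    static char[] readPassphrase(Path p) throws IOException {
        requireOwnerOnly(p);
        byte[] raw = Files.readAllBytes(p);
        char[] pass = new String(raw, StandardCharsets.UTF_8).trim().toCharArray(); // intermediate String cannot be wiped
        Arrays.fill(raw, (byte) 0);
        return pass;
    }

    // Load the key only for the duration of one signing operation, then wipe the passphrase.
    static byte[] sign(byte[] message) throws Exception {
        requireOwnerOnly(KEYSTORE);
        char[] pass = readPassphrase(PASSFILE);
        try (InputStream in = Files.newInputStream(KEYSTORE)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, pass);                      // PKCS#12 integrity MAC: a wrong passphrase fails here
            PrivateKey key = (PrivateKey) ks.getKey(ALIAS, pass);
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(key);
            sig.update(message);
            return sig.sign();
        } finally {
            Arrays.fill(pass, '\0');
        }
    }
}
```

Calling `Pkcs12Signer.sign(bytes)` from the application gives the detached signature; the permission check is what makes the "only one way to get to it" property checkable at runtime rather than just assumed at deployment time.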