Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is there a good way to ship AES keys together with the application, but still make them safe enough?
I don’t quite fond regarding the idea of hard-coding the keys (as the app can be de-compiled), but other alternative, saving them on remote server, looks quite dangerous to me in case the server goes down or the network cuts off.
I know that Java provides mechanism called key-store, but AFAIK, if the code is de-compiled, this key-store can be opened as well?
Any idea?
Thanks in advance!
You cannot trust your application to keep your key safe. You cannot trust that the application is really yours.
You can transport the key securely all you like, it’s the fact that there is no hardware protecting your key at the application end that means you loose, anyone with a hex editor or debugger can get the key out of your application.
If an application “needs” a key I would be tempted to have each user (or license) simply be a private key and certificate.
You could then use signature checking and Diffie-Hellman key-exchange to ‘give’ each licensed instance of your application a key from a networked server at runtime. This would also let you make sure only one instance of a license is running at once.