12

I was wondering how an application that has a private key will keep it secure?

If the private key is outside the binary, then anybody can access it, but storing it in the binary doesn't make it more secure (I think). We can try to obfuscate the key but it can still be discovered!

So what is the best practice for that matter?

darkheir
  • 1
    Depending on the platform, you might have some secure key storage protected by the operating system. Something like Keystore. – hsnm Feb 13 '13 at 14:25
  • If the private key is outside the code, then it is protected by file permissions, yes? – MCW Feb 13 '13 at 16:24

5 Answers

7

Expect it to be compromised. There isn't a good way to do anything other than obfuscate a private key. The best bet is probably to store it in the cryptographic library of the system that the software is running on. If you're lucky it might have a TPM or HSM that can store the key securely. What are you trying to accomplish with the private key? That might help give better feedback on the best way to securely accomplish your goal.

AJ Henderson
  • In my case the key is used to decrypt some files, but my question is more global! And no luck, there is no HSM or TPM on the system! – darkheir Feb 13 '13 at 14:24
  • 1
    @darkheir - where are the encrypted files coming from? Are they on the computer permanently? Are they sent from a remote server? Is offline decryption necessary? If possible, the safest bet may be to not store the decryption key on the client, but rather store it on the server and only provide it to the client after completing a challenge with the server. A compromised client could still leak the key in that case, but it would prevent a static analysis without the credentials. (Alternately, storing the private key encrypted with a password that the user has to enter would also do a littl – AJ Henderson Feb 13 '13 at 14:27
  • Sadly the encrypted file is coming from the same system and it has to work offline! I'll investigate the idea of a cryptographic library; it seems that Microsoft has a key storage architecture, which could be interesting. – darkheir Feb 13 '13 at 14:30
  • 2
    @Darkheir - if it is coming from the same system, why use a private key as opposed to a symmetric one? Also, does it need to protect against the legitimate user accessing the protected data or just against attackers trying to access the user's data? – AJ Henderson Feb 13 '13 at 14:37
  • Only one program has to be able to read data sent by multiple other programs, so asymmetric encryption seems to me the way to go. For the key, the best would be that only the program can access the private key; it's better if even the legitimate user can't access it. – darkheir Feb 13 '13 at 14:46
  • @Darkheir - ok, then the cryptographic libraries probably won't be super useful as an admin can still get the keys out of them rather easily. Symmetric keys may still be the way to go for performance reasons unless you have a reason to not want to trust the multiple programs writing to the other one to be able to read the data. Granted, if you encrypt the data with a symmetric key and then encrypt the symmetric key with the public key you get the best of both worlds. – AJ Henderson Feb 13 '13 at 15:03
7

There is no 100% reliable way to hide a secret of any type, be it an RSA private key or any other kind of object, within an application in such a way that it would resist reverse engineering. All those who have tried have failed. There are good theoretical reasons why it should not be possible: namely, at some point, the CPU will use the secret value and thus have it under its fingers; by running the code in an emulator, attackers can obtain it as well.

(The emulator is the just-drop-a-nuke-on-it kind of solution; it works and is sufficient to demonstrate impossibility of protection, but attackers invariably use a bit more brain in their reverse engineering.)

The best you can have is user-specific secrets, so that, at least, you can manage things server side by shutting down access for offenders (if an access-granting key is compromised, simply inform the server that this specific key shall no longer be accepted). This is what is done in satellite TV: the signal is broadcast, encrypted with a key K (which changes every few minutes), and the key K is itself encrypted with the secret key which is in the receiver smart card; each receiver has its own smart card. When a card appears to be massively cloned (breaking a card is expensive, but once it is broken, making 3000 copies is cheap), the TV distributor just stops distributing the version of K encrypted with the key which is in the compromised card, thus effectively blocking access for all copies.

Thomas Pornin
  • While there is no 100% reliable way, using an HSM provides good protection against many attacks like emulators or other forms of tampering. HSMs are designed to be true black boxes, so unless you are a government that can deal with vacuum chambers or magnetic traps, HSMs are pretty safe. Normally if somebody uses an HSM, the attack shifts from getting the key to breaking into the HSM, which requires online access. – fernacolo Jan 02 '15 at 21:25
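The per-card key scheme described in the answer above, as an added example that is not part of the original answer. The `Broadcaster` class, the card ids and the toy HMAC-based key wrap are assumptions made for illustration; the wrap stands in for a real AEAD or AES key wrap.

```python
import hashlib
import hmac
import secrets

# Toy wrap for a 32-byte key using only the standard library (assumption:
# a real deployment would use an AEAD or AES key wrap instead).
def _pad(card_key, nonce):
    return hmac.new(card_key, b"pad" + nonce, hashlib.sha256).digest()

def wrap(card_key, k):
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(k, _pad(card_key, nonce)))
    tag = hmac.new(card_key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(card_key, blob):
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(card_key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication")
    return bytes(a ^ b for a, b in zip(body, _pad(card_key, nonce)))

class Broadcaster:
    """Hypothetical distributor: one secret per card, K re-wrapped per period."""

    def __init__(self, card_ids):
        self.card_keys = {cid: secrets.token_bytes(32) for cid in card_ids}
        self.revoked = set()

    def revoke(self, card_id):
        # Takes effect at the next rotation: every clone of this card loses K.
        self.revoked.add(card_id)

    def rotate(self):
        """Pick a fresh K; return (K, {card_id: wrapped K}) for active cards."""
        k = secrets.token_bytes(32)
        wrapped = {cid: wrap(key, k) for cid, key in self.card_keys.items()
                   if cid not in self.revoked}
        return k, wrapped

def card_recover(card_id, card_key, wrapped):
    """What a card, or any clone holding the same key, gets from a broadcast."""
    blob = wrapped.get(card_id)
    return None if blob is None else unwrap(card_key, blob)
```

Revocation costs the distributor nothing beyond omitting one wrapped copy of K, and it works only because no two cards share a secret.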
1

If you are using the .NET Framework, have a look at ProtectedData (as mentioned in this Stack Overflow answer).

It uses the Windows Data Protection API (DPAPI) in order to "provide protection using the user or machine credentials to encrypt or decrypt data" (taken from the docs).

Ioanna
1

Whilst the system you are using doesn't currently have a Hardware Security Module (HSM) in it, you can buy them separately (e.g. as add-in cards, smart cards or separate boxes). Depending on your situation (value of key, exposure, etc), this might be worthwhile.

Correct use of an HSM will ensure that even the application cannot directly access the private key. This moves the problem on to protecting (ab)use of the services offered by the HSM (e.g. decrypting files), where you are assisted by whatever authentication options the HSM provides.

Michael
0

For local storage, you might obfuscate your private key with the hash of a password that is stored nowhere. Assuming the hash function is irreversible, you can retrieve the private key only with the valid password. The security limit is given by the length of the password.
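One way to implement the password-derived masking from the answer above, as an added example that is not part of the original answer. It swaps the plain hash for scrypt with a random salt and adds an integrity tag so a wrong password is rejected instead of yielding garbage; the function names and scrypt parameters are assumptions.

```python
import hashlib
import hmac
import secrets

def _derive(password, salt, length):
    # scrypt (slow, memory-hard) replaces the plain hash from the answer so
    # each password guess costs real work; n, r, p are illustrative values.
    out = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                         dklen=length + 32)
    return out[:length], out[length:]          # (mask, MAC key)

def protect(private_key, password):
    """Return salt || masked key || tag; the password itself is never stored."""
    salt = secrets.token_bytes(16)             # fresh salt, so the mask is never reused
    mask, mac_key = _derive(password, salt, len(private_key))
    body = bytes(a ^ b for a, b in zip(private_key, mask))
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + body + tag

def recover(blob, password):
    """Recover the key, or raise ValueError on a wrong password or edited blob."""
    salt, body, tag = blob[:16], blob[16:-32], blob[-32:]
    mask, mac_key = _derive(password, salt, len(body))
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified blob")
    return bytes(a ^ b for a, b in zip(body, mask))
```

The stored blob is safe to leave on disk only to the extent that the password resists offline guessing, which is the limit the answer points out.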