什么是存储公钥和主键的安全方式? [英] What is the secure way to store public and primary keys?
问题描述
我使用AES与RSA加密和解密为客户端和服务器的安全通信。我被告知要在Javascript中硬编码一个公共密钥用于登录,其中的关联私钥在Java中进行硬编码。这同样适用于注册过程,但登录和注册的密钥对将有所不同。
现在棘手的部分是,我必须为每个用户生成一个密钥对登录并使用该特定用户的密钥对,直到他注销或其会话超时。假设我有1000多个用户,我必须在每次创建新会话时生成密钥,并为该用户维持相同的密钥对,直到注销或超时。
这些是我如何存储公钥和私钥的想法
1)我们必须定义文件的名称,然后将公钥和私钥保存到文件。我们可以使用登录用户的用户名将其添加到保存的文件,如 - Dan.Public.key和Dan.Private.key,如果是为另一个用户 - Ken.Public.key,Ken.Public.key(Dan和Ken是用户名)
即使用户Dan注销或其会话超时,我的过滤器将重新登录并创建一个新的私钥和公钥再次到Dan.Public.key和Dan.Private.key,所以它会自动覆盖同一用户最后使用的密钥文件。通过定义这样的文件名,我可以管理它为任何数量的用户,而不必担心安全性(我必须完全配置谁可以访问密钥文件夹)。到我的实时问题,我的应用程序是API调用,所以没有任何会话。管理会话的唯一方法是通过生成UUID来处理它,并使用它来维护用户的会话并保留用户的日志。
如果我必须获取每个调用的公钥和私钥,首先我必须检查数据库以找到与当前UUID相关联的用户名。这是一个非常糟糕的方式。另外,我可以使用UUID而不是用户名来命名密钥文件,但它会损坏我的服务器不久,因为没有覆盖已保存的文件,由于唯一的UUID(没有办法覆盖最后使用的密钥文件,coz每个新的UUID是唯一的)
2)我可以简单地将公钥和私钥与生成的UUID一起存储到数据库,所以我可以简单地获取这些键使用 .add(Restrictions.eq(UUID_USER,UUID)); 但是我担心在将其直接存储在DB中时的安全性加密和解密。 / p>
注意:直到现在我还不知道如何将公钥和私钥存储在数据库中。
我使用PBKDF2WithHmacSHA256,迭代计数为100000+,盐的16字节,以防止密码泄露,即使黑客获取数据库。比较密码存储的高安全性和字符串私有和公共密钥的漂亮转储想法直接在DB中,我觉得这两个安全级别之间有很大的差距。
关于在Keystore中存储密钥,但我不知道它是如何工作的。如果我选择将密钥存储在DB中,我可以在java中使用某种硬编码加密和解密这些密钥,但这将减慢每次点击的处理时间,如果更多的用户被记录,这将是服务器的重量级在同一时间。在考虑加密编码时,我甚至没有中级,但我不想为一部分实现高安全系统,为另一部分实现0安全系统。如果任何人曾经在这类应用程序上工作,请分享一下如何处理公钥和私钥的存储方式。
我假设用户密钥用于签署从客户端发送到服务器的数据或加密从服务器发送到客户端的数据。
你真的不应该将用户的私钥存储在服务器上(或为此生成)。最好在客户端上生成密钥对,并将公钥发送到使用服务器公钥加密的服务器。
服务器(和开发人员/操作)从不接收用户私钥,并且不能模拟用户。每次用户登录时,都会生成一个新的密钥对,并在数据库中覆盖该公钥。
请注意,这并不能完全保护您免受攻击,因为基于网络的攻击者可以简单地注入额外的JavaScript来窃取用户私钥或指示客户端将所有信息直接发送给攻击者。解决这个问题的唯一方法是使用SSL / TLS。
I'm using AES with RSA encryption and decryption for client and server's secure communication. I've been told to hardcode a public key in Javascript for Login purposes with its associate private key hardcoded in Java. The same applies for Signup process but the keypair of Login and Signup will be different.
Now the tricky part is, I've to generate a keypair for each user once he logged in and use that keypair for that particular user until he logout or his session timed out. Assuming I'm having 1000+ users, I've to generate the key everytime a new session is created and maintain the same keypair for that user until logout or timeout.
These are my thoughts on how to store the Public and private key
1) We've to define the name for the file before saving the public and private key to a file. We can use the logged in user's username to add it to saved file like - Dan.Public.key and Dan.Private.key , If it's for another user - Ken.Public.key, Ken.Public.key (Dan and Ken are the usernames)
Even if the user "Dan" logout or his session times out, my filter will create a new private and public key once he login again and save the key again to Dan.Public.key and Dan.Private.key, so it'll automatically overwrite the last used key files of the same user. By defining the file names like this, I can manage it for any number of users without have to worry about security (Ofcourse I've to perfectly configure on who can access the keys folder). Coming to my Real-Time issue, my application is API-call, so there is no session at all. The only way to manage session is to handle it by generating a UUID and using that to maintain the user's session and keeping logs of the user.
If I've to fetch the public and private key for every call, first I've to check the DB to find the respective username which associates with the current UUID. This is a very bad way in long run. Also I can give name to key files using UUID instead of username, but it'll damage my server near soon, coz there will no overwriting of already saved files due to the unique UUID (There is no way to overwrite a last used key file, coz every new UUID is unique)
2) I can simple store the public and private key to the database along with the generated UUID, so I can simply fetch those keys for encryption and decryption by using .add(Restrictions.eq("UUID_USER",UUID)); But I'm worried about the security when storing it directly in DB.
Note: Until now I don't know how to store the public and private keys in a database.
I've used PBKDF2WithHmacSHA256 with an iteration count of 100000+ , salt of 16 byte to prevent leakage of passwords even if the hacker gets the database. Comparing the high security for password storage and pretty dump idea of string private and public key directly in DB, I feel a much greated gap between those two security levels.
I've read a little about storing keys in Keystore, but I've no idea how it works. If I've choosen to store the keys in DB, can I use some kind of hardcoded encryption and decryption in java for those keys, but that will slower the process time for every click which will be heavyweight for the server if more users are logged in at same time. I'm not even at a medium level when considering cryptography coding, but I dont want to implement a high secure system for one part and 0 secure system for another part. If anyone have worked on these kind of applications before, kindly share the way of how you're handling the storage of public and private keys.
I assume the user keys are used to either sign the data sent from client to server or encrypt data sent from server to client.
You really shouldn't store the private key of the user on the server (or generate for that matter). It is better to generate the key pair on the client and send the public key to the server encrypted with the public key of the server.
The server (and developers/ops) never receives the user private key and cannot impersonate the user. Everytime the user logs in, a new key pair is generated and the public key is overwritten in the database.
Note that this doesn't entirely protect you from attacks, because a network-based attacker may simply inject additional JavaScript to steal the user private keys or instruct the client to send all information directly to the attacker. The only way to solve this, is to use SSL/TLS.
这篇关于什么是存储公钥和主键的安全方式?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
