About RSA encryption [closed]


Hello,

RSA encryption generates a public.key and a private.key.

However, if I make some application in Java and a "hacker" takes these keys, he can extract the content.

Is there a way to camouflage these public.key and private.key files that will stay inside the application?

Author: MarceloBoni, 2017-03-24

2 answers

Encryption basically works like this:

  • (a) What is written using the private key can only be read with the public key.
  • (b) What is written using the public key can only be read with the private key.

The idea is that you share your public key, while the private key should be kept and protected in every possible way. If your private key leaks, the full protection guarantee of the encryption is lost.

The RSA algorithm (or any other asymmetric-key algorithm) assumes that your private key is secure. It is not part of the algorithm or of the encryption to say how or what you do to keep that private key; it just uses the key you give it. The key generation algorithm also doesn't say how you should protect your keys; it just produces them and delivers them to you.

Case (b) above is used when someone wants to write an encrypted message that only you can read. Since it is created with your public key, anyone can write it; after all, the key is public. However, only you, who have possession of the private key, will be able to read it.

Case (a) above is used for digital signatures. If you publish a message encrypted with your private key, everyone can read it using the public key. However, its authorship is guaranteed and confirmed, since the only way for the message to be readable with your public key is if it was generated with your private key, to which only you have access. This serves to ensure the authenticity of the information.

If a hacker has access to your private key, he can take control of your encryption, read your private messages and also impersonate you. It is more or less the same as when a hacker has access to your password.

If you are tempted to distribute your private key within the application, you are probably doing it wrong, since you should never distribute your private key.

If the purpose of the application is to send messages to a central server controlled by you, it only needs the public key used by the server. The private key should be well protected and well kept inside the server and never leave it.

If the application also needs to authenticate the messages it generates and certify the author's identity, you can generate a different public/private key pair for each application installation (within the application itself) and send the public key to you or to third parties. Each application should guard its own private key as best it can. And again, you should never put the server's private key inside the application.

Within the application, the private key can be protected by any means that offers a minimum of security, such as putting it in some internal file. However, you don't have to kill yourself making this app private key ultra-secure, because each installation will use a different private key. Therefore, if a hacker manages to obtain the private key used in installation X, only installation X is compromised, not all installations and not the server. In this way, your only care will be to ensure that the application does not leak the private key.

 3
Author: Victor Stafusa, 2017-12-01 15:21:04
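The design in the answer above, as an added example that is not part of the original post or either answerer's code: the server owns one key pair whose private half never leaves it; each installation generates its own pair; the installation encrypts with the server's public key (case b) and signs with its own private key (case a); the server verifies against the public key that installation registered and only then decrypts. It uses Go's standard library (crypto/rsa with OAEP and PSS padding, the modern choices rather than textbook RSA). The function names Seal, Open, GenerateKeyPair and the Envelope type are assumptions made for this illustration, and the messages are constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what one application installation sends to the server:
// the message encrypted with the server's public key (case b above), plus
// a signature made with the installation's own private key (case a above).
// Type and field names are illustrative, not from the original post.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// GenerateKeyPair produces a fresh 2048-bit RSA key pair. The server calls
// it once; every installation calls it on first run and keeps the private
// half locally, so a leak from one installation compromises only that one.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs inside the application. It needs only the server's public key
// and the installation's own private key; the server's private key is
// never present here.
func Seal(msg []byte, serverPub *rsa.PublicKey, installPriv *rsa.PrivateKey) (*Envelope, error) {
	// Case (b): only the holder of the server's private key can read this.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, msg, nil)
	if err != nil {
		return nil, err
	}
	// Case (a): sign the ciphertext so the server can check authorship
	// before it spends any effort decrypting.
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, installPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open runs on the server. It needs the server's private key (which stays
// on the server) and the public key the sending installation registered.
func Open(env *Envelope, serverPriv *rsa.PrivateKey, installPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(installPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from this installation, or tampered")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.Ciphertext, nil)
}

func main() {
	serverKey, _ := GenerateKeyPair() // lives only on the server
	installX, _ := GenerateKeyPair()  // generated by installation X
	installY, _ := GenerateKeyPair()  // generated by installation Y

	// Constructed sample message from installation X.
	env, _ := Seal([]byte("report from installation X"), &serverKey.PublicKey, installX)
	pt, err := Open(env, serverKey, &installX.PublicKey)
	fmt.Printf("server read: %q (err=%v)\n", pt, err)

	// Installation Y cannot impersonate X: the server verifies against X's public key.
	forged, _ := Seal([]byte("forged report"), &serverKey.PublicKey, installY)
	_, err = Open(forged, serverKey, &installX.PublicKey)
	fmt.Println("forged envelope:", err)
}
```

Note that RSA-OAEP with a 2048-bit key and SHA-256 can encrypt at most 190 bytes per operation; for real payloads the usual practice is to encrypt the data with a fresh symmetric key and RSA-encrypt only that key, but the trust boundaries (which key sits where) are exactly the ones shown here.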

RSA encryption uses (does not generate) a key pair: a public key that can be known to everyone, and a private key that must be kept private. That's exactly why it's called private. Any message encrypted using a public key can only be decrypted using its private key.

More details about the RSA algorithm on Wikipedia.

 2
Author: Murillo Goulart, 2017-03-24 21:49:46