As I have developed my app using openFL, which uses Haxe, and I am about to start the activation part of my software, I wonder how I would safely store my encryption secret key. Would I just hard-code it into my app?
I will be using this key to encrypt data before sending it to the server, and I will be using it to decrypt data received from the server too.
Can anyone recommend best practices followed in such a case?
This sounds like a job for asymmetric encryption.

You can store an RSA public key within your application. With this public key you can encrypt an AES key (using PKCS#1 OAEP or v1.5 padding).

The server can now decrypt the AES keys using the private key and decrypt the data with the retrieved keys. Then verify the MAC, if you included it in your protocol. Finally decrypt the ciphertext to retrieve the plaintext.

This scheme is called hybrid encryption because it uses both symmetric and asymmetric encryption. Beware of padding oracle attacks (which leak all the plaintext to an attacker) if you don't use a MAC. Always verify the MAC before decrypting.
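A worked version of the hybrid scheme the answer describes, added here as an example; it is not code from the thread, from the asker's app, or from openFL/Haxe. It uses only the Go standard library: the client embeds nothing but the server's RSA public key, wraps a fresh random session secret with RSA-OAEP, encrypts the payload with AES-256-CTR, and attaches an HMAC-SHA256 tag over nonce and ciphertext. The server unwraps the secret with its private key and checks the tag before it decrypts anything. The names `Envelope`, `Seal`, `Open` and `deriveKeys` and the sample message are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the client sends: the session secret wrapped under the
// server's RSA public key, the CTR nonce, the ciphertext, and an HMAC-SHA256
// tag over nonce||ciphertext (encrypt-then-MAC). Names are assumptions.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Tag        []byte
}

// deriveKeys splits a 64-byte session secret into separate AES and HMAC keys
// so the two primitives never share key material.
func deriveKeys(secret []byte) (encKey, macKey []byte) {
	return secret[:32], secret[32:]
}

// Seal runs on the client. Only the public key lives in the app, so pulling it
// out of the binary gives nobody the ability to decrypt traffic.
func Seal(serverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	secret := make([]byte, 64)
	if _, err := io.ReadFull(rand.Reader, secret); err != nil {
		return nil, err
	}
	encKey, macKey := deriveKeys(secret)

	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aes.BlockSize) // fresh per message; CTR needs no padding
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)

	mac := hmac.New(sha256.New, macKey)
	mac.Write(nonce)
	mac.Write(ct)

	// RSA-OAEP (PKCS#1 v2) wraps the session secret for the server.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Tag: mac.Sum(nil)}, nil
}

// Open runs on the server, the only holder of the private key. The tag is
// verified in constant time before any decryption, so a tampered message is
// rejected without ever touching the cipher.
func Open(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil || len(secret) != 64 {
		return nil, errors.New("cannot unwrap session key")
	}
	encKey, macKey := deriveKeys(secret)

	mac := hmac.New(sha256.New, macKey)
	mac.Write(env.Nonce)
	mac.Write(env.Ciphertext)
	if !hmac.Equal(mac.Sum(nil), env.Tag) {
		return nil, errors.New("MAC mismatch: rejected before decryption")
	}

	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCTR(block, env.Nonce).XORKeyStream(pt, env.Ciphertext)
	return pt, nil
}

func main() {
	// Constructed demo: in real deployment the key pair is generated once on
	// the server and only the public half is shipped inside the app.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("activation-request: license=EXAMPLE-0000") // constructed sample
	env, _ := Seal(&priv.PublicKey, msg)
	got, err := Open(priv, env)
	fmt.Println(string(got), err, bytes.Equal(got, msg))

	env.Ciphertext[0] ^= 1 // one flipped bit must fail the MAC check
	_, err = Open(priv, env)
	fmt.Println(err)
}
```

CTR mode plus a MAC is used here because it makes the "verify before decrypt" step explicit and has no padding to act as an oracle; in new code the same standard library's AES-GCM (`cipher.NewGCM`) bundles the encryption and the authentication check into one call and is the simpler choice.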