What to do with the key store file.  Cryptography.

Posted on 2005-04-12
Last Modified: 2010-03-31
So let's say I implement an example like this for a real life project.  What do I do with the key store file so nobody finds it?  Couldn't they just open it or copy it and have the key?
Question by:turtletimer
    LVL 9

    Expert Comment

    It really depends on how secure the key needs to be.
    For something that needs to be very secure, you could put the key on a smart card and require a pin number to access the data.
    Or if this is only to encrypt your emails from other people at your household, you may only need to burn the key to a cd and hide it under your bed :-p

    It all comes down to what the key is going to be used to encrypt/decrypt.

    Author Comment

    It is going to be for a client/server game.  The client would have to login to my server app in order to play my multiplayer game.  I wanted to encrypt the login details before I sent them over the socket.  If I understand right the client and the server have the key store file.  What do I do with the keystore file on the client side?

    Or is there a better way to do this whole thing?
    LVL 9

    Expert Comment

    Sorry if I have misunderstood, but do you want to use public key cryptography (where both the client and server have their own key pair) or secret key cryptography (where both the client and server would share the secret key)?

    Author Comment

    Whichever is more secure.  That's what I am asking.  What is the best way to remotely authenticate a user on my game server?  I don't have any cryptography experience.  I was under the impression that both the server and client would have an identical key file.  But, I am worried because on the client app won't this key file just be sitting there saying "Hey look at me, I'm the key".  On the client app there will be a login screen

    UserName: blah
    Password: blah

    Then I'm going to send this to the socket on the server as : 10 blah blah

    10 a byte so the server knows what the client wants to do.

    So if I'm sending just like that then it's pretty insecure, right?  So, what's the industry standard way of doing this?
    LVL 9

    Accepted Solution

    >So if I'm sending just like that then it's pretty insecure, right?

    Just keep in mind that no matter how secure any system is made, it can always be broken. All you can do is slow down the process.

    Seeing as you don't have much cryptography experience, I'd say the best way to tackle this would be using an SSL connection between the client and server.
    It will save you many hours of stress, liters of coffee and delay you going bald.

    SSL is public key cryptography that's ready to go without you needing to worry about encryption and decryption.
    Public key cryptography is more secure in this situation because having to share a secret key would make it more vulnerable.

    Going back to the keystore...
    You will need a separate keystore for the server containing its public key and a truststore for the client also containing the server's public key.
    The truststore could be distributed in the clients jar file.

    Have a look at the following examples; they should be enough to get you started.

    One more thing, if you want to learn more about Cryptography, there is a brilliant book written by Jonathan Knudsen called 'Java Cryptography'. I recommend this book to anyone wanting to learn about the subject.
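    An added example (not the answer's own code) of the keystore/truststore split described above, in Java: the server loads its private key from its own keystore, and the client loads a truststore that is shipped inside the client jar as the resource /truststore.jks and contains only the server's certificate. The file path, the resource name and the password "changeit" are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;

public class GameTls {
    // Assumed placeholder passwords; real deployments take them from configuration.
    static final char[] SERVER_KS_PASS = "changeit".toCharArray();
    static final char[] TRUST_PASS = "changeit".toCharArray();

    // Server side: the keystore holds the server's private key and certificate.
    static SSLServerSocket serverSocket(String keystorePath, int port) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, SERVER_KS_PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, SERVER_KS_PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        // Default enabled suites only: authenticated suites, no "_anon_" ones.
        return (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
    }

    // Client side: the truststore bundled in the jar holds only the server's certificate,
    // so there is no private key on the client to steal.
    static SSLSocket clientSocket(String host, int port) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = GameTls.class.getResourceAsStream("/truststore.jks")) {
            if (in == null) throw new IllegalStateException("truststore.jks missing from jar");
            ts.load(in, TRUST_PASS);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        // Raw SSLSocket does not check the certificate's host name by default; turn it on.
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();   // throws if the server's certificate is not in the truststore
        return s;
    }
}
```

    After startHandshake() returns, the login bytes can be written to s.getOutputStream() as before, now inside the encrypted channel.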
    LVL 15

    Assisted Solution

    I agree with OBCT that SSL is probably a good fit to your needs, though if you are looking for a pure secure channel without the need to authenticate the two sides then you set SSL to use one of the anon cipher suites.
    Doing so will enable you to have a secure channel without the need of having trust stores and distributing certificates.
    This is an example of how to set your SSL socket with an anon cipher:

    // The suite list is a String[]; the suite name must also be enabled on both ends.
    // Anonymous suites exchange no certificates, so neither side is authenticated;
    // current JDKs disable anon and RC4 suites by default.
    String[] CIPHER_SUITE = new String[]{ "SSL_DH_anon_WITH_RC4_128_MD5" };

    // server
    SSLServerSocket listen = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(port);
    listen.setEnabledCipherSuites(CIPHER_SUITE);
    SSLSocket socket = (SSLSocket) listen.accept();

    // client
    SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
    socket.setEnabledCipherSuites(CIPHER_SUITE);

    or for more generic code:
    SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
    String[] supported = server.getSupportedCipherSuites();
    String[] anonCipherSuitesSupported = new String[supported.length];
    int numAnonCipherSuitesSupported = 0;
    for (int i = 0; i < supported.length; i++) {
        // collect every supported suite whose name contains "_anon_"
        if (supported[i].indexOf("_anon_") > 0) {
            anonCipherSuitesSupported[numAnonCipherSuitesSupported++] = supported[i];
        }
    }
    String[] oldEnabled = server.getEnabledCipherSuites();
    String[] newEnabled = new String[oldEnabled.length + numAnonCipherSuitesSupported];
    System.arraycopy(oldEnabled, 0, newEnabled, 0, oldEnabled.length);
    System.arraycopy(anonCipherSuitesSupported, 0, newEnabled, oldEnabled.length, numAnonCipherSuitesSupported);
    // without this call the enabled list is never actually changed
    server.setEnabledCipherSuites(newEnabled);