JavaCard OS

Posted: **Sat Nov 05, 2016 5:20 am**

I need to decrypt AES-encrypted data in my applet. And I have put the key which is used to encrypt data clearly in my applet constructor. Is it safe to have this key obviously in my code? For security, what is a proper way to do this?

Code: Select all

public BWApplet() {

...

byte[] aesKeyArray = {     (byte)0xAA, (byte)0xAA, (byte)0xAA, (byte)0xAA,      
                        (byte)0xAA, (byte)0xAA, (byte)0xAA, (byte)0xAA,
                        (byte)0xAA, (byte)0xAA, (byte)0xAA, (byte)0xAA,
                        (byte)0xAA, (byte)0xAA, (byte)0xAA, (byte)0xAA};
                        
 ...
}

Posted: **Sat Nov 05, 2016 5:36 am**

You can pass it through the install parameters for the applet and use the card DEK key for the secure session. Then you store the byte array in a key object. It would be easier to extract keys if they are stored in an array.

Posted: **Sat Nov 05, 2016 9:19 am**

A more permanent solution that solves all the problem is to have the card own it's own RSA keypair. The card's RSA keypair would be generated via the genKeyPair() method for the RSA 2048 bit key when the applet is installed via it's register() method.

Then you extract the public key and use the public key to wrap your future keys and deposit it within the card. This way neither do you need to hard-code the AES key in the applet nor do you need to leak the key via the applet installation process as applet installation may or may nor run with encryption enabled.

Thus, the safer option is for all applets to own their internally generated keypairs for wrapping and attesting the applet identity.

JavaCard OS

Best way to store key

Best way to store key

Re: Best way to store key

Re: Best way to store key