Re: Share and store RSA - public key in java server and vice versa
Re: Share and store RSA - public key in java server and vice versa
- Subject: Re: Share and store RSA - public key in java server and vice versa
- From: Roland King <email@hidden>
- Date: Thu, 15 May 2014 06:48:45 +0800
I'm just pointing out the advice which is constantly and consistently given by Apple (particularly Quinn) on the developer forum that getting the bits of a private key on iOS is unsupported and subject to change, and to do the job on a server which you trust and return the information. Here's one such thread, there are dozens of them.
https://devforums.apple.com/message/951417#951417
My bug report requesting a CSR generating api point on iOS which leaves the private key in the keychain such that it can be validated against, even if you can't read it, is still open.
On 14 May, 2014, at 10:32 pm, Jens Alfke <email@hidden> wrote:
>
> On May 14, 2014, at 7:15 AM, Roland King <email@hidden> wrote:
>
>> If you ask a similar question to the original poster on any of the Apple Developer Forums you'll be advised not to generate key pairs on a device but to do it on a server (the advice will probably come from Quinn)
>
> That’s a weird idea. If the server creates the key-pair, then the server knows your private key, which I would consider a major security breach. If you’re going to trust the server with your credentials, you might as well skip the fiddly encryption stuff altogether and save yourself a lot of work. Otherwise the public keys and certs are just mumbo-jumbo to give the appearance of security.
>
> Put another way: one of the major purposes of public-key crypto is to put you in charge of your own encryption. You generate a key-pair locally on your device/computer, and the private key is known only to you and never leaves that device (except maybe inside a passcode-protected PKCS12 file.) I think of private keys as being like nuclear fuel rods — you keep them in a heavily shielded container (the Keychain) and never let them be exposed to daylight. If you do that, you have a very secure system.
>
> —Jens
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden