The Care and Feeding of Keys

Private keys must be kept secret. This is the whole premise of public key cryptography. Unfortunately, a private key is not something people can memorize. It needs to be stored electronically, whether on fixed media (a hard disk), removable media (a floppy disk), or a hardware device (a smart card). Smart cards are not widely available, so you will most likely store your private key in a disk file of some sort.

Using javakey, there are two possible private key vulnerabilities. If you write your private keys to disk files, those files must be protected. Additionally, private keys are stored in the javakey database file. This file, by default, is identitydb.obj and lives in the JDK installation directory. If you wish to change the location of this file, you can specify the identity.database property in the lib/security/java.security file found beneath the JDK installation directory. Note that the java.security file should also be protected, particularly on a multiuser system.
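A permission check for the two files named above, as an added example that is not from the book or the JDK. It assumes POSIX permission bits, that identity.database holds a literal path, and a policy chosen for this example: the key database is owner-only and java.security is not writable by group or other.

```python
import stat
import sys
from pathlib import Path

GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO      # any group/other access
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH    # group/other write only

def identity_db_path(jdk_home):
    """Path of the javakey database: identity.database if set, else the default."""
    jdk_home = Path(jdk_home)
    props = jdk_home / "lib" / "security" / "java.security"
    if props.is_file():
        for raw in props.read_text(errors="replace").splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", "!")):
                continue  # blank line or properties-file comment
            key, sep, value = line.partition("=")
            if sep and key.strip() == "identity.database":
                return Path(value.strip())
    return jdk_home / "identitydb.obj"  # default named in the text

def audit(jdk_home):
    """Return (path, problem) pairs for the two files the text says to protect."""
    jdk_home = Path(jdk_home)
    checks = [
        # Assumed policy: the key database holds private keys, so owner-only.
        (identity_db_path(jdk_home), GROUP_OTHER_ANY, "accessible to group/other"),
        # Assumed policy: java.security selects the database location,
        # so nobody but the owner may write to it.
        (jdk_home / "lib" / "security" / "java.security", GROUP_OTHER_WRITE,
         "writable by group/other"),
    ]
    findings = []
    for path, bad_bits, problem in checks:
        if path.is_file() and path.stat().st_mode & bad_bits:
            findings.append((path, problem))
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_javakey.py JDK_HOME")
    for path, problem in audit(sys.argv[1]):
        print(f"{path}: {problem}")
```

An empty result means both files pass this example's policy; it says nothing about who can read backups or exported key files elsewhere on disk.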

You can feel safe if these conditions are met:

  • You are the only person who uses your computer.

  • Your computer is in a physically secure location.

  • Your computer is not connected to a network.

This is not a realistic scenario. The last point is the least likely to happen; it’s hard to find a computer that isn’t on a LAN or connected to the Internet in one way or another. You are actually pretty safe if you are not running any server software. Even if you’re not, though, there is always the ...
