If you have a symmetric key which is negotiated via SRP protocol between a mobil

Question

If you have a symmetric key which is negotiated via SRP protocol between a mobile device (e.g. smartphone) and a server, what would be a safe way to persist this resulting key on each side?

On the client side you could use PBKDF2 or a similar key derivation function to generate a key to then use to encrypt/decrypt the symmetric key before using it. Would this be considered (acceptably) safe?

What possibilities are there on the server side? What procedure would be considered safe to store such a key in a database?

How does for example Amazon store their symmetric keys used for their query string authentication for S3? (For information: On S3 you can restrict access to stored objects so that only requests with a valid signature (created using HMAC) are granted access to the requested (restricted) object)

Explanation / Answer

Secret keys (symmetric or asymmetric) are typically stored in an encrypted medium of some sort such as a keystore or encrypted database. Specific example of a keystore would be the JKS (Java Key Store), and a database would be SQLCipher. This encrypted medium is secured with a password, which is needed in order to read/write to it. SQLCipher will first churn the password through with PBKDF2.

The question of where that password is stored will of course affect the security of your system. For the client side, expecting the user to remember the password is the best option. For the server side, a common approach is save it in a removable drive that resides in a secure location.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.