configuration - Storing encryption keys for desktop application (Email Client) [Duplication]
There are many articles on Stack Overflow and security.stackexchange on storing encryption keys, but I am still confused, which is why I decided to ask again here.
Basically, I am creating an email client for education purposes, in which users can create an account and enter their email-id and password. I am looking for a secure way to save this information.
I am
- encrypting the email-id and password
- and storing the encryption key on the user's PC, because I don't want the user to type in the password every time they send email
From my reading I have understood that:
- I need to store the encryption key in a separate location that is difficult for a hacker to find. The problem here is that the application is written in Python and is an open source application, so a hacker can view the source code and the path of the directory where the key is stored.
- A second solution is that I can have a master password used as the key. When the user opens the application for the first time after starting the computer, the application will ask for the master password, and I can store the key in RAM.
Looking at articles on the internet on this topic is repetition. I am still learning to make applications, and for the last 2 days I have been going in a loop with no success.
OS: Linux Ubuntu 14.04
Programming language/framework: Python/GTK+
Your understanding is correct.
It's impossible to prevent an attacker with access to the local key from accessing the password. Obscuring the path where it is stored provides virtually 0 additional security - an attacker with the know-how necessary to perform the decryption will bypass such a mechanism.
The secure way of storing the key (or the key to the key) is out of the computer - in the user's mind, in the case of a master password mechanism.
If you end up using a master password, don't forget to use a proper key derivation function, ideally with a key-stretching mechanism, such as PBKDF2 or bcrypt. Never use the password as the key directly (or a simple hash of the password).
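The master-password scheme recommended in the answer, as an added example that is not part of the original post: PBKDF2 stretches the password, only a salt, iteration count and verifier are written to disk, and the encryption key exists only in memory after a successful unlock. The function names, the labels and the iteration count are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600000  # assumed work factor; tune it to the slowest supported machine


def derive_keys(master_password, salt, iterations):
    """Stretch the master password, then split it into two independent keys."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations
    )
    # Separate labels keep the stored verifier from revealing the encryption key.
    enc_key = hmac.new(stretched, b"credential-encryption", hashlib.sha256).digest()
    verifier = hmac.new(stretched, b"password-check", hashlib.sha256).digest()
    return enc_key, verifier


def create_record(master_password, iterations=ITERATIONS):
    """Build the record that is safe to store on disk (it contains no key)."""
    salt = os.urandom(16)  # fresh random salt for every account
    _, verifier = derive_keys(master_password, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "verifier": verifier.hex()}


def unlock(master_password, record):
    """Return the in-memory encryption key, or None for a wrong password."""
    salt = bytes.fromhex(record["salt"])
    enc_key, verifier = derive_keys(master_password, salt, record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(verifier, bytes.fromhex(record["verifier"])):
        return None
    return enc_key


if __name__ == "__main__":
    record = create_record("constructed sample passphrase")
    print("stored on disk:", record)
    print("wrong password ->", unlock("guess", record))
    key = unlock("constructed sample passphrase", record)
    print("unlocked key length:", len(key), "bytes (kept in RAM only)")
```

The returned key would then be passed to an authenticated cipher from a maintained library to encrypt the stored email credentials; that step is outside this sketch.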