[pycrypto] Key generation and storage

Mikael Modin micke.modin at gmail.com
Tue Oct 26 15:27:21 CST 2010


Hi,

I'm working on a small time report project and have implemented a
cache mode for offline work, normally it reports to a server. Since
the users shouldn't be able to add 50 hours to their time reports at
will I thought it would be a good idea to encrypt it. I've implemented
a simple solution using a fixed key and AES using pyCrypto, but I'm
having some thoughts regarding the key. I know it will be impossible
to provide any real security since the client will be running on their
machine on hardware I have no control over, but since it will most
likely be mainly 40 year old stay-at-home-moms working in their spare
time I figure some kind of encryption would be enough.

Currently I'm using a hardcoded key but that feels really bad so I'm
wondering how to solve the key generation and storage issue. As I see
it there are two options:
a) secret key, stick with AES. Base the key on a hash of user+password
something similar and store it in a file with a name they likely won't
like to touch, "vs_core.dll" or something. Security by obfuscation.
b) public/private key. the problem here is that since the client need
both to encrypt and decrypt again before sending all the chached time
reports. store the keys similar to a)
c) public/private key. the server generates the pair and send the
public key to the client who uses it to encrypt the cache and then
simply uploads the encrypted data to the server. This has the
disadvantage that it might become a fairly large upload in one chunk,
but could probably be solved in other ways.

Do you have any other suggestions?

Kind regards,
Mikael Modin


More information about the pycrypto mailing list