RSA keys keys static generation

Question

I'm guiding myself with this answer over here, which explains how to use both AES and RSA.

I managed to successfully implement the AES part with an util class in which I use a passphrase to generate keys. This passphrase will not change, the purpose of this is to encrypt a password before encoding it and saving it to a database. Then whenever I need to decrypt this password I can do it with the same passphrase, which should generate the same key. I've got this working.

Now my question begins with RSA. I have to send via JSON through a Java JAX-RS web service the info to register an user. HTTPS/SSL is out of the question for... "tech" reasons. So instead I'm trying to at the very least, send the password encrypted with a public key. and decrypt it with the private key on the server.

I then encrypt it with AES and store it in the database.

How would my client (android) know the public key before any of this even happens if I have to generate different keys every time?

Answer 1

You don't have to generate new RSA keys every time. You can simply encrypt with the public key each time. If the data is too large then you should try and use hybrid encryption (i.e. generate a random AES key each time, encrypt the message with it and then encrypt the AES key with the public key of the RSA key pair).

You can simply distribute the public key within your Android app.

It's probably best not to use symmetric encryption at the server, if you want to store passwords for authentication, generate a salt on the server and perform PBKDF2 on the password. Then store the salt and the result of PBKDF2. Then whenever an authentication attempt is made, retrieve the salt, perform the PBKDF2 function again and compare the result with the value in the database.