Question

I want to create an application that encrypts messages for the server with the public key of the server. I thought to use KeyCzar, but if you have better or other good ideas, I will be glad to hear.

My questions:

  1. The application has to save the public key. Where should I store it?
  2. How can I encrypt messages with this public key? I didn't find asymmetric encryption functions. (The application will encrypt a symmetric key, and the data will be encrypted with the symmetric key.)

By the way, I must use a public key, because messages from the same sender should not be linked by the recipient.

References and examples to such a hybrid encryption, or even just to the use of public key encryption scheme (using KeyCzar or other recommended tools), will be appreciated.


Solution

For Keyczar, the hybrid encryption APIs are in SessionCrypter.

There is a little more info about it in the C# version docs, and it should apply to Java for the most part.

Keyczar will store all of its keys in a keyset on disk; that keyset allows for key rotation by default. But I've seen it modified to load keys from jar resources.

OTHER TIPS

I'll answer your questions in order:

  1. Where you store the key is up to you. Maybe you never want to update it. In that case you can store it as a resource or even "hard coded". In that case you have to create an update to your application to update it. Public keys are public, so there is no need to keep them safe. On the other hand, you may want to add some code to check if your trust store is not altered. You could also use a Java keystore like JKS, but in that case you need to create a certificate chain. Just sending them to the application is not a good idea; you need a secure path to avoid Man-in-the-Middle attacks.

  2. Asymmetric encryption with RSA is certainly defined in the PKCS#1 standards (implemented in the Sun provider, using Cipher in Java). There are two schemes defined, the PKCS#1 v1.5 scheme and OAEP. The latter is safer.
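The hybrid scheme this answer describes, written out with the JCA `Cipher` API: a fresh AES key and nonce per message (so two messages from one sender share no visible state), the data under AES-GCM, and the AES key wrapped with RSA-OAEP. This is an added example, not code from the answer or from Keyczar; the class and method names and the message layout are this example's own assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridExample {
    // Message layout (constructed for this example, not a standard): [wrapped AES key][12-byte nonce][GCM ciphertext+tag]
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT); // SHA-256 for MGF1 too, explicit on both sides

    // Sender: needs only the server's public key. Fresh key and nonce per message, so messages share no state.
    static byte[] encrypt(PublicKey serverPub, byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, nonce));
        byte[] body = aes.doFinal(plaintext);
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, serverPub, OAEP);
        byte[] wrapped = rsa.wrap(sessionKey); // output length == RSA modulus length (256 bytes for RSA-2048)
        return ByteBuffer.allocate(wrapped.length + nonce.length + body.length).put(wrapped).put(nonce).put(body).array();
    }

    // Receiver: unwrap the session key with the private key, then authenticate and decrypt the body.
    static byte[] decrypt(PrivateKey serverPriv, byte[] msg) throws GeneralSecurityException {
        int wrappedLen = ((RSAKey) serverPriv).getModulus().bitLength() / 8;
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, serverPriv, OAEP);
        Key sessionKey = rsa.unwrap(Arrays.copyOf(msg, wrappedLen), "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(128, msg, wrappedLen, 12));
        return aes.doFinal(msg, wrappedLen + 12, msg.length - wrappedLen - 12); // AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair(); // in practice the client holds only the public half
        byte[] ct = encrypt(server.getPublic(), "hello server".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(server.getPrivate(), ct), StandardCharsets.UTF_8));
    }
}
```

Because GCM authenticates the body, any modification of the ciphertext or nonce fails in `doFinal` rather than yielding garbage plaintext; the OAEP parameters are spelled out so that sender and receiver cannot drift apart on the MGF1 digest.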

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow