Protect a symmetric key in an application

Question

I have a secret key that is used by both a server and my application. This key is used for being sure the requests come from the application. Server has not registered users but with this application users may send requests.

I cannot find another solution... I thought about asymmetric keys, Diffie-Hellman... but nothing solves my problem apart from the symmetric key... But the problem is: how to store that key in my java code and protect it?

Answer 1

It is impossible to do this without getting a shared secret (ex: password) from an outside source (ex: user, SMS, etc).

Everyone has access to your entire program. If no outside information is used, it will always be possible for someone to send a forged packet that looks like it came from your application.

Typically you can send a single verification string to the user via email or SMS that they can then enter into the application. If the string is only valid for a short amount of time (say 5 minutes) then it does not have to be extremely long.

To create a temporary key from this string you hash it. You then use this temporary key to prove to the server that you are who you say you are, and obtain a long-term key from the server and store it in a safe place.