How encryption keys should be distributed?

Giganews Newsgroups
Subject: How encryption keys should be distributed?
Posted by:  mauricio.cadi…@gmail.com
Date: 8 May 2007

Several software applications needs to encrypt and decrypt data,
requiring either a single key in symmetrical encryption algorithms or
public/private keys in asymmetrical algorithms, but how these keys
should be distributed?
Embed the key(s) within the application executable is a very
vulnerable approach, since an attacker may trace API calls, or run
the
application under a debugger and simply halt the program when the
keys
has been reconstructed.
And what about the risk to distribute the key in every exeucutable
copy embedded within, if some attacker gets this key it can make it
public, and every user of this application may use it to break its
own
installation.

Can anyone give me any suggestion? Or point me in the correct
direction to avoid these problems?

Replies