|Subject:||How encryption keys should be distributed?|
|Date:||8 May 2007|
Several software applications needs to encrypt and decrypt data,
requiring either a single key in symmetrical encryption algorithms or
public/private keys in asymmetrical algorithms, but how these keys
should be distributed?
Embed the key(s) within the application executable is a very
vulnerable approach, since an attacker may trace API calls, or run
application under a debugger and simply halt the program when the
has been reconstructed.
And what about the risk to distribute the key in every exeucutable
copy embedded within, if some attacker gets this key it can make it
public, and every user of this application may use it to break its
Can anyone give me any suggestion? Or point me in the correct
direction to avoid these problems?