Re: Persistent Key Values

Jan Luehe (Jan.Luehe@Eng)
Tue, 21 Apr 1998 18:35:30 -0700 (PDT)

Date: Tue, 21 Apr 1998 18:35:30 -0700 (PDT)
From: Jan Luehe <Jan.Luehe@Eng>
Subject: Re: Persistent Key Values
To: java-security@web1.javasoft.com, brierchecks@msx.upmc.edu

Scott:

> If I have generated a key and cipher, how do I make them persistent
> (i.e. write them to a file in a way that I can retrieve them later). Is
> it correct to use the IvParameterSpec.getIv() to return the
> Initialization Vector for the cipher? If so, then I'm all set to
> preserve the cipher, but I want to make sure this is the right thing to
> be using.
>
> Second, can I also preserve the key, or is it only possible to preserve
> the cipher?

As you may have noticed, the Cipher class is not serializable
(does not implement the java.io.Serializable interface).
Therefore, it is impossible to preserve an entire Cipher object.
However, you can preserve the session key and iv separately.
It would be a bad idea to store your plaintext session key to a file,
without protecting it against unauthorized access.
You may want to generate an RSA key pair, and "seal" your session
key with your RSA public key (using the "SealedObject" class).
Then you can serialize the SealedObject and store it to a file.
Later, you would deserialize the SealedObject, and unseal the
session key with the corresponding RSA private key. You could
store your RSA keypair in your keystore, where it is protected.

In the upcoming JDK1.2beta4, you will also be able to store your
session key in your keystore (in protected format).

Jan