2

....key is normally a string of bits used by a cryptographic algorithm to transform plain text into cipher text or vice versa....

https://www.di-mgt.com.au/cryptokeys.html

Suppose I have a Backend server which stores some public keys the user submits using some FrontEnd page.

Presumably the user is going to copy-paste the key into some HTML text field to submit it to the server, which will encrypt the key and store it.

The question is: what is the recommended way of representing/submitting an encryption key?

Should it be converted to a byte array, hex or Base64?

If so, who is responsible for this conversion? Frontend? User? Backend?

The scope is to avoid key alteration due to different String encodings like UTF-8, UTF-16, etc.

  • 1
    Since the public key is an ASCII-only string, the encoding doesn't actually matter, since the representation for all ASCII characters will be exactly the same across the UTF encodings. If there are any Unicode characters in the input, it's not a valid public key. Since it's ASCII only, it doesn't matter how you store it, as long as you return it the same way to the user. E.g. store it as base64, then un-base64 it before returning it to the user. – Chris Murray Nov 01 '19 at 10:20

1 Answer

3

It does not matter how it is represented as long as it is a pure ASCII encoding, i.e. hex, base64, base32 or similar are all fine while pure binary is not. UTF-whatever makes no sense at all since it is not about characters but bytes.

It also does not matter where the transformation is done, i.e. backend, frontend, etc. In fact, some backend applications even require ASCII-encoded data, like with PEM-encoded certificates or keys. But if binary is required, the conversion can also be done inside the browser, since HTTP by itself has no problem transferring binary data.

Steffen Ullrich
  • For the sake of the principle of least astonishment, I would love for the user to later see the same characters he/she submitted. – Andrei Amarfii Nov 01 '19 at 09:42
  • That makes me think about validation / requiring that input is base64 – Andrei Amarfii Nov 01 '19 at 09:43
  • @AndreiAmarfii: Any kind of user input should be validated if missing or insufficient validation can cause harm. There is nothing known about your specific use case to decide this. But even just checking for base64 might not be enough if possible attacks are on other levels, like deliberately malformed certificates or keys which might make the application crash or even execute code. – Steffen Ullrich Nov 01 '19 at 10:08
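
The encoding and validation points from the answer and its comments, as an added example that is not part of the original thread: a backend-side Python function that accepts a pasted key as PEM, base64 or hex text, rejects non-ASCII or malformed input, and returns the raw bytes. The function names, the `MAX_KEY_BYTES` limit and the sample bytes are assumptions made for this example.

```python
import base64
import re

MAX_KEY_BYTES = 8192              # assumed size limit for this example
SAMPLE_RAW = bytes(range(32))     # constructed bytes standing in for a key

# PEM armor: BEGIN/END lines with matching labels around a base64 body.
_PEM_RE = re.compile(
    r"\A-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----\Z", re.S)


def decode_submitted_key(text: str, encoding: str = "base64") -> bytes:
    """Turn a pasted key (PEM, base64 or hex text) into raw bytes.

    Raises ValueError for anything that is not cleanly encoded. This checks
    the text encoding only; the bytes still need parsing as a key afterwards.
    """
    if encoding not in ("base64", "hex"):
        raise ValueError(f"unsupported encoding: {encoding!r}")
    if not text.isascii():
        raise ValueError("key text contains non-ASCII characters")
    text = text.strip()
    pem = _PEM_RE.match(text)
    if pem:                        # PEM bodies are always base64
        text, encoding = pem.group(2), "base64"
    compact = "".join(text.split())   # drop line wraps from copy and paste
    try:
        if encoding == "hex":
            raw = bytes.fromhex(compact)
        else:
            raw = base64.b64decode(compact, validate=True)
    except ValueError as exc:      # binascii.Error is a ValueError subclass
        raise ValueError(f"malformed {encoding} key text: {exc}") from None
    if not 0 < len(raw) <= MAX_KEY_BYTES:
        raise ValueError("decoded key is empty or too large")
    return raw


def canonical_text(raw: bytes) -> str:
    """One storage/display form (unwrapped base64) for every accepted input."""
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    pasted = canonical_text(SAMPLE_RAW)
    # The characters survive any string encoding; only the decoded bytes matter.
    assert pasted.encode("utf-16").decode("utf-16") == pasted
    print(decode_submitted_key(pasted).hex())
```

Storing only the canonical form means a key pasted as hex or PEM is shown back as base64; keep the submitted text as well if the user must see exactly what was entered.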