If the private key is used in the server for digital signature, once the server is hacked, the private key may be leaked. Is there a way to create a digital signature without exposing the private key?
Asked
Active
Viewed 128 times
0
-
This is a logic error. Creating a signature does not expose the key. It uses the key. Poor key handling exposes the key. – schroeder Dec 03 '20 at 10:03
-
Thank you! What I mean is that if you create a digital signature in the code, you need to read the private key in the code, so I feel that this private key will be at risk of leakage. – wei wang Dec 03 '20 at 10:08
-
1Ok, then you are talking about secure key handling in your code. This is a known problem with many solutions. If you search for this problem, you can find the design patterns to help you. – schroeder Dec 03 '20 at 10:10
-
See https://security.stackexchange.com/questions/12332/where-to-store-a-server-side-encryption-key for info on a variety of solutions to this problem.a the pros and cons of each. – mti2935 Jan 21 '21 at 13:13
1 Answers
1
The solution is to use cryptographic hardware like Hardware Security Module (HSM) or personal device is Cryptographic USB Token or Smartcard. These devices store private key securely on board. Private key never comes out of the device but hash or content to be signed goes in the device and device provides (PKCS11) API to do the cryptographic operations using the key.
Bharat Vasant
- 284
- 1
- 8