在我的代码中写入RSA私钥是否安全？

Question

I have an important file saving in my app's document directory. I don't allow other to view its content so I encrypt the file with auto-generated AES key and encrypt this AES key with RSA public key, then save the encrypted AES key to NSUserDefaults.

When using the important file, I will fetch the encrypted AES key and decrypt the AES key with RSA public key, then decrypt the file.

But I don't know where to store the RSA private key, is it safe to write it in my code like NSString *rsaPrivateKey = @"%^^&*(())"; , if not, is there a safer solution ?

I know how to generate RSA public and private key using openssl ( This link helps me )

Edit:

The important file is only open to the user himself, you can consider it as a photo with some sensitive content and the photo is saved by the user.

Answer 1

In principle you are trying to solve the DRM problem. As long as you cannot trust the runtime system, there is no complete solution. Your best bet is to store keys in system provided containers and hope those are well protected (ie the iOS key chain as borrrden already mentioned).

If that fails you can encrypt your RSA key with an AES key generated from some static information within the device. This should be thought of as obfuscation rather than encryption as the key is not really secret. You should probably try and use a standard container format such as PKCS#8 to encrypt the keys.

It is possible to generate RSA keys from a static set of data (using a PRNG to feed this data in the RSA key pair generator) but those kind of schemes are not standardized, very brittle and take an unspecified amount of CPU time, so I would strongly recommend not to take that route.