Protecting public/private keypair in web app
Question
My application requires a public and private keypair combo in order to create signed URLs to access our assets from Cloudfront. The issue I am having is how to protect this keypair so that an unauthorized user could not simply download the keypair themselves, and generate signed URLs without our permission.
I considered encrypting the keypair, but this seems like it would do no good, as the encryption key would have to be stored in the client side code, which is visible in Javascript. I cannot think of any other way to protect the keypair from someone who is simply able to use Chrome dev tools.
Does anyone know of a way that I can protect my keypair without having to store a secret key in the client side code? I have already considered code obfuscation, but this technique seems very easy to work around. I am looking to find out if anything else is possible.
Thank you.
1 answers
solution1
0 2015-07-21 00:50:15
You don't need to protect your public key because it's public.
You'll need to sign your urls on the server, not in the browser.
The most secure way to protect your private key is with a hardware security module, but they're not cheap.
The next best way is to protect it with access controls on your server.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.