I'm trying to communicate using RSA preshared keys and, ideally, without involving truststore shenanigans
The setup is basically like this:
There's an applet on client side and a servlet on server side (duh :) )
The applet has servlet's RSA public key (Spub) hardcoded.
The servlet has its own RSA private key (Spriv) hardcoded.
The applet generates a random AES 256 key (session key), encrypts it with the servlet's public key (which it has hardcoded), connects to the servlet over a TCP socket and sends the RSA-encrypted key to the servlet, which proceeds to decrypt the session key and use it for any further communication with this applet as long as this socket connection lasts.
I would rather do this all without messing with truststore and such (after all, it's a relatively straightforward setup which allows for a pre-shared hardcoded public key).
Any suggestions in regards to where I should start looking to educate myself?
I would agree with the comments that SSL is a decent way to go, but to answer your direct question, the scheme you described is fairly simple and doesn't appear to give away any secrets. Here's an implementation of the RSA portion of the client, based on a hard-coded public key.
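The scheme from the question, written out end to end as an added example (not code from the question or either answer): the applet decodes a hardcoded Base64 copy of Spub, generates an AES-256 session key, wraps it under Spub with RSA-OAEP, and then encrypts traffic under the session key with AES-GCM; the servlet side unwraps with Spriv. The key pair is generated at startup here so the example runs stand-alone; in deployment the Base64 string is a fixed constant and Spriv lives only on the server. The class and method names are my own.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SessionKeyExchange {

    // RSA with OAEP padding for wrapping the session key; PKCS#1 v1.5 padding is the older default
    // and best avoided for new code.
    static final String RSA_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final int GCM_NONCE_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    // Applet side: rebuild Spub from its hardcoded X.509 (SubjectPublicKeyInfo) encoding.
    static PublicKey decodePublic(String base64Spki) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Spki);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // Applet side: wrap the fresh AES session key under Spub. This is the first message on the socket.
    static byte[] wrapSessionKey(SecretKey session, PublicKey spub) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_ALG);
        rsa.init(Cipher.WRAP_MODE, spub);
        return rsa.wrap(session);
    }

    // Servlet side: recover the session key with Spriv.
    static SecretKey unwrapSessionKey(byte[] wrapped, PrivateKey spriv) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_ALG);
        rsa.init(Cipher.UNWRAP_MODE, spriv);
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // Traffic under the session key: AES-GCM, a fresh random nonce per message, nonce prefixed to the ciphertext.
    static byte[] seal(SecretKey key, byte[] plaintext, SecureRandom rng) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        rng.nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = gcm.doFinal(plaintext);
        byte[] out = new byte[GCM_NONCE_BYTES + ct.length];
        System.arraycopy(nonce, 0, out, 0, GCM_NONCE_BYTES);
        System.arraycopy(ct, 0, out, GCM_NONCE_BYTES, ct.length);
        return out;
    }

    // Counterpart of seal(); doFinal throws AEADBadTagException if the message was tampered with.
    static byte[] open(SecretKey key, byte[] message) throws Exception {
        byte[] nonce = Arrays.copyOfRange(message, 0, GCM_NONCE_BYTES);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return gcm.doFinal(message, GCM_NONCE_BYTES, message.length - GCM_NONCE_BYTES);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the deployment keys: in practice Spub is a constant in the applet, Spriv a constant in the servlet.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverPair = kpg.generateKeyPair();
        String hardcodedSpub = Base64.getEncoder().encodeToString(serverPair.getPublic().getEncoded());

        // --- applet ---
        PublicKey spub = decodePublic(hardcodedSpub);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();
        byte[] wrapped = wrapSessionKey(session, spub);
        SecureRandom rng = new SecureRandom();
        byte[] message = seal(session, "hello servlet".getBytes("UTF-8"), rng);

        // --- servlet ---
        SecretKey serverSession = unwrapSessionKey(wrapped, serverPair.getPrivate());
        System.out.println(new String(open(serverSession, message), "UTF-8"));
    }
}
```

Two things worth knowing before deploying this shape. On JREs older than 8u161 an AES-256 key needs the unlimited-strength jurisdiction policy files installed, otherwise KeyGenerator.init(256) or the GCM init fails. And the scheme gives confidentiality to the server only: the servlet learns nothing about who sent the wrapped key (no client authentication), and anyone who later obtains Spriv can unwrap every recorded session key, which is one of the properties the TLS handshake with an ephemeral key exchange adds for free.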
Although you can use lower-level cryptographic functions by building your PublicKey and using Cipher, it's worth considering using JSSE: it will provide all that within the context of sockets. In addition, the encryption provided by SSL/TLS is done via shared keys negotiated during the handshake (amongst other things, it's faster than asymmetric crypto).
You could build a truststore with a self-signed certificate for pre-sharing that public key. You can load it as follows (note that the InputStream doesn't have to be a FileInputStream, you can read the content from memory for example):
That's the normal way of using the JSSE. If you wanted to use SSL/TLS with your explicit RSA public key, you would have to implement your own TrustManager to make the explicit comparison (instead of using the TrustManagerFactory): that would certainly make the code a bit longer and more complex.
If you run all this within an applet, you may still have problems regarding the applet permissions system, to make socket connections. See What Applets Can and Cannot Do.
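Both routes this answer mentions, as an added example that is not part of the answer: contextFromTruststore() loads a truststore from any InputStream (a resource inside the applet jar, for instance) and hands it to the TrustManagerFactory; contextFromPinnedKey() is the "implement your own TrustManager" variant, accepting exactly one server public key by comparing the SHA-256 digest of its SubjectPublicKeyInfo encoding, with no CA and no truststore. The class names, the digest-based comparison and the command-line usage are my choices.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedClient {

    // Variant A: standard JSSE. The truststore holds the self-signed server certificate and nothing else,
    // so only that certificate (and anything signed by it) is trusted.
    static SSLContext contextFromTruststore(InputStream truststore, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(truststore, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Variant B: a TrustManager that pins Spub. Pinning the key rather than the certificate lets the
    // server renew its certificate without touching the applet, as long as it keeps the same key pair.
    static final class PublicKeyPinningTrustManager implements X509TrustManager {
        private final byte[] expectedSpkiSha256;

        PublicKeyPinningTrustManager(byte[] expectedSpkiSha256) {
            this.expectedSpkiSha256 = expectedSpkiSha256.clone();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            X509Certificate leaf = chain[0];
            leaf.checkValidity(); // still reject an expired or not-yet-valid certificate
            try {
                byte[] spki = leaf.getPublicKey().getEncoded();
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
                // constant-time comparison; the digest is not secret, but this is the idiomatic call
                if (!MessageDigest.isEqual(digest, expectedSpkiSha256)) {
                    throw new CertificateException("server public key does not match the pinned key");
                }
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // This manager is for the client side only; never use it to validate client certificates.
            throw new CertificateException("client certificates are not accepted here");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    static SSLContext contextFromPinnedKey(byte[] expectedSpkiSha256) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PublicKeyPinningTrustManager(expectedSpkiSha256) }, null);
        return ctx;
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Usage: java PinnedClient <host> <port> <hex SHA-256 of the server's SubjectPublicKeyInfo>
    // In the applet the three values would be hardcoded constants instead of arguments.
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromPinnedKey(hexToBytes(args[2]));
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake(); // runs checkServerTrusted; throws SSLHandshakeException on a key mismatch
            System.out.println("connected with " + s.getSession().getCipherSuite());
        }
    }
}
```

The pin value is the SHA-256 over the DER bytes that getPublicKey().getEncoded() returns, so compute it from the same encoding on the server (for example from the certificate's public key) when you hard-code it. Neither variant performs hostname verification, which a raw SSLSocket does not do by default; with variant B that is acceptable only because nothing but the one pinned key is ever accepted.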