How to Generate Public & Private Keys
Learn how to generate public and private keys, essential tools for securing communication and data in mobile app development. This guide aims to assist mobile app developers using Appdome’s mobile bot defense solutions in effectively generating and managing their key pairs.
Understanding Public and Private Keys
Definition and Roles
- Private Key: This key must be kept confidential and is used to encrypt data before secure transmission and decrypt received data. It is also essential to create digital signatures that authenticate the data’s source and integrity.
- Public Key: This key can be shared publicly and is used to decrypt data encrypted with the matching private key and to verify digital signatures.
Key Pair Relationship
The public and private keys are integral to asymmetric cryptography, where data encrypted with one key can only be decrypted with the other. This method ensures secure data transmission and the authentication of data sources without exposing sensitive keys.
Best Practices for Key Management
- Security: Protect private keys with strong passwords and store them in secure, encrypted formats.
- Backup: Implement regular backups of keys to different secure locations.
- Key Rotation: Regularly update and rotate keys to safeguard against potential security vulnerabilities.
Pre-requisites
Developers need to install OpenSSL on their systems to generate keys. OpenSSL is a powerful toolkit for implementing the TLS and SSL protocols and offers a comprehensive suite of cryptographic functions, including key generation.
Steps to Generate Public and Private Keys Using OpenSSL
Follow these steps to generate your key pair using OpenSSL:
- Open a terminal.
- Install OpenSSL:
  - Run openssl version. If no version is printed, OpenSSL is not installed; install MacPorts and run this command in the terminal:
    sudo port install OpenSSL
- Generate a private key:
  - Use this OpenSSL command to create a 2048-bit RSA private key:
    openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
  - This generates a private key file named private_key.pem.
- Generate the public key:
  - Extract the public key from your private key file with this command:
    openssl rsa -in private_key.pem -pubout -out public_key.pem
  - This command produces a public key file named public_key.pem.
- Secure the keys:
  - Move your newly generated key files to a secure folder, typically a keys directory within your local Web Application Firewall (WAF) folder, so that they are safely stored and managed.
Troubleshooting
The following error can appear in the WAF logs:
"error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT: padding check failed invoked from within ..."
This error results from a mismatch between the public and private keys on the server and client sides, which causes the padding check to fail.
Solution: validate that the public and private keys match.
- Export the public key modulus and exponent:
  openssl rsa -pubin -text -in <public_key.pem>
  Output should be:
  Public-Key: (2048 bit)
  Modulus:
  00:db:2d:9f:3e:3b:01:7d:16:8a:1a:07:7d:99:45: d6:59:50:81:bb:2c:a5:34:76:74:93:d3:3b:61:86: f1:5a:54:d7:3c:7c:db:b0:ba:0b:5f:ac:2f:1e:28: ....... fe:fc:54:0b:b4:a6:78:cc:ae:59:38:c8:53:1f:e9: 35:31
  Exponent: 65537 (0x10001)
  Writing RSA key
  -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2y2fPjsBfR aKGgd9mUXW ........ 3MRAh1H9QCTXpl9Dj1iFCP2efrr+2OsPio+Wl6ep0PD+/FQLtKZ4zK5ZO MhTH+k1MQIDAQAB -----END PUBLIC KEY-----
- Export the private key modulus and exponent:
  openssl rsa -inform PEM -text -noout < private_key.pem
  Output should be:
  Private-Key: (2048 bit, 2 primes)
  modulus:
  00:db:2d:9f:3e:3b:01:7d:16:8a:1a:07:7d:99:45: ................ ................ ................ ................ 9e:7e:ba:fe:d8:eb:0f:8a:8f:96:97:a7:a9:d0:f0: fe:fc:54:0b:b4:a6:78:cc:ae:59:38:c8:53:1f:e9: 35:31
  publicExponent: 65537 (0x10001)
Note:
The integer number n is called “modulus.” It defines the RSA key length and is a very large prime number.
The exponent (e or d) is used to decode and encode the data.
The number e is called the “public key exponent,” and the combination {n, e} forms the public key.
The number d is called the “private key exponent,” and the combination {n, d} forms the private key.
Ensure that the exponent and modulus are identical in both keys. If they are not, you will need to reconfigure the correct public and private keys.
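As an added example (not Appdome's own tooling), the following POSIX shell script runs the two key-generation commands from the steps above and then performs the key-match check from this troubleshooting section automatically, comparing a SHA-256 fingerprint of each key's modulus rather than reading the hex dumps by eye. It assumes the openssl binary is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Appdome's own tooling. Assumes the openssl binary is on PATH.
set -e

# Generate private_key.pem and public_key.pem inside the directory $1,
# using the same two OpenSSL commands as the steps above (2048-bit RSA).
gen_keypair() {
  dir="$1"
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -out "$dir/private_key.pem" \
    -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl rsa -in "$dir/private_key.pem" -pubout -out "$dir/public_key.pem" 2>/dev/null
  # The private key must stay confidential: owner read/write only.
  chmod 600 "$dir/private_key.pem"
}

# Print a SHA-256 fingerprint of a key's modulus. $1 is "pub" or "priv",
# $2 is the PEM file. openssl prints "Modulus=<hex>"; hashing that line turns
# the multi-line hex dump shown above into one short comparable value.
modulus_fingerprint() {
  pubflag=""
  if [ "$1" = pub ]; then pubflag="-pubin"; fi
  openssl rsa $pubflag -in "$2" -noout -modulus | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the public key belongs to the private key (same modulus), 1 otherwise.
# The exponent is 65537 for nearly every RSA key, so the modulus is the value
# that actually distinguishes one pair from another; a mismatch here is the
# cause of the "padding check failed" error in the WAF logs.
keys_match() {
  [ "$(modulus_fingerprint priv "$1")" = "$(modulus_fingerprint pub "$2")" ]
}
```

Source the file, then run gen_keypair keys followed by keys_match keys/private_key.pem keys/public_key.pem; a non-zero exit status means the two files do not belong together.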
Related Articles:
- How to Use Session Headers in Mobile Bot Defense
- How to Secure Android & iOS Apps with Pin to Host
- How to use MobileBOT Source™ with Mobile Bot Defense
- How to use DEVICETrust™ with MobileBOT™ Defense
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.