How do I share my mobile app's secret key with the server the first time I generate it?

Question

So I am working on a mobile app right now that will be making requests to a REST API built with Django.

In order to secure the API I plan on using a private/public key pair authentication system.

The workflow I have thought out goes something like this:

1. The user logs in using Facebook
2. Once the user signs the app generates a private key
3. The private key is shared between the server and the app so that the server knows to map that private key to a specific user.
4. Every time the mobile app makes a request the app generates an HMAC/signature using the request parameters and the private key. In addition to the HMAC the app also sends the user_id of the user who sent it (this will act as the public key).
5. When the server receives the request it generates its own HMAC. Its takes the user_id and looks up the private key in a table. Using the private key it recreates the HMAC with the request parameters and compares it to the HMAC that the mobile app sent. If the server and the mobile have matching HMACs then it performs the request.

Now my problem lies in step 3 where the private key has to somehow be shared between the mobile app and the server. How can I securely send the private key?

Answer 1

I would start by asking why the server part of your app needs to know the private key. If it only wants to authenticate a user, it only needs the public key and the user id, and the user id cannot iself be the public key (you need a way to find out which public key to use).

For instance, the process of sharing the key, your step three, could look something like this:

1. The app generates a public-private key pair.
2. The app sends the public key to the server, not caring who can intercept it.
3. The server stores that public key, associating it with the id the user provided.

Maybe the integration into Facebook is the part that makes this impossible. I do not quite understand how Facebook comes into this whole process.

One thing that can make the transfer of a key slightly more secure is to use multiple channels to transfer it.

For instance, your application could send the private key that was generated using your REST API but encrypting it with a symmetric encryption scheme. The symmetric encryption key can be sent via some other medium, such as email, or through SMS since this is a mobile app, or maybe even an automated phone call placed to a number provided by the registering user. The key can be a random passphrase that generates the actual symmetric encryption key, to make sure it is something that can be typed in by the user. Then, to unlock the app, the user needs to type in this passphrase into a screen and the secret key is unlocked.

Again, this only improves the security of the transfer by a small margin, especially considering the fact that if you can intercept the transmission of the private key, you can probably intercept the email containing the passphrase. In my opinion, not sending the private key to the server would not only be optimal but required.