On the RSA cryptography

Encryption basically works like this:

• (a) What is written using the private key can only be read with the public key.
• (b) What is written using the public key can only be read with the private key.

The idea is that your public key you share, while the private key should be saved and protected in every way possible. If your private key leaks, the entire encryption protection guarantee will be lost.

The RSA algorithm (or any other asymmetric key) assumes that your private key is secure. It is not part of the algorithm and encryption to say how or what you do to keep this private key, it just uses the key you give it. The key generation algorithm also doesn’t say how you should protect your keys, it just produces them and delivers you.

The case (b) above is used for when someone wants to write an encrypted message that only you can read. Once it is created with its public key, then anyone can write it, after all the key is public. However, only you, who have the private key, can read.

The case (a) above is used for digital signature. If you publish an encrypted message with your private key, everyone can read using the public key. However, your authorship will be guaranteed and confirmed, as the only way this message can be readable with your public key is if it was generated with your private key that only you have access to. This serves to ensure the authenticity of information.

If the hacker has access to your private key, he can take control of your encryption, read your private messages and also impersonate you. It’s about the same as when some hacker has access to your password.

If you are tempted to distribute your private key within the application, you are probably doing it wrong as you should never distribute your private key.

If the purpose of the application is to send a message to a central server controlled by you, it will only need the public key used by the server. The private key should be well protected and well stored inside the server and never leave.

If the application also needs to give authenticity to the messages generated by it and certify the author’s identification, you can generate a pair of different public and private keys for each application installation (within the application itself) and send the public key to you or to third parties. Each app should keep the guard of its own private key in the best possible way. And again, you should never put the server’s private key inside the application.

Within the application, the protection of the private key can be done by any means that offers a minimum of security, such as putting in some internal file. However, you don’t need to kill yourself to make this private key from the application ultra secure because each installation will use a different private key. Therefore, if a hacker can obtain the private key used in the application installed in Installation X, only Installation X will be compromised, and not all installations and not the server. This way, your care will only be to ensure that the application does not leak the respective private key.

The RSA cryptography uses (does not generate) a key pair, a public key that can be known by all and a private key that must be kept confidential. That’s why it’s called a toilet. Every encrypted message using a public key can only be decrypted using the respective private key.

More details about the RSA algorithm on Wikipedia.