Android - encryption and decryption

I am downloading XML file via HTTP connection and now I need to have encrypted XML in my FTP and befaore download I will check XML signature (or decrypt it) before any other use of it. I have got my app signature (combination of 976 letters and numbers) and I don't know, can I use my signature string to verify my XML? Or p开发者_如何学Gorivate/public key solution? But how to create keys and how to store them in APK?

Thanks

The best way is to use a asymmetric key pair (RSA is most common) where you sign the data on the FTP site, keeping your private key, uh, private and the public key on the android device. You may use another key pair for encryption/decryption. You could use your signature string as a password to your private decryption key on the android device. Make sure your application is not vulnerable to padding oracle attacks (encrypt, then sign or don't notify the other side if decryption failed).

Note that implementing your own version of the XML sign/verify or XML encrypt/decrypt may be very hard to do (and fraught with pitfalls that at least match using XML security related libraries). I would recommend trying for wrapping your XML within a CMS container instead.

For other users, a link to the later question of yours: Android - verify the signature of XML

owlstead is right, trying to reinvent the wheel is not the optimal choice. On the other hand, the internals of signing and verifying XML files are trivial if you really want to implement it, or learn how to do it. First, you generate a RSA public/private key pair. Then you take the hash of the XML file and encrypt the hash with your RSA key and ship the encrypted data along with the XMl file, which now makes your XML file signed. To verify the file, you simply take the hash of the XML file and compare it with the encrypted hash (after decrypting it) to see if they match. If so, file was not tempered with along the way.