> The only weakness I can see in this is that I am using the Encrypted
> Local Store to save the RSA keys. I intend to use this same technique
> in communicating sensitive with back end web services. Which brings up
> the next question: How secure is the Encrypted Local Store? If someone
> can get the private key from there, it's all for nothing.
The Encrypted Local Store is just a wrapper around the operating system's, well, encrypted local store. On Windows, it's the DPAPI, and on the Mac, it's the keychain. No idea what it is on Linux. As for whether those APIs are vulnerable, well, if they were, it would be a pretty high priority bug for OS manufacturers given all kinds of even more secret things are stored in there. It is worth noting that those APIs depend on the security of the system and the user's password.

On top of that, the AIR ELS implementation uses your app's cert as part of the key (as well as your app and publisher IDs), so only your app with your cert can access data you have encrypted. Any other app cannot access it (not quite sure what happens when your cert expires and you need to renew it).

The most vulnerable part of using the ELS is after the data has been decrypted. It is then stored in memory in plain text until it is garbage collected. (Curious question - I wonder if strings are interned in AIR, if so, that could pose another security problem.) But like others have said, if memory scanning is a problem, the problem is bigger than AIR.

Here's a bit of discussion on it - http://weblogs.macromedia.com/cantrell/archives/2007/12/encrypting_data.html
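An added example, not from the thread above, of the pattern the reply describes: keep the RSA private key in the ELS and, when it must be read back, overwrite the decrypted copy instead of leaving it in memory until garbage collection. The class and item name are hypothetical; it assumes the `flash.data.EncryptedLocalStore` API (`setItem`, `getItem`) and `ByteArray.clear()` of Adobe AIR.

```actionscript
package
{
    import flash.data.EncryptedLocalStore;
    import flash.utils.ByteArray;

    // Hypothetical helper around the ELS for a private-key blob.
    public class KeyStore
    {
        private static const KEY_NAME:String = "rsa-private-key"; // constructed item name

        // Store the raw key bytes. stronglyBound=true additionally ties the item
        // to this application's signature, so a build signed with a different
        // certificate cannot read it back; the trade-off is that the item is lost
        // when the certificate changes (the concern raised in the reply above).
        public static function savePrivateKey(keyBytes:ByteArray):void
        {
            EncryptedLocalStore.setItem(KEY_NAME, keyBytes, true);
            keyBytes.clear(); // release the caller's plaintext copy immediately
        }

        // Hand the decrypted key to a callback, then wipe the buffer in a finally
        // block so the plaintext does not linger until garbage collection.
        public static function withPrivateKey(use:Function):void
        {
            var keyBytes:ByteArray = EncryptedLocalStore.getItem(KEY_NAME);
            if (keyBytes == null)
            {
                throw new Error("no private key stored in the ELS");
            }
            try
            {
                use(keyBytes);
            }
            finally
            {
                for (var i:int = 0; i < keyBytes.length; i++)
                {
                    keyBytes[i] = 0; // overwrite before freeing
                }
                keyBytes.clear();
            }
        }
    }
}
```

Strings are immutable in ActionScript and cannot be overwritten in place, so keep key material in a `ByteArray` rather than converting it to a `String`.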