Saving a secret private key in a cookie

I am currently working on a project with a high degree of security, and I had a problem choosing a technical solution to meet the needs of our customers.

First of all, let me explain to you the customer's need.

For my client's website, at some point, the user must generate the private key and the public key on the client side (GUI: browser), then send the public key to the server and save the private key (password encrypted by the user) at the local level. The private key needs to be saved because it is used once in the second part of the process (the user must enter his password in order to decrypt it); after use we can dispose of the private key.

I must add that the client requests backward compatibility with IE7.

First technical choice: Java Applet

The first thing we looked at was using a Java applet, which generates keys just fine, but we ran into a problem with Safari on Mac OS X: the application is isolated and the user has to perform a complex action to disable the sandbox mode. Our client does not want this, since he is not a user.

Second solution: saving the secret private key in a cookie

We saved the Java applet, but it does not save anything on the disk, it is used only for cryptographic operations. We passed the secret private key from the applet to javascript for saving in a cookie. We did it well, and we can get the secret private key from the cookie store and transfer it to the decryption applet (with a pop-up window asking the user to enter a password).

Question

We know that it is technically possible to store the secret private key in a cookie, but the question arises: is it protected, and what risks do we take by storing this private key in the browser cookie store?

It would help me a lot if any of you could help me!

Greetings

+4
4
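
An added example, not part of the original post or its answers: one way to do the password-wrapping step the question describes, written for Node.js so it runs offline (the applet and IE7 environment are not reproduced). PBKDF2 with AES-256-GCM, the EC P-256 key type, the iteration count, the cookie name `wrappedKey` and the sample password are all assumptions chosen for illustration.

```javascript
// Added example. Anyone who can read the cookie gets this blob, so its only
// protection is the user's password and the cost of the key-derivation step.
const crypto = require("crypto");

const PBKDF2_ITERATIONS = 200000; // assumption: tune to the latency you can accept
const COOKIE_LIMIT = 4096;        // per-cookie size browsers are expected to support (RFC 6265)

// Wrap private-key bytes under a password: PBKDF2-SHA256 -> AES-256-GCM.
function wrapPrivateKey(privateDer, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, "sha256");
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(privateDer), cipher.final()]);
  // Layout: salt(16) | iv(12) | tag(16) | ciphertext, base64url so no escaping is needed.
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Reverse of wrapPrivateKey; throws if the password (or the blob) is wrong.
function unwrapPrivateKey(blob, password) {
  const raw = Buffer.from(blob, "base64url");
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const key = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, "sha256");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
}

function demo() {
  const password = "correct horse battery staple"; // constructed sample value
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const blob = wrapPrivateKey(privateKey.export({ type: "pkcs8", format: "der" }), password);
  const cookie = "wrappedKey=" + blob; // hypothetical cookie name

  // Second part of the process: unwrap with the password, use the key once.
  const der = unwrapPrivateKey(blob, password);
  const restored = crypto.createPrivateKey({ key: der, format: "der", type: "pkcs8" });
  const msg = Buffer.from("second step of the process");
  const verified = crypto.verify("sha256", msg, publicKey, crypto.sign("sha256", msg, restored));

  let wrongPasswordRejected = false;
  try { unwrapPrivateKey(blob, "wrong guess"); } catch { wrongPasswordRejected = true; }
  return { fitsInCookie: Buffer.byteLength(cookie) <= COOKIE_LIMIT, verified, wrongPasswordRejected };
}

console.log(demo());
```

Because a cookie is also sent to the server with every matching request, the wrapped blob leaves the machine even though the scheme only needs it locally.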

Cookies . , , .

, (IE7), , , . : , , . , . , , ...

, , cookie , , cookie, javascript, , , , .

.

0

, cookie , . , , -.

Cookies XSS ( , XSS ), .

. , , , , , , . Web Storage, , .

0

, cookie , , . , cookie . , , , .

0

You can use localStorage and then just deploy a localStorage polyfill for IE7.

0

Source: https://habr.com/ru/post/1532306/