tags:

views:

46

answers:

2
+1  Q: 

Best way to create a cryptographic API key

Hi,

I have an open API in my application that I'd like to provide access key's for. The incoming info will be a user id, resource id and a value to update with. I'd like one API key per resource.

Preferably I would like to be able to validate the authenticity of an incoming request using only the supplied data and not checking against any sort of database (very simple, very fast!)

If I used md5 to generate the API key from the resource ID, user id and a salt it might look something like this ...

authentic_request = md5(user_id + resource_id + salt) == api_key

My question is really one on how paranoid I should be. Would something like the above with just plain old md5 suffice? Another option would be to use openssl generate the key against a pem and then maybe md5 the result to keep it concise, does that sound overly paranoid or even add a layer of security in reality?

Any ideas or even alternataaives gratefully received!

Thanks

+2  A: 

This is effectively a simplistic implementation of a hash-based message authentication code.

Assuming you're going to give out these keys on the basis of the (user_id, resource_id) pair and keep the value you're calling salt secret, and you're not expecting a serious attempt at an attack, this should work. However, best practice dictates that you should use a more secure algorithm than mere concatenation to combine the key and data, and a stronger digest algorithm such as SHA-1; there is a standard HMAC-SHA1 combination algorithm which would work nicely for this.

The third value is actually a key, not a salt; possession of this key is what allows for both generation and validation of the authentication code.

Jeffrey Hantin  2010-10-28 00:45:07
Thanks, this is exactly what I was looking for. Knew there must be a known technique for this just had a hard time expressing the search terms!
matth  2010-10-28 11:05:33
A: 

It depends on what you're trying to protect against. On it's own this will prevent casual misuse of your API, but it won't prevent replay attacks. If someone is sniffing your traffic then they'll see the key and be able to access the resource by reusing it. Adding SSL to the solution would prevent this type of attack.

While you're at it you may as well change MD5 to SHA-256.

Andrew Cooper  2010-10-28 00:48:05
Thanks, I understand that the key doesn't provide this level of security as it can be intercepted and misused. Just looking for a secure authentication mechanism, will be looking at SSL for communications.
matth  2010-10-28 11:07:23

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords