0

I want to generate an API key for new clients that want to use any of my API services. Because I'm using an open API service, I don't want to use authentication, only identify the client usage by the API key.

I tried to use this code

    public static string GetAPIKey()
    {
        string sig = string.Empty;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            var ex = rsa.ExportParameters(true);
            sig = Convert.ToBase64String(ex.DQ);
            sig = sig
                .Replace("+", "")
                .Replace("/", "")
                .TrimEnd('=');
        }
        return sig.Substring(0, 64);
    }

In my tests I do get a random 64-length string, but something is not feeling right with the method usage, probably because of the RSACryptoServiceProvider usage, especially when I try to generate the DQ property.

Do you know any better implementation of generating a random 64 string?

Izikon
  • Use the RNG provider, highest voted answer here: [Unique random string generation](http://stackoverflow.com/questions/730268/unique-random-string-generation) – Alex K. Mar 04 '14 at 12:31

2 Answers

0

If you do not want to use a GUID you can use the standard Random class in C#.

    private static readonly Random Random = new Random();
    public static string GetApiKey()
    {
        var bytes = new byte[48];
        Random.NextBytes(bytes);
        var result = Convert.ToBase64String(bytes);
        return result;
    }

Since 48 bytes will map to 64 characters in Base64, this gives you 64 random characters. It does not guarantee uniqueness however.

Bas
  • The question shows that he removed some characters from a base64 encoded string, which would make it shorter. – Ashigore Mar 04 '14 at 12:31
  • Actually, the DQ variable is 64 bytes, which would lead to 88 base64 characters. He strips out two trailing '=' signs that are added to compensate for trailing zeros in the resulting base64 octets. Then he removes '+' and '/' characters that occur at random, so the length of the result is anywhere between 0 and 86 characters, but will mostly be around 80. The result is trimmed to 64 characters, so not likely to be shorter – Bas Mar 04 '14 at 12:40
  • I'd probably improve on that and use the `RNGCryptoServiceProvider` over `Random.NextBytes` – Brad Christie Mar 04 '14 at 12:46
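
The comments above point to a cryptographic RNG instead of `Random`. As an added example (not code from any poster on this page), here is one way to draw a 64-character, case-sensitive alphanumeric key from `RandomNumberGenerator`, using rejection sampling so every symbol is equally likely. The class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration; ApiKeyGenerator and its members are hypothetical names.
public static class ApiKeyGenerator
{
    // 62 symbols: case-sensitive letters plus digits, so there is no
    // '+', '/' or '=' to strip afterwards and the length is always exact.
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    public static string GetApiKey(int length = 64)
    {
        if (length <= 0)
            throw new ArgumentOutOfRangeException(nameof(length));

        // Largest multiple of 62 that fits in a byte (248). Bytes at or above
        // it are discarded; otherwise "b % 62" would favour the first 8 symbols.
        int limit = 256 - (256 % Alphabet.Length);

        var key = new char[length];
        var buffer = new byte[length * 2];
        int filled = 0;

        // OS-backed CSPRNG, unlike System.Random which is predictable.
        using (var rng = RandomNumberGenerator.Create())
        {
            while (filled < length)
            {
                rng.GetBytes(buffer);
                foreach (byte b in buffer)
                {
                    if (b >= limit) continue;          // rejected: would add bias
                    key[filled++] = Alphabet[b % Alphabet.Length];
                    if (filled == length) break;
                }
            }
        }
        return new string(key);
    }

    public static void Main()
    {
        string key = GetApiKey();
        Console.WriteLine("{0} ({1} chars)", key, key.Length);
    }
}
```

Each character carries about 5.95 bits, so a 64-character key has roughly 381 bits of entropy.
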
-1

Why not just use a GUID?

Use it twice to generate a 64 character string, which is completely random and unique.

Aniket Inge
  • Yes, of course I thought about GUID, but I also read that GUID is not always unique. I want my key to use all alphabet, case sensitive – Izikon Mar 04 '14 at 12:30
  • Depending on the security requirement using Guid might not be advisable, as guid-s are not cryptographically strong random numbers, i.e. it might be possible to guess API keys. – csgero Mar 04 '14 at 12:30
  • Used twice, is it still possible for anyone to guess it? – Aniket Inge Mar 04 '14 at 12:31
  • @Izikon No matter how many different characters you use any length string let alone only 64 character string will be completely unique. – Ashigore Mar 04 '14 at 12:33
  • GUIDs are designed to be unique, not random: https://blogs.msdn.microsoft.com/oldnewthing/20120523-00/?p=7553 – janv8000 Mar 26 '18 at 09:30