1

To access a API, I have to have a secret key. How would you approach storing that secret key, if this is going to be used on multiple machines?

I read this answer, and if I understand it correctly, besides some obfuscation, there's no point doing anything more?

miniHessel
  • 778
  • 4
  • 15
  • 39
  • Why don't you transmit it to the application which requires the key ? No need to store it. Request on demand. – Blacktempel Nov 29 '17 at 10:23
  • And where would you request/transmit it from? – miniHessel Nov 29 '17 at 10:25
  • If that key is really secret - you should not distribute it to client machines. Instead, have your own api which is authenticated with username\password or other means, make clients call that api, and from it call that another api with secret key (which never leaves your server) and return results to client. – Evk Nov 29 '17 at 10:34
  • As simple solution may be to use a hash (e.g. SHA256) instead of the plain password. Create the hash from your password and store it elsewere in your API. If the user has to enter the password, compute the hash value from the entered password and compare it with the stored one. – KBO Nov 29 '17 at 10:35
  • @KBO the user doesn't even know about the access of the API. This is just in the code behind. – miniHessel Nov 29 '17 at 10:44
  • @miniHessel Transmit it from a server. Just let the client make a request to get the key, and transmit it from your server to the client. No need for any user interaction. – Blacktempel Nov 29 '17 at 10:52
  • 1
    @Blacktempel I see three issues with that; 1. Another point of delay 2. What if that server is down? 3. How would you control the security between the server then? Isn't that just moving the problem to another place? – miniHessel Nov 29 '17 at 10:59
  • @miniHessel 1. Are you worried about <20ms ? Well it depends, if the server is in North Korea it might take a while longer. 2. You have to guarantee that. 3. Proper use of SSL, certificates, etc. - In the end it's your problem and your choice what you do. Good luck. – Blacktempel Nov 29 '17 at 11:03
  • As long as the application needs to retrieve the original API key, there is no way to solve the problem in a safe way. ➽ The application must be able to get the key, and the same can do an attacker. The only thing you can do is to make it harder to get the key, e.g. by delivering an encrypted key (obfuscation). If the API offers kind of a token service, then you could at least revoke certain tokens when necessary. – martinstoeckli Nov 29 '17 at 16:36
  • @martinstoeckli this was what I thought as well. I can do things harder, but it will always be possible to reverse the things I do. – miniHessel Nov 30 '17 at 08:00

1 Answers1

0

It's not easy because IL code is readable. And the IL code easily gain from a binary like DLL or EXE using IL Disassembler: ildasm.exe.

The solution that @miniHessel said, downloading the code from a server using SSL is also not a safety solution, because a client on his/her own machine can track the SSL communication doing a "MITM attack" with a proxy like Fiddler or any other app. We have a lot.

We can only make things more difficult: One solution is to encrypt the secret and keep the encrypted secret in the code. (before you use it you can decrypt it) Better if you cut the encrypted secret to multiple parts and keep it different place in the code. And merge them before you decrypt it. Give the variables and functions innocent name, so noone can figure out what the content is.

A good encryption/decryption solution is here: Encrypting & Decrypting a String in C#

75ntamas
  • 123
  • 5