2

I'm implementing a REST API and I've generated 128-bit random API keys which are used with HMAC-SHA1 for authorization. Should I hash the secret key on both the client and server before using it, maybe with SHA1 or bcrypt? This would avoid storing the secret key in plaintext. However I've been having trouble finding other people doing this which makes me suspicious of this idea.

  • The data being transferred is not sensitive, only the API key is, since a particular user may be able to add data or start jobs.
  • I'm mainly trying to prevent easy access to the API key, either by someone running the server or by someone listening in.
  • This is a plugin for an existing system which may be installed on other systems by other people so SSL is not an option.
noisecapella
  • 121
  • 3
  • 6
    If sending that hashed key to the API is enough for authentication, what makes you think an attacker would need the cleartext key? Would they not just grab your hashed key and use that to authenticate? – Tim Lamballais Mar 17 '14 at 17:46
  • Ah, you're right. It would only require a slight modification of the client to use it. Guess I'll have to live with storing it plaintext – noisecapella Mar 17 '14 at 17:54
  • Adding data? Starting jobs? Do you seriously intend to leave a hole the size of a bulldozer in your system waiting for malicious exploitation? You'd better use TLS or be prepared to pay damages. – Deer Hunter Mar 18 '14 at 03:41
  • Unfortunately I have no control how the system is deployed by the user. They may just avoid using TLS and I'd like to do what I can to keep it secure even in that case – noisecapella Mar 18 '14 at 14:23

0 Answers0