Jump to content

Recommended Posts

Hi, I need to create a secure API at work so that 2 systems can interact with each other and request data (json format). I need to use an API key for this but don't want to use an API key stored in a database, what is the best way to go about this?

 

 

I would like to use some sort of encryption algorithm and a white list of a few values to validate against once decrypted, is this safe and are there any algorithms I can use to generate my keys and white list?

Link to comment
https://forums.phpfreaks.com/topic/247513-algorithm-based-api-key/
Share on other sites

what do you mean by "two systems"? two local machines, two remote machines, 2 applications on the same machine?

 

I'm guessing two remote machines... why not digital certificates? PGP pairs, etc... (how exactly will they be communicating?)

 

 

Two applications, they could be hosted on the same server, but may not be, basically a developer needs to be able to make a CURL request to my application and recieve some data in JSON format, I just need a way to generate and validate an API key and would perfer not to store anything in my database. Can those be implemented using PHP alone? Don't know anything about this type of thing. Thanks.

you're going to have to store the keys somewhere (or at least the key generation logic), if not in a database, probably in a file (not really secure), and you're going to have to give the key to the client machine... What exactly is the purpose, and who/what are you trying to hide this key from? (the more information, the easier it is to find a solution)

Not being sure of exactly what you're trying to accomplish, you could do a challenge/response kind of thing, or a different key based on the weekday... imagine the key is something like a sha1 of the weekday, followed by a timestamp (would look something like: 0ff11fb076d3d5f9300bdd34fee8a92a7ce76716.1316532526) where all you need to know on either side is the day of the week (following this logic you can come up with anything you want, if you use a full date, + hour + minute, you never actually have the same key)... then on the other side, when you receive the request, you check that the key is the same as yours and that the timestamp is within a 5 second period or something...

But then I would have to generate the hash 10 times to compare against wouldn't I? And I work for a motor-vehicle tracking systems provider and have just coded the CRM side of the system but my boss wants to make API calls to get data from my database for his tracking system side.

generate 10 hashes? why?

if I sent a request with 0ff11fb076d3d5f9300bdd34fee8a92a7ce76716.13165325 26 all you need to do is compare it (using the weekday example)

 

(assume the has is received in a variable called $requestCode)

 

// split the hash:
$parts = explode(".",$requestCode);
// check if first part corresponds to today's code (weekday)
$today = date("l");
if($parts[0] == sha1($today){
   // so far so good... check if timeframe is within 5 seconds:
    if( ($time() - $parts[1]) < 5) {
         // ok to continue
    }
}

 

you don't generate anything, both sides generate the hashes on the fly before doing the request, and when receiving a request... you could also include the IP address and stuff like that. it's just one method, now you can make it as complicated as you want.

I think/hope WebStyles was simply providing theory. There is some good advice in there, but it should not be implemented directly, more use it as a general guideline to come up with a cryptographically strong method. For one, not using some sort of password/passphrase/key exchange is just silly. You NEED to store some form of key SOMEWHERE to prevent prediction. Ideally, these keys would be unique to each user - allowing a single key to work for several users is dangerous in so many ways.

 

I would consider myself to be well versed in information security, but it's not my job nor my major field of study, just an outside interest. I can help you come up with a somewhat sound method of allowing outside parties to request information though I need a set of limitations from you. One of the absolute easiest ways to help ensure security is to allow a security expert to deal with it. My first suggestion would be to use SSL/TSL through the https protocol. These certs can even be had for free (http://cert.startcom.org/).

 

Is there any reason you can't store several client keys in the server, or are you just trying to avoid this?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.