I want to encrypt a file with
AES CBC mode encryption, Using cryptoAPI functions and set my own key from the command-line (It my change in the code)
I imagine that the key (after change) will be
1a1dc91c907325c6 and tried in this form:
but
CryptImportKey failed
I don't know how to use cryptoAPI functions and It's parameters
I tested some other codes and change the parameters or function's call's order for about 2 weeks but I wasn't able to do this
Please help me [a big help :)]
Thank you
user3105142user3105142
1 Answer
You should do it like this:
After that you need to use Andrew KomiaginAndrew Komiagin
CryptEncrypt /CryptDecrypt to do encode/decode data.
5,57311 gold badge88 silver badges1919 bronze badges
Got a question that you can’t ask on public Stack Overflow? Learn more about sharing private information with Stack Overflow for Teams.
Not the answer you're looking for? Browse other questions tagged c++cryptographyaescryptoapi or ask your own question.
Most app developers will integrate some third party libraries into their apps. If it's to access a service, such as Dropbox or YouTube, or for logging crashes. The number of third party libraries and services is staggering. Most of those libraries and services are integrated by somehow authenticating with the service, most of the time, this happens through an API key. For security purposes, services usually generate a public and private, often also referred to as secret, key. Unfortunately, in order to connect to the services, this private key must be used to authenticate and hence, probably be part of the application. Needless to say, that this faces in immense security problem. Public and private API keys can be extracted from APKs in a matter of minutes and can easily be automated.
Assuming I have something similar to this, how can I protect the secret key:
What is in your opinion the best and most secure way to store the private key? Obfuscation, encryption, what do you think?
Basic Coder
Basic CoderBasic Coder
4,46355 gold badges3131 silver badges6363 bronze badges
14 Answers
In the end, it's an economic trade-off that you have to make: how important are the keys, how much time or software can you afford, how sophisticated are the hackers who are interested in the keys, how much time will they want to spend, how much worth is a delay before the keys are hacked, on what scale will any successful hackers distribute the keys, etc. Small pieces of information like keys are more difficult to protect than entire applications. Intrinsically, nothing on the client-side is unbreakable, but you can certainly raise the bar.
(I am the developer of ProGuard and DexGuard)
Eric LafortuneEric Lafortune
39.9k66 gold badges9393 silver badges9494 bronze badges
Few ideas, in my opinion only first one gives some guarantee:
If you want to have a quick look at how easy it is to read you apk code then grab APKAnalyser:
marcinjmarcinj
41k77 gold badges5656 silver badges8080 bronze badges
Follow 3 simple steps to secure API/Secret key
We can use Gradle to secure the API key or Secret key.
1. gradle.properties (Project properties) : Create variable with key.
2. build.gradle (Module: app) : Set variable in build.gradle to access it in activity or fragment. Add below code to buildTypes {}.
3. Access it in Activity/Fragment by app's BuildConfig :
Update :
The above solution is helpful in the open source project to commit over Git. (Thanks to David Rawson and riyaz-ali for your comment).
As per the Matthew and Pablo Cegarra comments the above way is not secure and Decompiler will allow someone to view the BuildConfig with our secret keys.
Solution :
We can use NDK to Secure API Keys. We can store keys in the native C/C++ class and access them in our Java classes.
Please follow this blog to secure API keys using NDK.
SANATSANAT
Another approach is to not have the secret on the device in the first place! See Mobile API Security Techniques (especially part 3).
Using the time honored tradition of indirection, share the secret between your API endpoint and an app authentication service.
When your client wants to make an API call, it asks the app auth service to authenticate it (using strong remote attestation techniques), and it receives a time limited (usually JWT) token signed by the secret.
The token is sent with each API call where the endpoint can verify its signature before acting on the request.
The actual secret is never present on the device; in fact, the app never has any idea if it is valid or not, it juts requests authentication and passes on the resulting token. As a nice benefit from indirection, if you ever want to change the secret, you can do so without requiring users to update their installed apps.
So if you want to protect your secret, not having it in your app in the first place is a pretty good way to go.
shareef
5,40188 gold badges4545 silver badges7373 bronze badges
![]()
Skip HovsmithSkip Hovsmith
One possible solution is to encode the data in your app and use decoding at runtime (when you want to use that data). I also recommend to use progaurd to make it hard to read and understand the decompiled source code of your app . for example I put a encoded key in the app and then used a decode method in my app to decode my secret keys at runtime:
Decompiled source code of a proguarded app is this:
At least it's complicated enough for me. this is the way I do when I have no choice but store a value in my application. Of course we all know It's not the best way but it works for me.
Decompiled version:
and you can find so many encryptor classes with a little search in google.
Milad FaridniaMilad Faridnia
5,8341010 gold badges4848 silver badges6363 bronze badges
The App-Secret key should be kept private - but when releasing the app they can be reversed by some guys.
for those guys it will not hide, lock the either the
ProGuard the code. It is a refactor and some payed obfuscators are inserting a few bitwise operators to get back the jk433g34hg3 String. You can make 5 -15 min longer the hacking if you work 3 days :)
Best way is to keep it as it is, imho.
Even if you store at server side( your PC ) the key can be hacked and printed out. Maybe this takes the longest? Anyhow it is a matter of few minutes or a few hours in best case.
A normal user will not decompile your code.
Cipher Trace Api Keys Video
user529543
This example has a number of different aspects to it. I will mention a couple of points that I don't think have been explicitly covered elsewhere.
Protecting the secret in transit
The first thing to note is that accessing the dropbox API using their app authentication mechanism requires you to transmit your key and secret. The connection is HTTPS which means that you can't intercept the traffic without knowing the TLS certificate. This is to prevent a person intercepting and reading the packets on their journey from the mobile device to the server. For normal users it is a really good way of ensuring the privacy of their traffic.
What it is not good at, is preventing a malicious person downloading the app and inspecting the traffic. It is really easy to use a man-in-the-middle proxy for all traffic into and out of a mobile device. It would require no disassembly or reverse engineering of code to extract the app key and secret in this case due to the nature of the Dropbox API.
You could do pinning which checks that the TLS certificate you receive from the server is the one you expect. This adds a check to the client and makes it more difficult to intercept the traffic. This would make it harder to inspect the traffic in flight, but the pinning check happens in the client, so it would likely still be possible to disable the pinning test. It does make it harder though.
Protecting the secret at rest
As a first step, using something like proguard will help to make it less obvious where any secrets are held. You could also use the NDK to store the key and secret and send requests directly, which would greatly reduce the number of people with the appropriate skills to extract the information. Further obfuscation can be achieved by not storing the values directly in memory for any length of time, you can encrypt them and decrypt them just before use as suggested by another answer.
More advanced options
If you are now paranoid about putting the secret anywhere in your app, and you have time and money to invest in more comprehensive solutions, then you might consider storing the credentials on your servers (presuming you have any). This would increase the latency of any calls to the API, as it will have to communicate via your server, and might increase the costs of running your service due to increased data throughput.
You then have to decide how best to communicate with your servers to ensure they are protected. This is important to prevent all of the same problems coming up again with your internal API. The best rule of thumb I can give is to not transmit any secret directly because of the man-in-the-middle threat. Instead you can sign the traffic using your secret and verify the integrity of any requests that come to your server. One standard way of doing this is to compute an HMAC of the message keyed on a secret. I work at a company that has a security product that also operates in this field which is why this sort of stuff interests me. In fact, here is a blog article from one of my colleagues that goes over most of this.
How much should I do?
With any security advice like this you need to make a cost/benefit decision about how hard you want to make it for someone to break in. If you are a bank protecting millions of customers your budget is totally different to someone supporting an app in their spare time. It is virtually impossible to prevent someone from breaking your security, but in practice few people need all of the bells and whistles and with some basic precautions you can get a long way.
ThePragmatistThePragmatist
Adding to @Manohar Reddy solution, firebase Database or firebase RemoteConfig (with Null default value) can be used:
What is different in this solution?
8,18344 gold badges4646 silver badges6969 bronze badges
Ayman Al-AbsiAyman Al-Absi
The most secure solution is to keep your keys on a server and route all requests needing that key through your server. That way the key never leaves your server, so as long as your server is secure then so is your key. Of course there is a performance cost with this solution.
Bernard IgiriBernard Igiri
93522 gold badges1414 silver badges3131 bronze badges
Ages old post, but still good enough. I think hiding it in an .so library would be great, using NDK and C++ of course. .so files can be viewed in a hex editor, but good luck decompiling that :P
Ahmed AwadAhmed Awad
73422 gold badges1010 silver badges1818 bronze badges
Whatever you do to secure your secret keys is not going to be a real solution. If developer can decompile the application there is no way to secure the key, hiding the key is just security by obscurity and so is code obfuscation. Problem with securing a secret key is that in order to secure it you have to use another key and that key needs to also be secured. Think of a key hidden in a box that is locked with a key. You place a box inside a room and lock the room. You are left with another key to secure. And that key is still going to be hardcoded inside your application.
So unless the user enters a PIN or a phrase there is no way to hide the key. But to do that you would have to have a scheme for managing PINs happening out of band, which means through a different channel. Certainly not practical for securing keys for services like Google APIs.
user1611728user1611728
Keep the secret in Manohar ReddyManohar Reddy
firebase database and get from it when app starts , It is far better than calling a web service .
8,18344 gold badges4646 silver badges6969 bronze badges
The only true way to keep these private is to keep them on your server, and have the app send whatever it is to the server, and the server interacts with Dropbox. That way you NEVER distribute your private key in any format. Darkest dungeon guide.
NickNick
1,46911 gold badge1818 silver badges3131 bronze badges
Based on bitter experience, and after consulting with an IDA-Pro expert the best solution is to move a key part of the code into a DLL/SharedObject, then fetch it from a server and load at runtime.
Sensitive data must be encoded as it's very easy to do something like this:
RonTLVRonTLV
1,28922 gold badges1010 silver badges2424 bronze badges
Not the answer you're looking for? Browse other questions tagged androidreverse-engineeringproguardapi-key or ask your own question.
Network security has never been more of a hot topic than it is now. There are many different driving forces making network security an ever increasing topic for discussion and review. Network security using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) are particularly focused on since they are layer of network security which can traverse a corporate on premise network and provide security from that network to a cloud hosted service. Or online shopping ?
In today’s post we will be focusing on how to determine
This blog post will make assumptions about a basic understanding of SSL and TLS. That may seem like a huge base of knowledge (and it is!) but you can apply Occam’s Razor as a framework to making things understandable: there’s a client and a server and they must negotiate the best mutually supported security for the session. That’s it in a nutshell for most network security and authentication and everything else is just filling in the blanks.
MSDN has a detailed explanation of how SSL and TLS work at this link.
Getting a network capture
Though I love the WireShark tool like a long lost brother I will be talking about using NetMon 3.x for the purposes of this blog post. I’ve used Message Analyzer a bit and I suspect the same filters and techniques will work with it as well.
If you have NetMon installed then getting a capture is very easy. What many don’t know is that getting a network capture on a Windows computer even without NetMon is easy and scriptable. NetSh.exe, the “Swiss Army knife” of Windows networking, can be used to collect a network trace. More on NetSh.exe can be found on TechNet at this link.
Company of heroes 2 all units mod download. The command I usually use is (at an elevated command prompt):
netsh trace start tracefile=<filenameandpath> capture=yes maxsize=200 filemode=circular overwrite=yes report=no
If you want to include this in a PowerShell script the command translates to (at an elevated PowerShell prompt):
$NetCapFile = $env:SystemRoot + 'tempnetcap.etl'
$StartNetCap = 'netsh trace start traceFile=' + $NetCapFile + ' capture=yes maxsize=200 filemode=circular overwrite=yes report=no'
Locating SSL or TLS in Network Trace
This is the easiest of filters in NetMon. For SSL of any version the filter is simply “ssl” (without the quotes) and for TLS it is “tls” (also without quotes).
Finding the SSL or TLS Version Used
Finding the SSL or TLS version is very easy since it is exchanged in the Client and Server Hellos. Just expand the packet to view using the NetMon parsers. Keep in mind that this is negotiated between client and server.
Determining Client and Server in Trace
This is the second easiest filter you will use when looking at SSL or TLS. If you filter for SSLA or TLS you can identify the client who is initiating the secure session because that is the computer which is the source of the “Client Hello” message. That’s the quick and easy way to understand who is initiating the conversation and who is the server side of the session, every time.
If you want to get an idea of all of the client connections by filtering just for the Client Hello messages you can apply the filter
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello //TLS 1.x Client Hello filter
Finding SSL and TLS Negotiation Errors
SSL and TLS have a set client to server exchange where how the secure session will take place is ironed out and mutually agreed upon. This negotiation can go wrong for various reasons and the client or the server are allowed to send an error message to the other side of the conversation detailing that things went wrong. In SSL/TLS parlance this is known as an “alert” message. It invariably means that something went wrong. An example would be that a server side (Server Auth) certificate may be expired, or not trusted by the client, and the result is that the client would send a TLS alert message to the server. Servers can send the requesting clients TLS alerts for a variety of reasons as well.
This capture filter will only any TLS errors in the capture so you can quickly see if any are present at all…
TLS.TlsRecLayer.TlsRecordLayer.ContentType 0x15 //This filter will show TLS Alerts
Viewing Exchanged Certificates
SSL and TLS rely on Public Key Infrastructure (PKI)-in other words certificates and specifically certificates which have the Server Authentication usage (identified by OID 1.3.6.1.5.5.7.3.1) or the Client Authentication Usage (identified by the OID 1.3.6.1.5.5.7.3.2). The server side application decides whether both client and server or only the server side certificate is required.
If the certificate’s issuer is not trusted, or a specified URI in the certificate cannot be checked, or it is expired or not yet valid then the certificate cannot be used. SSL or TLS will fail at that point.
During the SSL/TLS session setup the certificates are exchanged. The server will offer its certificate in the Server Hello, and the client will offer it’s certificate if the server tells it that it is needed. To find those certificates you can use the filter below
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType 0xb //This filter will show packets which contain certificates exchanged in TLS negotiation
The things which you can see about the certificate are really helpful to tell you what is actually being offered by the client and server applications:
Determining the Supported Ciphers
With the added attention to transport layer security comes more attention to the ciphers used by the client and server for the security. Not all TLS servers and clients support the same ciphers and it is possible to see incompatibilities in TLS negotiation. This is true within the Windows versions from over the years, but is equally true when looking at network captures between other operating systems or network devices and Windows clients or servers.
In network captures we can filter for specific ciphers if we know that they may be problematic for either the client or the server. When doing so you simply add the hexadecimal value of the offered cipher to the filter below.
The hexadecimal values are the right hand numbers above. For example:
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher <hexadecimal cipher value>
In support we talked to some customers who saw issues related to newer ciphers after they installed the Microsoft security fix MS14-066 (https://technet.microsoft.com/en-us/library/security/ms14-066.aspx). Some customers reported performance related concerns on the servers or even failed TLS session setups. This was by no means universally saw by all customers in all scenarios but was a complex scenario-specific thing in each and every case.
One of the more difficult things to do is to identify whether that is even a potentially related concern when troubleshooting. To quickly rule in or rule out whether those newer ciphers are being used simply add both lines below to a filter with an “or” between them:
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher 0xc014 //Filter to find TLS Client Hello’s which are offering ECDHE_RSA_WITH_AES_256_CBC_SHA as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher 0xc013 //Filter to find TLS Client Hello’s which are offering ECDHE_RSA_WITH_AES_128_CBC_SHA as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher 0xc0A //Filter to find TLS Client Hello’s which are offering ECDHE_ECDSA_WITH_AES_256_CBC_SHA as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher 0xc09 //Filter to find TLS Client Hello’s which are offering ECDHE_ECDSA_WITH_AES_256_CBC_SHA as an available cipher
Does simply finding these ciphers in the TLS Client Hello mean that there is a problem? No it doesn't. (I put that in bold to make sure it is not missed). Things can work perfectly well with these advanced ciphers in place, and in fact they can offer better security.
There are some additional techniques which you can apply to find out whether those newer ciphers being present are leading to the server side of the negotiation to close or reset the connection before any real data can be transmitted.
First filter for the TLS traffic you are concerned about. If the capture was taken using the NetSH.exe commands earlier in this blog post and it was taken on the client side you can identify your application in a column named “UTProcessName”. An example of one for Outlook.exe is
UTProcessName 'OUTLOOK.EXE (3014)' //filter for process
Keep in mind that the process ID number above (3014) changes client to client and reboot to reboot. Also, if you filter only for that then you may miss some of the conversation since not all network traffic for any network exchange “goes in or out” of a single process. However, it is a very useful filter to know of if you need to tune into a specific application and how it is behaving on the wire.
If the server is perhaps closing the TLS session with a TCP reset after negotiation-without failing with a TLS alert-then you can help tune into that with a filter like this one, where we are looking for server side TCP resets and showing TLS negotiations as well.
TCP.Flags.Reset 0x1 and ipv4.address<IP of Server side> or TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
Keep in mind that TCP resets should always be expected at some point as the client closes out the session to the server. However, if there are a high volume of TCP resets with little or no “Application Data” (traffic which contains the encapsulated encrypted data between client and server) then you likely have a problem. Particularly if the server side is resetting the connection as opposed to the client.
Also, remember that you can quickly find what the IP address of the client and the server in the TLS exchange are by simply filtering for Client Hellos.
Finding the Unexpected
It is very common for people on the Identity support team to be engaged with a vague problem description that is thought to be related to SSL or TLS. It is truly a Monty Python-esque “rumors and portents of things going on” ambiguity where the people asking for us to look for “problems” aren't really sure even if the reason they are asking can be remotely related to SSL or TLS concerns.
The right thing to do is simply look and see what is in the network traces.
Sometimes we discover that the connection is not even using SSL or TLS. Conversely, sometimes we are engaged on a general problem with authentication only to discover that the failure is SSL/TLS related. They key is to approach it with an open mind and simply see what happens on the wire during the failure.
I usually start with the filter captures discussed in this blog post and simply go from there. If I do not find any TLS alerts then I “widen the net” to look for how the TLS sessions are setting up (what version, what ciphers, what certificates) and contextually where the session setups fit in with the client to server scenario.
If nothing SSL or TLS related stand out then I simply select the built in “authentication filter” like below and apply it to start looking for things unrelated to SSL and TLS.
This allows us to quickly look for anything related to authentication between a client and a server including NTLM, Kerberos and transport layer protocols which are authenticated using them.
Thanks for reading and I hope the “Poor Man’s Guide…” helps you better understand and perhaps even fix transport layer security on your network.
DPAPI (Data Protection Application Programming Interface) is a simple cryptographicapplication programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windowsoperating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.
For nearly all cryptosystems, one of the most difficult challenges is 'key management' - in part, how to securely store the decryption key. If the key is stored in plain text, then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets.
The DPAPI keys used for encrypting the user's RSA keys are stored under
%APPDATA%MicrosoftProtect{SID} directory, where {SID} is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 64 bytes of random data.
In 2010 Elie Bursztein and Jean-Michel Picod presented an analysis of the protocol titled Reversing DPAPI and Stealing Windows Secrets Offline at Black Hat DC 2010.[1] In addition to their briefing, Bursztein and Picod released DPAPIck which allows offline decryption of data encrypted with DPAPI. In 2012 Passcape Software published in their blog more detailed article on DPAPI internal logic[2] and presented a tool[3] for fully offline DPAPI decryption and analysis. Unlike previous one, the tool utilizes some old Windows bugs (for example, you can decrypt Windows 2000 DPAPI blobs without knowing the owner logon password) and is fully compatible with Windows 8 DPAPI data structure. In Windows 8 Microsoft changed the way the DPAPI logic works. Now multiple user keys can be used to derive an encryption key to decrypt the user masterkey which is used then to decode a single DPAPI blob.
Security properties[edit]
DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns ciphertext (or vice versa).
DPAPI security relies upon the Windows operating system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. A main encryption/decryption key is derived from user's password by PBKDF2 function.[4] Particular data binary large objects can be encrypted in a way that salt is added and/or an external user-prompted password (aka 'Strong Key Protection') is required. The use of a salt is a per-implementation option - i.e. under the control of the application developer - and is not controllable by the end user or system administrator.
Delegated access can be given to keys through the use of a COM+ object. This enables IISweb servers to use DPAPI.
Use of DPAPI by Microsoft software[edit]
While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to use DPAPI. For example, Internet Explorer versions 4.0-6.0, Outlook Express and MSN Explorer used the older Protected Storage (PStore) API to store saved credentials such as passwords etc. Internet Explorer 7 now protects stored user credentials using DPAPI.[5]
References[edit]
External links[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Data_Protection_API&oldid=870719626'
![]()
I see this word in almost every cross service application these days.
What exactly is an API key and what are its uses?
Also, what is the difference between public and private API keys.
Steven M. Vascellaro
6,8721010 gold badges5151 silver badges109109 bronze badges
![]()
2,4681111 gold badges3939 silver badges5555 bronze badges
closed as too broad by Samuel Liew♦Nov 2 '18 at 5:19
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
6 Answers
What 'exactly' an API key is used for depends very much on who issues it, and what services it's being used for. By and large, however, an API key is the name given to some form of secret token which is submitted alongside web service (or similar) requests in order to identify the origin of the request. The key may be included in some digest of the request content to further verify the origin and to prevent tampering with the values.
Typically, if you can identify the source of a request positively, it acts as a form of authentication, which can lead to access control. For example, you can restrict access to certain API actions based on who's performing the request. For companies which make money from selling such services, it's also a way of tracking who's using the thing for billing purposes. Further still, by blocking a key, you can partially prevent abuse in the case of too-high request volumes.
In general, if you have both a public and a private API key, then it suggests that the keys are themselves a traditional public/private key pair used in some form of asymmetric cryptography, or related, digital signing. These are more secure techniques for positively identifying the source of a request, and additionally, for protecting the request's content from snooping (in addition to tampering).
RobRob
44.5k33 gold badges6666 silver badges8888 bronze badges
Very generally speaking:
An API key simply identifies you.
If there is a public/private distinction, then the public key is one that you can distribute to others, to allow them to get some subset of information about you from the api. The private key is for your use only, and provides access to all of your data.
timdevtimdev
50.7k66 gold badges6868 silver badges9090 bronze badges
It looks like that many people use API keys as a security solution. The bottom line is: Never treat API keys as secret it is not. On https or not, whoever can read the request can see the API key and can make whatever call they want. An API Key should be just as a 'user' identifier as its not a complete security solution even when used with ssl.
The better description is in Eugene Osovetsky link to: When working with most APIs, why do they require two types of authentication, namely a key and a secret?Or check http://nordicapis.com/why-api-keys-are-not-enough/
Community♦
timandtheoceantimandtheocean
An API key is a unique value that is assigned to a user of this service when he's accepted as a user of the service.
The service maintains all the issued keys and checks them at each request.
By looking at the supplied key at the request, a service checks whether it is a valid key to decide on whether to grant access to a user or not.
user151323
API keys are just one way of authenticating users of web services.
GG.GG.
1,47144 gold badges1818 silver badges3030 bronze badges
Think of it this way, the 'Public API Key' is similar to a user name that your database is using as a login to a verification server. The 'Private API Key' would then be similar to the password. By the site/databse using this method, the security is maintained on the third party/verification server in order to authentic request of posting or editing your site/database.
The API string is just the URL of the login for your site/database to contact the verification server.
Eugene Grant-SinclairEugene Grant-Sinclair
Not the answer you're looking for? Browse other questions tagged apisecurityterminologyapi-key or ask your own question.Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |