 

Generating random API key, 2 methods provided, any difference?

I am generating some random API keys (256 bits long) using Java 7. Two methods are provided below, generate() and generate2(). Is there any difference? If so, which one is more secure/better?

Thanks in advance.

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.bind.DatatypeConverter;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class RandomAESKeyGen {
    public static String generate(final int keyLen) throws NoSuchAlgorithmException {

        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(keyLen);
        SecretKey secretKey = keyGen.generateKey();
        byte[] encoded = secretKey.getEncoded();
        return DatatypeConverter.printHexBinary(encoded).toLowerCase();
    }

    public static String generate2(final int keyLen) throws NoSuchAlgorithmException {

        SecureRandom random = new SecureRandom();
        byte bytes[] = new byte[keyLen/8];
        random.nextBytes(bytes);
        return DatatypeConverter.printHexBinary(bytes).toLowerCase();
    }

    public static void main(String[] args) {
        String key = null;
        for(int i=0; i< 5; ++i) {
            try {
                key = RandomAESKeyGen.generate(128);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("Exception caught");
                e.printStackTrace();
            }
            System.out.println(key);
        }
        System.out.println("==================");

        for(int i=0; i< 5; ++i) {
            try {
                key = RandomAESKeyGen.generate(256);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("Exception caught");
                e.printStackTrace();
            }
            System.out.println(key);
        }
        System.out.println("==================");

        for(int i=0; i< 5; ++i) {
            try {
                key = RandomAESKeyGen.generate2(128);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("Exception caught");
                e.printStackTrace();
            }
            System.out.println(key);
        }
        System.out.println("==================");

        for(int i=0; i< 5; ++i) {
            try {
                key = RandomAESKeyGen.generate2(256);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("Exception caught");
                e.printStackTrace();
            }
            System.out.println(key);
        }
    }
}

Result from test above:

RoundPi asked Jan 20 '15 16:01



1 Answer

JRE is generating the cipher key in the same way as you are. Your methods are thus equivalent.

Pavel Horal answered Oct 26 '22 15:10
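One way to check the equivalence claimed in the answer, as an added example that is not part of the original question or answer: pass a SecureRandom that records its output into KeyGenerator.init(int, SecureRandom) and compare the recorded bytes with the generated key. The class names KeyGenVsSecureRandom and RecordingRandom are hypothetical, and the result assumes the JDK's default AES KeyGenerator provider, which fills the key with a single nextBytes call.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class KeyGenVsSecureRandom {

    /** Hypothetical helper: a SecureRandom that remembers the last bytes it handed out. */
    static final class RecordingRandom extends SecureRandom {
        private static final long serialVersionUID = 1L;
        private byte[] last = new byte[0];

        @Override
        public void nextBytes(byte[] bytes) {
            super.nextBytes(bytes);   // real CSPRNG output, unchanged
            last = bytes.clone();     // keep a copy; the caller may wipe its buffer
        }

        byte[] lastOutput() {
            return last.clone();
        }
    }

    /** True if the AES key is exactly the bytes the supplied SecureRandom produced. */
    static boolean keyIsRawRandomBytes(int keyLenBits) throws NoSuchAlgorithmException {
        RecordingRandom random = new RecordingRandom();
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        // Same call sequence as generate() in the question, but with our RNG plugged in.
        keyGen.init(keyLenBits, random);
        SecretKey key = keyGen.generateKey();
        // generate2() would return these same bytes straight from the RNG.
        return Arrays.equals(key.getEncoded(), random.lastOutput());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        for (int bits : new int[] {128, 256}) {
            System.out.println(bits + "-bit key equals SecureRandom output: "
                    + keyIsRawRandomBytes(bits));
        }
    }
}
```

A provider that post-processes the random bytes or calls the RNG more than once would make the comparison fail, so the check is also a quick way to see whether a non-default provider behaves differently.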