Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

When working with most APIs, why do they require two types of authentication, namely a key and a secret?

I have been working with APIs and I've always wondered why you have to use a key and a secret?

Why do you need two types of authentication?

like image 606
mager Avatar asked Sep 27 '09 00:09

mager


People also ask

Why is API authentication required?

Authentication of users Authentication schemes provide a secure way of identifying the calling user. Endpoints also checks the authentication token to verify that it has permission to call an API. Based on that authentication, the API server decides on authorizing a request.

What is the most secure way of authenticating an API?

Every web API should use TLS (Transport Layer Security). TLS protects the information your API sends (and the information that users send to your API) by encrypting your messages while they're in transit. You might know TLS by its predecessor's name, SSL.

How does API key and secret work?

It works like this: You take the text of your request and your secret key and apply the HMAC function. You add that authentication header to your request and send it to Amazon. Amazon looks up their copy of the secret key, and the text you just sent and applies the HMAC function.


1 Answers

When a server receives an API call, it needs to know two things: Who is making the call, and whether or not the call is legitimate.

If you just had one item ("key"), and included it with every call, it would answer both questions. Based on the "key" the server knows who you are, and because only you know the key it proves that the call is actually coming from you. But including the key with every call is bad security practice: if someone can read even one of your messages in transit, your key is compromised, and someone can pretend to be you. So unless you're using HTTPS, this approach doesn't work.

Instead, you can include a digital signature with every call, signed with some "secret" number. (The "secret" number itself is not sent). If an attacker manages to read your message, they won't be able to figure out this "secret" number from the signature. (This is how digital signatures work: they are one-way).

But this doesn't solve the identification question: In the latter case, how does the server know who is making the call? It could try to verify the signature against the "secret" of every single user, but of course this would be very time-consuming.

So, here's what we do: Send both a "key" (that identifies the user), and a signature created using the "secret" number (that proves that the message is legitimate). The server looks up the user based on the key, and then validates the signature using that user's "secret" number.

This is a bit like when you write a check: It has an account number on it (to identify you) and your signature (to prove that you're you). Having just the account number wouldn't prove that you actually wrote the check. Having just the signature without the account number would force the bank to compare your check against all of its signatures for all of its accounts, which would obviously be inefficient.

like image 79
Eugene Osovetsky Avatar answered Oct 14 '22 06:10

Eugene Osovetsky