Often we’ve found ourselves working with a third party and we often need a way to secure the API calls they make to us.
There are lots of ways to do this, from the simple and not so secure (such as using IP restrictions) to the slightly more secure (using a secret key), to the very secure (using a hash – with shared secret key value – of all parameters passed).
With a recent third party we’ve taken the latter approach – the first check we do when a web service request arrives is for a hash value passed with the web service URL parameters. So for the following request:
We would first take all the parameters – except the hash – and hash them using a shared secret key value like so:
var myhash = hash(URL.x & URL.y & mySecretKey, "SHA");
This calculated hash should be the same as the hash passed in the URL parameters. If not, we immediately reject the request because it proves that either
- One of the parameters has been corrupted or
- One of the parameters has been tampered with or
- The sender does not have the correct shared secret key value
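The check described above, as an added example in Python (not the author's code). `page_hash` follows the page's scheme, assuming "SHA" means SHA-1 with hex output and a fixed parameter order of x then y. `hmac_tag` is a swapped-in alternative (HMAC-SHA256 over length-prefixed fields), shown because plain concatenation hashes "12" + "34" and "1" + "234" identically. All function names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac

SECRET = "constructed-demo-secret"  # constructed sample value, never a real key


def page_hash(values, secret):
    """The page's scheme: hash the parameter values joined with the shared secret.
    Assumption: "SHA" on the page is SHA-1 and the digest is sent as hex."""
    joined = "".join(values) + secret
    return hashlib.sha1(joined.encode("utf-8")).hexdigest().upper()


def hmac_tag(params, secret):
    """Swapped-in alternative (not on the page): HMAC-SHA256 over sorted,
    length-prefixed name=value pairs, so field boundaries cannot shift."""
    msg = b"".join(
        f"{len(k)}:{k}={len(v)}:{v};".encode("utf-8")
        for k, v in sorted(params.items())
    )
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify(params, secret, order=("x", "y")):
    """Return True only if params['hash'] matches the recomputed page-style hash."""
    supplied = params.get("hash", "")
    try:
        values = [params[name] for name in order]
    except KeyError:
        return False  # a required parameter is missing: reject the request
    expected = page_hash(values, secret)
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(expected.encode("utf-8"),
                               supplied.upper().encode("utf-8"))


if __name__ == "__main__":
    request = {"x": "12", "y": "34"}  # constructed sample request
    request["hash"] = page_hash([request["x"], request["y"]], SECRET)
    print("valid request accepted:", verify(request, SECRET))
    print("tampered y rejected:   ", not verify({**request, "y": "35"}, SECRET))
    print("wrong secret rejected: ", not verify(request, "other-secret"))
    # Same concatenated string, different parameters: the page-style hash collides.
    print("boundary shift collides:",
          page_hash(["12", "34"], SECRET) == page_hash(["1", "234"], SECRET))
    print("HMAC variant differs:  ",
          hmac_tag({"x": "12", "y": "34"}, SECRET)
          != hmac_tag({"x": "1", "y": "234"}, SECRET))
```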
However, once you decide on this approach you and the third party need to exchange this shared secret key value.
Problem: how do we do this securely?
- Option 1: You could use email to agree on the secret key – not great if your email is intercepted or your computer is hacked at a later date
- Option 2: Use Skype to send the details to each other – not great as it uses peer-to-peer communication and a packet sniffer might see the data you are trying to securely exchange
- Option 3: Use email to send a password-encrypted zip of the key, and then Skype the password separately – a bit better but still open to eavesdropping
Forget all of those options and instead just use OpenPGP to send the keys to each other!
Using OpenPGP you can implement public key encryption. What this means in practice is you:
- Create a key pair, one private and one public
- Share your public key
- If someone wants to send some info to you they use your public key to encrypt it
- And when you get it, you use your private key to decrypt it
So in practice, to use it you will need an OpenPGP client such as the GNU Privacy Assistant (GPA) by GPG4Win. Download their latest release and when you start up GPA you’ll be asked to create an OpenPGP public/private key pair. Just follow the instructions and save it someplace safe!
You can then:
- Export your public key and share it
- Decrypt data encrypted using your public key
- Import another’s public key and use it to encrypt data to send to them
The bundled program Kleopatra offers a nice UI that lets you choose which keys to use and select which files to encrypt and decrypt.
As an added bonus, if you are using Outlook 2003, installing GNU Privacy Assistant (GPA) will also install an Outlook plugin that allows you to read mails encrypted using OpenPGP. All you need to do is restart Outlook, and when you try to open an encrypted mail you will be asked for your key passphrase before the content is decrypted and shown to you – very useful!
So no more sending of secret keys over insecure email or instant messaging – use OpenPGP to ensure that what you want secret stays secret.