Edward Shryane wrote:
How do you share per-organisation keys securely? If we display a list of all active keys, then we must keep the plaintext keys on the server-side, which increases the risk of exposure for the RIPE NCC and the organisation. It's good practice when generating a key for a user to only display it once, and then store only the hashed version on the server side. It's the users responsibility to keep it secret.
It is possible with the per-user API key model to display a summary of API keys for all users and when they were last used. You can manage users instead of knowing about individual keys.
You don't need to show the full API key to identify it. An API key is, by definition, an opaque string. Thus you are allowed to store extra information there. For instance, an API key could be: RIPE-APIKEY-66F87CB1-af970283c7cdb9c402afe8be2b4f1d107 Where "RIPE-APIKEY-" doesn't provide any security at all, "66F87CB1" is actually an internal identifier for this specific API key, and af970283c7cdb9c402afe8be2b4f1d107 the actual random secret that you salt and hash. You could then list it as: RIPE-APIKEY-66F87CB1-… Not compromising the security of the API key at all. if it is a LIR-level API key, other org members (and ideally also the creator itself) can view that this API key exists, but not the full key. And I think that you *do* want to use an schema similar to this, not just showing a label, so that you can univocally identify the key on all kind of logs, not just with a user-defined label that can be repeated (I suppose that, even without considering a malicious user reusing a label on purpose, many entries will have a label of '', 'api', etc). Regards -- INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ==================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ==================================================================== In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitationof processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad. ====================================================================