
I have a mobile app that communicates to server over HTTPS. To authenticate the


Question

I have a mobile app that communicates with the server over HTTPS. To authenticate the client and to make sure it's who I believe it is, I return upon successful signup (apart from the username) a secret API key (saved locally on the app). Every private method call following successful signup is SHA256 using the [method_name + parameters] with the API secret key.

My question is this:

How do I keep the secret API key safe on server side DB?

I mean, I need it in plain text so I can sign each request's parameters with this secret key to make sure the signature matches the one sent from the client, so if it is kept in the server DB as plaintext then any breach of the username + secret key combination will be horrendous.

Explanation / Answer

You need to store the secret key in encrypted form in the DB so that even if the DB gets compromised, your key is in encrypted form and is of no use to the attacker unless it gets decrypted. In addition, you need to have a mechanism by which your key gets decrypted on the fly whenever you need to use it.

Added: The DB stores your data, and your application logic/code is separate from the DB storage. Your secret key will be stored in the DB but used in application logic/code. It should not be hard-coded in your application logic, otherwise you won't be able to change it later, so you need to store it in the DB. However, the DB can be compromised, so you need to store it securely. To secure the key you need to store it in encrypted form and decrypt it on the fly. But to apply this security (encryption/decryption) you need another key (or key pair), which also needs to be secure.

One method of securing that key is that, instead of using a well-defined fixed key, you can consider some parameter, for example the user's date of birth or the user's account creation data etc. (any parameter whose value can vary for each user, but can remain constant at least for some time for a particular user). Take the value of that specific parameter, apply some transformation function to it and use the resultant value of that transformation as the key (you can use it directly as your secret key or as the key needed for encryption/decryption of the secret key). Your transformation function is part of the application logic and that parameter is stored in the DB.

In case your DB gets compromised, the transformation function will still not be exposed. In case your application logic/code gets analyzed, your basic parameter for key generation will not be available. In this way, you will be able to keep your system secure unless the attacker has access to both the DB (for the key generation parameter) and your application logic/code (for the transformation function) to get the knowledge required for encryption/decryption of your secret key. Hope it explains your query.
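A sketch of the scheme described in the answer, added here as an example and not taken from the answer itself: the per-user value from the DB is run through a transformation, and the result encrypts the API secret at rest and decrypts it on the fly to check a request signature. It assumes the transformation is HMAC-SHA256 keyed with a master key held only by the application, AES-256-GCM for the stored secret, and HMAC-SHA256 over method and parameters as the request signature; all function names and sample values are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// mac is HMAC-SHA256; assumed here both as the key transformation and as the request signature.
func mac(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// userAEAD derives a per-user AES-256-GCM key from the application-held master key and the per-user DB value.
func userAEAD(master []byte, userParam string) cipher.AEAD {
	block, _ := aes.NewCipher(mac(master, "api-secret-kek:"+userParam)) // cannot fail: key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal returns nonce||ciphertext for the DB column; the username is bound as associated data.
func Seal(a cipher.AEAD, user string, secret []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, secret, []byte(user)), nil
}

// Verify decrypts the stored secret on the fly and compares signatures in constant time.
func Verify(a cipher.AEAD, user string, blob []byte, msg string, sig []byte) bool {
	n := a.NonceSize()
	if len(blob) < n {
		return false
	}
	secret, err := a.Open(nil, blob[:n], blob[n:], []byte(user))
	return err == nil && hmac.Equal(mac(secret, msg), sig)
}

func main() {
	a, secret := userAEAD([]byte("constructed-master-key"), "2019-04-02"), []byte("constructed-api-secret")
	blob, _ := Seal(a, "alice", secret)                                                           // value stored in the DB
	fmt.Println(Verify(a, "alice", blob, "getBalance\nid=7", mac(secret, "getBalance\nid=7"))) // true
}
```

Because the username is bound as associated data, a ciphertext copied into another user's row fails to decrypt instead of authenticating that user's requests.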