Forums » Ryzom API suggestions »
Enhanced security and privacy protection on the API Keys
Added by kregora about 9 years ago
The current API keys are in my opinion not secure enough. If the format of the API keys remains unchanged and it will in the future still be necessary to give the real API keys to 3rd parties, giving away a key, gives partial access to all keys on the same account, each protected only by a 32-bit random number.
My suggestion is to either increase the randomness of the API Keys to maybe 128-256 bit, or to offer an option to disable API Key usage in the Account Management.
Additionally or alternatively I would like to see a application registry, where I can generate application specific API keys.- A application is registered under a specific name on a ryzom.com site
- an application id will be generated which has to be used by the application to retrieve information from the Ryzom API
- an secret hash is generated and stored with the application id at ryzom.com
- A player that wants to give access to a specific site, goes to a ryzom.com site, selects a given application and enters his personal API key, and receives an encrypted application specific API key, which he then gives to the application site
- The application requests information with its own application identifier and the application specific API key
- The Ryzom API delivers the content only after successfully decrypting the application specific API key
Replies (6)
RE: Enhanced security on the API Keys - Added by vl about 9 years ago
Hello kregora.
Thanks for your post and your interest in the security.
It's your opinion but it cannot be good since you don't know what security we provide.
There's absolutely no security problem with our key system, don't worry.
Regards.
RE: Enhanced security on the API Keys - Added by kregora about 9 years ago
Currently it is a fact that I have to give the plain api keys to 3rd parties, so that those are able to query the api, or am I wrong here?
RE: Enhanced security on the API Keys - Added by kregora about 9 years ago
Okay, lets look at the two keys of APIHomin and APINoob, and take for given that the capital R is delimiter, so we have four fields to consider:
APIHomin
api key: PR521366R0R343D6080 P 521366 0 343D6080 P type: partial character key 521366 uid 0 slot number 343D6080 32bit password
APINoob
api key: FR521366R1R05EF0010 F 521366 1 05EF0010 F type: full character key 521366 uid 1 slot number 05EF0010 32bit password
When you regenerate the key only the 32bit password is set to a new value.
Issue 1: in my opinion a 32bit password is too weak (but you commented that already)
Issue 2: breach of privacy, someone who knows about both keys sees that they belong to the same account (same uids)
Anyone who was able to access the data can safe it as uid=521366 (APINoob, APIHomin) if in the future a new character is generated on the account with
the name APIRyzomTest the new API Key will be something like FR521366R3R11223344.
To make my privacy protection suggestion work, there need other changes to be made, too, like the removal of the uid from the returned character data.
This is to prevent that Player A may find out that SuperFried and YourMeanestEnemy are played by the same person.
And I am not sure if the login and logout times if given to other player may be a violation of the Code of Conduct 9: You may not communicate any player's real world personal information on the Winch Gate Property Limited forum, ingame, on the live chat support nor any Ryzom Services.
RE: Enhanced security and privacy protection on the API Keys - Added by suibom about 9 years ago
I would like to see this addressed as well. I mean, it's enough of an issue that you offer a key encryption method so the general populace doesn't get character API keys, but you do expect trust in offering the keys to the app hoster.
For example, let's say Joe Ganker creates an app, or (more likely) snags one from someone else, and finds a way to host it. Let's say the app is a wonderfully cute thing that shows an animation of your character wearing equipment and juggling inventory items from the character profile API, everyone loves it and goes out and signs up all of their characters, cause the app allows for multiple characters to juggle items to each other... Now, the app itself isn't at question here, it's a great little toy. The problem arises with Joe Ganker.
See, Joe Ganker is a member of a griefing group that likes to mess with other players and ruin their experience. Now, with the help of the app, Mr. Ganker has the character api keys of many users. He houses them in a database and sorts them out so he knows what characters are linked together. He finds one player that his group has been tormenting and now has all of their alts that are happily juggling away on the user's screen.
Next time user logs in with one of his characters, they are immediately harassed by one of the GankerCrew. Fed up, they log out and decide to play another character.. same problem. Eventually the once happy player is now miserable.
It's a bit far fetched, sure, but hopefully illustrates the potential of abuse of the current system.
Peace,
- Sui
RE: Enhanced security and privacy protection on the API Keys - Added by kregora about 9 years ago
I think it is better if you continue this thread Suibom.
I totally lost my trust in the Ryzom project.
Bye.
RE: Enhanced security and privacy protection on the API Keys - Added by barbaros about 9 years ago
Actually I see the problem with the 32 bit token but it seems arrangements were made to secure this.
I cannot agree with your second part. There always have been limitations for multi-chars on one account, like the one account at the official forum.
PS: The uid is not only in the key but also in the xml data.
(1-6/6)