
I am working on an open-source javascript application. I am trying to interface with a third party API (github specifically). I am trying to keep my entire application client-side only, so I really won't have a server to fall back to or store hidden files on. As part of the OAuth process I need to provide the secret key provided for my api key. I am not supposed to publish or share this key.

I have come up with the following solution:

  1. Encrypt the secret key using triple-DES and a passphrase.
  2. Put the encrypted version in my repository somewhere.
  3. When I need to authenticate via Oauth, prompt for the passphrase and recover the secret key.
  4. Once known, store secret in local storage to avoid future prompts.

I am essentially storing a transformed version of the secret key. I guess all this buys me is that I must get the passphrase from the user instead of the full key. It should be a little easier to remember than random bytes.

Is this secure enough? It is not a super critical app, but I want to do my best to protect things that I am told not to share. Is there a better way than 3DES to encrypt the key in a reversible way?


asked May 15, 2012 at 14:17 by captncraig
  • Turns out Client-side OAuth is not really supported by github for this very reason anyway. They don't want secret keys being shown. Could still be useful if dealing with less picky apis though. – captncraig Commented May 15, 2012 at 17:04
  • I don't really understand the scenario. Are you trying to hide the key to github from the user, even though they are running the client that uses the key? If so, you can't do it securely; a determined user will always be able to recover this key, and from an ethical standpoint, you shouldn't be trying to hide information stored on a machine from its owner. If each user gets their own github key, and you are just looking for a more convenient way to remember it, your solution is good. – erickson Commented May 15, 2012 at 18:12

2 Answers


The problem with this solution is that the application has to contain the code (and possibly the key) to decrypt it. The best solution is not to put it in the repository at all.

Most applications store this type of data in a config file that's ignored by version control software. Then include an example config file with a fake key and instructions on how to rename the file and acquire an api key of their own.

A good example of this is WordPress's config file, in the "Authentication Unique Keys and Salts" section.

That sounds more than adequate for keeping something secret, though Triple DES is a little dated.

I would use X rounds of SHA-256 to hash the passphrase, then use that hash as an AES-256 key.

Tags: javascript, Hide secret key in public repository, Stack Overflow