API Key Secret / Consumer Key Secret - Generation Logic - SHA256?

nathanaw
Participant V

What is Apigee API Key Secret / Consumer Key Secret Generation Logic? SHA256?

Documentation does not state anywhere.

How can we know if the key and secret is computationally infeasible to guess?

0 5 355
5 REPLIES 5

We don't document the algorithm.

We assure you that it's random and secure.

Today, the generation algorithm uses Java SecureRandom, but there's no guarantee that won't change.

thanks it is OK I understand but without getting into a debate -- isn't not sharing the algorithm in public documentation a violation of Kerckhoffs's principle where a cryptographic system should be secure even if everything about the system, except the key, is public knowledge?

With the dawn of quantum supremacy at hand, we do need to ensure that the algorithm used is quantum computationally infeasible to crack?

I understand what you're saying.

We're not trying to base security of the system on obscurity.

We just cannot document every implementation detail in the system. There is a possibility that we'll move from a Java implementation to a Go-lang implementation of token generation, in which case the documentation would be wrong, and people could have a complaint that we've changed.

So if you have some proof that the token is guessable, I'm interested to hear it.

The assertion is: the tokens get generated and are secure and random and infeasible to guess.

Dino-at-Google, I am sorry for my own confusion. Can I clarify the below 2 points, please?

1. Are API Keys/Secrets generated using Java SecureRandom?

2. Are Access Tokens are generated using Java SecureRandom?

Hi @Dino-at-Google Dino-at-Google, I am sorry for my own confusion. Can I clarify the below 2 points, please?

1. Are API Keys/Secrets generated using Java SecureRandom?

2. Are Access Tokens are generated using Java SecureRandom?