When we generate an API key in Binance, a secret key is generated too. I could not find any reference that those are RSA key pairs. They could be just random, unrelated numbers. Is the Binance API key the public key of an RSA key pair?
-
It's doubtful that these are RSA keypairs. See the example at https://cryptopro.app/wp-content/uploads/2019/06/6.copy-your-keys-to-crypto-pro-min-1024x734.png. The secret key is approx 60 base-58 characters. That translates to somewhere in the neighborhood of 350 bits. RSA private keys are typically much longer than this (1024 bits or longer). – mti2935 Jul 28 '22 at 13:51
-
Only the Binance developers can say whether this secret key is actually part of anything or not. – anion Jul 28 '22 at 20:09
-
Dear @anion, I think mti2935's comment is logical. Typical RSA key lengths are not consistent with what we get from key pairs. – Ahmet Arslan Jul 29 '22 at 09:16
1 Answer
This answer pertains not only to this question, but also to your earlier question at Using two different random numbers instead of RSA Keys.
The api key and the secret key are not an asymmetric key pair. This can be seen by looking at an example of how these keys are used to access the API, for example, at https://stackoverflow.com/questions/47984654/binance-api-keys.
You'll notice, if you follow the code in the top-voted answer, that the api key is included in the request, and then, to authenticate the request, an HMAC of the request is generated using the secret key.
In order to validate the request, the server would have to verify the HMAC. HMACs rely on symmetric cryptography, not asymmetric cryptography. In other words, in order to validate the request, the server would have to know the api key. This is in contrast to a digital signature used in asymmetric cryptography, where the private key is used to sign the request, and the public key is used to verify the signature.
Another way to think of this is that it is akin to a login function, where the api key is akin to the username, and the secret key is akin to the password. But, unlike a login function, the password is not sent across the wire in this case; it's used as the key to an HMAC function over the request.
See https://aspsecuritykit.net/guides/implementing-hmac-scheme-to-protect-api-requests/ for some interesting reading on this method of authentication with an API.
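The scheme the answer describes, both halves of it, as an added example that is not part of the original answer or of Binance's own code: the client appends a timestamp, computes an HMAC-SHA256 over the query string with the secret key, and sends the api key alongside it; the server uses the api key only to look up which secret to use, then recomputes the same HMAC and compares. The header name, parameter names, receive window and the sample credentials are constructed for the demo, not taken from Binance's documentation.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed sample credentials for the demo; not real Binance keys.
API_KEY = "demo-api-key-0123456789abcdef"
SECRET_KEY = "demo-secret-key-fedcba9876543210"

# What the server has to hold: api key -> secret key. Verification is
# impossible without the secret, which is what makes the scheme symmetric.
SERVER_STORE = {API_KEY: SECRET_KEY}


def sign_payload(secret_key: str, payload: str) -> str:
    """Hex HMAC-SHA256 over the exact string that goes on the wire."""
    return hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()


def client_build_request(api_key: str, secret_key: str, params: dict,
                         now_ms: Optional[int] = None) -> dict:
    """Client side: timestamp the params, sign them, append the signature as the
    last parameter, and send the api key in a header (header name is illustrative)."""
    params = dict(params)
    params["timestamp"] = now_ms if now_ms is not None else int(time.time() * 1000)
    query = urlencode(params)
    signature = sign_payload(secret_key, query)
    return {
        "headers": {"X-API-KEY": api_key},
        "query": query + "&signature=" + signature,
    }


def server_verify_request(request: dict, now_ms: Optional[int] = None,
                          recv_window_ms: int = 5000) -> Tuple[bool, str]:
    """Server side: identify the caller by api key, look up that caller's secret,
    recompute the HMAC over everything before the signature, and compare."""
    api_key = request["headers"].get("X-API-KEY")
    secret = SERVER_STORE.get(api_key)
    if secret is None:
        return False, "unknown api key"

    query = request["query"]
    params = dict(parse_qsl(query, keep_blank_values=True))
    presented = params.get("signature")
    suffix = "&signature=" + (presented or "")
    if presented is None or not query.endswith(suffix):
        return False, "missing or misplaced signature"
    unsigned = query[: -len(suffix)]

    # Freshness check: bounds how long a captured signed request can be replayed.
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or bad timestamp"
    now = now_ms if now_ms is not None else int(time.time() * 1000)
    if abs(now - ts) > recv_window_ms:
        return False, "timestamp outside receive window"

    expected = sign_payload(secret, unsigned)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    t = 1_700_000_000_000
    req = client_build_request(API_KEY, SECRET_KEY, {"symbol": "BTCUSDT", "side": "BUY"}, now_ms=t)
    print(server_verify_request(req, now_ms=t))  # (True, 'ok')
    forged = {**req, "query": req["query"].replace("side=BUY", "side=SELL")}
    print(server_verify_request(forged, now_ms=t))  # (False, 'bad signature')
```

Note what the server needs: the api key alone gets it nothing but a lookup; it cannot verify anything until it has the secret in `SERVER_STORE`. That is exactly why these are a symmetric username/password-style pair and not a public/private key pair, and why the stored secret has to be protected as carefully as the client's copy.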
-
Yes, Binance uses HMAC to hash the query string but uses the private key to hash. There is no signing or encryption by key pairs. – Ahmet Arslan Jul 29 '22 at 09:13
-
See https://security.stackexchange.com/questions/18572/is-it-okay-for-api-secret-to-be-stored-in-plain-text-or-decrypt-able, https://security.stackexchange.com/questions/38566/how-is-storing-an-api-secret-key-in-plaintext-in-a-database-secure, https://security.stackexchange.com/questions/180345/do-i-need-to-hash-or-encrypt-api-keys-before-storing-them-in-a-database for some interesting reading on this subject, especially the answer by Nick Sloan in the first link above. – mti2935 Aug 01 '22 at 15:19