Can you send an API secret key if it is encrypted?

1

Very basic question... Trying to figure this out before I go back to work tomorrow, so unfortunately I do not have access to my Powershell script, but I will post it tomorrow if I don't figure it out.

I have created a text file containing my encrypted API secret key. When I send the GET request with my key hardcoded in the application, it works as expected. However, when I store the encrypted key in a variable and then attempt the GET request using that variable, I get an error saying it cannot authenticate the key. Is this because I have to decrypt it before I send it?

Update:

Still unclear on how to solve this. Concerned about vulnerabilities if I decrypt the key within my script.

$key = new-object -typename System.Management.Automation.PSCredential - 
argumentlist $keyFile.username, $keyFile.password 
$secret = new-object -typename System.Management.Automation.PSCredential - 
argumentlist $secretFile.username, $secretFile.password 


$tc='[{"data":"pdnsBlah.domaincontrol.com","name":"- 
","ttl":9999,"type":"NS"}, 
{"data":"pdnsBlah.domaincontrol.com","name":"-","ttl":9999,"type":"NS"}]'

# Event log settings
$eventLog = "Application"
$eventSource = "GoDaddyDNSMonitor"

#check to see if event source exists, if not create one
if (![System.Diagnostics.EventLog]::SourceExists($eventSource))
{
New-EventLog -LogName $eventLog -Source $eventSource

}



#Here is where my issue lies########################################
$newConfig=C:\Users\di203179\Documents\Curl\bin\curl.exe -s -X GET -H 
"Authorization: sso-key $key`:$secret" 
https://api.godaddy.com/...
If ($tc -ne $newConfig)
{
    $Message = "DNS Nameserver @ GoDaddy has changed to " + $newConfig + " 
Application Infrastructure On-call needs to be paged. Details are below."
    Write-EventLog -LogName $eventLog -Source $eventSource -EventID 20000 - 
EntryType Error -Message $Message
    echo "false"
}
else {

    echo "true"
}

Thanks for your help and patience.

dillon.harless

Posted 2019-01-16T23:28:11.200

Reputation: 23

Though this is not all up PKI, the same principal applies. Unless the code or destination can decrypt it using the defined key, then nope. Since you encrypted it, there is no way for the destination to decrypt it. This is no different than using a self-signed certificate to encrypt things, without sending the public key to the target in order to decrypt. PKI 101. – postanote – 2019-01-17T01:25:29.800

Please clarify: “When I send the GET request with my key hardcoded...” - do you mean you hardcode the unencrypted key? If yes, then it is quite apparent the API is looking for the unencrypted key. – Appleoddity – 2019-01-17T05:41:18.817

Thanks for your responses! @appleoddity I did in fact mean the unencrypted key was hardcoded. I am about to head to work, and will attempt to solve with both of your comments in mind. – dillon.harless – 2019-01-17T13:08:12.597

Answers

0

Alright, so I figured out the issue. Many thanks to those who commented and got me past my first hurdle. Definitely couldn't send an encrypted file to the sever and apparently, many servers do not know how to handle PSCredential objects.

Details here: https://blogs.technet.microsoft.com/heyscriptingguy/2013/03/26/decrypt-powershell-secure-string-password/

And here is how I solved it.

$keyObject = new-object -typename System.Management.Automation.PSCredential - 
argumentlist $keyFile.username, $keyFile.password 
$secretObject = new-object -typename System.Management.Automation.PSCredential - 
argumentlist $secretFile.username, $secretFile.password

$newConfig=C:\Users\di203179\Documents\Curl\bin\curl.exe -s -X GET -H "Authorization: 
sso-key

$($keyObject.GetNetworkCredential().Password):$($secretObject.GetNetworkCredential().Password)" https://api.godaddy.com/... ...

dillon.harless

Posted 2019-01-16T23:28:11.200

Reputation: 23

Asked: 2019-01-16T23:28:11.200

Viewed: 154 times

Active: 2019-01-18T13:53:59.987