Secure Your API Keys or Risk Losing Everything: The Harsh Reality of API Key Mismanagement
As more companies rely on APIs to connect to various systems, applications, and services, API security has become a crucial aspect of business operations. Proper use and management of these keys are essential to ensuring the security and privacy of digital assets. API leaks can have severe consequences such as financial losses, reputational damage, and even legal consequences. Therefore, companies must take proactive measures to ensure the security of their APIs and prevent any unauthorised access or exploitation.
To understand the importance of securing API keys, let’s examine the 3Commas API Key leak that occurred at the end of last year.
An unidentified user managed to obtain approximately 100,000 API keys belonging to the users of the cryptocurrency trading service provider, 3Commas. The individual disclosed over 10,000 of these keys on Twitter and indicated their intention to publish the complete set of data. Although 3Commas confirmed the leak and stated that prompt action was taken to address the issue, many users reported losing their funds as a result of the incident.
Understanding API Keys
API keys are critical tools for modern digital currency custody institutions to provide services and protect digital asset security. API keys consist of an Access Key and Secret Access Key (AK/SK). These API keys are used to communicate with system API gateways, protecting service interfaces from unauthorised access; the Access Key (AK) is used to identify users on the server-side, while the Secret Key (SK) is used to sign API operations.
However, if not used and secured properly, API keys can pose a significant risk to crypto institutions and their end users. API key leakage can lead to malicious access to service interfaces, causing service interruption or abuse. AK/SK leakage may result in the theft of digital assets and damage to end users’ interests. Therefore, it is crucial to identify and manage potential risks associated with the use of these keys.
We will explore measures that institutions can take to prevent API key and AK/SK leaks and safeguard their valuable digital assets. By staying up-to-date with the latest trends and best practices in API security, institutions can equip themselves with the knowledge and tools needed to mitigate the risks of key leaks and safeguard their digital assets.
Best Practices for Managing API Keys and AK/SK
To avoid such risks, institutions need to implement best practices for using API keys and AK/SK. Understanding how to protect digital assets, prevent API leaks and respond effectively when an incident occurs, is absolutely vital for institutions. These measures include using dedicated IP addresses, correctly safeguarding API keys and AK/SK, regularly replacing keys, assigning dedicated keys, reasonably setting permissions, using dedicated encryption storage schemes, and regularly monitoring the use of API keys and AK/SK.
- Using dedicated IP addresses for API calls can help you avoid having your API calls used by unauthorised parties in the event of key loss.
- Safeguard API keys and AK/SK: you should neither discuss the use and storage of keys with untrusted third parties nor share keys through insecure communication tools such as email and instant messaging.
- Regularly replacing API keys and AK/SK is recommended, such as replacing keys at least once every three months or immediately replacing them when the risk of key leakage is high.
- Assigning dedicated keys to each business or project to ensure that key permissions match business requirements.
- Reasonably setting permissions for API keys and AK/SK is recommended. For example, a company can only grant the minimum permissions required by the key according to business needs to reduce potential risks caused by permission abuse.
- Using a dedicated encryption storage scheme for API keys and AK/SK: Use hardware security modules (HSM) or other trusted encryption storage technologies to protect keys and prevent unauthorised access.
- Regularly Monitoring the use of API keys and AK/SK can be helpful. Regularly reviewing key usage records, investigating suspicious operations or abnormal behaviour, and taking corresponding measures such as stopping or updating the keys immediately when necessary.
In conclusion, proper use and management of API keys and AK/SK are critical to ensure digital asset security. By following the recommended best practices, institutions can minimise the risk of key leakage and prevent unauthorised access, theft, and abuse of digital assets. By taking these precautions, digital currency custody institutions can provide better services and protect the interests of their customers.
Cactus Custody takes the security of your account and API calls seriously. We authenticate every API request using the ‘SHA256 with ECDSA’ signature, which utilises the highly secure Secure Hash Algorithm 256-bit (SHA-256) and the cryptographically secure digital signature scheme ECDSA. SHA-256 produces unique and irreversible hashes, ensuring that every block in the ledger is assigned a unique hash value, providing peace of mind to our clients.
In addition, we only allow our clients to generate their own API public and private key pairs, and the public key is shared with our operation team for validation purposes. Every API request must obtain a signature with the client’s private key in a specific format. Our IP address whitelisting functionality provides an extra layer of security, giving our clients complete control over API access.
To stay up-to-date on Cactus Custody’s latest developments, visit us at https://www.mycactus.com/en. Feel free to connect with us anytime.