Want to open this issue to discuss next steps and current thinking of moderator API key.
Public http endpoints can be accessed by anyone, the API key will be a header passed to any moderator specific endpoints to perform authentication.
In combination with API key, there will be an API key password.
A good question of how to issue new API keys, I'm thinking the following:
@prastle please have a look at this issue. There are choices to make and your feedback would be valuable:
(1) Once a new moderator has registered their API key, we can choose to not include a password. This means that opening up the moderator toolbox, the TripleA system will send the API key stored on the OS automatically to the backend, validate, and the moderator toolbox will just open. In essence once the API key is entered and registered for a given computer, the moderator will not even know that authentication is even happening.
(2) Password salted API key. Whenever the api key is sent to the servers we'll add a 'password' to it that will be required for the api key to be valid. This adds a burden that whenever TripleA is opened, the password will need to be entered to open the Toolbox. The benefit to this is higher security. The password will only "live" for as long as the TripleA app is open and once the game is closed down it's wiped away. This means that if a moderator were to lose the API key stored on their OS, either virus, someone gets a copy of your registry, or if someone is physically using the same computer, without the password the API key will be nearly useless.
I'm personally leaning a bit towards (2), for I think two reasons:
I agree with 2 as well for another reason. Many moderators are not always using the same computer ;)
@DanVanAtta
Thanks @prastle
There is a caveat, I'm not sure if it should be the case for API keys to work on multiple machines. Instead I'm thinking moderators, once they are in the toolbox, can grant themselves additional single-use-key.
To explain, the single-use-key solves the problem of "the admin knows my key, they could spoof me". We need to provide keys to moderators, I'm thinking what will happen is you'll "promote" a user to a moderator and can then generate a single-use-key that is valid for 48 or 72 hours. You'll then send that key to the new moderator who will use it.
Once the single-use-key is 'registered', it is then rendered invalid, the backend will generate a new key and send it to the TripleA application running on the moderator's system. That will be a transparent process and you won't really realize you're getting a brand new key. Once a moderator has a brand new key, nobody will know the value of that key. The key value will be hashed on the server side, the only place the unencrypted key would exist will be that moderator's system.
With that said, I would not want to encourage moderators to be able to 'view' their key so that they could perhaps email it to themselves and use that on a new computer. Having the email record makes it insecure, once the key leaves the network in an unencrypted form it is more likely to be compromised.
A moderator to switch between computers will need to copy a key no matter what, so I'm thinking we'll give the option for a moderator, once they are logged in to the toolbox, to be able to issue themselves a new single-use-key so they can repeat the key registration process on multiple machines. I'm thinking it's just the same if you email yourself an API key vs a single-use key, in both cases you're emailing yourself an API key, but in the latter the single-use-key is destroyed and no longer matters if it is in your email.
I'm not sure if that really changes anything, but it's notable that registering a key on multiple machines is likely more involved than having a secret key written on a piece of a paper. Basically takes some pre-planning, to self-issue a single-use key and write that down. I think that will be okay, as moderator activities when on a 'random' computer should be pretty rare.
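A server-side model of the flow sketched in this thread, added here as an illustration and not code from TripleA: an admin (or an already-logged-in moderator) issues a time-limited single-use key, registering it consumes the key and mints a fresh API key whose stored digest is "salted" with the moderator's password, so the API key alone authenticates nothing. Class and method names, the 48-hour lifetime and the SHA-256 digest are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed example of the key flow discussed above; not TripleA's own code.
# Lifetime taken from the thread's 48-hour suggestion for single-use keys.
SINGLE_USE_TTL_SECONDS = 48 * 3600


def _digest(*parts: str) -> str:
    # Only digests are stored server-side; the raw key exists solely on the moderator's machine.
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


class ModeratorKeyService:
    def __init__(self):
        self.single_use = {}  # digest(single-use key) -> (moderator, expiry epoch seconds)
        self.api_keys = {}    # digest(api key, password) -> moderator

    def issue_single_use_key(self, moderator: str, now=None) -> str:
        """Admin (or a logged-in moderator wanting a second machine) mints a one-shot key."""
        key = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + SINGLE_USE_TTL_SECONDS
        self.single_use[_digest(key)] = (moderator, expiry)
        return key  # handed to the moderator out of band; worthless once registered

    def register(self, single_use_key: str, password: str, now=None):
        """Consume the one-shot key and return a fresh API key bound to the password."""
        entry = self.single_use.pop(_digest(single_use_key), None)  # gone after one use
        if entry is None:
            return None
        moderator, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return None
        api_key = secrets.token_urlsafe(32)
        # Stored "password-salted": a stolen api_key without the password matches nothing.
        self.api_keys[_digest(api_key, password)] = moderator
        return api_key

    def authenticate(self, api_key: str, password: str):
        """Header check on a moderator endpoint: both parts must match to yield an identity."""
        return self.api_keys.get(_digest(api_key, password))
```

Re-using the single-use key after registration fails, and a leaked email containing it is harmless for the same reason, which is the property the thread relies on.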
@DanVanAtta
Your ideas make sense to me. Myself I only have three machines I use. You are correct though. They are generally just for popping in. When I am online I mainly use the one.
@ron-murhammer @ssoloff @RoiEXLab the overview of this issue may be useful to read for an overview of how key validation works. I'll see if I can get a PR out of this to add to the docs.