Why both a key and a secret in many web APIs?


Question

Many web REST APIs give you a key and a secret. When you make a request to the API, you have to return them both. What is the use of this? Would not one of them be enough?


  • It is not a public/private key exchange: you give them both, right?

You're also not hashing your contents with the secret and calculating the other value, as in many hashing algorithms: you always give the same key and secret back.

The only thing I can find is an answer to How to use a key and secret for verification? that says the server can cheaply hash your domain (or probably username or something else) with the secret and check if it matches the key. Is that really the use?

(A bonus would be the name of this mechanism. It doesn't seem to match what I can find on stackoverflow/wikipedia on cryptographic mechanisms.)

Update: the answer and several of the comments tell me that it is a bad idea to pass both a key and the corresponding secret key in a request. It does happen in practice, but it is a bad idea nonetheless.

Recommended answer

You would be talking about HMAC Authentication.
The key you are mentioning is something like your account name; it would not be directly used for any authentication. The secret would be shared strictly offline and is never sent back. In HMAC Authentication you send back a signature derived from a set of parameters agreed between the server and client, and of course the secret is part of it.
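The scheme the answer describes, as an added example that is not part of the original post: the client sends its key (identity), a timestamp and an HMAC-SHA256 signature over the request, while the secret stays on both ends and never travels over the wire. The header names, the canonical string layout and the credential store are assumptions constructed for illustration.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode

# Constructed sample credential store: the server knows each client's public
# key (account id) and the secret that was shared with that client offline.
SECRET_STORE = {
    "AKIA-EXAMPLE-KEY": b"constructed-secret-shared-offline",
}

def canonical_string(method, path, params, timestamp):
    """String both sides agree to sign: method, path, sorted query parameters
    and timestamp, so changing any of them changes the signature."""
    query = urlencode(sorted(params.items()))
    return f"{method}\n{path}\n{query}\n{timestamp}"

def sign(secret, method, path, params, timestamp):
    """HMAC-SHA256 over the canonical string, keyed with the shared secret."""
    msg = canonical_string(method, path, params, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def client_request(api_key, secret, method, path, params, now=None):
    """What the client sends: key, timestamp and signature, but not the secret."""
    timestamp = str(int(now if now is not None else time.time()))
    signature = sign(secret, method, path, params, timestamp)
    return {"method": method, "path": path, "params": params,
            "headers": {"X-Api-Key": api_key, "X-Timestamp": timestamp,
                        "X-Signature": signature}}

def server_verify(request, now=None, max_skew=300):
    """Server side: look up the secret by key, recompute the signature over the
    received request and compare in constant time; reject stale timestamps so a
    captured request cannot be replayed indefinitely."""
    h = request["headers"]
    secret = SECRET_STORE.get(h.get("X-Api-Key"))
    if secret is None:
        return False
    try:
        ts = int(h.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if abs(current - ts) > max_skew:
        return False
    expected = sign(secret, request["method"], request["path"],
                    request["params"], str(ts))
    return hmac.compare_digest(expected, h.get("X-Signature", ""))
```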
