Security Tips

INFO

⚠️ KeyAuth protects your licensing and authentication. But protecting your program is something you also need to take steps on. We are an authentication service, not an obfuscation service ⚠️

When you use the official KeyAuth API libraries, the following protections are already built in:

Signed Responses : Every response from the server is signed with Ed25519. The client checks this signature - attackers cannot fake a "success" reply without the real server's private key.

Timestamp Verification : Replies include a timestamp to prevent replaying old requests. The client checks that the timestamp is valid before accepting the response.

Session Handling : Sessions expire automatically. Even if someone grabs a request, it won't work later.

In other words: it's not just a simple "if" check. Your program only proceeds if the response is signed and timestamped.

What you should do as a Developer

Do not remove checks : The checks that we have in place (timestamp, signature, etc.) should remain in your program

If altering the API file use HTTPS safely. Add certificate pinning to stop man-in-the-middle atacks.

Spread out security checks. Don't rely on a check just on startup. A security check should ideally be ran every 30sec-1min and in multiple places in your code.

Do not hard code senstive data.

Obfuscate your code. Even basic obfuscation/packing makes it harder for an attacker to gain access to your program. Adding anti-debug/anti-inject is highly recommended if possible.

Update your program often. The longer your program stays "as is", the more time an attacker has to learn more about it and plan an attack.

These don't make your program "uncrackable", but they slow attackers down. Nothing is "uncrackable".

There is no point in doing the steps below if you're sending requests from a server. As servers will not need this protection as the user will not be able to modify the network traffic between the server and the KeyAuth API.

GUID Setup

You are going to want to include a random GUID in the enckey paramater with the initialization request to the 1.2 endpoint. Make sure that the length of the GUID is 36 characters or less. You will send this GUID in the enckey paramater only on init (initialization), none of the other requests.

Then you will want to store this GUID along with your application secret for later reference. Example: [GUID]-[secret].

So, if my GUID that I passed in the enckey parameter was 4a59f8ca-b304-47 and my application secret is 76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f, I would want to store the string 4a59f8ca-b304-47-76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f for later use for the initialization response.

For initialization request responses, there is a signature header which is a SHA256 HMAC of the JSON response encoded with the application secret.

So the header is signature: 8d0a11b00f44bee4e563117db28533943f5170854f5f65e69470c59bffb7d0d5 and the JSON response is:

{
    "success":true,
    "message":"Initialized",
    "sessionid":"b8Q1f62SdW",
    "appinfo":
    {
        "numUsers":"6",
        "numOnlineUsers":"120",
        "numKeys":"1533",
        "version":"1.0",
        "customerPanelLink":"https:\/\/localhost\/panel\/wnelson03\/test\/"
    }
 }

Encoding the above JSON with my application secret 76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f on the website HMAC SHA256 ONLINE I get the following output: 8d0a11b00f44bee4e563117db28533943f5170854f5f65e69470c59bffb7d0d5. In my application, I compare these and abort the program if the do not match.

For all other responses, you're going to need the string that you saved earlier, [GUID]-[secret].

My string is 4a59f8ca-b304-47-76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f and the JSON response is:

{
    "success":true,
    "message":"Logged in!",
    "info":
    {
        "username":"3Y8FC2-MRHKUO-U9RH8I-GNHD2U-THK4X8-PW584D",
        "subscriptions":
        [
            {
                "subscription":"default",
                "key":"3Y8FC2-MRHKUO-U9RH8I-GNHD2U-THK4X8-PW584D",
                "expiry":"1659657607"
             },
             {
                 "subscription":"default",
                 "key":null,
                 "expiry":"1659749662"
             }
         ],
         "ip":"::1",
         "hwid":null,
         "createdate":"1659225608",
         "lastlogin":"1659363059"
    }
}

and the header that I received was signature: e2993347290077c90011694bf887975117bff08897106f9c501d75c48102f721

Encoding the JSON response that I received with the string that I saved before I made the init request, 4a59f8ca-b304-47-76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f on the website HMAC SHA256 ONLINE, I get the same result as the signature e2993347290077c90011694bf887975117bff08897106f9c501d75c48102f721

Security Practices

Security Tips#

What you should do as a Developer#

GUID Setup#

Security Tips

What you should do as a Developer

GUID Setup