
I have logins for different platforms (say Facebook credentials for example), that I want to securely store in a database. I want to be able to use the APIs to login to these platforms through the app (automatically).

Is there a safe way to store these logins without losing them (can’t hash them)?

Thanks

2 Answers


  1. You don’t want to know the safe way. You want to know the secure way. 🙂

    Guess what, there isn’t one. Imagine this. You want to store some sensitive data. You use encryption. Great. Now the data is secure. What do you do about the key? Let the user remember it? No, you wanted to automatically do stuff, so you need to have the key lying somewhere (not that the user can remember random >128 bits…). What do you do with the key then? Encrypt it? Well, you’ve already done it once. You can obfuscate, hide, put access rights and so on. If you want stuff to happen automatically, there needs to be a key lying around somewhere.

    Look at KeePass for example. Imagine you could have stuff as secure as KeePass is. This is as far as you can go.

  2. It is probably too much risk for your app to store credentials for third parties. If I were your target user, I would certainly not trust a platform to store my credentials to Facebook and others in a way that the platform itself might have access.

    Let’s assume you assessed and accepted this risk, and your users will trust you for some reason. One thing you need to acknowledge is that if your platform is compromised, all of the credentials stored will be compromised, but you can limit the impact of such a breach, and that’s what you should do.

    You should use a hardware security module. Now that’s traditionally really expensive and complex, but you can now use an HSM as a cloud service. All major cloud platforms have CloudHSM solutions, and also higher level services based on the HSM itself.

    The point in an HSM is that a stored key is never released. You generate a keypair in the HSM, and there is no way to extract the private key. For cryptographic operations (like encryption, decryption) you send data to the HSM and it does it for you, without you ever knowing the key. The point is that even if there is a compromise, the impact is limited, because attacker access is timebound, and also you can apply proper auditing and access control on the HSM itself.

    But the HSM does not store website credentials, it stores keypairs. So you can use something like Amazon Secrets Manager (or you could build your own, but that’s really tricky), which itself is based on AWS KMS, and encrypts your secrets with a key stored securely in the HSM.

    So you would

    • create a KMS key; if you have large customers, then probably one KMS key per customer (or if corporations, they can probably provide their own KMS keys, see Bring Your Own Key, BYOK)
    • use Secrets Manager to store secrets, ideally encrypted with your customer’s specific key
    • run your app in say AWS with an IAM role that allows it to access the secrets in Secrets Manager

    Note that a similar architecture can also be set up without AWS or any other cloud provider, but it’s a lot more complex.

    What this provides you is

    • auditability (who used which key/secret/credential, and when)
    • possibility to revoke access
    • timebound access to your credential store even for an attacker that did compromise your whole application
    • an option to let your users know if there was a compromise in which case they will need to change their credentials in downstream services
    • BYOK as described above

    Note that this is a fairly complex thing to implement and get right, and also costs non-negligible money to operate. You would need processes and technical controls to mitigate numerous other risks. This is just a brief introduction into what you could actually do to secure those secrets.

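The three steps listed in the second answer (per-customer KMS key, secret stored in Secrets Manager under that key, IAM role for the app) could look like the sketch below. This is an added example, not code from either answer; the `thirdparty/<customer>/<platform>` naming scheme, the region, the account id and the customer id are assumptions, and the policy covers the app's read path only.

```python
import json

PREFIX = "thirdparty"  # assumed secret naming scheme: thirdparty/<customer>/<platform>

def app_role_policy(region, account_id, kms_key_arns):
    """Read-only IAM policy for the app role; KMS use is allowed only via Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
             "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{PREFIX}/*"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": list(kms_key_arns),
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }

def create_customer_key(kms, customer_id):
    """One KMS key per customer, so access can be revoked or audited per customer."""
    resp = kms.create_key(
        Description=f"Third-party credentials for customer {customer_id}",
        Tags=[{"TagKey": "customer", "TagValue": customer_id}])
    return resp["KeyMetadata"]["Arn"]

def store_login(sm, customer_id, platform, username, password, kms_key_arn):
    """Store one platform login as a secret encrypted under the customer's key."""
    resp = sm.create_secret(
        Name=f"{PREFIX}/{customer_id}/{platform}",
        KmsKeyId=kms_key_arn,
        SecretString=json.dumps({"username": username, "password": password}))
    return resp["ARN"]

def fetch_login(sm, customer_id, platform):
    """Called by the app at login time; each call is recorded in CloudTrail."""
    resp = sm.get_secret_value(SecretId=f"{PREFIX}/{customer_id}/{platform}")
    return json.loads(resp["SecretString"])

if __name__ == "__main__":
    import boto3  # needs AWS credentials; all values below are constructed placeholders
    region = "eu-west-1"
    kms = boto3.client("kms", region_name=region)
    sm = boto3.client("secretsmanager", region_name=region)
    key_arn = create_customer_key(kms, "customer-0001")
    store_login(sm, "customer-0001", "facebook", "user@example.com", "constructed-pw", key_arn)
    print(json.dumps(app_role_policy(region, "111122223333", [key_arn]), indent=2))
```

The `kms:ViaService` condition means a stolen role session cannot call KMS directly with the customer keys; decryption only happens as part of a Secrets Manager request, which keeps the audit trail in one place.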