0

I'm currently looking for guidelines on sharing API tokens or Access tokens securely, for integrating a third-party application with my own. The two methods I'm currently thinking of are:

  • PGP: I could share our public key with the third-party application owner, who could send us the access token for their API. However, from experience I've noticed the person on the other end is often not familiar with PGP and has neither the time or the knowledge how to sent via PGP properly.
  • Using an AES-256 encrypted zip over mail, and sending the zip password over another communication channel (e.g. in a text): This has the benefit of protecting the secret token from a mail compromise, and having a lower 'technical threshold' for third-party application owners.

I've looked for this in the NIST 800 guidelines without much success..

Are there other methods I'm overlooking, or is there an official source that can confirm these proposed methods as being the "industry standard"?

Don
  • 101
  • 2
  • 1
    What types of parties are you sharing these secrets with? – securityOrange Mar 13 '19 at 08:39
  • Integrators that expose an api from which I can pull information. They share with me an access token, but want to do so via mail. I'm looking for a more secure solution (so the token doesn't just sit on a mail server in plain text) but also still practical (so the integrator has a slower chance of doing it wrong or doesn't need to google for four hours). – Don Mar 13 '19 at 08:53

1 Answers1

2

OAuth2 might be appropriate in this case, the official standard is RFC6750.

There's no need to devise your own crpytographic protocol (which is widely regarded to be a bad idea).


EDIT:

For one-time-sharing you could simply use asymmetric encryption. You encrypt the token with the receiver's public key and only the receiver can decrypt it with his private key. Sending an AES256-encrypted token and the decryption key via another channel seems a little bit overkill.

AleksanderCH
  • 721
  • 4
  • 11
  • 23
  • 1
    That would be the PGP option right? Are there other solutions that are easier for less technical people? – Don Mar 13 '19 at 08:52