Secure your assets through advanced API key protection
Binance announced today that its exchange will update the security rules for API keys (application programming interface keys) and move to API keys based on an asymmetric RSA signature scheme, in order to protect users from potential API key leaks in the future.
To find out how to link a Binance auto-generated key to your Kryll account, read our tutorial.
What is an Auto-generated API Key?
An auto-generated API key is an application programming key that uses asymmetric RSA cryptography to prove the identity of its user to an online service. Like the HTTPS protocol, this type of signature uses a system of private and public keys to secure exchanges between two parties.
This type of API key is generated using the public key of the person or application that wishes to access data or features of another system or service, such as Binance in our case, while proving its identity.
How does an Auto-generated API key work?
To create such a key, the user must provide Binance with the public key of the software they wish to use as the first step in creating their API key.
Once the process is complete, the key consists only of a simple identifier that can only be used by the software holding the private key. This way, if the API key is disclosed, an attacker will not be able to use it.
With this security update, software using the key has to sign the requests it sends to Binance with the secret private key associated with the public key provided when the API key was created. Binance has no knowledge of the private key but uses the public key provided at the time of API key creation to validate the provenance of the requested actions.
In other words, the private key remains secret and signs the actions, while the public key certifies the provenance of those actions.
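The sign-and-verify exchange described above, as an added example that is not Kryll's or Binance's code. It assumes RSA PKCS#1 v1.5 signatures over SHA-256 with base64 encoding (the page does not name the scheme); the key identifier and request fields are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Exchange holds only API key identifiers and registered public keys, never private keys.
type Exchange struct{ registered map[string]*rsa.PublicKey }

// Sign is the client side (assumed scheme: PKCS#1 v1.5, SHA-256, base64).
func Sign(priv *rsa.PrivateKey, payload string) (string, error) {
	digest := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify accepts a request only if it was signed by the key registered for apiKey.
func (e *Exchange) Verify(apiKey, payload, sigB64 string) bool {
	pub, ok := e.registered[apiKey]
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(payload))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo reports whether each request is accepted: signed by the registered key,
// signed by a different key using the same identifier, and altered after signing.
func Demo() (legit, leakedID, tampered bool) {
	client, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // knows the identifier only
	ex := &Exchange{map[string]*rsa.PublicKey{"demo-api-key-id": &client.PublicKey}}
	payload := "symbol=BTCUSDT&side=BUY&quantity=1&timestamp=1700000000000" // constructed
	good, _ := Sign(client, payload)
	forged, _ := Sign(other, payload)
	return ex.Verify("demo-api-key-id", payload, good),
		ex.Verify("demo-api-key-id", payload, forged),
		ex.Verify("demo-api-key-id", payload+"0", good)
}

func main() { fmt.Println(Demo()) }
```

Only the first request verifies: knowing the identifier without the private key, or changing a signed request, both fail the public-key check.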
Kryll Public Key:
Why such a change?
About two weeks ago, a group of traders reported that $22 million worth of cryptocurrencies had been stolen via compromised API keys on the trading platform 3Commas. On Wednesday, 3Commas admitted that the API keys had been leaked. The announcement came after an anonymous Twitter user obtained approximately 100,000 API keys belonging to 3Commas users and posted them online. Initially, 3Commas insisted that there were no security issues on their side, and co-founder Yuriy Sorokin repeatedly said on Twitter that it was phishing that caused the disclosure of user data.
However, on Wednesday 28 December, Sorokin tweeted:
"We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas."
Binance and Kucoin quickly removed the compromised keys, but this story has continued to have significant repercussions for the entire automated trading industry.
Cryptocurrency exchange Binance informed its partners on 5 January 2023 that all symmetric (HMAC) API keys created after 6 January 2023 would be required to have a whitelist of IP addresses; otherwise, only read-only functions would be allowed.
Faced with some outcry from the crypto community resulting from the announcement and the imposed timetable, Binance announced on 6 January that these changes would be postponed for a few weeks to give partners time to adapt.
Kryll.io switches to RSA auto-generated keys with Binance
In response to Binance's announcement on January 5th regarding the new policies for API keys, the Kryll team sprang into action and offered support for asymmetric API keys to its users the following day, January 6th. We worked quickly to implement this feature so that our users can continue to use their API keys securely and efficiently on our platform. We are committed to providing the best possible service to our users and to keeping up to date with the latest technological and regulatory developments to ensure the security of their assets.
Although this story has already been widely reported in the trade press and on social networks, its impact on the market is not yet over. Overall, it has resulted in tighter and better security for the crypto ecosystem and API-linked platforms.