How do API Keys and Secret Keys work? Would it be secure if I have to pass my API and secret keys to another application?

滥情空心 2020-12-12 08:21

I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin. They asked me for both my Ac

3 answers
  •  北海茫月
    2020-12-12 09:26

    Public Key Cryptography is used to defend against very specific attacks, some of which are common. In short, this is complex math that allows one to verify that an individual has both the Public and Private Key pair while only knowing the public key. This is very different from a credit card or static password. As an example, if you are authenticating with an OpenSSH server then the server doesn't need the private key.

    Ideally, if Amazon's API database were to be compromised, the attacker would have a list of public keys and would be unable to access the user's API using this information. However, ideal systems are not always put into practice and I don't know for sure if Amazon is protecting against this attack vector, but they should be.

    Public key authentication is statistically immune to brute force. Passwords are often dictionary words which can be broken relatively fast. However, a private key is a massive number that isn't easy to guess. If the attacker had the public key then they could perform many guesses "offline" on a supercomputer, but even then it would take a lot of time and money to break the key.
