Developer Hub Series

Private Authentication Variations Among The Exchange Platforms

Cryptography has become increasingly popular as demand for cryptocurrencies has risen. Binance, Coinbase, Huobi, Gemini and many other exchange platforms lead the crypto world with the trusted services they provide to their users. When it comes to running an exchange, it is important to have security protocols applied to your system to prevent user data from being stolen.

Security is tedious to implement. There are many ways of protecting data, such as multi-factor authentication, hardware security modules, encryption and security audits. Most of the well-known exchange platforms use these protocols, but there is no single right or wrong way to do it, so it is important to note that each platform has its own unique features and security protocols. This sounds great in that if one exchange platform is breached, the others cannot be breached the same way, since they implement different security protocols; at the same time it can be frustrating for the companies that provide exclusive services built on these exchange platforms and their users' data.

At Crypto Index Series, one of our latest goals is to provide a system where our users can request their exchange information from multiple platforms and generate a portfolio analysis on our product based on that data. To achieve this and provide such a useful product for our users, we require a unique key issued by each exchange platform from which our users would like to retrieve their data. This unique key is known as an API Key, or Application Programming Interface Key, and it is a text string generated by the platform it is requested from. API Keys are no different from a password: they are only effective when securely stored by the owner, and they can be easily exploited when leaked unless the owner deactivates the key and generates a new one.

Crypto Index Series’ development team has been researching the authentication protocols of commonly used exchange platforms. As our team continues to implement new solutions for the challenges encountered on each exchange platform and its private authentication protocol, we would like to share our experience with these security measures.

Binance is one of the most popular and widely used exchange platforms in Europe; it marks its secured endpoints with the term ‘SIGNED’. These endpoints require a multi-step process to produce the expected value, the signature. Binance uses the HMAC SHA256 keyed hashing algorithm to generate a hash-based message authentication code. Two of the inputs in this process are secretKey and totalParams. A secretKey is issued together with the API Key when it is generated; like a username and password, the two must match in order to authenticate. totalParams, on the other hand, is the concatenation of the query string and the request body.

Another popular platform that is well known in Europe is Coinbase. Like Binance, Coinbase uses the HMAC SHA256 hashing algorithm to generate the signature for authentication. The difference is that Coinbase requires these parameters to be added to the request header when making the API call: timestamp (current UTC time in unix milliseconds), method (GET or POST), requestPath (the endpoint excluding the base URL) and the body, which was totalParams in Binance’s signing protocol.

Since exchange rates change multiple times within a second, it is important to perform an exchange on time at the desired rate, so a stable network connection between the platform’s server and the user’s location is crucial. Because both of the exchanges above are Europe-based platforms, people in Asia and America might have a tough time using them due to latency.

Next, we would like to share the authentication protocol that Huobi uses. Huobi is a Chinese exchange platform that is publicly accessible even outside Asia, though the latency issue we discussed above applies here as well. Like the other two exchanges, Huobi also uses the HMAC SHA256 hashing algorithm, and the required parameters are similar but with differences. Huobi’s signing procedure requires the full URL path (base URL + endpoint), the API Key (which they call the Access Key), a timestamp (UTC sortable date time), the method (GET or POST), and the signature. The signature is generated from all these parameters, encoded in UTF-8 and arranged in a specific format.

Lastly, we would like to include a platform based in the United States. Gemini is commonly used in America and has implemented the most distinctive authentication procedure of the four platforms we discussed. First of all, Gemini did not choose HMAC SHA256; instead it uses HMAC SHA384. The main reason might be that SHA384 is roughly 50% faster than some of the other SHA-2 family cryptographic hashes, SHA224 and SHA256. “The speed-up is due to the internal computation being performed with 64-bit words, whereas the other two hash functions employ 32-bit words. SHA-512, SHA-512/224, and SHA-512/256 too are faster on 64-bit machines for the same reason.” (PyCryptodome). The formula Gemini uses to generate the signature is

hex(HMAC_SHA384(base64(payload), key=api_secret))

We sign the payload (an encoded message generated from all the parameters) with the apiSecret key using the HMAC SHA384 algorithm, then convert the result to hex at the end.
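As an added example (not code from the original post or from any exchange's own SDK), here are the Binance, Coinbase and Gemini signing schemes described above written with the Python standard library, together with the check a receiving service would run on a Coinbase-style request: recompute the signature, compare it in constant time, and reject stale timestamps. The secret is a constructed placeholder, and Huobi is left out because its exact canonical string is not spelled out above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholder (assumption); a real secretKey is issued with the API Key by the exchange.
API_SECRET = "example-api-secret"


def binance_total_params(query: dict, body: Optional[dict] = None) -> str:
    """Binance totalParams: the query string concatenated with the request body."""
    return urlencode(query) + (urlencode(body) if body else "")

def binance_signature(query: dict, body: Optional[dict] = None, secret: str = API_SECRET) -> str:
    """Binance SIGNED endpoint: hex HMAC-SHA256 of totalParams keyed with secretKey."""
    msg = binance_total_params(query, body)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()

def coinbase_prehash(timestamp: str, method: str, request_path: str, body: str = "") -> str:
    """Coinbase prehash string: timestamp + method + requestPath + body (all sent as headers)."""
    return f"{timestamp}{method.upper()}{request_path}{body}"

def coinbase_signature(timestamp: str, method: str, request_path: str, body: str = "",
                       secret: str = API_SECRET) -> str:
    """Coinbase: hex HMAC-SHA256 of the prehash string keyed with the API secret."""
    msg = coinbase_prehash(timestamp, method, request_path, body)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()

def gemini_signature(payload: dict, secret: str = API_SECRET) -> tuple:
    """Gemini: hex(HMAC_SHA384(base64(payload), key=api_secret)); returns (b64 payload, hex sig)."""
    b64_payload = base64.b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(secret.encode(), b64_payload.encode(), hashlib.sha384).hexdigest()
    return b64_payload, sig

def verify_coinbase_style(timestamp: str, method: str, request_path: str, body: str,
                          presented_sig: str, secret: str = API_SECRET,
                          now_ms: Optional[int] = None, max_skew_ms: int = 30_000) -> bool:
    """Receiver side: reject malformed or stale timestamps, recompute, compare in constant time."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if not timestamp.isdigit() or abs(now_ms - int(timestamp)) > max_skew_ms:
        return False  # replayed or clock-skewed request
    expected = coinbase_signature(timestamp, method, request_path, body, secret)
    return hmac.compare_digest(expected, presented_sig)  # no timing leak on mismatch
```

Any change to the body, path, method or timestamp changes the signature, which is why the receiver rebuilds the exact prehash string from the request it actually received rather than trusting a client-supplied copy.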

In conclusion, as a group of developers, we find this situation somewhat disturbing to work with and wish there were a base structure for private authentication so that everyone would follow the same formula, or similar approaches, to generate their signatures; but as we also discussed, that might create some security issues. No matter how much it bothers us to always look for a work-around with different exchanges, we will continue to deliver what our customers like to see.

Crypto Index Series Development Team

Feb 2023