Set up key authentication

Prev Next

Available in Classic and VPC

The newly provided encryption/decryption APIs have several differences from the existing encryption/decryption APIs that used NAVER Cloud Platform account information as authentication credentials. The new APIs provided in Key Management Service (KMS) API 2.0 have the following differences compared to the existing API 1.0:

Item KMS API 1.0 KMS API 2.0
Base URL (domain) https://kms.apigw.ntruss.com https://ocapi.ncloud.com
API type Only provides 6 types of encryption/decryption APIs (Encrypt, Decrypt, Create Custom Key, Re-Encrypt, Sign, and Verify).
  • Only provides 6 types of encryption/decryption APIs (Encrypt, Decrypt, Create Custom Key, Re-Encrypt, Sign, and Verify).
  • Provides all key management functions available in the console.
    • Authentication method User authentication using NAVER Cloud Platform account information.
  • Token authentication API: Key authentication token.
  • Account authentication API: User authentication using NCP account information.
    • Request processing performance Maximum 200 TPS system-wide based on Encrypt APIs (AES): All keys share 200 TPS processing performance. Maximum 300 TPS system-wide based on Encrypt APIs (AES): Individually guarantees up to 300 TPS processing performance for each key.
    Availability guarantee Region-specific HA: Cipher API is affected during NAVER Cloud Platform region failures. Cross-region HA: Encryption/Decryption APIs guarantee uninterrupted operation regardless of NAVER Cloud Platform region failures.
    Request access control Using IP ACL function provided by Sub Account service at sub-account level.
  • IP ACL function provided by Sub Account service at sub-account level.
  • IP ACL that can be configured for each token.
    • Note

    KMS API 1.0 continues to be provided.

    Key request token overview

    The tokens used in encryption/decryption API requests of KMS API 2.0 are configured in a self-defined JWT (JSON Web Token) format.

    Token structure

    Access tokens and refresh tokens are tokens used for user authentication and permissions, with different roles considering security and efficiency.

    • Access token
      An access token is a short-lived token used when clients access resource servers (such as APIs). After a user or service is certified, they can access authorized resources using this token. Access tokens are valid for only a short time (few minutes-few hours) as a measure to enhance security. This is because even if a token is leaked, the short validity period minimizes potential damage.
      However, when authentication tokens have short validity periods, the cumbersome user authentication procedure to obtain new tokens must be performed more frequently. Refresh tokens are used to compensate for this.

    • Refresh token
      A refresh token is used to obtain a new access token when the validity period of an access token expires. Through this, you can continuously use services without having to perform user authentication (e.g., login) again.
      Refresh tokens have a much longer validity period (days-months) than access tokens. However, to minimize permissions, they generally cannot be used to access resources like access tokens can.

    JWT (JSON Web Token) method

    To efficiently use individual authentication tokens per key, KMS API 2.0 uses JWT (JSON Web Token) method instead of managing tokens independently. Here is an example of tokens:

    Item Token
    Refresh token eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1YjEyNjg5MC1jMDgxLTExZWMtYmE2ZS0yNDZlOTY1OTE1OTQiLCJpYXQiOjE3MjkwNTI4NzYsImV4cCI6MTcyOTA5NjA3NiwiMSI6IlJFRlJFU0giLCIyIjoia2V5dGFnX19hNjg3NmM0NzFhOGJlYmM1NmRjMGQ2NjRkM2M2NGQ0NTNlZTE3ODIwNWE0YWJhZDE4NDk2NTFkZTNmYTY0MDVkIiwiMyI6IkVYVCIsIjQiOlszMywzNCw0LDE0LDI1LDIwLDEwLDExLDEyLDEzLDYsNyw4LDksMjEsMjMsMjQsMjIsMjYsMTYsMTgsMTksMTUsMTcsMzEsMzAsMzIsMjgsMjksMjcsMSwyLDAsMzksMzUsMzYsMzcsMzhdfQ.CUJ6ht53Pmp_Zht6EygvLeUZn1Kb0uqEIK04V_nxHD2J9BYbUk0w2Y8DkU6me0p7tma7jNStrH-duHCFVRgvmao3Mw5Wk0ir8msQnNxB1l8HWOm6CqJPg4TOfSvjhDjEN4mtrONz1ggprJnLs_yFOe-3BF0dTEqkR8w1Ux2q1XevuJ7-LC9gngFcK-4WOzzWwqY7lm8CnZh09Y-aKI591Ry8yNkTlKa9JAneZaA_GI7szVlMs2bBwwUr6NyaJo818jY7o3NHH6l54S3-useml31vBKTQ2I-yMZUmNpTgkHZvc-c9LJfSeeJ16LHLpFrC9yczkoSAYHv-RfqUr45Srw
    Access token eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1YjEyNjg5MC1jMDgxLTExZWMtYmE2ZS0yNDZlOTY1OTE1OTQiLCJpYXQiOjE3MjkwNTI4NzYsImV4cCI6MTcyOTA2MzY3NiwiMSI6IkFDQ0VTUyIsIjIiOiJrZXl0YWdfX2E2ODc2YzQ3MWE4YmViYzU2ZGMwZDY2NGQzYzY0ZDQ1M2VlMTc4MjA1YTRhYmFkMTg0OTY1MWRlM2ZhNjQwNWQiLCIzIjoiRVhUIiwiNCI6WzMzLDM0LDQsMTQsMjUsMjAsMTAsMTEsMTIsMTMsNiw3LDgsOSwyMSwyMywyNCwyMiwyNiwxNiwxOCwxOSwxNSwxNywzMSwzMCwzMiwyOCwyOSwyNywxLDIsMCwzOSwzNSwzNiwzNywzOF19.HYxASPv_yzjRkxfG3VhDMElJowxC-sAccZWe4ecnIL6YC61uIYPerLIL9paWUqEcBEhTDWGHeJJKe2Qo7RBpwGfGgw7h5dE7JX0blJfSDEiFFr1w92EBN4rpnoQMjEVNwW6EpT3_s6GSgTB6XfeJFIK9rXAuzvy83fCrU3lBBo8Yf3Nfh-1c185AQ_xoSro3hcY_PCaanpUQzOMjqEvEl8L6nYgctBjmDXz3HnSkF3_3IUQOTYR67TRCNNgW1lS9N0oaS_gi6xrbTr7aRzMbexsWyxMipQ1cnY_h4E9iyAK8bkFHUeczEbwUC8W9RMxw3mO3HDqZrCID1wAUcZdj3A
    Note

    You can view decoded JWT tokens at https://jwt.io/.

    Token-based authentication flow (example)

    1. To sign and issue tokens per key, the key admin sets up a token creator.
    2. When the token creator is set up, a token pair is issued using the console or Create Token Set API. User authentication is required at this point.
    3. The client makes key encryption/decryption requests using the access token, and when the request is rejected due to the token's expiration, uses the refresh token to request a new access token.
    4. When a new access token is issued, the client can make key encryption/decryption requests again. If the refresh token has expired, you need to go through user authentication again to issue new tokens.

    Set up authentication

    Enable/Disable token creator

    To use the token authentication feature, you need to configure a token creator first. To enable and disable the token creator:

    1. From the NAVER Cloud Platform console, navigate to Menu > Services > Security > Key Management Service > Key.
    2. Select the key and move to the Set up authentication tab, then click Enable token creator to configure the token creator.
    3. When the token creator is initialized, a token creator ID is assigned, and tokens can now be issued.
      kms-token_01_ko
    4. Click Disable token creator to discard the token creator, and it no longer processes token authentication.

    Replace token creator

    You can also replace just the token creator while maintaining the token authentication functionality. To replace the token creator:

    1. From the NAVER Cloud Platform console, navigate to Menu > Services > Security > Key Management Service > Key.
    2. Select the key and move to the Set up authentication tab, then check the token creator ID.
    3. Click the Replace button next to the token creator to replace the token creator.
    Caution

    When a token creator is discarded or replaced, all tokens issued by that token creator are automatically expired, and this action cannot be undone. Therefore, if tokens are issued and in use, discard or replace the token creator only when it is absolutely necessary.

    Create token

    When a token creator is configured, tokens can be issued.

    1. From the NAVER Cloud Platform console, navigate to Menu > Services > Security > Key Management Service > Key.
    2. Select the key and move to the Set up authentication tab, then check the token creator ID.
    3. Click Create token and enter the validity period.
      • Refresh token TTL: Enter in hours. Can be set from a minimum of 1 hour to a maximum of 17,520 hours (730 days). If not entered, it defaults to 2,160 hours (90 days).
      • Access token TTL: Enter in hours. Can be set from a minimum of 1 hour to a maximum of 17,520 hours (730 days). If not entered, it defaults to 72 hours (3 days).
    4. Click OK to verify the issued tokens. When the token issuance popup closes, the issued tokens will be lost.
      kms-token_02_ko

    Token

    IP ACL settings

    To prevent token misuse from unauthorized clients, you can specify the IP addresses of requesters who are authorized to use tokens.

    1. From the NAVER Cloud Platform console, navigate to Menu > Services > Security > Key Management Service > Key.
    2. Select the key and move to the Set up authentication tab, then check IP ACL to enable it. Tokens issued after IP ACL is enabled undergo request IP address validation.
      Caution
      • When IP ACL is enabled, it operates as "All Deny'" by default. Therefore, when activating the IP ACL feature, you must register allowed IP addresses for tokens to be used properly.
      • Additionally, tokens issued before IP ACL activation also undergo request IP address validation. If tokens issued before IP ACL activation are not requested from allowed IP addresses, the validation fails.
    3. Enter the IP address and click Add to register it to the allowed list. IP addresses are allowed immediately upon registration.
    4. If there are IP addresses you wish to delete, click the Delete button next to the item to remove it from the allowed list. IP addresses are denied immediately upon deletion.
      kms-token_03_ko
    Business Registration Number: 129-86-31394 E-commerce Permit Number:No. 2009-GyeonggiSeongnam-0510
    CEO: Kim Yuwon Address: NAVER Green Factory 17th–26th Floors, Buljeong-ro 6, Bundang-gu, Seongnam-si, Gyeonggi-do 13561, Republic of Korea. Customer Support Number: 1544-5876
    © NAVER Cloud Corp. All Rights Reserved.