Securing API Keys

How Keys are Stored on the Platform

Stored in a database that is encrypted at REST
There is no direct public access to the database
Database is only accessible to Paradigm compute workloads on a private AWS VPC network

Types of API Keys

Paradigm handles two main types of API keys:

Exchange API Keys: Used by Paradigm to submit trades on their behalf when users orders match
Paradigm API Keys: Authenticating and interacting with the Paradigm API.

Exchange API Key

Recommended Security Practices

Scope Exchange API keys with minimal required permissions needed for Paradigm to operate. Paradigm only needs the Block Trade permission to operate
Limit Exchange API key access to Paradigm’s IP addresses when possible (IP Allowlisting)
Disable Exchange API key directly from the exchange when not using Paradigm. This can be done programmatically with the Exchange

Users may have multiple exchange API keys per venue, each will need a unique label as it’s identifier. API Keys differ between venues but generally consist of a pair of tokens.

Encryption

Keys are encrypted before being saved into the database
Keys are only decrypted as needed when submitting matched trades to the exchange
Keys are symmetrically encrypted using the AWS Encryption SDK (backed by AWS KMS) using AES-GCM 256-bit encryption.
- AWS Encryption SDK leverages two keys to perform encryption: Primary key and data key
- Primary key provides generation, encryption, and decryption of data keys
- Data keys are used to encrypt the actual Exchange API Keys and are unique per set of exchange credentials
Access to the KMS key is strictly limited to systems that needs access to decrypting for submitting trades to exchanges
Employee access to KMS keys are strictly limited to those with admin privileges
We use AWS CloudTrail to log and monitor access of KMS keys

With these protections, should a bad actor somehow gain access to unencrypted contents of the DB, they would not feasibly be able to decrypt customers’ Exchange API Keys.

Paradigm API Key

Recommended Security Practices

Enable and set IP allow-lists for Paradigm API key access
Store Paradigm API Keys securely using a secrets manager such as HashiCorp Vault or AWS Secrets Manager

This consists of an access key and a signing key. A desk can have multiple keys but a unique label is required for them.

Access key is to identify desk
Signing is for signing request

Key Generation

Access keys
- 24-byte character string generated from a 62-character set, resulting in 142.9 bits of entropy
- First 8 characters are stored unhashed as a key identifier
- Hashed before storage
Signing keys
- Randomly generated 36-byte string, resulting in 288 bits of entropy
- Base64-encoded for transit
- Stored as raw bytes due to signature verification
Both generated from system source of randomness adequate for cryptographic use

Encryption

Access keys
- Salted and hashed using the SHA-256 hashing algorithm before storage in the database. SHA-256 chosen over traditional password-hashing algorithms since the key is generated from a secure random source
- One way hashing prevents Paradigm from having access to customer’s Paradigm API Access Keys. We can only verify API request validity by comparing hashed results.
Signing keys
- Stored in the database directly because it is needed for generating and comparing request signatures
- Provides no value without the Access keys

How Keys are Stored on the Platform

Stored in a database that is encrypted at REST
There is no direct public access to the database
Database is only accessible to Paradigm compute workloads on a private AWS VPC network

Types of API Keys

Paradigm handles two main types of API keys:

Exchange API Keys: Used by Paradigm to submit trades on their behalf when users orders match
Paradigm API Keys: Authenticating and interacting with the Paradigm API.

Exchange API Key

Recommended Security Practices

Scope Exchange API keys with minimal required permissions needed for Paradigm to operate. Paradigm only needs the Block Trade permission to operate
Limit Exchange API key access to Paradigm’s IP addresses when possible (IP Allowlisting)
Disable Exchange API key directly from the exchange when not using Paradigm. This can be done programmatically with the Exchange

Users may have multiple exchange API keys per venue, each will need a unique label as it’s identifier. API Keys differ between venues but generally consist of a pair of tokens.

Encryption

Keys are encrypted before being saved into the database
Keys are only decrypted as needed when submitting matched trades to the exchange
Keys are symmetrically encrypted using the AWS Encryption SDK (backed by AWS KMS) using AES-GCM 256-bit encryption.
- AWS Encryption SDK leverages two keys to perform encryption: Primary key and data key
- Primary key provides generation, encryption, and decryption of data keys
- Data keys are used to encrypt the actual Exchange API Keys and are unique per set of exchange credentials
Access to the KMS key is strictly limited to systems that needs access to decrypting for submitting trades to exchanges
Employee access to KMS keys are strictly limited to those with admin privileges
We use AWS CloudTrail to log and monitor access of KMS keys

With these protections, should a bad actor somehow gain access to unencrypted contents of the DB, they would not feasibly be able to decrypt customers’ Exchange API Keys.

Paradigm API Key

Recommended Security Practices

Enable and set IP allow-lists for Paradigm API key access
Store Paradigm API Keys securely using a secrets manager such as HashiCorp Vault or AWS Secrets Manager

This consists of an access key and a signing key. A desk can have multiple keys but a unique label is required for them.

Access key is to identify desk
Signing is for signing request

Key Generation

Access keys
- 24-byte character string generated from a 62-character set, resulting in 142.9 bits of entropy
- First 8 characters are stored unhashed as a key identifier
- Hashed before storage
Signing keys
- Randomly generated 36-byte string, resulting in 288 bits of entropy
- Base64-encoded for transit
- Stored as raw bytes due to signature verification
Both generated from system source of randomness adequate for cryptographic use

Encryption

Access keys
- Salted and hashed using the SHA-256 hashing algorithm before storage in the database. SHA-256 chosen over traditional password-hashing algorithms since the key is generated from a secure random source
- One way hashing prevents Paradigm from having access to customer’s Paradigm API Access Keys. We can only verify API request validity by comparing hashed results.
Signing keys
- Stored in the database directly because it is needed for generating and comparing request signatures
- Provides no value without the Access keys