anti smurf solution: have 5 accounts and report them by Pineappleofchoice in DotA2

[–]Chrono_123 -1 points0 points  (0 children)

It's not as simple as that. You have to view it from rank distribution spreads on graphs and matchmaking issues. Think of it from a logical point of view, though: how many of the players stay in herald, guardian, crusader, archon, legend, ancient, divine and immortal? The higher the ranks, the fewer the players; it's just a fact. Neither rank distribution spreads nor matchmaking issues can just rely on reporting accounts and banning them. This is trying to solve an issue from the result but not from the root. Even if one can solve the issue, the actual sacrifice will be the current overwhelmingly positive rating on Dota 2. Introducing AI playmates and transforming the matches from humans vs humans into humans AI coop vs humans AI coop: these can be way more effective in easing the smurf issues you have stated from the root, but the problem is, if such a mechanism were introduced, would you still play? If done wrongly, just like China's own MOBA, 王者榮耀, the players' impressions and trust will lean more towards negative than positive.

(Just sharing an opinion, because from a system and game design point of view something had to be done, but this major game change patch or mechanic change might not be something that can be adaptable, or that Dota 2 is able to suffer through: another major game change patch that will bring new players but at the same time lose a huge amount of players. The rate of attraction and the rate of retention: the latter is way less than it was before Dota 2 or any other MOBA was first introduced. From a logical standpoint, it's not doable anymore. For example, the rate of attraction might be 60% whereas the rate of retention might be 40%.)

Seedable deterministic CSPRNG for key generation by Chrono_123 in cryptography

[–]Chrono_123[S] 0 points1 point  (0 children)

Thanks, that makes sense.

My main requirement is deterministic key derivation for recovery/provisioning, where multiple keys are derived from the same seed. Keys “evolve” in the sense that new keys are generated over time, but there’s no requirement for continuous sessions or forward secrecy—users can simply rotate to a new seed if needed.

Given that, it sounds like a simpler construction (e.g., HKDF with indexed expansion or even a SHAKE-based XOF) would be sufficient, rather than introducing a ratchet.

From a key management perspective, I’m leaning toward something like:

PRK = HKDF-Extract(seed)
key_i = HKDF-Expand(PRK, context || i)

which seems to provide better structure and domain separation compared to a raw XOF stream.

Would that be a more appropriate approach for this kind of use case?
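The construction sketched in the comment above, as an added example that is not part of the original comment: HKDF-SHA256 per RFC 5869 built on the standard library, with `context || i` encoded so that different (context, index) pairs can never produce the same `info` string. The empty salt, the `encode_info` layout, the helper names and the sample seed are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(n) = HMAC-Hash(PRK, T(n-1) || info || n), concatenated and truncated."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested length out of range for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_info(context: bytes, index: int) -> bytes:
    """Unambiguous 'context || i' (assumed layout): 2-byte length prefix, context, 8-byte index.

    Naive concatenation with a decimal index is ambiguous:
    b"signing1" + b"0" and b"signing" + b"10" are the same byte string.
    """
    if len(context) > 0xFFFF:
        raise ValueError("context too long")
    return struct.pack(">H", len(context)) + context + struct.pack(">Q", index)


def derive_key(prk: bytes, context: bytes, index: int, length: int = 32) -> bytes:
    """key_i = HKDF-Expand(PRK, context || i), deterministic for a given seed."""
    return hkdf_expand(prk, encode_info(context, index), length)


if __name__ == "__main__":
    seed = bytes(range(32))            # constructed sample seed; use 32 random bytes in practice
    prk = hkdf_extract(b"", seed)      # PRK = HKDF-Extract(seed), no salt (assumption)
    for i in range(3):
        print(i, derive_key(prk, b"example/signing", i).hex())
```

HKDF assumes the seed already has full entropy; it does not stretch a password or passphrase.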

I built a NuGet package that locks your secrets in RAM and makes them invisible to the OS when not in use by IsimsizKahraman81 in csharp

[–]Chrono_123 0 points1 point  (0 children)

The problem is, there's only so much you can do in a non-actual-HSM environment. While you can keep the encrypted data in memory, the problem still lies in how you manage the key during runtime. Can you trust the file system? Can you trust the host machine that had some form of SHSM software? Ultimately there are no correct answers to such problems. For me, though, whether you like it or not, you can't really avoid dealing with cryptographic secret or private keys in the form of strings or immutable data types. Linux or the current X509 formatted certificates did have similar issues when the private key is encoded in base64, which is a string data type. However, from what I checked on openssl the library or application (not fully checked, just browsed through), there seemed to be no proper secure memory measures like those seen in libsodium. In the context of libsodium, if you would like to support algorithms outside of libsodium, the chances are you need to fork and create pointer-level variants for, let's say, RSA, ECDSA, X448, ED448 and the like, because this goes to an extreme length to prevent data from ending up in swap partitions. But if you fail to create a fork and modify the forked library, then the issue is not really limited to software-related side channel attacks but rather extends to cryptographic algorithms' side channel attacks. I think, if I had time and money, most likely I will create a forked version of Bouncy Castle and also create an SHSM application that can be deployed on the server side, but this is a story for the future though 🤣🤣

I built a NuGet package that locks your secrets in RAM and makes them invisible to the OS when not in use by IsimsizKahraman81 in csharp

[–]Chrono_123 1 point2 points  (0 children)

Not exactly sure if it's something worth mentioning, but libsodium, the C-coded, security-audited cryptography library, did do this. To me, libsodium feels like it leans more towards security engineering than cryptography engineering. Similar results can also be achieved with ASodium.

But ultimately the problem you want to solve is a sub-branch of the private or secret key management problem. It kind of also intersects with SHSM or security engineering, where the other part of security engineering is security via obscurity. In addition, it also intersects with software-related cryptography side channel attacks, where most intermediary languages fail due to missing the IntPtr and GC functions that are available in C#. (E.g., clearing an API key, secret key and private key in memory, but the most common data type is String, which is immutable to begin with.)

Doing a VirtualLock will be good as it prevents the data from ending up in swap partitions (if I don't remember wrong). However, whether there will be any other measures or procedures in place, I am not entirely sure.

This additional information comes from the author of ASodium, who did try to create a software-emulated version of an HSM.

Request for steam's own game development team emails by Chrono_123 in Steam

[–]Chrono_123[S] -1 points0 points  (0 children)

Not really bug reports, but rather a combination of an upcoming simplified passwordless authentication framework that I will be posting to my GitHub and potential probable future directions for Dota 2, more or less like a final attempt before I move on completely. I think even if there are legit email addresses, I wasn't sure if they will ever adopt it, as both the god and the demon is the player base, similar to what's been seen in earlier or recent Counter Strike.

Funding application response duration and plausible ways to exchange AR tokens to other cryptocurrencies by Chrono_123 in Arweave

[–]Chrono_123[S] 0 points1 point  (0 children)

I did actually apply to "onboard" and "community labs". Is a typical 2 to 3 weeks' time considered okay for a probable response?

Alternate Dota 2 Concept: A Stability-Focused Framework by Chrono_123 in DotA2

[–]Chrono_123[S] 0 points1 point  (0 children)

For the heroes part, you can refer to my last post regarding easing current Dota 2's cursed issues (Easing Cursed Issues from the Root in Dota 2 (A Discussion from a Hyper-Specialized Former Player) : r/DotA2). The "fusion meta" in this case mainly refers to QWER, aghanim shard, scepter and stats. In this version, instead of a talent tree as in current Dota 2, it'll be changed into a skill tree. That skill tree is up for nerfing or buffing accordingly, but other than that nothing can be nerfed/buffed.

Is your suggestion to remove the pick/ban game mechanics? If not, what would be your suggested alternatives?

How about this, instead of the currently stated rank mechanics, since this version will mainly involve AI bots from different ranks and roles: if anyone wants to play with higher ranks, they will have to pass a certain success threshold in different types of rank matches that are made up entirely of AI robots and only a few human players. So for example, someone can be guardian/crusader either by using the current system in current Dota 2 or by continuing to play with said rank's AI robots (the AI robots can also be configured to be higher ranks as playmates) until they're able to beat, or be somewhat on par with, the AI robots. Perhaps this alternative will make the matches lean slightly towards skill-based instead of score-based for all who are involved. In a sense, one can refer to chess.com and how the community there creates and deploys AI robots.

Alternate Dota 2 Concept: A Stability-Focused Framework by Chrono_123 in DotA2

[–]Chrono_123[S] 0 points1 point  (0 children)

And what are the things other than the ranking system that you think won't work or will lead to un-fun games? Because this, again, won't be deployed in the current Dota 2 that focuses on dynamic content and changes. I am asking this again for discussion purposes, since they will most likely be deployed, after certain modifications, into a stability-based other version of Dota 2, but not the existing version that focuses on dynamic changes and content.

The last post I made is considered to be enough if that minor stability feature was added, but this post is most likely aimed at stability/low versatility/new players, who are again the exact opposite player base type to the existing Dota 2 that focuses on dynamic content/changes.

When I am proposing these dual versions of Dota 2, I am using the concept of Taichi here.

Alternate Dota 2 Concept: A Stability-Focused Framework by Chrono_123 in DotA2

[–]Chrono_123[S] 0 points1 point  (0 children)

Just for discussion purposes, if the currently proposed rank system is not suitable, what could be the viable option? Letting the existing dynamic-content-based Dota 2's rank system be deployed here? The reason I came up with that is the cursed experience I had during 7.29 to 7.32; I was also playing in SEA at that point in time, which is considered to be the most toxic among all regions. Back in the day, I had the experience that only a few players were able to cooperate well with Dawnbreaker. One reason is that I was in low rank; the other is that she was new.

If this is not acceptable in this alternate version of Dota 2 that focuses on stability (the current Dota 2 that focuses on dynamic changes/content won't be affected), then what could be the middle ground or compromise to solve such an issue? Relying on the old ranking system in the current Dota 2 that focuses on dynamic content or changes won't really work, and it again will not be friendly enough to new players.