Reputation: 32986
I need a consumer key and secret for an R package I am developing. It would be somewhat cumbersome for each user to apply and get their own and there really isn't a need since they will have to authenticate with a username/password to use the package functions. However, I am not allowed to share my keys in the open. Is there any way the key+secret (or any bit of information for that matter) could be hidden in my package source once it is on CRAN? I'm guessing that the answer is no but I'd like to make sure I'm not missing other ideas.
Update: The only abuse I foresee is someone extracting and using the keys in another application to max out my rate limits. But if that were the case, then I could just remove it. But there might be other forms of abuse that I am missing. Perhaps I should just let everyone apply for their own.
Upvotes: 5
Views: 770
Reputation: 40841
Well as long as you are aware that obfuscation is not security, there are some simple ways to obfuscate. You don't specify how your keys are stored, so I'll assume that they are stored in binary form in a file.
The simplest obfuscation is to xor with some value - I'll use "DEADBEEF" just because it sounds tasty:

    keyFile <- "c:/foo.bin"
    obfuscatedKey <- readBin(keyFile, "raw", file.info(keyFile)$size)
    key <- xor(obfuscatedKey, as.raw(c(0xde, 0xad, 0xbe, 0xef))) # xor with DEADBEEF

Because of xor being symmetric, the same code can be used to create the obfuscatedKey from the original key too.
Another way is to scramble the vector. By using the random number generator with a "secret" seed (42), the key is obfuscated:

    # obfuscate
    key <- 101:110
    n <- length(key)
    set.seed(42, "Mersenne-Twister") # To get the same permutation
    perm <- sample.int(n)
    obfuscatedKey <- key[perm]

    # unobfuscate
    orgKey <- integer(n)
    set.seed(42, "Mersenne-Twister") # To get the same permutation
    perm <- sample.int(n)
    orgKey[perm] <- obfuscatedKey
    identical(key, orgKey) # TRUE

...and you can of course combine both methods...
Upvotes: 3
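
The two methods from the answer combined into one round trip, as an added example that is not part of the original answer; `xor_mask`, `seeded_perm`, `obfuscate` and `deobfuscate` are hypothetical helper names and the sample key is a constructed placeholder. It handles keys whose length is not a multiple of the mask length and leaves the caller's RNG state untouched; the mask and seed still ship in the package source, so anyone who reads it can call `deobfuscate`.

```r
# Added example: XOR mask + seeded permutation, as described in the answer.
MASK <- as.raw(c(0xde, 0xad, 0xbe, 0xef))  # the "DEADBEEF" value from the answer
SEED <- 42                                  # the "secret" seed from the answer

# XOR every byte with the mask, recycling the mask explicitly so that keys
# whose length is not a multiple of 4 do not trigger a recycling warning.
xor_mask <- function(bytes) {
  xor(bytes, rep_len(MASK, length(bytes)))  # xor() is bitwise on raw vectors
}

# Build the permutation without clobbering the user's random number stream:
# set.seed() inside package code would otherwise reset it as a side effect.
seeded_perm <- function(n) {
  had_seed <- exists(".Random.seed", envir = globalenv(), inherits = FALSE)
  if (had_seed) old <- get(".Random.seed", envir = globalenv())
  on.exit({
    if (had_seed) assign(".Random.seed", old, envir = globalenv())
    else rm(".Random.seed", envir = globalenv())
  })
  # sample.kind is pinned (R >= 3.6.0) because the default sampling algorithm
  # changed in 3.6.0, which would change the permutation for the same seed.
  set.seed(SEED, kind = "Mersenne-Twister", sample.kind = "Rejection")
  sample.int(n)
}

obfuscate <- function(key_chr) {
  bytes <- charToRaw(key_chr)
  xor_mask(bytes)[seeded_perm(length(bytes))]
}

deobfuscate <- function(obf) {
  masked <- raw(length(obf))
  masked[seeded_perm(length(obf))] <- obf   # invert the permutation
  rawToChar(xor_mask(masked))               # XOR is its own inverse
}

# Constructed placeholder values, not real credentials.
for (k in c("EXAMPLE-CONSUMER-KEY-123", "abcde")) {
  stopifnot(identical(deobfuscate(obfuscate(k)), k))
}

# The caller's RNG stream is the same with or without a call in between.
set.seed(1); a <- runif(1)
set.seed(1); invisible(obfuscate("abcde")); b <- runif(1)
stopifnot(identical(a, b))
```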