Ever wondered how secure our APIs are?
Consider a scenario where a bank exposes its services to third-party beneficiaries. You log in to your account and it shows a zero balance after a single transfer, made a day ago, that you never initiated. The exposed service could have been compromised by attackers. To prevent such intervention, or a MITM (man-in-the-middle) attack, we can adopt one of the widely used security practices: key-based security for APIs.
Application Programming Interface keys (API keys) are used to authenticate and authorize the user identities or devices that consume an API. They let you enforce access control and trace calls back to their users. Two practices are prevalent today: a single key, and a combination of an access key and a secret key.
Single Key
This is the simplest way to authenticate or authorize a user when a high degree of security is not required. Whenever the user wants to access the API, they send the API key as part of the request to identify the caller. The API key is checked against the credential store to validate the caller before access is granted.
Access key and Secret key
A key pair is used to communicate securely with the API. The user sends the access key together with a signature generated over the request with the secret key, using a keyed hashing algorithm such as HMAC-SHA256. The access key identifies the user and the signature proves the request's authenticity. The secret key itself is never exchanged; only the signature derived from it is part of the request, which makes the communication more secure. The server looks up the secret key registered for that access key, recomputes the signature and compares it with the one received before authorizing the request. Think of a signed cheque leaf with your account number printed on it: the signature verifies authenticity while the account number identifies the user.
API keys can be generated randomly as part of the user onboarding process or, in some cases, application onboarding. More than one key can be generated for an account when multiple devices or applications access the service, and calls can then be tagged to the respective identities for metering and monitoring purposes.
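The access key and secret key scheme described above, together with the per-device key issuance and metering from this paragraph, as an added example in Python. This is illustration code written for this post, not code from any bank or API gateway. It assumes a constructed in-memory credential store, a canonical string made of method, path, timestamp and body hash, and a clock-skew window of 300 seconds; all three are choices made for the example and not something the post prescribes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyRecord:
    account: str      # identity the key belongs to
    label: str        # which device or application the key was issued to
    secret_key: str   # never sent on the wire; used only to recompute signatures
    calls: int = 0    # metering counter for this key


# Constructed in-memory credential store keyed by access key (assumption for the
# example: a real service keeps this in a database with secrets encrypted at rest).
CREDENTIAL_STORE: Dict[str, KeyRecord] = {}

MAX_CLOCK_SKEW = 300  # seconds; a signed timestamp outside this window is rejected


def issue_key_pair(account: str, label: str) -> Tuple[str, str]:
    """Onboarding: mint a random access key and secret key for one device/app."""
    access_key = secrets.token_hex(16)       # 128-bit public identifier
    secret_key = secrets.token_urlsafe(32)   # 256-bit secret, shown to the user once
    CREDENTIAL_STORE[access_key] = KeyRecord(account, label, secret_key)
    return access_key, secret_key


def string_to_sign(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """The exact bytes both client and server sign, so any change in the
    method, path, timestamp or body changes the signature."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign_request(secret_key: str, method: str, path: str,
                 timestamp: int, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    mac = hmac.new(secret_key.encode(),
                   string_to_sign(method, path, timestamp, body),
                   hashlib.sha256)
    return mac.hexdigest()


def verify_request(access_key: str, signature: str, method: str, path: str,
                   timestamp: int, body: bytes, now: int) -> Optional[str]:
    """Server side: look up the secret by access key, recompute the signature and
    compare in constant time. Returns the account on success, None otherwise."""
    record = CREDENTIAL_STORE.get(access_key)
    if record is None:
        return None                      # unknown caller
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return None                      # stale or future-dated request
    expected = sign_request(record.secret_key, method, path, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None                      # tampered request or wrong secret
    record.calls += 1                    # metering: attribute the call to this key
    return record.account


def metering_report() -> Dict[str, int]:
    """Calls per account/device label, as a monitoring view of the store."""
    return {f"{r.account}/{r.label}": r.calls for r in CREDENTIAL_STORE.values()}


if __name__ == "__main__":
    ak, sk = issue_key_pair("alice", "mobile-app")
    body = b'{"to": "bob", "amount": 100}'
    ts = 1_700_000_000
    sig = sign_request(sk, "POST", "/v1/transfer", ts, body)
    print(verify_request(ak, sig, "POST", "/v1/transfer", ts, body, now=ts + 5))
    tampered = body.replace(b"100", b"100000")
    print(verify_request(ak, sig, "POST", "/v1/transfer", ts, tampered, now=ts + 5))
    print(metering_report())
```

The body digest in the signed string is what defends against the transfer-amount tampering from the opening scenario: an intermediary can read the access key and signature but cannot produce a valid signature for a modified body without the secret key. The timestamp in the signed string and the skew check are an added measure that limits how long a captured request stays replayable; `hmac.compare_digest` keeps the signature comparison constant time.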
Read about other security aspects and solutions in my following blogs.