Keeping Your API Keys in a Safe

Hongqian Karen Lu
DOI: 10.1109/CLOUD.2014.143 (https://doi.org/10.1109/CLOUD.2014.143)
Venue: 2014 IEEE 7th International Conference on Cloud Computing
Published: 2014-06-27
Citations: 7

Abstract

A Cloud API (Application Programming Interface) enables client applications to access services and manage resources hosted in the Cloud. To protect themselves and their customers, Cloud service providers (CSPs) often require client authentication for each API call. The authentication usually depends on some kind of secret (also called an API key), for example a secret access key, a password, or an access token. As such, the API key unlocks the door to the treasure inside the Cloud. Hence, protecting these keys is critical. It is a difficult task, especially on the client side, such as users' computers or mobile devices. How do CSPs authenticate client applications? What are the security risks of managing API keys in common practice? How can we mitigate these risks? This paper focuses on finding answers to these questions. By reviewing popular client authentication methods that CSPs use, and by using Cloud APIs ourselves as software developers, we identified various security risks associated with API keys. To mitigate these risks, we use hardware secure elements for secure key provisioning, storage, and usage. The solution replaces manual key handling with end-to-end security between the CSP and its customers' secure elements. This removes the root causes of the identified risks and enhances API security. It also enhances usability by eliminating manual key operations and alleviating software developers' worries about working with cryptography.