Orginaly published on http://www.darkreading.com/cloud-security/167901092/security/application-security/232900809/insecure-api-implementations-threaten-cloud.html, April 23rd 2012, by Rob Lemos

Insecure API Implementations Threaten Cloud

Web and cloud services allow third-party access by exposing application programming interfaces, but many developers and customers do not adequately secure the keys to the cloud and their data, experts say

Dark Reading
Attackers over the past three years have begun to actively target the digital keys used to secure the Internet infrastructure. Stuxnet’s creators stole code-signing keys and then used them to allow the malware to more easily evade host-based security. An alleged Iranian hacker broke into a partner of registry Comodo and bought Secure Sockets Layer (SSL) keys for major domains to eavesdrop on activists. And unknown attackers stole important information on RSA’s SecureID token, a device that generates one-time keys to strengthen online security.

The unique codes that applications in the cloud use to identify one another could be next, security experts say.

So-called API keys are used by Web and cloud services to identify third-party applications using the services. If service providers are not careful, an attacker with access to the key can cause a denial-of-service or rack up fees on behalf of the victim.

“It was created as a fairly nonauthoritative identifier — it was only there to identify applications or the application’s use of an API,” says K. Scott Morrison, chief technology officer of Layer7 Technologies, a provider of Web security and governance products. “The problem is that developers have started using API keys for stuff that matters.”

The problem is not any inherent weakness in the keys, but that developers use them for security when they ought not, he says. In many implementations, the keys are used to identify users, even though the technology was not meant as a way to authorize access to data. And after expanding the power of the keys, developers do not treat them as critical assets. Instead, companies fail to keep track of the keys, e-mailing them around and storing them on desktop hard drives.

“They shouldn’t be used for anything that matters, but people do. And when they do, they don’t take it as far as they need to,” Morrison says. “It’s kind of the worst of both worlds.”

During a presentation at the RSA Security Conference earlier this year, Morrison stressed the danger in the misuse and mishandling of API keys. The warning was repeated at the recent SOURCE Boston conference by application gateway maker Vordel. An improper implementation that allows simple access to an API via use of a secret key can allow attackers to have unmitigated access if the key can be sniffed out or stolen from an authorized user’s computer, said Jeremy Westerman, Vordel’s director of product management, at the conference.

“There is a need to protect these cloud API keys,” Westerman said. “There is a lot of awareness in the industry about protecting, say, SSL keys … Unfortunately, protecting API keys has not reached that level of awareness.”

Cloud and Web service developers must first follow best practices in opening up their APIs to third parties. In return, third-party developers need to handle the keys in a secure manner and not, for example, encode a nonobfuscated key into an application.

[Microsoft Research report shows how risky single sign-on can be without solid integration and better support from Web service providers like Google and Facebook. See Web Services Single Sign-On Contain Big Flaws.]

Communicating best practices can go a long way to fixing the issues, says Mark O’Neill, Vordel’s chief technology officer.

“The SaaS [software-as-a-service] providers expect you to protect these keys, but they don’t tell you how to protect the keys,” O’Neill says.

Companies that have API keys should treat them as valued assets, he says. The keys should be handled in much the same way as code-signing keys and other encryption material.

API keys were first used by Google, Yahoo, and other early pioneers of Web services. However, as the model moved from standalone sites to Web 2.0 mashups and the companies exposed their services for use by other websites, the weaknesses of API keys quickly became evident. Companies began to implement different schemes for application and user authentication, including OAuth, the Security Assertion Markup Language (SAML), and hashed-based authentication codes (HMACs).

The stronger authentication methods should be used for securing sensitive data, and each token should have a reasonable expiration time. In addition, because secret keys are occasionally exchanged, communications should always be over SSL, says Gregory Brail, vice president of technology for Web technology and services firm Apigee.

“The developer needs to understand the limitations and understand the best practices around implementing API keys,” he says.

Developers should still use API keys, Brail says. They should just use them for their proper function and use other tools as the situation demands.

“I’m not saying that there is nothing that can go wrong here; I’m saying that this is not a reason to throw away your API keys,” Brail says. “They are an important part of your whole security system.”