
Getting in front of API Security

This is the latest blog from ScotlandIS member PACE Anti-Piracy, which emphasises the need to enhance API Security to protect your critical infrastructure.

API Security is critical to protecting the IT infrastructure of any organization. If a cyberattacker is able to abuse APIs, they can breach an organization through the front door.

This is why CISOs (Chief Information Security Officers) and their teams are increasingly spending on API Security. According to Future Market Insights, demand in the US is estimated to grow at a striking 26% CAGR and is expected to reach US$10 billion by 2032.

The need for API Security

API abuse

APIs (application programming interfaces) allow software to talk to the back-end services it consumes without exposing all of the service's internal details or how it works. For example, a mobile banking app will talk to the banking systems through the bank's API to get account information and make transaction requests. This makes APIs highly attractive to a cyberattacker, and high risk from a cybersecurity perspective.

API abuse falls into two categories:

  • Unauthorized access. This is when APIs are used as designed, but by someone who should not be allowed to use them. With unauthorized access to an API, an attacker can maliciously access services and data.
  • Vulnerability exploitation. APIs are software, and like all software they are prone to defects (bugs). Attackers try to identify vulnerabilities that open up unintended functionality. If they can make the API behave in a way that is useful to them, that gives them a means to breach the organization.

The traditional approach to protecting APIs is to build defenses into the server. These defenses monitor the traffic coming through the API, making go/no-go decisions based on the data passing through it. If the data looks right, it is allowed through. If an attacker can forge messages that look right, they gain access to the API and to the services behind it.

This does not mean these defenses are inherently bad. Quite the opposite: they are an important, and often very sophisticated, part of the cybersecurity puzzle. The challenge they have is that they only see part of a much bigger picture.

Our Director of Product Management, Neal Michie, talked about how to "Be the Hero of Your DevSecOps Team" at droidcon London 2023.

Client authentication enhances API Security

One important piece of the picture that server-side defenses do not see is who is sending the data. Security can therefore be greatly enhanced by adding authentication of clients that are connecting to an API. Limiting traffic to only legitimate and known clients goes a long way to stopping API abuse.

The classic way to authenticate clients is to use an API Key. This is a shared secret (effectively a password) that the client passes to the server when connecting. Because only authorized clients should know the API Key, only authorized clients should be able to connect to the API. All other connections are immediately rejected.

The danger of replay attacks

The challenge with this approach is the same as with any password: once an attacker knows the API Key, they can "replay" it back to the server at will. This allows them to authenticate any device or script as if it were a legitimate client application.

API Keys can be exposed in many ways. Common approaches include reverse engineering (more on that later) or simply sniffing the key off the wire. Tools such as Burp Suite allow an attacker to run a man-in-the-middle (MitM) attack against an application instance they control. A MitM attack lets a threat actor see all of the network traffic, including the API Key.

Using cryptography to prevent replay attacks

The proven solution to replay attacks is a cryptographic challenge-response. This ensures that each authentication request is unique.

In practice, this means:

  1. The server generates a unique and unpredictable challenge and sends it to the client.
  2. The client cryptographically signs the challenge with a private key and sends the response to the server.
  3. The server validates the response cryptographically using the public key associated with the private key held by the client.

Therefore, there is no longer a single fixed secret sent to the server every time. Instead, the client sends a dynamic response that is valid only for that one challenge, which the server validates with the client's public key. A response captured off the wire is useless for answering the next challenge.
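The three steps above, and the replay scenario from the previous section, as an added example in Go that is not part of the original article or of any PACE product. Both sides of the exchange are shown in one process: the server issues a random single-use challenge, the client signs it with an Ed25519 private key, and the server checks the signature against the registered public key. The client ID "mobile-app", the protocol label in authMessage and the 30-second lifetime are assumptions chosen for the example; the server runs against the standard library only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// authMessage binds the signature to a protocol label (an assumed name for this
// example) and the client ID as well as the challenge, so a signature produced
// here cannot be reused in another protocol that also asks the client to sign
// server-supplied bytes.
func authMessage(clientID string, challenge []byte) []byte {
	msg := []byte("api-client-auth-v1\x00" + clientID + "\x00")
	return append(msg, challenge...)
}

// Server keeps the registered client public keys and the challenges it has
// issued but not yet consumed. A challenge is single-use and short-lived.
type Server struct {
	mu         sync.Mutex
	clients    map[string]ed25519.PublicKey // client ID -> public key
	challenges map[string]time.Time         // hex(challenge) -> expiry
	ttl        time.Duration
	now        func() time.Time // injectable clock, used by tests
}

func NewServer(ttl time.Duration) *Server {
	return &Server{
		clients:    map[string]ed25519.PublicKey{},
		challenges: map[string]time.Time{},
		ttl:        ttl,
		now:        time.Now,
	}
}

func (s *Server) Register(clientID string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.clients[clientID] = pub
}

// Challenge is step 1: 32 bytes from crypto/rand, so the value is both unique
// and unpredictable and an attacker cannot pre-compute a response to it.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.challenges[hex.EncodeToString(c)] = s.now().Add(s.ttl)
	s.mu.Unlock()
	return c, nil
}

// Respond is step 2, run on the client: sign the challenge with the private
// key. The resulting signature is only valid for this one challenge.
func Respond(priv ed25519.PrivateKey, clientID string, challenge []byte) []byte {
	return ed25519.Sign(priv, authMessage(clientID, challenge))
}

// Verify is step 3. The challenge is deleted before the signature is checked,
// whether or not the check succeeds, so a response sniffed off the wire and
// replayed later fails as "already-used" instead of being accepted.
func (s *Server) Verify(clientID string, challenge, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(challenge)
	expiry, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, key)
	if s.now().After(expiry) {
		return errors.New("challenge expired")
	}
	pub, ok := s.clients[clientID]
	if !ok {
		return errors.New("unknown client")
	}
	if !ed25519.Verify(pub, authMessage(clientID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair provisioned into the client
	srv := NewServer(30 * time.Second)
	srv.Register("mobile-app", pub)
	c, _ := srv.Challenge()
	sig := Respond(priv, "mobile-app", c)
	fmt.Println("first response:   ", srv.Verify("mobile-app", c, sig))
	// An attacker who captured (c, sig) with a MitM proxy and replays it is refused.
	fmt.Println("replayed response:", srv.Verify("mobile-app", c, sig))
}
```

Note what this does and does not fix: the API Key replay problem is gone because the secret never crosses the wire, but the private key now sits inside the client, which is the issue the rest of the article turns to.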

The danger of reverse engineering

So far so good, but let's look at the case where the client is not another server but software running at the edge, e.g. a desktop application, a mobile app or an IoT device. In this situation, the software containing the private key can be easily accessed by an attacker.

Software is not a locked box. It can easily be opened and analyzed by an attacker using a process known as reverse engineering. Tools are freely available to extract software from a range of devices, decompile the code back into something readable, and instrument executing code to fully understand exactly what it is doing.

Using reverse engineering, attackers can quickly and relatively easily extract a cryptographic key from the software. They can then generate valid responses to the server's challenges, authenticating themselves and tricking the server into granting access.

[Image] Cryptographic key found in an Android application using the open source tool Jadx.

This is why, in the 2024 edition of the OWASP Mobile Top 10, OWASP identifies Improper Credential Usage as the number one threat to mobile apps, with hardcoded credentials the top scenario described. Of course, this risk does not apply only to mobile apps. It exists anywhere that software is running at the edge and is therefore at risk of analysis by threat actors.

The need for white-box cryptography

Cryptographically, this is the correct solution for authenticating a client with the server. The trouble with this in-app cryptography is that there is still a secret value in the client-side software: the private key. Like the API Key, the private key can be easily exposed. This is the danger of in-app cryptography.

To tackle this danger, it is essential to incorporate cryptographic key protection. White-box cryptography, a proven solution employed in various real-world contexts from mobile payments to video DRM, is designed to prevent the discovery of cryptographic keys within the code.

PACE has developed a third-generation white-box, White-Box Works. This is a software development tool that PACE's customers use to protect their high-value algorithms and data wherever their software is running.

Traditional white-box library products are monolithic and inflexible SDKs. This means they force developers to bend their architectures to the white-box SDK. In stark contrast, third-generation white-boxes like White-Box Works empower developers, allowing them to design software architectures that are sympathetic to their use case.

To learn more about using white-box cryptography to get in front of API Security, contact PACE to speak to one of our experts.

This article was updated on March 20, 2024 to include details of the OWASP Mobile Top 10 2024.
