• DocumentCode
    173029
  • Title

    Keeping Your API Keys in a Safe

  • Author

    Lu, Hongqian Karen

  • Author_Institution
    Gemalto, Inc., Austin, TX, USA
  • fYear
    2014
  • fDate
    June 27 2014-July 2 2014
  • Firstpage
    962
  • Lastpage
    965
  • Abstract
    Cloud API (Application Programming Interface) enables client applications to access services and manage resources hosted in the Cloud. To protect themselves and their customers, Cloud service providers (CSP) often require client authentication for each API call. The authentication usually depends on some kind of secret (also called an API key), for example, a secret access key, password, or access token. As such, the API key unlocks the door to the treasure inside the Cloud. Hence, protecting these keys is critical. It is a difficult task, especially on the client side, such as users' computers or mobile devices. How do CSPs authenticate client applications? What are security risks of managing API keys in common practices? How can we mitigate these risks? This paper focuses on finding answers to these questions. By reviewing popular client authentication methods that CSPs use and using Cloud APIs as software developers, we identified various security risks associated with API keys. To mitigate these risks, we use hardware secure elements for secure key provisioning, storage, and usage. The solution replaces the manual key handling with end-to-end security between CSP and its customers' secure elements. This removes the root causes of the identified risks and enhances API security. It also enhances the usability by eliminating manual key operations and alleviating software developers' worries of working with cryptography.
  • Keywords
    application program interfaces; client-server systems; cloud computing; cryptography; API security; CSP; application programming interface; client applications; client authentication; client side; cloud API key management; cloud service providers; customer secure elements; end-to-end security; hardware secure elements; resource management; secure key provisioning; security risks; software developers; Authentication; Companies; Computers; Cryptography; Smart cards; Software; client authentication; key management; secure elements; security;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Cloud Computing (CLOUD), 2014 IEEE 7th International Conference on
  • Conference_Location
    Anchorage, AK
  • Print_ISBN
    978-1-4799-5062-1
  • Type

    conf

  • DOI
    10.1109/CLOUD.2014.143
  • Filename
    6973849