Patent Application
20230216681
An application programming interface (API) is a connection between computer programs. It is a type of software interface, offering a service to other software. For example, an API can be used to transmit information back and forth between a website or app and a user.
An API key is a unique identifier that is used to authenticate a user to an API. API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it may have no expiration, so it may be used indefinitely.
For security reasons, many API infrastructures don’t use API keys for authorization purposes. Instead, they require users to first login at a specific registration endpoint with their API key in order to receive a “short-lived token,” which as its name suggests is a token with an expiration date.
A token is typically formed of three key components: a header, payload, and signature. The header may define the token type being used, as well as a signing algorithm involved. The payload is usually responsible for defining the token issuer and the token’s expiration details. It may also provide information about the user plus other metadata. The signature can verify the authenticity of a message such as a request for API service, and that the message has not changed while in transit.
Short-lived tokens allow users to access APIs without having to enter their login credentials each time they visit. Instead, the user logs in once, and a unique token is generated and shared. Users of tokens are provided with access to API services until they log out or close the services. If an attacker manages to acquire a short-lived token, it won’t be useful for long because it will eventually expire, limiting the possible impact.
The described embodiments and the advantages thereof may best be understood by reference to the following description taken in conjunction with the accompanying drawings. These drawings in no way limit any changes in form and detail that may be made to the described embodiments by one skilled in the art without departing from the spirit and scope of the described embodiments.
Token authorization works through a multi-step process. For example, a user can send a request to a registration endpoint executing on a computing device (e.g., a server). The request may include an API key. The registration endpoint may then verify the user using the API key in order to determine that the user should have access to API services. The registration endpoint generates a secure, signed short-lived token using a signing algorithm. A specific period of time is set for short-lived tokens. The short-lived token is transmitted back to the user’s computing device, which stores it for enabling future access. The short-lived token will remain active until the user logs out or it expires.
There are numerous issues involved with authorization of users seeking to access application program interfaces (APIs) using short-lived tokens. A primary issue is that short-lived tokens may not reveal the API key that was used to generate it, making it difficult to monitor users or log the services they request over time. Accordingly, it may be difficult to track a user’s behavior for a period of time that’s longer than the short-lived token’s expiration. Also, a user’s behavior pattern may be very difficult to identify when short-lived tokens constantly shift. And if attackers manage to get the API key itself, they can create a multitude of short-lived tokens, making it much more difficult to identify an attack and block it.
The present disclosure provides a proxy that is in data communication between a client computing device (hereinafter client) on one side and a registration endpoint and API services on the other side. The proxy receives registration requests and API service requests from clients. Before a registration request is forwarded to the registration endpoint, the proxy can read and store the registration request’s API key. The registration request is subsequently forwarded to the registration endpoint where the API key is used to generate a short-lived token. The token is provided back to the proxy in a message from the endpoint registration. The proxy can use the short-lived token to monitor the user and/or log services subsequently requested by the user.
Network 106 may be a public network (e.g., the internet), a private network (e.g., a local area network (LAN) or wide area network (WAN)), or a combination thereof. In one embodiment, network 106 may include a wired or a wireless infrastructure, which may be provided by one or more wireless communications systems, such as a Wi-Fi® hotspot connected with the network 106 and/or a wireless carrier system that can be implemented using various data processing equipment, communication towers (e.g. cell towers), etc. The network 106 may carry communications (e.g., data, message, packets, frames, etc.) between a client 102 and information system 104. Clients 102 and information system 104 may each include hardware such as processing device (e.g., processors, central processing units (CPUs)), memory (e.g., random access memory (RAM), storage devices (e.g., hard-disk drive (HDD)), and solid-state drives (SSD), etc.), and other hardware devices (e.g., sound card, video card, etc.). A storage device may comprise a persistent storage that is capable of storing data. A persistent storage may be a local storage unit or a remote storage unit. Persistent storage may be a magnetic storage unit, optical storage unit, solid state storage unit, electronic storage units (main memory), or similar storage unit. Persistent storage may also be a monolithic/single device or a distributed set of devices.
Clients 102 and information system 104 may each include any suitable type of computing device or machine that has a programmable processor including, for example, server computers, desktop computers, laptop computers, tablet computers, smartphones, set-top boxes, etc. In some examples, clients 102 and information system 104 may each comprise a single computing device or may include multiple interconnected computing devices (e.g., multiple servers configured in a cluster). Clients 102 and information system 104 may be implemented by a common entity/organization or may be implemented by different entities/organizations. For example, client 102-1 may be operated by a first entity and information system 104 may be operated by a second entity. Clients 102 and information system 104 may each execute or include an operating system (OS) (not shown in the figures). The OSs of clients 102 and information system 104 may manage the execution of other components (e.g., software, applications, etc.) and/or may manage access to the hardware (e.g., processors, memory, storage devices etc.) of the computing device.
Clients 102 may run an application (e.g., a browser) which may allow a user to interact with information system 104. When users want to access information system 104, they may utilize the application to connect to information system 104, and make calls to the information system 104. The information system 104 may further include any appropriate type of storage system such as an object storage system, a database, a filesystem, or a cloud storage layer, for example.
Returning to
The table of mapped short-lived tokens and API keys held in storage 116, can be used in a method to monitor API users. This monitoring can be used for various purposes including, for example, prevention of malicious activity.
Thereafter, proxy 110 processes the contents of the log in accordance with one or more security threat algorithms as shown in step 320. For example, after analyzing the contents of the log with the one or more security threat algorithms, the proxy 110 may determine that the country of origin of the request has changed too many times (e.g., more than a threshold number of times) throughout the different log entries, which may be a sign that certain requests are a security threat. Further, if the parameter values included in the request change throughout the different log entries, this may also be a sign that certain requests are a security threat. In addition, the one or more security algorithms may analyze historical request information associated with the same API key. For example, the total amount of requests for each API key may be saved by the proxy 110. In this way, an unusually large number of requests made by a particular API key within a certain time frame (determined based on the time stamps associated with the requests), which may be a sign of malicious activity, can be detected.
As will be more fully described below,
Proxy 404 can use the tokens it generates to monitor users of API services provided by nodes 410.
The information regarding the request for service may comprise information that can be used to detect malicious activity. For example, the information regarding the request for service may include the country of origin of the client requesting access to the service. In another example, the information regarding the request for service may include parameter values that are unique to the client (e.g., bank account ID). The proxy 110 may also store information regarding the history of requests (i.e., all of the requests) associated with the same API key, such as e.g., the total number of requests made, the total number of requests made during a particular time period (e.g., the total number of requests made in a week, or on a Tuesday), and the nature/type of requests made by a client associated with the API key. Such historical request information may be an indicator of anomalies both with respect to the API key itself (its logs) and with respect to comparison with other API keys.
Thereafter, in step 620 proxy 404 processes the contents of the log entries in accordance with one or more security threat algorithms. For example, after analyzing the contents of the log with the one or more security threat algorithms, the proxy 110 may determine that country of origin of the request has changed too many times (e.g., more than a threshold number of times) throughout the different log entries, which may be a sign that certain requests are a security threat. Further, if the parameter values included in the request change throughout the different log entries, this may also be a sign that certain requests are a security threat. In addition, the one or more security algorithms may analyze historical request information associated with the same API key. For example, the total amount of requests for each API key may be saved by the proxy 110. In this way, an unusually large number of requests made by a particular API key within a certain time frame (determined based on the time stamps associated with the requests), which may be a sign of malicious activity, can be detected. If proxy 404 determines the request received in step 602 is a security threat, the request for service is denied as shown in step 624. Otherwise, proxy forwards the request to the API services 410.
As noted in the flowcharts of
Computing device 800 may be connected (e.g., networked) to other computing devices in a local area network (LAN), an intranet, an extranet, or the Internet. The computing device may operate in the capacity of a server or a client in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The computing device may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a hub, an access point, a network access control device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single computing device is illustrated, the term “computing device” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methods discussed herein. In one embodiment, computing device 800 may be representative of a server.
The example computer system 800 includes a processing device 802, a main memory 804 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM), a static memory 806 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 818, which communicate with each other via a bus 830. Any of the signals provided over various buses described herein may be time multiplexed with other signals and provided over one or more common buses. Additionally, the interconnection between circuit components or blocks may be shown as buses or as single signal lines. Each of the buses may alternatively be one or more single signal lines and each of the single signal lines may alternatively be buses.
Computing device 800 may further include a network interface device 808 which may communicate with a network 820. The computing device 800 also may include a video display unit 810 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 812 (e.g., a keyboard), and a cursor control device 814 (e.g., a mouse). In one embodiment, video display unit 810, alphanumeric input device 812, and cursor control device 814 may be combined into a single component or device (e.g., an LCD touch screen).
Processing device 802 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computer (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 802 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 802 is configured to execute instructions 825, for performing the operations and steps discussed herein.
The data storage device 815 may include a machine-readable storage medium 828, on which is stored one or more sets instructions 825 (e.g., software) embodying any one or more of the methods described herein. The instructions 825 may also reside, completely or at least partially, within the main memory 804 or within the processing device 802 during execution thereof by the computer device 800; the main memory 804 and the processing device 802 also constituting machine-readable storage media. The instructions 825 may further be transmitted or received over a network 820 via the network interface device 808.
The machine-readable storage medium 828 may also be used to store instructions to perform a method as described herein. While the machine-readable storage medium 828 is shown in an exemplary embodiment to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, or associated caches and servers) that store the one or more sets of instructions. A machine-readable medium includes any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). The machine-readable medium may include, but is not limited to, magnetic storage medium (e.g., floppy diskette); optical storage medium (e.g., CD-ROM); magnetooptical storage medium; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or another type of medium suitable for storing electronic instructions.
The preceding description sets forth numerous specific details such as examples of specific systems, components, methods, and so forth, in order to provide a good understanding of several embodiments of the present disclosure. It will be apparent to one skilled in the art, however, that at least some embodiments of the present disclosure may be practiced without these specific details. In other instances, well-known components or methods are not described in detail or are presented in simple block diagram format in order to avoid unnecessarily obscuring the present disclosure. Thus, the specific details set forth are merely exemplary. Particular embodiments may vary from these exemplary details and still be contemplated to be within the scope of the present disclosure.
Additionally, some embodiments may be practiced in distributed computing environments where the machine-readable medium is stored on and or executed by more than one computer system. In addition, the information transferred between computer systems may either be pulled or pushed across the communication medium connecting the computer systems.
Embodiments of the claimed subject matter include, but are not limited to, various operations described herein. These operations may be performed by hardware components, software, firmware, or a combination thereof.
Although the operations of the methods herein are shown and described in a particular order, the order of the operations of each method may be altered so that certain operations may be performed in an inverse order or so that certain operation may be performed, at least in part, concurrently with other operations. In another embodiment, instructions or sub-operations of distinct operations may be in an intermittent or alternating manner.
The above description of illustrated implementations of the invention is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific implementations of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize. The words “example” or “exemplary” are used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “example” or “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs. Rather, use of the words “example” or “exemplary” is intended to present concepts in a concrete fashion. As used in this application, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or”. That is, unless specified otherwise, or clear from context, “X includes A or B” is intended to mean any of the natural inclusive permutations. That is, if X includes A; X includes B; or X includes both A and B, then “X includes A or B” is satisfied under any of the foregoing instances. In addition, the articles “a” and “an” as used in this application and the appended claims should generally be construed to mean “one or more” unless specified otherwise or clear from context to be directed to a singular form. Moreover, use of the term “an embodiment” or “one embodiment” or “an implementation” or “one implementation” throughout is not intended to mean the same embodiment or implementation unless described as such. Furthermore, the terms “first,” “second,” “third,” “fourth,” etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.
It will be appreciated that variants of the above-disclosed and other features and functions, or alternatives thereof, may be combined into may other different systems or applications. Various presently unforeseen or unanticipated alternatives, modifications, variations, or improvements therein may be subsequently made by those skilled in the art which are also intended to be encompassed by the following claims. The claims may encompass embodiments in hardware, software, or a combination thereof.
This application claims priority to U.S. Provisional Application No. 63/295,787 filed on Dec. 31, 2021 and entitled “API USER TRACKING VIA TOKEN TO API KEY MAPPING,” the disclosure of which is hereby incorporated in its entirety.
| Number | Date | Country | |
|---|---|---|---|
| 63295787 | Dec 2021 | US |
