Open in app

Sign in

Write

Sign in

API Security — Part 1 with HTTPs

Namrata
6 min readFeb 29, 2024

--

API Security refers to the practices and protocols that are used to protect application programming interfaces (APIs) from misuse or malicious attacks. This is crucial because APIs serve as the main conduit for transferring data, triggering functionalities, and connecting services across different applications.

API security involves implementing various measures to ensure that the APIs are accessible only to authorized individuals and that the data being exchanged is secure. This includes practices like encryption, use of API keys, rate limiting, and more.

HTTPS (Hypertext Transfer Protocol Secure) plays a significant role in achieving API security. Here’s how:

Encryption

Encryption is a method of converting data into a code to prevent unauthorized access. HTTPS uses two main types of encryption protocols: SSL (Secure Sockets Layer) and TLS (Transport Layer Security). These protocols use a combination of symmetric and asymmetric encryption to protect the data being transferred.

Here’s a simplified explanation of how it works:

  1. Asymmetric Encryption (Public Key Encryption): When a client (for example, your web browser) first connects to an HTTPS server, they perform a handshake. During this handshake, the server sends its public key to the client. This public key is used to encrypt the data. However, it can’t decrypt it. For decryption, a different key is needed — the private key — which is securely stored on the server and never shared.
  2. Symmetric Encryption (Session Key Encryption): Asymmetric encryption, while secure, is computationally heavy. So, for efficiency, once the secure connection is established, the server and the client create a separate, unique key for that session. This session key is symmetric, which means the same key is used to both encrypt and decrypt the data. This key is shared between the client and server but is encrypted during transmission for security.
  3. Data Transfer: Once the secure connection is established, the data transferred between the client and server is encrypted with the session key. This ensures that even if the data is intercepted, it cannot be understood without the unique key used for its encryption.
  4. Decryption: When the data reaches its destination, it is decrypted using the same session key.

This combination of asymmetric and symmetric encryption provides a balance of security and efficiency, ensuring that data transmitted over HTTPS is protected from eavesdropping or tampering.

It’s also worth mentioning that modern browsers and servers typically use TLS, the successor to SSL, as it’s more secure and efficient. However, the term “SSL” is often still used colloquially to refer to these encryption protocols.

Who creates this public and private key ?

The public and private keys are created by the server where the SSL/TLS certificate is installed. This process is part of the SSL/TLS certificate generation process. Here’s a simplified explanation of how it works:

  1. Key Generation: When a website owner decides to secure their website with HTTPS, they start by generating a pair of keys: a public key and a private key. This is usually done on the server where the website is hosted. These keys are mathematically linked — what one key encrypts, only the other can decrypt.
  2. Certificate Signing Request (CSR): The website owner then creates a Certificate Signing Request, which includes the public key and some additional information about the website and the organization that owns it.
  3. Certificate Issuance: The CSR is then sent to a Certificate Authority (CA). The CA validates the information, signs the CSR using their own private key, and issues an SSL/TLS certificate. This certificate includes the website’s public key and the CA’s digital signature.
  4. Certificate Installation: The website owner installs this certificate on their server. The private key remains securely stored on the server and is never shared.

When a client (like a web browser) connects to the server, it uses the public key included in the SSL/TLS certificate to encrypt data. This data can only be decrypted by the private key on the server. Additionally, the client can verify the authenticity of the certificate (and thus the server) by using the CA’s public key to check the digital signature.

Authentication

Authentication in HTTPS is achieved through the use of SSL/TLS certificates. These certificates are issued by a trusted third-party called a Certificate Authority (CA). When a server presents a certificate, the client (usually a web browser) can verify that the certificate was issued by a trusted CA, confirming the server’s identity.

Here’s a more detailed breakdown of the process:

  1. Certificate Presentation: When a client tries to establish a connection with a server over HTTPS, the server presents its SSL/TLS certificate. This certificate includes the server’s public key and a range of other details, such as the certificate’s validity period and the identity of the entity it was issued to.
  2. Certificate Verification: The client then verifies the certificate. This involves checking that the certificate was issued by a trusted CA and that it hasn’t expired or been revoked. The client also checks that the certificate was issued to the entity it’s trying to communicate with.
  3. Key Exchange: If the certificate checks out, the client uses the server’s public key to encrypt a ‘pre-master secret’ — a random number that’s used to generate the session keys for this particular communication session. This encrypted pre-master secret is sent to the server.
  4. Session Key Generation: Both the client and the server use the pre-master secret to generate the same set of session keys. These keys are used to encrypt and decrypt all the data sent during the communication session.

This process ensures that the client is communicating with the correct server and not a malicious actor pretending to be the server (a ‘man-in-the-middle’ attack). It also allows the client and server to establish a set of session keys which only they know, enabling secure communication.

This is a fundamental part of HTTPS and one of the main reasons why it’s used to secure sensitive communications. However, it’s worth noting that while this process provides a high level of security, it’s not completely foolproof and can potentially be compromised by certain attacks, such as those involving compromised CAs or certificates.

Data integrity

Data integrity in HTTPS refers to the assurance that the data that is sent from a source to a destination has not been tampered with or altered during transmission.

When a client sends a request to a server over HTTPS, the data in that request is encrypted using SSL/TLS protocols before it is sent over the network. Similarly, the response from the server is also encrypted before it is sent back to the client. This encryption process helps maintain the integrity of the data during transmission.

Here’s a more detailed look at how it works:

  1. Encryption: When a client sends a request to a server, the data is encrypted using a secret key. This encryption process transforms the original data into a format that can only be read by someone who has the decryption key.
  2. Transmission: The encrypted data is then sent over the network to the server. Even if someone intercepts the data during this transmission, they won’t be able to understand or alter it without the decryption key.
  3. Decryption: When the server receives the data, it uses the decryption key to transform the data back into its original format. The server can then process the request and send a response back to the client.
  4. Verification: Before the data is used, the server or client can verify that the data has not been altered during transmission. This is typically done using a process called a hash function, which generates a unique output for a given input. If the data was altered, the output of the hash function would be different, indicating that the data integrity has been compromised.

By ensuring data integrity, HTTPS provides a secure environment for data transmission, reducing the risk of data tampering or alteration during transit. This is crucial for sensitive data like financial transactions, personal information, and other confidential data that need to be securely transmitted over the internet.

To achieve API security with HTTPS, you should:

  • Always use HTTPS for all API requests and responses.
  • Use strong SSL/TLS protocols and avoid using outdated or weak ones.
  • Regularly update and renew your SSL/TLS certificates.
  • Use HTTP Strict Transport Security (HSTS) to ensure that the browser only sends HTTPS requests to your server.
  • Implement certificate pinning to ensure that your application only accepts certain certificates, thereby reducing the risk of accepting fraudulent certificates.

Remember, while HTTPS is a critical component of API security, it’s not the only measure you should take. Other security practices like input validation, proper error handling, and implementing rate limiting are also essential to secure your APIs that we will discuss soon.

To understand how we can achieve API security with oAuth refer.

OAuth 2.0 — Authorization Code Grant

OAuth, which stands for Open Authorization, is a protocol that allows users to approve applications to act on their…

codescoddler.medium.com

Api Security
Security
API
Https
Encryption

--

--

Namrata
Namrata

Written by Namrata

75 Followers
23 Following

Engineering @Microsoft A software developer writing her daily bits . https://www.linkedin.com/in/namrataagarwal5/

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams